Setup SSL on ABAP : the issuer certificate is unknown
Hello,
I've been asked to set up SSL on SAP 6.20 web application servers (4.7).
I've carefully followed the instructions given in SAP Note 510007: sapcryptolib installed, parameters configured, SSL server PSE configured, etc.
Now, we have to create a certificate request and send it to our CA.
But before doing that, I wanted to test the SSL server.
I found in the SAP marketplace that you can request SSL Test Server Certificates; apparently they work exactly like the "real" SSL Server Certificates except that they are temporary (8 weeks).
Therefore, I've generated the certificate request, sent it to the SAP trust certificate center, and imported the certificate response into the PSE, exactly as described in the SAP documentation.
Then I've established the trust relationship necessary when using the SSL server PSE; I mean that I've imported the CA root certificate that the server should trust: TC TrustCenter Class 2 CA
Then I have inserted it into the server PSE's certificate list. In the end, I've restarted the ICM.
I wanted to test the SSL feature by sending https requests to the WAS but I got the following error (Firefox):
******************************:1443 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
Unknown identity, certificate is not trusted because it hasn't been verified by a recognized authority
As you can imagine, I checked the certificate authorities in the browser, and TC TrustCenter Class 2 CA exists ... so I really do not understand where the error comes from. Maybe from the TEST server certificate?
I encounter the same behaviour with IE7.
Thank you in advance for your help.
Best regards.
Raoul.
Edited by: Raoul Shiro on Mar 30, 2009 8:58 PM
Hi Raoul,
the SSL Test Server Certificates are issued from the SAP Server CA. You need to install the root certificate of the SAP Server CA in your browser. You can download this root certificate from [http://service.sap.com/tcs] -> Download Area -> Root Certificates.
Best regards,
Klaus
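The situation in this thread, reproduced offline as an added example (not code from the thread or from SAP): a server certificate is rejected while the trust store holds only the CA the administrator assumed, and accepted once the CA named in the certificate's issuer field is used as the anchor. The CA names and the host `was.example.test` are constructed, and the `openssl` command line (1.1.1 or later) is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Every CA, key and host name is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own minimal config so the roots carry CA extensions whatever the system openssl.cnf says.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root() {    # make_root NAME -> self-signed CA certificate $WORK/NAME.pem
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_leaf() {   # issue_leaf CA_NAME HOST -> server certificate $WORK/HOST.pem signed by CA_NAME
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

dn() {           # dn issuer|subject CERT -> that name in RFC 2253 form
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

check_trust() {  # check_trust LEAF ANCHOR -> "trusted" if LEAF chains to ANCHOR, else "rejected"
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

find_anchor() {  # find_anchor LEAF CA... -> the CA file whose subject equals LEAF's issuer
  leaf=$1; shift
  want=$(dn issuer "$leaf")
  for ca in "$@"; do
    if [ "$(dn subject "$ca")" = "$want" ]; then echo "$ca"; return 0; fi
  done
  echo none
}

make_root Constructed-Assumed-Root   # stands in for the CA the browser already trusts
make_root Constructed-Issuing-Root   # stands in for the CA that actually signed the test cert
issue_leaf Constructed-Issuing-Root was.example.test
LEAF="$WORK/was.example.test.pem"
ASSUMED="$WORK/Constructed-Assumed-Root.pem"
ACTUAL="$WORK/Constructed-Issuing-Root.pem"

echo "leaf issuer       : $(dn issuer "$LEAF")"
echo "assumed root only : $(check_trust "$LEAF" "$ASSUMED")"
echo "matching anchor   : $(find_anchor "$LEAF" "$ASSUMED" "$ACTUAL")"
echo "with that anchor  : $(check_trust "$LEAF" "$ACTUAL")"
```

Reading the issuer field of the certificate the server actually presents is the quickest way to learn which root the client has to trust.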
Similar Messages
-
I downloaded a program and got this error message: "The issuer certificate of a locally looked up certificate could not be found" and "The root CA certificate is not trusted for this purpose". What do I do?
* Download a fresh Firefox copy from http://www.mozilla.com/firefox/all.html and save the file to the desktop.
* Uninstall your current Firefox version and remove the Firefox program folder before installing that copy of the Firefox installer.
* Don't remove personal data when uninstalling.
* It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling. -
I can access my Google Mail and Google Home Page just fine using IE.
I am currently using Firefox version 8.0.
Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
*https://support.mozilla.org/kb/Secure+Connection+Failed
Clear the cache and the cookies from sites that cause problems.
"Clear the Cache":
*Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
"Remove Cookies" from sites causing problems:
*Tools > Options > Privacy > Cookies: "Show Cookies" -
Note: I am in the process of moving the site to our central server so all pages, with the exception of the secure ones and the homepage, are redirected. See https://www.homelink-usa.com/secure/subscribe/subscribe.lasso which is secure and, in my browser Firefox 3.6.13, the location window is blue just like your site that I am typing on. The certificate expires on March 20, 2011.
I do not get the error message on any of my machines or browsers.
Karl
This Connection is Untrusted
You have asked Firefox to connect securely to *www.homelink-usa.com*,
but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could
mean that someone is trying to impersonate the site, and you shouldn't
continue.
Technical Details
www.homelink-usa.com uses an invalid security certificate. The
certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
I Understand the Risks
If you understand what's going on, you can tell Firefox to start
trusting this site's identification. *Even if you trust the site, this
error could mean that someone is tampering with your connection.*
Don't add an exception unless you know there's a good reason why this
site doesn't use trusted identification.
Might have a hardware issue that was caused by the minor liquid spill.
Take it to Apple to have them look at it. I think they do a free diagnostics. That way you can find out what's wrong with your MB.
Good luck....Hope you get it sorted out. -
SSL STRUST: Issuer certificate missing in database
Hi,
I am applying SSL in the ABAP stack in STRUST. When I apply the certificate response from the CA, it shows the error
Issuer certificate missing in database:CN=DigiCert High Assurance CA-3, OU=www.digicert.c
Any idea??
Thanks
In STRUST, go to Certificate->Database and create a new "ROOT CA" entry, e.g. Z_NETCA.
Select any PSE (System PSE) -> Certificate -> Import and import the "Issuer Certificate".
Certificate->Export->Database> Select Z_NETCA, CA, some description -> OK
Now you will be able to import your certificate response without any issues.
To get the "Issuer Certificate", open your certificate response (certificate), go to the Certification Path tab and select the next level higher to your Server CA -> View Certificate -> go to the Details tab and Copy to File -> export in base64 or DER format. -
Hello, I've been stuck with this problem for 3 weeks now.
I'm not able to configure the EAP-TLS authentication.
In the "Certificate Store" of the ISE server I have installed the Root, Policy and Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issued by the same issuing authority which signs the client ones.
The ISE's certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates and also the certificate chain.
When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don't know what else I can do.
Thank you
Jorge
Hi Rik,
Below are the certificate details:
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In the ISE certificate store I have the below certificates:
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled 'Trust for client authentication' on all three certificates.
This is unchecked: 'Enable Validation of Certificate Extensions (accept only valid certificate)'
When I check the certificates of the current user on the client PC, this is how it shows:
XX-CA-ROOT-04 is listed in Trusted Root Certification Authorities
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certification Authorities -
How do I trust a self-signed issuer certificate?
I created a self-signed CA cert using openssl, and imported it into Firefox, but when I select it in the Certificate Manager under “Your Certificates” and click “View…”, I see the message “Could not verify this certificate because the issuer is not trusted.”
https://www.dropbox.com/s/i38v78802ym9fug/Screenshot%202014-04-15%2010.49.14.png
When I visit the site that I set up with an SSL cert signed by that same self-signed CA cert, I get an untrusted connection warning with the following technical details: “staging.cakemade.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)”
https://www.dropbox.com/s/rvq00r0pdn99rd6/Screenshot%202014-04-15%2010.57.54.png
When I view the site certificate, it correctly identifies the issuer as the CA cert that I imported, but also displays the message “Could not verify this certificate because the issuer is not trusted.”
https://www.dropbox.com/s/b3no5pdhf9ddx5h/Screenshot%202014-04-15%2010.57.29.png
I am using Firefox Aurora, and apply updates daily. I am using the default settings for OCSP.
https://www.dropbox.com/s/in58viu3q6wkxvn/Screenshot%202014-04-15%2011.02.22.png
What do I need to do to get Firefox to trust the CA cert that I imported?
I'm assuming you've imported your CA cert underneath the 'Authorities' tab.
Restart FF after importing the cert.
I'd expect you're being prompted to set the trust level upon importing the cert. If not you can do that manually via the 'Edit Trust' button. -
My mother was having problems with her computer on the Internet and had to reset the modem. Problem was, I was on the Internet at the time using Twitter. She reset the modem, I thought everything was okay, but now Firefox isn't letting me access Twitter at all because of the security certificate. Here's the error message:
This Connection is Untrusted
You have asked Firefox to connect
securely to twitter.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
twitter.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for gateway.2wire.net
(Error code: sec_error_untrusted_issuer)
gateway.2wire.net is the default error page for my modem, if the Internet is not working at all. I think the problem here is that now Firefox thinks the legitimate site for Twitter is the error page and not, well, Twitter.com. Also, I'm not getting any "add exception" option. How do I fix this?
Clear the cache and the cookies from websites that cause problems.
"Clear the Cache":
*Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
"Remove Cookies" from sites causing problems:
*Firefox/Tools > Options > Privacy > Cookies: "Show Cookies" -
Hi,
When I check pkiview.msc on my 2012 Subordinate CA I get the error shown in the first picture below. I'm also getting errors similar to below in the event log:
"Active Directory Certificate Services could not create an encryption certificate. Requested by contoso\admin1. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)."
I'm assisting in setting up a 2 tier PKI infrastructure using Windows 2012. The root CA looks good, but we're getting errors on the subordinate. The server was working, but we discovered that the server would only issue certificates with a maximum of a 1 year expiry date - obviously no good, so we decided to run through the following commands on the root CA (as recommended by http://www.techieshelp.com/subordinate-ca-increase-certificate-validity/)
certutil -setreg ca\ValidityPeriodunits "Years"
certutil -setreg ca\ValidityPeriod "5"
restarted AD certificate services on the root and subordinate CA. Then did the following on the subordinate CA:
1. On the Subordinate CA create a new CA request by right clicking the server in ADCS and select New Request.
2. Supplied the original request file from the subordinate CA (I couldn't find a way of generating a new request file)
3. Issued the certificate using the Root CA.
4. On the Subordinate CA ADCS installed new CA cert.
However, I keep on getting CDP or AIA errors on my subordinate CA. Also I'm missing a CDP field value when I look at the certificate listed in the personal and trusted certification authority store on my subordinate CA.
In addition, when I look at my CDP locations in Certificate Authority, I see a lot of CDPs, but I'm not sure if I need them all - I suspect I could just get away with LDAP, the C:\windows path and a single http:// path.
I've tried renewing the existing certificate and CRL on my subordinate CA, but that didn't work either.
Please advise.
Thanks
Ok, the process to renew the subordinate CA is incorrect. Once the registry setting to change the validity period was made on the root CA, the root CA ADCS service needs to be restarted. That is the only time those keys are read. Then:
1) On the subordinate CA, open the CA tool, right click the CA and select Renew CA Certificate. You can use the same key, no need to create a new one. It will create a NEW certificate request file
2) Copy that to the Root CA and submit like you would have done during the initial install
3) Approve the request and export the issued certificate
4) On the subordinate CA, in the CA tool, right click the CA and choose Install CA Certificate.
You can not reuse request files.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. -
This Connection is untrusted (issuer certificate not trusted)
For the past week I have been unable access internet sites via firefox. I keep getting the "The connection is untrusted" error. It does not matter what site, be it google, Mozilla or Yahoo mail.
I have deleted the cert8.db file, cleaned my history and cache and reset Firefox but nothing helps. When I go through the "I understand the risk" steps the sites load but not properly. Usually no pictures will load.
www.google.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
It is a work computer and I believe we use McAfee.
I followed the other directions and viewed the certificate. All looks OK, my time is correct, the certificate isn't set to expire till sometime in October. -
How do I correct the problem of error unknown issuer?
I have a problem of the error code coming up that says the certificate is not trusted because the issuer certificate is unknown. How do I correct this problem so I can view different pages to download or to just read?
so i
Hi,
The answer above is correct, though you don't really need to reload, you can just simply clear the OSPF process with the following command:
clear ip ospf 1 process
HTH -
May I know the document name which I need to follow when I setup SSL on Por
Hi Gurus,
We have installed 9iAS Portal 90201 and upgraded it to 9023. We are trying to set up SSL for everything in the server. We have both infrastructure and middle tier on the same server. We are not sure where to start the SSL setup. Infrastructure has an HTTP server, SSO server, etc. and the middle tier has HTTP, OC4J, Portal, webcache, etc. Is there a standard document or list of documents in sequence which I can follow to set up SSL on our server? I have found a couple of them, but I am not sure which one has to go first and which one has to go next. I am planning to use the trial certificate from Verisign. Please post a reply if you have some info about it.
Thanks
Raj
----------
We're in the middle of trying to do the same for 904 on Solaris. If anyone has some advice, we'd really love to hear it.
-
How to renew the issuing CA certificate
Hi,
We have one root CA and two issuing CAs set up in our environment on the Windows Server 2003 platform. The CA certificate of one of the issuing CAs has expired and the other will expire in two weeks. The root CA certificate is valid through 2018. The MS PKI infrastructure is primarily used for issuing workstation certificates via GPO to client machines for VPN two factor authentication.
Any help you can provide will greatly be appreciated.
Thanks in advance,
V
The ship has sailed on the issuing CA that expired. You need to uninstall certificate services and reinstall ADCS (I would consider setting up a new CA (new name, newer OS)).
The second issuing CA can be renewed anytime within the next two weeks. After the certificate expires, renewal is not possible.
There is no risk in setting up the new CA. All of the certificates are expired as well on the first issuing CA, so there will be no loss of functionality.
That being said, this is a horribly managed PKI. A CA should be renewed when half of its lifetime has expired. To leave a CA to the point of two weeks left or, worse yet, letting the CA certificate expire is terrible. Who is managing the service? They really need to step it up.
Brian -
Setup SSL using test Certificate
Hi,
All I am trying to setup SSL on my weblogic server 6.1. I have generated CSR and
received a temporary free certificate from verisign. But I am having hard time
following documentation..as wording is misleading. Can anyone tell me exactly
how would I setup/configure SSL using this test certificate. Any help ASAP will
be greatly appreciated.
Thanks
Jitesh
Yeshwant,
I looked at my weblogic.log file and apparently last log I see is when I actually
generated a CSR using servlet. That was last week, no updates to log after that.
I got my error on IE browser version 5.0
Also CA root file that you pointed me to will not work. I am assuming do if I
need to go buy valid certificate which comes along with CA file and CSR.
Thanks
Yeshwant <[email protected]> wrote:
Hi Jitesh
can you attach the weblogic.log file ?
If you look at the logs or the server startup do you see something like
<Aug 6, 2002 11:35:08 AM PDT> <Notice> <WebLogicServer> <SSLListenThread
listening
on port 7002, ip address 172.17.24.85
in your log ?
I am trying to understand if the ssl listen thread comes up or not .
"There was a communicator problem"
Is this error coming in the browser? if so which browser and what version
Jitesh wrote:
Yeshwant,
Thanks for providing good information to my question. I tried what you told me,
but still I cannot get SSL to work. Any suggestions. I get Problem report as:
"There was a communicator problem", when I use https after configuring it.
Thanks
Yeshwant <[email protected]> wrote:
Hi Jitesh
There are 3 things needed to get up and running with ssl
1)Server Key File Name --> This is the private key which is generated
along with the
CSR (usually by the certificate webapp if you are using it)
2)Server Certificate File Name --->This is the certificate that verisign
sent you
3)Server Certificate Chain File Name ---> This should be either sent
by verisign or
it will be available on their site . If not try the Intermediate
CA
available at
http://www.verisign.com/support/install/index.html
On the right there is a link titled (Get Intermediate CA here )
All these 3 fields can be configured through the Console-->Server-->SSL
tab
Restart the server and it should be able to use the trial certificate
and start the
SSLListenThread
Jitesh wrote:
Hi,
All I am trying to setup SSL on my weblogic server 6.1. I have generated CSR and
received a temporary free certificate from verisign. But I am having hard time
following documentation..as wording is misleading. Can anyone tell me exactly
how would I setup/configure SSL using this test certificate. Any
help
ASAP will
be greatly appreciated.
Thanks
Jitesh -
Error 2
An error occurred while signing: Failed to sign bin\Debug\app.publish\\setup.exe. SignTool Error: No certificates were found that met all the given criteria.
Yesterday I could publish, today no code changes, but I get the above error.
Help
Hi El-sid,
So glad that you have solved your issue, and thanks for your sharing.
Have a nice day.
Best Regards,
Youjun Tang