SGD 4.20.983 and Verisign certificate

Similar Messages

• Difference b/w OCA certifciate and verisign certificate

  What is the difference b/w OCA certifciate and verisign certificate
  Do we need to buy the OCA certificate as well as I understand that we need to buy verisign certificate?
  Thanks

  A certificate is not a single entity. It helps if you know how to administer certificates using the openssl commandline tool. A certificate is a signed public key.
  This is how it works in using the oracle tools:
  First, a wallet is created using the wallet manager (owm) or orapki. A wallet at that point consists of some trusted CA (Certificate Authority) certificates, and probably already the (non visible) private key.
  Next, a CSR (Certificate Signing Request) is made using the wallet manager or orapki. This is a non-signed version of the certificate.
  This is where the OCA comes into play. The OCA is the oracle version of a Certificate Authority. Using the CA, you can sign your certificate yourself. The signer certificate (the certificate of the OCA) is not officially listed as trusted certificate.
  If you send your CSR to verisign, verisign signs it for you. The advantage verisign has, is it's certificate (the signer certificate) is officially listed as trusted certificate. That's the reason people use verisign for their certificates.

• Can not import Verisign certificate

  Dear all,
  I am trying to import a Verisign certificate in my ABAP BW 3.5
  Production system.This is a certificate renewal as I had a certificate there for a year that is to expire on the 12th of June. However, because of the fact that we had to change the SSL
  PSE so that it contains field SP, it is more like installing a new
  certificate.
  What I did: I deleted the old PSE that didn't have any information about the "State" field and created a new one.
  I then created the CSR request to Verisign. I received
  the response from Verisign, which I pasted in a text file together with the Verisign Intermediate and Verisign Root certificate which I used last year as well when I installed a Verisign certificate in this server for the first time.
  When I apply the response, by pasting the contents of the text
  file created above, I get the message:
  "CA Certificate missing in database"
  I have already looked at notes 508307, 518185, 510007, 1074447, 511919
  I am sure that the Verisign root and Intermediate certificates are ok because I have used them successfully in the past in the same server and recently to create the certificate chain for other system certificates of my EP 6.0 landscape.
  I am also sure that the Verisign CA root certificate exists in the
  database, I checked table STRUSTCERT and it is there. Also, if it didn't exist, I wouldn't have been able to import the Verisign certificate last year
  I haven't restarted ICM so the previous certificate still works. After the 12th of June though it will expire and all funtionality based on HTTPS in BW will not work.
  Many thanks in advance for your help
  Regards
  Andreas

  Just created a new SSL PSE and imported the certificate chain again and this time it worked...

• Signing in mail with a verisign certificate

  I have 2 certificates bought from Verisign that I used previously under 10.6.
  I made a clean install of 10.6 and then updated to 10.7, but even if I managed to import the certificates in the keychain access, the buttons in mail proposing the signature and encryption of emails doesn't appear.
  Thank you in advance for your help

  I haven't been able to resolve this issue using Mail and a Verisign certificate. So instead I tried Comodo and my Mail system now works perfectly with both signature and encryption. So perhaps the problem lies with Verisign rather than Apple......
  And Comodo is free, see http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

• How can I get an up to date Verisign certificate??

  For an app I need the Verisign certificate. I downloaded one from a link provided in this forum but once installed I see it valid until "15-07-2009" -- no good for me, I'm in August.
  Trawling the Verisign site didn't help ease the frustration.
  Any pointers? 
  It's a VeriSign Class 3 Code Signing Certificate. I've already updated the Nokia firmware to the latest version. 

  I can't seem to find any other place to put this but here.
  I have the same exact issue as the person who started this thread.
  I have a valid VeriSign Class 3 code signing certificate and when trying to do a OTA for a E63 phone the message shows "certificate not recognizable".
  VeriSign blames Nokia.
  What can I do for this?

• Verisign Certificates renewal Issue

  Hi
  We are running Sun Java Web Server 7.0 update 5 and wanted to renew verisign certificates for 2 more years.
  What i did:
  1. Got the certificates from Verisign with last year CSR (i'm not sure if previous CSR can be used or not)
  2. Using admin console (browser based) , i went to "server certificates" ->"install" and could successfully installed them (but there was a warning that duplicate nick name) and i selected ls2 (listener-2 for https)
  3. admin console shows renewal successful and expiry year is 2011.
  4. I also restarted both admin and web services
  But the problem that when i access the application from browser, it still says the expiry year as 2009.
  Please advise.
  Prvn

  Well ... I don't know WHICH three *db files you copied, or from where you copied them in the admin-serv directory.
  If the admin server appears to be working as expected, and the instance appears to be working as expected, then just make sure the admin server isn't telling you that changes have been made on the instance (if it is then tell it to copy the changes and make them the new current version).
  Depending on which files you copied from where you may end up with the admin server having the wrong certificates. This could cause a problem for any nodes that are registered with it. I think you'd already see a problem if this were going to break things though.
  In a perfect world everything is just working as expected now, and you're done. If you want to be extra cautious, though, you should restore the admin server's key3 and cert8 databases from a backup (these databases contain the self-signed certificate and its associated keys that were created when you installed Web Server).

• Installing verisign certificates

  Hi
  I have two load-balanced portal gateways , and I need to install a Verisign certificate on them.
  The question is: Do i have to create a csr request for each server and ask for separate certificates (obviously registering the same fqdn host name)??
  thanks a lot

  If your gateways have different hostnames, you have to get a separate certificate for each host. Otherwise, you will get a certificate mismatch error. If your gateways share the same hostname in a load balancing environment, one certificate can serve both servers. There may be licensing issues with this depending on your Certificate provider.
  To accomplish this task, create your CSR on gateway1, get it signed and install it. After gateway1 is complete, copy all the files in /etc/opt/SUNWps/cert/<profilename> from gateway1 to gateway2. Don�t forget the .files.
  Steve

• Importing Verisign Certificate on PIX7.1

  Hi there,
  After having importet Verisign Intermediate CA onto my PIX, I've send the CSR request to Verisign and gotten a Certificate back. Now when I try to import the returned certificate on the PIX, I get an error :
  Failed to parse or verify imported certificate
  Now, I've tried clearing all certs, reauthenticate the CA etc.
  Any ideas?
  Is it a problem that the CA is Intermediate? Can the CSR attributes contain spaces?
  Pix is running latest version 7
  Kind regards
  Kelvin Dam

  Hi koksm,
  Yeah - I got it to work. I dont know how many of these steps you have done, but heres how I did it :
  RSA-keys are probably already generated (also needed for ssh-access), but if you ever need to reissue the cert, regenerate the rsa keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:
  crypto key generate rsa
  Then define the trustpoint:
  crypto ca trustpoint Verisign
  crl optional
  enrollment terminal
  subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,[email protected]
  Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):
  crypto ca authenticate Verisign
  ---BEGIN--- or ---END--- lines do not matter>
  quit
  INFO: Certificate has the following attributes:
  Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a
  Do you accept this certificate? [yes/no]: yes
  Trustpoint CA certificate accepted.
  Generate the CSR:
  crypto ca enroll Verisign
  % Start certificate enrollment ..
  % The subject name in the certificate will be: xxxx
  % The fully-qualified domain name in the certificate will be: hostname.domain.com
  % Include the device serial number in the subject name? [yes/no]: no
  Display Certificate Request to terminal? [yes/no]: yes
  Certificate Request follows:
  MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t
  aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG
  ---End - This line not part of the certificate request---
  Redisplay enrollment request? [yes/no]: no
  Notice this is generate without ---BEGIN--- and ---END--- lines which you do need to add when submitting the form to the 3rd party CA.
  After succesful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END---- lines, so you might as well just copy the complete text:
  crypto ca import Verisign certificate
  % The fully-qualified domain name in the certificate will be: xxx.domain.com
  Enter the base 64 encoded certificate.
  End with the word "quit" on a line by itself
  -----BEGIN CERTIFICATE-----
  MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC
  MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR
  nq4BqbMitzpgxvK12hgS9ZDy62kC
  -----END CERTIFICATE-----
  quit
  INFO: Certificate successfully imported
  Make sure you activitate the trustpoint either as for use on all interfaces or on a specific interface using:
  ssl trust-point thawte.com [interface]
  One more thing - the verisign root cert, I did NOT get from their webpage, but I took the one that accompanies the Internet Explorer.
  Hope it helps
  Kdam

• Cacerts verisign certificate expires Jan 08 2004

  Two Verisign Certificates in the jdk 1.4 keystore 'jdk1.41/jre/lib/security/cacerts' expire on Thu Jan 08 2004.
  They are stored with alias 'verisignclass2ca' and 'verisignclass3ca'.
  A Weblogic Server Message looks like this:
  <Dec 16, 2003 5:39:13 PM CET> <Notice> <WebLogicServer> <BEA-000298> <Certificate expires in 22 days: [
  Version: V1
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@3e
  Validity: [From: Mon Jan 29 01:00:00 CET 1996,
                 To: Thu Jan 08 00:59:59 CET 2004]
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    e49efdf3 3ae80ecf a5113e19 a4240232]
  Algorithm: [MD2withRSA]
  Signature:
  0000: 61 70 EC 2F 3F 9E FD 2B E6 68 54 21 B0 67 79 08 ap./?..+.hT!.gy.
  0010: 0C 20 96 31 8A 0D 7A BE B6 26 DF 79 2C 22 69 49 . .1..z..&.y,"iI
  0020: 36 E3 97 77 62 61 A2 32 D7 7A 54 21 36 BA 02 C9 6..wba.2.zT!6...
  0030: 34 E7 25 DA 44 35 B0 D2 5C 80 5D B3 94 F8 F9 AC 4.%.D5..\.].....
  0040: EE A4 60 75 2A 1F 95 49 23 B1 4A 7C F4 B3 47 72 ..`u*..I#.J...Gr
  0050: 21 5B 7E 97 AB 54 AC 62 E7 5D EC AE 9B D2 C9 B2 ![...T.b.]......
  0060: 24 FB 82 AD E9 67 15 4B BA AA A6 F0 97 A0 F6 B0 $....g.K........
  0070: 97 57 00 C8 0C 3C 09 A0 82 04 BA 41 DA F7 99 A4 .W...<.....A....
  ]>
  Does anybody know,
  what that means for ssl ?
  Is there a Patch or a new cacerts file for download ?
  Thanks a lot.
  Ede

  I would assume that there are not that many certificates still
  being used that use those CA certs for their CA.
  As you probably noticed, there are a bunch of newer Verisign
  CA certs in that trust store (cacerts). The newer CA certs are
  probably the ones being used by certificates that are currently
  in use.
  I suppose you have to ship the older CA certs until they become
  invalid. I doubt that Verisign issued any certificates with those
  old CA anytime recently.
  -Steve

• Importing Verisign Certificate to Integrated ITS

  We currently have external ITS running on Microsoft IIS.  We are switching to integrated ITS and would like to import our existing Verisign certificate(s) to SAP WebAS 6.40 on ECC5.  We have tried exporting the certificate from IIS and importing it to SAP but the export file format - .pfx and others do not seem to be supported by SAP.  Has anyone done this successfully?  Thanks!

  We currently have external ITS running on Microsoft IIS.  We are switching to integrated ITS and would like to import our existing Verisign certificate(s) to SAP WebAS 6.40 on ECC5.  We have tried exporting the certificate from IIS and importing it to SAP but the export file format - .pfx and others do not seem to be supported by SAP.  Has anyone done this successfully?  Thanks!

• VeriSign Certificate  OR Unified Testing Initiative (UTI) root Certificate?

  Hello everybody!
  I've signed my J2ME application with a Verisign Class 3 Public Primary CA but it seems that wasn't a good deal!
  Indeed, once signed, this application no longer is supported by my Samsung SGH-D840 even if on a Nokia6300 all still run well.
  The difference between these 2 handsets regarding the signing aspects is that the SGH-D840 is not JSR-177 SATSA compatible whereas the Nokia6300 is.
  A friend told me that the Unified Testing Initiative (UTI) root certificate is available on more handsets than the VeriSign certificate. He seems be right because all the handsets marked with a (+) in the list at [http://www.javaverified.com/docs/Table_of_Supported_Devices_1.20.pdf|http://www.javaverified.com/docs/Table_of_Supported_Devices_1.20.pdf] support the UTI Certificate.
  My questions:
  1) Has anyone ever used the UTI certificate to sign a J2ME application? If yes, could the person tell me if he recommend it instead of VeriSign Certificate?
  2) Could you confirm if UTI certificate is supported by many more handsets (regardless to the manufacturer) in relationship with VeriSign Certificate?
  Thanks you in advance,
  arkienou

  Finally solved it
  Followed the instructions of note 694290 to import the certificate chain
  Essentially, I needed to export the already existing private key to a .p8 file named exactly after the already existing private key entry. Then, I delete the private key entry and  hit Load, put the .p8 file I just exported and then import my certificate file (CSR response), the intermediate CA certificate and the root CA certificate
  Regards
  Andreas

• Verisign certificate & Chain File Name

  Perhaps a newbie question, but here goes:
  I am having trouble installing a Verisign certificate on my Weblogic 6.0
  server. I have my private key and certificate file installed properly I
  believe, but am unsure what to put in the Certificate Chain File entry
  in the console. I only have 1 certificate for this server. I have tried
  to
  a) leave it empty - in which case it uses a default file name which does
  not exist
  b) use the certificate I got from Verisign
  c) export a class 3 certificate from my browser and use that file
  In all the cases that I give it an existing file name, I get the
  following stack trace:
  weblogic.security.CipherException: Incorrect encrypted block
  at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
  at
  weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
  at weblogic.security.X509.verifySignature(X509.java:243)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent
  security configuration, weblogic.security.AuthenticationException:
  Incorrect encrypted block possibly incorrect
  SSLServerCertificateChainFileName set for this server certificate>
  weblogic.security.AuthenticationException: Incorrect encrypted block
  possibly incorrect SSLServerCertificateChainFileName set for this server
  certificate
  at weblogic.security.X509.verifySignature(X509.java:251)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)

  OK. Found out what it was.
  The Server Certificate Chain File name is what Verisign calls the
  Intermediate Certificate. So what you need to do is grab that cert off the
  Verisign site, paste it into a new file on your server and put that file
  name in as the path to the Chain File name.
  New question: Why the 2 names for the same thing ? The documentation could
  be a bit clearer here, as it's a very simple process that seems more
  complicated than it needs to be (IMHO).
  Brian Hall wrote:
  Perhaps a newbie question, but here goes:
  I am having trouble installing a Verisign certificate on my Weblogic 6.0
  server. I have my private key and certificate file installed properly I
  believe, but am unsure what to put in the Certificate Chain File entry
  in the console. I only have 1 certificate for this server. I have tried
  to
  a) leave it empty - in which case it uses a default file name which does
  not exist
  b) use the certificate I got from Verisign
  c) export a class 3 certificate from my browser and use that file
  In all the cases that I give it an existing file name, I get the
  following stack trace:
  weblogic.security.CipherException: Incorrect encrypted block
  at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
  at
  weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
  at weblogic.security.X509.verifySignature(X509.java:243)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent
  security configuration, weblogic.security.AuthenticationException:
  Incorrect encrypted block possibly incorrect
  SSLServerCertificateChainFileName set for this server certificate>
  weblogic.security.AuthenticationException: Incorrect encrypted block
  possibly incorrect SSLServerCertificateChainFileName set for this server
  certificate
  at weblogic.security.X509.verifySignature(X509.java:251)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)

• How do I renew my Verisign certificate

  Our Verisign certificate is about to expire and we need to replace it. Verisign can generate a new certificate based on our original request. Does this mean that all I should really have to do is to open Oracle Wallet, delete the old user certificate and add the new user certificate? Are there other steps?

  I create a new request and a new wallet. Now I'm having trouble installing it on the app server. See Re: Install renew-ed user certificate in Wallet manager

• ISE 1.2 and iPEP Certificate Requirements

  Hi,
  For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
  Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Postur  certificate.
  [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
  Does the same thing applies for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide doesn't mention anything about EKU and specific certificate attributes..
  Any thoughts?
  Thank you,
  Octavian

  The EKU validation has been removed in version 1.2
  "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."
  Source:
  http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

• Private key and digital certificate

  I have a keystore . in ordeer to know what it contains ,i opened this keystore with this command ...keytool -list -keystore DemoIdentity.jks
  and i got,
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 1 entry
  demoidentity, Jan 4, 2007, keyEntry, // is it called private key ?
  Certificate fingerprint (MD5): 60:42:75:33:31:AA:9A:C6:9D:1A:CD:9F:22:8D:4A:6A // is it called certificate ?
  Question :
  I still dont understand what a keystore contains. does it contains "private key" + "digital certificate" ?
  If so , what are private keys and digital certificate in the above contents ?
  Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen

  The content of a 'keystore' is what you, or the person who provided it, put in it. In this case it looks like all it contains it a public key certificate with an alias of 'demoidentity' .