[solved] Renewing a verisign cert

Similar Messages

• Reloading the renewed 3rd Party Cert on WLC 5508

  So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file.  Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC?  Can't find any guidelines and instructions from Cisco on this.  Or do I need to go through the whole regenration of CSR process again etc? 

  Yes you would have to combine it again.... as long as you have your private key you should be fine.  Just go through the process for generating the CSR, but skip down to where you start combining it.
  Unchained Certificate:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
  Chained Certificates:
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

• Non-Verisign certs in WS7

  Hello,
  I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
  In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
  For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
  Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
  Thanks,
  Bill

  Output of wadm list-certs --verbose -all:
  nickname        issuer-name     expiry-date
  [email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PMThere is no -h option to certutil -L:
  certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
  # pk12util -o xxx -d . -n [email protected]:Server-Cert  
  Enter Password or Pin for "NSS Certificate DB":
  Enter Password or Pin for "[email protected]":
  Enter password for PKCS12 file:
  Re-enter password:
  pk12util: PKCS12 EXPORT SUCCESSFUL
  # pk12util -i xxx -d $PWD
  Enter Password or Pin for "NSS Certificate DB":
  Enter password for PKCS12 file:
  pk12util: PKCS12 IMPORT SUCCESSFUL
  # certutil -L -d .   
  Network Solutions Certificate Authority - GTE Corporation    c,, 
  Server-Cert                                                  u,u,u
  # certutil -L -d . -n Server-Cert
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
          Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
              ns L.L.C.,C=US"
          Validity:
              Not Before: Fri May 19 00:00:00 2006
              Not After : Sat May 19 23:59:59 2007
          Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
              et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
              S"
          Subject Public Key Info:
              Public Key Algorithm: PKCS #1 RSA Encryption
              RSA Public Key:
                  Modulus:
                      c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                      46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                      d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                      39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                      49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                      df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                      82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                      10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                  Exponent: 65537 (0x10001)
  (stuff deleted for brevity - let me know if you need to see all of this output)Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
  BTW, I also sent a note to NetSol's support people, and they had this thought:
  As we use an intermediate, that could be the reason why they are not listed.
  Without the intermediate it will not find a chain to the trusted root.
  We would recommend contacting the software provider for details on
  importing the intermediate into the application server.I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
  On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
  # certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
  -d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
  # certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
  -d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
  # certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
  -d . -a -i /tmp/certs/NetworkSolutions_CA.crt
  # certutil -L -d .                                                                                     
  Admin-Server-Cert                                            u,u,u
  Admin-Client-Cert                                            u,u,u
  AddTrust External Root                                       CT,C,C
  UTN-USERFirst-Hardware - AddTrust AB                         c,, 
  Network Solutions Certificate Authority - GTE Corporation    c,, 
  Admin-CA-Cert                                                CTu,u,uHowever, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
  Let me know what you'd like to see next.
  Thanks,
  Bill

• FYI. Verisign Cert & ACS

  for those who have troubles getting verisign cert working on the ACS box, i just spoke to a verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that are not compatible with verisign. Verisign is working on the issue, it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about what version of ACS causing the issue or so... I'm using ACS3.3 at the moment.

  I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
  When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
  Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
  It works fine after all that =)

• ACS SE w/ Verisign Cert

  I am using the CAS as an authenication server against AD for my wireless network. I have a WISM as my WLC and some of my users are getting a certifate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or cert not verified from the Iphone. The certificate is valid and I installed a intemediate CA. No matter what I try i can't get the error to go away.
  Could some please assist?
  Thanks
  mike

  I am using PEAP with MSCHAP. From the IPhone I am getting the cert is not verified, When I use the IntelPro supplicant on a Laptop, it refuses to log on even though I select use "any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computer, I don't believe that is correct. I am using a Verisign cert and so should already be on my computers.
  Internet explorer is not having an issue with the cert, the dell wireless WLAN client does not have a problem either.
  Mike

• Is verisign cert "multi purpose"?

  If i get a certificate from thawte, I can get the multi-purpose authenticode cert, export it from IE, import it into netscape and be able to sign netscape objects as well as CAB files.
  Can I do the same thing with the verisign cert? Verisign doesn't talk about this on their website, but maybe they just want people to pay $800 instead of $400? Just curious if anyone has tried this. If you have tried it, let me know.
  (before anyone asks, yes, I would love to go with thawte, and have in the past, but my organization has recently made the decision that thawte is no longer an option, so I have to go with verisign)
  Thanks!
  Kirby

  To fully answer my own question,
  I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
  I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
  Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

• Renewing Flash Access Certs when a HSM is used

  Hi
  our operations team came across a potential problem in the process of renewing Flash Access certs for
  When a HSM is not used: old certs are referenced in the FA config file so that they can be used to decrypt content that has been encrypted with the old certs. We have done this in the past and works fine.
  When a HSM IS used: the FA config file needs to be able to reference old certs stored on the HSM. It looks like the FA application is unable to do this. It is not possible to remove the private key from the HSM and so it is not an option to store the old certs locally on the license server (not that we would want to do that anyway).
  I’m not sure if it’s an option to point FA to the HSM to look for the certs. Any ideas how this can be done?
  thanks

  Hi DeclanK,
  Take a look at the flashaccess-refimpl.properties file.  The bottom of it should have all sorts of HSM-only configuration settings that you can modify to suit your needs.  You'll see that there are several additional server certificates (ServerCredential.Alias.1=, etc...) that you can set for your license server.  This is where your older certificates go.
  HOWEVER, please note that your license server will not work unless you also have a non-expired certificate set (ServerCredential.Alias=).
  cheers,
  /Eric.
  # HSM Properties #
  # Enables or disables the packager use of HSM. If this is set to true, then set up all the HSM related properties.
  RefImpl.HSM.Enabled=false
  # Full path of configuration file name passed to sun.security.pkcs11.SunPKCS11(configFile)
  RefImpl.SunPKCS11.ConfigFileName=[pkcs11-filename.cfg]
  # HSM partition password ** See note above regarding passwords **
  #RefImpl.HSM.PartitionPWD=[your-hardware-password]
  # Alias of Adobe-issued server transport credential (certificate and private key) stored on HSM
  # When HSM is enabled, use this property instead of HandlerConfiguration.ServerTransportCredential and
  # HandlerConfiguration.ServerTransportCredential.password
  #RefImpl.HSM.HandlerConfiguration.ServerTransportCredential.Alias=[transport_cert_alias]
  # Aliases of additional Adobe-issued server transport credentials (certificate and private key) stored on HSM
  # When HSM is enabled, use this property instead of HandlerConfiguration.AdditionalServerTransportCredential.n and
  # HandlerConfiguration.AdditionalServerTransportCredential.n.password
  #RefImpl.HSM.HandlerConfiguration.AdditionalServerTransportCredential.Alias.1=[transport_c ert_alias]
  #RefImpl.HSM.HandlerConfiguration.AdditionalServerTransportCredential.Alias.2=[transport_c ert_alias]
  # Aliases of authorized Domain CA certificates stored on HSM
  # When HSM is enabled, use this property instead of HandlerConfiguration.DomainCAs.n
  #RefImpl.HSM.HandlerConfiguration.DomainCAs.Alias.1=[domain_ca_cert_alias]
  #RefImpl.HSM.HandlerConfiguration.DomainCAs.Alias.2=[domain_ca_cert_alias]
  # Alias of Adobe-issued license server certificate stored on HSM
  # Used to verify validity of Machine Revocation List
  # When HSM is enabled, use this property instead of RevocationList.verifySignature.X509Certificate
  #RefImpl.HSM.RevocationList.verifySignature.X509Certificate.Alias=[license_server_cert_ali as]
  # Alias of Adobe-issued license server credential (certificate and private key) stored on HSM
  # When HSM is enabled, use this property instead of LicenseHandler.ServerCredential and
  # LicenseHandler.ServerCredential.password
  #RefImpl.HSM.LicenseHandler.ServerCredential.Alias=[license_server_cert_alias]
  # Aliases of additional Adobe-issued license server credentials (certificate and private key) stored on HSM
  # When HSM is enabled, use this property instead of AsymmetricKeyRetrieval.ServerCredential.n and
  # AsymmetricKeyRetrieval.ServerCredential.n.password
  #RefImpl.HSM.AsymmetricKeyRetrieval.ServerCredential.Alias.1=[license_server_cert_alias]
  #RefImpl.HSM.AsymmetricKeyRetrieval.ServerCredential.Alias.2=[license_server_cert_alias]
  # Alias of Adobe-issued domain CA credential (certificate and private key) stored on HSM
  # When HSM is enabled, use this property instead of DomainRegistrationHandler.ServerCredential and
  # DomainRegistrationHandler.ServerCredential.password
  #RefImpl.HSM.DomainRegistrationHandler.ServerCredential.Alias=[domain_ca_cert_alias]
  # Alias of Adobe-issued Packager credential (certificate and private key) stored on HSM
  # This parameter is used when converting FMRMS 1.x metadata to Adobe Access format.
  # When HSM is enabled, use this property instead of MetaDataConverter.SignatureParameters.ServerCredential
  # and MetaDataConverter.SignatureParameters.ServerCredential.password
  #RefImpl.HSM.MetaDataConverter.SignatureParameters.ServerCredential.Alias=[packager_cert_a lias]
  # Alias of Adobe-issued License Server Certificate stored on HSM
  # When HSM is enabled, use this property instead of V2KeyParameters.KeyOptions.AsymmetricKeyOptions.Certificate
  #RefImpl.HSM.V2KeyParameters.KeyOptions.AsymmetricKeyOptions.Certificate.Alias=[license_se rver_cert_alias]
  # Alias of Adobe-issued server transport certificate stored on HSM
  # When HSM is enabled, use this property instead of V2KeyParameters.LicenseServerTransportCertificate
  #RefImpl.HSM.V2KeyParameters.LicenseServerTransportCertificate.Alias=[transport_cert_alias ]
  # Alias of Key Server's Adobe-issued license server certificate stored on HSM
  # When HSM is enabled, use this property instead of HandlerConfiguration.KeyServerCertificate
  #RefImpl.HSM.HandlerConfiguration.KeyServerCertificate.Alias=key_server_cert_alias

• About Profile manager renew code signing cert

  I am using the profile manager service in Mac OS X 10.7 Server.
  My code signing cert just got expired, and the serial no. is 1. So i followed the apple guide to renew the cert in terminal
  ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
  /usr/sbin/certadmin Cannot find the certificate: ipad.example.com
  I can renew the another one successfully but only this cannot renew, I don't know why (maybe related to the serial? too short?)
  Anyone know how to solve it?
  Thank you very much
  BTW, Any method can generate the cert for 10 years or renew the cert without re-enroll the device? because I don't want renew the cert every year and ask user enroll again.

  I am using the profile manager service in Mac OS X 10.7 Server.
  My code signing cert just got expired, and the serial no. is 1. So i followed the apple guide to renew the cert in terminal
  ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
  /usr/sbin/certadmin Cannot find the certificate: ipad.example.com
  I can renew the another one successfully but only this cannot renew, I don't know why (maybe related to the serial? too short?)
  Anyone know how to solve it?
  Thank you very much
  BTW, Any method can generate the cert for 10 years or renew the cert without re-enroll the device? because I don't want renew the cert every year and ask user enroll again.

• Verisign CERT Root Changw

  Verisign as of Oct. 10th has change the root ca they sign CERTS with. Our 802.1x supplicants are configured to trust only the older Class 3 Public Primary root that is part of widows. Is there any way to configure the ACS box to support the older root as reconfiguring all the supplicants is a non-trivial task. I wondered if there was a way to create a self-signed CERT to act as the root? Has anyone had this problem? Thanks

  Bruce,
  ACS can genrate self sign certificate but this will only work when client do not validate server certificate. If validation is required in your setup then self sign cert wont help.
  If installing cert on each client is feasable then configured not to validate server cert then your current set up will work fine.
  Regards,
  ~JG
  Do rate helpful posts

• VeriSign cert and IE5 on WLCS

  Hi.
  We installed the purchased certificate (from VeriSign) on our server
  WebLogicCommerceServer( weblogic.security.certificate.server &
  weblogic.security.key.server ).
  When the client accesses this host with IE5.5 browser, everything is OK.
  When the client uses IE5, however, he gets an error "the security
  certificate was issued by a company you have not choosen to trust".
  If we're adding weblogic.security.certificate.authority to point to a
  VeriSign root certificate (which we took from their site), then sometimes
  the client gets a "can't display page", and sometimes the same error as
  above.
  Any hints?

  To fully answer my own question,
  I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
  I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
  Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

• How do I renew my Verisign certificate

  Our Verisign certificate is about to expire and we need to replace it. Verisign can generate a new certificate based on our original request. Does this mean that all I should really have to do is to open Oracle Wallet, delete the old user certificate and add the new user certificate? Are there other steps?

  I create a new request and a new wallet. Now I'm having trouble installing it on the app server. See Re: Install renew-ed user certificate in Wallet manager

• Renewed Self signed cert not visible in certmgr.msc

  I am helping a friend's small company with their IT needs and just renewed their self signed exchange certificate. Both the old and new certs show up in the exchange management shell, but only the old cert shows up in Cert Manager MMC on the server.
  Comparing the two certs in the Exchange mgmt shell, the only real difference is with the RootCAType. The old shows "GroupPolicy", and the new shows "None".
  How do I get the new cert into the "Trusted Root Cert... Authorities" in certmgr.msc?

  Don't do certmgr.msc that opens the user store by default. Open mmc than add snap in, certficates store and select local computer and not user.
  James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
  I cannot even see the Add/Remove Snap-In option in my computer management/mmc. Also, there is no console root present. How do I fix this
  Fixed it. You need to open mmc.exe and not computer management. 
  Steps - 
  search for mmc.exe, open it.
  file > add/remove snap-in > Highlight certificates >
  add button > snap in will always manage certificates for
  == My User Account > ok.
  The other options besides, are computer account, network service. I don't know their purpose.

• Automatically accept VeriSign certs?

  Hi all. I'm pretty new to SSL so any help with this question would be appreciated.
  I have a web service app running on a WebLogic 10.3 server (let's call it ServerA). This web service app also contains a web service client to make calls to another web service app running on another server somewhere (let's call it ServerB).
  ServerB is beyond my control, but happens to be behind the same firewall as ServerA. For my app on ServerA, I've been asked to "auto-accept the connection (trust VeriSign)" when making a web service call to ServerB. I believe this is to avoid certificates expiring, but I may be wrong.
  Can anyone tell me how (either in the WebLogic console or in my Java code) to automatically trust VeriSign certificates?
  Forgive my ignorance on this subject. It's my first time working with SSL.

  You probably want to also try the security forum:
  WebLogic Server - Security
  Specify whether you are using just 1-way SSL (where this should work without intervention I believe using the CA list with the JVM). If you're using 2-way SSL, then I think you'll need to do some key importing.
  You should really consult someone who understands security requirements in your environment on what they want, as this is something you really want to get right and not misconfigure.

• Installing Verisign Cert failure

  I have a certificate from verisign and it asks me for the private key file? Verisign didn't give me a private key file, where would I find this file?
  Thanks
  mike

  Hello Michael,
  VeriSign does provide you with the certificate which is the signed public key. For security reasons, the private key is not something that you would provide to VeriSign as this needs to remain on your server or device. It should not be shared with another party. Depending on what was used to generate the key pair, the private key may simply be a file located in a certain path or it could possibly be hidden.
  Please feel free to contact us for further assistance.
  Phone: 1-877-438-8776 Option 1, 2
  Email: [email protected]
  Regards,
  Frank
  VeriSign Technical Support
  VeriSign, Inc.

• ACS - Verisign Cert - PEAP Auth - XP Clients

  Hi
  I am hoping to implement PEAP using a server certificate on ACS generated from a real CA like Verisign/Thawte etc to prevent having to distribute an internal root CA certificate to all clients.
  I have discovered that Verisign provide a WLAN Auth certificate product , but this appears to be specificlly for IAS.
  Does anybody know whether I can just generate a certificate reest from the ACS box and use any certificate , or is there a particular type I need?
  Any help would be much appreciated!
  Thanks
  Leon

  CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed.Refer http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.