SSL Cert. Request with multiple CNs?

Similar Messages

• Issues with certificates with multiple CNs

  Hi,
  I manage my own internal Windows Certificate Authority which I use to sign certificate requests for internal web servers. I have an odd issue.
  If I create a CSR from a server that has multiple CNs (e.g. 10.1.1.25, *.mydomain.local, www.mydomain.local) FF 9 and FF 10 both complain about the certificate "The connection is not trusted". It would appear FF is only using one of the CNs to validate the site in question. i.e. if I visit the site via 10.1.1.25 I get the warning. If I use www.mydomain.local I do not receive the warning.
  Further, I do not have this issue with IE9. Is there something broken with FF and sites that use multiple CNs in their SSL cert? Or perhaps am I doing something wrong when generating the CSR (not that I see how, as it's a standard template I use, and it works flawlessly with IE9 browsers)?

  # curl -v https://areaclienti187.telecomitalia.it
  * Rebuilt URL to: https://areaclienti187.telecomitalia.it/
  * Hostname was NOT found in DNS cache
  * Trying 62.77.57.164...
  * Connected to areaclienti187.telecomitalia.it (62.77.57.164) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using TLSv1.0 / AES128-SHA
  * Server certificate:
  * subject: C=IT; ST=Italy; L=Pomezia; O=Telecomitalia; OU=ADM.AP.PM.WO; CN=areaclienti187.telecomitalia.it; emailAddress=[email protected]
  * start date: 2013-10-08 10:06:37 GMT
  * expire date: 2014-10-08 10:06:37 GMT
  * common name: areaclienti187.telecomitalia.it (matched)
  * issuer: C=IT; O=I.T. Telecom; OU=Servizi di certificazione; CN=I.T. Telecom Global CA
  * SSL certificate verify ok.
  With curl no problem at all.
  Last edited by saronno (2014-08-15 19:10:09)

• Create Service Request with Multiple Choices

  Dears,
  I need to create Service Request to appear in the portal with Multiple Choices like blow 
  Mohamed Fawzi | http://fawzi.wordpress.com

  Hi Mohamed.
  I am sitting almost in the same sudation, I am designing a service request form in the portal and will be using multiple checkboxes for various new equipment aka desktop, laptop, mobile blah blah.
  were you able to get multiple checkboxes to work in the portal, and if so, could you possibly share the solution. also if I may ask, can you have two or there checkboxes in the same row (next to each other), or only in a column?
  thanks in advance

• Saving spool request with multiple Adobe PDF files to local directory

  Hi,
  I have a spool file with multiple Adobe PDF files in it.  You can only save the spool content to local directory by opening and save each PDF files.  Does anyone know whether there is a way to combine all the PDF files within a spool into one big PDF file?
  Chuin

  Are you using any plugins, like PDFlyer?

• SSL Cert problem with smtp

  If I use a self signed cert and name it default the smtp mail service works.
  If I try to use the cert I got from the CA, the imap service works with the cert, however the smtp service does not.
  This is most odd

  You don't need to buy a new one.
  See here for more info:
  http://discussions.apple.com/thread.jspa?messageID=6251145&#6251145

• Problems setting up 2way SSL with option Client certs requested Not Enfor

  Hi,
  Iam having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives an 401 unauthorized exception.
  Any help with this will be greatly appreciated.
  Thanks
  Praveena.

  Hi Peter,
  I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
  I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to and that was over 20 hours ago.
  Can your client receive emails? I can only get my client's account receiving emails, when I try to send an email I just keep receiving an message telling me that it cannot connect to smtp!
  According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587.
  However it's not blocked and those port settings didn't work either.
  The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
  Good luck, and please repost if you get any further.
  I am now just looking for a reason that my client's mail WONT work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
  Penny

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• CSS11500 SSL handling question for multiple url/FQDNs with the same ip address

  I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url.   For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:
  content cats
  vip address 192.168.35.12
  port 80
  url "//www.cats.com/*"
  add server cats1
  add server cats2
  active
  content dogs
  vip 192.168.35.12
  port 80
  url "//www.dogs.com/*"
  add server dogs1
  add server dogs2
  active.
  Easy and straightforward.
  But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?
  I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
  Can this be done?  Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service?  Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
  Thanks in advance for any insights.

  Hi Tim,
  Unfortunately this is not possible; you can't associate multiple certificates to a single proxy list due to the fact that SSL handshake is done first with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.
  But there are a couple of options that you may want to look at (depending on the URL string)
  If your URLs are subdomains and you hold a wildcard SSL certficate to match multiple requests, i.e your domain being "pets.com" you can have a certficate that will match request for dogs.pets.com or cats.pets.com because the cert will be in the form *.pets.com
  The second option is SAN (Subject alternative names) certificates; which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.
  I hope this helps.
  Pablo

• [svn] 949: Bug: BLZ-96 - When sending a HttpService request from ActionScript with multiple headers with the same name , it causes a ClassCastException in the server

  Revision: 949
  Author: [email protected]
  Date: 2008-03-27 07:12:59 -0700 (Thu, 27 Mar 2008)
  Log Message:
  Bug: BLZ-96 - When sending a HttpService request from ActionScript with multiple headers with the same name, it causes a ClassCastException in the server
  QA: Yes - try again with legacy-collection true and false.
  Doc: No
  Checkintests: Pass
  Details: Another try in fixing this bug. When legacy-collection is false, Actionscript Array on the client becomes Java Array on the server and my fix yesterday assumed this case. However, when legacy-collection is true, Actionscript Array becomes Java ArrayList on the server. So added code to handle this case.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/BLZ-96
  Modified Paths:
  blazeds/branches/3.0.x/modules/proxy/src/java/flex/messaging/services/http/proxy/RequestF ilter.java

  Hi all!
  Just to post the solution to this if anyone ever runs accross this thread...
  For some reason i had it bad the first time, don't have time right now to see why but here is what worked for me:
  HashMap primaryFile = new HashMap();
  primaryFile.put("fileContent", bFile);
  primaryFile.put("fileName", uploadedFile.getFilename());
  operationBinding.getParamsMap().put("primaryFile", primaryFile);
  HashMap customDocMetadata = new HashMap();
  HashMap [] properties = new HashMap[1];
  HashMap customMetadataPropertyRoom = new HashMap();
  customMetadataPropertyRoom.put("name", "xRoom");
  customMetadataPropertyRoom.put("value", "SOME ROOM");
  properties[0] = customMetadataPropertyRoom;
  customDocMetadata.put("property", properties);
  operationBinding.getParamsMap().put("CustomDocMetaData", customDocMetadata);
  Basically an unbounded wsdl type is an array of objects (HashMaps), makes sense, i thought i had it like this before, must have messed up somewhere...
  Good luck all!

• [svn] 931: Bug: BLZ-96 - When sending a HttpService request from ActionScript with multiple headers with the same name , it causes a ClassCastException in the server

  Revision: 931
  Author: [email protected]
  Date: 2008-03-26 11:31:01 -0700 (Wed, 26 Mar 2008)
  Log Message:
  Bug: BLZ-96 - When sending a HttpService request from ActionScript with multiple headers with the same name, it causes a ClassCastException in the server
  QA: Yes - we need automated tests for this basic case.
  Doc: No
  Checkintests: Pass
  Details: RequestFilter was not handling multiple headers with the same name properly.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/BLZ-96
  Modified Paths:
  blazeds/branches/3.0.x/modules/proxy/src/java/flex/messaging/services/http/proxy/RequestF ilter.java

  Hi all!
  Just to post the solution to this if anyone ever runs accross this thread...
  For some reason i had it bad the first time, don't have time right now to see why but here is what worked for me:
  HashMap primaryFile = new HashMap();
  primaryFile.put("fileContent", bFile);
  primaryFile.put("fileName", uploadedFile.getFilename());
  operationBinding.getParamsMap().put("primaryFile", primaryFile);
  HashMap customDocMetadata = new HashMap();
  HashMap [] properties = new HashMap[1];
  HashMap customMetadataPropertyRoom = new HashMap();
  customMetadataPropertyRoom.put("name", "xRoom");
  customMetadataPropertyRoom.put("value", "SOME ROOM");
  properties[0] = customMetadataPropertyRoom;
  customDocMetadata.put("property", properties);
  operationBinding.getParamsMap().put("CustomDocMetaData", customDocMetadata);
  Basically an unbounded wsdl type is an array of objects (HashMaps), makes sense, i thought i had it like this before, must have messed up somewhere...
  Good luck all!

• Multiple SSL Certs in one SSL Proxy/VIP

  Guys
  I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  Ive created alot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
  However Im not sure how are take two different SSL certs, and bind them to the same SSL Proxy, inorder for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port something like 8443, and adding another class under the multi-match policy.
  Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
  Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?
  Thanks

  Cathy
  Thanks for the reply, thats what i was thinking. we use wild card certificates for several of the other domains, how we need to provide  certificates for www.website.com and ww2.website.com due to cost.
  Is it possible to replace the L4 policy map, with a straight L7 so that we are load balancing directly on URL as apposed to verifying L4 matches first?  Or would this not be advisable / possible.  I always thought it was the L4 policy that made the VIP proxy?
  Can SAN certs not be used in this example?
  Thanks

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

  We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
  Currently i am only able to generate SSL cert with md5RSA.

  Hi,
  Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
  Therefore, you need to build a new CA to use a new algorithm.
  More information for you:
  Is it possible to change the hash algorithm when I renew the Root CA
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
  Changing public key algorithm of a CA certificate
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
  modify CA configuration after Migration
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
  Best Regards,
  Amy Wang

• Getting sec_error_inadequate_cert_type with Private SSL Cert

  Howdy,
  I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
  I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
  One of the certs that hasn't expired yet but is experiencing problems can be found here:
  * https://forums.silicateillusion.org
  One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
  * https://phpmyadmin.endofevolution.com
  These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
  A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
  Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
  The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
  The CA Cert is in FireFox's store as trusted.
  If needed, I can provide certs.

  ''SniperFodder [[#answer-626818|said]]''
  <blockquote>
  I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
  I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
  I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
  I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
  "Certificate type not approved for application."
  </blockquote>

• Security Management Appliance - Multiple SSL Cert support.

  Does anyone know if the SMA supports multiple SSL certs?  We would like to create a cert for our users that access the Spam Quarantine that uses a different FQDN from what we have now for admin access.
  I noticed in instuctions for importing certs into the SMA, that it does ask if you want to use that cert for everything, but I haven't found anything that elaborates on what options you have if you say NO.  I'm guessing from that question that it allows for a different cert for a different function, but I'd like confirmation and maybe direction on how to implement.
  Thanks in advance.

  You can install a different cert for different process:
  http://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html
  Certificates can be used for four different services:
  Inbound TLS
  Outbound TLS
  HTTPS
  LDAPS
  When you say No, you'll just need to be prepared to enter in the separate certs as needed for each process.  And, SMA is still CLI only for cert management.
  -Robert