SSL certificate and use?

Hi,
some time ago I've become aware of the presence of an SSL certificate for for the Arch homepage.
Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.
Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?
I ask mainly because of paranoia and secondly out of curiosity.

cactus wrote:The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).
It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.
As you're not using officially signed certs any longer, you could also do the following:
You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.
I've found a really well-written howto here, and I've already tested it within my local network.
Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience how to get signed by an official institution.
Or you could also ship your root cert with the installation iso, similar to Ubuntu shipping the public pgp-keys of their package-managers with there installation isos.
This is of course only a suggestion, but as I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.
I'm pretty interested in everyone's feedback. Maybe there's even one who has experience about other distros and how they've handled that problem.

Similar Messages

  • Creating SSL certificate and configuring it with JBOSS 4.0.1

    I have to post some data to a secured site from my application.
    For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
    But, while creating the stream it is showing SSLException and message is No trusted certificate found.
    For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
    Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

    I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
    See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

  • SSL certificates and Web Services Usage inside Oracle Database Questions!

    We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
    Service1 is already working, and we can call the service from PL/SQL without troubles.
    However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
    Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
         - SSL Certificates:
    1- Can installed certificates in the Database put in risk the stability of the database?
              2- Can installed certificates in the Database generate performance issues?
              3- Can installed certificates reloading the Databases?
              2- Can installed certificates in the Database generate security issues?
         - Web services:
    1- Can web services calling from the Database put in risk the stability of the database?
    2- Can web services calling from the Database generate performance issues?
    3- Can web services calling from the Database generate security issues in the DMZ?
    Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
    Those are the links describing the procedure mentioned above.
    1 -http://www.kotti.es/2009/11/oracle-wallet/
    DB: Oracle 9i.
    Average number of lines in file: 300
    Periodicity: Twice at day.

    Thiago:
    You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
    I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
    http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
    Regards,
    Jason

  • SSL Certificate and SSL Authentication

    Hi-
    I'm hoping someone can shed some light on this issue.
    First off, is there a difference between SSL Certificate and SSL Authentication?
    I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
    But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
    If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
    Any advice would be appreciated.
    Thanks!

    Hi Imagine,
    You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port #s are correct and you simply check mark the SSL boxes and leave authentication on Password at least on most setups. Each host maybe different so you have to double check with them.
    Hope That Helps,
    Eric

  • HTTPS SSL Certificate Signed using Weak Hashing Algorithm

    I am support one client for,  whom falls under Security  scans mandatory for new implementation of ASA 5520 device .  The client uses Nessus Scan and  the test results are attached
    The Nessus scanner hit on 1 Medium vulnerabilities, Could you pls review the statement and provide work around for the same.
    Nessus Scanner reports
    Medium Severity Vulnerability
    Port : https (443/tcp)
    Issue:
    SSL Certificate Signed using Weak Hashing  Algorithm
    Synopsis :
    The SSL certificate has been signed using  a weak hash algorithm.
    Description :
    The remote service uses an  SSL certificate that has been signed using
    a cryptographically weak hashing  algorithm - MD2, MD4, or MD5. These
    signature algorithms are known to be  vulnerable to collision attacks.
    In theory, a determined attacker may be  able to leverage this weakness
    to generate another certificate with the same  digital signature, which
    could allow him to masquerade as the affected  service.
    See also :
    http://tools.ietf.org/html/rfc3279
    http://www.phreedom.org/research/rogue-ca/
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    http://www.kb.cert.org/vuls/id/836068
    Solution :
    Contact the Certificate Authority to have the certificate  reissued.
    Plugin Output :
    Here is the service's SSL certificate  :
    Subject Name:
    Common Name: xxxxxxxxxx
    Issuer Name:
    Common Name: xxxxxxxxxx
    Serial Number: D8 2E 56 4E
    Version: 3
    Signature Algorithm: MD5 With RSA  Encryption
    Not Valid Before: Aug 25 11:15:36 2011 GMT
    Not Valid After:  Aug 22 11:15:36 2021 GMT
    Public Key Info:
    Algorithm: RSA  Encryption
    Public Key: 00 AA AB 57 9C 74 FF E9 FB 68 E1 BF 69 90 8E D2 65 7F  DF 40
    D6 F6 29 E7 35 5E 16 FB 76 AA 03 3F 47 07 5A D0 6D 07 E0 EC
    06 7E  D4 9A 43 C6 B3 A6 93 B7 76 CC 58 31 25 36 98 04 30 E6
    77 56 D7 C3 EE EF 7A  79 21 5E A0 78 9B F6 1B C5 E6 2A 10 B5
    CB 90 3D 6D 7C A0 8D B1 B8 76 61 7F  E2 D1 00 45 E2 A1 C7 9F
    57 00 37 60 27 E1 56 2A 83 F5 0E 48 36 CC 61 85 59  54 0C CB
    78 82 FB 50 17 CB 7D CD 15
    Exponent: 01 00 01
    Signature: 00 24 51 24 25 47 62 30 73 95 37 C4 71 7E BD E4 95 68 76 35
    2E AF 2B 4A 23 EE 15 AF E9 09 93 3F 02 BB F8 45 00 A1 12 A9
    F7 5A 0C E8  4D DB AE 92 70 E4 4C 24 10 58 6B A9 87 E1 F0 12
    AE 12 18 E8 AB DF B9 02 F7  DA BE 3C 45 02 C4 1E 81 44 C2 74
    25 A2 81 E7 D6 38 ED B9 66 4C 4A 17 AC E3  05 1A 01 14 88 23
    E8 9F 3B 5C C5 B8 13 97 27 17 C3 02 5F 6E 7C DB 4C D3 65  B5
    C5 FC 94 62 59 04 E7 7E FB
    CVE :
    CVE-2004-2761
    BID :
    BID 11849
    BID  33065
    Other References :
    OSVDB:45106
    OSVDB:45108
    OSVDB:45127
    CWE:310
    Nessus Plugin ID  :
    35291
    VulnDB ID:
    69469
    and try with configure the ssl encryption method with " ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5" but it throws the same issue.
    Here is ASA log
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
    6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
    6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
    6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587
    H

    Hi Ramkumar,
    The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
    If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
    If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
    The links you posted have more information on this as well. Hope that helps.
    -Mike

  • SSL certificates and/ or Oracle Certificate Authority

    Our Oracle infrastructure is as follows:
    1.Database server
    (a)Oracle 9i R2 database
    (b) Oracle ApEx 2.2
    2. Infrastructure server
    (a) Oracle 10g (9.0.4.x.x) Infrastructure
    (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
    (c) SSO - configured as Windows Native authentication
    3. Application server
    (a)Oracle 10g (9.0.4.x.x) Forms and reports server
    Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
    I was reading through Oracle Certificate Authority and Secure Sockets Layer.
    1. Is there a difference between the two products?
    2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
    Thanks,
    Mayura

    Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
    SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
    The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
    To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
    1. From the web browser to the middle tier
    2. End user to database
    3. from the middle tier to OID
    4. from the middle tier to the database
    5. From OID to active directory

  • What kind of SSL Certificate to use on Profile Manager?

    I would like to get my SSL CSR signed to use it with Profile Manager, but on the CA's website it asks me what kind of SSL Certificate I need giving me these options: 
    <option value=1>AOL</option>
                          <option value=2>Apache-ModSSL</option>
                          <option value=3>Apache-SSL (Ben-SSL, not Stronghold)</option>
                          <option value=4>C2Net Stronghold</option>
                          <option value=33>Cisco 3000 Series VPN Concentrator</option>
                          <option value=34>Citrix</option>
                          <option value=5>Cobalt Raq</option>
                          <option value=6>Covalent Server Software</option>
                          <option value=29>Ensim</option>
                          <option value=32>HSphere</option>
                          <option value=7>IBM HTTP Server</option>
                          <option value=8>IBM Internet Connection Server</option>
                          <option value=9>iPlanet</option>
                          <option value=10>Java Web Server (Javasoft / Sun)</option>
                          <option value=11>Lotus Domino</option>
                          <option value=12>Lotus Domino Go!</option>
                          <option value=13>Microsoft IIS 1.x to 4.x</option>
                          <option value=14>Microsoft IIS 5.x to 6.x</option>
                          <option value=35>Microsoft IIS 7.x and later</option>
                          <option value=15>Netscape Enterprise Server</option>
                          <option value=16>Netscape FastTrack</option>
                          <option value=17>Novell Web Server</option>
                          <option value=18>Oracle</option>
                          <option value=30>Plesk</option>
                          <option value=19>Quid Pro Quo</option>
                          <option value=20>R3 SSL Server</option>
                          <option value=21>Raven SSL</option>
                          <option value=22>RedHat Linux</option>
                          <option value=23>SAP Web Application Server</option>
                          <option value=24>Tomcat</option>
                          <option value=25>Website Professional</option>
                          <option value=26>WebStar 4.x and later</option>
                          <option value=27>WebTen (from Tenon)</option>
                          <option value=31>WHM/CPanel</option>
                          <option value=28>Zeus Web Server</option>
                          <option value=-1>OTHER</option>
    which one should I use?

    If the Certificate is already on your Mac, you can examine it in the "Keychain Access" application.  What they are asking you is who issued the Certificate.  If you do not see the Issuer listed, try "Other".

  • SSL certificates and GWIA

    I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
    Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
    Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
    It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
    Any suggestions would be welcome !
    Thanks !

    Hi, I very recently had a similar problem...our existing 3rd party ssl external Verisign certificate expired!!!!
    I have'nt been able to in the past configure a 3rd party ssl certificate into our current Groupwise 7 system due to lots of various methods of doing this task....i got quite confused and if you do not do things in the correct order the whole process will need to ber started over again.
    Ive managed to eventually cracked it and figure out a simple and more structured approach to setting this up.
    The following was in relation to applying the 3rd party external certificate to WEBACCESS
    This was the steps i took:
    Firstly ensure you have the registered details you completed already with your 3rd party SSL supplier, they should have provided you with a:
    OU
    O
    L
    S
    C
    the CN is the webaddress or DNS name your users will hit to access your secured page - we will add this later.
    1) Highlight the container where your server is located which will be the host application part of the webaccess that the ssl is assigned to.
    (my setup is, i have my main grpwise system in one tree, my application - webaccess component in a separate tree) - we need to re-create the SSL object in the second tree or the container where the application component is located.
    2) Right-click to create an object > from the list choose > NDSPKI:Key Material.
    3) Give a name for the certificate name object > then select the second option > Custom.
    (This will allow you to enter more specific information relating to the 3rd party ssl certificate)
    4) The next screen select "External Certificate authority" - this would be your 3rd party ssl. Click next
    5) Next screen asks for the Key size, accept the default value of "2048 bits" > tick "Allow private key to be exported", click next.
    6) Next screen asks for the Certificate Parameters, depending on the order of your, CN, OU,O,L,S,C
    I clicked the edit button and then clicked the small arrow icon to switch the SSL URL around so that my .cn=webserver url address will be read first then the - OU,O,L,S,C.
    (PLEASE NOTE: The (OU,O,L,S,C) should be identical to what was initially registered with your 3rd party SSL supplier.
    7)Once you are happy with the details click "Finish".
    8) You will immediately be asked where to save the "b64" file that will be generated which will be sent off to your 3rd party supplier for re-minting.
    choose a file name - ensure no hyphens,or special characters etc are used and keep to the 8.3 naming length just to avoid any long name issues, i do believe that by adding a hyphen may cause problems as the system automatically puts a hyphen to separate the names automatically hence that is why its advised not to use this.
    I saved my file to root of my c:\
    9)Once this has been done and you click save, send the file off to your 3rd party SSL supplier, they will re-mint the "b64" file and you should get back 2 files:
    a)file.cer
    b)Intermediate.cer
    (filenames could be anything)
    10) Select the "KMO object" you created earlier in step 2, then goto the Certificate tab > Trusted Root certificate" tab to import the Intermediate.csr file sent to you.
    Select import > then read from file and browse for the "Intermediate.csr" file - i chose root of my c:\ to save the re-minted 2 files sent back to me.
    Select the Intermediate file, you should see some encrypted characters show in the blank screen, then select Ok or finish.
    If you see a pop up window stating " Subject name mismatch error" dont worry this is merely a cosmetic issue due to the details not being in the exact naming order, it has been IMPORTED!!
    Click OK.
    Once you have done this you should see your first key pair file imported, check the subject name, Issuer name, effect date, expiration date, certificate status details, these should all show the 3rd party certificate details.
    Then next part is to import the second key pair file.
    Click Certificate>Public Key Certificate tab > import.
    Select to read from file> then browse for the file.csr
    You should see the encrypted characters, then select ok or finish.
    Now you have competed the difficult part you now need to tell you application what SSL object to point to in order to use the SSL encryption.
    For webaccess, you have to edit the apache conf files and enter the name of the SSL/KMO object you created earler.
    11) Goto your application server that will use the ssl, then browse to:
    server\sys\apache2\conf
    edit a file called "httpd.conf"
    then
    amend or add the section:
    SecureListen 443 "Verisign"
    Save theses changes - then shut down your web services on the server, apache, etc. ie, type :
    Apache shutdown commands:
    ap2webdn
    tc4stop
    admsrvdn
    Apache load commands:
    apache2
    ap2webup
    tc4stop
    admsrvup
    wait a minute or so so that the services can be unloaded.
    If you think its safer to do so, you can restart the server - that way you know for sure that everything has been unloaded and re-loaded cleanly.
    ALL done.
    SSL now in operation and working.
    I carried out this method - my own steps and this worked for me.
    Good luck!!!
    Dennis
    Originally Posted by shale999
    I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
    Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
    Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
    It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
    Any suggestions would be welcome !
    Thanks !

  • SSL Certificate CSR using SH1

    Is it possible to generate CSR using SH1 instead of md5 on Cisco 1841 for SSL VPN, because the provider that I try to use doesn't accept md5. Also tried to import there private key and got an error "Error: invalid PEM boundary" any help would be appreciated

    Well, I have run into the same issue. I'm trying to generate a CSR (certificate signing request) on a Cisco 2821 running IOS 12.4(15)T8 with a SHA signature because StartSSL does not accept CSR's with a MD5 signature anymore.
    According to me the 'hash sha1' command within the crypto pki trustpoint should do the trick, but apparently not. The CSR that is generated is still not accepted by StartSLL claiming it is still signed with a MD5 hash.
    So: How to generate a CSR with a SHA signature?

  • SSL certificates and JES 2005Q1

    We encountered some issues installing certs on a JES 2005Q1 installation and wanted to get outside input on what we did and our conclusions:
    We have a msg store with iMS, admin server, web server for UWC, and directory server installed on an 8-way v880. Following the instructions on installing a self-signed certificate via the cli failed. When we used the Cert Wizard we found that the databases were in DirServerRoot/alias as msg-config-key3.db and msg-config-cert8.db owned by root. Once we copied these files to the MsgRoot/config directory as key3.db and cert8.db, changed the ownership of the three .db files to the msg server user, and made sure the sslpassword.conf file had the correct password all was fine. The problem I have is that it looks like each "application" or "service" might need a cert (directory, iMS, web, admin). Is there a way to get each of these applications to use the same certificate, even if I have to create copies of the .db files? We had installed on self-signed certificate on the admin server and tried to copy it into the MsgRoot/config but the msg software failed to recognize the admin server cert.

    Here's what one of my co-workers said, after he figured it out:
    The problem was the files cert8.db, cert7.db and key3.db were not correct under /var/opt/SUNWmsgsr/config area.
    The soft links u created was with the prefixes "msg-*" and this is no longer required by the messaging server.
    The files should be either cert7/cert8.db and key3.db
    I have made the correct soft links to /var/opt/mps/serverroot/alias area. The messaging server is running now w/ SSL mode.

  • SSL certificates and more than one hostname / interface

    Hi,
    I'm trying to configure the directory proxy server of DSEE7 to listen at 636 (SSL) at 2 different interfaces. As both of them got different hostnames, I get a certificate error for one of them because the name does not match the one of the certificate. Is there a way to configure the proxy server with different certs for different interfaces / hostnames?
    thank you,
    solst_ice

    Hi,
    Did you tried SAN certificates (also known as Unified Communication Certificates by Public CA like DigiCert, Entrust etc..) ?
    SAN stands for Subject Alternate Names - this allows more than one hostname to be binded to a single certificate for such multihosting setup. I think you should try using a self-signed SAN certificate before purchasing a SAN certificate from External Public CA (if you rely on External Public CA). If you have Private CA then I think there should be much cost impact for you.
    HTH,
    Randip Malakar

  • Exchange 2010 SSL certificate and internal names

    So I received an email from Digicert stating our certificate contains .local internal domain names and we need to remove the names and re-issue our cert. Our cert currently contains the following names:
    CN: mail.ourdomain.org
    mail.ourdomain.org
    mailservername.ourdomain.local
    autodiscover.ourodmain.org
    autodiscover.ourdomain.local
    So after removing all .local names and re-issuing/re-installing the certificate, is there any additional configuration I need to do on the Exchange side? We already have an internal DNS A record pointing mail.ourdomain.org to internal IP of Exchange server.
    This topic first appeared in the Spiceworks Community

    So I received an email from Digicert stating our certificate contains .local internal domain names and we need to remove the names and re-issue our cert. Our cert currently contains the following names:
    CN: mail.ourdomain.org
    mail.ourdomain.org
    mailservername.ourdomain.local
    autodiscover.ourodmain.org
    autodiscover.ourdomain.local
    So after removing all .local names and re-issuing/re-installing the certificate, is there any additional configuration I need to do on the Exchange side? We already have an internal DNS A record pointing mail.ourdomain.org to internal IP of Exchange server.
    This topic first appeared in the Spiceworks Community

  • How to erase all self signed certificates and force Server to use Signed SSL

    I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
    I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
    Can I replace those self-signed certs with the new one some how?

    Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
    1:  Launch Keychain Access
    2:  Select the System Keychain
    3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
    4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
    5:  Press Save Changes to save.
    6:  Reboot the server or kill the servermgrd process to restart the service.
    That should resolve your issue.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

  • DSEE 6.3.1 and 2048-bit SSL certificates

    Related to my previous post, I'm standing up a new 6.3.1 proxy server and directory server instance that are being added to my existing environment. We use GoDaddy for SSL certificates and they require 2048-bit CSRs, which cannot be generated with 6.3.1 software. That being the case I generated the CSR for each host using openssl with the command:
    openssl req -new -newkey rsa:2048 -nodes -out ldp05_domain_com.csr -keyout ldp05_domain_com.key -subj "/C=us/ST=Massachusetts/L=Cambridge/O=My Corp/OU=Network Operations/CN=ldp05.domain.com"I then took the CSR and received a new signed 2048-bit cert from GoDaddy. I added the GoDaddy root bundle certs into my CA cert chain and then attempted to add the server cert.
    On the directory server I have the problem:
    # dsadm add-cert /usr/local/ds/domain/ ldp05.domain.com /tmp/ldp05.domain.com.crt
    Unable to find private key for this certificate.
    Failed to add the certificate.I get the same error when attempting to add the certificate through DSCC.
    I have a different problem with the 2048-bit certificate on the proxy server. I added the CA cert and that was fine. However, when I add the server cert, it shows up in the CA cert chain.
    # dpadm add-cert /usr/local/dps/domain/ dps05.domain.com /tmp/dps05.domain.com.crt
    # dpadm list-certs /usr/local/dps/domain/
    Alias             Valid from       Expires on       Self-signed? Issued by                          Issued to    
    defaultservercert 2011/02/25 10:08 2013/02/24 10:08 y            CN=dps05.domain.com:389 Same as issuer
    1 certificate found.
    # dpadm list-certs -C /usr/local/dps/domain/|grep dps05
    dps05.domain.com     2011/02/25 11:43 2014/02/25 11:43 n         SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps05.domain.com, OU=Domain Control Validated, O=dps05.domain.comHas anyone successfully added 2048-bit CA signed certificates to both DPS and DS instances? Is there a limitation on the size of a certificate that can be imported as a non CA cert in directory proxy server 6.3.1?

    Sadly after opening a case with Oracle support I was told that the hotfix wasn't built for Linux (which I'm running) and would take 1-2 weeks to complete. I have managed to solve 99% of the issue on my DPS host thus far and have only one remaining issue which is upon adding the cert.
    In order to generate the 2048-bit CSR I had to run the following:
    # cd /usr/local/dps/domain/alias
    # modutil -changepw "NSS Certificate DB" -dbdir .
    # certutil -R -s "CN=dps05.domain.com,OU=Network Operations,O=My Corp,L=City,ST=State,C=US" -o /tmp/dps05.domain.com.csr -d /usr/local/dps/domain/alias -a -g 2048For reference, running the dpadm command to set the cert db password didn't work.
    # dpadm stop /usr/local/dps/domain
    # dpadm get-flags /usr/local/dps/domain
    # dpadm set-flags /usr/local/dps/domain/ cert-pwd-prompt=onOnce I had the properly sized CSR I had the cert issued and attempted to add the root certs to the CA chain and the server cert to the server certificates:
    # dpadm add-cert /usr/local/dps/domain gd-root-bundle gd_bundle.crt
    # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
    - This shows the Go Daddy root cert bundle in the CA cert chain
    # dpadm add-cert /usr/local/dps/domain dps05.domain.com dps05.domain.com.crt
    # dpadm list-certs /usr/local/dps/domain
    - Shows only the defaultservercert
    # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
    - The server cert now shows up in the CA chain.Does anyone have any idea how I can properly add the new cert to the server cert list so it can be used by the server?

  • Replacing SSL keys and certificates for already defined services

    I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
    I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
    I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
    I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
    Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

    "Clear file filename "password" commad will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
    Please check if the below URL: could help:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

Maybe you are looking for

  • HT204266 Why is it that after upgrading to IOS 6, I could not retreive my full list of my purchased applications & ganes list in the app store now !!!!

    Why is it that after upgrading to IOS 6, I could not retreive my full list of my purchased applications & ganes list in the app store now !!!! Whenever I try to tab my purchased in the update feature of app store; not only does the long list of my pr

  • I can't control my mouse in games [SOLVED]

    Hi I can't control my mouse in games like nexuiz, teeworld, sauerbraten, open arena... My mouse connected at usb and i have a laptop. I'm not using touchpad. Here's my xorg conf: # nvidia-settings: X configuration file generated by nvidia-settings #

  • Runtime error! Please help. Has anyone found a solution?

    I just started to get the below error as soon as i open iTunes. Then it closes. Does anyone have a solution? Runtime Error! Program: c:/Program Files/ITunes/ITunes.exe This application has requested the Runtime to terminate it in an unusual way. Plea

  • Sender soap webservice error

    hi, i am working on soap(webservice)) to rfc scenario. the adapet for sender soap created in business service for reciever side is not dispalyed in adapter monitoing in component monitor of rwb. any body help will be appriciated. t&g vijedner

  • What's the tick to swiping up?

    About one time in 10 (if I'm lucky), when I try to swipe up to get then new menu in IOS 7, I get that menu.    What am I doing wrong? I try changing my speed, I try changing the starting position.   But usually nothing happens at all.