SSL Certificate appears valid in Server Admin, but as expired in browsers

Similar Messages

• Unable to set (ssl) certificate on a SQL Server 2012 clustered instance

  Hello everyone!
  I'm trying to encrypt the SQL Server communication with SSL but I can't add the certificate in the configuration manager. I've found and tried a lot of different explaination but none of them worked. I'll described what I've done and hope someone will point
  out what I'm missing.
  Here is my situation:
  - SQL Server 2012 Enterprise Edition. Instance name = INSTANCE, FQDN =  SQINSTANCE.mydomain.com. The instance is running under a customized service account: mydomain\sql_sa
  - Two cluster nodes running Win Server 2008R2: NODE1.mydomain.com and NODE2.mydomain.com. Cluster itself is CLUSTER.mydomain.com
  What I've done:
  1) Asked the team in charge to generate a certificate issued to "SQINSTANCE.mydomain.com" with aliases to "NODE1.mydomain.com", "NODE2.mydomain.com" and "CLUSTER.mydomain.com". I get a certificate with "p7b"
  as extension
  2) Connect on "NODE2.mydomain.com" with account "mydomain\sql_sa". Opened MMC and added the certificate under "Personnal" folder. I tried to add it with "Current user" and "Local computer" settings. Saw both
  on internet since I use a specific service account
  3) Get the thumbprint of the certificate and add it under HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.INSTANCE\MSSQLServer\SuperSocketNetLib\Certificate. (I triple checked to remove blanks or special characters)
  4) Reboot the node
  5) Open the SQL Server Configuration Manager, go to the network properties. Certificate does not appear in the list
  I tried to check with certutil and saw the certificate in the output. Some guys talked about some private key but I don't see this particularity in my situation. I tried to check if the certificate is valid and, according to the criterias, it is.
  Does anyone can help me with this?

  Hi,
  Are you sure you've got the certificate correct?  http://msdn.microsoft.com/en-us/library/ms191192.aspx
  To use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the virtual server
  on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.<your
  company>.com and test2.<your
  company>.com, and you have a virtual server named virtsql, you need to install a certificate for virtsql.<your
  company>.com on both nodes. You can set the value of the ForceEncryptionoption
  toYes
  In your case, shouldn't it be created for CLUSTER.mydomain.com?
  Thanks, Andrew
  My blog...

• How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

  I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)"
  I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer.
  I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.
  (I'd rather not tell everyone here the URL of my company's remote access website)

  Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.
  A. As my named user (called "greg", surprise, surprise, no secret there...)
  Run Firefox; select Edit > Preferences > Advanced : Encryption:
  Here I get no option for Certificates, but I do get View Certificates - then tabs for:
  - Servers, under which my company's remote logon URL is listed - Edit button is grey
  - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
  1. may identify websites (ticked)
  2. may identify mail users (unticked)
  3. may identify software makers (ticked)
  I ticked 2, tried again - same failure. Unticked it.
  B. As root.
  Run Firefox; select Edit > Preferences > Advanced : Encryption:
  Here I get no option for Certificates, but I do get View Certificates - then tabs for:
  - Servers, under which my company's remote logon URL is NOT listed
  - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
  1. may identify websites (ticked)
  2. may identify mail users (unticked)
  3. may identify software makers (unticked)
  I ticked 2 and 3, tried again - same failure. Unticked them.
  Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.
  This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).
  So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.

• Problem Installing a SSL Certificate on a RD Server

  I'm trying to install a 3rd party SSL Certificate (GoDaddy) on my RD Session Host server (2008 R2).  I generated the request through IIS, received the cert from GoDaddy and imported it into [Certificates(Local Computer)\Personal\Certificates]. 
  I then went to RD Session Host Configuration,  and RDP-Tcp, and chose to select certificate.... however, I'm not given a choice...instead I receive a dialogue box saying "There are no certificates installed on this Remote Desktop Session Host server". 
  Any ideas why I cannot choose the cert?  Do I request the cert improperly ?  I'm stuck here...  thanks in advance for any tips!
  Scott

  It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not them import the certificate on the
  same where you created the CR and then export the certificatye and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure the delivered
  a valid certificate.
  Kind regards,
  Freek Berson
  http://microsoftplatform.blogspot.com/

• SSL Certificate on 10.6 Server

  I've just been migrating services off a G5 Xserve running 10.5 Server, to a Mac Pro running 10.6 Server.
  It dawned on me it'd be a good idea to get an actual SSL certificate. Because of the lack of funds available, I've gone for PositiveSSL.
  Here are the steps I took to get it:
  1. In Server Admin > Certificates I chose Generate CSR
  2. I pasted this in to Comodo's page and chose Apache + MOD SSL
  3. Took the .crt file emailed to me and chose "replace with signed certificate", dropped it on and clicked "replace certificate" (replacing the old, self signed one).
  This all seemed to work fine. HOWEVER, the web service doesn't seem to be playing ball with it at all and because of this I'm scared to propagate it around any other services.
  These are the errors I'm receiving: (not that Server Admin notices anything wrong!)
  [Wed Jan 19 05:59:58 2011] [error] Init: Pass phrase incorrect
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2iASN1SET:bad tag
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1CHECKTLEN:wrong tag
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1ITEM_EXD2I:nested asn1 error
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
  Now I'm aware there needs to be a pass pharse, I saw the box in Server Admin 10.5, but it's gone from Snow Leopard.
  ...and therefore I'm stumped.
  Is there any easy how-to guide for actually getting this sorted and having SSL up and running?
  Thanks in advance

  I'm not sure if this will be helpful or not but the information in this post really helped me to get SSL working on my server...
  http://discussions.apple.com/thread.jspa?messageID=12447818&#12447818

• How to get the ssl-certificate trusted on lion-server

  I'm in the process of setting up lion server to create a small (international) research group collaborating on a project.
  So I want to use the server to exchange data, use a common calendar, address-book etc.
  To do so you need to get a SSL-certiifcate (unless you do everything on VPN).
  So I selected the server in server.app (Hardware) and selected SSL certificate edit
  created a certificate signing request that I exported and saved on my computer
  I received a ssl.crt that I also saved and dragged into the window and replace the original certificate with the signed one
  and also imported the certificate in to the keychain
  All following the steps described in:
  Managing iOS deviceswith OS X Lion Server by Arek Dryer
  the book describes that the certiifcate should now be trusted and valid. However, I keep the message "This certificate was signed by an unkown authority"
  So I somehow did something wrong.
  Any suggestions what I should do?

  ok let me add some info in the hope I will get some guidance:
  using the site http://www.sslshopper.com/ssl-checker.html
  I was able to check on the status of the certificate:
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
  since it is a non-commercial server I used a 'free?' SSL-certificate provider that will charge you when you contact them, so you have to figure it out by yourselve
  I guess I would be helped if there is a step by step manual how to install a root certificate

• Unable to install SSL Certificate - ADMIN4118: Only one server certificate can be installed at a time

  Hi,
  We are trying to install SSL certificate (Verisign Class 3) on iPlanet Web Server (version 7). However, at the final step we are getting the error "ADMIN4118: Only one server certificate can be installed at a time"
  We are following the below steps,
  Under "Server Certificates" tab,
       -> Click on "Install" button.
       -> On "Select Configuration" click on "Next" button.
       -> On "Select Tokens and Passwords", select default token as "internal" and click on "Next" button.
       -> On "Enter Certificate Data", select option as "Certficate File" and give path to the certificate file which is having .p7b extension
       -> On "Certificate Details" we are getting warning as "Duplicate Server Details Found" and it's by default using the existing certificate's nickname.
       -> On "Review" page after clicking "Finish" button, an error is displayed saying "ADMIN4118: Only one certificate server can be installed at a time"
  There are multiple sub-domains availble and the new certificate we want to install contains one more sub-domain.
  So, say currently the subdomains present are,
  1.abc.com
  2.abc.com
  so on...
  and now we are trying to install a SSL certificate having one more subdomain say 10.abc.com.
  Please let us know if you have solution to this problem.
  Thanks,
  Rajesh

  Hi Rajesh,
  That error is most commonly seen when you are trying to install a certificate chain into the Web Server.
  The chain should be installed using the "Certificate Authorities" tab per the following steps:
  1) Login to the Admin Console.
  2) Click Edit Configuration from Common Tasks > Configuration Tasks.
  3) Click the Certificates > Certificate Authorities tab from the Configurations page.
  4) Click the Install... tab from the Certificate Authorities (CAs) page.
  An Install CA Certificate Wizard opens. The wizard guides you through the settings available for installing a Certificate Chain. Select Certificate Chain when prompted for Certificate Type.
  You should then see the CA and intermediate certificate(s) listed in the security database.
  If you have access to MOS, more details can be found in the MOS KM Note:
     Oracle iPlanet Web Server - 'ADMIN4118: Only one server certificate can be installed at a time' When Installing Certificate Chain (Doc ID 1925025.1)
  regards
  Tracey

• Install SSL certificate for Oracle HTTP server

  I received a PFX file that contains an SSL wildcard certificate for our company *.xyz.com.
  I used this tool "xca" to extract two files: "server.crt" and "serverkey.pem".
  I want to install this on the oracle 11g HTTP server (OHS) installed as standalone based on apache 2.2
  With oracle, i have to create a wallet and point the SSL.CONF wallet directive to use that wallet.
  I used Oracle Wallet Manager to create it and import the certificate but this is where i am having a problems.
  First I could not restart the web server but the it worked but I got SSL handshake errors (Shown below).
  According to oracle steps, I have to create a CSR and then import the certificate into the wallet
  http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
  However, when I tried to use Oracle Wallet Manager, there were two options: import server certificate and trusted certificate.
  The import server certificate was greyed out. I had to create a CSR just to get it enabled but I did not use the CSR, i just imported the "server.crt" file.
  I also tried to import the "serverkey.pem" into the trused certificate option but was rejected (invalid certificate).
  Do you know how to create a successful wallet based on the files i have and not creating a CSR since i already have a certificate file?
  2013-05-04T20:11:40.2718-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.2719-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
  [2013-05-04T20:11:40.4774-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
  [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
  [2013-05-04T20:11:40.6814-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
  [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error

  I do not have weblogic installed. I only have standalone 11g HTTP server with mod_plsql.
  If i can get OWM working to create a successful certificate them the problem would be resolved.
  I am just not sure what is Root Certificate and Trustworthy Certificate and how to get that from the files i have.

• FTP Displays as Disabled via Server Admin, but FTP still active via tnftpd

  Server Admin (v 10.5.3) displays that the FTP service on our box is inactive.
  However, FTP access to the server is still active. When I FTP via command line, I'm informed that tnftpd has allowed me to connect via FTP.
  I'd like to have OS X's built in FTP services disabled so that I can use SFTP only via CrushFTP.
  I can't figure out how to disable/block tnftpd. Any suggestions?
  I tried adding a "nologin" file to /etc, but this ended up causing every shell session to error out with a "access not allowed" error.

  The process was still loaded in launchd, so we just unloaded and that appears to have killed it for good.
  Weird, but that would explain it. I'm just not sure if there's a launchdaemon that would need to be removed to keep it from starting up after a reboot.
  -Doug

• SSL Certificate Error in AIX server~~~SCOM 2012 R2

  Hi Everyone,
  While installing SCOM client i am getting below error. Plz suggest.
  Agent verification failed. Error detail: The server certificate on the destination computer (FQDN(Server Name):1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve 
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
  The server certificate on the destination computer (FQDN(Server Name:1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve.
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool. 

  Hi Pawan
  Have you exported/imported scx certificates?
  Check out Kevin Holmans blog on installation of UNIX/Linux agents:
  http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx
  www.coretech.dk - blog.coretech.dk

• Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

  We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
  On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

  Did you verify that all intermediate certificates are installed on the server?
  You can inspect the certificate chain via a site like this:
  *http://www.networking4all.com/en/support/tools/site+check/
  *https://www.ssllabs.com/ssltest/

• SSL certificate not valid

  Just started receiving 'server's security certificate not valid for palm.imap.mail.yahoo.com' error early this morning. I have a (Sprint) Palm Pre (P100EWW) on version 1.4.1.1. How do I correct?

  I have tried removing palm and still cannot get it to work!   any other ideas?   I did notice it changed the port to 995 when I first was entering my email info.   It used to be set to 993?
  Also, what do you put in the username....  is that the beginning part of the yahoo id prior to @yahoo.com?

• SSL certificate not valid in Safari, but webservice  works with Chrome and Firefox

  As a MD, I'm used to check blood results online on the service
  https://inet.zentral-labor.ch/c16/kunweb.dll - this is the online-portal of my laboratory medica in Zurich. http://www.medica.ch
  Access to the loginscreen is public ;-) and should look like this (Screenshot from Firefox)
  I've setup a new workstation 3 weeks ago (iMac with OS Lion 10.7.4), and this webservice service works fine till yesterday. Now, Safari is every time we try to reach the service telling us, that this service needs a certificate, we can choose only a default apple certificate
  and then, the error is:
  This Site needs a valid SSL-Client-Certificate... (Screenshot below)
  What's wrong with Safari? With Chrome and Firefox, the webservice works fie without any problems.
  Thanks for an advice
  MD Patric Eberle

  As a MD, I'm used to check blood results online on the service
  https://inet.zentral-labor.ch/c16/kunweb.dll - this is the online-portal of my laboratory medica in Zurich. http://www.medica.ch
  Access to the loginscreen is public ;-) and should look like this (Screenshot from Firefox)
  I've setup a new workstation 3 weeks ago (iMac with OS Lion 10.7.4), and this webservice service works fine till yesterday. Now, Safari is every time we try to reach the service telling us, that this service needs a certificate, we can choose only a default apple certificate
  and then, the error is:
  This Site needs a valid SSL-Client-Certificate... (Screenshot below)
  What's wrong with Safari? With Chrome and Firefox, the webservice works fie without any problems.
  Thanks for an advice
  MD Patric Eberle

• Why we need SSL Certificates for configuring App Server in Sharepoint

  Hi Support,
  We are planning to have a separate server for Apps, while configuring the server its asking for certificate. The main scenario is while configuring server inside the same firewall why we need SSL for configuring.
  Could you please let me know the reason why we need SSL for configuring App Server.
  Thanks in Advance,
  Regards,
  Pradeep

  Hi  Pradeep,
  SSL (Secure Sockets Layer) is a transaction security standard that provides encrypted protection between browsers and App Servers. When SSL is enabled for an App Server, browsers communicate with the App
  Server by means of an HTTPS connection, which is HTTP over an encrypted Secure Sockets Layer. HTTPS connections are widely used by banks and web vendors for secure transactions over the web.
  Secure Sockets Layer  is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. This is such a scenario. As a prerequisite
  for configuring Task Synchronization, the computer that is running SharePoint Server must have SSL configured.
  Reference:
  http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx
  http://corypeters.net/2013/03/ssl-and-sharepoint-2013/
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Does anyone know how to install an SSL certificate on 10.3 Server?

  Can't find this in the documentation.

  You cannot install a spam filter on iPad. Spam is generally controlled by your email provider at the server level, though mail clients do often have a secondary filter that learns from your behavior.
  Who is your email provider? Have you tried adjusting their spam filters?