SSL Certificate CSR using SHA1

Is it possible to generate a CSR using SHA1 instead of MD5 on a Cisco 1841 for SSL VPN? The provider that I am trying to use doesn't accept MD5. Also tried to import there private key and got an error, "Error: invalid PEM boundary". Any help would be appreciated.

Well, I have run into the same issue. I'm trying to generate a CSR (certificate signing request) on a Cisco 2821 running IOS 12.4(15)T8 with a SHA signature because StartSSL does not accept CSRs with an MD5 signature anymore.
According to me the 'hash sha1' command within the crypto pki trustpoint should do the trick, but apparently not. The CSR that is generated is still not accepted by StartSSL, claiming it is still signed with an MD5 hash.
So: How to generate a CSR with a SHA signature?

Similar Messages

  • HTTPS SSL Certificate Signed using Weak Hashing Algorithm

    I am supporting a client for whom security scans are mandatory for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.
    The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for it?
    Nessus Scanner reports
    Medium Severity Vulnerability
    Port : https (443/tcp)
    Issue:
    SSL Certificate Signed using Weak Hashing Algorithm
    Synopsis :
    The SSL certificate has been signed using a weak hash algorithm.
    Description :
    The remote service uses an SSL certificate that has been signed using
    a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
    signature algorithms are known to be vulnerable to collision attacks.
    In theory, a determined attacker may be able to leverage this weakness
    to generate another certificate with the same digital signature, which
    could allow him to masquerade as the affected service.
    See also :
    http://tools.ietf.org/html/rfc3279
    http://www.phreedom.org/research/rogue-ca/
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    http://www.kb.cert.org/vuls/id/836068
    Solution :
    Contact the Certificate Authority to have the certificate reissued.
    Plugin Output :
    Here is the service's SSL certificate :
    Subject Name:
    Common Name: xxxxxxxxxx
    Issuer Name:
    Common Name: xxxxxxxxxx
    Serial Number: D8 2E 56 4E
    Version: 3
    Signature Algorithm: MD5 With RSA  Encryption
    Not Valid Before: Aug 25 11:15:36 2011 GMT
    Not Valid After:  Aug 22 11:15:36 2021 GMT
    Public Key Info:
    Algorithm: RSA  Encryption
    Exponent: 01 00 01
    CVE :
    CVE-2004-2761
    BID :
    BID 11849
    BID  33065
    Other References :
    OSVDB:45106
    OSVDB:45108
    OSVDB:45127
    CWE:310
    Nessus Plugin ID  :
    35291
    VulnDB ID:
    69469
    I tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.
    Here is ASA log
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
    6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
    6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
    6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587

    Hi Ramkumar,
    The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
    If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
    If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
    The links you posted have more information on this as well. Hope that helps.
    -Mike
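
A pre-submission check for the rejected CSR in the first thread and for the Nessus finding above, as an added example (not code from any poster or from Cisco): it validates the PEM boundary lines and reads the signatureAlgorithm field of a CSR or certificate, which share the same outer layout (body, AlgorithmIdentifier, signature). The sample inputs are constructed DER with placeholder bodies, and the verdict labels are this example's own.

```python
import base64
import re

# RSA signature-algorithm OIDs (PKCS #1 arc 1.2.840.113549.1.1). Verdict labels
# are this example's own: "weak" mirrors the Nessus finding quoted above,
# "deprecated" the SHA-1 phase-out discussed further down the page.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)


def pem_to_der(text):
    """Check the BEGIN/END boundary lines and return (label, DER bytes)."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("invalid PEM boundary: BEGIN/END line missing or malformed")
    if m.group(1) != m.group(3):
        raise ValueError("invalid PEM boundary: BEGIN and END labels differ")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm(pem_text):
    """Return (PEM label, algorithm name, verdict) for a PEM CSR or certificate."""
    label, der_bytes = pem_to_der(pem_text)
    tag, outer, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = read_tlv(outer, 0)             # skip request info / TBSCertificate
    alg_tag, alg_id, _ = read_tlv(outer, pos)  # AlgorithmIdentifier
    oid_tag, oid_body, _ = read_tlv(alg_id, 0)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm not found where expected")
    oid = decode_oid(oid_body)
    name, verdict = SIG_ALGS.get(oid, (oid, "unknown"))
    return label, name, verdict


# --- constructed sample input (placeholder bodies, not a real CSR) ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def sample_pem(oid, label="CERTIFICATE REQUEST"):
    info = der(0x30, der(0x02, b"\x00"))                       # dummy body
    alg = der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 128)                   # dummy signature bits
    b64 = base64.b64encode(der(0x30, info + alg + sig)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(sample_pem(oid)))
```

Running this against the request exported from the device shows whether a hash setting actually took effect before the request goes to the CA.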

  • What kind of SSL Certificate to use on Profile Manager?

    I would like to get my SSL CSR signed to use it with Profile Manager, but on the CA's website it asks me what kind of SSL Certificate I need giving me these options: 
    • AOL
    • Apache-ModSSL
    • Apache-SSL (Ben-SSL, not Stronghold)
    • C2Net Stronghold
    • Cisco 3000 Series VPN Concentrator
    • Citrix
    • Cobalt Raq
    • Covalent Server Software
    • Ensim
    • HSphere
    • IBM HTTP Server
    • IBM Internet Connection Server
    • iPlanet
    • Java Web Server (Javasoft / Sun)
    • Lotus Domino
    • Lotus Domino Go!
    • Microsoft IIS 1.x to 4.x
    • Microsoft IIS 5.x to 6.x
    • Microsoft IIS 7.x and later
    • Netscape Enterprise Server
    • Netscape FastTrack
    • Novell Web Server
    • Oracle
    • Plesk
    • Quid Pro Quo
    • R3 SSL Server
    • Raven SSL
    • RedHat Linux
    • SAP Web Application Server
    • Tomcat
    • Website Professional
    • WebStar 4.x and later
    • WebTen (from Tenon)
    • WHM/CPanel
    • Zeus Web Server
    • OTHER
    which one should I use?

    If the Certificate is already on your Mac, you can examine it in the "Keychain Access" application.  What they are asking you is who issued the Certificate.  If you do not see the Issuer listed, try "Other".

  • SSL certificate and use?

    Hi,
    some time ago I've become aware of the presence of an SSL certificate for the Arch homepage.
    Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.
    Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
    And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?
    I ask mainly because of paranoia and secondly out of curiosity.

    cactus wrote: The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
    It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).
    It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
    As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.
    As you're not using officially signed certs any longer, you could also do the following:
    You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.
    I've found a really well-written howto here, and I've already tested it within my local network.
    Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience how to get signed by an official institution.
    Or you could also ship your root cert with the installation iso, similar to Ubuntu shipping the public pgp-keys of their package-managers with their installation isos.
    This is of course only a suggestion, but as I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.
    I'm pretty interested in everyone's feedback. Maybe there's even one who has experience about other distros and how they've handled that problem.

  • Godaddy SSL certificate on weblogic

    Hello,
    Recently I purchased an SSL certificate from GoDaddy; they sent me 2 files (mydomain.crt) and (gd_bundle.crt).
    Now I don't know how to create the .pem file to complete the installation. Below are the instructions I followed.
    - keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
    - keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
    Here, when I enter this, I get an error (keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found). So how do I create the CertChain.pem from the files I got from GoDaddy?
    - keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
    - keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
    - keytool -list -v -keystore <keystore-name> -storepass <keystore-password>

    I found out how to install godaddy ssl certificate on weblogic follow the link below.
    http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
    but I still get This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

  • Creating SSL certificate and configuring it with JBOSS 4.0.1

    I have to post some data to a secured site from my application.
    For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
    But, while creating the stream it is showing SSLException and message is No trusted certificate found.
    For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
    Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

    I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
    See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

  • SSL Certificate and SSL Authentication

    Hi-
    I'm hoping someone can shed some light on this issue.
    First off, is there a difference between SSL Certificate and SSL Authentication?
    I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
    But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
    If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
    Any advice would be appreciated.
    Thanks!

    Hi Imagine,
    You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port numbers are correct, check the SSL boxes, and leave authentication on Password, at least on most setups. Each host may be different, so you have to double check with them.
    Hope That Helps,
    Eric

  • Server 3 / SSL Certificate / Open Directory - Problem!

    We've updated from Server 2 to Server 3 / OS X 10.9.
    We have an SSL certificate for server from Comodo.
    Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
    Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
    I've tried setting the Open Directory to use the SSL, but whenever I do it simply bounces back to being unsecured.
    Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fool's errand.
    Anyone got any clues as to whether to fix or not, and if to fix, how?
    Thanks in advance.

    Have you checked to see that the certificate is indeed "Trusted" by your server?
    Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
    Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
    When you select your Certificate, if it's there, does it show as trusted?
    Another thing you can check...  Oftentimes Certificate Authorities use Intermediate certificates.  Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else.  A good example is Godaddy.  They sell both SSL and Code signing certificates of all flavours.  In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain.  My Godaddy cert looks to be trusted by Verisign via an intermediate.
    Have a look here...  https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
    Not sure if it's directly relevant, but there it is.
    The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
    --an afterthought--  Anything in the logs?
    Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
    tail -f /var/log/system.log
    In the server window try to select the certificate and click done.  See what the output in terminal says.

  • Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2

    HI All,
    I am hearing the news that SHA-1 certificates will be soon phased out on Chrome and Microsoft platforms. I am Ok with replacing public certificates with SHA-2 certificates.
    But I see that our internal certificates are also issued with the SHA-1 algorithm. And these SSL certificates are used in the LAN to access internal sites. So do I need to get internal certificates reissued with SHA-2 (256)? If so, what changes do I need to make on the CA server to use the SHA-2 algorithm?
    Thanks in advance.
    Mahi

    On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
    On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
    Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
    Currently no. All of the current SHA1 deprecation notices from Microsoft
    apply only to public root CAs that are part of the Microsoft Trusted Root
    program.
    You should start planning to migrate your internal CAs however. At some
    point in time I think you'll find that all SHA1 certificates will be
    deprecated.
    Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it, this is all pointless, to have legacy SHA1 in your environment, if the browser can't distinguish one from the other.
    This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
    I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
    Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
    Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
    IE does not itself do certificate validation; that is passed off to the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are no longer accepted, whether the certificate being validated chains to an internal or an external root will be determined by the certificate chaining engine and not directly by IE.
    The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".

  • How we can get SSL certificate for any site?

    I want to know how to get an SSL certificate for any website, and what the main benefit of this certificate is for a particular website.

    Hi,
    Would you please let me know edition information of the SBS server? Was it SBS 2008 or SBS 2011?
    Based on your description, I’m a little confused by your question. Did you mean that you want to know why an SSL certificate is needed for a website?
    Certificate Services and SSL protect sensitive information by encrypting the data sent between client browsers and your server.
    An SSL Certificate is used for two reasons: (1) to validate the remote server to the client before the client sends any data to that server; (2) to encrypt the data between the client and server over an un-secure network (i.e. the Internet). You can use a self-issued certificate or a third-party trusted certificate. For more details, please refer to the following articles and check if they can help you.
    Managing Certificates
    SSL and Certificates
    Understanding Self-Issued Certificates in SBS 2003 & SBS 2008
    Installing a GoDaddy Standard SSL Certificate on SBS 2008
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    If I have misunderstood anything, or if there is any update, please don’t hesitate to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • RDS SSL Certificate Problem

    Hi
    We've bought an SSL certificate for use on our RDS Session Host connector. We've imported it but when we try to select it in RDS settings we get a message saying 'There are no certificates installed on this Remote Desktop Session Host server'. If I try to use it in RemoteApp Manager under Digital Signature Settings I can select it without issue. We don't have Gateway installed and ideally don't want to, we just want to put a certificate on the connector.
    Is there any advice anyone can give me to get this working?
    Many thanks 
    Simon Whittington

    Hi Simon,
    As suggested by “TP”, check where the certificate is stored. The certificate must be installed in the personal certificate of the computer account and not your personal account. You can also run the command below in a command prompt to check where the issue is going wrong, as stated by “Alan” in this thread.
    certutil -f -urlfetch -verify <your_certificate>.cer
    In the meantime, also go through the links below for more information.
    1.  How to Import a Server Certificate
    2.  Exporting/Importing SSL Certificates Between Windows Servers
    Hope it helps!
    Thanks.

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro SSL certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that, as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is:
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. Or do we have to go for a VeriSign Wildcard Secure Site Pro Certificate, for a CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't because your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
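
The name check behind the browser warnings in this thread, as an added example (not from the posters or from the ACE documentation): it tests which hosts a given set of certificate names covers. The host names come from the post; the candidate certificate name sets, the extra hosts and the function names are constructed for illustration, and the matcher assumes only a whole left-most label may be a wildcard.

```python
def name_matches(cert_name, host):
    """Match one DNS name from a certificate (CN or SAN) against a requested host.

    Assumption of this example: "*" is only honoured as the entire left-most
    label and stands for exactly one label, which is how browsers treat it.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        # Refuse over-broad patterns such as "*.com"
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels


def uncovered(cert_names, hosts):
    """Return the hosts for which a client would report a name mismatch."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


# Host names from the post, plus two constructed edge cases.
FARM = ["www.abc.com", "a.abc.com", "b.abc.com"]
EDGE_CASES = ["abc.com", "x.a.abc.com"]


def report():
    """Compare candidate certificates (constructed name sets) against all hosts."""
    candidates = {
        "current cert (cn=abc.com)": ["abc.com"],
        "wildcard only": ["*.abc.com"],
        "wildcard plus bare domain": ["*.abc.com", "abc.com"],
    }
    hosts = FARM + EDGE_CASES
    return {label: uncovered(names, hosts) for label, names in candidates.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        print("%-28s mismatch on: %s" % (label, ", ".join(missing) or "none"))
```

A wildcard covers one label only, so the bare domain and deeper names still need their own entries in the certificate.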

  • Is there a way to change the CSR for install SSL Certificate for CCMADMIN

    HI there,
    Our customer wants a solution for the HTTPS failure on the CCMAdmin and CCMUser sites.
    For that, I have exported a CSR to buy an SSL certificate from VeriSign.
    The problem is that the CSR includes the FQDN and not just the server name.
    But the users just have to type in the server name to reach the server.
    Is there a way to export a CSR which includes only the server name as the common name, without changing the domain settings in the CUCM?
    thanks
    Marco

    Hi
    You can go to the server via SSH, and enter the 'set web-security' command with the alternate-host-name parameter:
    Command Syntax
    set web-security orgunit orgname locality state country alternate-host-name
    Parameters
    • orgunit represents the organizational unit.
    • orgname represents the organizational name.
    • locality represents the organization location.
    • state represents the organization state.
    • country represents the organization country.
    • alternate-host-name (optional) specifies an alternate name for the host when you generate a
    web-server (Tomcat) certificate.
    Note When you set an alternate-host-name parameter with the set web-security command,
    self-signed certificates for tomcat will contain the Subject Alternate Name extension with
    the alternate-host-name specified. CSR for Cisco Unified Communications Manager will
    contain Subject Alternate Name Extension with the alternate host name included in the CSR.
    Typically you would still use an FQDN, but a less specific one (e.g. ccm.company.com)...
    Regards
    Aaron
    Please rate helpful posts...

  • How Do You Generate a 2048bit CSR for a Third Party SSL Certificate for LMS 4.0.1?

    Our site requires Third Party SSL certificates to be installed on our servers.  We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
    My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits.  Is there someplace in the GUI or OS where I can change the encryption?

    This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
    http://help.godaddy.com/article/5276
    You could also use an online CSR generator such as:
    http://www.gogetssl.com/eng/support/online_csr_generator/
    The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
    Hope this helps.

  • Problem in installation of free SSL certificate on Weblogic using keytool

    We tried to install an SSL certificate on weblogic using Keystore, but it is giving an error in console at startup and the server shuts down automatically...
    Steps followed:-
    1) To generate keystore and private key and digital certificate:-
    keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
    2) To generate CSR
    keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
    3) CSR is uploaded on verisign site to generate free ssl certificate. All certificate text received is pasted into file (cacert.pem)
    4) Same certificate is put into same keystore using following command
    keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
    5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
    (intermediateCa.cer file is downloaded from verisign site)
    keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
    6) After this configuration we used weblogic admin module to configure Keystore and SSL.
    7) For KeyStore tab in weblogic admin module, we have selected option “Custom Identity And Custom Trust” and provided following details under Identity and Trust columns:-
    Private key alias: mykey2
    PassKeyphrase: webconkeystorepassword
    Location of keystore: location of webconkeystore.jks file on server
    8) For SSL tab in weblogic admin module, we have selected option “KeyStores” for “Identity and Trust locations”.
    Error on console:
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
    <Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    If anyone knows the solution, please help us out. Thanx in advance.
    I was really happy to get reply yesterday from "mv".I was not expecting such instant response.

    Thanx all guys for your interest and support.
    I have solved this issue.
    We have weblogic 9 on unix env.
    Following steps which I followed:
    #generate private key
    keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
    #generate csr
    keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
    Then we uploaded this csr on verisign's free ssl certificate to generate and receive certificate text.
    We copied that text in the "cert4nov2009.crt" file used below.
    Apart from that, the mail which we received from verisign also contains links to download root ca certificate and intermediate ca certificate. We downloaded them.
    root ca in "root4nov2009.cer" file.
    intermediate ca in "intermediateca4nov2009.cer"
    both these files are used in
    #import root certificate
    keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
    #import intermediate ca certificate
    keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
    #install free ssl certificate
    keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
    #after this admin configuration
    In weblogic admin console module, we did following settings:-
    1. under Configuration tab
    a. Under KeyStore tab
    For keystore , we selected "Custom identity and Custom Trust"
    Under Identity,
    Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
    Custom Identity Keystore Type: JKS
    Custom Identity Keystore Passphrase: password for keystore mentioned above. In our case, webconkeystorepassword
    Same we copied Under "Trust", as we have not created separate keystore for trust.
    Save setting.
    b. Under SSL tab
    Identity and Trust Locations: select "Keystores"
    Private Key Alias: alias used while creating private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
    Save setting.
    c. Under General tab
    Check checkbox "SSL Listen Port Enabled"
    and mention ssl port "SSL Listen Port"
    Save setting.
    After this activate changes. You might see error on admin module.
    Using command prompt, stop the server and again restart and then try to access using https and port ...
    you will definitely get output...
    in our case issue might be due to key size.. we used 1024 key size.. it solved the problem.
    for your further reference plz find link below.. it is also helpful.
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
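
A check that fits between the keytool imports and the WebLogic console settings discussed in this thread, as an added example that is not part of either post: it reads `keytool -list -v` output and reports whether the alias configured as the identity is a PrivateKeyEntry and whether it still carries only a self-signed certificate. The function names and the sample listing are constructed for illustration; the sample follows the field labels of keytool's verbose listing.

```shell
#!/bin/sh
# Added example: audit `keytool -list -v` output for the alias WebLogic will
# use as its identity. Function names and sample data are constructed.

# check_identity_alias ALIAS   (expects keytool -list -v output on stdin)
# Prints one verdict line; returns 0 only for a key entry with a CA-issued cert.
check_identity_alias() {
    awk -v want="$1" '
        /^Alias name: /  { cur = substr($0, 13); if (cur == want) found = 1 }
        cur != want      { next }                    # skip other entries
        /^Entry type: /  { type = $3 }
        /^Certificate chain length: / { chain = $4 }
        /^Owner: /  && owner == ""  { owner  = substr($0, 8) }   # leaf cert only
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (!found) { print "MISSING: no such alias"; exit 2 }
            if (type != "PrivateKeyEntry") {
                print "NOT-A-KEY: " type " (no private key under this alias)"; exit 3 }
            if (owner == issuer) {
                print "SELF-SIGNED: CA reply not imported over the key entry"; exit 4 }
            print "OK: PrivateKeyEntry, chain length " chain
        }'
}

# Constructed sample listing: a key entry that still holds only its
# self-signed certificate, plus one trusted CA entry.
sample_listing() {
cat <<'EOF'
Alias name: mykey2
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=linuxbox042, OU=ASIA, O=Example, C=IN
Issuer: CN=linuxbox042, OU=ASIA, O=Example, C=IN

Alias name: intermediateca
Entry type: trustedCertEntry
Owner: CN=Constructed Intermediate CA
Issuer: CN=Constructed Root CA
EOF
}

# Real use: keytool -list -v -keystore <keystore> | check_identity_alias <alias>
sample_listing | check_identity_alias mykey2 || true
```

A non-zero return before the server restart points at the keystore contents rather than at the console settings.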
