SSL Certificate installation

Similar Messages

• Godaddy SSL certificate installation problems - intermediate certificate not being recognized

  domain = mail.gottfried.org
  Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
  Response from:
  http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
  When I check in 0000_any_443_.conf
  I see:
  SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. cert.pem
  SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. key.pem
  SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. chain.pem
  I am assuming that the intermediate certificate should be:
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
  When I look at that certicate it is the same as
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
  When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
  It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
  Anyone have any suggestions?
  I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldnt really help and if I really want help from them I need to talk to integration where costs start at $700....
  Anyone have an SSL provider that worked properly with 10.8  or has really good support for mountain lion server?
  Please let me know.
  Thanks!

  While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
  If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
  Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
  FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
  Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally to sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

• SSL Certificate- installation problems - uydo

  Your "Step 1" sounds fine. You don't need to convert the key from .der
  (AFAIK). So no "Step2" ! The Server Certificate Chain File Name is a
  bit of a strange one. As far as I can tell, its just more or less
  means that your actual server certificate (purchased from cert
  provider - Verisign say) is actually from Verisign.
  I got it by:
  Go to the Verisign site (verisign.com)
  Click on gold rosette
  "Verisign secure site - click to verify" to see their certification
  details.
  Then d-click on the gold padlock at bottom of this window to see
  certificate information
  Then click details tab
  Then click copy to file button - to save off what is the '1024 bit'
  root certificate. Use this .cer file as it is as the Server
  Certificate chain file.
  If you need the 512 bit root cert, then simply browse to find a site
  that's using that level of encryption with a verisign certificate.
  I had purchased a certificate, so it wasn't a trial one, so it may be
  that you need a different root certificate from mine.
  If that is the case, I suppose you might have to contact Verisign
  again
  Re step 4 I'm using 6.1, but I didn't need to do that, but If you
  think you do I would put the rootcert for that.
  (your email didn't work so I'm posting this - which might help others
  anyway)
  The original was:
  I'm trying to install the SSL on BEA 6.0, but failed to install it.
  Here are steps I got involved in :
  1. I created a CSR, fetched it to Verisign(trial Server ID), get backthe >certificate. Install this certificate in "Server Certificate File
  Name" in SSL >tab. The private key I got from the CSR process is
  installed at "Server Key >File Name". It's in DER format
  2. I don't know how to use the Utility to convert from Der2pem, orpem2der, >becase the private key I got is in DER format.
  3. I don't know how to get the server chain certificate. How can youcreate a >Server Certificate Chain to install in "Server Certificate
  Chain File Name"?
  4. Do I need to set a Trusted CA File Name in the SSL tab?

  Hi Jon,
  Thank you very much for your explain. Although I followed your steps,I still got
  the same error. Maybe, I'll ask Verisign, because BEA is no help at all.
  Thanks again,
  Uy
  [email protected] (Jon Lee) wrote:
  Your "Step 1" sounds fine. You don't need to convert the key from .der
  (AFAIK). So no "Step2" ! The Server Certificate Chain File Name is a
  bit of a strange one. As far as I can tell, its just more or less
  means that your actual server certificate (purchased from cert
  provider - Verisign say) is actually from Verisign.
  I got it by:
  Go to the Verisign site (verisign.com)
  Click on gold rosette
  "Verisign secure site - click to verify" to see their certification
  details.
  Then d-click on the gold padlock at bottom of this window to see
  certificate information
  Then click details tab
  Then click copy to file button - to save off what is the '1024 bit'
  root certificate. Use this .cer file as it is as the Server
  Certificate chain file.
  If you need the 512 bit root cert, then simply browse to find a site
  that's using that level of encryption with a verisign certificate.
  I had purchased a certificate, so it wasn't a trial one, so it may be
  that you need a different root certificate from mine.
  If that is the case, I suppose you might have to contact Verisign
  again
  Re step 4 I'm using 6.1, but I didn't need to do that, but If you
  think you do I would put the rootcert for that.
  (your email didn't work so I'm posting this - which might help others
  anyway)
  The original was:
  I'm trying to install the SSL on BEA 6.0, but failed to install it.
  Here are steps I got involved in :
  1. I created a CSR, fetched it to Verisign(trial Server ID), get backthe >certificate. Install this certificate in "Server Certificate File
  Name" in SSL >tab. The private key I got from the CSR process is
  installed at "Server Key >File Name". It's in DER format
  2. I don't know how to use the Utility to convert from Der2pem, orpem2der, >becase the private key I got is in DER format.
  3. I don't know how to get the server chain certificate. How can youcreate a >Server Certificate Chain to install in "Server Certificate
  Chain File Name"?
  4. Do I need to set a Trusted CA File Name in the SSL tab?

• Problem in installation of free SSL certificate on Weblogic using keytool

  We tried to install SSL certificate on weblogic certificate using Keystore ..but it is giving error in console at startup and server shutdowns automatically...
  Steps followed:-
  1) To generate keystore and private key and digital cerficate:-
  keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
  2) To generate CSR
  keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
  3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem)
  4) Same certificate is put into same keystore using following command
  keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
  5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
  (intermediateCa.cer file is downloaded from verisign site)
  keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
  6) After this configuration we used weblogic admin module to configure Keystore and SSL.
  7) For KeyStore tab in weblogic admin module, we have select option “Custom Identity And Custom Trust” provided following details under Identity and Trust columns:-
  Private key alias: mykey2
  PassKeyphrase: webconkeystorepassword
  Location of keystore: location of webconkeystore.jks file on server
  8) For SSL tab in weblogic admin module, we have select option “KeyStores” for “Identity and Trust locations”.
  Error on console:
  <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
  <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
  <Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
  <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  If anyone knows the solution ,please help us out.Thanx in advance.
  I was really happy to get reply yesterday from "mv".I was not expecting such instant response.

  Thanx all guys for your interest and support.
  I have solved this issue.
  We have weblogic 9 on unix env.
  Following steps which I followed:
  #generate private key
  keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
  #generate csr
  keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
  Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
  We copied that text file in "ert4nov2009.crt" rt file used below.
  Apart from that , mail which we received from verisign also contains links to download root ca certificate and intermediate ca certificate.We downloaded them.
  roo ca in "root4nov2009.cer" file.
  intermediate ca in "intermediateca4nov2009.cer"
  both these files used in
  #import root certificate
  keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
  #import intermediate ca certificate
  keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
  #install free ssl certifiate
  keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
  #after this admin configuration
  In weblogic admin console module, we did following settings:-
  1. under Configuration tab
  a. Under KeyStore tab
  For keystore , we selected "Custom identity and Custom Trust"
  Under Identity,
  Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
  Custom Identity Keystore Type: JKS
  Custom Identity Keystore Passphrase:password for keystore mentioend above.In our case, webconkeystorepassword
  Same we copied Under "Trust", as we have not created separate keystore for trust.
  Save setting.
  b. Under SSL tab
  Identity and Trust Locations: select "Keystores"
  Private Key Alias: alias used while creating private keyi.e. in our case "uinbrdcsap01_apac_nsroot_net"
  Save setting.
  c. Under General tab
  Check checkbox "SSL Listen Port Enabled"
  and mention ssl port "SSL Listen Port"
  Save setting.
  After this activate changes.You might see error on admin module.
  Using command prompt, stop the server and again restart and then try to access using https and port ...
  you will definately get output...
  in our case issue might be due to key size..we used 1024 key size ..it solve problem.
  for your further reference plz find link below..it is also helpful.
  http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674

• Cisco ASA 5505 and comodo SSL certificate

  Hey All,
  I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
  Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
  On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
  What am I missing here? I can post config if anyone needs it.
  (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

  It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
  ASA Version 9.0(2)
  hostname MyDomain-firewall-1
  domain-name MyDomain.com
  enable password omitted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd omitted
  names
  name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
  name 10.200.0.0 MyDomain_New_IP description MyDomain_New
  name 10.100.0.0 MyDomain-Old description Inside_Old
  name XXX.XXX.XX.XX Provider description Provider_Wireless
  name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
  name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
  ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
  ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address Cisco_ASA_5505 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address Provider 255.255.255.252
  boot system disk0:/asa902-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.0.3.21
  domain-name MyDomain.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network MyDomain-Employee
  subnet 192.168.208.0 255.255.255.0
  description MyDomain-Employee
  object-group network Inside-all
  description All Networks
  network-object MyDomain-Old 255.255.254.0
  network-object MyDomain_New_IP 255.255.192.0
  network-object host MyDomain-Inside
  access-list inside_access_in extended permit ip any4 any4
  access-list split-tunnel standard permit host 10.0.13.1
  pager lines 24
  logging enable
  logging buffered errors
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-712.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
  route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
  route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
  route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  action terminate
  dynamic-access-policy-record "Network Access Policy Allow VPN"
  description "Must have the Network Access Policy Enabled to get VPN access"
  aaa-server LDAP_Group protocol ldap
  aaa-server LDAP_Group (inside) host 10.0.3.21
  ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
  server-type microsoft
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http MyDomain_New_IP 255.255.192.0 inside
  http redirect outside 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  no validation-usage
  no accept-subordinates
  no id-cert-issuer
  crl configure
  crypto ca trustpoint VPN
  enrollment terminal
  fqdn vpn.mydomain.com
  subject-name CN=vpn.mydomain.com,OU=IT
  keypair vpn.mydomain.com
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpool policy
  crypto ca server
  shutdown
  crypto ca certificate chain LOCAL-CA-SERVER
  certificate ca 01
      omitted
    quit
  crypto ca certificate chain VPN
  certificate
      omitted
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate ca
      omitted
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint VPN
  telnet timeout 5
  ssh MyDomain_New_IP 255.255.192.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  dynamic-filter updater-client enable
  dynamic-filter use-database
  dynamic-filter enable
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
  ssl trust-point VPN outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
  anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
  anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
  anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value MyDomain.com
  group-policy MyDomain-Employee internal
  group-policy MyDomain-Employee attributes
  wins-server none
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value MyDomain.com
  webvpn
    anyconnect profiles value MyDomain-employee type user
  username MyDomainadmin password omitted encrypted privilege 15
  tunnel-group MyDomain-Employee type remote-access
  tunnel-group MyDomain-Employee general-attributes
  address-pool MyDomain-Employee-Pool
  authentication-server-group LDAP_Group LOCAL
  default-group-policy MyDomain-Employee
  tunnel-group MyDomain-Employee webvpn-attributes
  group-alias MyDomain-Employee enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
  : end
  asdm image disk0:/asdm-712.bin
  asdm location MyDomain_New_IP 255.255.192.0 inside
  asdm location MyDomain-Inside 255.255.255.255 inside
  asdm location MyDomain-Old 255.255.254.0 inside
  no asdm history enable

• How Do You Generate a 2048bit CSR for a Third Party SSL Certificate for LMS 4.0.1?

  Our site requires Third Party SSL certificates to be installed on our servers.  We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
  My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits.  Is there someplace in the GUI or OS where I can change the encryption?

  This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
  http://help.godaddy.com/article/5276
  You could also use an online CSR gererator such as:
  http://www.gogetssl.com/eng/support/online_csr_generator/
  The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
  Hope this helps.

• Help needed in importing SSL Certificate

  Hi All,
  The SSL certificate in our application server has expired. We have created a new certificate and imported it through oracle wallet manger. But the application server is not recognizing the new certificate. Still shows certificate error when we try to access the application via https.
  We are using oracle application server 10.1.2.0.2
  I don’t have much knowledge on application server.
  Please help me on this.
  Thanks in Advance,
  Jey

  Hi Jeykrishnan,
  The installation consists of three main parts:
  a) Importing the Primary Root CA
  b) Import the Intermediate Certificate and Cross Certificate
  c) Installing your SSL123 certificate
  a) Importing the Primary Root CA
  1. Launch Oracle Wallet Manager.
  2. Click Operations and select Import Trust Certificates from the menu
  3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
  4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of Primary Root CA text into the box and click OK.
  5. A message should appear that the import was successful and you will see the Root Certificate at the bottom of the Trusted Certificates tree.
  b) Importing the Intermediate and Cross certificates
  1. Launch the Oracle Wallet Manager.
  2. Click Operations > Import Trust Certificates from the menu.
  3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
  4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of the Intermediate Certificate text into the box and click OK.
  5. A message should appear that the import was successful and you will see the Intermediate Certificate at the bottom of the Trusted Certificates tree.
  6. Repeat the same steps for the Cross certificate
  c) Importing your SSL123 certificate
  1. Click Operations > Import User Certificate from the menu bar.
  2. The Import Certificate dialog appears.
  3. Select the Paste the Certificate radio button, and click OK.
  4. The Import Certificate dialog appears.
  5. Paste the entire contents of your SSL123 Certificate file and click OK.
  6. A message should show that the certificate was imported successfully.
  7. When you return to the main window, wallet status should show "Ready."
  Regards
  FAbian

• Problem with OAS Instance Name y Host Name to create trial ssl certificate

  Hi, everyone
  I have a problem when creating a trial ssl certificate from Verisign page, affer a live assistance, that page rejected my CSR generated from OAS, saying thay my common name has invalid characters.
  My Oracle Application Server installation name: Instance.HostName is:
  IAS_IND01.ind-internet
  So, Verisign told me this name can't contain "_" or "-" characters for example.
  I need to know if it's possible to change the instance name and if OAS host name changes also if i change server's host name.
  I wouldn't like to reinstall all over again.
  Please help.
  Regards
  David

  Hi,
  No your AS server will not automatic. even if you change your host name.
  If U 'll try to change your host name, be carefull when U 'll try to start you AS instacne
  it ' not start anymore , AS user hosts fill to get full quallified name of your host.
  U 've two choices
  -1 delete your AS, then change your hosts name, then new installtion of AS
  2- If U 've exprience with AS, just breng your AS down, change your hosts name,
  U 'll need to do some changes in your AS, just read admininstrator Guide.
  Cheers,
  Hamdy

• MPX 2.1.1.2 SSL Certificates doesn't show in the web administration

  Hey guys,
  I've uploaded SSL certificates to my MeetingPlace Express installation and I got the error showed in the attached file. "Display Certificate" via the web interface doesn't show anything but under CLI with SSLUtil command I can see that the certificates are actually generated in the system.
  Currently the certificates are actullay working when I access the meetingplace via web but I don't have any administration control over them via the web administration. Rebooting the server doesn't help. Anyone experienced similar issue?
  Regards,
  Vladimir

  Correct it did work in 1.5. on .sql files, when connected, so I have updated the ER to bug. We also need to expand this to support PL/SQL files.
  Sue

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• SSL Certificate Error in AIX server~~~SCOM 2012 R2

  Hi Everyone,
  While installing SCOM client i am getting below error. Plz suggest.
  Agent verification failed. Error detail: The server certificate on the destination computer (FQDN(Server Name):1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve 
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
  The server certificate on the destination computer (FQDN(Server Name:1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve.
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool. 

  Hi Pawan
  Have you exported/imported scx certificates?
  Check out Kevin Holmans blog on installation of UNIX/Linux agents:
  http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx
  www.coretech.dk - blog.coretech.dk

• Sending SSL Certificate to external Web service in BizTalk 2010

  Hi,
  We are facing issues in calling the external web service(SAP I Web service) which is authenticated using the SSL self signed certificates.
  When BizTalk sends the request to SAP it fails with HTTP 401 error, and in SAP PI the log says calling application not sending the client certificate. Please help us in sending the request to external web service by signing with the client
  certificate.
  Below are the details,
  1. This is a 2-way SSL communication authenticating based on the client Certificate.
  2. BizTalk server public key certificate is shared to SAP PI and using SAP PI certificate public key in biztalk
  3. Configuration done at BizTalk as given below
  1. Created BizTalk Certificate using makecert command
  2. Client and Server Certificate Installation
  - Installed BizTalk Client Certificate in Certificates Store under
  a. Current User--> Personal (Private Key)
  b. Current User --> Trusted Root Certification Authorities (Public Key)
  c. Local Computer --> Personal (Private key)
  d. Local Computer --> Trusted Root Certification Authorities (Public Key)
  e. Current User--> Other People
  Installed SAP Server Certificate in Certificates Store under
  a. Current User --> Trusted Root Certification Authorities
  b. Current User --> Trusted People
  c. Local Computer --> Trusted Root Certification Authorities
  d. Local Computer --> Trusted People
  e. Current User--> Other People
  3. BizTalk Status Solicit Response Send Port(used to call the SAP PI Web service) Configuration
  - Transport Type  WCF-Custom
  - Binding  BasicHttpbinding
  Security Mode : Transport
   Client Credential Type : Certificate
   Proxy Credential Type : None
   Realm : localhost
  • Message
   Client Credential Type : Certificate
  Client CredentialsClient Certificate
   findValue : CN=< Thumbprint >
   x509Findype : FindByThumbPrint
  • Server Certificate
   findValue : <Thumbprint>
   x509Findype : FindByThumbPrint

  Hi All,
  The reasons why the trigger from BizTalk is failing and the trigger from SoapUI is successful.
  In SoapUI configuration we select the Private key of the client certificate and provide the password for the same.
  In BizTalk we only have the option of selecting the certificate and we cannot provide the password. Below is the MSDN article for the same
  In one of the Site  , its mentioned as below, Kindly let us knwo whether the below mentioned will work or not
  Organization Security Restrictions::
  Each organization may have restriction on using client certificates for security reasons . One such restriction is when a user requests a client certificate a password prompt is displayed . A client certificate can be used only if the correct password is provided
  becuase Biztalk Server uses services and services cannot interact with dialog boxes so do not use client certificates requiring password validation.
  To Prevent the issue , configure the policy so no password are prompted when a certificate is used this setting is enforced by the Group policy Object (GPO) system cryptography: Force strong Key protection for user keys stored on the computer . If setting
  this policy , then the value should be set to "User input is not required when new keys are stored and used "
  Kindly let us know whether setting needs to be done in the system cryptography
  Thanks

• Installing SSL Certificates on OS X 10.7 Lion Server

  Is there anybody out there that has gotten this to work.
  Have been at this for 3 days. Now on 10th clean install.
  Have tried different SSL certificates from different CA vendors. All on clean installs.
  Can install along with intemediate certificates.
  Differnet SSL checkers report differing results. Some will report as fine whilst others will report that the chain is broken.
  Some examples:
  https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=conten t&id=SO9556&actp=LIST&viewlocale=en_US
  Will report a double entry
  http://www.digicert.com/help/
  will report a break between the server certificate and the first intermediate certificate which it recognises as the same server certificate (weird!)
  https://www.ssllabs.com/ssldb/analyze.html
  Will report "incorrect order"
  http://www.sslshopper.com/ssl-checker.html
  Seems to report as fine although you will notice the server certificate twice in the chain again first as Server then first link in chain
  I assure you have only installed certificates once (1 for purchased cert and 1 for intermediate) at the beginning of a clean install.
  At a loss with this and very frustrated after 3 days getting no where.
  Anyone able to help?

  https://certs.godaddy.com/ccp/tools/sslinstallvalidator.seam
  Will report "Chain of Trust broken!"
  All this despite being able to access the server over SSL just fine. Need to get this to work properly though to make use of profile manager.

• Unable to configure SSL certificate on Apex

  I am trying to configure ssl certificate in one apex application.
  http://docs.tpu.ru/docs/oracle/en/oas/10.1.2.0.0/web.1012/b14007/ssl.htm#i1031859
  as per the above document first step is create a wallet with SSL certificate information.
  While creating wallet i am trying to import the CA certificate and User Certificate.
  But i am not able to import the certificates properly. I am getting error messages.
  Error Message :
  User certificate installation failed
  Possible Errors;
  -- Input was not a valid certificate.
  -- No matching certificate was found
  -- CA certificate is needed for certificate chain not found please install it first.
  What could be the reason for this. and solution for this problem ?

  Yes I am using OWM ( Oracle Wallet Manager)
  First I have created a new wallet and then i did create service request.
  Then Import user certificate and import CA certitificates are enabled.
  Then tried to import the certificates above mentioned errors are coming.....
  Yes first i imported the CA certificate then i imported the user certificate using the wallet manager. I used the copy - paste certificate method while importing.
  Any how if do import user certificate first it will show an error saying install ca certificate first.
  Message was edited by:
  Santhosh Kumar T

• UNIFIED MANAGER ALERT : on EXPIRING SSL certificates in clustered Data ONTAP systems

  The default ssl certificates on clustered Data ONTAP systems are valid for 1 year.
  Since we have cDOT clusters monitored via Oncommand Unified Manager 6.2, we would like Unified Manager to alert on expiring Certificates.
  Is this possible in OCUM 6.2?
  Thanks

  Thanks Saravanan, Initially i had it on RHEL 6.6, and i see some of the existing packages were of a older version and created some issues while rrdtool and sql installation. but i managed to do the installation and faced the same issue. I Didnt know that this is a user account issue not a package dependency issue.and thats the reason i got my server upgraded to RHEL 7.1 and the installation went fine but the same issue. But its working for now, thanks again :-)