SSL Certificate & Local Access
Hi everyone,
I'm currently in the process of re-keying exchange with a new certificate.
Currently, outlook clients have the following configuration:
Mail Server: server01.domain.local
HTTP Proxy: exchange.domain.com.au
Therefore the current SSL is keyed for:
Primary: exchange.domain.com.au
Alternate: server01.internal.local, autodiscover.domain.com.au, autodiscover.internal.local
With the old certificate, this is fine - however from November the 1st 2015 SSL authorities are allowing only external fully qualified domain names.
Therefore the SSL can ONLY be keyed for:
Primary: exchange.domain.com.au
Alternate: autodiscover.domain.com.au
This means that when connecting to exchange server01.domain.local I receive an error stating that the name on the certificate does not match the name of the host (because it's connecting locally).
Is there any way of adjusting configuration in Exchange for users to connect to the external exchange.domain.com.au even though they are local? I would obviously need to update autodiscover etc also
Cheers,
Anthony
There are two possible solutions using SSL certificate from public and private
1. Use SSL cert from public CA for public domain name (exchange.domain.com.au) on reverse proxy servers like ISA or TMG for external access, and use internal CA for internal names on Exchange server (server01.internal.local)
or
2. You can create another site using separate NIC card on Exchange server. Use internal CA certificate on Default site and public CA certificate on new site.
Similar Messages
-
Scenario:
Windows Server 2012 R2 Essentials
I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere Access to use that new SSL Cert. I rebooted the server and I am able to login to Anywhere Access via https (using the SSL certificate) from PC, Mac and iOS.
So far so good.
The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local instead of the SSL Certificate I installed, which is
remote.acmedomain.com
If I click to accept, RDP does work fine, it's just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?
Because....
the server does not have a 'trusted' certificate assigned to it.
Only the RDP Gateway has the trusted certificate for the external name.
If you want to remove that error, you have to do one of the following:
Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
So, something like,
server.domain.publicdomain.com
Or,
Install that certificate on your remote computer so it is trusted.
Robert Pearman SBS MVP
itauthority.co.uk -
When accessing Intranet sites that have SSL Certificates issued by our internal PKI, FF for Windows gives an error message - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.
Hi Guigs2,
From the other post you link too, I can confirm that both the Root and Subordinate CA have been commissioned with the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This has been the Microsoft suggested deployment IF you do not wish to support either XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix? -
Jabber Guest server Local SSL certificate
Hi, trying to download a local SSL certificate from Jabber Guest server and issued a 'generate a new self signed certificate' request. System shows 'a certificate signing request is being created, please wait'. Unfortunately it's been like that for 2 days now - even after rebooting the server it still reports the same. (version is 10.5.3.115)....any advice appreciated.....TIA, Jeff
Jeff,
I had a look at my Jabber Guest server this morning and oddly enough I found the same thing as you did. I'm not sure when the server got into this state however I can say it has been fully functional. Anyway, there are two options that you generally should have.
1) "Generate a New Self-Signed Certificate"
2) "Create a New Certificate Signing Request"
To restore these options I had to run the certificate scripts through the root of the system.
1) cd /opt/cisco/webcommon/scripts/
2) ./createcsr.sh (This is for the Cert Signing Request)
3) ./selfsigned.sh (This is for the Self Sign)
After running each script you'll need to run through the general certificate questions.
I hope this helps.
-P -
Can't access Exchange ActiveSync server - SSL certificates not being used
When I try to set up my email via Exchange ActiveSync to a corporate server, I am unable to connect. I am using the same exact settings as on an iPhone, where I am able to successfully connect.
Reading the console log in the iPhone configuration utility, the problem appears to be that the iPad is not using the corporate certificates I have installed to enable SSL access to the Exchange server. These certificates are installed in the exact same way they are on my iPhone, where they work correctly.
Has anyone else had a similar problem accessing Exchange mail using SSL certificates? Any ideas on how to fix this? Or is this a bug in the iPad software?
I'm having the same problem. iPhone works fine on Exchange at work but iPad with same settings says cannot connect to Exchange server. Have you figured anything out yet?
Tom -
Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway
Hi we have just migrated our SSL certificate from our Outlook exchange server, outlook web access works perfectly but two of our users who have Blackberry devices set up to get their email via owa now fail.
Everything worked fine before the migration.
The new SSL gateway is an Apache box running mod_proxy, mod_SSL and mod_sec. Protecting the box running owa and IIS6.
I can provide the http.conf etc, but I can see the traffic passed by Apache but I am getting a 401 message on the way back through to the device.
Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
Thanks in advance
Mike
Hello there!
You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
Try this article.
And this one.
And this one.
And this one.
You also can search the public KBs for more relevant articles:
http://www.blackberry.com/btsc/microsites/microsite.do
Good luck and let us know!
-
Install GoDaddy SSL Certificate to Windows Server 2012 - Access Anywhere
I would like to activate Access Anywhere on my Windows Server 2012 Essentials. I went through the guided steps and purchased an SSL certificate from Godaddy. Godaddy doesn't offer support regarding the correct installation process of their certificates using IIS 8 (Server 2012 Essentials). I noticed that Access Anywhere requires a PFX certificate and Godaddy only provided a PKCS #7 and a cer. file. Please let me know if Godaddy's certificates are compatible with Windows Server 2012 Essentials. Without Access Anywhere functioning on my server, the usefulness of the server greatly decreases. Your assistance is greatly appreciated. Thanks.
All you need is the standard, lowest level, single domain, no email, no bells, no whistles, no UCC. Just a simple SSL cert. Even SBS standard which adds email to the RWA feature, only requires that, thanks to the magic of the dev. team.
Larry Struckmeyer[SBS-MVP] If your question is answered, please mark the response as the answer so that others can benefit. -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is set up as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))
It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
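The name mismatches reported in the Exchange thread (internal .local names dropped from the re-keyed certificate) and in the AnyConnect thread (the client showing an IP address against a certificate issued for vpn.mydomain.com) both come from the same check: the name the client connects to must appear in the certificate's subject alternative names. The following is an added example, not code from any of the posters, that predicts those mismatches before a certificate is deployed; the internal suffix list and the 198.51.100.7 address are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: illustrative, non-exhaustive list of suffixes that are not
# publicly delegated and that a public CA therefore cannot validate.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")


def is_ip(name):
    """True when the string is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def publicly_issuable(name):
    """False for names a public CA cannot put on a certificate:
    single-label host names, internal suffixes, non-global IP addresses."""
    n = name.lower().rstrip(".")
    if is_ip(n):
        return ipaddress.ip_address(n).is_global
    if "." not in n:
        return False
    return not n.endswith(INTERNAL_SUFFIXES)


def san_matches(san, host):
    """Name check as TLS clients perform it: exact match, or a wildcard
    covering exactly one left-most label. An IP address the client dials
    is only satisfied by an IP entry, never by a DNS name."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if is_ip(host):
        return is_ip(san) and ipaddress.ip_address(san) == ipaddress.ip_address(host)
    if is_ip(san):
        return False
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host


def audit(requested_sans, client_endpoints):
    """Split the requested names into what a public CA will refuse, then
    list every endpoint clients use that the issued certificate will not cover."""
    rejected = [s for s in requested_sans if not publicly_issuable(s)]
    issued = [s for s in requested_sans if publicly_issuable(s)]
    mismatch = [h for h in client_endpoints
                if not any(san_matches(s, h) for s in issued)]
    return {"rejected": rejected, "mismatch": mismatch}


# Names taken from the Exchange thread on this page.
EXCHANGE_SANS = ["exchange.domain.com.au", "server01.internal.local",
                 "autodiscover.domain.com.au", "autodiscover.internal.local"]
EXCHANGE_ENDPOINTS = ["server01.domain.local", "exchange.domain.com.au",
                      "autodiscover.domain.com.au"]

# Name taken from the AnyConnect thread; the IP is a constructed placeholder
# because the poster redacted the real outside address.
ASA_SANS = ["vpn.mydomain.com"]
ASA_ENDPOINTS = ["vpn.mydomain.com", "198.51.100.7"]

if __name__ == "__main__":
    for label, sans, endpoints in (("Exchange", EXCHANGE_SANS, EXCHANGE_ENDPOINTS),
                                   ("AnyConnect", ASA_SANS, ASA_ENDPOINTS)):
        result = audit(sans, endpoints)
        print(label, "rejected by public CA:", result["rejected"])
        print(label, "endpoints that will warn:", result["mismatch"])
```

Every endpoint listed under "mismatch" has to be repointed at a name the certificate covers (for example through internal DNS for the public name) or served with a certificate from an internal CA, which are the options the replies in the Exchange thread describe.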
SSL Certificate Exception every time a connection is established
Hello guys!
I am trying to authenticate a website running SharePoint 2010. But every time a connection is established, an SSL/TLS exception is thrown. The following is the code I am using. Any idea??
The exception is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices.WindowsRuntime;
using Windows.Foundation;
using Windows.Foundation.Collections;
using Windows.UI.Xaml;
using Windows.UI.Xaml.Controls;
using Windows.UI.Xaml.Controls.Primitives;
using Windows.UI.Xaml.Data;
using Windows.UI.Xaml.Input;
using Windows.UI.Xaml.Media;
using Windows.UI.Xaml.Navigation;
using System.Net;
using System.Net.NetworkInformation;
using Windows.Networking.Connectivity;
using System.Net.Http;
using System.Xml.Linq;
using System.Text;
using Windows.Web.Http.Filters;
using Windows.Security.Cryptography.Certificates;
// The Blank Page item template is documented at http://go.microsoft.com/fwlink/?LinkId=234238
namespace TestApp
{
    /// <summary>
    /// An empty page that can be used on its own or navigated to within a Frame.
    /// </summary>
    public sealed partial class MainPage : Page
    {
        public MainPage()
        {
            this.InitializeComponent();
        }

        private static HttpWebRequest CreateWebRequest(string url, NetworkCredential credentials)
        {
            //Initialize new instance of HttpBaseProtocolFilter, which implements IHttpFilter.
            string action = "http://schemas.microsoft.com/sharepoint/soap/GetWebCollection";
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Credentials = credentials;
            req.Headers["SOAPAction"] = action;
            req.ContentType = "text/xml;charset=\"utf-8\"";
            req.Accept = "text/xml";
            req.Method = "POST";
            return req;
        }

        static string soapEnvelope = @"<soap:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body></soap:Body></soap:Envelope>";
        //static string soapEnvelope =
        // @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
        // xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""> <soap:Body> <Login xmlns=""http://schemas.microsoft.com/sharepoint/soap/""> <username>{0}</username> <password>{1}</password>
        // </Login> </soap:Body> </soap:Envelope>";

        private static XDocument CreateSoapEnvelope(string content)
        {
            // Insert the operation element into the empty SOAP body.
            StringBuilder sb = new StringBuilder(soapEnvelope);
            sb.Insert(sb.ToString().IndexOf("</soap:Body>"), content);
            XDocument soapEnvelopeXml = XDocument.Parse(sb.ToString());
            return soapEnvelopeXml;
        }

        private static void InsertSoapEnvelopeIntoWebRequest(XDocument soapEnvelopeXml, HttpWebRequest webRequest)
        {
            // Write the envelope to the request stream, then start reading the response.
            webRequest.BeginGetRequestStream((IAsyncResult asynchronousResult) =>
            {
                HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
                Stream postStream = request.EndGetRequestStream(asynchronousResult);
                soapEnvelopeXml.Save(postStream);
                //postStream.Close();
                request.BeginGetResponse(new AsyncCallback(GetResponseCallback), request);
            }, webRequest);
        }

        private static void GetResponseCallback(IAsyncResult asynchronousResult)
        {
            HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
            // The trust exception described above is thrown here, at EndGetResponse.
            HttpWebResponse response = (HttpWebResponse)request.EndGetResponse(asynchronousResult);
            Stream streamResponse = response.GetResponseStream();
            StreamReader streamRead = new StreamReader(streamResponse);
            string responseString = streamRead.ReadToEnd();
            //do whatever with the response
            //streamResponse.Close();
            //streamRead.Close();
            //response.Close();
        }

        private void Button_Click(object sender, RoutedEventArgs e)
        {
            NetworkCredential credentials = new NetworkCredential("<user>", "<password>", "<domain>");
            HttpWebRequest request = CreateWebRequest("https://the_website_I_am_trying_to_connect_to", credentials);
            XDocument soapEnvelope = CreateSoapEnvelope("<GetWebCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />");
            InsertSoapEnvelopeIntoWebRequest(soapEnvelope, request);
        }
    }
}
Hi,
According to your description, my understanding is that when you access an https web service, the “The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel” error occurs.
To overcome this error, you need to install the certificate that is used by the web service provider in the server that will be calling the web service.
Open Microsoft Management Console (Start --> Run --> mmc.exe);
Choose File --> Add/Remove Snap-in;
In the Standalone tab, choose Add;
Choose the Certificates snap-in, and click Add;
In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;
Close the Add/Remove Snap-in dialog;
Navigate to Certificates (Local Computer)
Choose a store to import:
If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;
If you have the certificate for the server itself, choose Other People
Right-click the store and choose All Tasks --> Import
Follow the wizard and provide the certificate file you have;
Here are some detailed articles for your reference:
http://www.c-sharpcorner.com/uploadfile/anavijai/could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap
Thanks
Best Regards
Jerry Guo
TechNet Community Support
Hello Jerry,
Thank you very much for your reply.
But what about Windows Phone? I am running the same code on WP 8.1 as a store app, and it returns an exception at the same place: the GetResponseCallBack.
Any workaround? Can I run a code from the app that uses the certificate or at least installs it?
Thanks a lot. -
Can't find SSL certificate in SQL server configuration manager?
Hi
It's been 2 days and I need help. I have visited a number of sites and I still can't make it work
Two servers I have: Windows 2012 Standard with SQL 2008 R2 and SQL 2012
I am trying to set it up on SQL 2008 R2 right now.
I have a certificate from a CA and did the following.
1. Open MMC
2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
3. Right-click on Personal folder and All Tasks and Import
4. Installed the certificate with Certificate import Wizard
5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
I did this with a local administrator account as well as MSSQL account(SQL Server service account I created). Even though the server is part of domain, SQL server is set up with local accounts.
This is a simple summary. I tried everything in the article such as 'Create Custom Request'.
I am not sure what I am missing. Why can't I see the certificate in SQL Server configuration manager?
I even made MSSQL (service account) as administrator. Not working.
as I am not using the domain service account, I believe below is not relevant.
Missing detail on "Install a certificate in the Windows certificate store..."
When following recommended security procedures and running SQL server under a domain service account, the service will fail to start after assigning a certificate to the protocols. This is because the service account does not have permissions to read the private key. Fix this in the Certificates MMC snap-in (preferably right after installing the certificate.) Select the certificate you just imported, then in the Action menu select "Manage private keys." Grant the domain service account read access to the private key of the server certificate.
Below are a few of the references I looked at..
https://support.microsoft.com/en-us/kb/316898/
https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx
Hi Dinesh
Thanks for the reply.
I did look into both sites as well, but it did not work.
Below are the steps to install the SQL Server certificate, and I was stuck at Step 9. When I click 'Next' in the wizard, I am not getting to a place to select 'Computer' as the certificate type.
Do you know what is wrong please?
Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
On the File menu, click Add/Remove Snap-in...
Select Certificates, click Add.
You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
Select Local computer, and then click Finish.
Click OK in the Add/Remove Snap-in dialog box.
Click to select the Personal folder in the left-hand pane.
Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
Now you should see the certificate in the folder with the fully qualified computer domain name -
Installing certificate for access to exchange 2003 server
My exchange server requires that a certificate be installed to enable remote access. Since the iPhone does not support disk mode like the iPod there appears to be no way to install the certificate. Are there any workarounds?
iPhone Windows XP
Whole migration from Exchange 2003 server to Exchange 2010 server has been done and applied 3rd party SSL certificate on Exchange 2010 servers also.
Hi,
According to your description, everything about exchange 2010 is ready.
Why don't you follow the mail flow as below?
Internet Emails > Ironport > Exchange 2010 (smart host) > Exchange 2003 servers
Please refer to the following article:
Move Internet Mail Flow from Exchange 2003 to Exchange 2010
Configure mail flow by using one of the methods listed below depending on the needs of your organization. This will enable Internet message flow through your Exchange 2010 Hub Transport servers.
Configure Internet Mail Flow Through Exchange Hosted Services or an External SMTP Gateway
Configure Internet Mail Flow Directly Through a Hub Transport Server
Remove the SMTP connector in Exchange 2003 that is used to handle Internet mail. Your account needs to be a member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.
In Exchange System Manager, expand the Organization node, expand Administrative Groups, expand <AdministrativeGroupName>, expand Routing Groups, expand <RoutingGroupName>, and then select Connector.
In the right-hand pane, right-click the connector you want to delete and select Delete.
Click OK to confirm the deletion.
Hope this helps!
Thanks.
Niko Cheng
TechNet Community Support -
Generating CSRs for SSL Certificates
Hi all,
I am trying to generate CSRs for SSL Certificates, in order to set up a secure (https) dynamic dns connection to my router.
I am supposed to access to the following directory through the Terminal:
cd /usr/local/ssl/private
But all I can access is /usr, I cannot go any further. I always get the message "/local: No such file or directory." Even if I am logged as root.
I might be making some mistakes, but I do not understand what is going on.
Thanks
Enrique
The error message you posted says there is no "/local" which is true.
There is a "/usr/local"
If you are cd'ing one directory at a time, don't lead them with a /
For example:
cd /usr
cd /local
Will give you the error you describe
cd /usr
cd local
Will put you into /usr/local
If this doesn't solve your issue, please post the exact steps you are taking.
Jeff -
I need to update the SSL certificates on two domains hosted on my OS X 10.5.8 server. It appears that renewal cannot happen in Server Admin.
After extensive web reading, I find that under 10.4 you had to use both Server Admin and Keychain Access to accomplish the renewal. Here are the official Apple instructions:
http://support.apple.com/kb/TA24487?viewlocale=en_US
Is this the same in 10.5?
My problem is that I have only access via SSH to my server and thus cannot run Keychain Access as a GUI. I found that the terminal command 'security' can do much of this, but its man page is highly cryptic and I fear for my certs as I try this. Any help with usage of 'security' to achieve export of a domain's certs, deletion, and importation as per the above instructions?
What if using 'Server Admin', I delete the domain certificate before I request and reinstall the new one? This would leave a small hole of uncovered access, but I can live with that. But I don't want to do this to find out that the Keychain Access app is going to throw a fit?
Any help from someone who has done this successfully would be appreciated. Thanks.
To renew your SSL certificate, you can do one of two things:
1) Use your existing CSR to acquire your new certificate.
2) Generate a new CSR to acquire your new certificate.
If you choose to use your existing CSR, you will need to know which keystore file you are currently using and the password you assigned to that keystore file.
Here are the steps to find out which keystore file you are currently using:
1) Login to the PostX Administration Console (GUI)
2) Click on the Configuration tab.
3) Navigate to Web Servers and Proxies > Web Server Config > Connection Listeners > HTTPS (SSL) Connection Listener.
4) You should see a keystore file field. This will display the path to the keystore file you are currently using.
If you do not remember the password to your current keystore file, we strongly suggest that you create a new CSR.
To generate a new Certificate Request (CSR):
1) Login to the PostX Administration Console (GUI)
2) Click on the Keys and Certificates tab
3) Click on SSL Setup and select Get Certificate Request
4) Fill out the form and hit submit. Your new CSR will be generated in a text box on the page.
5) Copy and paste the CSR onto a local text file which you can then send to your CA of choice.
For more information on the SSL certificate process as well as importing the certificate please refer to our Knowledge Base article 845 at http://tinyurl.com/2n6qru. -
SSL/Certificate creation/distribution questions
I'm extremely new to SSL and using certificates and have been having some trouble figuring out exactly how to create and implement them.
Environment background:
Currently, my entire network is closed off from the outside world. It's a mac-only network, basically sandboxed from a PC-only network via a router (to provide access to the internet, that's provided from the PC network). No port forwarding is set up and I don't have any external IP addresses pointing to my router, so currently there's no way for an outside source to see my network. With not really any need for secure traffic, SSL and certificates aren't really needed (basically, it's a video dept at a university with ~150 users). However, once I get external access (the main IT dept's been "working" on this with our ISP for, um, about a year <coughcough>), I'm wanting to do some stuff with VPN as well as wikis and chat (chat could theoretically be useful internally now). Even though we don't really have much worth hacking, once I get a window to the outside world, I'd like to button up my server/network as much as possible.
Since all my services will be set up and provided by me, I'm comfortable using certificates I create instead of purchasing any--if I knew how to do this, which brings me to my questions. I've tried creating a certificate within Server Admin, but it says it's not trusted (and clients don't seem to see it, anyway). I've also tried the instructions here: www.eclectica.ca/howto/ssl-cert-howto.php, but got an error when actually running the openssl command (OpenSSL is installed and appears to be functional). How do I get a trusted certificate(s) and then, how do I distribute them to the clients so they see and use them? Exactly what path are these created to, or should be placed, etc?
I'd initially like to use SSL for increasing the security of my logins (all network users), but like mentioned, I'd also like to secure other services (is a cert needed/useable for VPN?). In that regard, do I only need one certificate, or would I need certificates for each separate service?
Sorry for the long post, but thanks for any help.
Hi There,
If you create a "self signed" certificate you will get warning messages in your browser but can configure your browser to accept these warnings. This is ok if it is just a local access machine and you are the only one accessing it.
If outside people are going to be accessing it, you will want to use a 3rd party SSL certificate from a trusted authority such as Verisign, GeoTrust etc.
Here is a good article on how to create the CSR on 10.6
http://support.apple.com/kb/HT3976
Hope this Helps,
Eric Holtzman
Hosting 4 Less -
SSL Certificate question (minor issue)
I have a Windows 2012 server setup with RDS. I have about 10 virtual machines already setup - my whole VDI infrastructure. Everything is working fine - accessing the vm's internally and externally, however, I have issues w/the certificate.
I am using a self-signed certificate (until I can get my client to pay for a real SSL cert).
I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address), the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012) and the user will see the RDWeb page and can log in from there. The cert is pointed to remote.mycompany.com too. However, my server is called vdi-remote2.mycompany.com. Naturally, when using IE to access the RDWeb page, their address bar in IE will be red with the cert error/warning.
First they are greeted with the "There is a problem with this website's security certificate" and will click on continue to this website. Upon inspection of the certificate, it will say "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." Ok, I can install it (and have), but I still get the red address bar in my IE.
Needless to say, I'd like to clean this all up. The users are non-technical people and when they see this stuff, they freak out. We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and secure. Green or no address bar when using https in the address bar.
How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb. I don't recall the possibility to have two certs for one website (the RDWeb). So, I'm a bit confused on all this cert stuff. I could keep everything as is and just train the users, but I'd rather not.
Thank you in advance for your reply.
Hi Steve,
Thanks for your comment.
Yeah, your understanding is correct as you have commented that “Things are working, but ONLY after I install the cert in the trusted root certification authorities store.”
Trusted certificate is required for RDS server.
I would like to suggest that, first of all, the certificate must be placed in the (local computer)/Personal Store, and the certificate must be signed by a trusted authority. Please check the link below, which states that “If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server.”
RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
You may export your certificate (and its private key) to a .pfx file using the Certificates mmc snapin. By that way you can use the .pfx file for the RDS Role Services.
Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
For your comment “One user was having issues. Once I installed the cert on her computer, she has no more issues logging in and launching a remote session.”, I can say that if the issue is mostly due to the certificate only, then if you purchase a trusted authority certificate, as per my knowledge all your problems regarding login and certificate will be solved.
More information:
1. Configuring RDS 2012 Certificates and SSO
2. RD Web Access Web site to use a trusted certificate
(Thread might be helpful to understand)
Hope it helps!
Thanks,
Dharmesh
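A client checks two independent things on an HTTPS certificate: that the chain is trusted, and that the name typed in the URL matches a name in the certificate. As an added example (not from any poster in the thread), this Python code applies the name-matching rules, simplified from RFC 6125, to the three names used in the thread above; the SAN lists are constructed for illustration.

```python
# Added example: TLS hostname matching against a certificate's SAN dNSName
# entries (simplified RFC 6125 rules). All SAN lists here are constructed.

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """True if one SAN dNSName entry covers the host the user typed."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Accept a wildcard only as the whole left-most label, and only when
        # at least two literal labels follow it (so "*.com" is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(san_list, host):
    return any(san_matches(entry, host) for entry in san_list)

def audit(san_list, hosts):
    """Map each name users type to whether the certificate covers it."""
    return {host: covered(san_list, host) for host in hosts}

# Names from the thread: the public name, the server FQDN, the short name.
ACCESS_NAMES = ["remote.mycompany.com", "vdi-remote2.mycompany.com", "vdi-remote2"]

CURRENT_CERT = ["remote.mycompany.com"]                              # constructed
MULTI_SAN = ["remote.mycompany.com", "vdi-remote2.mycompany.com"]    # constructed
WILDCARD = ["*.mycompany.com"]                                       # constructed

if __name__ == "__main__":
    for label, sans in [("current", CURRENT_CERT),
                        ("multi-SAN", MULTI_SAN),
                        ("wildcard", WILDCARD)]:
        print(label)
        for host, ok in audit(sans, ACCESS_NAMES).items():
            print(f"  {host:28} {'match' if ok else 'NAME MISMATCH'}")
```

The short name vdi-remote2 fails against all three constructed lists; it matches only a certificate that carries that exact name.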