SSL Certificate problem with WL 5.1

Similar Messages

• SSL certificates problems

  hi,
  has anyone also problems with self signed certificates and ios5?
  my certificates used for ipsec connections show up as "untrusted" in the certificate profiles and ipsec vpn does not work anymore.
  a second device with ios4.3 shows the same certificates as trusted.
  any ideas?

  Finnaly, after hours and hours of trying, I found the solution for myself without any support from apple (try to reboot your ios device... :-/).
  The SSL certifiactes MUST NOT use MD5 as signature alg.
  Using SHA (1,2) solves the issue. The CA is not affected by this (the CA still can use MD5 for its own public key), bute the user-certificate has to use something else then MD5....

• SSL + Certificate problems solved

  To all of you who are having problems with Weblogic and Verisign Certificates.....
  Here is what I got from BEA:
  To solve this problem, review the corresponding configuration for our demo certificates
  and
  then proceed to similar Verisign setups.
  Once WLS 6.0 is started, proceed to a browser and open the console. Move to the
  servers
  tree, expand it, chose your server and move to its SSL tab.
  WLS demo 512 bit certificate
  1. Server Key File Name -> demokey.pem
  2. Server Certificate File Name -> democert.pem
  3. Server Certificate Chain File Name -> ca.pem
  WLS 1024 bit Demo Certificate
  1. Server Key File Name -> demokey1024.pem
  2. Server Certificate File Name -> democert1024.pem
  3. Server Certificate Chain File Name -> ca1024.pem
  Trial Verisign Certificates - 2 week expiration
  When you initially make the request, the following two files are generated:
  a. mycomputer_bea_com-key.der
  b. mycomputer_bea_com-1024cert.pem
  Once Verisign acknowledges the request, you are given instructions to install
  the
  certificate as well as use test CA's for each browser, IE and Netscape. You will
  need to
  save the test CA and use this in the SSL configuration.
  1. Server Key File Name -> mycomputer_bea_com-key.der
  2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
  3. Server Certificate Chain File Name -> testca.der (obtained from the installation
  to each
  client browser)
  Purchased 1 year 1024 bit certificate from Verisign.
  As in the case of the trial certificate, much is the same except that no CA is
  forwarded.
  1. Server Key File Name -> mycomputer_bea_com-key.der
  2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
  Now what to specify as the CA?
  Using any of the other CA's will generate the modulus exception. The only recourse
  in this
  event is to do the following:
  1. go to http://www.verisign.com/repository/root.html
  You'll find Class I to Class III root certificates and a Server CA.
  Take the plain text Server CA and save this to a file.
  2. Use a conversion utility, which can be found within OpenSSL, to convert the
  plain text
  to a .der format.
  3. Once the conversion is complete, this CA.der can be used as the Server Certificate
  Chain
  File Name.

  as in mail to CC_AA with scenarios, and Private Messages, happens WIN Vista and 7. IE 9 and 10. 3 diff machines, Dell laptop home, 2 Dell Desktops work. I always clear / delete top 4 items via Internet options approx. twice a week, first thing I did along with clearing SSL state. From CC homepage, click SIGN-IN in left side black box. Enter ID and Password, SIGN IN -> . Returns to CC homepage. Click on EMAIL box below the black box, get:There is a problem with this website's security certificate.     The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.  Click here to close this webpage. Continue to this website (not recommended). More informationIf you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com. For more information, see "Certificate Errors" in Internet Explorer Help. Address bar shows "https://login.comcast.net/login........" Interesting, for secure site no security icon appears on the address bar. On Home page, if instead I click arrow in Email box, I see a preview of my mail. Then I have to click "View Inbox" lower left corner of popup, and Inbox comes up..... 

• Certificate problem with adobelc

  Hi,
  I am quiet new with mac and did get some problems with the following:
  I tried to open secured documents coming from adobeLC ( rights management from my company) but can not be open since I upgraded to 10.8.2. Certificate seems not to be recognized. the certificate is either in system and login keychain as trusted for all source but not read I think.
  Any clue ?
  Cheers

  Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option will be greyed out.
  We will have to create a new template that does so. Here are the steps:
  1. Start > Run > certmpl.msc
  2. Right-click Web Server template and choose Duplicate Template
  3. Name the template something easy to identify like ACS.
  4. Go to the Request Handling tab and check Allow private key to be exported.
  5. Click on the CSPs button and check Microsoft Base Cryptographic Provider v1.0 and
  click OK.
  6. All other options can be left at default.
  7. Click Apply and OK.
  8. Open the CA MMC snap-in.
  9. Right-click Certificate Templates and choose New > Certificate Template to Issue.
  10. Choose the new template you created and click OK.
  11. Restart the CA.
  The new template will be included in the Certificate Template dropdown.

• SSL certificate problem on most https websites

  Some https sites can not be reached in my system, and it is going to include more https sites as times goes by. I have noticed that the problem is the SSL certificate. I even check an arch iso and there I have the same problem. I tetsted two thing in case it rings any bell for you
  omid@localhost›~⁑ curl -v https://github.com
  * Rebuilt URL to: https://github.com/
  * Adding handle: conn: 0x1757250
  * Adding handle: send: 0
  * Adding handle: recv: 0
  * Curl_addHandleToPipeline: length: 1
  * - Conn 0 (0x1757250) send_pipe: 1, recv_pipe: 0
  * About to connect() to github.com port 443 (#0)
  * Trying 192.30.252.128...
  * Connected to github.com (192.30.252.128) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * Unknown SSL protocol error in connection to github.com:443
  * Closing connection 0
  curl: (35) Unknown SSL protocol error in connection to github.com:443
  in which  you can see the problem. But
  omid@localhost›~35↵⁑ curl -v3 https://github.com
  * Rebuilt URL to: https://github.com/
  * Adding handle: conn: 0xf31250
  * Adding handle: send: 0
  * Adding handle: recv: 0
  * Curl_addHandleToPipeline: length: 1
  * - Conn 0 (0xf31250) send_pipe: 1, recv_pipe: 0
  * About to connect() to github.com port 443 (#0)
  * Trying 192.30.252.129...
  * Connected to github.com (192.30.252.129) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using RC4-SHA
  * Server certificate:
  * subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=548 4th Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
  * start date: 2013-06-10 00:00:00 GMT
  * expire date: 2015-09-02 12:00:00 GMT
  * subjectAltName: github.com matched
  * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV CA-1
  * SSL certificate verify ok.
  > GET / HTTP/1.1
  > User-Agent: curl/7.33.0
  > Host: github.com
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  * Server GitHub.com is not blacklisted
  < Server: GitHub.com
  < Date: Fri, 06 Dec 2013 09:55:10 GMT
  < Content-Type: text/html; charset=utf-8
  < Status: 200 OK
  < Cache-Control: private, max-age=0, must-revalidate
  < Strict-Transport-Security: max-age=2592000
  < X-Frame-Options: deny
  < Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 06-Dec-2033 09:55:10 GMT; secure; HttpOnly
  which seems OK.  Is there even anyway to add certificate to avoid this strange behavior. I use an updated x86_64 KDE.
  Last edited by nikta (2013-12-06 11:37:06)

  [omid@localhost ~]$ ldd `which curl`
  linux-vdso.so.1 (0x00007fff8bd7c000)
  libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f9f479c6000)
  libz.so.1 => /usr/lib/libz.so.1 (0x00007f9f477b0000)
  libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f9f47592000)
  libc.so.6 => /usr/lib/libc.so.6 (0x00007f9f471e7000)
  libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f9f46fbe000)
  libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f9f46d51000)
  libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f9f46949000)
  /lib64/ld-linux-x86-64.so.2 (0x00007f9f47c2b000)
  libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f9f46745000)
  [omid@localhost ~]$ pacman -Q|egrep '(openssl|curl|ca-cert)'
  ca-certificates 20130906-1
  ca-certificates-java 20130815-1
  curl 7.33.0-3
  lib32-openssl 1.0.1.e-2
  mingw-w64-openssl 1.0.1e-4
  openssl 1.0.1.e-5
  Last edited by nikta (2013-12-06 13:15:18)

• SSL Certificate Mismatch with AnyConnect client

  Hello,
  We are having a problem with the AnyConnect client when connecting to our VPN.  We are running the following:
  AnyConnect v2.4.0202
  (2 each) ASA v8.2(1) -- active/standby failover
  AnyConnect Essentials Licensing
  NOTE:  We are not using certificates for authentication.
  Primary clients:  Windows XP and Windows 7
  Problem
  We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and the it is attached to the outside interface on the ASA.
  Steps to Reproduce
  Install the AnyConnect (AC) client via https://vpn.company.com/.  Connection occurs here without issue.
  Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
  The user must press Yes to bypass mismatch.
  PROBLEM:  On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establich VPN" (see attachment Unable.jpg).
  The issue is we have a valid certificate that should be used for the connection.  However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name.  This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
  I have not been able to find any documentation on Cisco.com relating to this issue.  In short, how do I get the AC client to use "vpn.company.com" so there is no Cert mismatch?
  Thanks,
  -Matt

  Tim,
  I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the FIddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
  The only other article/post I've come across on Cisco's site that comes close is here:
  Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
  which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
  I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
  Thanks!
  -Matt

• SSL Certificate Problem

  I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
  I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
  I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!
  Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).
  ...and we see the following in the iChat service log:
  Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients
  So, I looked in /etc/certificates and it looks good:
  chat:certificates herb$ ls -la
  total 72
  drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
  drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
  -rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
  -rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
  -rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
  -rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
  -rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
  -rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
  -rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
  -rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
  -rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
  -rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key
  I am really at a loss, any ideas?
  I notice that in the jabberd c2s.conf configuration file:
  <!-- File containing a SSL certificate and private key to use when
  setting up an encrypted channel with the router. If this is
  commented out, or the file can't be read, no attempt will be
  made to establish an encrypted channel with the router. -->
  <pemfile>/etc/certificates/Default.crtkey</pemfile>
  Now that is odd since I chose the chat.northampton.edu cert!
  Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.
  Any help appreciated!

  Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.
  1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
  2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
  3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
  4. Enter a 24 character passphrase. (Good security please!)
  5. Click Save, then second middle button to create a CSR.
  6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
  7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
  8. Submit it to them for signing; get the reply from them.
  9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
  10. Paste the response from thawte(Verisign, whatever) in there, then click save.
  You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.
  Fire up web services and see if it your new cert works for web. If it does, continue on.
  Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...
  1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
  2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
  3. Take a look in /etc/certificates.
  4. You should see a my.domain.com.key file and a my.domain.com.crt file.
  Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.
  5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
  5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb
  6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
  It will ask you for your passphrase.
  7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):
  cat my.domain.com.jb >> my.domain.com.crt.jb
  8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
  9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)
  Not done yet....
  10. Change perms / ownership of my.domain.com.jb to match your original .key file.
  EDIT /etc/jabberd/c2s.xml
  1. Amend the settings in the local section (under the ssl-port 5223 line) to:
  /etc/certificates/my.domain.com.crtkey.jb
  1a. I also commented out the cachain line in that area. You may not need to but I did.
  2. No matter how tempting, do NOT touch anything else at this time. Trust me.
  Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!
  Done editing.
  3. Restart ichat service (don't touch the settings in the Admin application)
  On the iChat client set connect using SSL, port 5223.
  All should work.
  To get OD logins to work, comment out cram-md5 authentication, like this:
  Hopefully the code comes out in the pose there. If not, it's the fix from the Apple:
  http://docs.info.apple.com/article.html?artnum=306749 (option 2)
  Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!

• Ssl certificate problem under lion (mail,safari)

  Hello,
  After a timemaschine backup recovery to my imac (mid 2010) lion os x 10.7.1 there is a strange behavior with ssl certificates in mail and safari !
  Every time mail starts new it ask me to trust my mobile.me ssl certificate, what i do of course, but at the next start it appears again, same for ssl websites in safari every time a ssl popup to accept...
  What i have done til now:
  Repair permissions
  drag the ssl certificate icon in the popup to the desktop and accept it manually
  keychain utility edit all these ssl certificate and accept manually
  mail:reenter account passwords accept ssl certificate again
  reset keychain
  this behavior appears at all account on the imac
  ssl certificate are marked in the keychain utility as trusted
  now I'm at the end of my knowledge....
  can anybody please help, please !
  Thanks
  Tobias

  Hi Simon,
  As suggested by “TP” check where the certificate is stored. The certificate must be installed in the personal certificate of the computer account and not your personal account. Also you can check by running below command in command prompt to check
  where the issue is going wrong as stated by “Alan” in this thread.
  certutil -f –urlfetch -verify <your_certificate>.cer
  In meanwhile, also go through beneath link for more information.
  1.  How to Import a Server Certificate
  2.  Exporting/Importing SSL Certificates Between Windows Servers
  Hope it helps!
  Thanks.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• DS 6: SSL certificate mapping with subject/issuer containing (")

  Hello,
  I got my personal test certificate from Verisgin, with an issuer: CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  The subject of the certificate ends with: ...OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
  My certmap.conf looks like:
  certmap VeriSign [issuerDN]
  VeriSign:FilterComps cn
  VeriSign:verifycert on
  VeriSign:CmapLdapAttr certSubjectDN
  The question is what's the valid form of these strings containing (") in certmap.conf ([issuerDN]) to match the issuer and in certSubjectDN attribute - assuming it follows DirectoryString syntax. Note that they surround strings containing comma (,).
  I see in logs:
  conn=1 op=-1 msgId=-1 - SSL 128-bit RC4; client *OU=Digital ID Class 1 - Netscape,OU=Persona Not Validated,OU=\22www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98\22,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22; issuer CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US
  I tested configuration against cert strings from logs, but they don't work. Strings containing (") also don't work.
  Did anyone face the same issue?
  Thanks for help in advance.

  The DN normalized version of O="Verisign, Inc." is O=Verisign\, Inc.
  You may want to try this. BUt I must admit that I've never tried to do certificate mapping with quotes.
  The certificate mapping functionality hasn't changed since the Netscape DS 4 code when Sun and Netscape started to work together.
  Ludovic.

• SSL certificates possible with different tools

  I had the impression that the SSL certificate can be configured with Linux eg. RHEL only by following the normal procedure of installing mod_ssl package, using genkey …etc
  But, I came to know that SSL certificate can be generated with the web server like Tomcat also. Is it correct that generation of SSL certificates is not limited to Linux only?
  I hope my query is clear that if SSL certificates can be generated not only with Linux but with other tools also.
  Please revert with the reply to my query.
  Regards

  Try using Google to get information.
  Just because you happen to be a user of these forums (and also glancing at your posting history to see what sort of issues you are curious about) doesn't mean you should ask every question here at this web forum site.
  When I place one of your sentences into Google,
  "I came to know that SSL certificate can be generated with the web server like Tomcat also"
  I get more than 800,000 search results that would easily guide toward better information than waiting for someone here to teach you about a non-Oracle topic.

• RDS SSL Certificate Problem

  Hi
  We've bought an SSL certificate for use on our RDS Session Host connector. We've imported it but when we try to select it in RDS settings we get a message saying 'There are no certificates installed on this Remote Desktop Session Host server'. If I try to
  use it in RemoteApp Manager under Digital Signature Settings I can select it without issue. We don't have Gateway installed and ideally don't want to, we just want to put a certificate on the connector.
  Is there any advice anyone can give me to get this working?
  Many thanks 
  Simon Whittington

  Hi Simon,
  As suggested by “TP” check where the certificate is stored. The certificate must be installed in the personal certificate of the computer account and not your personal account. Also you can check by running below command in command prompt to check
  where the issue is going wrong as stated by “Alan” in this thread.
  certutil -f –urlfetch -verify <your_certificate>.cer
  In meanwhile, also go through beneath link for more information.
  1.  How to Import a Server Certificate
  2.  Exporting/Importing SSL Certificates Between Windows Servers
  Hope it helps!
  Thanks.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SSL client certificate problem with exchange owa

  Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
  When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
  Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
  I cannot get through this dialog because it seems I do not have the required certificate.
  What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
  I do not understand what mobileme has to do with this exchange server at all.
  What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
  Can anybody point in the right direction please ?
  For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
  Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

  Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
  When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
  Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
  I cannot get through this dialog because it seems I do not have the required certificate.
  What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
  I do not understand what mobileme has to do with this exchange server at all.
  What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
  Can anybody point in the right direction please ?
  For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
  Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

• Certificate problem with HTTPS -sites

  Hey. Im having a problem on ALL https-starting sites. When i try to in example connect https://addons.mozilla.org/ , i get just this:
  http://i.imgur.com/2zPE8.jpg
  I have already tried to reboot computer, boot FF without addons, reinstall firefox etc, but the problem still stays. With IE everything seems to work fine, but i would still like to use firefox.

  Which security software (firewall, anti-virus) do you have?
  Some firewalls monitor secure (https) connections and send their own certificate instead of the website's certificate.<br />
  If you have ESET then see:
  *[[/questions/790114]]
  *ESET setup -> advanced setup -> extend web and email tree -> SSL
  *SSL protocol: Do not scan SSL protocol
  You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
  * Click the link at the bottom of the error page: "I Understand the Risks"
  Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
  * Click the "View..." button and inspect the certificate and check who is the issuer.
  You can see more Details like intermediate certificates that are used in the Details pane.

• Safari/Mail certificate problem with gmail/google

  Here is my problem:
  I have set-up Mail to use my gmail account through POP. Since yesterday, when I try to get or send mail, mail gives me the error:
  Unable to verify SSL server pop.gmail.com
  Mail was unable to verify the identity of this server, which has a certificate issued to "pop.gmail.com'. The error was:
  You might be connecting to a computer that is pretending to be "pop.gmail.com', and putting your confidential information at risk. Would you like to continue anyway?
  I then have the option to show the certificate,cancel or continue. If I hit Continue, nothing happens and mail set itself to offline. If I force Mail back online (Menu Mailbox/Go Online), when it goes on the next automatic check, it turns back offline. After hours of google search, I also tried the option to show the certificate, then drag the icon of the certificate to the desktop, then open the certificate with Keychain in order to add it to the keychain but this did not work for me, keychain refused to open it and if I double-click it on the desktop it opens as a clipping content. If I change the typre/creator to force Keychain to open it, then I got an error "Unable to import an item".
  I then tried to access gmail within Safari (not through POP) and I got this error when I tried to login:
  Safri cannot establish a secure connection to www.google.com
  At the same time, I had no problem to access it with Firefox. Back to google search, I tried to use Safari debug menu to set the security to "Performs Lax Certificate Checks" and then I could access my gmail with Safari. However the problem persists in Mail.
  I believe this is a system-wide certificate issue (Firefox not affected because of a diffrent handling of certificates?not much knowledge about certificates). I tried all the standard troubleshooting:
  re-boot, logoff, repair permissions, reapply latest security updates, reapply latest OS update, reset Safari, clean-up caches, discarded all mail preferences,clear-up keychain of any google/gmail.
  Finally I also found in my searches to try ro download a certicate from Thawte (ThawtePremiumServerCA.cer) and add it to my keychain but this does not solve the problem.
  Help will be greatly appreciated
  System info: iMac G5 1.6, 1Gb RAM, OS X 10.3.9 (everything up to date according to Software update), internet connection through Airport extreme base station.

  Are you saying that this is a well-recognised issue?
  Can we assume that the reason for not fixing it is that Nokia want people to use Nokia Messaging instead? It came free with my phone and I did try it. It connected & synchronised well but contacts in headers kept appearing in quotes ("") and when I checked my email from my main IMAP client my sent items included incomplete versions of my emails as well as the finished email - as if it was sending drafts.
  I guess I'm sticking with MfE for calendar and IMAP for email...

• SSL certificate issue with WLS 10.3

  Hi All,
  I am facing this issue with my WLS cluster.
  <21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIF
  ICATE alert was received from system.core.com - 10.15.135.30.
  Check the peer to determine why it rejected the certificate chain (trusted CA co
  nfiguration, hostname verification). SSL debug tracing may be required to determ
  ine the exact reason the certificate was rejected.>
  <21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.ne
  t.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from
  system.core.com - 10.15.135.30. Check the peer to determine wh
  y it rejected the certificate chain (trusted CA configuration, hostname verifica
  tion). SSL debug tracing may be required to determine the exact reason the certi
  ficate was rejected.>
  Please suggest. I have also tried the below settings.
  Node Manager:
  -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
  Admin Server:
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Many thanks in advance.

  Hi Sandip,
  I am facing this issue right after when I have configured the listen address to my system IP in Machine(NodeManager), earlier it was "localhost".
  Also I have tried to generate the certificates e.g.
  C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhr
  ase -certfile mycertificate -keyfile .keystore
  Generating a certificate with common name system.core.com and key strength 1024
  issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server
  \lib\CertGenCAKey.der file
  C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePa
  ssPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
  No password was specified for the key entry
  Key file password will be used
  Imported private key .keystore.pem and certificate mycertificate.pem
  into a new keystore DemoIdentity.jks of type jks under alias demoidentity
  Tried the above but not wokring. Please advise.
  Edited by: R Vashi on 21-Apr-2010 03:38