SSL certificate VPN: revoking user cert still lets user log in

Hey guys,
I have this ASA with SSL VPN for remote clients. We configured the ASA to work with a Windows MS CA.
Everything seems to be working: users can't log in until they obtain their own certificate. Configuration on our end is set to authenticate using AAA and CERT.
However, after I go to the MS CA and revoke the user's certificate, I am still able to establish the SSL VPN connection.
We have a CRL configured for the trust point, but that seems to be for checking the actual trust point rather than the users' certs.
I looked over the documentation but fail to see what I am missing.
Any help will be greatly appreciated! Could it be that this CAN'T be done and the user needs to be deactivated rather than the cert being revoked? It just makes me think that this two-factor auth is a little off: if the user cert is no longer valid but the trust point is still OK, it lets a person in.
Thanks again!!

Tim,
I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again. I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the Fiddler dump. It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
The only other article/post I've come across on Cisco's site that comes close is here:
Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
Thanks!
-Matt

Similar Messages

  • Only firefox is reporting my SSL certificate as revoked. How can I fix this issue?

    I have recently re-keyed and re-installed an SSL certificate on my server (https://beta.alicorsolutions.com:2087) running WHM on linux.
    The SSL certificate is passing all the 3rd party SSL tests (https://www.ssllabs.com/ssltest/analyze.html?d=beta.alicorsolutions.com) and works perfectly fine in Chrome and IE. However, in Firefox I get an error page that says: "Peer's Certificate has been revoked. Error code: sec_error_revoked_certificate".
    After doing some searching, I can see that the problem is specific to firefox and the only way everyone else seems to be fixing the problem is by turning off OCSP under Preferences > Advanced > Validation.
    This of course is not an acceptable long-term solution. I need to fix this issue as quickly as possible; any help at all would be appreciated. Please let me know if there's any other information I can provide that would assist you in solving this issue.

    Hello jcsarda, it's only working in Chrome because its security settings are more relaxed by default (when you set Chrome to check for certificate revocation in Settings > Advanced > HTTPS/SSL it shows the same error for me). I don't know about IE...

  • SSL certificate unconfigured, but web server still defaults to https

    Hi all,
    I set up my web page as indicated in the Lion Server: Advanced Administration manual (Server/Web/Data/Sites/Default). I originally had a self-certified SSL certificate set up for all services, and the web server defaulted to port 443 with the following page:
    Index of /
    Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8r DAV/2 PHP/5.3.6 with Suhosin-Patch Server at *****.com Port 443
    I removed the SSL certificate, but it keeps going to the same page. I have default.html and index.html files in the directory, and I figure at least one of those should. Any suggestions?

    Camelot,
    Thanks for the reply. I'm not offended by your suggestion that it's something simple that I've overlooked, rather I'm hoping that it is.
    I have selected the certificate on the appropriate site on the web panel. When you visit the site link in my original message, you'll see that the correct certificate is being served, but it appears as expired to the browser, even though it shows as valid in Server Admin.
    I also found it in the Keychain utility, and it also shows as a valid certificate there. I did find an entry in the Keychain utility for an earlier attempt at installing an expired certificate, so I deleted that entry.

  • How Server can read client side SSL certificates through java code?

    My code will be running on the server; it will be a Java class that should read any SSL certificates for the user that is logging in to the application.
    Kindly let me know how it can be achieved? I have very little knowledge of security. How can I read the SSL certificates of the client machine?
    Also let me know the possible solutions for the above question.

    For my MUD written in Java, I used TCP/IP for the connections. When a client connects, he gets his own thread. Those threads are held in a vector in a manager class. Each tick of the server does a quick run through the vector, and if the current thread/socket it's on is null or !isAlive() it's removed from the vector (which in turn removes it from getting any more game updates). This removal can be caused by two things: the client disconnects by accident (kills his game, locks up, has an internet connection hiccup, etc.) or he uses the game's "quit" method. The quit method calls a method that does any saving of player data, etc., then closes the socket and sets it to null; thus the manager sees this and removes him from the vector list on the next server tick. Seems to work great for a MUD and worked really well in a multiplayer applet game I had up for a while.

  • How to get the Users Name from the SSL certificate?

    Trying to achieve the following:
    Connecting to the Oracle HTTP Server by means of SSL that requires a valid user certificate. Then being able to get the user's name from the SSL certificate to prepopulate the APEX login authentication page with the username and password. Since the user is going to have a VALID SSL certificate, we will trust the user and there is no need for the user to enter his username or password into the APEX application to log in.
    Does SSO do this or something else?

    Maybe not very nice code, but it works (at least on win2k) and I think it should be safe:

    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileWriter;
    import java.io.IOException;
    import java.io.InputStreamReader;

    // Runs a throw-away Windows Script Host script that prints the login name of
    // the OS account running this JVM (a local OS value, not a field of any certificate).
    public String getUserName() throws IOException {
        File scriptFile = File.createTempFile("script", ".js");
        try (FileWriter fw = new FileWriter(scriptFile)) {
            fw.write("WScript.Echo(WScript.CreateObject('WScript.Network').UserName)");
        }
        // Pass arguments as an array so a space in the temp path cannot break the quoting
        Process proc = Runtime.getRuntime().exec(
                new String[] {"CSCRIPT.EXE", scriptFile.getAbsolutePath(), "//Nologo"});
        try (BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
            return br.readLine();
        } finally {
            if (!scriptFile.delete()) scriptFile.deleteOnExit();
        }
    }
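The revocation problem in the first post on this page and the "which user does this certificate belong to" question above come down to the same thing: what the relying party does with a client certificate after (and only after) the chain and revocation checks pass. The following is an added example, not code from either thread: a throw-away CA built with the openssl CLI issues a user certificate, the CN is read out as the login name only when the status is "valid", the certificate is revoked, and a fresh CRL is published. It makes two practitioner points concrete: a revocation is invisible until the CA publishes a new CRL and the relying party fetches it (a cached CRL is honoured until its nextUpdate time), and a certificate that has not been verified must never be turned into an identity. On an ASA the revocation check for user certificates is switched on with `revocation-check crl` under the trustpoint that issued them (the default is `revocation-check none`), and a cached CRL can be discarded with `clear crypto ca crls`; that is stated from the ASA CLI, not from the posts. "Example Corp", "jdoe" and the temporary directory are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: a throw-away CA built with the
# openssl CLI issues a user certificate, the relying party maps it to a login
# name only after chain + CRL validation, then the cert is revoked and a new
# CRL is published. "Example Corp", "jdoe" and the temp directory are constructed.
set -eu

CA_DIR="$(mktemp -d)"
export CA_DIR                        # read as $ENV::CA_DIR inside ca.cnf

setup_ca() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"            # the certificate database openssl ca keeps
  echo 1000 > "$CA_DIR/serial"
  echo 01   > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
unique_subject   = no
[ policy_any ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -config "$CA_DIR/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -subj "/O=Example Corp/CN=Example Issuing CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  publish_crl
}

publish_crl() {      # relying parties keep the previous CRL until its nextUpdate
  openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

issue_user_cert() {  # $1 = login name, stored in the CN
  openssl req -new -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=$1" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -extensions usr_cert \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

revoke_user_cert() { # $1 = cert file; without publish_crl nobody would ever notice
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$1" -crl_reason keyCompromise 2>/dev/null
  publish_crl
}

cert_identity() {    # $1 = cert file; prints the CN, i.e. the login name
  openssl x509 -in "$1" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p'
}

cert_status() {      # $1 = cert file; prints valid | revoked | untrusted
  local out
  if out=$(openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/ca.crl" "$1" 2>&1); then
    echo valid
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo untrusted
  fi
}

# Only a certificate whose status is "valid" may be turned into a username.
setup_ca
issue_user_cert jdoe
echo "before revocation: $(cert_status "$CA_DIR/jdoe.crt") user=$(cert_identity "$CA_DIR/jdoe.crt")"
revoke_user_cert "$CA_DIR/jdoe.crt"
echo "after revocation:  $(cert_status "$CA_DIR/jdoe.crt")"
openssl crl -in "$CA_DIR/ca.crl" -noout -lastupdate -nextupdate   # the caching window
```

The `-crl_check` flag is what turns the CRL from decoration into enforcement; without it `openssl verify` reports the revoked certificate as OK, which is exactly the behaviour the first post describes. The final line prints the window during which a cached copy of the CRL still counts as current.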

  • VPN Concentractor SSL Certificate Expired - Urgent Help

    We have a VPN Concentrator 3030. When I log on via the web it says that the SSL certificate has expired and I cannot log in to generate a new certificate.
    I even tried logging in via the console but it won't allow the connection.
    What can I do?

    The CONSOLE has nothing to do with the certificate. No matter what you should see the console prompt. If you cannot, make sure you are using a STRAIGHT THROUGH DB9 cable.
    NOTE: This cable is different from the one used by PIX 520 and IDS boxes.
    Regards
    Farrukh

  • VPN: Configuration loses SSL certificate

    Hi there,
    *The challenge.*
    I'd like to connect to our VPN network with my MacBook Pro.
    In my network configuration I choose my SSL certificate.
    *The problem*
    Each time I try to connect, I get stuck at the "identification" step (normally I should get the "trust certificate" dialog).
    Having another look into my network configuration, the SSL certificate isn't selected anymore.
    *Please help!*
    The SSL certificate passes several tests on my Windows machine.
    Please help.

    Not enough information, such as what VPN software you are using. For VPN issues, it almost always ends up that resolving the issue involves consulting with whomever manages the VPN.

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get "Untrusted VPN Server Certificate!", which isn't true because the connection information is https://vpn.mydomain.com and the SSL cert is set up as vpn.mydomain.com.
    On that note, it lists the IP address instead of vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record set up to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Wildcard SSL Certificates with MFE?

    Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
    We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
    Before doing anything I figured I'd try a website that used a wildcard certificate.
    When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
    My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
    If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
    Thanks.

    This is an interesting question. I look forward to testing this myself.
    What kind of cert & website did you use in your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com? AFAIK a wildcard doesn't match addresses consisting of the domain part only, so the latter one might not work.
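The AnyConnect post above (the client reports the IP address as the untrusted name) and the wildcard question here both come down to the same rule: a TLS client compares the name it connected to against the certificate's subjectAltName entries, a DNS name only against DNS entries, an IP literal only against IP entries, and a wildcard only against a single label. The following is an added example, not from either thread: three self-signed test certificates are built with the openssl CLI and run through OpenSSL's own name matcher (`x509 -checkhost` / `-checkip`) to show which typed-in names each one satisfies. vpn.example.com, 203.0.113.10 and the example.com names are constructed, and openssl 1.1.1 or newer is assumed for `-addext`.

```bash
#!/usr/bin/env bash
# Added example, not from either thread: three self-signed test certificates
# run through OpenSSL's own name matcher (x509 -checkhost / -checkip) to show
# which typed-in names each one satisfies. vpn.example.com, 203.0.113.10 and
# the example.com names are constructed; openssl 1.1.1+ is assumed for -addext.
set -eu

WORK="$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

make_cert() {     # $1 = file basename, $2 = subjectAltName value
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

name_matches() {  # $1 = cert file, $2 = name the client connected to; true = accepted
  case "$2" in    # an IPv4 literal is only compared with IP SAN entries, never with DNS ones
    *[!0-9.]*) openssl x509 -in "$1" -noout -checkhost "$2" ;;
    *)         openssl x509 -in "$1" -noout -checkip   "$2" ;;
  esac | grep -q 'does match'
}

make_cert fqdn_only   "DNS:vpn.example.com"                   # what the ASA post has
make_cert fqdn_and_ip "DNS:vpn.example.com,IP:203.0.113.10"   # also valid when reached by address
make_cert wildcard    "DNS:*.example.com"                     # the Mail for Exchange question

for pair in fqdn_only:vpn.example.com fqdn_only:203.0.113.10 fqdn_and_ip:203.0.113.10 \
            wildcard:mail.example.com wildcard:example.com wildcard:a.b.example.com; do
  cert=${pair%%:*}; name=${pair#*:}
  if name_matches "$WORK/$cert.crt" "$name"; then
    echo "$cert accepts $name"
  else
    echo "$cert rejects $name"
  fi
done
```

A client that has been told to connect to the address rather than the FQDN will always fail against the first certificate; the fix is either to make the client use the name (the host entry in the AnyConnect profile) or to put the address into the certificate as an IP SAN, as the second certificate does. The wildcard certificate shows why the bare domain and a two-level subdomain are rejected.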

  • SSL Certificate common name (host name field) is incorrect

    When users open Microsoft Office Project and connect to their PWA site, they get the message "SSL Certificate common name (host name field) is incorrect".
    Which area should I start looking at? The client computer or the server itself? The cert expiration date is still a long way off.
    teikboon

    What is the URL the user is accessing, hostname/pwa or mycompany.com/pwa?
    Is the certificate issued using the hostname or something else?
    Hrishi Deshpande – Senior Consultant DeltaBahn

  • Expert advice needed: Why could I not connect to my own server after deletion of SSL certificate?

    Issue: Could not connect to my own server after deletion of SSL certificate despite having SSL disabled
    Hello,
    I admit I am a lay user with rudimentary SSL knowledge and I therefore messed up my certificates and could no longer access my own server (Wikis, WebDAV, Device Manager) with Safari. (Error: Safari can't connect to server.)
    Eventually, I could resolve the problem but I do not understand why there was problem in the first place.
    Maybe someone can explain that to me ?
    OK, here is what I did:
    I created a Certificate Authority because I wanted to use a free SSL Server certificate for our private server.
    (I followed http://www.techrepublic.com/blog/mac/create-your-own-ssl-ca-with-the-os-x-keychain/388 )
    Despite several attempts I never got the server to accept the certificate for web services; the certificate was accepted for iCal, Mail and iChat but not for Web services. I tested an older certificate that was created when I set up the server and that worked for all services incl. Web. So the problem was with my certificate only.
    Out of desperation and lack of concentration I deleted the "original" certificate.
    Now, I soon noticed that I could no longer log in to my server. I solved the problem by restoring the original certificate.
    My question:
    I had SSL disabled in the Server app settings. Why does Safari still look for a proper certificate? (The server logfile had an entry that a .pem file could not be found, which makes sense if the cert has been deleted.)
    I would be very grateful for an expert advice.
    Regards,
    Twistan

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP

  • SSL Certificate Problem

    I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
    I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
    I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!
    Well, I selected the cert in the iChat service and clients cannot log in. They can log in with the Default cert (but get the warning message).
    ...and we see the following in the iChat service log:
    Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients
    So, I looked in /etc/certificates and it looks good:
    chat:certificates herb$ ls -la
    total 72
    drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
    drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
    -rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
    -rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
    -rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
    -rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
    -rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
    -rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
    -rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
    -rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
    -rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
    -rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key
    I am really at a loss, any ideas?
    I notice that in the jabberd c2s.conf configuration file:
    <!-- File containing a SSL certificate and private key to use when
    setting up an encrypted channel with the router. If this is
    commented out, or the file can't be read, no attempt will be
    made to establish an encrypted channel with the router. -->
    <pemfile>/etc/certificates/Default.crtkey</pemfile>
    Now that is odd since I chose the chat.northampton.edu cert!
    Later in the file we do see references to the chat.northampton.edu cert, so I left that entry alone. Later I read that the first entry is okay the way it is.
    Any help appreciated!

    Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory), so this solution kills two birds with one stone.
    1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
    2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
    3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
    4. Enter a 24 character passphrase. (Good security please!)
    5. Click Save, then second middle button to create a CSR.
    6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
    7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
    8. Submit it to them for signing; get the reply from them.
    9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
    10. Paste the response from thawte(Verisign, whatever) in there, then click save.
    You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.
    Fire up web services and see if it your new cert works for web. If it does, continue on.
    Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...
    1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
    2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
    3. Take a look in /etc/certificates.
    4. You should see a my.domain.com.key file and a my.domain.com.crt file.
    Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.
    5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
    5a. Make a copy of my.domain.com.crt (let's call it my.domain.com.crt.jb).
    6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
    It will ask you for your passphrase.
    7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):
    cat my.domain.com.jb >> my.domain.com.crt.jb
    8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
    9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)
    Not done yet....
    10. Change perms / ownership of my.domain.com.jb to match your original .key file.
    EDIT /etc/jabberd/c2s.xml
    1. Amend the settings in the local section (under the ssl-port 5223 line) to:
    /etc/certificates/my.domain.com.crtkey.jb
    1a. I also commented out the cachain line in that area. You may not need to but I did.
    2. No matter how tempting, do NOT touch anything else at this time. Trust me.
    Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!
    Done editing.
    3. Restart ichat service (don't touch the settings in the Admin application)
    On the iChat client set connect using SSL, port 5223.
    All should work.
    To get OD logins to work, comment out cram-md5 authentication, like this:
    Hopefully the code comes out in the post there. If not, it's the fix from Apple:
    http://docs.info.apple.com/article.html?artnum=306749 (option 2)
    Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!
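The decrypt-and-concatenate steps above (steps 5 to 10 and the pemfile edit), as an added example that is not the poster's own commands: a passphrase-protected key and its certificate are generated as stand-ins for the Server Admin pair, the key is decrypted with `openssl rsa`, certificate and key are written into one PEM file with restrictive permissions, and the result is checked to make sure the key really belongs to the certificate before jabberd is pointed at it. chat.example.com and the passphrase are constructed; the `chown root:jabber` step is left as a comment because it needs the real server's group.

```bash
#!/usr/bin/env bash
# Added example, not the poster's commands: turn a passphrase-protected key and
# its certificate into the single cert+key PEM file jabberd's <pemfile> loads,
# and check the result. "chat.example.com" and the passphrase are constructed.
set -eu

WORK="$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Stand-in for the Server Admin pair: the key is encrypted with the
# passphrase entered when the CSR was created (step 4 of the post).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -days 30 \
  -passout pass:correct-horse -subj "/CN=chat.example.com" \
  -keyout "$WORK/chat.example.com.key" -out "$WORK/chat.example.com.crt" 2>/dev/null

key_is_encrypted() {   # $1 = PEM file; true when the key still needs a passphrase
  grep -q ENCRYPTED "$1"
}

build_pemfile() {      # $1 key, $2 cert, $3 passphrase, $4 output file
  ( umask 077          # the decrypted key must never be created world-readable, even briefly
    { openssl x509 -in "$2"                                 # certificate block first
      openssl rsa  -in "$1" -passin "pass:$3" 2>/dev/null   # decrypted private key after it
    } > "$4" )
  chmod 640 "$4"       # on the real server follow with: chown root:jabber "$4"
}

key_matches_cert() {   # $1 = combined PEM; the cert's public key must equal the key's
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout 2>/dev/null)" ]
}

PEMFILE="$WORK/chat.example.com.crtkey"
build_pemfile "$WORK/chat.example.com.key" "$WORK/chat.example.com.crt" correct-horse "$PEMFILE"
if key_matches_cert "$PEMFILE" && ! key_is_encrypted "$PEMFILE"; then
  echo "ok: point <pemfile> at $PEMFILE"
else
  echo "refusing to install $PEMFILE: key/cert mismatch or key still encrypted" >&2
  exit 1
fi
```

The key-match check is the one the post's procedure lacks: jabberd's "failed to load local SSL pemfile" covers both a still-encrypted key and a key that belongs to a different certificate, and the two look identical in the log.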

  • SSL/Certificate creation/distribution questions

    I'm extremely new to SSL and using certificates and have been having some trouble figuring out exactly how to create and implement them.
    Environment background:
    Currently, my entire network is closed off from the outside world. It's a mac-only network, basically sandboxed from a PC-only network via a router (to provide access to the internet, that's provided from the PC network). No port forwarding is set up and I don't have any external IP addresses pointing to my router, so currently there's no way for an outside source to see my network. With not really any need for secure traffic, SSL and certificates aren't really needed (basically, it's a video dept at a university with ~150 users). However, once I get external access (the main IT dept's been "working" on this with our ISP for, um, about a year <coughcough>), I'm wanting to do some stuff with VPN as well as wikis and chat (chat could theoretically be useful internally now). Even though we don't really have much worth hacking, once I get a window to the outside world, I'd like to button up my server/network as much as possible.
    Since all my services will be set up and provided by me, I'm comfortable using certificates I create instead of purchasing any--if I knew how to do this, which brings me to my questions. I've tried creating a certificate within Server Admin, but it says it's not trusted (and clients don't seem to see it, anyway). I've also tried the instructions here: www.eclectica.ca/howto/ssl-cert-howto.php, but got an error when actually running the openssl command (OpenSSL is installed and appears to be functional). How do I get a trusted certificate(s) and then, how do I distribute them to the clients so they see and use them? Exactly what path are these created to, or should be placed, etc?
    I'd initially like to use SSL for increasing the security of my logins (all network users), but as mentioned, I'd also like to secure other services (is a cert needed/usable for VPN?). In that regard, do I only need one certificate, or would I need certificates for each separate service?
    Sorry for the long post, but thanks for any help.

    Hi There,
    If you create a "self signed" certificate you will get warning messages in your browser but can configure your browser to accept these warnings. This is ok if it is just a local access machine and you are the only one accessing it.
    If outside people are going to be accessing it, you will want to use a 3rd party SSL certificate from a trusted authority such as Verisign, GeoTrust etc.
    Here is a good article on how to create the CSR on 10.6
    http://support.apple.com/kb/HT3976
    Hope this Helps,
    Eric Holtzman
    Hosting 4 Less

  • SSL Certificate question (minor issue)

    I have a Windows 2012 server set up with RDS. I have about 10 virtual machines already set up - my whole VDI infrastructure. Everything is working fine - accessing the VMs internally and externally; however, I have issues with the certificate.
    I am using a self-signed certificate (until I can get my client to pay for a real SSL cert).
    I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address); the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012), and the user will see the RDWeb page and can log in from there. The cert is pointed to remote.mycompany.com too. However, my server is called vdi-remote2.mycompany.com. Naturally, when using IE to access the RDWeb page, their address bar in IE will be red with the cert error/warning.
    First they are greeted with "There is a problem with this website's security certificate" and will click on continue to this website. Upon inspection of the certificate, it will say "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." Ok, I can install it (and have), but I still get the red address bar in my IE.
    Needless to say, I'd like to clean this all up. The users are non-technical people and when they see this stuff, they freak out. We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and secure: green or no address bar when using https in the address bar.
    How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb? I don't recall the possibility to have two certs for one website (the RDWeb). So, I'm a bit confused on all this cert stuff. I could keep everything as is and just train the users, but I'd rather not.
    Thank you in advance for your reply.

    Hi Steve,
    Thanks for your comment.
    Yeah, your understanding is correct, as you have commented that "Things are working, but ONLY after I install the cert in the trusted root certification authorities store."
    A trusted certificate is required for the RDS server.
    I would like to suggest that, first of all, the certificate must be placed in the (Local Computer)/Personal store, and the certificate must be signed by a trusted authority. Please check the link below, which states that "If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server."
    RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
    You may export your certificate (and its private key) to a .pfx file using the Certificates MMC snap-in. That way you can use the .pfx file for the RDS Role Services.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    For your comment "One user was having issues. Once I installed the cert on her computer, she has no more issues logging in and launching a remote session.", I can say that if the issue is mostly due to the certificate only, then if you purchase a trusted authority certificate, as per my knowledge all your problems regarding login and certificates will be solved.
    More information:
    1. Configuring RDS 2012 Certificates and SSO
    2. RD Web Access Web site to use a trusted certificate
    (This thread might be helpful to understand the issue)
    Hope it helps!
    Thanks,
    Dharmesh

  • Godaddy SSL certificate installation problems - intermediate certificate not being recognized

    domain = mail.gottfried.org
    Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
    Response from:
    http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
    The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
    When I check in 0000_any_443_.conf
    I see:
    SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem"
    SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.key.pem"
    SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem"
    I am assuming that the intermediate certificate should be:
    mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
    When I look at that certificate it is the same as
    mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
    When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
    It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
    Anyone have any suggestions?
    I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction-wise (though the support person really tried to help). The Apple rep couldn't really help, and if I really want help from them I need to talk to integration, where costs start at $700....
    Anyone have an SSL provider that worked properly with 10.8 or has really good support for Mountain Lion Server?
    Please let me know.
    Thanks!

    While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
    If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
    Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
    FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
    Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)
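    The symptom in the GoDaddy post above (chain.pem turns out to be a copy of cert.pem, so the intermediate is never sent) is easy to miss by eye. The following is an added example, not code from the thread or from Apple/GoDaddy: it fingerprints every certificate in the two PEM files and reports whether the chain file actually carries something other than the leaf. It works on the PEM text alone, so it needs no X.509 library; the PEM blobs embedded below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the base64 body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of each certificate in a PEM bundle, in order."""
    fingerprints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def check_chain(cert_pem, chain_pem):
    """Classify SSLCertificateChainFile relative to SSLCertificateFile.

    'empty'          no certificate in the chain file at all
    'leaf-only'      chain file is just the server cert again (the symptom above)
    'leaf-and-extra' intermediates present but the leaf is duplicated in there
    'intermediates'  only non-leaf certs, which is the expected layout
    """
    leaf = pem_fingerprints(cert_pem)
    if not leaf:
        raise ValueError("cert file holds no certificate")
    chain = pem_fingerprints(chain_pem)
    if not chain:
        return "empty"
    if all(fp == leaf[0] for fp in chain):
        return "leaf-only"
    if leaf[0] in chain:
        return "leaf-and-extra"
    return "intermediates"


def fake_pem(seed):
    """Constructed, syntactically valid PEM block (not a real certificate)."""
    der = hashlib.sha256(seed.encode()).digest() * 4
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


LEAF_PEM = fake_pem("constructed leaf")            # stands in for cert.pem
INTERMEDIATE_PEM = fake_pem("constructed intermediate")
BROKEN_CHAIN_PEM = LEAF_PEM                       # chain.pem == cert.pem
GOOD_CHAIN_PEM = INTERMEDIATE_PEM                 # chain.pem holds the intermediate
```

    On a real server the same fingerprints come from `openssl x509 -noout -fingerprint -sha256 -in FILE`, so the check can be repeated by hand on the three files named in the 0000_any_443_.conf above.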
