SSL Certificates issues on ACE module

Hi,
SSL certificates and keys are not being transferred from active to standby automatically. Could anyone tell me why this is happening and what needs to be done?
Thanks
Neha

Hi Neha,
Yes. Unless you are running the 2.2 version of ACE software (which is intended for really large configurations), there is no bulk certificate/key import process.
Whatever you did to import the certificates/keys on your active configs you'll need to do on the standby configs.
Note that with files missing, replication will have stopped.
Cathy

Similar Messages

  • NAC SSL certificate Issue

    I recently applied a signed certificate to both the CAM and CAS. Ever since then I have been having problems with the system. In the perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is: what is the best way to roll back the signed certificates to the self-signed ones? Any other suggestions would be greatly appreciated.
    Thanks in advance.

    Hi Giles,
    Thanks for the update. The problem I am facing is: I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2), each associated with an SSL certificate. Now the problem I am facing is that when we access the farm2 server farm we are issued the certificate of farm1, whereas I need to be getting the certificate for farm2.
    Thanks in advance.
    Regards
    Sum

  • When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows give an error of "improperly formatted DER-encoded message"

    When accessing Intranet sites that have SSL certificates issued by our internal PKI, FF for Windows gives an error message: An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
    Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

    Hi Guigs2,
    From the other post you link to, I can confirm that both the Root and Subordinate CA have been commissioned with the:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
    registry key set. As can be seen above, the signature algorithm on an issued certificate is RSASSA-PSS. This has been Microsoft's suggested deployment IF you do not wish to support XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008; however, there were of course a lot more XP machines back then.
    The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added to Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla::pkix?

  • CF7 and JDK 1.4.2 - EV SSL Certificate Issue

    Let me start off by telling the group that we do not use CF for any of our applications. We are a payments company that hosts a .NET API in IIS that hundreds of thousands of customers use. We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API. About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy. I have spent hours working with him, going through FAQs and walkthroughs, knowledge bases and forums and have had no luck. Here are the details:
    EV Certificate issued by DigiCert (4096-bit).
    Customer is on CF7 and JDK 1.4.2.
    When he attempts to process against our API with the new certificate he gets a 'Connection Failure: Status code unavailable' message from his CF application. He is using cfhttp to post his requests. We found a workaround that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates. Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 it returns an invalid certificate error and still will not work.
    Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
    Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
    I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
    - Dave

    Dave,
    I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
    I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
    so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
    to either CF 8 or CF 9 to get the issue quickly resolved.
    I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
    if I do find a solution, I'll definitely post it there for you.
    Cheers

  • Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

    We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
    On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

    Did you verify that all intermediate certificates are installed on the server?
    You can inspect the certificate chain via a site like this:
    • http://www.networking4all.com/en/support/tools/site+check/
    • https://www.ssllabs.com/ssltest/

  • Unable to import PKCS12 certificate file to ACE module

    Hi,
    I'm currently in the process of replacing my CSS appliances with the ACE module. So far everything's been smooth, but when I'm trying to import a certificate file to the respective context using the "crypto import" command, ACE can't recognize the file type; it's just marked as UNKNOWN. On the CSS I had to specify PKCS12 as the file format, but this is apparently not an option on the ACE. Does anyone know the equivalent command on how to import a PKCS12 file to the ACE?
    Thanks
    /Ulrich
    PS! I haven't created a cert chaingroup, as I was told this would not be necessary.

    Hi Ulrich,
    Short answer is you cannot import PKCS12 format. You'll need to extract the component parts into PEM format outside of the ACE and then use crypto import.
    You will also need a chaingroup unless this is a self-signed certificate. Again any intermediate and root certificates will need to be in PEM format.
    HTH
    Cathy

  • Snow Leopard Server - SSL Certificate Issue

    Hi. I am hoping someone can shed some light on an issue I am currently experiencing with SSL certificates on the Snow Leopard Server which hosts our websites. This past weekend an SSL certificate pertaining to our primary domain expired, which caused users to receive error messages prior to accessing the website ... the error message stated "the site's security certificate has expired!"
    I have since renewed the certificate via networksolutions.com and applied it on the Mac server. The certificate was applied successfully and I have added the certificate to the sites along with restarting Apache to take in the settings. However, the certificate is not propagating out at all. I have also restarted the Mac server as well in case there was something in the cache causing issues but unfortunately, the issue still exists.
    I have also removed the certificate entirely and reapplied it from scratch to make sure the original certificate wasn't causing any issues.
    Has anyone else encountered a similar issue, or would anyone have any insight on how to possibly resolve the issue?
    Thank you!

    Just a quick update. the DNS seems fine but I am getting errors in the logs as follows.
    May 12 09:37:34 server jabberd/sm[2084]: version: jabberd sm 2.1.24.1-326.5
    May 12 09:37:34 server org.jabber.jabberd[2082]: ERROR: router died. Shutting down server.
    May 12 09:37:34 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
    May 12 09:37:34 server jabberd/sm[2084]: attempting connection to router at 127.0.0.1, port=5347
    May 12 09:37:34 server jabberd/sm[2084]: shutting down
    May 12 09:38:45 server jabberd/sm[2167]: version: jabberd sm 2.1.24.1-326.5
    May 12 09:38:45 server jabberd/sm[2167]: attempting connection to router at 127.0.0.1, port=5347
    May 12 09:38:45 server jabberd/sm[2167]: shutting down
    May 12 09:38:45 server org.jabber.jabberd[2165]: ERROR: router died. Shutting down server.
    May 12 09:38:45 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
    I checked the crash report which has the following kernel issue.
    Exception Type: EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x000000010011adb0
    Crashed Thread: 0 Dispatch queue: com.apple.main-thread
    Any ideas?

  • SSL certificate issue with WLS 10.3

    Hi All,
    I am facing this issue with my WLS cluster.
    <21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from system.core.com - 10.15.135.30. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    <21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from system.core.com - 10.15.135.30. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    Please suggest. I have also tried the below settings.
    Node Manager:
    -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
    Admin Server:
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Many thanks in advance.

    Hi Sandip,
    I am facing this issue right after when I have configured the listen address to my system IP in Machine(NodeManager), earlier it was "localhost".
    Also I have tried to generate the certificates e.g.
    C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhrase -certfile mycertificate -keyfile .keystore
    Generating a certificate with common name system.core.com and key strength 1024
    issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server\lib\CertGenCAKey.der file
    C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
    No password was specified for the key entry
    Key file password will be used
    Imported private key .keystore.pem and certificate mycertificate.pem into a new keystore DemoIdentity.jks of type jks under alias demoidentity
    Tried the above but not working. Please advise.
    Edited by: R Vashi on 21-Apr-2010 03:38

  • SSL certificates issues

    I am using Safari Browser to login to SSL protected web sites. I have 3 certificates from different certificate authorities.
    1.) Certificate A for Website A.
    2.) Certificate B for Website B.
    3.) Certificate C for Website C.
    Installed in this particular order.
    I have changed the trust setting for each certificate and set it to "Ask Permission".
    Now, when I try to log in on website A, a dialog box pops up and upon selection of certificate A everything works fine.
    When I try to log in on website B, the same dialog box reappears every time I select certificate B, showing the error
    "The website 'website A' did not accept the certificate 'Certificate B'".
    The same thing happens when I try to log in on Website C.
    It means no matter what I do, Safari always selects certificate A.
    Did anyone else encounter this problem before?
    I also want to know how I can change the System settings for SSL,
    e.g. whom to trust, clearing the SSL state of Safari, etc.


  • Exchange 2010: How to renew an SSL certificate?

    Hi all. I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd-party CA for Exchange 2010. I really don't want to mess this one up by cobbling together partial answers from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out.
    This is a standard GoDaddy 5-domain UCC certificate. There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet). The existing certificate expires in a month or so.
    I have some specific questions but perhaps these would be answered via what I hope will be a step-by-step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions; it's just that so far no single forum post nor MS TechNet article has addressed all my concerns, or in some cases information conflicts. So my concerns for example are: can you do a renewal for a certificate before the old one expires? Is it actually a renewal, or are you adding a 2nd certificate?
    Do you have to do anything in IIS or does EMC or EMS do all that for you?
    Thank you. 

    -->Can you do a renewal for a certificate before the old one expires?
    Yes. Normally a 3rd-party CA allows you to renew a certificate before the current one expires.
    -->Is it actually a renewal, or are you adding a 2nd certificate?
    You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed steps of the GoDaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
    -->Do you have to do anything in IIS or does EMC or EMS do all that for you?
    You will have to do it from MMC or EMS. No need to do anything from IIS.
    Follow the steps below to make your work easy, or follow the video on this site: http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
    1. Run this command from EMS to generate the CSR. You can see the CSR named "newcsr.txt" in the C:\CSR folder.
    Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellevue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
    2. Renew the certificate from GoDaddy (from the GoDaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from GoDaddy after renewal.
    3. Open the Exchange MMC. Go to Server Configuration. Right-click on the pending request. Click on Complete Pending Request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
    4. Assign services using the steps on the site below. Make sure you have selected the new certificate. You will see the thumbprint just before completion: http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
    5. Delete the old certificate from MMC.
    From EMS use this command:
    Remove-ExchangeCertificate -Thumbprint <old cert thumbprint>
    You can see the certificate thumbprints using the Get-ExchangeCertificate command.
    MAS. Please don't forget to mark as answer if it helped.

  • I do not see SSL certificate warnings now a days, even when visiting sites that do not provide valid identity.

    When visiting a website that has some kind of SSL certificate issue, like missing , untrusted or invalid certificate etc, the browser is supposed to show a warning message, which should warn us of potential hazards of visiting the website. I realised that my browsers have not shown such warning message for a really long time. Can anyone give me any idea why this is happening?
    Thanks,
    Satya

    Do you get an error on this page: https://www.sothai.com/
    Under Technical Details you should get:
    www.sothai.com uses an invalid security certificate.
    The certificate is only valid for the following names:
    www.jeffersonscher.com, jeffersonscher.com
    (Error code: ssl_error_bad_cert_domain)
    If instead you get a real webpage, click the padlock icon in the address bar, then More Information, then View Certificate, and take a look at the "Issued by" section. What do you see there?

  • Renew SSL Certificate for two Exchange 2010 Servers and the new rules.

    Hi there,
    My Exchange 2010 Server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we can not include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is the internet-facing server (where the certificate is initiated and installed) and one is a non-internet-facing Exchange server.
    If I am going to renew my certificate with public-only names, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
    This topic first appeared in the Spiceworks Community

    I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm
    It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm
    I bet Microsoft have something on their website too that helps with this sort of question. I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com, and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  • ACE module - end-to-end SSL

    Hello,
    I'm in the process of setting up an end-to-end SSL configuration but it doesn't work and I'm getting a bit confused at this stage. I imported a cert using the terminal (copy/paste), then I imported a key using the same method and TFTP. The TFTP failed and the terminal was displaying a message telling me there were too many lines.
    I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
    Is there any clear documentation on how to configure an end to end SSL ?
    I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
    I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
    Did anybody come across the same issues the first time configuring end-to-end SSL with ACE?

    Just don't know where to start.
    I feel like you do not have the right key/cert.
    This would be the very first thing to verify.
    Where did you get your key and cert ?
    What certificate authority signed your certificate ?
    The creation of the session key requires the use of an RSA key pair (private/public).
    Every server must have a public and a private key associated with a certificate signed by a certificate authority.
    If you're not familiar with those concepts, configuring an SSL offloader like ACE won't be easy.
    Maybe you should start by reading on the subject from the various articles available on the web.
    openssl is a great tool to generate keys and certificates.
    I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
    Then import everything into ACE.
    Once you have valid key/cert we can continue with the configuration.
    Gilles
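Added example, not code from any of the posts on this page: a POSIX shell script around openssl(1) that does what Gilles suggests (generate an RSA key pair and a self-signed certificate), what Cathy describes in the PKCS12 thread above (take a PKCS#12 bundle apart into the separate PEM key, certificate and CA files that crypto import and a chaingroup need), and the two checks behind the symptoms in this thread and the Entrust/Firefox one: that the key really belongs to the certificate (what crypto verify is complaining about), and that the CA file carries every issuer up to a root (what a browser misses when an intermediate is absent). The file names, the test CA and server subjects and the password changeit are assumptions for the demo; it runs entirely offline.

```shell
#!/bin/sh
# Added example, not code from any post on this page. Builds the PEM files an
# ACE "crypto import" accepts and checks them before import. Assumes openssl(1)
# on PATH; all file names, subjects and the password are placeholders.
set -eu

# Gilles' starting point: an RSA key pair plus a self-signed certificate.
# $1 = output prefix (writes $1.key and $1.crt), $2 = subject CN
new_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# A certificate signed by that CA, so there is a chain to hand to a chaingroup.
# $1 = CA prefix, $2 = server prefix, $3 = server CN
new_ca_signed_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -out "$2.crt" >/dev/null 2>&1
}

# What the CSS took and the ACE does not: one PKCS#12 bundle holding everything.
# $1 = server prefix, $2 = CA cert file, $3 = bundle path, $4 = export password
make_pkcs12() {
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2" \
    -out "$3" -passout "pass:$4"
}

# Cathy's answer: pull the bundle apart into PEM files outside the ACE.
# The awk ranges drop the "Bag Attributes" lines openssl prints before each
# object; a device that expects a bare PEM file will reject them.
# $1 = bundle, $2 = password, $3 = output dir
split_pkcs12() {
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | awk '/-----BEGIN/,/-----END/' > "$3/server.key"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3/server.crt"
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3/chain.pem"
  # one file per CA certificate: chaingroup members are imported one at a time
  awk -v d="$3" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/ca-" n ".pem")}' \
    "$3/chain.pem"
}

# Number of certificates in a PEM file (0 for an empty chain file).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# The check behind "crypto verify": do this key and this certificate carry the
# same public key? Compares the SPKI PEM extracted from each side.
# $1 = key file, $2 = cert file
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# The check behind the Entrust/Firefox thread: does the CA file carry every
# issuer up to a root? Fails when an intermediate (or the root) is missing.
# $1 = CA file (intermediates + root), $2 = server cert
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  d=$(mktemp -d)
  new_selfsigned_cert "$d/root" "Example Test Root"           # constructed test CA
  new_ca_signed_cert "$d/root" "$d/www" "www.example.test"    # constructed server cert
  make_pkcs12 "$d/www" "$d/root.crt" "$d/www.p12" changeit
  split_pkcs12 "$d/www.p12" changeit "$d/pem"
  key_matches_cert "$d/pem/server.key" "$d/pem/server.crt" && echo "key matches certificate"
  chain_verifies "$d/pem/chain.pem" "$d/pem/server.crt" \
    && echo "chain complete: $(count_certs "$d/pem/chain.pem") CA certificate(s)"
  : > "$d/empty.pem"                                           # the failure case
  chain_verifies "$d/empty.pem" "$d/pem/server.crt" || echo "issuer missing: browsers will warn"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh prepare-ace-pem.sh demo` to see both the passing checks and the missing-issuer failure. Two caveats the posts above do not settle: current openssl writes the extracted key in PKCS#8 form ("BEGIN PRIVATE KEY"), and some older devices only accept the traditional "BEGIN RSA PRIVATE KEY" form, which `openssl rsa -in server.key -out server.key` produces (add `-traditional` on OpenSSL 3); and the chain check here runs against files on disk, so for a server that is already live, `openssl s_client -connect host:443 -showcerts` is the way to see which chain it actually sends.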

  • Certificates vanished - ACE Module. Strange!

    ACE modules are configured in Active/Standby context mode on two distinct Cat6500's. The feature license is 10,000 SSL tps, 8Gbps throughput.
    We ran the application performance tests with 1000 users with https transactions and I noticed that all the root certificates under the chaingroup disappeared. Only the website certificate remained. When I accessed the website, it gave 'error with the security certificate', i.e. the root was not identifiable due to the missing certificates. Eventually, the CPU went to 100% on the Cat6500 and the ACE module was shut down by the chassis. It got re-enabled automatically in 5 minutes.
    I re-added the root certs, removed/added the service policy and after sometime I noticed the root certs disappeared again. STRANGE !
    show version output is
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
    loader: Version 12.2[121]
    system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008/02/02_/auto/adbu-rel3/ws/rel_3_0_0_a1_6.3-throttle/REL_3_0_0_A]
    system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
    installed license: ACE-08G-LIC ACE-VIRT-020 ACE-SSL-10K-K9
    Hardware
    Cisco ACE (slot: 2)
    cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
    memory info:
    total: 957640 kB, free: 347924 kB
    shared: 0 kB, buffers: 1588 kB, cached 0 kB
    cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 360960 kB, available: 653664 kB
    last boot reason: NP 0 Failed : NP ME Hung
    configuration register: 0x1
    Could you please advise whether there is any bug in the above software version i.e. it removes the root certs due to heavy transaction load.
    Thanks.

    I wanted to look for more details regarding this bug id. But I got the below message in Bug Toolkit. Please advise...
    CSCsl96203 Bug Details
    Information contained within bug ID CSCsl96203 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem. By choosing to save this bug, you may be notified when the decision to make this bug available to you has been made. Note: Some product enhancement requests and documentation error bugs may not be available in Bug Toolkit.

  • REDUNDANT ACE 20 WITH SSL CERTIFICATE

    Hi
    I have an ACE 20 redundant infrastructure (Active-Standby), and it is needed to implement a secure application with an SSL certificate.
    The question I have is: for this solution, is it necessary to generate a digital certificate and key for each ACE module? And is it possible to use the same certificate and key in both ACE modules?
    Thanks for your help.
    Regards

    Ricardo,
    You can just use the same certificates for both devices.
    Jorge
