SSL certificates issues

Similar Messages

• When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows give an error of "improperly formatted DER-encoded message"

  When accessing Intranet sites with that have SSL Certificates issued by our internal PKI, FF for Windows gives an error messsage - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
  Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

  Hi Guigs2,
  From the other post you link too, I can confirm that both the Root and Subordinate CA have been commissioned with the:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
  registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This is been Microsoft suggested deployment IF you do not wish to support either XP or Windows 2003 machine and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
  The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not what to necessary open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix?

• CF7 and JDK 1.4.2 - EV SSL Certificate Issue

  Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
  EV Certificate issued by DigiCert (4096-bit).
  Customer is on CF7 and JDK 1.4.2.
  When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
  Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
  Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
  I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
  - Dave

  Dave,
  I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
  I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
  so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
  to either CF 8 or CF 9 to get the issue quickly resolved.
  I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
  if I do find a solution, I'll definitely post it there for you.
  Cheers

• NAC SSL certificate Issue

  I recently applied a signed certificate to both the CAM and CAS. ever since then I have been having problems with the system. In the perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is what is the best way to roll back the signed certificates to the self signed ones? Any other suggestions would be greatly appreciated.
  Thanks in advance.

  Hi Giles,
  Thanks for te update. The problem I am facing is:-I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2)each associated with ssl certificate, now the problem i am facing is when we access the farm2 serverfarm we are issued the certificate of farm1 wereas i need to be getting the certificate from the farm2.
  Thanks in advance.
  Regards
  Sum

• Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

  We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
  On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

  Did you verify that all intermediate certificates are installed on the server?
  You can inspect the certificate chain via a site like this:
  *http://www.networking4all.com/en/support/tools/site+check/
  *https://www.ssllabs.com/ssltest/

• Snow Leopard Server - SSL Certificate Issue

  Hi. I am hoping someone can shine some light into an issue I am currently experiencing with SSL Certificates on the Snow Leopard Server which hosts out websites. This past weekend an SSL certificate pertaining to our primary domain expired which caused users to receive error messages prior to accessing the website ... the error message stated "the site's security certificate has expired!"
  I have since renewed the certificate via networksolutions.com and applied it on the Mac server. The certificate was applied successfully and i have added the certificate the sites along with restarting the apache to take in the settings. However, the certificate is not propagating out at all. I have also restarted the mac server as well in case there was something in the cache causing issues but unfortunately, the issue still exists.
  I have also removed the certificate entirely and reapplied it from scartch to make sure the original certificate wasn't causing any issues.
  Has anyone else incurred a similar issue or would anyone have any insight on how to possibly resolve the issue?
  Thank you!

  Just a quick update. the DNS seems fine but I am getting errors in the logs as follows.
  May 12 09:37:34 server jabberd/sm[2084]: version: jabberd sm 2.1.24.1-326.5
  May 12 09:37:34 server org.jabber.jabberd[2082]: ERROR: router died. Shutting down server.
  May 12 09:37:34 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
  May 12 09:37:34 server jabberd/sm[2084]: attempting connection to router at 127.0.0.1, port=5347
  May 12 09:37:34 server jabberd/sm[2084]: shutting down
  May 12 09:38:45 server jabberd/sm[2167]: version: jabberd sm 2.1.24.1-326.5
  May 12 09:38:45 server jabberd/sm[2167]: attempting connection to router at 127.0.0.1, port=5347
  May 12 09:38:45 server jabberd/sm[2167]: shutting down
  May 12 09:38:45 server org.jabber.jabberd[2165]: ERROR: router died. Shutting down server.
  May 12 09:38:45 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
  I checked the the crash report which has the follow kernal issue.
  Exception Type: EXCBADACCESS (SIGBUS)
  Exception Codes: KERNPROTECTIONFAILURE at 0x000000010011adb0
  Crashed Thread: 0 Dispatch queue: com.apple.main-thread
  Any ideas?

• SSL Certificates issues on ACE module

  Hi,
  SSL certificate and keys are not been transfered from active to standby automaticaaly, could anyone tell me why is this happening and what needs to be done.
  Thanks
  Neha

  Hi Neha,
  Yes - unless you are running the 2.2 version of ACE software - which is intended for really large configurations then there is no bulk certificate/key import process.
  Whatever you did to import the certificates/keys on your active configs you'll need to do on the standby configs.
  Note, by having missing files, replication will have been stopped.
  Cathy

• SSL certificate issue with WLS 10.3

  Hi All,
  I am facing this issue with my WLS cluster.
  <21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIF
  ICATE alert was received from system.core.com - 10.15.135.30.
  Check the peer to determine why it rejected the certificate chain (trusted CA co
  nfiguration, hostname verification). SSL debug tracing may be required to determ
  ine the exact reason the certificate was rejected.>
  <21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.ne
  t.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from
  system.core.com - 10.15.135.30. Check the peer to determine wh
  y it rejected the certificate chain (trusted CA configuration, hostname verifica
  tion). SSL debug tracing may be required to determine the exact reason the certi
  ficate was rejected.>
  Please suggest. I have also tried the below settings.
  Node Manager:
  -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
  Admin Server:
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Many thanks in advance.

  Hi Sandip,
  I am facing this issue right after when I have configured the listen address to my system IP in Machine(NodeManager), earlier it was "localhost".
  Also I have tried to generate the certificates e.g.
  C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhr
  ase -certfile mycertificate -keyfile .keystore
  Generating a certificate with common name system.core.com and key strength 1024
  issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server
  \lib\CertGenCAKey.der file
  C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePa
  ssPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
  No password was specified for the key entry
  Key file password will be used
  Imported private key .keystore.pem and certificate mycertificate.pem
  into a new keystore DemoIdentity.jks of type jks under alias demoidentity
  Tried the above but not wokring. Please advise.
  Edited by: R Vashi on 21-Apr-2010 03:38

• Exchange 2010: How to renew an SSL certificate?

  Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
  from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
  This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
  I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
  has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
  Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  Thank you. 

  -->Can you do a renewal for a certificate before the old one expires? 
  Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
  -->It is actually a renewal, or are you adding a 2nd certificate? 
  You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
  -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  You will have to do it from MMC or EMS. No need to do anything from IIS.
  Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
  1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
  folder
  Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
  2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
  3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
  4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
  5.Delete the old one certificate from MMC.
  From EMS use this command 
  Remove-ExchangeCertificate -Thumbprint <old cert thumprint>
  You can see the the certificate thumprints using Get-ExchangeCertificate command
  MAS. Please dont forget to mark as answer if it helped.

• I do not see SSL certificate warnings now a days, even when visiting sites that do not provide valid identity.

  When visiting a website that has some kind of SSL certificate issue, like missing , untrusted or invalid certificate etc, the browser is supposed to show a warning message, which should warn us of potential hazards of visiting the website. I realised that my browsers have not shown such warning message for a really long time. Can anyone give me any idea why this is happening?
  Thanks,
  Satya

  Do you get an error on this page: https://www.sothai.com/
  Under Technical Details you should get:
  www.sothai.com uses an invalid security certificate.
  The certificate is only valid for the following names:
  www.jeffersonscher.com, jeffersonscher.com
  (Error code: ssl_error_bad_cert_domain)
  If instead you get a real webpage, click the padlock icon in the address bar, then More Information, then View Certificate, and take a look at the "Issued by" section. What do you see there?

• Renew SSL Certificate for for two Exchange 2010 Server and the new rules.

  I find DigitCert's website always helpful with cert questions.They've got a pretty helpful page here: https://www.digicert.com/internal-names.htmIt looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htmI bet Microsoft have something on their website too that helps with this sort of question.I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  Hi there , 
  My exchange 2010 Server Certificate is about to expire and i am going to renew it but according to the new rules for SSL Certificate Issuing we can not include our Local Servers Names and Local FQDN such as myserver.contoso.local, my issue is that i have 2 exchange servers one is internet-facing Server (where the certificate is initiated and installed) and one is non-internet-facing Exchange server.
  if i am going to renew my certificate with public only name, I have to create a split Domain that reflects my external links to the internal Users, what shall i do for the non-internet-facing server? do i need to create another record in my split DNS Server and add it to my Certificate Request ? 
  This topic first appeared in the Spiceworks Community

• A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

  We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
  Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

  cookies.squite answer is Today at 5:15 PM .
  New profile, same problem.
  We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
  Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
  (3) different virus scanners, no hard core problems.
  Suspect how I have something in Windows setup that no one else is using?

• OPEN SSL certificate generation issue--bpel email activity

  Hi all,
  I need to send a mail from bpel using email activity.
  I made all settings changes.I downloaded OPENSSL software and I need to generate smtp ssl certificates?
  But while generation of ssl certificates I am getting some issue
  OpenSSL> openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:465>
  gmail.cert
  openssl:Error: 'openssl' is an invalid command.
  Standard commands
  asn1parse ca ciphers crl crl2pkcs7
  dgst dh dhparam dsa dsaparam
  ec ecparam enc engine errstr
  gendh gendsa genrsa nseq ocsp
  passwd pkcs12 pkcs7 pkcs8 prime
  rand req rsa rsautl s_client
  s_server s_time sess_id smime speed
  spkac verify version x509
  Message Digest commands (see the `dgst' command for more details)
  md2 md4 md5 rmd160 sha
  sha1
  Cipher commands (see the `enc' command for more details)
  aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
  aes-256-ecb base64 bf bf-cbc bf-cfb
  bf-ecb bf-ofb cast cast-cbc cast5-cbc
  cast5-cfb cast5-ecb cast5-ofb des des-cbc
  des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
  des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
  des-ofb des3 desx idea idea-cbc
  idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc
  rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
  rc4 rc4-40
  Can any one suggest me ,What I entered is correct or not?how to generate smtp certificates?
  Thanks in advance
  Krishna

  Fabian,
  Are you familiar with Firefox OS? The reason I say this is because the email client cannot create a certificate excaption. This is actually by design. This is by design: https://wiki.mozilla.org/Gaia/Email/Features#Security
  This support request at Mozilla was placed specifically for the Firefox OS product, for which only a single email client exists.
  That being said the good folks on the Mozilla Bugzilla, were able to show me how to look up another alias for these servers which does in fact work and does in fact match the SSL certificates. Though Dreamhost support could not provide me with said information, and said information does not in fact exist in the DreamHost wiki.
  I find repeated insistance from Dreamhost represenatives that I should just live with SSL certificate exceptions, when there are actual valid server names in existence to match the certificates in question, rediculous.
  The fact that you are posting this non solution for a product it isn't even applicable for is beyond unhelpful. It actually serves to muddy the waters.

• Microsoft Is Rushing to Fix Improperly Issued SSL Certificate

  Microsoft Security Advisory 3046310
  Microsoft is aware of an improperly issued SSL certificate for the domain “live.fi” that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
  To help protect customers from potentially fraudulent use of this digital certificate, it has been revoked by the issuing CA and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue.
  For more information see:
  https://technet.microsoft.com/en-us/library/security/3046310
  ThinkPad: T530 / X1 Gen 2 / Helix - Yoga: Tablet 2 Pro (Win) / Yoga 3 Pro
  If you find a post helpful and it answers your question, please click the "Accept As Solution" button.
  Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.
  Microsoft MVP - Consumer Security
  SpywareHammer

  You appear to be complaining about how Mail executes security. Turns out there is no one standard about how security is handled by Mail. 802.11x has nothing to do with that. 802.11x is simply a wireless router protocol. If you want a feature added to any Mac OS X software go to the feedback page:
  http://www.apple.com/feedback/
  or sign for a free Apple Developer account, and file a bug report here:
  http://bugreporter.apple.com/
  This is a user to user forum, and no one here can guess as to why Apple has incorporated certain features into Mail while others are not included. Please read the Terms of Use on the right more carefully. We'd have to guess Apple's programming policy to answer your questions.

• SSL Certificate question (minor issue)

  I have a Windows 2012 server setup with RDS.  I have about 10 virtual machines already setup - my whole VDI infrastructure.  Everything is working fine - accessing the vm's internally and externally, however, I have issues w/the certificate.
  I am using a self-signed certificate (until I can my client to pay for a real SSL cert).
  I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address), the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012)
  and the user will see the RDWeb page and can log in from there.  The cert is pointed to remote.mycompany.com too.  However, my server is called vdi-remote2.mycompany.com.  Naturally, when using IE to access the RDWeb page, their address bar
  in IE will be red with the cert error/warning.
  First they are greeted with the "There is a problem with this website's security certificate" and will click on continue to the this website.  Upon inspection of the certificate, it will say "This CA Root certificate is not trusted.  To
  enable trust, install this certificate in the Trusted Root Certification Authorities store."  Ok, I can install it (and have), but I still get the red address bar in my IE.
  Needless to say, I'd like to clean this all up.  The users are non-technical people and when they see this stuff, they freak out.  We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and security.
   Green or no address bar when using https in the address bar.
  How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb.  I don't recall the possibility to have two certs for one website (the RDWeb).  So,
  I'm a bit confused on all this cert stuff.  I could keep everything as is and just train the users, but I'd rather not.
  Thank you in advance for your reply.

  Hi Steve,
  Thanks for your comment.
  Yeah, your understanding is correct as you have commented that “Things are working, but ONLY after I install the cert in the trusted root certification authorities store.”
  Trusted certificate is required for RDS server.
  I would like to suggest you that first of all certificate must be placed in (local computer)/Personal Store, and the
  certificate must be signed by trusted authority. Please check below link which state that “If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted
  certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server. “ 
  RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
  You may export your certificate (and its private key) to a .pfx file using the Certificates mmc snapin.  By that way you can use the .pfx file for the RDS Role Services.
  Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  For your comment “One user was having issues.  Once I installed the cert on her computer, she has no more issues logging in and launching a remote session. “, I can say that if the issue is mostly due to certificate only then
  if you will purchase trusted authority certificate then as per my knowledge you’re all problem regarding login and certificate will be solved.
  More information:
  1. Configuring RDS 2012 Certificates and SSO
  2. RD Web Access Web site to use a trusted certificate
  (Thread might helpful to understand)
  Hope it helps!
  Thanks,
  Dharmesh