SSL Certificates - sec_error_unknown_issuer
Fix your browser already. Getting these SSL errors on every other site is starting to really get annoying! There is nothing wrong with the SSL certificates or the sites. It's your browser that is unable to verify the certificates.
http://i.imgur.com/52qSNXt.png
Latest addition to the sites that do not work: https://www.inspirepay.com
The latest browser causing nothing but trouble for clients.
''Edited for language. Please see [[Forum rules and guidelines]]''
What is an "(i)frame"? Not everybody is a code freak. I'm with the other guy -- FIX your browser! OR AT LEAST tell ME how to fix it in PLAIN ENGLISH.
Similar Messages
-
installed a new SSL certificate with 2048 bit encryption (as is now required by issuer of certificate). Everything is OK with IE, FF shows error: (Fehlercode: sec_error_unknown_issuer)
== URL of affected sites ==
https://www.dongil.at/I have also tried all the solutions mentioned - but no luck.
I wrote to Geotrust support and the pointed out that I needed the intermediate certificate and provided me with this url:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
Please note, this intermediate certificate was *not* the same is linked to above - seems like there are 2 different intermediate certificates, depending on what type of certificate you got from Geotrust.
Just to recap - if you got yourself a "QuickSSL, QuickSSL Premium or SSL Trial"-certificate (like me) then use this intermediate:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
If you got a "True BusinessID or Enterprise SSL"-certificate, you should use this:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423
- Lasse -
How to Create SSL certificate for HTTPS Connection in SAP PI
Hi,
I have Proxy to HTTPS scenario. I need to provide my SSL certificate( SAP PI SSL Certificate) to the vendor.
How to generate SAP PI SSL certificate. I have already imported vendor certificate using STRUST T-code.
I am not sure from where to generate SAP PI SSL certificate that need to be shared with vendor.
Please help me on this issue.
Thanks,
SivaHi,
Check if it helps:
http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
But as mentioned for the colleague above, you can create that on Visual Administrator Tool -> Keystore
Regards,
Caio Cagnani -
Office Web Apps Server SSL Certificate
Hi
I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
Regards.Hi,
Thanks for your posting in this forum.
I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
Thanks for your understanding.
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
SSL Certificate Export Password
Hi ,
I am trying to export certificate and Key from CSS, Unforunately i do not have password from them.
Is their anyway to recover password or can i export keys and certificate without password.
Thanks in Advance
AniruddhaI think the only way to export the key is to use the password issues when importing the key. The SSL Certificate and Key are stored in DES encryption. There is no way to get the key without the password for the certificate and key except to break DES or guess the password.
-
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cachecookies.squite answer is Today at 5:15 PM .
New profile, same problem.
We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
(3) different virus scanners, no hard core problems.
Suspect how I have something in Windows setup that no one else is using? -
Is it possible to use single ssl certificate for multiple server farm with different FQDN?
Hi
We generated the CSR request for versign secure site pro certificate
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
SSL Certificate for cn=abc.com considering abc.com as our major domain. now we have servers in this domain like www.abc.com, a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
And the same message when trying to access https://www.abc.com from Google Chrome.
"This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
Now my question is
1. Is is possible to remove above errors doing some ssl configuration on ACE?
2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate for CSR generated uisng cn =abc.com to be installed on ACE and will be used for all servers like www.abc.com , a.abc.com etc..
Thanks
WaliullahIf you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't beause your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
Hope this helps,
Sean -
How can I change an SSL Certificate display name on Firefox?
I have 6 SSL Certificate to install in order for an application to open in 6 ways. Each certificate represent a way. The problem is that the pop up window i am receiving to choose one of these 6 SSL displays the Issuer CN while i need it to display the friendly name / or the description since i can modify them.
Any way this is possible?
Thanks,This article may help you
https://support.mozilla.org/en-US/kb/enable-ssl-fix-cannot-connect-securely-error?esab=a&s=SSL+certificate+display+on+Firefox&r=7&as=s
regards,
Gautam sharma. -
Is there a way to change the CSR for install SSL Certificate for CCMADMIN
HI there,
Our customer want a solution for the https failure on CCMAdmin and CCMUser sites.
For that, I have exported a csr to buy a ssl certificate from verisign.
The problem is the csr includes fqdn an not just the servername
But the users just have to type in the servername to reach the server.
Is there a way to export a csr which include as common name only the server name without changing the domain settings in the cucm?
thanks
MarcoHi
You can go to the server via SSH, and enter the 'set web-security' command with the alternate-host-name parameter:
Command Syntax
set web-security orgunit orgname locality state country alternate-host-name
Parameters
• orgunit represents the organizational unit.
• orgname represents the organizational name.
• locality represents the organization location.
• state represents the organization state.
• country represents the organization country.
• alternate-host-name (optional) specifies an alternate name for the host when you generate a
web-server (Tomcat) certificate.
Note When you set an alternate-host-name parameter with the set web-security command,
self-signed certificates for tomcat will contain the Subject Alternate Name extension with
the alternate-host-name specified. CSR for Cisco Unified Communications Manager will
contain Subject Alternate Name Extension with the alternate host name included in the CSR.
Typically you would still use an FQDN, but a less specific one (e.g. ccm.company.com)...
Regards
Aaron
Please rate helpful posts... -
How can i refresh an SSL certificate for a specific page?
i am trying to access my electronic training jacket on Navy Knowledge Online to check the status of my security clearance. the ETJ page requires an SSL certificate. when i initially loaded the page the message window popped up prompting me to add the security exception and get the certificate. i got the certificate and continued to load the page but it came up with HTTP error 403.7 saying that i didn't have the certificate i needed. for some reason NKO isn't recognizing the certificate i got so i need to clear that certificate and get a new one that hopefully the server will recognize. how can i do this?
You can try to remove that certificate here:
Edit > Preferences > Advanced > Encryption: Certificates > View Certificates -
How do I install this self-signed SSL certificate?
I haven't been able to connect to the jabber server I've been using (phcn.de) for quite some time now, so I filed a bug report with mcabber. The friendly people there told me to install phcn.de's self-signed certificate, but I can't figure out for the life of me how to do that.
I know I can download something resembling a certificate using
$ gnutls-cli --print-cert -p 5223 phcn.de
Which does give me something to work with:
Resolving 'phcn.de'...
Connecting to '88.198.14.54:5223'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 768 bits
- Secret key: 767 bits
- Peer's public key: 767 bits
- PKCS#3 format:
-----BEGIN DH PARAMETERS-----
MIHFAmEA6eZCWZ01XzfJf/01ZxILjiXJzUPpJ7OpZw++xdiQFBki0sOzrSSACTeZ
hp0ehGqrSfqwrSbSzmoiIZ1HC859d31KIfvpwnC1f2BwAvPO+Dk2lM9F7jaIwRqM
VqsSej2vAmAwRwrVoAX7FM4tnc2H44vH0bHF+suuy+lfGQqnox0jxNu8vgYXRURA
GlssAgll2MK9IXHTZoRFdx90ughNICnYPBwVhUfzqfGicVviPVGuTT5aH2pwZPMW
kzo0bT9SklI=
-----END DH PARAMETERS-----
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=phcn.de', issuer `CN=phcn.de', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-04 08:26:21 UTC', expires `2014-04-08 08:26:21 UTC', SHA-1 fingerprint `d01bf1980777823ee7db14f8eac1c353dedb8fb7'
-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIINN98WCZuMLswDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE
AwwHcGhjbi5kZTAeFw0wOTA1MDQwODI2MjFaFw0xNDA0MDgwODI2MjFaMBIxEDAO
BgNVBAMMB3BoY24uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALqS+tnB
tNruBGdcjw0o+BWSdfkKH4T3VpS7bkrsS0q7RD5iUIao7jH2lJqTk1TrLbQe28+R
H0X9Ya+w22iYFea2l3wkrTnBfgdSZbRhpSxgVvC2QEBMoSrEQoRpo5lzXadRlob/
RQ+rhu/cWCNeiRJzfkmNirPVEciGKQHrwKxxAgMBAAGjJjAkMCIGA1UdEQQbMBmg
FwYIKwYBBQUHCAWgCwwJKi5waGNuLmRlMA0GCSqGSIb3DQEBBQUAA4GBALFBalfI
oESZY+UyVwOilQIF8mmYhGSFtreEcUsIQvG1+cgD16glKehx+OcWvJNwf8P6cFvH
7yiq/fhMVsjnxrfW5Hwagth04/IsuOtIQQZ1B2hnzNezlnntyvaXBMecTIkU7hgl
zYK97m28p07SrLX5r2A2ODfmYGbp4RD0XkAC
-----END CERTIFICATE-----
- The hostname in the certificate matches 'phcn.de'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
Unfortunately, the above command spits out more than a certificate. Do I need the additional information? If so, what do I need it for? Where do I need to put the certificate file?Hi,
I recently found out a way how to install test or self-signed certificates and use it with S1SE.
See:
http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
Follow the instructions there
1. Create CA
2. Create root ca certificate
Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
Paste the contents of the file: cacert.pem into the message-text box.
Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
The next step is to send a certificate-request from S1SE to your e-mail-address.
The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
Now just sign the Request:
CA.pl -sign
The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
Then you have to reboot the server/instance again and it should work with your certificate.
Regards,
Dominic -
Our site requires Third Party SSL certificates to be installed on our servers. We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits. Is there someplace in the GUI or OS where I can change the encryption?This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
http://help.godaddy.com/article/5276
You could also use an online CSR gererator such as:
http://www.gogetssl.com/eng/support/online_csr_generator/
The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
Hope this helps. -
Copying SSL Certificates from one server to another.
I have a question that hopefully someone might have the answer for... I have a IPlanet 6.0 SP4 server that has an SSL certificate I'm trying to move to a new server that's on SunOne 6.1. I was under the impression that I could easily copy the <Iplanet_Root>/alias/https-<ServerInstance>-<server>-<key3/cert7>.db files to the new server from that server's alias directory. However before I copied the files, I immediately noticed the new server's cert file is called cert8 instead of cert7 and is 64K as opposed to the 6.0 server's 16K.
I stopped the web instance and renamed the current db files and copied in the new and changed the cert7 to cert8. When I restarted the server, it stayed up and didn't report any problems. However, when I go the security tab and click on any of the links on the left column, an internal server error (http500) page is displayed. No additional errors show up in the errors log.
Unfortunately, we don't have the original certificate request. I'm sure when it was applied for; it was cut and pasted into the install certificate page. Otherwise, I'd simply do the install on the other server. Is there a simply means to copy an already installed cert from one sever to another?
Any assistance would be greatly appreciated.Migration from 6.0 to 6.1 should take care of this. You don't have to rename the files to cert7.db after the migration, just leave them with their new names and size as is. The new file created in 6.1(after migration is complete) will be called cert8 and this is fine because 6.1 uses newer version of security libs. Doc links:
http://docs.sun.com/source/817-1830-10/migrate2.html
http://docs.sun.com/source/817-1831-10/agcert.html#wp1017112
Thanks,
Manish -
Sequence tag error while importing the SSL certificate into ".keystore" fil
I have created the ".keystore " file successfully and also imported the "root.cer".
but while importing the SSL certificate it says like
"keytool error: java.security.cert.CertificateException: IOException: Sequence ta
g error" (I got the certificate from Verisign)
How to resolve this Error?
can anyone help me?
mail to:: [email protected]
Thanks in AdvanceHi,
I resolved this error by making it sure that there are no extra spaces or unwanted caracter copied while copying the certificate response from the CA. Make sure you are copying the certificate response properly. In my case, some extra space was getting copied so after re-copyinf it properly, it worked.
Maybe you are looking for
-
How to download Adobe Edge Inspect?
It maybe weekend woes, but I find it impossible to download Adobe Edge Inspect. For starters, I would like to test the free version. This is what I'm doing 1 )install the Edge Inspect Extension on Chrome 2) sign up for Adobe Create Cloud 3) go to app
-
What is PKCS7 and how to use it?
Hi! I'm in a project in which I must send a file encrypted with a key that is also encrypted with a public key, the receiver must decrypt the key using his(her) private key, and then, using that decrypted key to in turn decrypt the file. I've been to
-
Syncing my iphone goes to step 5 of 5 and stalls
Since Christmas I have been unable to sync my iphone. It continues to get to step 5 of 5 and just continues to send a message , waiting for changes to be applied. Anyone have any idea how to fix?
-
Revision: 1384 Author: [email protected] Date: 2008-04-24 07:54:58 -0700 (Thu, 24 Apr 2008) Log Message: Splitting DefineFont into the various DefineFont 1, 2, 3, etc SWF tag formats but retaining a common base DefineFont class so that embedded font
-
my database is in archivelog mode and i have a two database one is db01 which has alok1 tablespace and second is oemrep and i have a tablespace name alok1 and it has 3 tables in it i want to know that if i want to recover alok1 tablespace in second d