Ssl empty certificate chain?

Similar Messages

• Ssl empty certificate chain? (correct message format)

  I am having Problems with client certificate/setup.
  I have a client behind proxy that connect to Web Services.
  I have only a client certificate that I import (use keytool) in my keystore.
  I have this setting in my program:
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  System.setProperty("javax.net.ssl.keyStore", keyStore);
  System.setProperty("javax.net.ssl.keyStoreType", "JKS");
  System.setProperty("javax.net.ssl.keyStorePassword", keystorePass);
  System.setProperty("javax.net.ssl.trustStore", trustStore);
  System.setProperty("javax.net.ssl.trustStoreType", "JKS");
  System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
  [proxy setting is ok]
  But when I invoke a service I have a empty certificate chain.
  I use jdk1.3.1_08 and jsse-1_0_3_03
  Please Help me. I have read hundred pages.
  Many thanks in advance for any help.
  My client log:
  adding as trusted cert: [
  Version: V1
  Subject: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Key: com.sun.rsajca.JSA_RSAPublicKey@10c424
  Validity: [From: Mon Jan 29 01:00:00 CET 1996,
                 To: Sat Jan 01 00:59:59 CET 2000]
  Issuer: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    02a60000 01]
  Algorithm: [MD2withRSA]
  Signature:
  0000: 53 DD D3 F0 9C 24 7E 40 AA E2 FC 00 1A D7 DA 0C S....$.@........
  0010: FC 32 61 B8 15 0D 96 F3 FA 57 1B 7F 33 7C AF E9 .2a......W..3...
  0020: 98 9A 61 C8 7A B3 B7 FF B1 DC 99 83 DC AC 12 FC ..a.z...........
  0030: 70 C9 1F 38 42 ED 44 F6 80 2E 5B 6B 33 69 AC 9C p..8B.D...[k3i..
  0040: D3 5C E7 5F 5A 18 C7 B1 2D 79 04 96 41 91 99 41 .\._Z...-y..A..A
  0050: B1 3C 0D BA 84 39 C6 3B 97 F0 26 C9 8E EE BD CC .<...9.;..&.....
  0060: 42 95 FF 1E C7 02 3F 54 0C 78 F5 BC AA 60 7C 02 B.....?T.x...`..
  0070: 69 E8 DC AC E2 02 76 61 C4 3E 03 EA D2 8A 24 D1 i.....va.>....$.
  adding as trusted cert: [
  Version: V3
  Subject: [email protected], CN=bdrtest.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.rsajca.JSA_RSAPublicKey@238bd2
  Validity: [From: Tue Apr 05 16:05:41 CEST 2005,
                 To: Wed Apr 05 16:05:41 CEST 2006]
  Issuer: [email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  SerialNumber: [    01]
  Certificate Extensions: 4
  [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
  Extension unknown: DER encoded OCTET string =
  0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
  0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
  0020: 65 e
  [2]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 4D 11 53 D1 7A 92 69 3B 36 F7 D6 BA 53 6A 81 4A M.S.z.i;6...Sj.J
  0010: D5 38 98 59 .8.Y
  [3]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 2D F5 B5 55 88 86 E9 14 60 F1 E6 1C AD E2 71 79 -..U....`.....qy
  0010: 29 A0 F1 8F )...
  [[email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT]
  SerialNumber: [  0  ]
  [4]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:false
  PathLen: undefined
  Algorithm: [MD5withRSA]
  Signature:
  0000: 73 D0 96 DD 6F EF FB 44 AB 3C B1 ED F5 44 4A C4 s...o..D.<...DJ.
  0010: 11 71 5F 66 18 FF 86 B8 FD 1A 7D 0A 10 72 C6 FD .q_f.........r..
  0020: B6 3C 90 1F 38 72 E3 A9 13 84 97 5E 5B 95 09 4E .<..8r.....^[..N
  0030: CB 86 29 7D 7A BB 07 75 97 23 3C D5 B1 16 35 E0 ..).z..u.#<...5.
  adding as trusted cert: [
  Version: V1
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Key: com.sun.rsajca.JSA_RSAPublicKey@198891
  Validity: [From: Wed Nov 09 01:00:00 CET 1994,
                 To: Fri Jan 08 00:59:59 CET 2010]
  Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0 ]
  Algorithm: [MD2withRSA]
  Signature:
  0000: 65 DD 7E E1 B2 EC B0 E2 3A E0 EC 71 46 9A 19 11 e.......:..qF...
  0010: B8 D3 C7 A0 B4 03 40 26 02 3E 09 9C E1 12 B3 D1 ......@&.>......
  0020: 5A F6 37 A5 B7 61 03 B6 5B 16 69 3B C6 44 08 0C Z.7..a..[.i;.D..
  0030: 88 53 0C 6B 97 49 C7 3E 35 DC 6C B9 BB AA DF 5C .S.k.I.>5.l....\
  0040: BB 3A 2F 93 60 B6 A9 4B 4D F2 20 F7 CD 5F 7F 64 .:/.`..KM. .._.d
  0050: 7B 8E DC 00 5C D7 FA 77 CA 39 16 59 6F 0E EA D3 ....\..w.9.Yo...
  0060: B5 83 7F 4D 4D 42 56 76 B4 C9 5F 04 F8 38 F8 EB ...MMBVv.._..8..
  0070: D2 5F 75 5F CD 7B FC E5 8E 80 7C FC 50 ._u_........P
  trigger seeding of SecureRandom
  done seeding SecureRandom
  Providers com.sun.net.ssl.internal.www.protocol
  %% No cached client session
  *** ClientHello, v3.1
  RandomCookie: GMT: 1127228533 bytes = { 44, 211, 84, 116, 141, 40, 133, 180, 48, 96, 213, 147, 123, 141, 244, 71, 107, 242, 94, 105, 247, 101, 92, 8, 78, 176, 226, 133 }
  Session ID: {}
  Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 59
  0000: 01 00 00 37 03 01 43 30 24 75 2C D3 54 74 8D 28 ...7..C0$u,.Tt.(
  0010: 85 B4 30 60 D5 93 7B 8D F4 47 6B F2 5E 69 F7 65 ..0`.....Gk.^i.e
  0020: 5C 08 4E B0 E2 85 00 00 10 00 05 00 04 00 09 00 \.N.............
  0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
  main, WRITE: SSL v3.1 Handshake, length = 59
  [write] MD5 and SHA1 hashes: len = 77
  0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
  0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
  0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 43 30 24 .............C0$
  0030: 75 2C D3 54 74 8D 28 85 B4 30 60 D5 93 7B 8D F4 u,.Tt.(..0`.....
  0040: 47 6B F2 5E 69 F7 65 5C 08 4E B0 E2 85 Gk.^i.e\.N...
  main, WRITE: SSL v2, contentType = 22, translated length = 16310
  main, READ: SSL v3.1 Handshake, length = 944
  *** ServerHello, v3.1
  RandomCookie: GMT: 1127228167 bytes = { 57, 3, 100, 77, 244, 140, 105, 242, 70, 226, 115, 205, 144, 85, 197, 193, 174, 24, 87, 199, 88, 124, 184, 79, 20, 170, 150, 186 }
  Session ID: {38, 2, 0, 0, 135, 125, 13, 254, 209, 98, 207, 105, 118, 74, 36, 210, 126, 57, 176, 194, 64, 207, 8, 203, 68, 171, 118, 148, 170, 55, 139, 139}
  Cipher Suite: { 0, 4 }
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  [read] MD5 and SHA1 hashes: len = 74
  0000: 02 00 00 46 03 01 43 30 23 07 39 03 64 4D F4 8C ...F..C0#.9.dM..
  0010: 69 F2 46 E2 73 CD 90 55 C5 C1 AE 18 57 C7 58 7C i.F.s..U....W.X.
  0020: B8 4F 14 AA 96 BA 20 26 02 00 00 87 7D 0D FE D1 .O.... &........
  0030: 62 CF 69 76 4A 24 D2 7E 39 B0 C2 40 CF 08 CB 44 [email protected]
  0040: AB 76 94 AA 37 8B 8B 00 04 00 .v..7.....
  *** Certificate chain
  chain [0] = [
  Version: V3
  Subject: [email protected], CN=bdrtest.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.rsajca.JSA_RSAPublicKey@313906
  Validity: [From: Tue Apr 05 16:05:41 CEST 2005,
                 To: Wed Apr 05 16:05:41 CEST 2006]
  Issuer: [email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  SerialNumber: [    01]
  Certificate Extensions: 4
  [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
  Extension unknown: DER encoded OCTET string =
  0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
  0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
  0020: 65 e
  [2]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 4D 11 53 D1 7A 92 69 3B 36 F7 D6 BA 53 6A 81 4A M.S.z.i;6...Sj.J
  0010: D5 38 98 59 .8.Y
  [3]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 2D F5 B5 55 88 86 E9 14 60 F1 E6 1C AD E2 71 79 -..U....`.....qy
  0010: 29 A0 F1 8F )...
  [[email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT]
  SerialNumber: [  0  ]
  [4]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:false
  PathLen: undefined
  Algorithm: [MD5withRSA]
  Signature:
  0000: 73 D0 96 DD 6F EF FB 44 AB 3C B1 ED F5 44 4A C4 s...o..D.<...DJ.
  0010: 11 71 5F 66 18 FF 86 B8 FD 1A 7D 0A 10 72 C6 FD .q_f.........r..
  0020: B6 3C 90 1F 38 72 E3 A9 13 84 97 5E 5B 95 09 4E .<..8r.....^[..N
  0030: CB 86 29 7D 7A BB 07 75 97 23 3C D5 B1 16 35 E0 ..).z..u.#<...5.
  updated/found trusted cert: [
  Version: V3
  Subject: [email protected], CN=bdrtest.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.rsajca.JSA_RSAPublicKey@313906
  Validity: [From: Tue Apr 05 16:05:41 CEST 2005,
                 To: Wed Apr 05 16:05:41 CEST 2006]
  Issuer: [email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT
  SerialNumber: [    01]
  Certificate Extensions: 4
  [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
  Extension unknown: DER encoded OCTET string =
  0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
  0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
  0020: 65 e
  [2]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 4D 11 53 D1 7A 92 69 3B 36 F7 D6 BA 53 6A 81 4A M.S.z.i;6...Sj.J
  0010: D5 38 98 59 .8.Y
  [3]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 2D F5 B5 55 88 86 E9 14 60 F1 E6 1C AD E2 71 79 -..U....`.....qy
  0010: 29 A0 F1 8F )...
  [[email protected], CN=dns.tex.izs.it, OU=CED, O=IZSAM, L=Teramo, ST=Teramo, C=IT]
  SerialNumber: [  0  ]
  [4]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:false
  PathLen: undefined
  Algorithm: [MD5withRSA]
  Signature:
  0000: 73 D0 96 DD 6F EF FB 44 AB 3C B1 ED F5 44 4A C4 s...o..D.<...DJ.
  0010: 11 71 5F 66 18 FF 86 B8 FD 1A 7D 0A 10 72 C6 FD .q_f.........r..
  0020: B6 3C 90 1F 38 72 E3 A9 13 84 97 5E 5B 95 09 4E .<..8r.....^[..N
  0030: CB 86 29 7D 7A BB 07 75 97 23 3C D5 B1 16 35 E0 ..).z..u.#<...5.
  [read] MD5 and SHA1 hashes: len = 866
  0000: 0B 00 03 5E 00 03 5B 00 03 58 30 82 03 54 30 82 ...^..[..X0..T0.
  0010: 02 FE A0 03 02 01 02 02 01 01 30 0D 06 09 2A 86 ..........0...*.
  0020: 48 86 F7 0D 01 01 04 05 00 30 81 85 31 0B 30 09 H........0..1.0.
  0030: 06 03 55 04 06 13 02 49 54 31 0F 30 0D 06 03 55 ..U....IT1.0...U
  0040: 04 08 13 06 54 65 72 61 6D 6F 31 0F 30 0D 06 03 ....Teramo1.0...
  0050: 55 04 07 13 06 54 65 72 61 6D 6F 31 0E 30 0C 06 U....Teramo1.0..
  0060: 03 55 04 0A 13 05 49 5A 53 41 4D 31 0C 30 0A 06 .U....IZSAM1.0..
  0070: 03 55 04 0B 13 03 43 45 44 31 17 30 15 06 03 55 .U....CED1.0...U
  0080: 04 03 13 0E 64 6E 73 2E 74 65 78 2E 69 7A 73 2E ....dns.tex.izs.
  0090: 69 74 31 1D 30 1B 06 09 2A 86 48 86 F7 0D 01 09 it1.0...*.H.....
  00A0: 01 16 0E 64 2E 7A 69 70 70 6F 40 69 7A 73 2E 69 [email protected]
  00B0: 74 30 1E 17 0D 30 35 30 34 30 35 31 34 30 35 34 t0...05040514054
  00C0: 31 5A 17 0D 30 36 30 34 30 35 31 34 30 35 34 31 1Z..060405140541
  00D0: 5A 30 81 85 31 0B 30 09 06 03 55 04 06 13 02 49 Z0..1.0...U....I
  00E0: 54 31 0F 30 0D 06 03 55 04 08 13 06 54 65 72 61 T1.0...U....Tera
  00F0: 6D 6F 31 0F 30 0D 06 03 55 04 07 13 06 54 65 72 mo1.0...U....Ter
  0100: 61 6D 6F 31 0E 30 0C 06 03 55 04 0A 13 05 49 5A amo1.0...U....IZ
  0110: 53 41 4D 31 0C 30 0A 06 03 55 04 0B 13 03 43 45 SAM1.0...U....CE
  0120: 44 31 17 30 15 06 03 55 04 03 13 0E 62 64 72 74 D1.0...U....bdrt
  0130: 65 73 74 2E 69 7A 73 2E 69 74 31 1D 30 1B 06 09 est.izs.it1.0...
  0140: 2A 86 48 86 F7 0D 01 09 01 16 0E 64 2E 7A 69 70 *.H........d.zip
  0150: 70 6F 40 69 7A 73 2E 69 74 30 81 9F 30 0D 06 09 [email protected]...
  0160: 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 *.H............0
  0170: 81 89 02 81 81 00 F6 E3 70 EC 18 8B B7 1D D6 11 ........p.......
  0180: 11 59 3E 43 09 2D AE F1 06 A3 0C 21 F7 00 09 C2 .Y>C.-.....!....
  0190: 07 52 0B 29 35 CF 65 38 2C 6C 0A 61 06 50 B9 20 .R.)5.e8,l.a.P.
  01A0: 8C 5F A0 B9 B7 E2 8B 2B 10 89 B9 7F 40 0F 49 A1 [email protected].
  01B0: D8 9E A2 C8 BE 4E 63 20 F2 49 35 25 F1 5D 64 00 .....Nc .I5%.]d.
  01C0: ED 02 FD D7 96 51 73 C7 E9 DA 61 AA 88 FB 5D 0A .....Qs...a...].
  01D0: 41 56 EC 36 4F 85 B2 A1 8F E6 DE DC E2 2D B2 DF AV.6O........-..
  01E0: AA 3D 99 51 23 14 19 02 8A 2C D4 F0 4C 83 39 1C .=.Q#....,..L.9.
  01F0: 1B E5 8F 65 06 05 02 03 01 00 01 A3 82 01 11 30 ...e...........0
  0200: 82 01 0D 30 09 06 03 55 1D 13 04 02 30 00 30 2C ...0...U....0.0,
  0210: 06 09 60 86 48 01 86 F8 42 01 0D 04 1F 16 1D 4F ..`.H...B......O
  0220: 70 65 6E 53 53 4C 20 47 65 6E 65 72 61 74 65 64 penSSL Generated
  0230: 20 43 65 72 74 69 66 69 63 61 74 65 30 1D 06 03 Certificate0...
  0240: 55 1D 0E 04 16 04 14 4D 11 53 D1 7A 92 69 3B 36 U......M.S.z.i;6
  0250: F7 D6 BA 53 6A 81 4A D5 38 98 59 30 81 B2 06 03 ...Sj.J.8.Y0....
  0260: 55 1D 23 04 81 AA 30 81 A7 80 14 2D F5 B5 55 88 U.#...0....-..U.
  0270: 86 E9 14 60 F1 E6 1C AD E2 71 79 29 A0 F1 8F A1 ...`.....qy)....
  0280: 81 8B A4 81 88 30 81 85 31 0B 30 09 06 03 55 04 .....0..1.0...U.
  0290: 06 13 02 49 54 31 0F 30 0D 06 03 55 04 08 13 06 ...IT1.0...U....
  02A0: 54 65 72 61 6D 6F 31 0F 30 0D 06 03 55 04 07 13 Teramo1.0...U...
  02B0: 06 54 65 72 61 6D 6F 31 0E 30 0C 06 03 55 04 0A .Teramo1.0...U..
  02C0: 13 05 49 5A 53 41 4D 31 0C 30 0A 06 03 55 04 0B ..IZSAM1.0...U..
  02D0: 13 03 43 45 44 31 17 30 15 06 03 55 04 03 13 0E ..CED1.0...U....
  02E0: 64 6E 73 2E 74 65 78 2E 69 7A 73 2E 69 74 31 1D dns.tex.izs.it1.
  02F0: 30 1B 06 09 2A 86 48 86 F7 0D 01 09 01 16 0E 64 0...*.H........d
  0300: 2E 7A 69 70 70 6F 40 69 7A 73 2E 69 74 82 01 00 [email protected]...
  0310: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 03 0...*.H.........
  0320: 41 00 73 D0 96 DD 6F EF FB 44 AB 3C B1 ED F5 44 A.s...o..D.<...D
  0330: 4A C4 11 71 5F 66 18 FF 86 B8 FD 1A 7D 0A 10 72 J..q_f.........r
  0340: C6 FD B6 3C 90 1F 38 72 E3 A9 13 84 97 5E 5B 95 ...<..8r.....^[.
  0350: 09 4E CB 86 29 7D 7A BB 07 75 97 23 3C D5 B1 16 .N..).z..u.#<...
  0360: 35 E0 5.
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 60, 231, 207, 10, 49, 242, 250, 171, 53, 8, 41, 187, 100, 227, 91, 207, 240, 75, 233, 38, 44, 239, 48, 98, 118, 122, 4, 85, 50, 152, 59, 82, 172, 186, 169, 235, 87, 214, 155, 243, 41, 52, 92, 5, 252, 141 }
  [write] MD5 and SHA1 hashes: len = 134
  0000: 10 00 00 82 00 80 86 7D 83 84 8C 38 3A 3A C3 37 ...........8::.7
  0010: D1 4E 69 55 77 6D 14 C8 04 F4 AB 62 3D 71 32 6F .NiUwm.....b=q2o
  0020: A4 0D 16 F6 99 0C FD FD 39 08 C3 B2 B8 BF 93 BA ........9.......
  0030: 23 CE 3E 8D 91 75 EC 29 D0 30 72 00 1B 00 F2 71 #.>..u.).0r....q
  0040: 8D C2 FF 78 16 89 C5 8B 99 4A 1E 17 8F 86 A9 F9 ...x.....J......
  0050: B3 46 04 B5 5C 0B 27 84 22 E4 0A 7D 0E 9E 8A CC .F..\.'.".......
  0060: 5D 52 FB 63 77 11 FF 54 FB FC 96 89 F6 15 BC 0F ]R.cw..T........
  0070: 6C EE C9 43 1D 51 97 D0 4B 48 31 FA D5 0B 63 6A l..C.Q..KH1...cj
  0080: B2 9B 99 2C 99 CA ...,..
  main, WRITE: SSL v3.1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 3C E7 CF 0A 31 F2 FA AB 35 08 29 BB 64 E3 ..<...1...5.).d.
  0010: 5B CF F0 4B E9 26 2C EF 30 62 76 7A 04 55 32 98 [..K.&,.0bvz.U2.
  0020: 3B 52 AC BA A9 EB 57 D6 9B F3 29 34 5C 05 FC 8D ;R....W...)4\...
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 43 30 24 75 2C D3 54 74 8D 28 85 B4 30 60 D5 93 C0$u,.Tt.(..0`..
  0010: 7B 8D F4 47 6B F2 5E 69 F7 65 5C 08 4E B0 E2 85 ...Gk.^i.e\.N...
  Server Nonce:
  0000: 43 30 23 07 39 03 64 4D F4 8C 69 F2 46 E2 73 CD C0#.9.dM..i.F.s.
  0010: 90 55 C5 C1 AE 18 57 C7 58 7C B8 4F 14 AA 96 BA .U....W.X..O....
  Master Secret:
  0000: 6E 47 12 2F BD 40 E5 30 E2 0E 0C 24 23 DD FC 53 nG./[email protected]...$#..S
  0010: DD 7C A8 6C 9F 36 48 82 03 B1 63 21 64 73 A6 E3 ...l.6H...c!ds..
  0020: 4D E6 6B 06 77 7D A6 38 4A EB 76 C1 34 85 75 31 M.k.w..8J.v.4.u1
  Client MAC write Secret:
  0000: 95 7D A9 28 CA 82 E9 69 3E DC 79 8D C0 36 70 30 ...(...i>.y..6p0
  Server MAC write Secret:
  0000: 7D 10 E4 35 B4 D9 62 BA 83 1D F3 16 B0 D1 14 AC ...5..b.........
  Client write key:
  0000: 44 0E 25 5D AC 78 51 19 21 66 06 CF 3D 8C 98 98 D.%].xQ.!f..=...
  Server write key:
  0000: 3D C2 21 97 4C E3 D3 69 9E D9 8A CC 63 E0 0C 8E =.!.L..i....c...
  ... no IV for cipher
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
  *** Finished, v3.1
  verify_data: { 65, 234, 65, 174, 47, 136, 37, 130, 121, 68, 222, 210 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 41 EA 41 AE 2F 88 25 82 79 44 DE D2 ....A.A./.%.yD..
  Plaintext before ENCRYPTION: len = 32
  0000: 14 00 00 0C 41 EA 41 AE 2F 88 25 82 79 44 DE D2 ....A.A./.%.yD..
  0010: E8 81 F0 28 5A 40 91 C8 BA 85 76 8F 34 EB 95 C7 ...([email protected]...
  main, WRITE: SSL v3.1 Handshake, length = 32
  main, READ: SSL v3.1 Change Cipher Spec, length = 1
  main, READ: SSL v3.1 Handshake, length = 32
  Plaintext after DECRYPTION: len = 32
  0000: 14 00 00 0C 17 47 6E 29 11 06 A0 41 A0 0C 9D 41 .....Gn)...A...A
  0010: 61 F9 5F E0 B3 90 BA B2 63 8A 45 8F 61 84 40 39 a._.....c.E.a.@9
  *** Finished, v3.1
  verify_data: { 23, 71, 110, 41, 17, 6, 160, 65, 160, 12, 157, 65 }
  %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  [read] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 17 47 6E 29 11 06 A0 41 A0 0C 9D 41 .....Gn)...A...A
  Plaintext before ENCRYPTION: len = 63
  0000: 50 4F 53 54 20 2F 77 73 73 75 69 6E 69 41 75 74 POST /wssuiniAut
  0010: 43 65 72 74 2F 77 73 53 75 69 6E 69 55 70 64 2E Cert/wsSuiniUpd.
  0020: 61 73 6D 78 20 48 54 54 50 2F 31 2E 31 0D 0A 2F asmx HTTP/1.1../
  0030: 83 FA 4C 02 2F 83 20 D3 49 7C CD 39 A2 95 53 ..L./. .I..9..S
  main, WRITE: SSL v3.1 Application Data, length = 63
  Plaintext before ENCRYPTION: len = 57
  0000: 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 Content-Type: te
  0010: 78 74 2F 78 6D 6C 3B 20 63 68 61 72 73 65 74 3D xt/xml; charset=
  0020: 22 75 74 66 2D 38 22 0D 0A 54 E1 A0 DE 70 E4 92 "utf-8"..T...p..
  0030: 12 58 C1 C6 58 9A 44 39 E2 .X..X.D9.
  main, WRITE: SSL v3.1 Application Data, length = 57
  Plaintext before ENCRYPTION: len = 37
  0000: 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 Content-Length:
  0010: 38 34 38 0D 0A 86 C7 70 1C 67 47 DC 1C D4 E7 67 848....p.gG....g
  0020: CB 64 69 5A 44 .diZD
  main, WRITE: SSL v3.1 Application Data, length = 37
  Plaintext before ENCRYPTION: len = 69
  0000: 50 72 6F 78 79 2D 41 75 74 68 6F 72 69 7A 61 74 Proxy-Authorizat
  0010: 69 6F 6E 3A 20 42 61 73 69 63 20 5A 47 35 68 64 ion: Basic ZG5hd
  0020: 47 56 73 62 47 45 36 59 7A 46 7A 61 57 52 70 4D GVsbGE6YzFzaWRpM
  0030: 44 45 3D 0D 0A C1 74 CC F1 05 89 84 2C B1 69 45 DE=...t.....,.iE
  0040: 2A 6F B3 7A 23 *o.z#
  main, WRITE: SSL v3.1 Application Data, length = 69
  Plaintext before ENCRYPTION: len = 71
  0000: 53 4F 41 50 41 63 74 69 6F 6E 3A 20 68 74 74 70 SOAPAction: http
  0010: 3A 2F 2F 62 64 72 2E 69 7A 73 2E 69 74 2F 77 65 ://bdr.izs.it/we
  0020: 62 73 65 72 76 69 63 65 73 2F 49 6E 73 65 72 74 bservices/Insert
  0030: 5F 4E 6F 74 65 0D 0A 4B 7C 0F A5 D6 00 58 78 BC _Note..K.....Xx.
  0040: 0B 59 52 E1 FC 70 86 .YR..p.
  main, WRITE: SSL v3.1 Application Data, length = 71
  Plaintext before ENCRYPTION: len = 42
  0000: 55 73 65 72 2D 41 67 65 6E 74 3A 20 4A 61 76 61 User-Agent: Java
  0010: 31 2E 33 2E 31 5F 30 38 0D 0A 61 25 77 68 A0 C2 1.3.1_08..a%wh..
  0020: AC 52 CA F3 A3 F7 75 8A B0 FE .R....u...
  main, WRITE: SSL v3.1 Application Data, length = 42
  Plaintext before ENCRYPTION: len = 38
  0000: 48 6F 73 74 3A 20 62 64 72 74 65 73 74 2E 69 7A Host: bdrtest.iz
  0010: 73 2E 69 74 0D 0A D3 39 F0 0E C3 28 D0 12 1A 58 s.it...9...(...X
  0020: 83 A4 BB 23 11 48 ...#.H
  main, WRITE: SSL v3.1 Application Data, length = 38
  Plaintext before ENCRYPTION: len = 78
  0000: 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D Accept: text/htm
  0010: 6C 2C 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D l, image/gif, im
  0020: 61 67 65 2F 6A 70 65 67 2C 20 2A 3B 20 71 3D 2E age/jpeg, *; q=.
  0030: 32 2C 20 2A 2F 2A 3B 20 71 3D 2E 32 0D 0A 89 64 2, */*; q=.2...d
  0040: F7 A9 7F 6C 29 07 22 6F AC F3 B4 D4 7F C1 ...l)."o......
  main, WRITE: SSL v3.1 Application Data, length = 78
  Plaintext before ENCRYPTION: len = 40
  0000: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 Connection: keep
  0010: 2D 61 6C 69 76 65 0D 0A 1E D0 BD FD 9C 84 0A E0 -alive..........
  0020: 9D 3D 26 26 99 09 BB FB .=&&....
  main, WRITE: SSL v3.1 Application Data, length = 40
  Plaintext before ENCRYPTION: len = 18
  0000: 0D 0A C9 79 35 92 83 D8 A1 BF 46 B9 3E FC B9 78 ...y5.....F.>..x
  0010: 07 89 ..
  main, WRITE: SSL v3.1 Application Data, length = 18
  Plaintext before ENCRYPTION: len = 864
  0000: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
  0010: 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 .0" encoding="UT
  0020: 46 2D 38 22 3F 3E 0A 3C 73 6F 61 70 2D 65 6E 76 F-8"?>.<soap-env
  0030: 3A 45 6E 76 65 6C 6F 70 65 20 78 6D 6C 6E 73 3A :Envelope xmlns:
  0040: 73 6F 61 70 2D 65 6E 76 3D 22 68 74 74 70 3A 2F soap-env="http:/
  0050: 2F 73 63 68 65 6D 61 73 2E 78 6D 6C 73 6F 61 70 /schemas.xmlsoap
  0060: 2E 6F 72 67 2F 73 6F 61 70 2F 65 6E 76 65 6C 6F .org/soap/envelo
  0070: 70 65 2F 22 20 78 6D 6C 6E 73 3A 78 73 69 3D 22 pe/" xmlns:xsi="
  main, WRITE: SSL v3.1 Application Data, length = 864
  main, READ: SSL v3.1 Handshake, length = 20
  Plaintext after DECRYPTION: len = 20
  0000: 00 00 00 00 AC FA A9 49 7D 8A 0B A9 50 2F 74 A3 .......I....P/t.
  0010: D2 BA 7A 39 ..z9
  *** HelloRequest (empty)
  %% Client cached [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  %% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_MD5] from port 4625
  *** ClientHello, v3.1
  RandomCookie: GMT: 1127228534 bytes = { 18, 49, 204, 75, 133, 78, 163, 164, 250, 200, 97, 100, 19, 143, 176, 205, 50, 166, 159, 21, 80, 181, 243, 41, 64, 166, 190, 104 }
  Session ID: {38, 2, 0, 0, 135, 125, 13, 254, 209, 98, 207, 105, 118, 74, 36, 210, 126, 57, 176, 194, 64, 207, 8, 203, 68, 171, 118, 148, 170, 55, 139, 139}
  Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 91
  0000: 01 00 00 57 03 01 43 30 24 76 12 31 CC 4B 85 4E ...W..C0$v.1.K.N
  0010: A3 A4 FA C8 61 64 13 8F B0 CD 32 A6 9F 15 50 B5 ....ad....2...P.
  0020: F3 29 40 A6 BE 68 20 26 02 00 00 87 7D 0D FE D1 .)@..h &........
  0030: 62 CF 69 76 4A 24 D2 7E 39 B0 C2 40 CF 08 CB 44 [email protected]
  0040: AB 76 94 AA 37 8B 8B 00 10 00 05 00 04 00 09 00 .v..7...........
  0050: 0A 00 12 00 13 00 03 00 11 01 00 ...........
  Plaintext before ENCRYPTION: len = 107
  0000: 01 00 00 57 03 01 43 30 24 76 12 31 CC 4B 85 4E ...W..C0$v.1.K.N
  0010: A3 A4 FA C8 61 64 13 8F B0 CD 32 A6 9F 15 50 B5 ....ad....2...P.
  0020: F3 29 40 A6 BE 68 20 26 02 00 00 87 7D 0D FE D1 .)@..h &........
  0030: 62 CF 69 76 4A 24 D2 7E 39 B0 C2 40 CF 08 CB 44 [email protected]
  0040: AB 76 94 AA 37 8B 8B 00 10 00 05 00 04 00 09 00 .v..7...........
  0050: 0A 00 12 00 13 00 03 00 11 01 00 06 4B 44 B4 6C ............KD.l
  0060: 9E B4 85 36 A4 D9 93 23 DB 49 0C ...6...#.I.
  main, WRITE: SSL v3.1 Handshake, length = 107
  main, READ: SSL v3.1 Handshake, length = 4076
  Plaintext after DECRYPTION: len = 4076
  0000: 02 00 00 46 03 01 43 30 23 09 DD 0A F6 93 D0 16 ...F..C0#.......
  0010: CE 00 CC 72 55 92 92 12 4A B3 B7 92 8F 94 02 CA ...rU...J.......
  0020: FE 25 A6 65 88 CF 20 2D 10 00 00 0F 1A 6E 56 46 .%.e.. -.....nVF
  0030: 1B AD 9F E9 00 B2 DD 00 07 60 94 08 43 9E AC 9B .........`..C...
  0040: 89 EA 73 79 EA 00 D1 00 04 00 0B 00 03 5E 00 03 ..sy.........^..
  0050: 5B 00 03 58 30 82 03 54 30 82 02 FE A0 03 02 01 [..X0..T0.......
  0060: 02 02 01 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 ....0...*.H.....
  0070: 04 05 00 30 81 85 31 0B 30 09 06 03 55 04 06 13 ...0..1.0...U...
  0080: 02 49 54 31 0F 30 0D 06 03 55 04 08 13 06 54 65 .IT1.0...U....Te
  0090: 72 61 6D 6F 31 0F 30 0D 06 03 55 04 07 13 06 54 ramo1.0...U....T
  00A0: 65 72 61 6D 6F 31 0E 30 0C 06 03 55 04 0A 13 05 eramo1.0...U....
  00B0: 49 5A 53 41 4D 31 0C 30 0A 06 03 55 04 0B 13 03 IZSAM1.0...U....
  00C0: 43 45 44 31 17 30 15 06 03 55 04 03 13 0E 64 6E CED1.0...U....dn
  00D0: 73 2E 74 65 78 2E 69 7A 73 2E 69 74 31 1D 30 1B s.tex.izs.it1.0.
  00E0: 06 09 2A 86 48 86 F7 0D 01 09 01 16 0E 64 2E 7A ..*.H........d.z
  00F0: 69 70 70 6F 40 69 7A 73 2E 69 74 30 1E 17 0D 30 [email protected]
  0100: 35 30 34 30 35 31 34 30 35 34 31 5A 17 0D 30 36 50405140541Z..06
  0110: 30 34 30 35 31 34 30 35 34 31 5A 30 81 85 31 0B 0405140541Z0..1.
  0120: 30 09 06 03 55 04 06 13 02 49 54 31 0F 30 0D 06 0...U....IT1.0..
  0130: 03 55 04 08 13 06 54 65 72 61 6D 6F 31 0F 30 0D .U....Teramo1.0.
  0140: 06 03 55 04 07 13 06 54 65 72 61 6D 6F 31 0E 30 ..U....Teramo1.0
  0150: 0C 06 03 55 04 0A 13 05 49 5A 53 41 4D 31 0C 30 ...U....IZSAM1.0
  0160: 0A 06 03 55 04 0B 13 03 43 45 44 31 17 30 15 06 ...U....CED1.0..
  0170: 03 55 04 03 13 0E 62 64 72 74 65 73 74 2E 69 7A .U....bdrtest.iz
  0180: 73 2E 69 74 31 1D 30 1B 06 09 2A 86 48 86 F7 0D s.it1.0...*.H...
  0190: 01 09 01 16 0E 64 2E 7A 69 70 70 6F 40 69 7A 73 .....d.zippo@izs
  01A0: 2E 69 74 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D .it0..0...*.H...
  01B0: 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 .........0......
  01C0: F6 E3 70 EC 18 8B B7 1D D6 11 11 59 3E 43 09 2D ..p........Y>C.-
  01D0: AE F1 06 A3 0C 21 F7 00 09 C2 07 52 0B 29 35 CF .....!.....R.)5.
  01E0: 65 38 2C 6C 0A 61 06 50 B9 20 8C 5F A0 B9 B7 E2 e8,l.a.P. ._....
  01F0: 8B 2B 10 89 B9 7F 40 0F 49 A1 D8 9E A2 C8 BE 4E [email protected]
  0200: 63 20 F2 49 35 25 F1 5D 64 00 ED 02 FD D7 96 51 c .I5%.]d......Q
  0210: 73 C7 E9 DA 61 AA 88 FB 5D 0A 41 56 EC 36 4F 85 s...a...].AV.6O.
  0220: B2 A1 8F E6 DE DC E2 2D B2 DF AA 3D 99 51 23 14 .......-...=.Q#.
  0230: 19 02 8A 2C D4 F0 4C 83 39 1C 1B E5 8F 65 06 05 ...,..L.9....e..
  0240: 02 03 01 00 01 A3 82 01 11 30 82 01 0D 30 09 06 .........0...0..
  0250: 03 55 1D 13 04 02 30 00 30 2C 06 09 60 86 48 01 .U....0.0,..`.H.
  0260: 86 F8 42 01 0D 04 1F 16 1D 4F 70 65 6E 53 53 4C ..B......OpenSSL
  0270: 20 47 65 6E 65 72 61 74 65 64 20 43 65 72 74 69 Generated Certi
  0280: 66 69 63 61 74 65 30 1D 06 03 55 1D 0E 04 16 04 ficate0...U.....
  0290: 14 4D 11 53 D1 7A 92 69 3B 36 F7 D6 BA 53 6A 81 .M.S.z.i;6...Sj.
  02A0: 4A D5 38 98 59 30 81 B2 06 03 55 1D 23 04 81 AA J.8.Y0....U.#...
  02B0: 30 81 A7 80 14 2D F5 B5 55 88 86 E9 14 60 F1 E6 0....-..U....`..
  02C0: 1C AD E2 71 79 29 A0 F1 8F A1 81 8B A4 81 88 30 ...qy).........0
  02D0: 81 85 31 0B 30 09 06 03 55 04 06 13 02 49 54 31 ..1.0...U....IT1
  02E0: 0F 30 0D 06 03 55 04 08 13 06 54 65 72 61 6D 6F .0...U....Teramo
  02F0: 31 0F 30 0D 06 03 55 04 07 13 06 54 65 72 61 6D 1.0...U....Teram
  0300: 6F 31 0E 30 0C 06 03 55 04 0A 13 05 49 5A 53 41 o1.0...U....IZSA
  0310: 4D 31 0C 30 0A 06 03 55 04 0B 13 03 43 45 44 31 M1.0...U....CED1
  0320: 17 30 15 06 03 55 04 03 13 0E 64 6E 73 2E 74 65 .0...U....dns.te
  0330: 78 2E 69 7A 73 2E 69 74 31 1D 30 1B 06 09 2A 86 x.izs.it1.0...*.
  0340: 48 86 F7 0D 01 09 01 16 0E 64 2E 7A 69 70 70 6F H........d.zippo
  0350: 40 69 7A 73 2E 69 74 82 01 00 30 0D 06 09 2A 86 @izs.it...0...*.
  0360: 48 86 F7 0D 01 01 04 05 00 03 41 00 73 D0 96 DD H.........A.s...
  0370: 6F EF FB 44 AB 3C B1 ED F5 44 4A C4 11 71 5F 66 o..D.<...DJ..q_f
  0380: 18 FF 86 B8 FD 1A 7D 0A 10 72 C6 FD B6 3C 90 1F .........r...<..
  0390: 38 72 E3 A9 13 84 97 5E 5B 95 09 4E CB 86 29 7D 8r.....^[..N..).
  03A0: 7A BB 07 75 97 23 3C D5 B1 16 35 E0 0D 00 0C 28 z..u.#<...5....(
  03B0: 01 01 0C 24 00 C4 30 81 C1 31 0B 30 09 06 03 55 ...$..0..1.0...U
  03C0: 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0A 13 ....US1.0...U...
  03D0: 0E 56 65 72 69 53 69 67 6E 2C 20 49 6E 63 2E 31 .VeriSign, Inc.1
  *** ServerHello, v3.1
  RandomCookie: GMT: 1127228169 bytes = { 221, 10, 246, 147, 208, 22, 206, 0, 204, 114, 85, 146, 146, 18, 74, 179, 183, 146, 143, 148, 2, 202, 254, 37, 166, 101, 136, 207 }
  Session ID: {45, 16, 0, 0, 15, 26,

  Thanks very much for reply.
  I'm sorry, I missed a piece in previous post.
  This is Server response:
  Plaintext after DECRYPTION: len = 4316
  0000: 48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63 HTTP/1.1 403 Acc
  0010: 65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53 ess Forbidden..S
  0020: 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74 erver: Microsoft
  0030: 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20 -IIS/5.0..Date:
  0040: 57 65 64 2C 20 32 31 20 53 65 70 20 32 30 30 35 Wed, 21 Sep 2005
  0050: 20 30 37 3A 32 34 3A 33 39 20 47 4D 54 0D 0A 43 07:24:39 GMT..C
  0060: 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 onnection: close
  0070: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
  0080: 3A 20 34 32 33 37 0D 0A 43 6F 6E 74 65 6E 74 2D : 4237..Content-
  0090: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D Type: text/html.
  00A0: 0A 0D 0A 3C 21 44 4F 43 54 59 50 45 20 48 54 4D ...<!DOCTYPE HTM
  00B0: 4C 20 50 55 42 4C 49 43 20 22 2D 2F 2F 57 33 43 L PUBLIC "-//W3C
  00C0: 2F 2F 44 54 44 20 48 54 4D 4C 20 33 2E 32 20 46 //DTD HTML 3.2 F
  00D0: 69 6E 61 6C 2F 2F 45 4E 22 3E 0D 0A 3C 68 74 6D inal//EN">..<htm
  00E0: 6C 20 64 69 72 3D 6C 74 72 3E 0D 0A 0D 0A 3C 68 l dir=ltr>....<h
  00F0: 65 61 64 3E 0D 0A 3C 73 74 79 6C 65 3E 0D 0A 61 ead>..<style>..a
  0100: 3A 6C 69 6E 6B 09 09 09 7B 66 6F 6E 74 3A 38 70 :link....font:8p
  0110: 74 2F 31 31 70 74 20 76 65 72 64 61 6E 61 3B 20 t/11pt verdana;
  0120: 63 6F 6C 6F 72 3A 46 46 30 30 30 30 7D 0D 0A 61 color:FF0000...a
  0130: 3A 76 69 73 69 74 65 64 09 09 7B 66 6F 6E 74 3A :visited...font:
  0140: 38 70 74 2F 31 31 70 74 20 76 65 72 64 61 6E 61 8pt/11pt verdana
  0150: 3B 20 63 6F 6C 6F 72 3A 23 34 65 34 65 34 65 7D ; color:#4e4e4e.
  0160: 0D 0A 3C 2F 73 74 79 6C 65 3E 0D 0A 0D 0A 3C 4D ..</style>....<M
  0170: 45 54 41 20 4E 41 4D 45 3D 22 52 4F 42 4F 54 53 ETA NAME="ROBOTS
  0180: 22 20 43 4F 4E 54 45 4E 54 3D 22 4E 4F 49 4E 44 " CONTENT="NOIND
  0190: 45 58 22 3E 0D 0A 0D 0A 3C 74 69 74 6C 65 3E 54 EX">....<title>T
  01A0: 68 65 20 70 61 67 65 20 72 65 71 75 69 72 65 73 he page requires
  01B0: 20 61 20 63 6C 69 65 6E 74 20 63 65 72 74 69 66 a client certif
  01C0: 69 63 61 74 65 3C 2F 74 69 74 6C 65 3E 0D 0A 0D icate</title>...
  Please Help me.
  Regards.

• Connect - SSL and certificate chain

  Hi,
  is it possible to place a certificate chain somewhere, so
  that Adobe connect users dont have to manually install the
  certificates from the chain?

  Hi cj63, why isn't your cert accepted automatically? We're
  using hardware SSL and encountered an issue with our cert. We ended
  up changing the cert chain on the F5, I believe. I'm not sure of
  the "how" other than to know we did it with hardware SSL, so it
  should be possible.

• SSL CA Certificate Chain not available.

  Hey Everyone,
  I've got a Cisco 851 running IOS12.3. I'm trying to install a SSL Certificate but after following all the instructions and installing a CA certificate I'm not getting the full chain of authority in a browser just the devices certificate itself. I've repeated the installation process using individual CA certificates all up and down the chain but still the same results. I've even tried installing all the chain certificates but the buffer times out before they are all pasted in.
  What am I doing wrong?
  Russ

  I assume you are using a 3rd party CA with 2048-bit certificate and intermediate certificates. In these cases, it's sometimes counter-intuitive in getting the right order for the chaining to be correctly parsed.
  I've had good results using the checking tools at digicert and verisign sites. See:
  http://www.digicert.com/help/
  https://ssl-tools.verisign.com/#certChecker

• Hybrid Connection fails for Windows SQL Server 2014 - SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted

  Hello,
  I have configured BizTalk Services Hybrid Connection between Standard Azure Website and SQL Server 2014 on premise.
  Azure Management portal shows the status of Hybrid Connection as established.
  However, the website throws an error when trying to open a connection
  <
  addname="DefaultConnection"
  connectionString="Data
  Source=machine name;initial catalog=AdventureWorks2012;Uid=demouser;Password=[my password];MultipleActiveResultSets=True"
  providerName="System.Data.SqlClient"
  />
  (The same website, with the same connection string deployed on SQL Server machine works correctly).
  I tried various options with the connections sting (IP address instead of machine name, Trusted_Connection=False, Encrypt=False, etc. the result is the same
  [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
  [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.
  I tried various machines - on premise and a clean Azure VM with SQL Server and it results in the same error - below full stack
  The certificate chain was issued by an authority that is not trusted             
  Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.            
  Exception Details: System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
  Source Error:
  An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.                  
  Stack Trace:
  [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
  [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]
  System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5341687
  System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +546
  System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) +5348371
  System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) +91
  System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) +331
  System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData) +2109
  System.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) +347
  System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +238
  System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +892
  System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +311
  System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +646
  System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +278
  System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
  System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +732
  System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +85
  System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +1057
  System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
  System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +196
  System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +146
  System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +16
  System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +94
  System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +110
  System.Data.SqlClient.SqlConnection.Open() +96
  System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +44
  [EntityException: The underlying provider failed on Open.]
  System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +203
  System.Data.EntityClient.EntityConnection.Open() +104
  System.Data.Objects.ObjectContext.EnsureConnection() +75
  System.Data.Objects.ObjectQuery`1.GetResults(Nullable`1 forMergeOption) +41
  System.Data.Objects.ObjectQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator() +36
  System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +369
  System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
  CloudShop.Services.ProductsRepository.GetProducts() +216
  CloudShop.Controllers.HomeController.Search(String SearchCriteria) +81
  CloudShop.Controllers.HomeController.Index() +1130
  lambda_method(Closure , ControllerBase , Object[] ) +62
  System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
  System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +193
  System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
  System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
  System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
  System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
  System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
  System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
  System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
  System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
  System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +23
  System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
  System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
  System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
  System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
  System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
  System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
  System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
  System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
  System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
  System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
  System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
  System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
  System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
  System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
  System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
  Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213            
  Regards,
  Michal
  Michal Morciniec

  Same issue here, looking for more information !

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• SSL between JNDI and AD - certificate chain

  Hi,
  I am trying to connect my active directory via SSL with the samples from the tutorial. Can anybody tell me, how I can export a certificate from AD (self-signed), so that I can import it with keytool? Or better, how to build that required certificate chain.
  Thanks a lot
  Falko Braun

  If you are using AD as your Certificate Authority you can go to
  http://servername/certserv
  which is the web interface for certificates.
  If you want the AD servers certificate, in the certificates snapin in MMC you can right click on the servers personal certificate -all tasks->export and export it.
  Hope this helps.
  G
  Hi,
  I am trying to connect my active directory via SSL
  with the samples from the tutorial. Can anybody tell
  me, how I can export a certificate from AD
  (self-signed), so that I can import it with keytool?
  Or better, how to build that required certificate
  chain.
  Thanks a lot
  Falko Braun

• SSL for Weblogic 6.0: Server Certificate Chain File & Verisign

  http://www.bea.com/support/askbea/wls/S-07188.shtml
  This issue attempts to explain what a "certificate chain file" is for. I still don't understand why this is so difficult. Where do I get this from?
  At the end of the article it points me here:
  http://www.verisign.com/repository/root.html
  And vaguely tells me to convert the unspecified format on that page using a utility from OpenSSL. The format on that page is NOT .pem, what is it? Which utility do I use, and HOW do I convert the root server CA on that page to .der format?
  Thanks for tips!

  Unfortunately this is a missleading exception you are getting.
  Here is a suggested workaround (at-least to get SSL working )
  https://www.verisign.com/server/prg/browser/root.html
  I have been meet same question as you.
  The Server Certificate Chain File obtained from your Browser (such as IE5.5 )
  Jason Pettiss <[email protected]> wrote:
  http://www.bea.com/support/askbea/wls/S-07188.shtml
  This issue attempts to explain what a "certificate chain file" is for.
  I still don't understand why this is so difficult. Where do I get
  this from?
  At the end of the article it points me here:
  http://www.verisign.com/repository/root.html
  And vaguely tells me to convert the unspecified format on that page using
  a utility from OpenSSL. The format on that page is NOT .pem, what is
  it? Which utility do I use, and HOW do I convert the root server
  CA on that page to .der format?
  Thanks for tips!

• SSL certificates chain

  When I try to connect to a site with chain certificates, I get javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
  Correct me if I'm wrong, this looks like Java problem.
  I'm now trying to investigate:
  a) there's a workaround for this?
  b) If I really really really had to make this work, do you know if there's another passage, trick, product or whatsoever?
  Any suggestion, advice?
  Thanks to everyone in advance.
  Simone

  By the way, I was thinking... maybe I might be doing something wrong with the approach.
  I mean, I tried to download https://paypal.com an HttpURLConnection and worked like charm. But that was simple https stuff.
  Now this new site has a certificate chain ...
  Edited by: Simone.Pezzano on Jan 29, 2010 3:06 AM

• No client certificate available, sending empty certificate message

  Dear Experts,
      I am trying to establish SSL client certificate connection to external partner. What puzzles me is that the certificate is not picked up by SAP PI. The intermediate and root CA for the partner are OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network and OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US, respectively. You will be able to spot them in the Accepted Certificate Authority list, yet PI insists on sending empty certificate.
      Below is trace gathered from J2EE default trace. Please help shed some light
  Date : 11/16/2011
  Time : 8:49:11:423
  Message : additional info ssl_debug(9): Starting handshake (iSaSiLk 4.3)...
  ssl_debug(9): Sending v3 client_hello message to preprod.connect.elemica.com:443, requesting version 3.2...
  ssl_debug(9): Received v3 server_hello handshake message.
  ssl_debug(9): Server selected SSL version 3.1.
  ssl_debug(9): Server created new session 22:E7:C0:9E:C1:D2:78:83...
  ssl_debug(9): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
  ssl_debug(9): CompressionMethod selected by server: NULL
  ssl_debug(9): Received certificate handshake message with server certificate.
  ssl_debug(9): Server sent a 1024 bit RSA certificate, chain has 2 elements.
  ssl_debug(9): ChainVerifier: No trusted certificate found, OK anyway.
  ssl_debug(9): Received certificate_request handshake message.
  ssl_debug(9): Accepted certificate types: RSA, DSA
  ssl_debug(9): Accepted certificate authorities:
  ssl_debug(9):   CN=QuoVadis Global SSL ICA,OU=www.quovadisglobal.com,O=QuoVadis Limited,C=BM
  ssl_debug(9):   CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
  ssl_debug(9):   CN=CSF - Classe III - Sign et Crypt,OU=Certification Professionnelle,O=Autorite Consulaire
  ssl_debug(9):   CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
  ssl_debug(9):   CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
  ssl_debug(9):   CN=DPWN SSL CA I2 PS,OU=I2 PS,O=Deutsche Post World Net
  ssl_debug(9):   CN=CSF,O=Autorite Consulaire
  ssl_debug(9):   C=BE,O=GlobalSign nv-sa,OU=RootSign Partners CA,CN=GlobalSign RootSign Partners CA
  ssl_debug(9):   CN=Dell Inc. Enterprise Utility CA1,O=Dell Inc.
  ssl_debug(9):   EMAIL=premium-server(a)thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
  ssl_debug(9):   CN=TC TrustCenter Class 2 L1 CA XI,OU=TC TrustCenter Class 2 L1 CA,O=TC TrustCenter GmbH,C=DE
  ssl_debug(9):   CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   OU=VeriSign Trust Network,OU=(c) 1998 VeriSign, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=TC TrustCenter SSL CA I,OU=TC TrustCenter SSL CA,O=TC TrustCenter GmbH,C=DE
  ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
  ssl_debug(9):   CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=Meijer ipprod,OU=IT,OU=Merch,O=Meijer Stores Limited,L=Walker,ST=MI,C=US
  ssl_debug(9):   CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
  ssl_debug(9):   CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
  ssl_debug(9):   CN=Deutsche Telekom CA 5,OU=Trust Center Deutsche Telekom,O=T-Systems Enterprise Services GmbH,C=DE
  ssl_debug(9):   CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
  ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
  ssl_debug(9):   CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
  ssl_debug(9):   CN=Bertschi CA,O=Bertschi AG (Schweiz),L=Duerrenaesch,ST=Switzerland,C=CH
  ssl_debug(9):   CN=Cybertrust SureServer CA,O=GlobalSign Inc
  ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   EMAIL=server-certs(a)thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
  ssl_debug(9):   CN=Mark Van Hamme,O=Brain2 BVBA,L=Brussels,ST=Brabant,C=BE
  ssl_debug(9):   CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  ssl_debug(9):   EMAIL=bis.at(a)siemens.com,CN=bis.siemens.at,OU=SBS ORS EDO,O=Siemens Business Services,L=Vienna,ST=Vienna,C=AT
  ssl_debug(9):   CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=mail2.adr-logistics.hu,O=ADR Logistics Kft.,L=Gyu00E1l,ST=Pest,C=HU
  ssl_debug(9):   EMAIL=brent.kemp(a)sscoop.com,CN=bacchusdevp.sscoop.com,OU=IS,O=Southern States Cooperative Inc,L=Richmond,ST=VA,C=US
  ssl_debug(9):   CN=Cybertrust SureServer Standard Validation CA,O=Cybertrust Inc
  ssl_debug(9):   OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US
  ssl_debug(9):   CN=Certipost E-Trust Secondary Normalised CA for Legal Persons,O=Certipost s.a./n.v.,C=BE
  ssl_debug(9):   EMAIL=cert(a)bit-serv.de,CN=BIT-SERV GmbH Root CA,O=BIT-SERV GmbH,C=DE
  ssl_debug(9):   CN=SAP_elemica_tester
  ssl_debug(9):   CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
  ssl_debug(9):   OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
  ssl_debug(9):   CN=Montova Root CA,OU=Root CA,O=Montova,C=BE
  ssl_debug(9):   CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
  ssl_debug(9):   CN=Dell Inc. Enterprise CA,O=Dell Inc.
  ssl_debug(9):   CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  ssl_debug(9):   EMAIL=support(a)tamgroup.com,OU=Engineering,O=Tamgroup,ST=California,L=San Anselmo,C=US,CN=Tamgroup
  ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
  ssl_debug(9):   CN=Certinomis AC 1 u00E9toile,OU=0002 433998903,O=Certinomis,C=FR
  ssl_debug(9):   CN=GlobalSign ServerSign CA,OU=ServerSign CA,O=GlobalSign nv-sa,C=BE
  ssl_debug(9):   CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
  ssl_debug(9):   CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
  ssl_debug(9):   CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
  ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
  ssl_debug(9):   CN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. - For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US
  ssl_debug(9):   CN=Certipost E-Trust Primary Normalised CA,O=Certipost s.a./n.v.,C=BE
  ssl_debug(9):   CN=Thawte DV SSL CA,OU=Domain Validated SSL,O=Thawte, Inc.,C=US
  ssl_debug(9):   OU=Equifax Secure Certificate Authority,O=Equifax,C=US
  ssl_debug(9):   CN=preprod.connect.elemica.com,OU=CONNECTED SOLUTIONS,O=Elemica,L=Wayne,ST=Pennsylvania,C=US
  ssl_debug(9):   CN=Certinomis - Autoritu00E9 Racine,OU=0002 433998903,O=Certinomis,C=FR
  ssl_debug(9):   CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com
  ssl_debug(9):   CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
  ssl_debug(9):   OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
  ssl_debug(9):   EMAIL=santiago.tolosa(a)eu.rhodia.com,CN=Rhodia Development CA,OU=ISF - WARTE,O=Rhodia,L=La Villette,ST=France,C=FR
  ssl_debug(9):   CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
  ssl_debug(9):   CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
  ssl_debug(9):   CN=Groep H. Essers TEST (99805D6DA33FCC1700010002),O=Montova,C=BE
  ssl_debug(9):   serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
  ssl_debug(9):   CN=VeriSign Class 3 Secure Server 1024-bit CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   serialNumber=10688435,CN=Starfield Secure Certification Authority,OU=http://certificates.starfieldtech.com/repository,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US
  ssl_debug(9):   CN=Conextrade,OU=Swisscom IT,O=Swisscom AG,L=Zurich,ST=Zurich,C=CH,EMAIL=ccc.eTrade(a)swisscom.com
  ssl_debug(9):   CN=b2bproto.basf-corp.com,OU=Corporate IS,O=BASF Corporation,L=Mount Olive,ST=New Jersey,C=US
  ssl_debug(9):   CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE
  ssl_debug(9):   CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
  ssl_debug(9):   CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US
  ssl_debug(9):   EMAIL=!sysadmin(a)elemica.com,CN=www.elemica.com,OU=Connected Solutions,O=Elemica, Inc,L=Wayne,ST=Pennsylvania,C=US
  ssl_debug(9):   CN=GeoTrust SSL CA,O=GeoTrust, Inc.,C=US
  ssl_debug(9):   CN=RapidSSL CA,O=GeoTrust, Inc.,C=US
  ssl_debug(9):   CN=Entrust Certification Authority - L1E,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
  ssl_debug(9):   CN=EAS,O=COMPUDATA EDI Dienstleister,C=CH,EMAIL=helpdesk.dl(a)compudata.ch
  ssl_debug(9):   CN=GlobalSign Domain Validation CA,O=GlobalSign nv-sa,OU=Domain Validation CA,C=BE
  ssl_debug(9):   CN=GlobalSign Primary Secure Server CA,OU=Primary Secure Server CA,O=GlobalSign nv-sa,C=BE
  ssl_debug(9):   CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
  ssl_debug(9):   CN=Thawte SSL CA,O=Thawte, Inc.,C=US
  ssl_debug(9):   CN=Entrust Certification Authority - L1C,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
  ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
  ssl_debug(9):   EMAIL=vladimir.polak(a)esa.ch,CN=Vladimir Polak,O=Einkaufsorganisation des Schweizerischen Auto- und Motorfahrzeuggewerbes,C=CH
  ssl_debug(9):   CN=IT Directions and Strategies,OU=ITDS EDI,ST=WI,C=US,L=Hartland,EMAIL=aklumpp(a)itdsllc.com,O=ITDS EDI
  ssl_debug(9):   CN=Entrust Certification Authority - L1B,OU=(c) 2008 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY,OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE,O=Entrust, Inc.,C=US
  ssl_debug(9):   CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE
  ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=TeleSec ServerPass CA 1,OU=Trust Center Services,O=T-Systems International GmbH,C=DE
  ssl_debug(9):   CN=TC TrustCenter Class 3 L1 CA V,OU=TC TrustCenter Class 3 L1 CA,O=TC TrustCenter GmbH,C=DE
  ssl_debug(9):   C=NL,ST=Zuid-Holland,L=Spijkenisse,O=De Rijke Transport,OU=ICT,CN=smtphost.derijke.com
  ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9):   CN=Comodo Class 3 Security Services CA,OU=(c)2002 Comodo Limited,OU=Terms and Conditions of use: http://www.comodo.net/repository,OU=Comodo Trust Network,O=Comodo Limited,C=GB
  ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
  ssl_debug(9):   OU=Starfield Class 2 Certification Authority,O=Starfield Technologies, Inc.,C=US
  ssl_debug(9):   EMAIL=ftp(a)csx.com,C=US,O=CSX Corporation Inc,CN=CSX_CORPORATION_AS2_02062009
  ssl_debug(9):   CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  ssl_debug(9):   CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
  ssl_debug(9):   CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(9): Received server_hello_done handshake message.
  ssl_debug(9): No client certificate available, sending empty certificate message...
  ssl_debug(9): Sending client_key_exchange handshake...
  ssl_debug(9): Sending change_cipher_spec message...
  ssl_debug(9): Sending finished message...
  ssl_debug(9): Received alert message: Alert Fatal: bad certificate
  ssl_debug(9): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
  ssl_debug(9): Shutting down SSL layer...
  Severity : Error
  Category : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
  Location : com.sap.aii.messaging.net.HTTPClientConnection.call(Object)
  Application : sap.com/com.sap.xi.rwb
  Thread : SAPEngine_Application_Thread[impl:3]_0
  Datasource : 7662250:E:\usr\sap\T37\DVEBMGS00\j2ee\cluster\server0\log\defaultTrace.trc
  Message ID : 00505688007A006A0000005100001B8C0004B1CF78E9602A
  Source Name : com.sap.aii.messaging.net.HTTPClientConnection
  Argument Objs :
  Arguments :
  Dsr Component :
  Dsr Transaction : cc6d1cee0fec11e1c90200000074eaaa
  Dsr User :
  Indent : 0
  Level : 0
  Message Code :
  Message Type : 0
  Relatives : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
  Resource Bundlename :
  Session : 365
  Source : com.sap.aii.messaging.net.HTTPClientConnection
  ThreadObject : SAPEngine_Application_Thread[impl:3]_0
  Transaction :
  User : CPWONG
  Dsr Root Context ID :
  Dsr Connection :
  Dsr Counter : -1

  Hi ,
  Is the above problem solved , can you share the solution.
  Thanks

• Oracle HTTP Server, client certificate chain

  I use Oracle (Apache) HTTP Server, installed from Oracle SOA Suit distrib.
  There're 2 types of ssl client cert chains that I use: client-issue-root, client-root.
  My ssl works fine, unless I should config mod_ossl to accept only user certificates signed by certificate issuer (not root).
  I add SSLRequire directive:
  SSLOptions StdEnvVars ExportCertData
  SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/issue.cer"))
  but this doesn't work (condition expression always turn in false), and
  SSLOptions StdEnvVars ExportCertData
  SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == "")
  condition always turn in true.
  So, SSL_CLIENT_CERT_CHAIN_0 is ALWAYS EMPTY.
  I've tried to use different versions of ApacheModuleOSSL.dll (build in 09/19/2006 version 10.1.3.1, 06/12/2007 version 10.1.3.3), result is the same.
  I've found something about mod_ssl (not mod_ossl) in "Technologies for Information Environment Security: TIES project report" (http://edina.ac.uk/projects/ties/ties_23-9.pdf):
  "NOTE: This is the second, and more significant, problem we encountered in this area of mod_ssl: the first caused all the
  SSL_CLIENT_CERT_CHAIN_n environmental variables to be empty. We traced this bug back to a literal +17 offset into a
  character string that should have been +18, but by the time we had done so, a fixed version was available."
  Is there the same problem in mod_ossl?
  Does anybody have any ideas?

  Once again)
  http://www.mail-archive.com/[email protected]/msg11705.html
  I've got a question for Oracle developers: is this the same problem in OHS and OHS2 mod_ossl?
  And if yes, when we can wait the patch?
  Thanks!

• SUN Java System Web Server 7.0U1 How to install certificate chain

  I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
  1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
  2. Go to Certificates Tab/Server Certificates
  3. Choose Install
  4. Cut and paste contents of cert_chain.pem in the certificate data box.
  5. Assign to httplistener
  6. Nickname for this chain is 'server_cert'
  7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
  8. No errors are received.
  When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
  I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I select ed "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
  My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?

  turrie wrote:
  1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pemIn my opinion (I may be wrong) cut and pasting multiple begin end
  --- BEGIN CERTIFICATE ---
  ... some data....
  --- END CERTIFICATE ---
  --- BEGIN CERTIFICATE ---
  ... some data....
  --- END CERTIFICATE ---is NOT the way to create a certificate chain.
  I have installed a certificated chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
  some links :
  [https://developer.mozilla.org/en/NSS_Certificate_Download_Specification|https://developer.mozilla.org/en/NSS_Certificate_Download_Specification]
  [https://wiki.mozilla.org/CA:Certificate_Download_Specification|https://wiki.mozilla.org/CA:Certificate_Download_Specification]

• TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted

  Hello,
  I am having some problems with testing a OWA (SSL) rule. I get that message.
  The TMG belongs to the domain and therefore as far as I know it gets the root certificate of my CA (I have deployed a Enterprise CA for my domain).
  That is why I don't understand the message: "...that is not trusted."
  The exact message:
  Testing https://mail.mydomain.eu/owa
  Category: Destination server certificate error
  Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted
  Thanks in advance!
  Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

  Thanks Keith for your reply and apologies for the delay in my answer.
  I coud not wait and I reinstalled the whole machine (W28k R2 + TMG 2010) . I suppose I am still a bad troubleshooter, I have experience setting up ISA, TMG, PKI, Active directory but to a certain extent.
  1. Yes, I saw it when hitting the button "Test Rule" in the Publising rule in the TMG machine.
  2. No, it did not work in this implementation but it has worked in others, this is not difficult to set up, until now, hehe.
  3. You said: "...If you are seeing it when running "Test Rule" then it simply means that TMG does not trust something about the certificate that is on your Exchange Server...."
  But the certificates are auto-enrolled, and when I saw the details of the certificates they all are "valid" , there is a "valid" message.
  4. You wrote: "...Easiest way see everything is create an access rule that allows traffic from the LocalHost of TMG to the CAS and open up a web browser. Does the web browser complain?..."
  But as I said, I re-installed the whole thing because nobody jumped in here , and I needed to move forward, I hope you understand.
  5. S Guna kindly proposed this:
  If you are using internal CA,
  You need to import the Root CA certificate to TMG servers.
  Import Private Key of the certificate to Server personal
  Create a Exchange publishing Rule and Point the lisitner to the Correct certificate.
  Since you are using internal CA, You need to import the Root CA certificate to all the client browers from where you are accessing OWA
  But I think I do not have to perform any of those tasks, although I am not an expert but have worked with Certificate for one year or so.
  Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

• "The certificate chain was issued by an authority that is not trusted" when migrating to SQL 2012

  Environment:
  1 Primary Site (USSCCM-Site.domain.com)
  1 CAS (USSCCM-CAS.domain.com)
  SQL 2008 R2 (USSCCM-CAS.domain.com)
  SQL 2012 SP1 CU6 (USSQL12.domain.com)
  Issue:
  We were successfully able to migrate the CAS to the new SQL 2012 server, almost without incident. When attempting to migrate the Site instance however, we are getting errors. Screenshot below.
  Attached is a copy of the log. But below is a highlight of what I think are the errors… It appears that either SQL or SCCM doesn’t like a certificate somewhere, but it is contradicting because the logs say that it has successfully tested connection to SQL.
  I am lost.
  Logs stating it can connect successfully to SQL
  Machine certificate has been created successfully on server USSQL12.domain.com.        Configuration Manager Setup                10/21/2013 10:20:10
  AM               2100 (0x0834)
  Deinstalled service SMS_SERVER_BOOTSTRAP_USSCCM-Site.domain.com_SMS_SQL_SERVER on USSQL12.domain.com.  Configuration Manager Setup    10/21/2013 10:20:10 AM              
  2100 (0x0834)
  SQL Server instance [sccmsite] is already running under the certificate with thumbprint[f671be844bf39dec7e7fdd725dc30e225991f28a].       Configuration Manager Setup    10/21/2013 10:20:10 AM        
  2100 (0x0834)
  INFO: Testing SQL Server [USSQL12.domain.com] connection ...                Configuration Manager Setup    10/21/2013 10:20:10 AM      
  2100 (0x0834)
  INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure                Configuration Manager Setup    10/21/2013 10:20:10 AM              
  2100 (0x0834)
  INFO: Tested SQL Server [USSQL12.domain.com] connection successfully.  Any preceding SQL connection errors may be safely ignored.            Configuration Manager Setup    10/21/2013
  10:20:10 AM               2100 (0x0834)
  INFO: Certificate: 308202FC308201E4A003020102021011BA47041BB0609D4097BC19F5AB96B5300D06092A864886F70D01010B0500301D311B301906035504031312555353514C31322E7063756265642E636F6D3020170D3133313031373139343632345A180F32313133303932343139343632345A301D311B301906035504031312555353514C31322E7063756265642E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100CFAC23CEA8920051C8C24DF4E96D76D9E034931867C4DBF74F8AE863C5BDE6D1EAEAAF363F6B97DEF1D7A1FC292CB870F353D72F04472EBE3D31DCA009BD3F8C58E2AAB69C892C20598306537F5EEAA43FA6DE55D4A784CEB6FD07486AB2CC2DE1A8651648EBC31A5CD918E8ED6E184FC560B3A8B0F76F83E310BBA8C4EB27F46707E3A6377D8DD06C6808146E407EF9DB464F453798B6C1748216665884A7F2CDE03D9DA1CB4E59E67516E4F345755E35450F84F4B039642851EFFA96B22D8E77EC11C01D389989F740923B58799E34FC8F4F19CD55830FA7E786C993A08A1EEDCA87F209268CE9D5E86AC9E2A14668207721D94ACE9FACE3AA55B53507F6BF0203010001A3363034301D0603551D11041630148212555353514C31322E7063756265642E636F6D30130603551D25040C300A06082B06010505070301300D06092A864886F70D01010B05000382010100A0E33BF490B60C2B8A73BF7FA90EBB69D92DA27B439EF0569650F388EBA34B9F382CEF52DAAB543C2924E1B8DC7BEE828FB0C276330B0FF67340CBFA0CC24F47431E5272DC76C7610C290A04411036441E9822FBF8AB52B4BBE43F5FF48074BA420FF690A94D53AFCEF7AC75E2D2723520A9EF64AF06759814AE92D41CEA2F0D6CC8D9E5DEF121234F5DD97A7E886BE55F57DC0B79052A554724E8A0146C08A74AE75672FBD8C8BD6B7FCA82C1CC69906A45128CDDD1BC3985ED9603C16E712FFBAA8AA6878F853367F3E1F69E727DB96864DF6B47EBDA82659036EC82A8B04E77535CEA314D7518D02C401969C77B91C8C210C57AA991A622D679B994AEED3C               
  Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
  INFO: Created SQL Server machine certificate for Server [USSQL12.domain.com] successfully.    Configuration Manager Setup 10/21/2013 10:20:10 AM               2100 (0x0834)
  INFO: Configuration Manager Setup - Application Shutdown       Configuration Manager Setup    10/21/2013 10:20:10 AM         2100 (0x0834)
  INFO: Running SQL Server test query.    Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
  INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure                Configuration Manager Setup    10/21/2013 10:20:10 AM              
  2100 (0x0834)
  INFO: SQL Server Test query succeeded.              Configuration Manager Setup    10/21/2013 10:20:10 AM              
  2100 (0x0834)
  INFO: SQLInstance Name: sccmsite         Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
  INFO: SQL Server version detected is 11.0, 11.0.3381.0 (SP1).      Configuration Manager Setup    10/21/2013 10:20:10 AM         2100 (0x0834)
  Logs saying certificate is not trusted
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:20:49 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:49
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:49 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:49 AM              
  2100 (0x0834)
  INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:49
  AM               2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:52 AM              
  2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:20:52 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:52
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:52 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:52 AM              
  2100 (0x0834)
  INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:52
  AM               2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:55 AM              
  2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:20:55 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:55
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:55 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:55 AM              
  2100 (0x0834)
  INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:55
  AM               2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:58 AM              
  2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:20:58 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:58
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:58 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:58 AM              
  2100 (0x0834)
  INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:58
  AM               2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:01 AM              
  2100 (0x0834)
  More logs saying cert is not trusted
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:20 AM              
  2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:21:20 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:21:20
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:21:20 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:21:20 AM              
  2100 (0x0834)
  INFO: Updated the site control information on the SQL Server USSQL12.domain.com.    Configuration Manager Setup                10/21/2013 10:21:39 AM              
  2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:39 AM              
  2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
  10/21/2013 10:21:39 AM                2100 (0x0834)
  *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:21:39
  AM               2100 (0x0834)
  ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:21:39 AM              
  2100 (0x0834)
  *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:21:39 AM              
  2100 (0x0834)
  CSiteSettings::WriteActualSCFToDatabase: Failed to get SQL connection                Configuration Manager Setup               
  10/21/2013 10:21:39 AM               2100 (0x0834)
  CSiteSettings::WriteActualSCFToDatabaseForNewSite: WriteActualSCFToDatabase(USA) returns 0x87D20002                Configuration Manager Setup    10/21/2013 10:21:39
  AM               2100 (0x0834)
  ERROR: Failed to insert the recovery site control image to the parent database. Configuration Manager Setup                10/21/2013 10:21:39 AM              
  2100 (0x0834)
  Troubleshooting:
  I have read on a few articles of other people having this issue that states to find the certificate on SQL 2012 that’s being used and export it to the SCCM server – which I’ve done.
  http://damianflynn.com/2012/08/22/sccm-2012-and-sql-certificates/
  http://trevorsullivan.net/2013/05/16/configmgr-2012-sp1-remote-sql-connectivity-problem/
  http://scug.be/sccm/2012/09/19/configmgr-2012-rtm-sp1-and-remote-management-points-not-healthy-when-running-configmgr-db-on-a-sql-cluster/
  -Brad

  Hi,
  How about importing certificate in the personal folder under SQL server computer account into SCCM server computer account or SCCM server service account? That certificate is for SQL Server Identification. And you could
  set the value of the ForceEncryption option to NO. (SQL Server Configuration Manager->SQL Server Network Configuration->
  Protocols for <server instance>->Properties)
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Error code 265: The certificate chain was issued by an authority that is not trusted.

  We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).
  We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by Godaddy.
  When trying to connect, we are getting the authentication request.
  The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”
  We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates” With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”
  All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.

  Hi,
  Do you import the intermediate certificate in the right account? It should be imported in the Computer Account.
  Have you imported the intermediate certificate in your client? Client need it to validate the certificate of your NPS server.
  Here is a similar thread in which Greg has explained this issue in detail.
  http://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP
  Hope this helps.
  Steven Lee
  TechNet Community Support