SSL (Self Signed Certificate) in Business Connector
After going through hundreds of messages, I am still not clear about the steps involved in including SSL certificate with HTTP protocol.
1. Instead of subscribing to Trusted Certificate Authority, can we ceate a Self Signed Certificate? If yes, how?
2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
Thanks in advance.
Hi Ramesh.
When untrusted root certificates may be acceptable
Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse
locations can make internal documents available to all its employees by setting up a Web site on an intranet that
is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are
documents on this site that should have limited access within the company (such as strategic plans or personnel
documents), then these can be protected with SSL.
Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the
companyu2019s interests to act as its own CA. This means that the company can generate its own root certificate
with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is
done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since
the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT
department can have a policy that the companyu2019s root certificate is installed in the browseru2019s certificate store
whenever a new computer is set up. This prevents security warnings from being displayed whenever an
employee accesses an SSL-secured site on the company intranet.
The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing
certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase
its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not
have the certificate installed by the corporate IT department, and thus would receive a security warning.
In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to
the private key could launch very successful MITM attacks against employees who visit SSL-protected ecommerce
and e-banking sites at work. This will be discussed later in this document. However, the company
can easily protect itself by warning employees not to visit such sites on company time or equipment, since they
are not u201Cbusiness related activities.u201D
Please see this doc related to trusted and untrusted certificate.
http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf
Similar Messages
-
Safari 7 on OSX 10.9 not enjoying SSL self signed certificates
Hello people from the web,
I am experiencing a weird issue with self signed certificates. Since I upgraded to OSX 10.9 (Maverick) I am not able to connect to an HTTPS site protected by a self signed SSL certificate. The only remaining browser on my computer able to do the trick is Firefox (24). Chrome (30) and Safari (7) cannot.
Have you experienced the same issue? Have you found a solution?
On my quest for a solution I found this article:
http://curl.haxx.se/mail/archive-2013-10/0036.html
However it seems to me this is more the webkit common engine causing the issue. Is it possible that Webkit has become more picky with SSL Certificates? In which case how to generate a cutom one that would suit Safari 7 and Chrome 30+?
Thank you for any help you could provide
OscarSafari - Unsupported third-party add-ons may cause Safari to unexpectedly quit or have performance issues
Safari/other browsers – Website not loading
Safari Problems -
How do I override self-signed certificate old ssl blocking.
My hard drive failed and was replaced by my desktop support team. As a result, I had to re-install FireFox, my preferred browser to provide console connections to my production servers. These connections are old, firmware platforms that are not updatable behind multiple firewall layers. They use old versions of ssl and self signed certificates. Your new browser simply blocks access. Without the ability to override permanently this 'feature', I am unable to access the consoles of servers doing billions of dollars in business. I have a work-around in place with other browsers.
So, you are saying that EVERY time I need to access this type of server on my own internal network that is not visible anywhere, I have to go thru this rigamarole of this add on thing, because YOU have decided I can no longer access my own servers in my own network? If there is no permanent fix, I will find another browser that will do the job, and this will be uninstalled across the enterprise, because it becomes very unusable in crisis situations and even during a normal workday, because of the unnecessarily complicated process that has to be done each time. Unbelievable gall. I am speechless. Sure glad I discovered it when it was not urgent. I am sure glad you all are smarter than I am. Sheesh.
-
Scenario:
Windows Server 2012 R2 Essentials
I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
So far so good.
The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local instead of the SSL Certificate I installed, which is
remote.acmedomain.com
If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?Because....
the server does not have a 'trusted' certificate assigned to it.
Only the RDP Gateway has the trusted certificate for the external name.
If you want to remove that error, you have to do one of the following:
Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
So, something like,
server.domain.publicdomain.com
Or,
Install that certificate on your remote computer so it is trusted.
Robert Pearman SBS MVP
itauthority.co.uk |
Title(Required)
Facebook |
Twitter |
Linked in |
Google+ -
How to erase all self signed certificates and force Server to use Signed SSL
I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
Can I replace those self-signed certs with the new one some how?Don't delete those. However, you are on the right track. Follow these steps to resolve.
1: Launch Keychain Access
2: Select the System Keychain
3: Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
4: In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
5: Press Save Changes to save.
6: Reboot the server or kill the servermgrd process to restart the service.
That should resolve your issue.
R-
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store -
Two way ssl with self signed certificate?
How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
Specfically, I don't want to use any CA authority.
Is it possible to simply have the clients certificate in the servers truststore or not?
I pull out the certificate via
javax.servlet.request.X509Certificate
but when I use a self signed certificate it's never there.
If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
Specfically, I don't want to use any CA authority.
Is it possible to simply have the clients certificate in the servers truststore or not?
I pull out the certificate via
javax.servlet.request.X509Certificate
but when I use a self signed certificate it's never there.
If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain. -
Problems with Creating a self-signed Certificate
hi,
I read the keytool Documentation and wanted to create my own self-signed certificate.
ok, I followed the steps :
1) keytool -keyclone -alias origkey -dest my_key
2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
3) keytool -certreq -alias my_key (output in mycert.cer)
4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
.. Password Input...
Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
But it exists, see :
[usr]$ keytool -list
Keystore-Typ: jks
Keystore-Provider: SUN
new_key, 06.05.2003, keyEntry,
So it exists, but why do I get the error ?
So far,
Stefan Grossstefan hi,
i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
and then using the keystore you can create as many certificates as possible based on the key pair.
try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
hope this time it'll work, let me know.
cem.
note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
To set up a digital certificate,
Generate a key pair.
The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
keytool -genkey -keyalg RSA -alias tomcat-server
-keystore <keystore_filename>
The keytool utility prompts you for the following information:
Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
First and last name--Enter the appropriate value, for example, JWSDP.
Organizational unit--Enter the appropriate value, for example, Java Web Services.
Organization--Enter the appropriate value, for example, Sun Microsystems.
City or locality--Enter the appropriate value, for example, Santa Clara.
State or province--Enter the unabbreviated name, for example, CA.
Two-letter country code--For the USA, the two-letter country code is US.
Review the information you've entered so far, enter Yes if it is correct.
Key password for the Web server--Do not enter a password. Press Return.
The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
Creating a Self-Signed Certificate
This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
Export the server certificate to a certificate file:
keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
Enter the password (changeit).
Keytool returns the following message:
Certificate stored in file <server.cer>
Import the new server certificate into the Certificate Authority file cacerts.jks:
keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
-file server.cer
Enter the password (changeit).
Keytool returns a message similar to the following:
Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
ST=CA, C=US
Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
ST=CA, C=US
Serial number: 3e39e3e0
Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
Certificate fingerprints:
MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
Trust this certificate? [no]: yes
Certificate was added to keystore
---------------------------------- -
ACS 5.3 / Self Signed / Certificate base auth
Hello,
Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
We have exported it to have a Trusted Certificate for client machine.
This certificat has been installed on a laptop.
The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
I think the Access Policies (identity & authorization) are misconfigured:
> I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
> Identity: System:EAPauthentication match EAP-TLS
id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
> authorization: System:WasMachineAuthenticated=True
Thanks for your help,
regards,Hello,
I found the answer here:
https://supportforums.cisco.com/message/1298039#1298039
ACS self-signed certificate is not compatible with EAP-TLS
Thanks, -
How to replace an expiring self-signed certificate?
Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
http://screencast.com/t/zlVyR2Hsc
Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
http://screencast.com/t/54c2BUJuXO2
Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
Be aware that creating certificates starts to populate your server Keychain.
http://screencast.com/t/JjLb4YkAM
It appears that when you start to delete certificates, it leaves behind private keys.
http://screencast.com/t/XD9zO3n16z
If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
Bypass "Introduction".
In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
(OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
Pant, pant...
The next window asks for an email address and location information - this appears to be optional.
Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
Key Usage Extension window
Here's where it gets interesting...
I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
Extended Key Usage Extension...
Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
Sorry, folks, I just HAVE to show you the help for this window...
+*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid.*+
KILL ME NOW!!!
OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
Basic Constraints Extension...
Well, there is no mention of that on the original certificate, so leave it unchecked.
Subject Alternate Name Extension...
Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
DONE!!!! Let's see what the heck we got!
http://screencast.com/t/QgU86suCiQH
Well, I don't know about you but that looks pretty close for Jazz?
I got some extra crap in there but the stuff from the original cert is all there.
Think we're OK??
Out with the old certificate (delete).
Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
http://screencast.com/t/bydMfhXcBFDH
Oh yeah...one more thing in KeyChain Access...
See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
http://screencast.com/t/GdZfxBkHrea
Select "Always Trust".
I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
If you want to see my rant on Apple's worthless documentation, it's here.
http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0to add to countryschool and john orban's experiences:
using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
maybe that's hopeful to somebody. but i stopped there since things seem to be working.
last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
now, we'll see how everything works once people start really using it... -
ASA self-signed certificate for Anyconnect 3.1, which attributes?
Hi everybody,
I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
I have added two servers in the client connection profile:
IP address, primary protocol IPsec
IP address/non-default port number, primary protocol SSL
Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
Connecting via SSL issues an additional warning "Certificate does not match the server name".
The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.Shamelessly bumping this question,
Anyone out there (maybe from Cisco) who can tell us, which atttributes are required on a self signed certificate?
I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server. -
Importing self-signed certificate
Hi there!
I have some problems in importing SSL certificates on my macbook.
There are 2 certificates that needs to be imported: the root CA certificate, which is self-signed naturally and private user certificate, which is signed by above-mentioned CA.
The first file in .crt format, which is consists of CA public key and sign. The second file in .p12 format, which is consists of encrypted public and private keys.
The problem is:
I can't import nor CA neither my personal certificate.
The CA cert should be imported at "CA" tab in keychain, but the import button ("+") is inaccesible here:
http://img.200133883.info/big//%D0%A1%D0%B2%D1%8F%D0%B7%D0%BA%D0%B0_%D0%BA%D0%BB %D1%8E%D1%87%D0%B5%D0%B9-20120313-143521.png
When I tried to double-click CA.crt I got the import error # -67762 which saying that attribute "key length" was invalid. The same thing with my personal certificate.
Could somebody explain me, how should I import those two SSL certificated?I'm using self-signed certificate from SBS. Right now it's not the question, if something is misconfigured within my certificate (I'm aware of SBS certificate problems), the problem is that E90 WILL NOT recognize .cer or .der files as certificates.
There must be someone, who can answer this really simple question, which certificate formates are supported on E90.
You will find this type of question posted many times on different forums, with diiferent suggestion, but they simply don't work.
Again my error is "file format not supported" -
Lion server erased self signed certificate
Help!!! I accidentally deleted the self signed certificate that had the right keys for my third party SSL. Now I cannot replace the self signed certificate with the new SSL. Now what????
I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted
in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed
certificate created by SQL Server for data in transit transmission.
BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
I hope this information helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights. -
RV120W- How to create new unique self-signed certificate?
Hello,
how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
AbudefSo basically RV120W does not support self-signed certificate? It only allows to generate private key and certificate signin request. There is no chance to replace default generic ssl/vpn certifice within router itself? Could you please give me an advice, how to sign that request by some "CA"? I mean no commercial CA, I need something free running under Windows os. Many thanks!
-
Hi,
I have got a theoretical question: Is it right to use self-signed certificate in production environment?
We don't want to use this cert. for authentication but for SSL decryption. Is this a good solution?
Thanks!
V.Hi Rick,
May be I was not completely clear in my wordings :)
VPN connection is not a mandate. The VPN connection already existed between our organization and the provider service (instead of going over the internet) and hence the security person in our organization was fine with us using self signed certificates.
I gave you a scenario where the use of self signed certs was authorized. And also once more scenario where using self signed certs in test environments is not allowed.
Two contrasting thoughts, so basically it is up to the perception of the security people to assess the risk and give a go ahead.
Personally I feel that if the communication channel is secure between the systems (2 way ssl) then using self signed certs for message encryption might be fine.
If the channel is not secured (may be even 1 way SSL), I would prefer using CA certified certs.
Hope I make more sense now :)
Thanks,
Patrick -
How to use self-signed Certificate or No-Check-Certificate in Browser ?
Folks,
Hello. I am running Oracle Database 11gR1 with Operaing System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
[user@localhost bin]$ ./emctl start dbconsole
The command returns the output:
https://localhost.localdomain:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 11g Database Control ... ...
I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
The connection to localhost.localdomain: 1158 cannot be established.
[user@localhost bin]$ ./emctl status dbconsole
The command returns this message: not running.
[user@localhost bin]$ wget https://localhost.localdomain:1158/em
The command returns the output:
10:48:08 https://localhost.localdomain:1158/em
Resolving localhost.localdomain... 127.0.0.1
Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
Self-signed certificate encountered.
To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
Website certified by an Unknown Authority. Examine Certificate...
I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine.I have checked Mozilla Firefox in the following way:
Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
In Authorities tab, there are a few names as indicated in the above output of wget.
My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
Thanks.Neither problem nor solution do involve Oracle DB
root cause of problem & fix is 100% external, detached, & isolated from Oracle DB.
This thread is OFF TOPIC for this forum.
Maybe you are looking for
-
Getting "ora-20005 task is modified" error while updating task payload
Hi, I am trying to update a task's payload using the Task Service. But I am getting the following error :- "IRC_SOAINFRA.WFTASKPKG_111160", line 2932 ORA-20005: ORA-06512: at line 1I am using the task element which I got back by calling the TaskQuery
-
Inserting image in Pages footer
Hi, I'm new to a mac and iWork '09. I am trying to create a landscape formatted ebook. Only problem is, I can't figure out how to create a footer which has both an image and a page number (which would start on page 2 - as page 1 is the cover page). I
-
How to make this tween in a XML gallery?
Hi, on this site (click enter and then "Projects" and then, let say web sites. It will open a new swf with this amazing scrollable gallery, where every next item has a little time delay showing itself on the stage. And of course there's also that nic
-
How to maintain our own search help
Hi Everybody This is Vijai. Im facing a problem with maintaining my own search help. Like what i have to do if i want a search help in the sap screens. Thanks in Advance and cheers Vijai
-
Before the latest update to iTunes, everything was listed by artist. All albums by the same artist were listed together. Now they are all separated by the name of the album instead of the artist. How do I return to the other format?