Sun PKCS#11 NSS Problem with CA Certificates

There appears to be a problem with the Sun PKCS#11 provider's NSS-specific functionality.
If a Firefox 2.x based KeyStore is loaded which contains CA Certificates which have been imported into the standard "Software Security Device" (and are therefore not in the root store), they are not visible as Certificate Entries when enumerating the KeyStore aliases.
If a personal key/cert pair is present then the corresponding CA Certs can be obtained via KeyStore.getCertificateChain(alias), but this doesn't help when I have other CAs present that need to be accessed.
These additional CA Certificates are visible via the Firefox "Certificate Manager" and via the JSS APIs - anyone aware of this problem?

You need to use the trustanchors nssModule; read the Java™ PKCS#11 Reference Guide at --
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
For example, you can write your config file like this --
name=NSS
nssSecmodDirectory=path_of_your_dbs
nssLibraryDirectory=path_of_dll_or_so
nssModule=trustanchors
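
To see which entries each NSS module actually exposes, the following added example (not code from the thread or from Sun) builds one provider per `nssModule` value and lists every alias with its entry type. `DB_DIR` and `LIB_DIR` are placeholder paths, the class name is hypothetical, the NSS database is assumed to have no master password, and `Provider.configure` requires Java 9 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class NssAliasLister {
    // Placeholder paths (assumptions): the profile directory holding the NSS
    // databases and the directory holding the NSS shared libraries.
    static final String DB_DIR = "/path/to/firefox/profile";
    static final String LIB_DIR = "/path/to/nss/lib";

    /** Builds a SunPKCS11 provider bound to one NSS module ("keystore" or "trustanchors"). */
    static Provider nssProvider(String module) throws IOException {
        String cfg = String.join("\n",
                "name=NSS" + module,               // provider name becomes SunPKCS11-NSS<module>
                "nssSecmodDirectory=" + DB_DIR,
                "nssLibraryDirectory=" + LIB_DIR,
                "nssDbMode=readOnly",              // enumerate only, never modify the profile
                "nssModule=" + module,
                "");
        Path file = Files.createTempFile("nss-" + module + "-", ".cfg");
        file.toFile().deleteOnExit();
        Files.write(file, cfg.getBytes(StandardCharsets.UTF_8));

        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this JRE");
        }
        // Java 9+. On Java 6-8 the equivalent is: new sun.security.pkcs11.SunPKCS11(file.toString())
        return base.configure(file.toString());
    }

    /** Describes one certificate: subject, issuer and whether basicConstraints marks it as a CA. */
    static String describe(Certificate cert) {
        if (!(cert instanceof X509Certificate)) {
            return cert.getType();
        }
        X509Certificate x = (X509Certificate) cert;
        boolean isCa = x.getBasicConstraints() >= 0;   // -1 means "not a CA"
        return String.format("subject=%s | issuer=%s | CA=%b",
                x.getSubjectX500Principal().getName(),
                x.getIssuerX500Principal().getName(), isCa);
    }

    /** Lists every alias the given module exposes, with its entry type and certificate(s). */
    static void listEntries(String module) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", nssProvider(module));
        ks.load(null, null);                           // assumes no master password is set
        System.out.println("== nssModule=" + module + " (" + ks.size() + " entries) ==");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("[cert] " + alias + " : " + describe(ks.getCertificate(alias)));
            } else if (ks.isKeyEntry(alias)) {
                System.out.println("[key ] " + alias);
                // CA certificates reachable only through a personal key's chain
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null) {
                    for (int i = 0; i < chain.length; i++) {
                        System.out.println("        chain[" + i + "] " + describe(chain[i]));
                    }
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Both providers point at the same NSS database directory.
        listEntries("keystore");
        listEntries("trustanchors");
    }
}
```

Comparing the two listings against the Firefox "Certificate Manager" shows which CA certificates are reachable as certificate entries, which appear only inside a key entry's chain, and which are missing from both.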

Similar Messages

  • [SOLVED] Problem with ca-certificates

    For some time there has been a problem with ca-certificates during update. I receive the following error:
    [user@bragi ~]$ sudo pacman -Suy
    :: Synchronizowanie baz danych z pakietami...
    core jest już w najnowszej wersji
    community jest już w najnowszej wersji
    multilib jest już w najnowszej wersji
    :: Rozpoczynanie pełnej aktualizacji systemu...
    ostrzeżenie: libxml-perl: local (0.08-6) jest nowsze niż community (0.08-5)
    rozwiązywanie zależności...
    ostrzeżenie: nie można rozwiązać "ca-certificates-mozilla", zależności od "ca-certificates"
    :: Następujący pakiet nie mógł zostać zaktualizowany w wyniku niespełnionych zależności:
    ca-certificates
    :: Czy chcesz pominąć powyższy pakiet przy aktualizacji? [t/N] N
    błąd: nie udało się przygotować transakcji (niespodziewany błąd)
    I know that this is not in English, but the message says that there is an error with the dependency ca-certificates-mozilla <--> ca-certificates.
    I asked this same question on a Polish forum but I only received a suggestion to try running:
    pacman -Suyy
    but this is not a solution.
    Any ideas?
    Last edited by web01 (2014-10-16 19:36:30)

    I'm not sure but maybe because of this
    [user@bragi ~]$ sudo pacman -Suyy
    :: Synchronizing package databases...
    core 116.7 KiB 1945K/s 00:00 [#####################################################] 100%
    extra 1767.3 KiB 2.16M/s 00:01 [#####################################################] 100%
    community 2.3 MiB 2.28M/s 00:01 [#####################################################] 100%
    multilib 118.9 KiB 2.04M/s 00:00 [#####################################################] 100%
    :: Starting full system upgrade...
    :: Replace ati-dri with extra/mesa-dri? [Y/n]
    :: Replace baloo with extra/baloo4? [Y/n]
    :: Replace baloo-widgets with extra/baloo4-widgets? [Y/n]
    :: Replace grantlee with extra/grantlee-qt4? [Y/n]
    :: Replace intel-dri with extra/mesa-dri? [Y/n]
    :: Replace java-common with extra/java-runtime-common? [Y/n]
    :: Replace kfilemetadata-frameworks with extra/kfilemetadata5? [Y/n]
    warning: libxml-perl: local (0.08-6) is newer than community (0.08-5)
    :: Replace nouveau-dri with extra/mesa-dri? [Y/n]
    :: Replace svga-dri with extra/mesa-dri? [Y/n]
    resolving dependencies...
    looking for inter-conflicts...
    error: unresolvable package conflicts detected
    error: failed to prepare transaction (conflicting dependencies)
    :: kwin and kdebase-workspace are in conflict

  • Having some problems with security certificates

    Hello,
    In some pages, e.g. Twitter, and pages that load FB comments sections, I'm having problems with the certificates and the pages won't load. I don't get an option to add an exception either, therefore I cannot access pages.
    I have pasted the error details below. Here is some important info for you:
    Version: 9.0.1 <-- Upgrading is NOT an option, this is a corporate machine
    Connect via proxy: yes
    I doubt very much that this is an issue with the connection, as IE and Chrome are NOT having this issue on the same connection.
    Error I get:
    This Connection is Untrusted
    You have asked Firefox to connect securely to twitter.com, but we can't confirm that your connection is secure.
    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
    What Should I Do?
    If you usually connect to this site without problems, this error could mean that someone is
    trying to impersonate the site, and you shouldn't continue.
    Technical Details
    twitter.com uses an invalid security certificate.
    The certificate is not trusted because the issuer certificate is not trusted.
    (Error code: sec_error_untrusted_issuer)
    Can anyone shed some light? The usual troubleshooting I've come across hasn't helped me much.

    Off the cuff it smells of a man-in-the-middle situation to me. As far as I know, Twitter does have a valid certificate, signed by Verisign. That IE and Chrome have no problem with it, could just mean they do not check resp. do let you know.
    I'll have to pass here, because I would not know, how to turn this checking off in FX 9.0 - in any case I would think twice before doing it. The place to look would be Options > advanced > Encryption.
    Hope somebody else joins us:)
    PS: keeping you nailed down to Fx 9.0 version is unsafe - not just for you, but for your company as well.

  • Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

    I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
    Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
    So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
    When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
    I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
    A) We're at version 11 ---- these kinds of issues should have been fixed years ago
    B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

    Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
    My tests seem to show that
    (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
    (b) if a dialog is at a higher level, this is a global setting.
    So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call  "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
    are no problems with certificate revocation checks.
    The problem is, while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy",
    "Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
    Obviously the JVM runtime, which is executed on the user's workstation, tries to perform a revocation check for the webserver's certificate, but this fails because
    it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the webserver certificate over Port 80. Our application developers told me, there is no corresponding statement. Calling this address
      has to fail while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a tls revocation check? I mean, by adjusting the application sourcecode and not by configuring the users Java Control Panel.
      While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart Application executes without a warning message, but this is not a workable solution for
      our users.
    It would be great if someone can help me with a hint so I can send our developers in the right direction ;-)
    Many thanks!
    This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry for this is in german... and also my english above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

  • After last updating for OS 10.7.2 problems with digital certificate

    Hi everybody,
    I'm having problems with Lion after the last update yesterday... The digital certificates don't work anymore!!! In time: the same certificates still work in Snow Leopard...
    I exported from snow leopard and imported on lion, but nothing.
    Until the keychain GUI aborted after that import... Just surfing on HTTPS page with that certificate and safari aborted too.
    Some ideia? i id send reports to Apple... but I dont have hope to answer.
    To test with version 10.7.2, please access https://www.caixa.gov.br
    Thanks
    Roberto Malheiro

    Assuming that the HP software is up-to-date, but still not working, have you tried Image Capture in the Applications folder. Does that work?

  • Problems with server certificate

    Hi,
    I am using Adobe Drive 5.0.2.16 in order to connect to AEM 6 through an SSL connection. According to the Adobe Drive Admin Manual (http://help.adobe.com/en_US/AdobeDrive/5.0/Adobe_Drive_Admin_Guide.pdf), I added the non-trusted certificate hierarchy to the cacerts file in C:\ProgramData\Adobe\CS5\jre\lib\security. Unfortunately I still get an exception (see below) when connecting to the server.
    Strangely enough, if I write a small Java application that connects to the server using the same JRE mentioned above, the connection can be established! Having a closer look at the content of my hard disk, I saw a second JRE that is obviously also related somehow to Adobe Drive: C:\Program Files (x86)\Common Files\Adobe\Adobe Drive 5\jre
    So, my questions are:
    - which JRE is used by Adobe Drive 5?
    - what could be the reason for the exception although the server certificates are added to (all existing) cacert files?
    Thank you in advance
    Holger
    Exception:
    com.adobe.drive.connector.api.exception.RemoteServerUntrustedCertificateException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I'm glad I'm not the only one with this problem.  I posted a message here regarding this earlier today.  I'm now getting a -1004 error when I try.  I'm assuming it's something on Apple's side at this point.

  • Problems with signing certificate for Adobe CC Applications

    I've just purchased Adobe CC and set out to install quite a few apps.  Photoshop, Illustrator and Fireworks all installed without a hitch. 
    Then I tried installing the Edge tools and Lightroom, and that's when the trouble started.
    They failed.  The error was this (I've seen this several places):
    Exit Code: 7
    Please see specific errors below for troubleshooting. For example, ERROR: DW006 ...
    -------------------------------------- Summary --------------------------------------
    - 0 fatal error(s), 2 error(s)
    ----------- Payload: AdobeLightroom5CCMPkg-mul 5.0.0.0 {4b06fc24-6249-4c57-9830-6008a3ce9a80} -----------
    ERROR: DW006: Apple Package failed to install successfully.
    ERROR: Third party payload installer Adobe Photoshop Lightroom 5.pkg failed with exit code: 1
    -------------------------------------------------------------------------------------
    Did some research and tried the following things:
    Ran the cleaner tool
    booted in to safe mode and tried reinstalling
    uninstall/reinstall AIR (I think this was an outdated suggestion)
    Verified and Fixed disk permissions
    Created new admin user account and tried installing from there
    No luck.   I checked the install logs:
         installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.
    OK - something with the certificate.  So I grab the downloaded packages from the /tmp folder for the apps.  When I try to install the packages there, I get the warning that the package is not signed by a trusted certificate - I say install anyway and everything works!
    Except Lightroom 5.  I can't get that one to go.  It never asks me to override the certificate.  It just tries to install and fails just as it did through Adobe CC Desktop.  I can dig in to the deploy packages and install it there, but when I launch it, it asks for my serial number, which we don't have via Adobe CC, correct?
    So what's going on?  I seem to be the only person having this problem.  I spent 3-4 hours this morning with Adobe support.  I have them screen control and they couldn't get it installed.
    Any ideas?  I'm on a newest version MacBook Air, i7, 8GB RAM, 256GB SSD running OS X 10.8.4.  (I swear at one point scrolling through the endless lines of install logs I saw something about my os not being supported, but that can't be right, can it?  I'm 100% current - I can't be too current, right?)
    Thanks in advance,
    Adam Barney

    Wow.  I have no idea how this happened, but at some point, I lost my Apple Root Certificate - that seems important.  I reinstalled it from http://www.apple.com/certificateauthority/ and all is right with the world - and Adobe CC Desktop Installer.

  • Problem with client certificate based authentication

    Hello.
    We are developing an AIR application that uses client
    certificates for authentication. We have written a simple test case
    to show the problem.
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml"
                            layout="absolute">
        <mx:Script>
            <![CDATA[
                import mx.controls.Alert;

                // Called each time the HTTPS request returns a result
                private function responseHandler(): void {
                    Alert.show("Response received");
                }
            ]]>
        </mx:Script>
        <!-- Request to a page that requires a client certificate -->
        <mx:HTTPService id="exampleService"
                        url="https://www1.aeat.es/pymes1/pacargoi.html"
                        showBusyCursor="true"
                        result="responseHandler()">
        </mx:HTTPService>
        <mx:Button label="Send"
                   click="exampleService.send()"/>
    </mx:WindowedApplication>
    When we click on the button, it sends the request to the
    protected page and then (if you have CA emitted certificates) the
    dialog appears requesting the client certificate. And it works
    fine.
    But next time we click on the button, the dialog requesting
    the client certificate appears again.
    Is there a way to stop showing the dialog every time?
    Any help would be very appreciated.
    Thanks a lot for your support.
    Paco.

    I have just sent a Feature Request/Bug Report with the
    following text:
    "We are experiencing a problem using AIR with a server that
    requires authentication via client certificate.
    The dialog for selecting the client certificate appears every
    time that the AIR application interacts with the server (not only
    the first time).
    Steps to reproduce bug:
    1. Install Apache HTTP Server with SSL and require client
    certificate in order to authenticate.
    2. Develop an AIR Application that connects to this server
    (HTTPService or RemoteObject have been tested with the same
    result).
    3. Every time that the AIR application connect to the
    server, the dialog appears in order the user to select the client
    certificate.
    Results: This makes the AIR application unusable.
    Expected results: The dialog requesting the client
    certificate should appear the first time only."
    Thanks,
    Paco.

  • Problem with ios certificate server not updating the CRL

    Hi all,
    The background is that I'm currently setting up a DMVPN solution with the ipsec tunnels between the spokes created using certificates.
    I'm using a cisco 877 as the CA server (it's running 12.4(6)T5) to provide the certificates to the spoke routers. This part is working fine - the spokes can request a certificate and get one issued, all well and good.
    The problem is on the CA: the CRL lifetime is set to 24 hours but the CA is not updating the CRL, so when the spokes look for the revocation list (as set in their trustpoint) they are reporting an error that the CRL is out of date and won't connect.
    If I do a '#sh crypto pki server' it lists a 'CRL NextUpdate timer'. This has a timestamp that is 24 hours after the last certificate was revoked. The only way I can get the CRL to be re-generated is to revoke a certificate.
    So, my question is, have I missed something here? I thought the CA would automatically generate a new CRL file every 24 hours.
    Can anyone help?
    thanks.

    Hi Mark (?)
    this seems to match this bug:
    CSCsy95838    IOS CA: CRL not updated, update timer no started
    However it does not mention if 12.4(6)T5 is affected, only that it was found in 12.4(15)T3 and resolved in 12.4(15)T10 and other more recent releases.
    I would suggest trying the latest 12.4(15)Tx, 15.0(1)Mx or 15.1(4)Mx release if you can.
    I suppose you've thought of it, but just in case: as a workaround you can disable the CRL check on all the DMVPN routers, obviously they will still allow connections from routers with a revoked spoke.
    As a (temporary?) replacement for a CRL, you could use a "certificate ACL" with which you can kind of create a "manual local CRL" :
      crypto pki certificate map certACL 10
       serial-number ne
       serial-number ne
       etc.
      crypto pki trustpoint myTP
       match certificate certACL
    (note the "ne" stands for "not equal" so you are permitting any certificate whose serial number is not listed)
    Obviously you would have to configure (and maintain!) this on each router participating in the DMVPN so this is cumbersome, but I suppose if you don't often revoke certs it might be an option.
    hth
    Herbert
    If this post answers your question, please click the "Correct Answer" button

  • ADCS problem with enroll certificates for computers.

    Hi All,
    There are PKI infrastructure:
    1 standalone root CA (Win 2008 Std, workgroup, offline)
    2 enterprise issuing CA (Win 2008 Ent, DC role, NPS role)
    In AD all root\issue CA certs is available, crl is available, Enterprise PKI console show OK status for all components,  etc.
    It seems work and right config.
    But there is one problem.
    PCs and DCs in domain cannot request computer cert from both CA.
    Manual enroll through mmc fails on domain members/domain controllers with error
        Source: CertificateServicesClient-CertEnroll
        Event ID: 13
        Certificate enrollment for Local system failed to enroll for a Workstation/Domain Controller certificate from ....(name of CA).... (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
        Autoenroll through GP/Manual enroll through Web-enrollment also failed.
    But!!! User enroll cert without problem. At least through mmc console i can enroll user cert.
    Plz help somebody. I crash my mind with problem. )))
    Thanks all.

     
    Hi,
    Please add the following groups to the Certificate Service DCOM Access group:
    ·         Domain Users group
    ·         Domain Controllers group
    ·         Domain Computers group
    In addition, make sure that the Certificate Service DCOM Access group has Local/Remote Activation permission as well.
    And then, update the DCOM security settings for the certificate service by running the following commands at a command prompt:
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    Note: Press Enter after each command.

  • WebVPN-Problem with Digital Certificate and AAA

    Hello everyone,
    I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
    Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
    But now, I want to use both AAA and Certificate for most secure-I mean that the users will be authenticated 2 times (firstly, it is checked by valid certificate then user/pass is second one).
    Here are details:
    I tried installation CA server (Microsoft CA service combined with SCEP) and register ASA with CA server (ASA work as subordinate CA)-->these steps is ok, asa has registed, then client use web-browser request CA and it's issued by CA administrator then it is installed on web-browser.
    Testing:
    The Client tried to test with access SSL VPN, the welcome WEBVPN message prompt user/pass but the message is "Logon Failed" before I give user and pass,
    Does anyone know and advise ?
    Thanks
    Khanh

    Hi all,
    Here are the attached files for my issue,
    Khanh

  • 31.3.0 hangs when connecting to my IMAPS server (problem with intermediate certificates or SSL in general?).

    After update to 31.3.0 Thunderbird hangs when connecting to IMAPS server aie.de (intermediate certificates in chain). No error message is given, Thunderbird just hangs with out updating the subject lines of the inbox.

    It is a configuration problem of the courier imap ssl daemon, resolution is shown here: http://xf.wiki.mithi.com/index.php/Error_observed_in_/var/log/messages_log,_imapd:_couriertls:_accept:_error:1408F10B:SSL_routines:SSL3_GET_RECORD:wrong_version_number#Resolution

  • Problem with ssl certificate

    Hello everyone!
    I have a scenario wherein I am trying to connect SRM to a marketsite through XI.
    SRM (Purchase Order) --->  XI (marketplace adapter) ---> Marketsite
    The URL of the marketsite is of the type HTTPS so I am using certificate logon as the method for authentication.
    Please tell me whether this is the right thing to do:
    1. Create a self-signed certificate in the "Key Storage" of the visual administrator.
    2. Export the certificate and have it installed in the marketsite.
    3. Configure the marketplace com. channel in the integration directory to use the private key I used to generate the certificate I sent to the marketsite.
    Having done that, I get a "server rejected by chain verifier" error in the message monitoring tool.
    Here are some other questions:
    1. Should I create a new View for the certificate and private key, or should I create the certificate in the existing "service_ssl" and rename the new certificate "ssl-credentials-cert" and the private key "ssl_credentials"
    2. Will a self-signed certificate work or do I need to get it signed by a CA before importing the response.
    3. If a self-signed certificate will work, do I need to add another certificate in the "TrustedCAs" view?
    4. If I should import a certificate response from a CA, where can I get the certificate of the CA?
    I know these are a lot of questions, but I'd really appreciate all the help I can get from you guys. Please avoid posting links to other threads as I have pretty much read all of them..
    Warm regards,
    Glenn

    Hi Glenn,
    Let me explain the scenario without client certificate Logon (User and password) first .
    When you want to communicate with marketsite in secure manner, get the certificate of the CA (Certifying Authority) who has signed market site Cert. and add it to Trusted CAs view in Visual Admin of XI. Sometimes it may be a CA certificate chain.
    If that certificate is self-signed, add the market site certificate itself in to Trusted CAS of Vis.Admin of XI.
    Certificate Logon:
    This is for ur (XI servers) Identity to Marketsite.
    In Visual Admin KeyStorage create a view or in any of existing views create a Private Key and Public key (Certificate) pair representing XI Server (CN should be hostname of XI server). Get the public Key signed by CA and import the Certificate in Visual Admin.
    Now in Configuration select view and the Private Key just created for XI's Identity.
    PS: There may be some steps in Marketsite too in case of Certificate logon like Adding XI certificate to something like Trusted CAS of Marketsite.You can get better picture from guys administrating the Marketsite..
    Try these options and post the results in forum.
    Good Luck.
    Regards,
    Sudharshan N A

  • Having problems with security certificates-can't access sites

    I just installed Firefox & am not having problems which result in security certificate error messages. I cannot access Facebook; Pandora, etc.

    Which SSL error message do you get?
    Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
    https://support.mozilla.com/kb/Secure+Connection+Failed
