Trust the server's certificate

Hello,
I have a certificate already generated by the server and I do not know its alias. How can I:
- export the server certificate from the certs keystore?
With keytool:
keytool -export -keystore "java.home"/lib/security/cacerts -alias jamie -file server.cer
but I got the error: alias does not exist.
Could somebody give me a pointer? Thank you.

You can always use "keytool -list" to print all the aliases in a keystore.
BTW, are you sure your certificate is inside "java.home"/lib/security/cacerts? That's the root CA collection that comes with the JRE.

Similar Messages

  • The verification of the server's certificate chain failed

    Hi All,
    Not sure this is the right forum for this but never mind.
    I am trying to get abap2GApps working and am having problems with the client certificates.
    I am getting the below error in ICM :-
    [Thr 06] Mon Jul 30 09:34:47 2012
    [Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
    [Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 06] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
    ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
    [Thr 06] <<            End of Secude-SSL Errorstack
    [Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
    [Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
    [Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
    Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
    For accounts.google.com they use (this set works) :-
    1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    For docs.google.com they use a different set of SSL certs. :-
    1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Google Internet Authority, O=Google Inc, C=US
    3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Can anyone explain what I am doing wrong or how to correct this?
    Thanks
    Craig

    Further UPDATE
    After removing every certificate related to docs.google.com I still get the same error!
    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
    "Situation: The ICM is in the client role and the following entry is displayed in the trace:
    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
    Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
    What could possibly be causing this?
    Please help!
    Craig

  • Help with the server's certificate

    Hi everyone!
    I have been using the curve for a while and my blackberry is connected to 2 different emails.  It has been working fine.  This morning, the screen won't display messages coming from one email account.  So I went to the wizard account set up and tried to put in my email address as I had at the very beginning but when opening it won't open the connection because "the server's certificate has expired"  Any idea what that means and how I can fix it? Appreciate your help!

    Did you use wi-fi connection before, if so, refer to http://www.blackberry.com/btsc/KB15204

  • Open Directory refusing to use the server's certificate

    We have an SSL certificate signed by a 3rd party (Digicert) and our Mavericks server refuses to accept it for use with Open Directory (though other services appear to be using it).
    Here is a related thread discussing the problem.
    We need SSL to work with Open Directory in our environment so I'd like to try wiping out the Open Directory data and set up our Mavericks Server as an OD master from scratch now that the certificate has been added to the server (it wasn't there when OD was originally turned on). What I don't want to do is re-install the entire OS.
    Any tips on how to do this? 

    I am having this exact same problem, and just noticed it. The certs we use here (Office of Information Technology at University of Massachusetts Amherst) are most often issued by InCommon.org so there shouldn't be a problem with this.
    I am now wondering if this is causing a related problem with Profile Manager.
    This is happening on Server v3.0.3.

  • Trying to setup an email, but won't verify it says the server is not trusted how do i fix this?

    Hi,
    I wonder if anyone can help me. I am trying to set up an email account on my iPhone 4 but the account won't verify. I get to the point where it says continue, cancel and details. Under the details section it gives me the error message that the server is not trusted. I am not sure what this means but I have been looking online and I think it is something to do with the primary certificate or something along those lines although I don't completely understand what that means. I hope someone can help as this is driving me crazy.
    Thanks
    Emma

    That message usually means that the server's Certificate has expired. You can just tap Continue and it should connect. It's a warning that you may not be connecting to the server you think you are. But if you are sure it is the right one just click Continue.

  • Is a truststore needed if the server certificate is signed by a CA?

    I have a server SSL certificate that has been signed by a trusted certificate authority (CA). I'm using a java desktop application to consume web services at that server over ssl/https using Axis 2 (no client certificate authentication). Everything is working fine, but I see code examples using a truststore or keystore (by the way, what is the difference?) and I'm starting to wonder if I need to use this kind of mechanism. Some articles I have read imply that I don't need to use a keystore because the server's certificate is signed by a CA. I've read lately about some man-in-the-middle attacks that involve intercepting https traffic and impersonating the server. Will my solution be vulnerable to this kind of attack if I don't use a keystore? If I simply provide Axis with an https endpoint url of the web services, will my solution be secure? Any help would be appreciated. Thanks.

    SSL provides you with privacy, integrity, and authentication. That is, the messages are encrypted, tamper-evident, and come from an authenticated identity. Whether that's the identity you want to talk to is another question. So the application has to perform the authorization step, i.e. check the identity against what is expected. You do this by getting the peer certificates out of the SSLSession, usually in a HandshakeCompletedListener, and check that the identity of the server is what you expect. SSL can't do this for you as only the application knows who it expects to talk to. Another way around this is to ship a custom truststore that only contains the server certificate for the correct server, so it won't trust anybody else.
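
The truststore approach from the answer above, together with the identity check on the peer certificate, as an added example that is not code from the thread. It uses a plain SSLSocket rather than Axis 2; the class name, the alias "pinned-server" and the command-line arguments (certificate file, host, port) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; usage: java PinnedTruststoreClient server.cer host port
public class PinnedTruststoreClient {

    /** Read one X.509 certificate (PEM or DER), e.g. a file written by "keytool -export". */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** SSLContext whose only trust anchor is the given certificate (cacerts is not consulted). */
    static SSLContext contextTrustingOnly(X509Certificate pinned) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                             // start with an empty in-memory store
        trustStore.setCertificateEntry("pinned-server", pinned); // alias is arbitrary
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);            // null key managers: no client certificate
        return ctx;
    }

    /** Handshake, then the application-level check that the peer is the expected server. */
    static X509Certificate connectAndVerify(SSLContext ctx, X509Certificate expected,
                                            String host, int port) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // A bare SSLSocket validates the chain but not the host name unless this is set.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // SSLHandshakeException if the chain or the host name is rejected

            // startHandshake() is synchronous, so the session can be inspected here
            // instead of in a HandshakeCompletedListener.
            X509Certificate peer = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            if (!peer.equals(expected)) {
                throw new SSLPeerUnverifiedException(
                        "unexpected server identity: " + peer.getSubjectX500Principal());
            }
            return peer;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PinnedTruststoreClient <server.cer> <host> <port>");
            System.exit(2);
        }
        X509Certificate pinned = loadCertificate(args[0]);
        X509Certificate peer = connectAndVerify(
                contextTrustingOnly(pinned), pinned, args[1], Integer.parseInt(args[2]));
        System.out.println("Verified server: " + peer.getSubjectX500Principal());
    }
}
```

Because the truststore holds only the server's own certificate, the client has to be shipped a new certificate file whenever the server renews it.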

  • TLS get server's certificate

    Hello,
    I'm connecting with java mail to a smtp server which offers STARTTLS. I would like to know if there is a way to get the server's certificate to my application using the java mail API. Basically, I just want to show the server certificate in the same way the openssl command does it :
        openssl s_client -connect 192.168.0.1:25 -starttls smtp -showcerts
    EDIT: ok I think I have to do this on a lower level with a SSL Socket:
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket("127.0.0.1", 8888);
        socket.startHandshake();
        SSLSession session = socket.getSession();
        java.security.cert.Certificate[] servercerts = session.getPeerCertificates();
    The problem is that when I do not have the remote certificate in my keystore, the "startHandshake" will fail. What I want to do is to offer the user the possibility to accept/refuse the certificate. How can I do this?
    EDIT2: I did the following workaround by implementing a dummy X509TrustManager : http://forums.sun.com/thread.jspa?threadID=183410
    But now I don't know how to 1st connect in clear, then issue STARTTLS and then use a SSL socket to get the certificate.
    Thanks,
    Tex
    Edited by: Tex-Twil on Jul 13, 2010 2:31 AM
    Edited by: Tex-Twil on Jul 13, 2010 2:56 AM

    I think I found a solution. Basically I connect manually to the smtp using a normal socket, issue "EHLO" and "STARTTLS" commands. Then I wrap the clear socket into a SSL Socket and start the handshake. Then I can get the certificates:
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintWriter;
    import java.net.Socket;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class StartTlsCertificates { // wrapper class name added so the code compiles
        public static void main(String[] args) throws Exception {
            // The Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()) call is
            // dropped: JSSE has been part of the JRE since J2SE 1.4.
            Socket clearSocket = new Socket("192.168.0.1", 25);
            PrintWriter out = new PrintWriter(clearSocket.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(clearSocket.getInputStream()));
            readServerResponse(in); // server greeting
            out.print("ehlo test\r\n"); // SMTP command lines end in CRLF, which println() does not guarantee
            out.flush();
            readServerResponse(in);
            out.print("starttls\r\n");
            out.flush();
            readServerResponse(in);
            // SSL: layer TLS over the already connected clear socket
            TrustManager[] tm = { new RelaxedX509TrustManager() };
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tm, new java.security.SecureRandom());
            SSLSocketFactory factory = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) factory.createSocket(clearSocket, "192.168.0.1", 25, true);
            sslSocket.startHandshake();
            Certificate[] servercerts = sslSocket.getSession().getPeerCertificates();
            for (Certificate cert : servercerts) {
                System.out.println(cert);
            }
            sslSocket.close();
        }

        private static String readServerResponse(BufferedReader in) throws IOException {
            StringBuffer buf = new StringBuffer(100);
            String line = null;
            do {
                line = in.readLine();
                if (line == null) { // connection closed by the server
                    if (buf.length() == 0)
                        buf.append("[EOF]");
                    break;
                }
                buf.append(line);
                buf.append("\n");
            } while (isNotLastLine(line));
            System.out.println(buf.toString());
            return buf.toString();
        }

        // Not shown in the original post; assumed here to test the SMTP continuation
        // marker: "250-..." means more lines follow, "250 ..." is the last line.
        private static boolean isNotLastLine(String line) {
            return line.length() > 3 && line.charAt(3) == '-';
        }
    }

    // Accepts every certificate chain without validation, so the peer is not authenticated.
    // The legacy isClientTrusted/isServerTrusted methods are omitted: they are not part of
    // javax.net.ssl.X509TrustManager.
    class RelaxedX509TrustManager implements X509TrustManager {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // the interface expects a non-null array
        }
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
        }
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
        }
    }
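
For the accept/refuse prompt asked about in this thread, an added example (not code from the thread) of a trust manager that runs the normal JRE validation first and lets a user-approved SHA-256 fingerprint be the only override. The class name and the host/port arguments are assumptions, and it connects with TLS directly rather than after STARTTLS.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

// Hypothetical class; usage: java PromptingTrustManager host port
public class PromptingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager platform;                     // default JRE validation
    private final Set<String> accepted = ConcurrentHashMap.newKeySet();  // fingerprints the user approved
    private volatile X509Certificate[] lastRejected;                     // chain the platform refused

    PromptingTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE default truststore (cacerts)
        X509ExtendedTrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509ExtendedTrustManager) found = (X509ExtendedTrustManager) tm;
        if (found == null) throw new IllegalStateException("no X509ExtendedTrustManager available");
        platform = found;
    }

    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
                hex.append(String.format("%02X", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Remember the refused chain; rethrow unless the user approved exactly this leaf certificate.
    private void unlessAccepted(X509Certificate[] chain, CertificateException cause) throws CertificateException {
        lastRejected = chain.clone();
        if (!accepted.contains(fingerprint(chain[0]))) throw cause;
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        try { platform.checkServerTrusted(c, a, s); } catch (CertificateException e) { unlessAccepted(c, e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine en) throws CertificateException {
        try { platform.checkServerTrusted(c, a, en); } catch (CertificateException e) { unlessAccepted(c, e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        try { platform.checkServerTrusted(c, a); } catch (CertificateException e) { unlessAccepted(c, e); }
    }
    // Client-certificate checks and the issuer list are passed straight to the platform manager.
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { platform.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine en) throws CertificateException { platform.checkClientTrusted(c, a, en); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { platform.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        PromptingTrustManager tm = new PromptingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        for (int attempt = 1; ; attempt++) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS"); // host name is checked by the platform manager
                s.setSSLParameters(p);
                s.startHandshake();
                System.out.println("Connected using " + s.getSession().getProtocol());
                return;
            } catch (SSLHandshakeException e) {
                if (tm.lastRejected == null || attempt == 2) throw e; // failure was not about the certificate
                X509Certificate leaf = tm.lastRejected[0];
                System.out.printf("Rejected: %s%nSubject: %s%nIssuer: %s%nValid: %s to %s%nSHA-256: %s%n",
                        e.getMessage(), leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(),
                        leaf.getNotBefore(), leaf.getNotAfter(), fingerprint(leaf));
                System.out.print("Accept this certificate? [y/N] ");
                String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
                if (answer == null || !answer.trim().equalsIgnoreCase("y")) throw e;
                tm.accepted.add(fingerprint(leaf)); // the retry succeeds only for this exact certificate
            }
        }
    }
}
```

For the STARTTLS case, the socket factory of the same SSLContext can be used in the layered createSocket(clearSocket, host, port, true) call from the post above.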

  • There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server

    Hello,
    I have an issue with connecting client SB1H on Windows, the scenario is as follows:
    1.- Server:
         Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
         NDB and Server are review 69 SP06
    2.- Client:
         Windows 8 Pro Virtual Machine on Microsoft Hyper-V
         SB1H PL 11 version 32bits    
         SAP HANA Studio version 1.0.60
    When I run SB1H the following message appears:
    There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
    Any idea what could be the solution?

    Hi,
    Please check SAP notes:
    1993392 - Server components setup wizard: New default values for certificates and single sign-on option
    1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
    Thanks & Regards,
    Nagarajan

  • How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

    I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)"
    I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Class 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer.
    I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.
    (I'd rather not tell everyone here the URL of my company's remote access website)

    Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.
    A. As my named user (called "greg", surprise, surprise, no secret there...)
    Run Firefox; select Edit > Preferences > Advanced : Encryption:
    Here I get no option for Certificates, but I do get View Certificates - then tabs for:
    - Servers, under which my company's remote logon URL is listed - Edit button is grey
    - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
    1. may identify websites (ticked)
    2. may identify mail users (unticked)
    3. may identify software makers (ticked)
    I ticked 2, tried again - same failure. Unticked it.
    B. As root.
    Run Firefox; select Edit > Preferences > Advanced : Encryption:
    Here I get no option for Certificates, but I do get View Certificates - then tabs for:
    - Servers, under which my company's remote logon URL is NOT listed
    - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
    1. may identify websites (ticked)
    2. may identify mail users (unticked)
    3. may identify software makers (unticked)
    I ticked 2 and 3, tried again - same failure. Unticked them.
    Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.
    This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).
    So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.

  • Certificate presented by the server is not trusted warning

    Dear All,
    When ever I try to create new suffixes or list the available certificates in the database, it is showing the following message.
    Certificate "CN=DirectoryServer-2, CN=1736, CN=directory Server, O=Sun Microsystems" presented by the server is not trusted.
    Type "Y" to accept, "y" to accept just one, "n" to refuese, "d" for more details: Y
    Why is it throwing an error message like this, even though we are using the Sun Microsystems default certificate? What should we do to avoid this error?
    Thanks in advance,
    Yogendra.

    Your server has a self-signed certificate. DSEE 6.x arranges this for you by default, but this cert is not automatically trusted by clients everywhere. This is useful for testing, but not so much for production usage.
    What should we do to avoid this error.
    Set up your server with a SSL certificate that is signed by a certificate authority which your clients trust.

  • While logon to lync it gives error " there was a problem verifying the certificate from the server "

    I already went through all threads related to my question, but not even one thread answers it. OK, my problem is again the same: it gives me the error I mentioned in the title. Client OS is XP. Can somebody tell me which certificate I should import into which certificate group?
    And yes, why has the error occurred? Help me.
    Thanks in advance
    jayesh rohit

    You'll want the CS root certificate in the trusted root certificate authorities area of the machine store (vs the user store).  If there are any subordinate CAs with intermediate certificates, put them in the intermediate certification authorities area. 
    Verify that the certificate has the correct SANs for your server.  Did you generate the certificate from the deployment wizard, did you check the box for the sip domains as you went through the wizard?  Is the certificate internally signed by your certificate authority?  Are you attempting to connect internally or externally when you see the issue?
    Can you confirm that your SRV records for _sipinternaltls._tcp.domain.com have the correct port and hostname and that the hostname is also resolvable?  Can you do the same for _sip._tls.domain.com?
    SWC Unified Communications

  • The server's security certificate is not yet valid!

    I am getting this message with Google Chrome when accessing https sites (facebook.com for instance).
    This message is only received with my primary user, other users function properly.
    The system clock is set automatically and is showing the correct date.
    Advancing the system time setting manually about 2.5 months or so the browser returns an "expired" message.
    I am in web development and cannot simply replace my default user.
    Is there anywhere I can look to see what is causing this error?

    Hi krudesill,
    Welcome to Apple Support Communities.
    Are you seeing the same security certificate issue in Safari? The article linked below provides some information and a troubleshooting suggestion that may resolve the issue.
    OS X Mavericks: If your certificate isn’t being accepted
    http://support.apple.com/kb/PH14003
    If a certificate is not accepted, it may have expired or it may be invalid for the use to which it is being applied. For example, some certificates may be used for establishing a secure connection to a server but not for signing a document.
    The most common reason a certificate isn’t accepted is that the certificate authority’s root certificate isn’t trusted by your computer. Before your computer will trust a certificate authority, you must add the certificate authority to a keychain and set the certificate trust settings.
    Some apps (such as Safari) display the root certificate from the certificate authority as part of the message from the certificate authority. In this case, drag the root certificate icon to the desktop.
    Drag the certificate file onto the Keychain Access icon, or double-click the certificate file.
    Choose a keychain from the pop-up menu, then click OK. If you’re asked, type the name and password for an administrator user on this computer.
    Select the certificate, then choose File > Get Info.
    Click the Trust Settings disclosure triangle to display the trust policies for the certificate.
    To override the trust policies, select new trust settings from the pop-up menus.
    I hope this helps.
    -Jason

  • Lync 2010 Certificate Issue - "There was a problem verifying your certificate from the server"

    Greetings.
    My Issue:
    Lync 2010 client does not connect to server; error displayed: "Cannot sign into Lync. There was a problem verifying the certificate from the server."
    Description:
    The client is running on my Windows 7 box, and my CA server is a Windows Server 2003 box. I have installed the hotfix on the Server 2003 box to update the Web Enrollment portion of CA to allow for newer clients (Vista and 7) to receive certificates from this server.
    Lync server is running on Server 2008 R2 STD, installation was a success.
    The Windows 7 box is a part of the domain.
    I have manually exported the Root CA from my Enterprise CA server from Trusted Root Certification Authorities -> Certificates and imported into the same location on my Windows 7 box.
    If I look at the certification path on the Root CA, on my Windows 7 box,  it says "The certificate is OK." The same goes for the servers involved. 
    Still nothing.
    I have read the other forum posts on here about people having success once they manually import the Root CA from the Enterprise CA server, but this is not my case here. 
    All certificates are successfully assigned on the Lync server box; however, I did have to manually import the Root CA into Lync server's Trusted Root Certification Authorities -> Certificates before I could successfully assign them. Had to do this on another deployment I completed, so I didn't think anything of it.
    To recap: it seems that even with my Root CA imported into my Windows 7 box I can still not connect to my Lync server with the client, and I get the error message "There was a problem verifying the certificate from the server."

    Solved
    Solution: Export certificate from Lync Server: Start > Administrative Tools > IIS > Server Certificate > Export > abc.pfx, save it. Copy and place the certificate where Ms Lync 2010 client is installed or getting certificate error. Follow these steps on client machine to install certificate:
    Run > mmc > add or remove snap in > certificates > computer account > local computer > finish > ok > expand Certificate > Trusted Root Certification Authorities > Certificate > All task > Import > copy abc.pfx certificate and delete unnecessary certificate from there.
    Restart Client machine and open Microsoft Lync client 2010 and open option menu > Personal > Advanced > choose Auto Configuration > save ok

  • Internet Security Warning - The Server you are connected to is using security certificate that...

    Mail Client on Laptop is Windows Live Mail.  Mail server outgoing.yahoo.verizon.net.  DSL Internet.  Long time Verizon customer.  Client configuration settings correct according to Verizon.  I now get an Internet Security Warning message whenever I start up the Live Mail Client and send an e-mail.  Only happens on sending e-mails.  The warning message comes back looking for a YES or NO answer.  The message is
    "The server you are connected to is using a security certificate that could not be verified."
    "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
    "Do you want to continue using the server?"      "YES    or   NO"
    I click YES in order to successfully send e-mail messages which I do not like to do.  I only have to press YES on the first e-mail message that I send.  The rest outgoing e-mail work correctly after that first one. 
    What has Verizon done to cause the problem on my client software?  I have done nothing to change configurations on my Windows 7 and Windows Live Mail laptop.  I have done some research, and verified that my computer time and time zone is correct.  I am looking for an explanation on why this is happening from Verizon.
    HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    If no one has a better idea you may want to unlink Yahoo from VZ. http://forums.verizon.com/t5/Verizon-net-Email/Unlinking-Verizon-email-from-Yahoo-portal/td-p/413475 It is possible to lose data as pointed out in the linked thread.
    OR Did you get any indication that your mail server settings were going to change at the end of Sept 2013? A mass email went out for "standard" verizon users earlier this year.  I am not sure if this affects Yahoo/VZ settings.

  • CA Certificate is not in the server certificate chain...

    Use keytool command to import server certificate.
    I got this error when running an ldap browser (I downloaded from the Net) to connect to my Active Directory server via SSL. Connecting via non-ssl is successful and I can browse the ldap tree. I'm not sure what is causing the problem. I did the following, but no success:
    1. I used the keytool command to successfully import a certificate to cacerts file found in the \java\j2re1.4...\lib\security\directory.
    2. I verified that the domain server accepts ldap queries via ssl over port 636.
    Now I'm wondering if I used the keytool command properly or is there anything I need to do to get this to work.
    Peter
    3.

    Perhaps you may want to post the output from keytool (you may want to edit any confidential information).
    For example from my Active Directory domain & Certificate Authority:
    #keytool -list -alias antipodes -keystore /usr/java/jdk1.5.0_01/jre/lib/security/cacerts
    Enter keystore password: xxxxxxx
    antipodes, 20-Aug-2005, trustedCertEntry,
    Certificate fingerprint (md5): B7:5B:DE:61:D5:89:A1:91:96:0E:C7:0A:52:86:BB:79
    My guess is that you have either not imported the certificate as a Trusted Certificate entry, you may not have imported the correct CA certificate, or if you have a CA hierarchy, you may only have imported the intermediate CA certificate, and not the root CA certificate.
    Also I have noticed that many applications have separate keystores. I recall that when I first played around with Java/JNDI on Linux to access my AD, and imported my CA cert into the Java keystore, that when I wanted to use a browser on the Linux desktop to access my secure web site, I had to also import the same CA cert into the Netscape browser's keystore. (As a Windows guy, I thought how dumb, but that's another story)
