Unsigned ssl certificates no longer work

Since the patch a few days ago SSL certs no longer work if they are unsigned, like for a development server, on Safari for Windows.
There's no error or option to accept the certificate, and there is nothing in options to allow certs that are not "safe".
Normal SSL sites with signed certs work as expected. My dev server works as expected with Firefox and IE.
I am honestly trying to support mac/safari users but this bug makes it very difficult to test. I'm definitely not purchasing a verisign cert for my development server.
/sigh
I'll keep looking for next update. I've reported the bug to apple. If anyone knows a workaround please let me know. I searched the apple hives in the registry but there's nothing there.
Safari 3.0.3(522.15.5)
-Neil

I have no idea if the patch did this to me, but.......you might want to check...
The file /System/Library/Keychains/X509Anchors was EMPTY after I did some kind of update.
Well, luckily I back up my system. And I had an old copy of my file. When I restored this file, SSL started working in Safari again. You can see if X509Anchors has data by opening and running:
/Applications/Utility/Keychain Access
See if you can find a way to restore this file (if yours is empty). If you can't, I'll email you mine.
Feel free to send me an email: medtrac64 @ yahoo.com

Similar Messages

  • Self signed SSL Certificates no longer work after upgrade to 37.0.1

    I followed these two articles to create local self signed certificates and they have been working fine since February. Now with the update to 37.0.1 I get "Secure Connection Failed" while trying to access my local website through FireFox. IE and Google Chrome have no problem accessing the local site.
    http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
    http://www.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/
    I have already deleted cert8.db, restarted FF, then re-imported the self signed certificates but get the same error. No other software has changed on this box except the automatic upgrade to FF 37.0.1.
    The network setting is already set to use "No Proxy"
    How do I fix this?
    Windows 8.1 Pro
    IIS 8

    I have exactly the same problem. All servers and devices that use a self-signed certificate are not reachable anymore via FF37.0.1 after upgrade to FF 37.0.1.
    Firefox prints:
    "Secure Connection Failed
    The connection to the server was reset while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem."
    I'm not getting the chance to add an exception hence no access to the server anymore.
    This is a severe problem, because all internally used Glassfish servers in our test environments run with self-signed certificates. As Firefox blocks access to them I cannot maintain my servers anymore.
    I have the same problem with Chrome but not with IE - IE offers to add an exception but suffers the blank page problem when accessing Glassfish.
    I tried to adjust the following values in the FF config:
    security.tls.version.min = 0 ;default
    deleted cert8.db and restarted FF
    I'm really lost, kindly advise.

  • Active Sync certificates no longer work with iOS 4.3

    Existing Active Sync certificates no longer work with iOS 4.3. Can I fix this?

    My results differ from yours.
    With iOS 4.0x, 4.1 and 4.2x my smart playlists with live updating were broken. It would start with track 1 of 5, then 2 of 4, then 3 of 3, 4 of 2, then would generally crash the iPod app. If I left the playlist and re-entered it would have removed the entries already played, but I would find that some of the entries that should have played had actually been skipped in my playlist.
    With iOS 4.3, my playlists are properly working for me again. Now they play 1 of 5, 2 of 5, 3 of 5, ... If I return to the playlist while it is playing, I see that the entries that have already played are removed, and if I leave the playlist to return later, it starts over at 1 of 2, 2 of 2...
    I have posted another thread of how I have my playlists defined, so perhaps that would help you. I do recall that there were some conditions that used to cause problems if used in a smart playlist.

  • SSL certificate doesn't work in FF only. It says "The certificate is not trusted because no issuer chain was provided."

    It is suggested here (https://support.mozilla.org/en-US/questions/1021610) to check the website on networking4all.com
    I performed the check and the results are pretty fine. See below:
    http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=happydemics.com&protocol=https
    But Firefox still says it is untrusted. What's wrong with the certificate?

    hello rocketblr, the site isn't providing a full certificate chain that links the intermediate certificate that it uses to the root certificate trusted by the browser: https://www.ssllabs.com/ssltest/analyze.html?d=happydemics.com&hideResults=on&latest
    (in this case it will depend on chance/if you have visited another site which used and implemented the same intermediate certificate properly).
    please report that issue to the webmasters of this particular site...
    http://wiki.gandi.net/en/ssl/faq#what_is_an_intermediate_ssl_certificate
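
The missing-intermediate failure described in the reply above, reproduced offline as an added example (not part of the original thread). It builds a throwaway root, intermediate and leaf with the `openssl` CLI and shows the verdict of a client that trusts only the root; the host name `dev.example.test` and the functions `make_demo_pki` and `client_verdict` are constructed for this demo.

```bash
#!/usr/bin/env bash
# Added example: constructed three-level PKI (root -> intermediate -> leaf).
# Nothing here is taken from the sites discussed in the thread.
set -eu

# Create root, intermediate and leaf certificates in the empty directory $1.
make_demo_pki() {
  (
    cd "$1"
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:dev.example.test
EOF
    # Root CA: self-signed, the only certificate in the client's trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cnf \
      -extensions ca_ext -subj "/CN=Demo Root CA" -keyout root.key -out root.pem
    # Intermediate CA: signed by the root, not present in any trust store.
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile demo.cnf -extensions ca_ext -out int.pem
    # Leaf (server) certificate: signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=dev.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -extfile demo.cnf -extensions leaf_ext -out leaf.pem
  ) >/dev/null 2>&1
}

# Print "trusted" or "untrusted" as decided by a client that trusts only the root.
#   $1 = PKI directory
#   $2 = yes if the server sends the intermediate along with its leaf
#   $3 = yes if the client already cached the intermediate from another site
client_verdict() {
  if [ "$2" = yes ] || [ "$3" = yes ]; then
    # The intermediate is available as an untrusted helper for path building.
    out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
            "$1/leaf.pem" 2>&1 || true)
  else
    # Only the leaf is available: no path from leaf to root can be built.
    out=$(openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo trusted ;;
    *)        echo untrusted ;;
  esac
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "full chain sent:                $(client_verdict "$demo_dir" yes no)"
echo "leaf only, nothing cached:      $(client_verdict "$demo_dir" no no)"
echo "leaf only, intermediate cached: $(client_verdict "$demo_dir" no yes)"
rm -rf "$demo_dir"
```

The third case is why a misconfigured site can appear to work for some visitors and fail for others: the verdict depends on client state, not on what the server sends.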

  • Certificates no longer work for signing when moving to Acrobat XI

    Hello,
    At my organization we have vendor-supplied certificates (x.509 v3) that we use to sign PDFs.  These certificates function correctly with Acrobat 7, 9, and X (mix of XP and Win7).  When attempting to sign a PDF in Acrobat XI (Win7), an error is reported by the Windows CSP: "The requested operation is not supported.  Error Code: 2148073513".
    I also have some certificates generated in-house that do not result in this error, and sign correctly with Acrobat 7, 9, X, and XI.
    My guess is that some property of the vendor-supplied certificates is not playing well, and that it must be some difference between the two.  The vendor certs have about 10 extensions, mine has 2.  I've pasted a dump of the additional extensions below; all other details appear to be shared.  Key size is 2048 for the vendor, 1024 for in-house.
    Thank you!
    Certificate Extensions: 10
        2.5.29.15: Flags = 0, Length = 4
        Key Usage
            Digital Signature (80)
        2.5.29.32: Flags = 0, Length = 13
        Certificate Policies
            [1]Certificate Policy:
                 Policy Identifier=2.16.840.1.114027.200.3.10.2.1
        2.5.29.17: Flags = 0, Length = 1a
        Subject Alternative Name
            RFC822 [email protected]
        2.5.29.9: Flags = 0, Length = 15
        Subject Directory Attributes
            Entrust User Role=161
        2.5.29.31: Flags = 0, Length = 16d
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           Directory Address:
                                CN=CRL281
                                OU=Commercial Private Sub CA1
                                OU=Certification Authorities
                                O=Entrust
                                C=US
            [2]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=http://comprivweb1.managed.entrust.com/CRLs/EMSComPrivCA1.crl
                           URL=ldap://comprivshad1.managed.entrust.com/ou=Commercial%20Private%20Sub%20CA1,ou=Certification%20Authorities,o=Entrust,c=US?certificateRevocationList;binary
        2.5.29.16: Flags = 0, Length = 24
        Private Key Usage Period
            Not before=Thursday, September 27, 2012 2:07:29 PM
            Not after=Monday, November 03, 2014 1:37:29 AM
        2.5.29.35: Flags = 0, Length = 18
        Authority Key Identifier
            KeyID=d6 57 4d cb f4 e9 cd 6a cb 67 b4 ba 1d cf 10 d3 8b d6 2c 99
        1.2.840.113533.7.65.0: Flags = 0, Length = c
        Entrust Version Info
            Entrust Authority Security Manager Version=V8.0
            Key Update Allowed=Yes
            Certificate Category=Enterprise

    The issue is that Adobe cannot access the path of the CRL since they don't support LDAP path. To resolve the issue you need to uncheck the option to embed the CRL status in the signature information. To change it go to Edit > Preferences > Security > Advanced Preferences > Creation tab > de-select Include signature's revocation status when signing
    I've added screenshots from Adobe X & XI:
    Edit > Preferences >Signatures > Creation & Appearance > More > de-select Include signature's revocation status when signing

  • Concentrator SSL Certificate Expiration

    I'm getting the following message alert from my 3000 Concentrator: SSL certificate will expire in 26 daysIssuer. It appears that this certificate (public/private) as well as an identity certificate are being issued by one of our 2003 servers (not 3rd party). I'm tempted to press the renew buttons on each of these certificates; however, being new to this arena, I'm leery about what might (or might not) happen. My research tells me that this may result in the certificate being rejected. Can someone give me an overview of what these certificates are doing and what I need to do to get myself back into comfortable breathing status again? Thanks.

    Generating the SSL certificates seemed to work; however, I accepted the defaults and instead of the certificates being issued by my local CA server, it thinks it's being issued by Cisco Systems. I don't know if this is going to work or for how long. I tried renewing them and it bombed miserably. I don't even know what these certificates do but from what I've read, it has something to do with the https management interface. My identity certificate doesn't have a 'generate' option, only renew or delete. I have tried renewing and it bombs as well. It shows up in enrollment status; however, when I click to install and use cut and paste, I get the following message: Error installing identity certificate: Bad file format. Not having had to deal with certificates until now, I find this whole thing confusing and frustrating. I'm finding Cisco documentation to be worthless as it might as well be trying to tell me how to shave a peanut. I thought I read somewhere that you need to delete the certificate first before trying to renew, but I am extremely reluctant to do so. Any comments would be most appreciated.

  • SSL certificate error on every SSL page

    Hello,
    I was having problems earlier with connecting to my wireless internet so I deleted some of my .plist files attempting to fix the problem. Now I am having problems connecting to ANY SSL page, (as well as google chat, etc.) saying "security certificate is not trusted". Same happens on all browsers. I think it is because I deleted some plist files (not sure which ones).
    How can I fix this problem? I cannot find any documentation of anyone else having this problem, so please help!
    Much thanks.

    The answer was found elsewhere: Android is much more picky when it comes to SSL certificates and what works in the browser doesn't necessarily work in an Android app.
    A technician had to add a "SSLCACertificateFile to the SSL conf to provide this intermediate chain". I don't know what this is, but it worked.

  • Iplanet 6.0 creating a development SSL certificate for internal use

    With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
    Is there a tool to create my own SSL certificate for development work with iplanet 6.0?


  • After installing Leopard 10.5.3 Mail no longer works in SSL

    After installing Leopard 10.5.3 Mail no longer supports SSL (Port 993) with password authentication. Setting it back to Port 143 seems to be fine. While this is not a problem at home when I am on the road it is a definite problem. Are other users finding similar problems? What are the work arounds (besides changing mail programs)?

    No, all certificates are fine.
    Three months on 10.5.3? Really? It seems to me that we had 10.5.2 three months ago.
    Anyway, it seems that the mail problem may have been a coincidence with the release of 10.5.3 -- mail servers seem to be back up and mail, both SSL and non-SSL, seems to be working as of 0730 EDT.
    This then becomes more of an Apple problem of letting the community know that mail is down -- and that problems are most likely not related to the update of Leopard. This would be particularly helpful since many of us (very many, I suspect) have the auto update configuration for doing system updates turned on.

  • ICal server won't work with SSL certificate

    I'm running Leopard Server 10.5.7, and have a GoDaddy SSL certificate installed on the server, which is working fine in Apache, but not for iCal server.
    In the Security Certificates section of Server Admin, the certificate shows up properly with the correct hostname, with the correct authority (i.e. not self-signed). I can use the certificate for one of my SSL websites, and it works fine, no browser errors, all works great.
    However, if I use Server Admin to enable SSL for iCal server and then select my GoDaddy certificate from the "Certificate" dropdown, the dropdown immediately changes to "Custom Configuration." So I save changes and stop/start the iCal service.
    Then I took my iCal clients (which were all working fine without SSL), and in 'Server Settings,' I changed the server address to https (instead of http), and port 8443 (instead of port 8008). But then when I refresh the calendars, iCal throws an error saying:
    "Unexpected secure name resolution error (code -9844). The server name may be incorrect."
    When I set everything back to the way it was before I started, all works fine.
    Anyone have any suggestions?

    Your problem seems similar to this thread:
    http://discussions.apple.com/thread.jspa?threadID=1992033&tstart=0
    There is some contradictory anecdotal information there, however. This reply in another thread:
    http://discussions.apple.com/message.jspa?messageID=6288712#6288712
    may hold some answers to your problem. There are two very enlightening articles on AFP548.com regarding certificate issues:
    http://www.afp548.com/article.php?story=20080624005724638
    http://www.afp548.com/article.php?story=20071203011158936
    That might also be of assistance. Then there's this little tidbit:
    http://www.networkjack.info/blog/2007/11/30/ssl-cert-with-subject-alternate-name/
    These may-or-may-not solve the problem but may provide insight as to why it's happening.

  • SSL Certificate Advanced Administration - How Does It Work?

    Is there any documentation for advanced administration of SSL certificates on Lion Server? I see that Apple's documentation page Lion Server: Advanced Administration covers SSL certs, but makes no mention of creating/signing new certificates with Open Directory in use. I've run into a host of annoyingly simple SSL cert problems that arise from using Apple's defaults -- with apparently no documentation to fix them.
    Is it necessary that the server's [LAN FQDN server.computer.private] SSL cert be signed by the automatically created Intermediate CA "server.computer.private OD Intermediate CA"? This CA is created by the Server app Manage > Manage Network Accounts...
    How do I create a SSL cert that works for both my computer's LAN FQDN server.computer.private and its internet FQDN mydomainname.com?
    If I create a new self-signed certificate when OD is already set up, what must I do?
    How do I sign my server's SSL cert using my own root CA?
    Whenever I try to change any SSL certs on my own, everything breaks. I have an Apple support account, but Enterprise Support says that these basic questions go beyond the support agreement. Is there documentation anywhere that explains any of these issues? Surely someone has figured out how to set up Lion Server to work securely both on the LAN and the internet, or to use their own root CA.

    I too am interested in this. I seem to be having the same issue. I set up profile manager, etc. before when testing. Yesterday I went and purchased a wildcard cert and installed it. Everything was fine until I go to profile manager and go to select the cert in "sign configuration profiles". When I enter there all I see is the old self generated "macserver.local OD intermediate CA" cert. I don't see my new cert at all.
    Please clarify.

  • Gmail Push no longer works after update to iOS 4.2.1

    I have tested this several times. What previously worked as push yesterday no longer works as push from my Gmail account today after updating to 4.2.1. Is anyone else having this issue? In order to get mail to show up on my phone, I have to go into Mail on my phone. Then the little connecting thing starts up and all the mail since the last time I checked appears.

    This may be related -- I just updated my iPhone to 4.2.1 from 4.1. I immediately found that my Google Apps accounts, which had been configured as vanilla IMAP in Mail.app and successfully synced with iPhones as such for the past couple of years, have now started to sync with my iPhone as gmail accounts (not plain IMAP) and have therefore completely lost the custom From addresses, as it seems the iPhone does not allow custom From addresses in gmail accounts. (The accounts list in iPhone mail now has little red gmail icons instead of the generic blue account icons.) It also seems that push no longer occurs, whereas it certainly used to.
    Deleting all of the mail accounts from the iPhone, power-cycling the iPhone and then freshly syncing mail accounts from iTunes results in the same outcome. It is as though the iPhone is looking at the IMAP/SMTP settings and inferring that since they end with .gmail.com that the accounts are of type gmail, regardless of the fact that I have said that they are plain old IMAP. (It is tempting to create a noddy domain with CNAMEs pointing at {imap,smtp}.gmail.com just to fool the iPhone however it would probably then complain about invalid SSL certificates.)
    I deleted one of the accounts and recreated it manually on the iPhone. This lets me create a plain IMAP account even with {imap,smtp}.gmail.com server names, however when editing the address field, the keyboard which appears is bizarre -- no comma key! (Yes, I searched the various modifier keys, etc.) So, I copied a comma into the clipboard, pasted it into the middle of two From addresses and was at least mildly relieved to find that the mail program did then let me choose between the addresses. However, given half a dozen Google Apps accounts and a plethora of custom From addresses, there is no way that I am going to create this stuff manually. Maybe I will give that CNAME trick a go after all...
    My iPad on 4.2 is fine, however I have a hunch that I have not since resynced mail accounts to it since updating. I'll certainly not be daring to do that now.

  • CF7 and JDK 1.4.2 - EV SSL Certificate Issue

    Let me start off by telling the group that we do not use CF for any of our applications. We are a payments company that hosts a .NET API in IIS that 100's of thousands of customers use. We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API. About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy. I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck. Here are the details:
    EV Certificate issued by DigiCert (4096-bit).
    Customer is on CF7 and JDK 1.4.2.
    When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application. He is using cfhttp to post his requests. We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates. Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 it returns an invalid certificate error and still will not work.
    Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
    Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
    I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
    - Dave

    Dave,
    I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
    I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
    so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
    to either CF 8 or CF 9 to get the issue quickly resolved.
    I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
    if I do find a solution, I'll definitely post it there for you.
    Cheers

  • SSL certificates and Web Services Usage inside Oracle Database Questions!

    We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
    Service1 is already working, and we can call the service from PL/SQL without troubles.
    However, according to the client's security policies, they require all Web services to be consumed via https, including Service1, so we must follow the procedure established for Oracle in order to enable calling Service1 via https from the Database.
    Our client's DBA and IT Team are concerned about two subjects before continuing with the certificate installation:
         - SSL Certificates:
              1- Can installed certificates in the Database put the stability of the database at risk?
              2- Can installed certificates in the Database generate performance issues?
              3- Can installed certificates reloading the Databases?
              4- Can installed certificates in the Database generate security issues?
         - Web services:
              1- Can calling web services from the Database put the stability of the database at risk?
              2- Can calling web services from the Database generate performance issues?
              3- Can calling web services from the Database generate security issues in the DMZ?
    Could you please give us any clues about the possible negative impact related to SSL certificates and Web Services usage inside Oracle Database, if such an impact exists?
    Those are the links describing the procedure mentioned above.
    1 -http://www.kotti.es/2009/11/oracle-wallet/
    DB: Oracle 9i.
    Average number of lines in file: 300
    Periodicity: Twice a day.

    Thiago:
    You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
    I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
    http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
    Regards,
    Jason

  • Expert advice needed: Why could I not connect to my own server after deletion of SSL certificate?

    Issue: Could not connect to my own server after deletion of SSL certificate despite having SSL disabled
    Hello,
    I admit I am a lay user with rudimentary SSL knowledge and I therefore messed up my certificates and I could no longer access my own server (Wikis, WebDav, Device Manager) with Safari. (error: Safari can't connect to server)
    Eventually, I could resolve the problem but I do not understand why there was a problem in the first place.
    Maybe someone can explain that to me?
    OK, here is what I did:
    I created a Certificate Authority because I wanted to use a free SSL Server certificate for our private server.
    (I followed http://www.techrepublic.com/blog/mac/create-your-own-ssl-ca-with-the-os-x-keychain/388 )
    Despite several attempts I never got the server to accept the certificate for web services, the certificate was accepted for iCal, Mail and iChat but not for Web services. I tested an older certificate that was created when I set up the server and that worked for all services incl. Web. So the problem was with my certificate only.
    Out of desperation and lack of concentration I deleted the "original" certificate.
    Now, I soon noticed that I could no longer log in to my server. I solved the problem by restoring the original certificate.
    My question:
    I had SSL disabled in the Server app settings. Why does Safari still look for a proper certificate? (the server logfile had an entry that a .pem file could not be found which makes sense if the cert has been deleted)
    I would be very grateful for expert advice.
    Regards,
    Twistan

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP
    itauthority.co.uk
