Untrusted Root Certificate when using zac reg
Hello,
I am trying to register some PCs silently from one zone to another, but I keep having issues with this popup:
http://imgur.com/HwCVUG9
Using TID 70000620, I have tried to import the cert with zac ci.
I went ahead and grabbed the cert off of the new server at /etc/opt/novell/zenworks/security/ca.der, and then imported it with "zac ci C:\mycerts\ca.der", and the import is successful.
Then I register to the new server (which I pulled the ca.der off of), and the popup is there anyway. I tried using zac ci on the .cert, server.cert, and server.der as well just to see, and had the same issue.
When I open the ca.der in a text editor, it shows a different serial number than the popup.
Is there anything I can do to fix this?
Reply (quoting the post above, originally posted by georgesa):
What's the URL you are using in the "zac reg" command? It should not throw that warning if you use the FQDN as shown on the server certificate (looks like it should be https://zenserver.yourdomain.com).
Cheers,
Willem
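An added example, not part of the original thread and not ZENworks code: ca.der is binary DER, so this Python sketch parses it to read the serial number, subject CN and SHA-256 fingerprint for comparison with the values in the popup, and checks the host in the "zac reg" URL against the CN, as the reply suggests. The certificate skeleton, its serial and all function names are constructed for illustration; only the CN is compared, not subjectAltName or wildcards.

```python
import hashlib
from urllib.parse import urlsplit

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3, commonName

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated or non-DER input (decode PEM text first)")
    return tag, buf[pos:end], end

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def describe_cert(der):
    """Serial (hex), subject CN and SHA-256 fingerprint of a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tbs = children(children(cert)[0][1])  # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                 # optional explicit [0] version
        tbs = tbs[1:]
    # Remaining order: serial, signature alg, issuer, validity, subject, ...
    serial, subject = tbs[0][1], tbs[4][1]
    cn = None
    for _, rdn in children(subject):      # Name is a SEQUENCE of SETs
        for _, atv in children(rdn):      # each holding SEQUENCE { OID, value }
            (_, oid), (_, val) = children(atv)[:2]
            if oid == CN_OID:
                cn = val.decode("utf-8", "replace")
    return {
        "serial": format(int.from_bytes(serial, "big"), "X"),
        "subject_cn": cn,
        "sha256": hashlib.sha256(der).hexdigest(),
    }

def url_matches_cn(url, cn):
    """True when the host in the registration URL equals the certificate CN."""
    host = urlsplit(url).hostname or ""
    return cn is not None and host.lower() == cn.lower()

# --- Constructed sample: a certificate-shaped DER skeleton, not a real cert ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths suffice here

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))

_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex("1A2B3C"))
           + tlv(0x30, b"") + name("Constructed CA") + tlv(0x30, b"")
           + name("zenserver.yourdomain.com"))
SAMPLE_DER = tlv(0x30, _tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    info = describe_cert(SAMPLE_DER)  # for a real file: open(path, "rb").read()
    print(info)
    for url in ("https://zenserver.yourdomain.com", "https://10.0.0.5"):
        print(url, "matches CN:", url_matches_cn(url, info["subject_cn"]))
```

If the serial or fingerprint printed for ca.der differs from the popup, the popup is showing a different certificate (for example the server certificate rather than the CA).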
Similar Messages
-
Untrusted root certificates?
So I was browsing my computer today (checking out another problem I'm not so concerned about) and I noticed something. In my Keychain, under "System", I have 2 certificates listed as "This root certificate is not trusted". Both have names starting with com.apple, so I'm less worried, but I'm wondering if other people have these on their systems and if they're normal. I don't know what these things do, so I haven't touched them, and I'm not going to post the full names in case it publishes a possible vulnerability in my computer.
Are you sure you have Passwords selected on the left?
Also... this is from the Safari Help Viewer for Root Certificates
When you go to a secure webpage—for instance, to do online banking—Safari checks the site’s certificate and compares it with certificates that are known to be legitimate. If Safari doesn’t recognize the website’s certificate, or if the site doesn’t have one, Safari will let you know.
For more detailed information on how Safari works with certificates, see this topic:
Certificates and secure websites
How to respond to a certificate warning:
Click Show Certificate, and inspect the certificate for suspicious information.
Look for a message that says, “This certificate was signed by an untrusted issuer.” If you see this message, click Cancel, and do not go to the website.
Click the triangle next to the word “Details.” Check to make sure that the name and organization sections match those of the person or organization that owns the website. If anything looks unusual or is not what you expect, click Cancel, and do not go to the website.
If you continue to the website, double-check the address in Safari’s toolbar to confirm that it is the correct address for the page you want to visit. The address should begin with “https://,” and the name of the website should be spelled correctly. Sometimes fraudulent websites masquerade as trusted websites by changing one or two letters of the trusted website’s address.
Contact the administrator of the website, explaining the problem and requesting more information.
If you continue, the certificate will be stored on your computer, and this warning won’t be displayed again for this website until you quit and restart Safari. If you like, you can remove the certificate later using Keychain Access. For instructions, open Keychain Access and choose Help > Keychain Access Help.
Carolyn -
How to identify which root certificate is used?
How to identify which root certificate (on the terminal) is used when a terminal is connecting to an https website?
SecurityInfo.getServerCertificate() only returns the certificate sent from the https server.
But how can I know which local root certificate is used to verify the certificate sent from the https server?
Is there a method or class in MIDP 2.1?
Thanks
UP, this question is urgent. Hope anyone can answer me!
-
When opening www.google.dk and searching from the page, everything is ok
When using Google search engine in the address line search bar the error is present
When changing to Yahoo, bing or another search engine in the search bar, the error is not present
So, the error
"www.google.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)"
is only present when using google search engine in the search bar
Have tried to delete the files cert8.db and key3.db with no success
Read about firewall settings, but Bullguard firewall was not covered
In your "More system details" it says your address bar search provider is Babylon, not Google. Perhaps that's the problem? Or are you using a shortcut to force the address bar search to Google?
This add-on will reset your address bar search to Google: https://addons.mozilla.org/firefox/addon/searchreset/
That might not stick if you have an add-on which reverts the setting. You can disable nonessential and unrecognized extensions here:
orange Firefox button (or Tools menu) > Add-ons > Extensions category
Also, you might need to edit or delete your user.js file to prevent your settings from being overridden at the next startup. This article has info on that: [[How to fix preferences that won't save]].
Any luck? -
Need help with Digital Certificates when used with Adobe Acrobat
Hi,
I need some urgent help for one of my project. Any help or
guidance would be very much appreciated...
I am using Digital Certificates with Adobe Reader 6.0 and
above and currently if I want to install the process it requires
around 2 steps. Below are the steps.
Once the install now button is clicked.
Step 1. Click on set contract set.
Step2. Click on first un check box, Adobe 7.0 or Adobe 6.0
Step3. Click OK,
Now the Question or issue is, I want to make the above
mentioned steps 1 to step2 automated, once a user downloads this
Digital certificate over the Web. Else if I can pre-select the 2
steps for the ease of the user.
Any help to get this automated would be much
appreciated......Do let me know if anybody has any further
questions...
Pls help...and thanks for helping in advance..much
appreciated...
Cheers
Ashish
Hi Ashish,
Since the title of your post refers to Adobe Acrobat, and the
mention of RoboHelp is conspicuously absent, I suspect you are in
the wrong forum. You probably need the Acrobat forum instead.
Regards,
Anne -
Removing / updating root certificates?
I know from the documentation I've reviewed that the root certificate store isn't easily viewed in webOS. There is a knowledge base article that lists certs that come pre-installed (at least in 2.x), but that's the closest I've come to being able to see them.
I have a need to remove one of the root certificates that came pre-installed, and I can't seem to find a way to do it. If I have to, I am open to writing an application toward this end, but I'm finding it difficult to believe that there isn't some easier way, or some HP internal tool that might do this.
Do any of you have any suggestions? I really don't want to trust a particular CA for one minute longer than I have to.
Alternatively, can anyone at HP tell me if you are planning to release a CRL for any of the compromised Diginotar CA certs, and if so, how quickly?
I'm most concerned about this on the Touchpad and original Pre.
Thanks.
Post relates to: Pre p100eww (Sprint) -
I have been unable to fully update the root certificates on my Windows 2008 Server machine. I have tried doing a manual install using https://www.verisign.com/support/roots.html and there are still certificates that are not updated, but used to be trusted
before certification expiration. Is there a way to update these roots automatically by Windows without messing with Group Policy settings? Or a way to update individual roots via Windows?
Thanks.
I'm curious about the intent to do a wholesale update of the root certificates in a server operating system. I would think you should consider yourself lucky, because there are practical limits to the size of the Trusted Root Certificate Store (64kb of certificates,
which is 175-200 of them, depending on their data size).
A more surgical approach is to only install a new root certificate when it is needed for a specific purpose. Otherwise, certificates that are expired can generally just be deleted.
However, for an alternative approach to this process, I would suggest installation of KB931125 to a **WORKSTATION** operating system (a reference VM not actually used by anybody would be even better), and then EXPORT those certificates that you actually
need from that reference system and import them to where they are needed.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds. -
When trying to connect to online banking this is what I get.
This Connection is Untrusted
You have asked Firefox to connect
securely to www.txn.banking.pcfinancial.ca, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
Technical Details
I Understand the Risks
When I click on I understand the risks and try to add an exception I get this:
This site provides valid, verified identification. There is no need to add an exception.
yet I can't get past this and connect to the site!
What are the Technical details showing as the cause?
Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
*https://support.mozilla.org/kb/Secure+Connection+Failed
Try to rename the file cert8.db to cert8.db.old in the Firefox Profile Folder to remove all intermediate certificates that Firefox has stored by visiting secure websites.
If that helped to solve the problem then you can remove the renamed file cert8.db.old unless you have user certificates that you may want to export first and import them in the new file.
Otherwise you can restore the certificates by renaming (copying) the file back to cert8.db
Firefox will automatically store new intermediate certificates when you visit websites that send them.
You can use this button to go to the Firefox profile folder:
*Help > Troubleshooting Information > Profile Directory: Open Containing Folder -
Hello,
I have this issue regarding certificate chains while performing Outlook Anywhere connectivity test
by Microsoft Remote Connectivity Analyzer:
"ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
Note: even if I got the error, Outlook Anywhere and
ActiveSync services work fine.
Environment:
- Exchange 2007 with SP3
- Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
I already read and followed instructions on this TechNet post
Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert but it is a little bit different by this case.
So after an investigation I understand the issue above is related to SSL certificate
Certification Path (see screenshots below).
NO ERRORS on ExRCA checking
Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
repository
Go Daddy Class 2 Certification Authority is under Intermediate Certification Authorities
repository
Starfield Technologies (http://www.valicert.com)
is under Trusted Root Certification Authorities repository
ERROR on ExRCA checking
Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
repository
Go Daddy Class 2 Certification Authority is under Trusted Root Certification Authorities
repository
Can you add some useful information ?
I'm opening a support ticket at Go Daddy; I hope they can give me some positive feedback.
Regards,
Luca Fabbri
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Strange, I have a feeling the exrca tool can't validate the godaddy class2 root authority due to some older compatibility and wants to use the older original root authority valicert owned godaddy. Or when the exrca tool is validating the root CA it only has the godaddy class2 root ca that was issued by valicert and not the standalone cert when doing the comparison. I sent the question to MS and will let you know when I hear back.
You can get rid of it
https://certs.godaddy.com/anonymous/repository.seam
Download the cert
◦gd_cross_intermediate.crt
Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other godaddy class2 root authority. Make sure you see the one you imported; both will be named godaddy class2 root authority but one will be issued by valicert.
Re-run the test and it will go away, I also saw the error with my domain as well using godaddy and got rid of it by using the new cert authority.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com -
I am remotely accessing a website which has iFrame in it. The website uses https, but iFrame tag has "src" pointing to a site using http only. However, when I remotely go to the site, iFrame shows the message below although the "src" url is http only (there is no SSL certificate) when I use IP address (https://10.10.101.156:8006/apprecovery/admin/Core/Storage) in address bar instead of hostname (https://hostname:8006/apprecovery/admin):
===
This Connection is Untrusted
You have asked Firefox to connect
securely to d37t50w1, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
d37t50w1 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)
===
Why is it giving this when using the hostname but not when using the IP address?
Corrected first para above:
I am remotely accessing a website which has iFrame in it. The website uses https, but iFrame tag has "src" pointing to a site using http only. However, when I remotely go to the site, iFrame shows the message below although the "src" url is http only (there is no SSL certificate) when I use hostname address (https://<hostname>:8006/apprecovery/admin) in address bar. But I don't see the message in iFrame when I instead use IP Address (https://<IP Address>:8006/apprecovery/admin) to go to main website. -
When using certificates that have a password enabled and private keys we find the machine hangs up completely with the memory usage jumping to 99%. The main process being the Local Security Authority Process that causes the machine to lock up. The workaround we have is to remove this certificate and import a new certificate making sure we un-tick the check box for private key password.
Not sure if this KB2813237 is linked, but this hotfix is available for Windows 8.1 Pro OS.
Hi Simon,
You can try that suggestion and check whether it is solved and give your result, if there is any other issue, you can post it back.
Regards
Wade Liu
TechNet Community Support -
Error when using sapgenpse import_own_cert to import a signed certificate
We have installed a WebDispatcher and want to use SSL and executed the following steps:
1. Generate Self-Signed Certificate and CSR by:
sapgenpse get_pse -p SAPSSLS.pse -r SAPSSL.req "CN=emsd3c.cs-apps.carestreamhealth.com, OU=IT, O=Carestream Health, C=US"
2. Use the service.sap.com/trust SSL Test Server Certificate service to sign the CSR, which looks like
The certificate signed by SAP looks like this, and I have created a file called d3c_test.cer to contain it:
3. Execute the following command to import SAP's response (d3c_test.cer):
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Receive the following error:
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Please enter PIN: ****
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
Any help will be appreciated.
Thanks
Rivers
Hi Sri Garimella,
As you have mentioned above to download the root certificate also and give the command as
sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>.
Could you please help me with where I can get the RootCA_cert_file?
In the service marketplace I am unable to find RootCA_cert_file.
Could you please elaborate on the issue?
Regards
Hari -
Do I have to use certificates when writing an HTTPS server
I'm writing a client app and a server app. The client will connect to the server via HTTPS. A browser will never connect to this HTTPS server, just the client I have written. Can I skip the step of using certificates? I've been told it isn't a requirement. I just want SSL communication, that is all.
When I try to do this, I get a handshake error, "no cipher suites in common'' coming from the client. The client seems okay because I can get it to connect to other secure web sites.
So, certificates...must use in this case, or no?
Thanks!!!
Hi,
I think you must use certificates if you want to do SSL communication.
When using Netscape Navigator or IE to access files on a server that only has DSA-based certificates, a runtime exception occurs indicating that there are
no cipher suites in common .
By default, certificates created with keytool use DSA public keys. Navigator and IE do not use DSA public keys in their enabled cipher suites.
To interact with IE or Navigator, you should create certificates that use RSA-based keys. To do this, you need to specify the -keyalg RSA option when using keytool. For Example:
keytool -genkey -alias duke -keystore testkeys -keyalg RSA
Hope this will help you.
Regards,
Anil.
Technical Support Engineer. -
Exchange 2007 Certificate Expired Error when using VPN
We recently did a server migration to a new domain (split away from part of the company - sept 2013). I set up the exchange certs and everything worked fine, even when people used the vpn. Recently (it probably started a few months ago) it has
started giving cert errors again, but just for VPN users.
This happens when someone takes their computer or has Outlook 2010 set up on their home computer. They VPN in and when the program starts, it gives the certificate errors for exchange and for autodiscover saying "The security certificate has expired
or is not yet valid". I have checked to make sure that the certs are in fact up to date and are pointing to the correct certificates in IIS. They haven't changed since I originally set them up.
One of the users sent me a picture of the certificate and it is the old cert (that is expired) that used to belong to the previous address when we used the other (completely different) exchange server. The other users haven't sent me the errors they
see, but I assume they are similar. They are able to use exchange if they hit ok on the error box. I couldn't find anywhere online saying that there was any kind of local caching for certs - it should always call home when connecting. So
why are their systems pulling up the old cert when they VPN in, but not when they are hardwired to the internal network on the same computer?
When using the internal network without the vpn, there aren't any error messages.
Any ideas? I've looked around the forums, but I didn't see anything that has helped. I'm using godaddy for my certs currently.
Hi,
Since the Outlook clients work well without VPN, I suggest re-build the VPN (if you don't mind) to verify whether it is a caches issue.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
I am on a website that requires a client certificate to validate identity. When I select a certificate to use, it goes back to the list of certificates. I can't seem to get anywhere. Help!
You should be given the certificate, or cookie, by the website. See if in Preferences (under Safari on the menu bar), Privacy, do you have certificates blocked Always?