Untrusted root certificates?

Similar Messages

• Untrusted Root Certificate when using zac reg

  Hello,
  I am trying to register some PCs silently from one zone to another, but I keep having issues with this popup:
  http://imgur.com/HwCVUG9
  Using TID 70000620, I have tried to import the cert with zac ci.
  I went ahead and grabbed the cert off of the new server at /etc/opt/novell/zenworks/security/ca.der, and then imported it with "zac ci C:\mycerts\ca.der", and the important is successful.
  Then I register to the new server(which I pulled the ca.der off of), and the popup is there anyway. I tried using zac ci on the .cert, server.cert, and server.der as well just to see, and had the same issue.
  When I open the ca.der in a text editor, it shows a different serial number than the popup.
  Is there anything I can do to fix this?

  Originally Posted by georgesa
  Hello,
  I am trying to register some PCs silently from one zone to another, but I keep having issues with this popup:
  http://imgur.com/HwCVUG9
  Using TID 70000620, I have tried to import the cert with zac ci.
  I went ahead and grabbed the cert off of the new server at /etc/opt/novell/zenworks/security/ca.der, and then imported it with "zac ci C:\mycerts\ca.der", and the important is successful.
  Then I register to the new server(which I pulled the ca.der off of), and the popup is there anyway. I tried using zac ci on the .cert, server.cert, and server.der as well just to see, and had the same issue.
  When I open the ca.der in a text editor, it shows a different serial number than the popup.
  Is there anything I can do to fix this?
  What's the url you are using in the "zac reg" command? It should not through that warning if you use the fqdn as shown on the server certificate (looks like it should be https://zenserver.yourdomain.com)
  Cheers,
  Willem

• Where are root certificate located in OS 10.6.8?

  I have been using Outlook for my mail, as Mail has dropped several attachments and does not seem to be as reliable.  However, I am receiving error messages informing me that the root certificates for my .me account are not trusted.  I accessed Keychain after downloading certificates from the Apple website, but I was not allowed to drag them into Keychain.  When I attempted to open them, nothing seemed to happen to the list that was there.  Does anyone know how to resolve this "untrusted certificate" issue?

  You have probably figured this out by now, but I had trouble with this also.  I figured it out by first quitting Safari, then going to the folder mentioned by Niel (Choose Go to Folder from the Finder's Go menu and provide ~/Library/Safari/ as the path). 
  Once that folder is opened, leave it open and then enter Time Machine.  It will open up to that folder and then go back to your backup you want to restore from and restore the bookmarks.plst file. 
  That worked for me anyway and was a huge save after an iCloud mistake!
  Shawn

• Wireless 802.1x netwrok and Untrusted Root Cretificate?

  Folks,
  My college uses a secure 802.1x wireless network that I've been trying to join my AppleTV to (latest software) . Unfortunetly, our IT folks are using a self-issued root certificate that is then "trusted" in Active Directory using policies - it doesn't seem to work with the AppleTV. Can anyone tell me am I out of luck here?
  Thanks,
  Michael Lynch

  Hi,
  I believe the issue is more related to the internal clock not set to validate the certificate. The AppleTV does not keep its time and relies on the internet to update its clock. One of the only ways to update the clock using 802.1x is to plug in an ethernet cable to update the clock then removing it and the 802.1x Wi-Fi profile should take over if configured correctly. I too use an "untrusted" certificate and it does work following the ethernet cable work around, however, the moment you power it off, you will not be able to connect until you go through the steps again.

• Can you revoke a root certificate?

  A customer has lost the backup of it's own offline PKI Root Server (Windows 2003). As a security precaution we want to revoke the current root and issuing certificates.
  In our test environment we already managed to create a new root certificate and a new issuing certificate. We also placed the old issuing certificate on the CRL, which we published. Now we can see that the old issuing certificate is revoked.
  I was wondering if it is also possible to place the old Root certificate on the CRL (somehow)? Or must you move it to the Untrusted folder on all (AD) clients?
  Are there any other precautions we should take?
  The idea is to this also on the production environment asap, only after everything is figured out :)

  Hi,
  Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  Regards, Yan Li

• How to verify CA root certificate?

  When the client downloads CA root certificate from the CA server , how to verify that the root certificate is actually from the CA server from which we want to connect?

  > but I have interpreted this question to be specifially about Root CAs ... as these are the only ones that require explicit trust or trust in a browser / OS vendor.
  No, I think the question was about web server trust. Since, the transport is not secured (there is no SSL) you can't verify whether you are downloading from the right server. Say, someone created a rogue web server and gain control over the traffic
  (may be, DNS is tampered, or MITM situation). As long this rogue web server responds with the certificate which can be successfully validated by the certificate chaining engine, this web server may be considered as valid.
  And vice versa, legitimate web server is misconfigured, and wrong certificate was placed there. Downloaded certificate won't pass the check and you may wrongfully consider this legitimate server untrusted. This is why you can't tell certainly whether
  you connected to the right server. You only can make assumptions based on downloaded content after it verification, but yet no certainty.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Untrusted SSL certificat

  Hi,
  Yesterday we ordered a server certificate from http://certs.ipsca.com/ for having no "untrusted connections" messages on our webmail page. I'm not getting it to work. The issuer should be trusted afaik.
  In the end I followed the manual on http://www.stanford.edu/group/macosxsig/blog/2008/03/gettingssl_certs_leopardserv.html
  The mod_ssl part in my virtual host config:
  <IfModule mod_ssl.c>
  SSLEngine On
  SSLCertificateFile "/etc/certificates/mail.bek.no.crt"
  SSLCertificateKeyFile "/etc/certificates/mail.bek.no.key"
  SSLCertificateChainFile /etc/apache2/conf/IPS-IPSCABUNDLE.crt
  SSLCipherSuite "ALL:!ADH:RC4RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:eNULL"
  Apache gives no errors.
  But still the "Error code: secerror_untrustedissuer" error.
  I tried on linux and apple firefox, and on a windows pc with explorer.
  Does somebody knows what goes wrong? If you need more info please ask.
  Best,
  Bart

  A test confirms that the server sends all intermediate certificates, so there shouldn't be a problem with Firefox.<br />
  *http://www.networking4all.com/en/support/tools/site+check/
  Possible causes of such errors are that the system click is set to the wrong date and time or that Firefox has stored in the past a certificate that has now expired.
  Visitors that have the problem can try to remove the stored intermediate certificates that are used with that connection.
  * Tools > Options > Advanced > Encryption: Certificates > View Certificates : Authorities
  Stored intermediate certificates show as "Software Security device" and the build-in root certificates show as "Builtin Object Token".<br />
  Don't remove the latter.
  Rename the file cert8.db to cert8.db.old in the Firefox Profile Folder to remove all intermediate certificates that Firefox has stored by visiting secure websites.<br />
  If that helped to solve the problem then you can remove the renamed file cert8.db.old unless you have user certificates that you may want to export first and import them in the new file.<br />
  Otherwise you can restore the certificates by renaming (copying) the file back to cert8.db<br />
  Firefox will automatically store new intermediate certificates when you visit websites that send them.<br />

• Error: Untrusted Server Certificate

  When i click on Query Interfaces (IPS Manager: Configuration > Settings > Interfaces) i get the following error:
  An error occurred trying to get the interface information. An error occurred while trying to determine the sensor version. Detail = Error occurred while communicating with 172.17.xx.xx: java.security.cert.CertificateException: Untrusted Server Certificate Chain
  Any suggestion?
  Thank you,

      That is a pretty strange message. Have you had a chance to reach out to Windows Live?
  TamaraH_VZW
  Follow us on Twitter @VZWSupport

• Untrusted Server Certificate Chain error

  I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
  My code is :
  KeyStore ks = null;
  String strURL = "https://myserver.com/myurl/lookup.asmx";
  SSLSocketFactory sslSocketFactory = null;
  System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Load certificate dynamically
  SSLContext sslContext = SSLContext.getInstance("SSLv3");
  TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
  CertificateFactory cert = CertificateFactory.getInstance("X.509");
  FileInputStream lo_fileinputstream = null;
  lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
  X509Certificate servercacert = (X509Certificate)cert.generateCertificate(lo_fileinputstream);
  lo_fileinputstream.close();
  String s1 = servercacert.getSerialNumber().toString();
  if(ks == null)
  ks = KeyStore.getInstance("JKS");
  ks.load(null, null);
  ks.setCertificateEntry(s1, servercacert);
  trustMgtFactory.init(ks);
  sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
  sslSocketFactory = sslContext.getSocketFactory();
  HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
  // Call webservice
  URL cascadeURL = new URL(strURL);
  HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
  String inputline=null;
  if (conn instanceof HttpsURLConnection) {
  conn.connect();
  BufferedReader in = new BufferedReader(
  new InputStreamReader(
  conn.getInputStream()));
  while ((inputline = in.readLine()) != null) {
  System.out.println(inputline);
  in.close();
  Please help - I am on a very tight deadline (as usual).

  Found the problem. I simply needed to add another certificate.

• How do I install a Root Certificate on my Iphone for an email account?

  I use an email account requiring a root certificate to be installed on my phone. I have this on my PC and need to know how to actually import the certificate to my iPhone. I go through the normal setup with the account which shows the correct port settings, however, without the certificate, every time I try getting emails, it fails to connect with the server. Any ideas??

  Thanks for the tip. I emailed the certificate to my other email account on my iPhone, but when I tried to open the attached certificate I got a message - "Invalid Profile - Profile format not recognized."
  Any other ideas. I may have to just set up another sure email account with another server.

• Keychain root certificate not trusted (?)

  I see a couple of items in keychain access that say "root certificate not trusted"
  what is this and should they be deleted or somehow modified?
  I looked at certificates with Certificate assistant "evaluate certificate"
  but do not quite understand.
  Thanks

  Ok I'll try not to...
  Thanks

• How to include a new root certificate in BlackBerry device

  Dear Sir/Madam,
  　TWCA is a certification authority in Taiwan provides security system for internet banking, stock trading, e-commerce and SSL certification service in Asia-Pacific region. TWCA wish to add its' root certificate into BlackBerry mobile device in order that our customers may use BlackBerry mobile device to do internet banking and stock trading on secured SSL Website. Could you provide some information about BlackBerry/RIM root certificate program?
  Thanks and Regards.
   Blues Lin
  Solved!
  Go to Solution.

  Hi and Welcome to the Forums!
  It sounds like your question is of a formal nature -- as in you wish to communicate directly with RIM for your query. Unfortunately, these forums are not a user-to/from-RIM communication vehicle -- rather, they are a user-to-user support forum. As such, it is unlikely that anyone from RIM will see and respond to your question. Hopefully some other user knows how to advise you, but I just wanted to set your expectation correctly about what to expect from these forums.
  Good luck!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Windows Root Certificate authority questions.

  hello,
  I have 2 questions with regards to Offline ROOT CA in a 2 TIER Hierarchy :
  (1) Is it necessary to to ” map the Namespace of Active Directory to an Offline CA’s Registry Configuration” ? I didn’t do this step in my lab env and find this in some but
  but not all the online posts as well. what happens if we don't run this command on offline CA ?
  For instance:  certutil.exe –setreg ca\DSConfigDN CN=Configuration,DC=lab,DC=com 
  (2) What happens if i do not publish the ROOT CA certificate via "certutil -dspublish -f xxx.cer ROOTCA " command but instead just  push the root certificate  using Default Domain Group Policy Object to "Trusted Root Auth" store
  on all the domain machines ?  What are the pros/cons of using the certutil method vs the GPO method ?  
  Thanks
  Neeraj

  > Is it necessary to to ” map the Namespace of Active Directory to an Offline CA’s Registry Configuration” ?
  it is necessary only if you configure LDAP URLs for CRL Dsitribution Points and Authority Information Access extensions on Root CA (not recommended).
  > What are the pros/cons of using the certutil method vs the GPO method ?  
  different scopes. When publishing in Active Directory, it is downloaded to all
  *forest* members, while GPO covers only limited scope (domain, site or OU).
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.

• WHere are the root certificates stored on the iPhone 5C, there is nothing in settings for profile?

  WHere can I find the Application Root certificates on my 5C, I need to delete one so I can reload it?

    Reinstall the certificate and then navigate to your profiles- is the certificate provisioning, configuration, or wifi certificate based. Or is it other?  Please restate...

• Problem updating CA root certificates in cacerts file

  I've searched all over for this problem, and none of the posting seems to apply
  to my situation. Hope this is not a repeat post.
  I'm running WLS7 SP2 on W2K AS. I had SSL configured and working properly, until
  1/7/2004 came along, of course. I followed the directions in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436
  to update the Verisign Class2 and 3 root certificates in the cacerts file without
  any problem. I also verified from the WL log that the server is reading the "cacerts"
  file located in <bea_home>\server\lib. However, when I pulled up my website using
  https://, I still get the "...security certificate has expired ..." message.
  Why is my browser not getting the updated CA certificates from WLS?
  Any help you can provide is much appreciated.
  Michael An

  Is the server's identity certificate issued by Verisign? Have you updated it? Does
  the identity certificate chain include the root CA certificate? It might be that
  the browser contains the expired certs among its trusted ca certificates, uses
  them to complete the chain and then complains about it.
  Pavel.
  "Michael An" <[email protected]> wrote:
  >
  I've searched all over for this problem, and none of the posting seems
  to apply
  to my situation. Hope this is not a repeat post.
  I'm running WLS7 SP2 on W2K AS. I had SSL configured and working properly,
  until
  1/7/2004 came along, of course. I followed the directions in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436
  to update the Verisign Class2 and 3 root certificates in the cacerts
  file without
  any problem. I also verified from the WL log that the server is reading
  the "cacerts"
  file located in <bea_home>\server\lib. However, when I pulled up my
  website using
  https://, I still get the "...security certificate has expired ..." message.
  Why is my browser not getting the updated CA certificates from WLS?
  Any help you can provide is much appreciated.
  Michael An