Update gateway SSL Cert

Hey all, we got our SSL Cert for our gateway server but we can't figure out how to update the current cert with our new one.
The original was put in by a 3rd party "integrator" and it's self signed. We have a real cert now which we need to get installed.
Any help would be appreciated.

That depends on where you generated the cert request from.
If you did this on the portal server then you can use the web server GUI to import the cert into the database then use pk12util to export to a p12 file (run pk12util -help). On the gateway use certadmin or pk12util to import the cert and key from the p12 file.
If you generated the cert request on the gateway then use certutil to import the cert (certutil -h).

Similar Messages

  • Changing SSL Cert, how do you update the trust profile for devices.

    I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert).  How do you update the trust profile on the devices already paired with the server.

    Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are.  SO can be embedded or linked to an outside file.  Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it.  otherwise it will update when you save the linked file.  Yes, there still is an advantage to having an embedded SO.  You may not want to maintain the links - send a file off and forget to include the linked files.  You may want to alter the SO, but not the original file.
    Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
    And if so,
    1. Can this linked file be either raster or vector?
    2. Do edits to it automatically update the Photoshop file?
    3. Is there any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

  • Updating an intermediate CA for a 128 bit SSL cert

    We found a 128 bit SSL cert that was affected by the Verisign server shutdown on 1/7/2004. I need to update the intermediate CA for a 5.1 and 6.1 Web Logic server. Where can I find information on how to do this?
    Thanks.

    download from
    http://www.verisign.com/support/roots.html
    Scott Stanforth <[email protected]> wrote:
    We found a 128 bit SSL cert that was affected by the Verisign server
    shutdown on 1/7/2004. I need to update the intermediate CA for a 5.1
    and 6.1 Web Logic server. Where can I find information on how to do
    this?
    Thanks.

  • Remote Desktop Services Single SSL Cert with multiple hosts

    I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployment all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
    RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployment is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
    exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
    to avoid buying an expensive wildcard cert to cover all of them.

    Hi,
    Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
    the text between the ' marks.  Next paste this into the escape text box on the below page:
    http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
    Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
    it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
    Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
    Thanks.
    -TP

  • Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

    Coldfusion 11
    Windows Server 2012 R2
    Both the Coldfusion admin and additional site work fine on HTTP.
    As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
    Coldfusion 11 - Web Sockets via SSL
    The Coldfusion-error.log shows
    Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
    Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
    Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
    If I reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
    Any assistance welcome - I can't allow this site to be made publicly available with using SSL.
    SM

    @Scott, first are you running update 3? If so, let’s clarify at the outset that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
    If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
    First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
    Look instead in the coldfusion-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may find the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.)
    You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
    Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
    Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
    To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
    /charlie

  • Expired internal SSL cert on SGD 4.5?

    Upgraded Solaris SGD from 4.41 to 4.5. I use a SSL cert for our site, which is working fine. SGD login prompt appears and cert can be viewed and verified.
    However after logging in, I get a security warning on tcchelper saying that Sun's own Verisign certificate expired on 8/29/2010. Is a current cert available?

    yes, please open a case with Oracle Support and we will provide you an update on SGD 4.50.933.

  • Dreaded "must be configured to use a valid SSL cert" - 2008 R2

    Hello everybody,
    I've been browsing through hundreds of topics on the dreaded "The RD Gateway server must be configured to use
    a valid SSL certificate" error using BPA (Windows Server 2008 R2 Std), but still haven't found a proper solution.
    Here's the issue: RDGW not operating properly and sometime accepting connections, sometimes not. 
    I have an external domain example.com and internally, the domain is example.local. I have one server serving Exchange and RD, this is the server responding to mail.example.com and I have a StartSSL issued cert for mail.example.com, which is properly configured
    on the server (OWA is working properly with autodiscover etc.). SSL bindings seem alright, default site is using the mail.example.com SSL cert.
    If I open the RDGW Manager and go to the SSL Certificate tab, the system looks happy by having the cert installed, everything looks fine. Sometimes I even manage to connect - connection is successful, I can normally connect to any of the servers or computers.
    On a second attempt, I just get the message, that the logon attempt had failed. If I run BPA on the server, I get the error of not having a proper SSL cert. If I select a self-signed cert, then also the BPA goes through, but then I have problems with connections
    since everybody would need this cert to have installed.
    From what I read, my problems are related to the issue that the FQDN of my server is servername.example.local and the cert is issued to mail.example.com. How can I make the thing only to talk via the mail.example.com cert? I don't think I can get a cert
    that'd also contain a SAN of servername.example.local from the CA.
    What can I do?

    Hi Andrej,
    Thanks for posting in Windows Server Forum.
    Here I am providing you the article for BPA’s configuration logs, which you can check. It also states that certificates are the main problem related to this error. Please check that the certificate which you have bound has the FQDN name of the gateway server, that the certificate is an SSL
    certificate and that it’s a trusted certificate. Also check that the certificate which you are importing to RD Gateway is in the local computer/personal store. For more information refer to the articles below.
    1. Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway
    implementation
    2. RDS: The RD Gateway server must be configured to use a valid SSL certificate
    In addition, you need to specify the FQDN name of RD gateway under
    DefaultTSgateway in IIS setting. Please go through below article for details.
    RD Gateway/Web Access Outside the Firewall
    Hope it helps!
    Thanks,
    Dharmesh

  • SSL cert size issue

    Hi all,
    here is my conf/version:
    Software
      loader:    Version 12.2[123]
      system:    Version A2(3.2) [build 3.0(0)A2(3.2)]
      system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_2.bin
      installed license: no feature license is installed
    crypto chaingroup myurl.chain
      cert myurl.chain
    ssl-proxy service MYURL
      key myurl.key
      cert myurl.cert
      chaingroup myurl.chain
    yesterday :
    # sh crypto files
    Filename                                 File  File    Expor      Key/
                                              Size  Type    table      Cert
    myurl.cert                             16346 PEM     Yes        CERT
    myurl.key                              1679  PEM     Yes         KEY
    myurl.chain                           4972  PEM     Yes        CERT
    $ curl https://myurl.com
    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html
    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    today, no problem with curl :
    # sh crypto files
    Filename                                 File  File    Expor      Key/
                                              Size  Type    table      Cert
    myurl.cert                             16253 PEM     Yes        CERT
    myurl.key                              1675  PEM     Yes         KEY
    myurl.chain                           4972  PEM     Yes        CERT
    Is there an issue with cert or key size ?

    Sorry, the question was "how did you fix it the first time ?"
    Or are you talking about different devices ?
    Also, be aware that ACE loads your key/cert in memory and stops using the one in flash.
    Even if you modify the files in flash, that does not mean ACE update the info it has in memory.
    So if the files got corrupted and you upload new ones using the same name, it is possible that ACE kept using the old ones it has in memory.
    I usually recommend to use different names and update the ssl-proxy config with the new names in order to force to reload the new info.
    Or remove completely the ssl-proxy config, upload new files and reconfigure the proxy.
    Gilles.

  • SSL Cert Setup on the Palm Pre

    I am having issues setting up my company's email on the Palm Pre.  We use an SSL cert and for some reason I get Certificate Error. Is the time and date wrong.  I looked at many blogs with other people having this issue and they say a root cert needs to be put on the phone.  The only way it says to do this is to install the Microsoft Certificate Authority and then generate the cert that way. 
    Well, the issue that I am having is I have been generating my cert using the new-exchangecertificate -domainnames mydomain.domain.com, and I do multiple DNS names.  This cert works fine on all my computers and all other cell phones.  When I put it on the Pre I get the error above.  I read that this is an IIS root cert and the Palm does not allow this.  I then installed the Certificate Authority and generated a cert and the Pre worked fine, the only issue is the cert broke the rest of my external users' connections.  I need the cert to have dns resolution addresses in it.  I found out how to get the Certificate Authority to have san:dns= domain.domain.com names.  But when I generate this cert and put it as my primary cert it then breaks the Palm and my other systems. 
    How can I get the Certificate Authority to give me a cert with all the DNS names I need and work on the palm and all my other systems.
    Any help is great and thanks in advance.
    Post relates to: Pre p100eww (Sprint)

    We keep any type of updates very close to us. So close in fact that I do not know and only the developers know about this. But if you feel that this should be included there is a feedback link at the bottom of my post click on that and leave the feedback

  • Rolling out SSL cert on CAS array

    Hi there, 
    I have an exchange 2010 CAS array with 2 servers in it. I need to roll out an updated SSL certificate as the old one has expired
    however, it only seems to allow me to install this certificate on the CAS1 server. 
    What I did was I (using the GUI) created a new Exchange certificate. Put in the FQDN of both my CAS servers when I created
    it (although only 4 SAN names appear on the cert on Godaddys website, that being imap, pop, mail and autodiscover). Got my SSL cert from the 3rd party. Completed the certificate and it seems to be ok on my CAS1 server. But then there is no SSL cert on the
    CAS2 server. I just wondered how I would go about installing it on that server, or even if it is necessary to have it on there. 
    I tried exporting/importing it from CAS1 to CAS2 but on CAS2 it just shows it as "The certificate is invalid for Exchange
    Server usage".
    Any help is appreciated

    First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
    When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
    If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
    Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

  • [SOLVED]/etc/ssl/certs/ca-certificates.crt missing from fresh install?

    Hi!
    I was wondering if any of you could understand why I need to reinstall ca-certificates post-install, so as /etc/ssl/certs/ca-certificates.crt gets generated back?
    I'm installing from a netinstall x86_64 image with automatic AIF profile and from [testing] repo?
    Since the file gets made when installing post-install, then I thought that it was rather an install issue instead of a [testing] one? I dunno...
    I've just run a new install from the usb stick, and still the same, and pacman.log states that ca-certificates is installed fine, but again the file is missing and I get complaints in vt1 when browsing https sites and when using curl and such, unless I do a reinstall of ca-certificates...
    Thanks in advance!
    -- EDIT --
    Problem solved by latest perl from testing repo...
    Last edited by mhertz (2012-01-03 01:40:16)

    .. Just wanted to add that of course I know that the ca-certificates.crt isn't in the actual package, but that it _should_ be generated by running update-ca-certificates from the packages install script, but just isn't upon install...
    The package is also out of testing now and in core I see...
    Anyway, to fix this, I guess I just need to add an extra chroot command in my AIF config which runs 'update-ca-certificates --fresh', since at least that works i.e. generates ca-certificates.crt, but I've only tried it post-install, and I don't want to do another install again, as I did 2 yesterday...
    Again, if anybody could help me with some kind of explanation or theory or whatever for this, then I would really appreciate it!
    I _do_ think that the update-ca-certificates command is run correctly during install, as else I guess I wouldn't have all these symlinks in my /etc/ssl/certs/ folder, but then why it doesn't generate that additional ca-certificates.crt file, I really do not understand...
    Thanks in advance!
    (I don't want to report an error before being absolutely sure that it is an actual error and that I know exactly what I'm talking about in the report...)
    -- EDIT --
    I just did a "normal" test-install of arch64-net in a VM, i.e. without using AIF's automatic procedure, and just selected the core repo and to install base (wget depends on ca-certificates), and in the output there was reported:
    Installing ca-certificates... Error: Command failed to execute correctly.
    There wasn't anything more specific in /var/log/{pacman,aif}.log about this, and again there was no ca-certificates.crt generated, and it first appeared after manually running update-ca-certificates post-install...
    I'm gonna make a bug-report on the bugtracker now then...
    Last edited by mhertz (2011-12-21 03:16:40)

  • 2012R2 RDS SSL Cert mismatch Issue on alternate port

    Hi, I am trying to set up RDS on 2012R2. I only have a single public IP and I already have 443 SSL sent to the Exchange server using a GoDaddy cert for that. I've got another GoDaddy cert for RDS that's running on a stand alone server. I have changed the RD Gateway to use port 444 for https. I've added a firewall rule to send 444 to my TS. I can hit https://url:444/rdweb fine - no certificate error, it picks up the correct cert. I can login fine. I try to run a remote app, provide domain creds and then it errors with: Your computer can’t connect to the remote computer because the Remote Desktop Gateway servers address requested and the certificate subject name do not match. Contact your network administrator for assistance. So it appears at the point of launching the app that it's reverting back to 443 and picking up my Exchange SSL cert instead....
    This topic first appeared in the Spiceworks Community

  • SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

    I utilized the idea from
    http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
    installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
    feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
    I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
    this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
    I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is https://<SQLClusterNetworkName>/Reports, and the
    cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
    What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

    I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.
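
The name-mismatch errors in the RD Gateway and Reporting Services threads above come down to one comparison: the name the client connects to against the certificate's subjectAltName entries. The sketch below is an added example, not code from any of the posts; it follows RFC 6125-style matching, and the certificate dictionaries (including the `sqlcluster` names) are constructed sample data.

```python
import ipaddress


def _labels(name):
    """Lower-cased DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False  # wildcard allowed in the left-most label only
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # refuse "*.com"
    if "*" in p[0]:
        return False  # partial wildcards ("w*.example.com") are not honoured
    return p == h


def check_name(requested, san_dns=(), san_ip=(), common_name=None):
    """Return (ok, reason) for the name a client typed or was redirected to."""
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals are compared with iPAddress entries, never dNSName or CN.
        if any(addr == ipaddress.ip_address(ip) for ip in san_ip):
            return True, "iPAddress SAN"
        return False, "IP address not in iPAddress SAN"
    for entry in san_dns:
        if dns_name_matches(entry, requested):
            return True, "dNSName SAN " + entry
    if san_dns:
        # Once any dNSName SAN exists, the subject CN is ignored.
        return False, "no dNSName SAN covers this name (CN ignored)"
    if common_name and dns_name_matches(common_name, requested):
        return True, "CN fallback (legacy clients only)"
    return False, "no SAN and CN does not match"


def audit(cert, names):
    """Map every name clients use to its (ok, reason) verdict."""
    return {n: check_name(n, cert.get("san_dns", ()), cert.get("san_ip", ()),
                          cert.get("cn")) for n in names}


# Constructed sample data modelled on the threads above (not real certificates).
GATEWAY_CERT = {"cn": "mail.example.com", "san_dns": ["mail.example.com"]}
CLUSTER_CERT = {"cn": "sqlcluster", "san_dns": ["sqlcluster.example.local"]}
WILDCARD_CERT = {"cn": "*.example.com", "san_dns": ["*.example.com"]}

if __name__ == "__main__":
    cases = [
        (GATEWAY_CERT, ["mail.example.com", "servername.example.local"]),
        (CLUSTER_CERT, ["sqlcluster", "sqlcluster.example.local"]),
        (WILDCARD_CERT, ["rdgw.example.com", "a.b.example.com", "example.com"]),
    ]
    for cert, names in cases:
        for name, (ok, why) in audit(cert, names).items():
            print(f"{'OK  ' if ok else 'FAIL'} {name:28} {why}")
```

Feed it every name a client can end up using (public URL, internal FQDN, short name, any name written into a published .rdp file); each FAIL row is a name that will raise the mismatch warning with that certificate.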

  • Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

    Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
    Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
    The Untrusted Connection dialog is a usability nuisance, particularly for those of us who understand HTTPS.

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)

    Hi,
    I would like to use corporate ssl certs for webview and reskill to avoid the user having to install the self signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforeseen problems?
    My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
    For reskilling, I will assume I will have to do some command line stuff here ...
    eg: keytool -genkey -keyalg RSA -keystore hostname.key
    to create the key,
    keytool -certreq -keyalg RSA -keystore hostname.key -file hostname.csr
    to create the csr, and
    keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
    to import the new cert
    Suggestions or comments for anyone who has tried this before would be appreciated.
    Regards,
    Brian

    I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
    david
