Using a CA digitally signed certificate for RMI

Okay, now that my app works with a self signed certificate, we have now sent a CSR to verisign and are waiting to get the SSL certificate from them.
Once we have that, on the server side, all we have to do is import the verisign certificate into our server keystore, where we have the original public/private key pair, and that's it, correct?
Or should we create a new keystore with just that certificate? (I highly doubt this is right).
And of course I assume that there is zero amount of work that has to be done for the client, since verisign should be in the client's jre cacerts file...
Also, when I was using a self signed certificate I was able to sign my jars using my server keystore which contained only my public and private key pairs. Now verisign is telling me I need to buy a digital code signing package to do that. Why can't I use my keystore to still sign the jars for my webstart app?
Thanks in advance...
Edited by: Sal_C on Jan 9, 2008 10:16 AM

Once we have that, on the server side, all we have to do is import the verisign certificate into our server keystore, where we have the original public/private key pair, and that's it, correct?
It seems correct, but you have to remove the autosigned keys, probably (keep a backup of the private key; if you lose it your certificate is dead).
Also, when I was using a self signed certificate I was able to sign my jars using my server keystore which contained only my public and private key pairs.
Yes, with the jarsigner tool. From what I understand, it is necessary to buy something from verisign to be able to sign your jars. Without that, you could not sign with the whole certificate chain:
http://www.verisign.com/support/code-signing-support/code-signing/digital-id.html
NephYliM
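
The relationship behind the question and answer above (the CA's certificate belongs with the original key pair, not in a fresh keystore), as an added example that is not part of the original thread. It uses openssl with a constructed throwaway test CA in place of the commercial CA and of keytool; all file names and the CN `rmi.example.test` are assumptions.

```shell
#!/bin/sh
# Added illustration: why a CA reply must rejoin the key pair that produced the CSR.
# Everything here is constructed test data; a local test CA stands in for the real CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the public key derived from a private key file.
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a certificate file.
cert_pub_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when certificate $1 carries the public half of private key $2.
reply_matches_key() {
    [ "$(cert_pub_hash "$1")" = "$(key_pub_hash "$2")" ]
}

# True when certificate $1 verifies against the test CA root.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$'
}

setup_demo() {
    # 1. Original key pair with its self-signed certificate (the starting point).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rmi.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/selfsigned.crt" 2>/dev/null
    # 2. CSR made from that same private key.
    openssl req -new -key "$WORK/server.key" -subj "/CN=rmi.example.test" \
        -out "$WORK/server.csr" 2>/dev/null
    # 3. Throwaway root CA (constructed; plays the commercial CA's role).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # 4. The CA signs the CSR; server.crt is the "certificate reply".
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null
    # 5. A brand-new key pair, as a newly created keystore would hold.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/new.key" 2>/dev/null
}

setup_demo

if reply_matches_key "$WORK/server.crt" "$WORK/server.key"; then
    echo "CA reply matches the original private key: import it next to that key"
fi
if ! reply_matches_key "$WORK/server.crt" "$WORK/new.key"; then
    echo "CA reply does not match a new key pair: a fresh keystore cannot use it"
fi
if chains_to_ca "$WORK/server.crt"; then
    echo "CA reply chains to the CA root"
fi
if ! chains_to_ca "$WORK/selfsigned.crt"; then
    echo "old self-signed certificate does not chain to the CA root"
fi
```

keytool performs the same public-key comparison when a certificate reply is imported under an existing key alias, which is why the private key must be kept and backed up.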

Similar Messages

  • Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

    In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
    on this computer" and un-checked "Use simple certificate selection".
    My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
    client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
    drop down.
    Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
    TIA,
    -Rick

    Hi Rick,
    Thank you for your patience.
    According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
    know if the certificate has a private key associated and is present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to the personal store.
    Best regards,
    Steven Song

  • Self Signed Certificate for Web Proxy 4.0.2

    Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
    Shed.

    Unfortunately you will not be able to do that from the GUI.
    You will have to use certutil from proxy-install/bin/proxy/admin/bin/certutil
    Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
    (start -shell will give you a shell with all necessary paths set.)
    create a file called password-file which contains your password to your cert database
    your cert database resides in the alias directory of proxy installation.
    certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
    -f password-file -d certdir

  • CA signed certificate for Jabber 4 windows

    Hi,
    I have a CA signed certificate for my J4W which is working. My question is: how can I get J4W, when you log in the first time after installation, not to prompt you to accept the certificate? It does it 4 times; after that you never get it again. For bulk roll-out purposes, is there a way I can bypass this issue?
    Thanks in advance.

    I'm just working through this too, with a Microsoft domain-integrated CA.
    Some of the other posts were not clear in regard to WHICH cert gets dealt with in which way. Someone please let me know if this process below is inaccurate or incomplete.
    Assuming you have three different servers and only one of each type: CUCM, IMPS, UCxN
    -Generate CSRs for the CUCM, IMPS, UCxN tomcat self-signed certs and export them as clearly named CSR files (3 of).
    -Generate a CSR for the IMPS xmpp self-signed cert and export it as a clearly named CSR file (1 of).
    -Sign all four CSRs with the CA web browser https://ipaddress/certsrv.
    -Export the CA's root certificate in Base64 format using the cert authority name as the file name (only for clarity) e.g. mydomain-AD-CA.cer. Do not rename the file after download.
    -Import the CA's root certificate into each Cisco UC server's tomcat-trust and into the IMPS xmpp-trust. This must be done before the next step.
    -import the CA-signed Cisco UC server SSL certs (that started out as CSRs) as tomcat certs. Import the CA-signed xmpp cert as an IMPS xmpp cert. This replaces the tomcat (and IMPS xmpp) certs with certs that have been signed by the CA.
    -restart the Cisco Tomcat feature service and the Cisco XMPP Router service on each Cisco UC appliance using the CLI "utils service restart Cisco Tomcat"
    -restart the Cisco XCP Router network service on IMPS.
    -Install the CA's root certificate into the client's (assuming Windows) Manage User Certificates > User > Trusted Root Certification Authorities cert store. If you have a domain-integrated MS CA, this will already exist (and should exist, or something else is wrong, or not completed yet with the PKI Infrastructure setup). Look in the User > Trusted Root Certification Authorities cert store - if you can see the CA's root cert that you just installed = great.
    -Test 1: Browse to CUCM by FQDN using IE. https://cucm.mydomain.com/ccmadmin. You should get a perfect alert-free connection to CUCM. This proves that the PKI infrastructure is good.
    -Test 2: Start J4W. It should start up without any popup alerts providing the UC Service Profile and CSF Device config only use FQDNs, that match the certificates you signed with the CA
    -BTW: If you've previously manually accepted J4W popup alerts, before starting J4W go into Manage User Certificates on the Windows client and find and remove all self-signed Cisco UC  appliance certs. Leaving them there will fool you into thinking you've done a complete job when in fact it's not the case.
    ---Well that's the theory anyway.

  • Generating Self Signed Certificate for iPlanet Directory Server for testing

    Hi Experts,
    I am unable to find how to generate a self signed certificate for iPlanet Directory Server for testing purposes. Actually, what I mean is I want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for secured LDAP authentication. For this purpose, how do I create a dummy certificate to enable iPlanet Directory Server SSL? I searched in Google but found no help. Please provide me the solution for how to test it.
    Thanks in Advance,
    Kalyan

    Here's one I did earlier.
    Refers to Solaris 10
    SSL Security
    add a new certificate that lasts for ten years (120 months).
    stop the instance:
    dsadm stop <instance>
    Remove DS from smf control:
    dsadm disable-service <instance>
    Change Certificate Database Password:
    dsadm set-flags <instance> cert-pwd-prompt=on
         Choose the new certificate database password:
         Confirm the new certificate database password:
    Certificate database password successfully updated.
    Restart the instance from the dscc:
    DSCC -> start <instance>
    Now add a new Certificate which lasts for ten years (120 months; -v 120):
    `cd <instance_path>`
    `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" -n testcert -v 120 -t T,, -x`
         Enter Password or Pin for "NSS Certificate DB":
    Stop the Instance.
    On the DSCC Security -> Certificates tab:
         select option to "Do not Prompt for Password"
    Restart the instance.
    On the Security -> General tab, select the new certificate to use for ssl encryption
    Restart the instance
    Stop the instance
    Put DS back into smf control:
    dsadm enable-service <instance>
    Check the smf:
    svcs -a | grep ds
    # svcs -a|grep ds
    disabled Aug_16 svc:/application/sun/ds:default
    online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
    online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

  • I am using iPad 3 and I try to use 30-pin Digital AV adaptor for mirroring on my Samsung HD TV.  Unfortunately it is not a full screen projection.  Anyone can help?

    I am using iPad 3 and I try to use 30-pin Digital AV adaptor for mirroring on my Samsung HD TV.  Unfortunately it is not a full screen projection.  Anyone can help?

    The iPad screen is almost square; HD TVs are rectangular, so it will never be full screen. When watching movies, the movie's native aspect ratio will be used rather than the iPad's screen aspect ratio, so it will look full screen if the movie is full screen, but most likely will be seen in widescreen letterbox format, with black bars across the top and bottom, as that is the format most movies from iTunes are in.

  • Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

    SCCM 2012 has been successfully installed on the server:
    SRVSCCM.
    The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
    Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
    The cluster service is running on the account: sqlclusteruser
    The account has the appropriate SPN are registered:
    setspn -L domain\sqlclusteruser
    Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
    MSSQLSvc/CLS-SQL4
    MSSQLSvc/CLS-SQL4.domain.local
    MSSQLSvc/CLS-SQL4:11434
    MSSQLSvc/CLS-SQL4.domain.local:11434
    After some time on the cluster hosts every day started appearing new folders with files inside:
    srvboot.exe
    srvboot.ini
    srvboot.log
    srvboot.log contains the following information:
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
    Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
    Copyright (C) 2011 Microsoft Corp.
    Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
    Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
    Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
    Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
    Failed to retrieve SQL Server service account.
    Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
    Disconnecting from Site Server.
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

    The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
    Without a successful bootstrap the site server backup is not able to run successfully.
    Try granting everyone the read permission on
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
    This worked for me.
    After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
    After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
    sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

  • I do not use or have not signed up for a MobileMe Account but I am getting duplicates in my iCal for some reason.  All discussions I read are pointing to the MobileMe being the problem but it is not.  Please help me.  There must be another reason.

    I do not use or have not signed up for a MobileMe Account but I am getting duplicates in my iCal for some reason.  All discussions I read are pointing to the MobileMe being the problem but it is not.  Please help me.  There must be another reason all my entries appear twice. 

    If you wish to submit comments to Apple, the best way is to use their feedback pages.
    http://www.apple.com/feedback/itunesapp.html
    It's not likely that anyone from Apple will see your comments here among the thousands of other posts.
    Regards.

  • How to replace self-signed certificate for enterprise manager console

    Does anyone know how to change self-signed certificate for https access to Enterprise Manager console, which is issued during installation of Oracle 11g?

    Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
    Not sure how relevant it will be for 11g, sorry :(

  • Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

    Scenario:
    Windows Server 2012 R2 Essentials
    I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere Access to use that new SSL Cert. I rebooted the server and I am able to log in to Anywhere Access via https (using the SSL certificate) from PC, Mac and iOS.
    So far so good.
    The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
    a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
    The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local  instead of the SSL Certificate I installed, which is
    remote.acmedomain.com
    If I click to accept, RDP does work fine, it's just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
    My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP

  • Using a Code Signing Certificate for download on Azure

    Currently, I have a hosted web application and Web API on a VM that I use to allow users to download an executable file that is signed with a Code Signing certificate. My question is how would I do the same thing with a Web Role or Cloud Service?  The
    goal is to move to PAAS in Azure with our web application.
    Thanks for any help in advance.

    I appreciate the link to the article, but I don't need an SSL certificate, I need a code signing certificate.  I'm afraid this post does not help me at all.  What I need is a certificate to sign my downloadable applications with.  I have
    an .exe file that users can download, and I need those people to know my code can be trusted, which is why I need the code signing certificate.  My problem is how do I utilize this with a Web Role or Cloud Service?

  • Using self-signed certificates for HTTPS

    I want to enable HTTPS protocol with WebLogic Server 5.1
    I want to use a self signed certificate generated with the JDK keytool.
    I've successfully generated it and exported a dummy.cer file.
    I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    and I've got this exception
    java.lang.NullPointerException:
    at weblogic.security.RSAKey.toString(RSAKey.java:203)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.security.X509.toString(X509.java:261)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    at java.lang.Thread.run(Thread.java:479)
    mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
    Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    What's the right way to do this ?

    Hi Jerome,
    The certificate may have been generated incorrectly but I would suggest logging
    a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.
    "Jerome Cahuzac" <[email protected]> wrote:
    > I want to enable HTTPS protocol with WebLogic Server 5.1
    > I want to use a self signed certificate generated with the JDK keytool.
    > I've successfully generated it and exported a dummy.cer file.
    > I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    > and I've got this exception
    > java.lang.NullPointerException:
    > at weblogic.security.RSAKey.toString(RSAKey.java:203)
    > at java.lang.String.valueOf(String.java, Compiled Code)
    > at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    > at weblogic.security.X509.toString(X509.java:261)
    > at java.lang.String.valueOf(String.java, Compiled Code)
    > at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    > at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    > at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    > at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    > at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    > at java.lang.reflect.Method.invoke(Native Method)
    > at weblogic.Server.startServerDynamically(Server.java:99)
    > at weblogic.Server.main(Server.java:65)
    > at weblogic.Server.main(Server.java:55)
    > at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    > at java.lang.Thread.run(Thread.java:479)
    > mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
    > Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    > What's the right way to do this ?

  • CA-signed certificate for admin server

    hi,
    how can i make the admin-server use a CA signed certificate instead of self-signed? i only see an option to renew the self-signed certificates.

    okay, this is the method i used:
    webserver$ cd /var/opt/SUNWwbsvr7/admin-server/config
    # Save the CA certificate in cacert.crt, and import it into the database:
    webserver$ certutil -d . -A -n Example-Inc-CA -t CTu -a -i cacert.crt
    # Generate a new CSR on stdout:
    webserver$ certutil -R -d . -s 'CN=ws.example.org,O=Example, Inc.' -a -g 2048 -k rsa
    # Sign the CSR and save the certificate to 'newcert.crt', then import it:
    webserver$ certutil -d . -A -n cert-ws.example.org -t u -a -i newcert.crt
    webserver$ vi server.xml
    # Look for <server-cert-nickname>, and change it from 'Admin-Server-Cert' (the default)
    # to 'cert-ws.example.org'.
    webserver$ ../bin/stopserv
    webserver$ ../bin/startserv
    replace 'ws.example.org' with the hostname the admin server runs on.
    this seemed to work for me; after the restart, the admin server was using the new certificate, and the browser accepted it.

  • How to assign digitally signed certificates to soap clients?

    Hi,
    I create a webservice proxy for DRM api service which needs a x509 certificate for digital signature. I added the certificate to jre's keystore since it is not signed. But I am getting some strange error when I run the proxy.
    Certificate path validation failed. No trusted certificates present in the keystore
    SEVERE: WSM-07501 Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=null, composite=null, modelObj=DrmService, policy=null, policyVersion=null, assertionName=null.
    oracle.wsm.common.sdk.WSMException: WSM-00138 : The path to the certificate is invalid due to Certificate path validation failed for identity in WSDL certificate "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown", Issuer of certificate is "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown".
    I am sure that it is not hitting the server. Any help would be appreciated.
    Thanks,
    ~Sri.
    Edited by: user1643647 on Jan 19, 2012 2:09 PM

    Save a copy before signing - important. Think of signing as final.

  • Self Signed Certificate for Exchange 2013

     
    What's the drawback of using a self-signed certificate in a production environment?

    Hi,
    Based on my research, here are the disadvantages of self-signed certificate:
    1. The certificates aren’t trusted by other applications/operating systems. This may lead to authentications errors etc.
    Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certification Authorities. However, using this workaround may lead to additional time needed for management and troubleshooting.
    2. Self-signed certificates' lifetime is usually 1 year. Before the year has ended, the certificate may need to be renewed/replaced.
    3. Self-signed certificates may use low hash and cipher technologies. Due to this, the security level that is implemented by self-signed certificates may not satisfy the current Security Policy etc.
    4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. online checking of the revocation list etc.).
    5. Most of the advanced features of the server-side applications require implementing a PKI (Public Key Infrastructure). By this, self-signed certificates' advantages can't be used.
    For more information, you can refer to the following article:
    http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
    Thanks,
    Angela Shi
    TechNet Community Support
