Using a Self Signed Root CA Certificate with Mail

Similar Messages

• Export & Import Self-Signed Root CA Certificate?

  I have created a self-signed Root CA certificate with which I sign all of my other certificates on a leopard Server. This Root CA is installed and trusted on all of our client machines.
  I recently tested exporting and archiving the Root CA in every format available from Keychain Access and then tried to import these files into another Snow Leopard server and was unable to assign the imported Certificates as a "Default Certificate Authority".
  Does anyone know how I can set this Root CA that I created on another server as the default CA on this new machine for signing all future certificates that I create?
  Fore some reason when I go into Keychain Access and select: Keychain Access -> Certificate Assistant -> Set the Default Certificate Authority… I end up with no certificates to choose from and the "Add a Certificate Authority…" button will not allow me to select any of the exported certificate formats that I archived.
  Any thoughts?

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.

• Replace Self-Signed FAST Search Certificate with Third Party Certificate

  We are trying to replace the Self-Signed FAST Search Certificate with Third Party Certificate in our SP 2010 environment. And are facing issues while enabling the SSL communication between the FAST servers and the corporate servers.
  Our FAST search servers are in a different farm than that of the Corporate Servers.
  The details of the certificate we received is as follows:
  Issued to : FastSearchCert
  Issued By: Issuer Name
  Valid From: 4/21/2015 to 4/20/2017
  We were able to successfully renew the certificate on the FAST Search Server by following the below steps:
  1.  Login to the Administrative and the Non-Administrative nodes 
  of the FAST server. Go to Windows Service and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services in both the servers.
  Follow the below steps in the Administrative Node followed by the Non-Administrative Node
  2. 
  Install the certificate in the following paths in the certificate store:
  “Certificates(Local Computer)\Personal”
  “Certificates(Local Computer)\Trusted Root Certification Authorities”
  3. Ensure that the user account configured for the “FAST Search Server 2010 for SharePoint” has access to the private key of the certificate.
  4. Go the Administrative node of the FAST farm and follow the below steps:
  Go to the certificate store.
  Expand the Personal folder and then click the Certificates folder. Double-click the third party signed FAST certificate.
  Open the Details tab and then click Thumbprint. Note down this thumbprint.
  5. Next, open
  Microsoft FAST Search Server 2010 for SharePoint with Administrator
  Privileges.
  6.
  Navigate to the directory, “D:\FASTSearch\installer\scripts” and execute the below command to replace the current certificate with the newly created
  third party signed FAST certificate.
  .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint".
  7. The FAST certificate was renewed successfully.
  Once the certificate has been renewed successfully in both the nodes, follow the below step:
  8. Start the FASTSearch for SharePoint and the FAST Search
  for SharePoint Monitoring services in the administrator server.
  Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the below steps:
  1. 
  Copy the new certificate from any of the FAST servers to all the web-front end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
  2.   Also, copy the script
  ‘SecureFASTSearchConnector.ps1’ from the location “%FASTSearchFolder%\installer\scripts” in the FAST servers 
  to the web-front end and application servers of the corporate farm.
  3.  Follow the below steps on each of the servers in the corporate farm:
  Open ‘SharePoint 2010 Management Shell’ with administrator privileges and navigate to the directory in which
  SecureFASTSearchConnector.ps1’ script is located.
  And then, execute the below command:
   .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" –ssaName “FASTCibtebtSSA” –username “DOMAIN\SP_Farm”
   Where,
  -certThumbprint 
  - Thumbprint of the certificate
  -ssaName – FAST Content SSA
  -username – The account configured to run the SharePoint
  Search Service
  On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
  Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
  Any help is much appreciated.

  Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
  In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
  Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
  TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
  TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
  TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
  Restarted apache2.
  www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

• How to import self signed root CA certificates on to playbook.

  Hi, 
  I have a test environment with windows CA configured, and i want to install the root CA of this server on to my playbook device, i followed the steps mentioned in PlayBook user guide for importing root certificates, but 
  when i select the certificate in under Security -> certs and click on import it fails with imported 0 of i certificates. 
  could someone help me how can i install self signed root CA's into playbook. 
  regards,
  kamesh.

  I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

• How to check if a portal uses a self signed certificate or signed by sap ca

  Hi,
  I am using EP 7.0 with sp 10 and i'm trying to establish sso with SRM 5.0, I wanted to know how can I make sure if the current portal uses a self-signed public-key certificate or a certificate signed by the SAP CA.
  Thanks,
  Swetha

  Hi Swetha
  I'm fairly sure that all SAP logon tickets are self signed. If you download the verify.der and double click it, you may see some usful details...
  Cheers

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• EDirectory install - failed to retrieve self-signed root certificate:142

  Hi,
  My istallation has 2 NICs, public & internal.
  My tree name is IS.
  I have succesfully installed and used RedCarpet. I additionally enabled
  the Firewall and DHCP server to allow internet access to my users.
  On running Yast install for eDirectory I am given the default IP address
  of the server, this is the Public IP address - I decided that eDirectory
  was for internal use so changed IP address to internal one.
  At 50% of installation an error pops up :-
  Error
  The installation failed to retrieve the self-signed root certificate:142
  I aborted the installation.
  I retried the install using the public Ip address, it complains ports are
  already in use, I chose ignore and go ahead. Same error occurs :142.
  Your assistance and guidance would be appreciated.

  > Hi Johan,
  >
  > Thanks for sticking with me... I appreciate your time and help (believe
  > me, It's a great help..)
  >
  > I have cracked it...
  >
  > On a reboot, I chose to press F2 to get rid of the Suse Chameleon screen
  > and watched the boot process progress. I then noticed that it was unable
  > to contact my specified NTP source.
  >
  > I went into Yast Ntp client and changed my NTP source to other published
  > secondary NTP servers and all failed. I then put in the ip address of one
  > of the time servers and Bingo! ntp connected...I think I've seen this
  > before with Netware...where name resolution of the ntp server name does
  > not occur....most ntpserver administrators state they prefer you contact
  > the server by name rather than address...hmmm.....
  >
  > I then retried Yast eDirectory install and it was a breeze, as was the
  > iManager install....
  >
  > GroupWise here I come...
  >
  > Rgds.
  >
  > Stan Chelchowski
  >
  Hi, this is roy.
  had the same issue. using a supermicro with a builtin dual nic.
  disabled it and installed an old pci nic to test and it finally loaded the
  edirectory without an error.
  on another note, i am installing the NLSBS 9.0 and had to manually load
  the disk drivers since i have an adaptec 2010s raid adapter. i had
  installed suse 9.3 on the same machine earlier with absolutely no issues,
  but NLSBS is a pain. if you run red carpet and update all, then the driver
  issue returns.
  how do you get and install the service pack 2?
  thanks,
  roy

• IOS 6.1 upgrade, self signed root certificate not working

  Hello,
  We have been deploying our organizations self signed root CA to the iPhones with Apple Configurator and using that to confirm the identity of our local webservers.
  Has anyone had problems with self signed root certificates after upgrading to 6.1 (same with 6.1.1)?
  Safari complains that "Safari cannot verify the identity of "<servername>", Activesync also stopped working.
  Any ideas to overcome the issue, other than buying a hundred certs from a trusted ca?

  Same thing for me after updating to 6.1.2.  Facebook, gmail, and many US govt sites certificates have been declared invalid by iOS/Safari.  And there is no way to accept and continue, just click "ok" and you are forever prevented from those sites.

• How to use a self-signed certificate

  Hello,
  I am having some troubles understanding how to use a self-signed certificate. I have created one using Keychain Access -> Create Certificate but it never asked me for the private key and it never told me where the certificate is stored. How am I supposed to use it?
  Typically I would like to do two things:
  1) use the certificate to for example sign an email or other document so that the recipient can verify that it was really me. I understand the concept that they have to have my public key and use it to somehow decrypt something that I have encrypted with my private key. But where is my private key? As mentioned, the certificate creation process never at any point asked me to provide a private key.  An example using this process to sign an email would be really appreciated.
  2) I want to be able to decrypt a message that someone sends to me after encrypting it with my public key. Again, I need my private key, where is it? I was never asked to choose one!
  Please note that i am familiar with the whole process using openSSL ssh via command line, I just need to understand how to achieve the same thing using the certificate creation procedure provided via Keychain Access.
  In short, now thta I have created my certificate, how do I use it? Examples for dummies would be really appreciated
  Thanks  in advance
  /Andrea

  Can you import the CA cert under “Your Certificates.”, delete the CA cert, switched to “Authorities”, re-imported the CA cert, and restarted Firefox.

• Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

  Scenario:
  Windows Server 2012 R2 Essentials
  I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
  So far so good.
  The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
  a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
  The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local  instead of the SSL Certificate I installed, which is
  remote.acmedomain.com
  If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
  My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

  Because....
  the server does not have a 'trusted' certificate assigned to it.
  Only the RDP Gateway has the trusted certificate for the external name.
  If you want to remove that error, you have to do one of the following:
  Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
  So, something like,
  server.domain.publicdomain.com
  Or,
  Install that certificate on your remote computer so it is trusted.
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• 50.28.68.31:2087 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for a id="cert_

  50.28.68.31:2087 uses an invalid security certificate.
  The certificate is not trusted because it is self-signed.
  The certificate is only valid for <a id="cert_domain_link" title="new.thelifeincomegroup.com">new.thelifeincomegroup.com</a>
  (Error code: sec_error_untrusted_issuer)

  See https://support.mozilla.org/kb/Secure+Connection+Failed

• How to Import Self-signed SSL server certificates in Adobe AIR applications

  Hi,
  I am using secure AMF endpoints for remote object communication from AIR client.
  since i am using a self signed SSL certificate on the server, i am getting a certificate warning message on the AIR client, when ever a remote call is done.
  Is there any mechanism to import the server certificate in AIR application..?
  Please provide suggestions.
  Thanks

  I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

• Activate https webmail using openssl self-signed cert

  Dear expert,
  Anyone can give me guidance on how to create and activate https webmail, pops using openssl self-signed cert
  thanks

  Thanks jay for your rocket respond
  I make it work after following your guide and follow this link:
  http://swforum.sun.com/jive/thread.jspa?forumID=16&threadID=52981
  Basically the csr created in mail startconsole, I self signed using openssl.
  One more question, can I use the same cert to enable ssl in ldap encryption tab in ldap console.
  thanks

• Does anyone know how to use a self signed certificate with apple mail??

  Ive read about it in mail's help and tried to set it up according to it. Ive created a self-signed certificate but have no idea how to set it up as it would work with Mail so that i would be able to send signed messages. could anyone help me??

  Hello rado:
  Welcome to Apple discussions.
  I am assuming this is what you read:
  http://docs.info.apple.com/article.html?path=Mac/10.5/en/8916.html
  If you follow the instructions when you set up the certificate, you should be fine.
  Incidentally, most +"ordinary users"+ (like me) do not use this function. I am curious as to why you want to jump through hoops in your Mail application.
  Barry

• Self-signed root cert - is it from Lenovo?

  I heard about a small program rcc.exe that will check your Windows SSL cert root store for funny certificates. Out of 350 root certs, there was one flagged. it is marked as permitted for ALL purposes (email, SSL, software signing, etc.). It has NO information whatsoever. Its validity starts sometime in 2009 and runs out to 2060. The identity is a long string of characters, I think it starts with letter M (can't confirm now). Is it possible this cert is used by Lenovo software? it would be just like them to do something sloppy like that. I don't want to remove it and find all sorts of Lenovo tools disabled.

  Sorry for delay - didn't see notification of any reply. I am using Windows. Exact item in question is a self-signed cert that is found in my trusted root store. The only infomration is the long ID, merely a lengthy random character string, so no point in posting it here. There are absolutely no certificate fields with any data in them. The cert claims to be designated for ALL purposes - that would include code-signing I presume! In other words, the Issued-To and Issued-By fields are the same long character string; the expiration date is way out there (did I say 2060?). I was using the most current version of rcc.exe when I posted. However, I can look at my certificate store and see the cert there with absolutely no additional info. I am not able to access that computer right now, but I wouldn't have any more info! I am on another computer now (non-Lenovo) and just scanned the trusted root store and everything in it is identified.