Validate Server Certificate Problem

Similar Messages

• SSL VPN Failed to validate server certificate (cannot access https)

  Hi all,
  I have the next problem.
  I've configured in an UC520 a SSL VPN.
  I can access properly and I can see the labels, but I only can access urls which are http, not https:
  I can access the default ip of the uc520 (192.168.1.10) but
  When I try to get access to a secure url I get the msg: Failed to validate server certificate
  I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
  Does the certificate of both hardware has to be the same?
  How can I add a https?
  Here is the config of the router:
  webvpn gateway SDM_WEBVPN_GATEWAY_1
  ip address 192.168.1.254 port 443 
  ssl trustpoint TP-self-signed-2977472073
  inservice
  webvpn context SDM_WEBVPN_CONTEXT_1
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  url-list "Intranet"
     heading "Corporate Intranet"
     url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
     url-text "Impresora" url-value "http://192.168.10.100"
     url-text "DMM" url-value "https://pc.sumkio.local:8443"
     url-text "DMM 1" url-value "http://192.168.10.10:8080"
     url-text "UC520" url-value "http://192.168.10.1"
  policy group SDM_WEBVPN_POLICY_1
     url-list "Intranet"
     mask-urls
     svc dns-server primary 192.168.10.250
     svc dns-server secondary 8.8.8.8
  default-group-policy SDM_WEBVPN_POLICY_1
  aaa authentication list sdm_vpn_xauth_ml_1
  gateway SDM_WEBVPN_GATEWAY_1
  max-users 10
  inservice
  Any help would be apreciatted.
  Thank you

  Hi, thanks for your advise.
  I'm trying to copy the certificate via cut and paste, but I'm getting a
  % Error in saving certificate: status = FAIL
  I dont know if I'm doing this right.
  I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
  I get a file which if I open with notepad is like
  -----BEGIN CERTIFICATE-----
  MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
  KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
  mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
  nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
  -----END CERTIFICATE-----
  If I try to authenticate the trustpoint, I get that error.
  how can I export the certificate from the DMM?
  I think that this file is not the right file.
  and then, do I have to make some changes in
  webvpn gateway SDM_WEBVPN_GATEWAY_1?
  Should I choose the new trustpoint?
  I understand that the old trustpoint is for the outside connection, no for the LAN connection.
  Dont worry about me, answer when you can but I really need to fix this.
  Thank you so much

• Policy in domai server2008 for remove tick Validate Server Certificate in win7 and xp

  hi
  i have a domain server 2008
  i need create a policy to remove tick Validate Server Certificate in win7 and xp
  please help me

  > i need create a policy to remove tick Validate Server Certificate in
  > win7 and xp
  Deploy your WLAN settings through Group Policy - this will allow you to
  create a WIFI for Vista and above, and another one for XP. Both offer
  you to untick this check box.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Java ME SDK 3.0 server certificates problem

  Hi, I'm having a problem using HTTPS connection with the Java ME 3.0 emulator. We have a server certificate from Thawte, but I get
  javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entitywhen I try connecting to our server with the MIDlet. I have tried importing the server certificate as well as the Thawte root certificates into the keystore in c:\Documents And Settings\<username>\javame-sdk\3.0\work\<id>\appdb\_main.ks and I see the certificates in the Certificate Manager in the emulator, but I still get the exception.
  What am I supposed to do to get the emulator to accept the server certificate?

  Answering myself, I got it working after I exported the Thawte server certificates from Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities and then imported them to the MEkeystores.

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• Error upgrading to 2012 R2 - SQL Server Certificate problems

  We are experiencing some strange errors during the installation of Config Mgr 2012 R2. The installer does not provide any errors, it just exits during the final steps. The c:\configmgrsetup.log file shows:
  INFO: Testing SQL Server [SQL01.ad.edu] connection ...  $$<Configuration Manager Setup><11-21-2013 13:47:25.427+360><thread=1984 (0x7C0)>
  INFO: SQL Connection succeeded. Connection: SQL01.AD.EDU MASTER, Type: Unsecure  $$<Configuration Manager Setup><11-21-2013 13:47:25.433+360><thread=1984 (0x7C0)>
  INFO: Tested SQL Server [SQL01.ad.edu] connection successfully.  Any preceding SQL connection errors may be safely ignored.  $$<Configuration Manager Setup><11-21-2013 13:47:25.438+360><thread=1984 (0x7C0)>
  INFO: Certificate: 3082022B38D<!Removed characters for readability!>C1D9C921A058D19F  $$<Configuration Manager Setup><11-21-2013 13:47:25.443+360><thread=1984 (0x7C0)>
    ERROR: Failed to open certificate store (HRESULT=0x5)  $$<Configuration Manager Setup><11-21-2013 13:47:25.451+360><thread=1984 (0x7C0)>
  Failed to write sql server certificate to store (TrustedPeople) on site server (SCCM.ad.edu).  $$<Configuration Manager Setup><11-21-2013 13:47:25.457+360><thread=1984 (0x7C0)>
  ERROR: Failed to configure SQL Server Certificate.  $$<Configuration Manager Setup><11-21-2013 13:47:25.462+360><thread=1984 (0x7C0)>
  Failed to create SQL Server Certificate, ConfigMgr installation cannot be completed.  $$<Configuration Manager Setup><11-21-2013 13:47:25.468+360><thread=1984 (0x7C0)>
  <11-21-2013 13:47:25> Failed to create process of SetupWpf.exe.
  We are running SQL on our enterprise 2008R2 SQL server and SCCM runs on a dedicated 2012 Server. Certificates are generally signed by our CA but the SQL certificate for ConfigMgr is self signed and appears to be trusted by the SCCM server (it appears in
  the TrustedPeople store). We have been running properly using HTTPS and the only errors prior to attempting the upgrade were with a secondary distribution point that had been removed prior to install. A new SQL certificate has been generated and tested but
  yields the same error messages. All suggestions are appreciated. Thanks,
  -Brandon

  Hi,
  I found a similar article for your reference.
  Fail to create SQL Server Certificate" during installation
  http://henkhoogendoorn.blogspot.nl/2013/01/fail-to-create-sql-server-certificate.html
  Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Has anyone had this problem with VPN iPad vpn connection could not validate the server certificate

  Has anyone had this problem with IPad 3 after upgrade to IOS 7,
  trying to to connect VPN , but I get this messag, "could not validate the server certificate".
  I am trying to connect to Oracle VPN.

  Has anyone found a solution for this yet? I am still getting the could not validate server certificate error. I have tried importing the entire certificate chain as well as importing each individual cert in the chain. My certificate works perfectly with the cisco vpn on my pc.
  This is my first experience owning an apple product, and I am very disappointed with the customer support that I have received. I tried calling the help line and no one would even attempt to answer my question. I was then told that the Mac "geniuses" wouldn't know either and that I may be able to find an answer on the message boards. So I am reaching out to the community...Has anyone been able to figure out how to resolve this issue or even the specific cause? Any help is appreciated.

• Radius certificate problems...

  Hello,
  I am using AirPort Extreme's with Radius configured in Mac OS X Server 10.6. Authenticating works, but only with a certificate error on the clients. So I purchased a certificate and installed it (including the intermediate certificate in the System Keychain. But I keep getting a certificate error, on my iPhone for example I get a display with: "Not Verified", however in the server Certificates page it says: "This certificate is valid". When I use the same certificate on the Web service with SSL, there seems to be no problem at al. See http://www.sslshopper.com/ssl-checker.html?hostname=api.serverdensity.com#hostna me=core.hondsrugcollege.nl
  +I tried several certificates: Comodo, Thawte and now GeoTrust. Neither worked, with Radius. Not with iPhone, not with Windows clients. With Windows clients I got this error when connecting via Radius:+
  +The Credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server.+
  +Radius Server: core.hondsrugcollege.nl+
  +Root CA: GeoTrust Global CA+
  +The server "core.hondsrugcollege.nl" presented a valid certificate issued by "GeoTrust Global CA", but "GeoTrust Global CA" is not configured as a valid trust anchor for this profile. Further, the server "core.hondsrugcollege.nl" is not configured as a valid NPS server to connect to for this profile.+
  What should I do to troubleshoot this?
  Message was edited by: Cybex

  One of the key terms I can see in your post is 'Trust Anchor'. Have a search around about this and it may just shed some light.
  In a windows wireless client setup using 802.1x you may notice a screen in the wireless profile setup with a tick box saying 'Validate Server Certificate'. Underneath there you need to select the Trusted Root Authority certificate to use to validate the certificate you have installed. There must be something similar in MacOS and iOS. Alternatively you could untick the 'validate...' check box and the problem should go away, but you are likely reducing security by doing this.
  Sorry i cant help with specifics but hopefully I've pointed you in a direction that can solve the issue.
  Message was edited by: AdventureMatt
  Message was edited by: AdventureMatt

• Need for NPS server certificate with PEAP-MS-CHAPv2

  Hi,
  I have a question about a small setup I'm currently testing. In a Wireless access with 802.1X authentication based on PEAP/MS-CHAPv2, and a NPS server (MS server 2012R2), I've noted reading technet documentation that the NPS server or other RADIUS server
  do have a certificate (issued by a 3rd party CA or by an AD CS environment).
  However, it remains for me a point I would like to clarify (sorry I surely have a bad understanding of documentation). If my client is configured for not "validate server certificate", do I still need to have a certificate on the NPS server ?
  Well, I know it is not secured, but this will permit me to test without configuring an AD CS, and without buying a certificate.
  Many thanks in advance for your answer.
  Regards,
  Fabrice

  You also need a server certificate in this case as the protection in Protected EAP is due to the encryption of the TLS session.
  Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server - given that its certificate chain is valid. But the certificate chain as such is checked as in every
  SSL handshake.
  You don't need a certificate issued by a commercial CA though - you could use an inhouse PKI. For tests you could use a self-signed certificate as well.
  Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
  Elke

• Certificate error connecting to VPN, can not validate server

  Used the configuration utility to configure a profile for VPN using certificate as authentication.  Keep getting error, can not validate server.  When I export the cert to my desktop, I see the CRL information in it.  When I view the details of the cert after installing on the iPad, I don't see any CRL information.  I'm guessing this may be the problem only not sure how to resolve it. 

  solved the problem by adding an additional attribute in the certificate request to the VPN server (cisco router) and first enable the server SubjectAltName CA
  In CA server:
  certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  certutil -setreg policy\SubjectAltName enabled
  certutil -setreg policy\SubjectAltName2 enabled
  net stop certsvc
  net start certsvc
  In certificate request for VPN server:
  In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
  san:dns=dns.name[&dns=dns.name]/san:ipaddress=x.x.x.x
  (external dns/ip)
  http://support.microsoft.com/kb/931351

• Problems with server certificate

  Hi,
  i am using Adobe Drive 5.0.2.16 in order to connect to AEM 6 through an SSL connection. According to the Adobe Drive Admin Manual (http://help.adobe.com/en_US/AdobeDrive/5.0/Adobe_Drive_Admin_Guide.pdf), I added the non-trusted certificate hierarchy to the cacerts file in C:\ProgramData\Adobe\CS5\jre\lib\security. Unfortunalty I still get an exception (see below) when connecting to the server.
  Strangely enough, if i write a small java application that connects to the server using the same JRE mentioned above, the connection can be established! Having a closer look to the content of my harddisk, I saw a second JRE that is obviously also related somehow to Adobe Drive: C:\Program Files (x86)\Common Files\Adobe\Adobe Drive 5\jre
  So, my questions are:
  - which JRE is used by Adobe Drive 5?
  - what could be the reason for the exception although the server certificates are added to (all existing) cacert files?
  Thank you in advance
  Holger
  Exception:
  com.adobe.drive.connector.api.exception.RemoteServerUntrustedCertificateException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  I'm glad I'm not the only one with this problem.  I posted a message here regarding this earlier today.  I'm now getting a -1004 error when I try.  I'm assuming it's something on Apple's side at this point.

• Problem with HTTPS requests to host with untrusted server certificate

  Hi,
  I develop an iPhone framework which sends HTTPS requests in order to communicate with a publicly available backend server. Currently I have a big problem regarding untrusted server certificates.
  The certificate of the backend server is not signed by a trusted CA, so my first approach was to use NSURLRequest's private allowsAnyHTTPSCertificateForHost. While this worked as expected an was fine as temporary workaround, our customer demands a clean solution as final result. Therefore I wrote a method which allows to install a provided certificate from the file system in the keychain, but this method does not work as expected in the iPhone Simulator. The certificate is installed in the host machine's Mac OS X keychain instead. Unfortunately, if I call NSURLConnection's sendSynchronousRequest method, I retrieve an "untrusted server certificate" error. It seems as if NSURLConnection is not able to access the host's Mac OS X keychain to retrieve the certificate.
  Is my guess correct or did I miss something?
  Would my approach work if I ran my app on a real iPhone device instead (I do not have one available yet)?
  Does there exist a keychain in the iPhone Simulator at all?
  Is it at all possible to send HTTPS requests to a server with an untrusted certificate on the iPhone Simulator or do I have to use precompiler directives to implement different routines depending on the underlying platform (simulator or device, respectively)?
  Any help is highly appreciated.
  Thanks,
  Matthias

  Indeed this would be a clean and simple solution. But our customer is not willing to get a real certificate, for whatever reasons.
  The question that remains is if the HTTPS requests would succeed on the iPhone device itself if the server certificate was installed in the keychain by the same app beforehand.

• Win2k3 AD problem with autoenrolled Server Certificate

  Hi there
  I was running into some problems using an SSL connection to our company active directory server on the win2k3 plattform. During the SSL Handshake, the AD sends his CertificateChain in which the Server Certificate has marked the alternateSubjectName as critical (inside it is actually the FQDN). Because the RFC says, that all extended fields marked as critical should be known and java 1.5 ssl implementation doesn't, the SSL connection will hang up before the handshake has been made.
  Because the AD's certificate was enrolled automatically and my administrator isn't willing to change the certificate, i hung on this problem now for several days.
  How can I avoid that this field is unknown an will generate an exception? Do I really have to implement my own PKIXCertPathChecker to do a workaround? Any suggestion is welcome.
  Ah and if someone is interested what I am doing: I am using Spring LDAP to do a usermanagement software which has the focus on creating, locking and deleting users. In advance it must be possible to set any password within an administrator account. Spring LDAP is built up on (as far as I know) JNDI.
  The field marked as critical is:
  [5]: ObjectId: 2.5.29.17 Criticality=true
  SubjectAlternativeName [
  [DNSName: server.domain.com]]and the exception (from the ssl debug log):
  http-10001-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
  http-10001-1, WRITE: TLSv1 Alert, length = 2
  [Raw write]: length = 7
  0000: 15 03 01 00 02 02 2E                               .......
  http-10001-1, called closeSocket()
  http-10001-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
  user.SaveAction:persistIfValid() - Unknown error while perstisting object:Unable to communicate with LDAP server; nested exception is javax.naming.CommunicationException: simple bind failed: server.domain.com:
  636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]

  hi adler_steven
  thanks for your advice. I already read those threads some days ago but nothing helped me. I still got the error because of this subjectAlternativeName field. I tried to write an own implementation of PKIXCertPathChecker which can handle the 2.5.29.17 extension. But I cannot hang in the code where i need it (only possible if I overwrite some JNDI classes which I try to avoid because of future updates!). My last hope is now to implement my own SSLSocketFactory.
  Or does someone of you know how to make an SSLContext static? ;-)
  [edit]
  Chronology of my SSL handshake:
  -- Client Hello
  -- Server Hello, Certificate, Certificate Request, Server Hello Done
  -- Client tries to read the Certificate chain from the server, fails because of unknown extension and sends back an Alert (Certificate Unknown) <-- which is a little bit confusing, because in my official exception is written as javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
  [edit]
  Edited by: AnAnAsbAnAnAshAkAr on Oct 11, 2007 8:55 AM

• AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

  Hi guys,
  Is there a way to disable the warning generated from using self signed certs?
  I would like to make the process as seamless as possible.
  AnyConnect 3.1
  ASA 8.4(2)
  Thanks.

  Hi,
  We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
  We were instructed to request a new one
  Also here is the link to Cisco site we were provided that explains the changes in 3.1
  IPSec and SSL connections require server  certificates to contain Key Usage attributes of Digital Signature and  Key Encipherment, as well as an Enhanced Key Usage attribute of Server  Authentication or IKE Intermediate. Note that IPSec server certificates  not containing a Key Usage are considered invalid for all Key Usages,  and similarly an IPSec server certificate not containing an Enhanced Key  Usage is considered invalid for all Enhanced Key Usages.
  Link to document
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
  Sadly I dont dable with certificates myself so I'm not really familiar with this.
  - Jouni

• How can I make Firefox trust a Server Certificate by Default?

  I'm trying to distribute Firefox via Empirum. All settings are made using the CCK-Wizard Addon.
  When I import our Certificates in CCK-Wizard, I can make trust-settings for CA's, but not for Server Certificates, and so the SC isn't trusted by default.
  Is there any way to make the trust Settings for SC's in the install package, maybe through an option in about:config (didn't find any, but maybe somebody knows more than google :P )?
  I tried to do it like PRF_1 suggested here https://support.mozilla.org/de/questions/687296#answer-112220 but in the last step I got an Error 1: C compiler cannot create executables.
  Regards,
  Bowser

  Hello,
  '''Try Firefox Safe Mode''' to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
  ''(If you're not using it, switch to the Default theme.)''
  * On Windows you can open Firefox 4.0+ in Safe Mode by holding the '''Shift''' key when you open the Firefox desktop or Start menu shortcut.
  * On Mac you can open Firefox 4.0+ in Safe Mode by holding the '''option''' key while starting Firefox.
  * On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
  * Or open the Help menu and click on the '''Restart with Add-ons Disabled...''' menu item while Firefox is running.
  [[Image:FirefoxSafeMode|width=520]]
  ''Once you get the pop-up, just select "'Start in Safe Mode"''
  [[Image:Safe Mode Fx 15 - Win]]
  '''''If the issue is not present in Firefox Safe Mode''''', your problem is probably caused by an extension, and you need to figure out which one. Please follow the [[Troubleshooting extensions and themes]] article for that.
  ''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.''
  ''When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.''
  Thank you.