Validating a server's certificate

I am writing an app that does an https post of a request and gets a result returned. The company that I am interacting with has a certificate from Verisign. I know nothing about certificates! I need to validate their certificate in code as I do this transaction. I need to validate that their cert is current, check the authority and the URL. Anyone have an example of this type of action? Do I do this right before the post or does this happen during the post? Sorry I am such a newbie!
Thanks!
Bill

Hello!!!
I've a similar problem. I need to validate a client certificate against my server. I'm researching this field and I've learned some things. You need to have one keystore; this is the place where the certificates are stored. In this keystore you need to have the CA root certificates (Certificate Authority or similar), so to speak, the trusted certificates (Verisign, Thawte, etc.). Your application trusts these entities by default. You can add more entities whenever you want; you only need the CA root certificates to import them. Afterwards, you need to validate a client certificate against this keystore, so the client cert must have a signature from a CA inside it. Then we validate the cert by asking the keystore whether the client cert exists inside it: first look for the same CA root that the client cert has, and if this CA root exists then we look for the final client cert, and if this certificate exists then the process is OK.
This is the process more or less; I'm sorry if I can't explain myself better, but you can read more about this in the Java tutorial, the JSSE tutorial, or the JCE tutorial.
If you have installed J2SE on your machine, you will see the keystore in C:\Documents and Settings\<your_user>\.keystore and c:\j2sdk1.4.1_02\jre\lib\security\cacerts
This is my code; it works, but I still need to finish it:
package autenticacion;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Vector;

public class TestCert {

    KeyStore keyStore;
    String keyStorePath;
    char[] keyStorePassword;

    public TestCert() {
        this.keyStore = null;
        this.keyStorePath = "";
        this.keyStorePassword = null;
    }

    public TestCert(KeyStore keyStore, String keyStorePath, char[] keyStorePassword) {
        this.keyStore = keyStore;
        this.keyStorePath = keyStorePath;
        this.keyStorePassword = keyStorePassword;
    }

    public static void main(String[] args) {
        FileInputStream keyStoreIStream = null;
        try {
            String keyStorePath = "D:/JAVA/j2sdk1.4.1_02/jre/lib/security/cacerts"; // or "c:/Documents and Settings/instalador/.keystore"
            char[] keyStorePassword = "changeit".toCharArray();            // or "password".toCharArray()
            String pathFileName = "c:/mykeyFile.cert";

            // Dynamically register SunJSSE as a security provider (needed on J2SE 1.4; later JREs ship it enabled).
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

            // Open the keystore file.
            try {
                // Open the stream to read in the keystore.
                keyStoreIStream = new FileInputStream(keyStorePath);
            } catch (FileNotFoundException e) {
                // If the path does not exist then a null stream means
                // the keystore is initialized empty. If an untrusted
                // certificate chain is trusted by the user, then it will be
                // saved in the file pointed to by keyStorePath.
                keyStoreIStream = null;
            }

            // Create a KeyStore object.
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // Init the keystore with the contents of the keystore file.
            // If the input stream is null the keystore is initialized empty.
            keyStore.load(keyStoreIStream, keyStorePassword);
            // Close the keystore input stream.
            if (keyStoreIStream != null) {
                keyStoreIStream.close();
            }
            keyStoreIStream = null;

            // Array holding every certificate the client sends us.
            // In a servlet it would come from the request:
            // X509Certificate[] chain = (X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate");

            // isChainTrusted
            TestCert test = new TestCert(keyStore, keyStorePath, keyStorePassword);
            X509Certificate[] cert = test.getCertFromFile(pathFileName);
            test.getAcceptedIssuers();
            System.out.println(test.isChainTrusted(cert));
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println("main Error: " + e.toString());
        } finally {
            try {
                if (keyStoreIStream != null) {
                    keyStoreIStream.close();
                }
            } catch (Exception e) {
                e.printStackTrace();
                System.out.println("main Error: " + e.toString());
            }
        }
    }

    // getAcceptedIssuers retrieves all of the certificates in the keyStore
    // and returns them in an X509Certificate array.
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] X509Certs = null;
        try {
            // See how many certificates are in the keystore.
            int numberOfEntry = keyStore.size();
            // If there are any certificates in the keystore.
            if (numberOfEntry > 0) {
                // Create an array of X509Certificates.
                X509Certs = new X509Certificate[numberOfEntry];
                // Get all of the certificate aliases out of the keystore.
                Enumeration aliases = keyStore.aliases();
                // Retrieve all of the certificates out of the keystore
                // via the alias name.
                int i = 0;
                while (aliases.hasMoreElements()) {
                    String alias = (String) aliases.nextElement();
                    System.out.println(alias);
                    X509Certs[i] = (X509Certificate) keyStore.getCertificate(alias);
                    System.out.println(X509Certs[i]);
                    i++;
                }
            }
        } catch (Exception e) {
            System.out.println("getAcceptedIssuers Exception: " + e.toString());
            X509Certs = null;
        }
        return X509Certs;
    }

    // isChainTrusted searches the keyStore for any certificate in the
    // certificate chain. Note: this only checks that some certificate of the
    // chain is present in the keystore; it does not verify the signatures
    // linking the chain or the validity dates.
    private boolean isChainTrusted(X509Certificate[] chain) {
        boolean trusted = false;
        try {
            // Start with the root and see if it is in the keystore.
            // The root is at the end of the chain.
            for (int i = chain.length - 1; i >= 0; i--) {
                if (keyStore.getCertificateAlias(chain[i]) != null) {
                    trusted = true;
                    break;
                }
            }
        } catch (Exception e) {
            System.out.println("isChainTrusted Exception: " + e.toString());
            trusted = false;
        }
        return trusted;
    }

    // Reads the certificate(s) from a file and returns them as X509Certificate objects.
    private X509Certificate[] getCertFromFile(String filename) {
        X509Certificate[] chain = null;
        FileInputStream fis = null;
        try {
            // Parses a PKCS#7-formatted certificate reply stored in a file and extracts all the certificates from it.
            Vector v = new Vector();
            fis = new FileInputStream(filename);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Collection c = cf.generateCertificates(fis);
            Iterator i = c.iterator();
            while (i.hasNext()) {
                X509Certificate cert = (X509Certificate) i.next();
                System.out.println(cert);
                v.add(cert);
            }
            chain = new X509Certificate[v.size()];
            chain = (X509Certificate[]) v.toArray(chain);
        } catch (Exception ex) {
            ex.printStackTrace();
        } finally {
            try {
                if (fis != null) {
                    fis.close();
                }
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
        return chain;
    }
}
If you do finish your code I'd like you to tell me about it.
Bye.
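Bill's three requirements (is the certificate current, is the authority trusted, does it match the URL) and the keystore lookup in the reply above map onto standard JSSE calls. The following is an added example, not code from either poster: an X509TrustManager that runs all three checks during the handshake of an HTTPS POST, which also answers "before or during the post?" (during; the request body is never sent if a check fails). It assumes Java 7 or later, the JRE's own cacerts file with its default password, and a placeholder host name passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// The three checks Bill asks for (is it current, is the authority trusted, does the URL match),
// run inside the TLS handshake so a bad certificate stops the POST before any data is sent.
public final class ServerCertChecker {
    private final KeyStore trustStore; // CA roots, e.g. the JRE's cacerts
    public ServerCertChecker(KeyStore trustStore) { this.trustStore = trustStore; }

    // Check 1: every certificate in the chain is inside its validity period at handshake time.
    public static void checkDates(X509Certificate[] chain, Date now) throws CertificateExpiredException, CertificateNotYetValidException {
        for (X509Certificate c : chain) c.checkValidity(now);
    }

    // Check 2: the host we dialled appears as a dNSName subjectAltName (or, for old certificates
    // without SANs, as the subject CN). A wildcard "*.example.com" matches exactly one label and
    // must itself carry at least two labels, so "*.com" never matches.
    public static boolean matchesHost(X509Certificate leaf, String host) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) if (((Integer) san.get(0)).intValue() == 2) names.add((String) san.get(1)); // 2 = dNSName
        }
        if (names.isEmpty()) { // legacy fallback: CN from the subject DN
            for (String rdn : leaf.getSubjectX500Principal().getName().split(",")) if (rdn.trim().startsWith("CN=")) names.add(rdn.trim().substring(3));
        }
        String h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        for (String n : names) {
            n = n.toLowerCase(Locale.ROOT);
            if (n.equals(h)) return true;
            if (n.startsWith("*.") && n.indexOf('.', 2) > 0 && dot > 0 && h.substring(dot).equals(n.substring(1))) return true;
        }
        return false;
    }

    // Check 3: PKIX path validation from the leaf to a root in the trust store. This verifies every
    // signature, CA basicConstraints and key usage along the chain, which a plain "is some certificate
    // of the chain present in the keystore" lookup (as in the post above) does not.
    public PKIXCertPathValidatorResult checkPath(X509Certificate[] chain, Date now) throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = path.get(path.size() - 1);
        // If the server sent the root itself, drop it: the trust anchor is not part of the path.
        if (path.size() > 1 && trustStore.getCertificateAlias(last) != null) path.remove(path.size() - 1);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // CRL/OCSP checking is a separate decision
        params.setDate(now);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    // Wires the checks into an SSLSocketFactory; each failure surfaces as its own exception type.
    public SSLSocketFactory socketFactory(final String expectedHost) throws GeneralSecurityException {
        X509TrustManager tm = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                if (chain == null || chain.length == 0) throw new CertificateException("server sent no certificate");
                Date now = new Date();
                checkDates(chain, now); // throws CertificateExpiredException / CertificateNotYetValidException
                if (!matchesHost(chain[0], expectedHost)) throw new CertificateException("certificate is not issued for host " + expectedHost);
                try { checkPath(chain, now); }
                catch (CertPathValidatorException e) { throw new CertificateException("untrusted CA path: " + e.getMessage(), e); }
                catch (GeneralSecurityException e) { throw new CertificateException(e); }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                throw new CertificateException("this trust manager only validates servers");
            }
            public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> anchors = new ArrayList<>();
                try {
                    for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
                        Certificate c = trustStore.getCertificate(e.nextElement());
                        if (c instanceof X509Certificate) anchors.add((X509Certificate) c);
                    }
                } catch (KeyStoreException e) { /* empty list: trust nothing */ }
                return anchors.toArray(new X509Certificate[0]);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.example.com"; // placeholder; pass the real host
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // Assumption: the JRE's own cacerts file and its default password, as in the post above.
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            ks.load(in, "changeit".toCharArray());
        }
        ServerCertChecker checker = new ServerCertChecker(ks);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
        conn.setSSLSocketFactory(checker.socketFactory(host));
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().write("request=ping".getBytes("UTF-8")); // handshake and all three checks happen here
        System.out.println("HTTP " + conn.getResponseCode() + " from " + host);
    }
}
```

Run it as `java ServerCertChecker <host>`; an expired, mis-named or untrusted certificate aborts the handshake with the specific exception, and the POST body is never transmitted.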

Similar Messages

  • Steps involved in validating a server's certificate

    Hello All,
    I'm writing a custom trust manager and wondering if anyone can tell me all the steps that are involved in validating a certificate presented by the server during an SSL handshake. The following are the things I think are a must to check if a certificate is valid/trusted.
    1. Date verification: The certificate date is valid.
    2. Host name verification: The subject's common name matches the host name that your application is trying to connect to.
    3. Do you trust the CA: Check if the certificate is signed by a CA that you trust.
    Are there any other low level things that we need to check for? I looked at some of the J2SDK code... X509TrustManagerImpl, SimpleValidator etc. and they do a lot of other things which I never thought of. Can someone educate me a bit on this?
    I thought of using the default trust manager provided by Sun in my own trust manager as suggested in the JSSE reference guide. But I guess it is hard to find what exactly was the problem for not trusting a certificate, as the default implementation always throws CertificateException no matter what the case is. Instead, it would be nice to throw subclasses of CertificateException, such as CertificateExpiredException or HostNameNotValidException (this class does not exist in the API, of course). What are your opinions on this?
    Thanks
    Sai Pullabhotla

    Depending on whether or not your SSL container (e.g. servlet, etc.) has already done some of these things, you may want to think about these:
    1. IF you use CRLs, does the server cert exist in your CRL?
    2. In verifying the CA, if there's an intermediate one, you should also verify that the entire CA chain is valid and trusted by you.
    3. Purpose of the server cert. Does it meet your requirement?
    4. IF you use and require strong encryption, does the server cert support it?

  • SSL Certificate appears valid in Server Admin, but as expired in browsers

    I've imported a certificate from Thawte that expires June 29 2008. It shows the correct dates within the Certificates tab of Server Admin, and everything looks fine, but when I load an https: page on my server, the browser tells me that the certificate expired June 30 2007.
    This is a fairly new Mac Pro running OSX 10.5.2 Leopard Server, and Apache 2.2.
    If you click on the embedded icon from Thawte that links to their site for verification, it also shows that the certificate is valid.
    I've deleted and re-imported it a few times, and rebooted the server, but it always shows as expired in browsers.
    Sample page with link to Thawte;
    https://cstore.uvic.ca/index-ssl.lasso
    Thanks in advance to anyone who can help me get this fixed.
    Brad.

    Camelot,
    Thanks for the reply. I'm not offended by your suggestion that it's something simple that I've overlooked, rather I'm hoping that it is.
    I have selected the certificate on the appropriate site on the web panel. When you visit the site link in my original message, you'll see that the correct certificate is being served, but it appears as expired to the browser, even though it shows as valid in Server Admin.
    I also found it in the Keychain utility, and it also shows as a valid certificate there. I did find an entry in the Keychain utility for an earlier attempt at installing an expired certificate, so I deleted that entry.

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem authenticating with an LDAP server with a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued a new certificate which is valid for up to 5 years.
    Will Java authenticate for up to one year only?
    Can anybody help on this issue...
    Regards
    Ranga

    Sorry, I am getting the same error:
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    Here, when I use the old certificate and change the system date, I can get the authentication.
    Can you tell me where we should concentrate to solve the issue?
    Where is the issue:
    1. Need to check with the LDAP server only
    2. Problem in the Java code only.
    thanks in advance

  • Sun.security.validator.ValidatorException: No trusted certificate found

    Hello,
    I am using Java 1.6.0_04 (JBoss-4.2.2.GA application). My application implements a WS client which needs to integrate with an external Web Service. This communication needs to be handled through https.
    I have created a jks keystore with the server certificate, and passed its details to JBoss through the System Properties:
    -Djavax.net.ssl.trustStore=/Path-to-file -Djavax.net.ssl.trustStorePassword=password
    On my development environment I can call the Web Service correctly.
    Although, on the production environment, I am getting the following exception:
    javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
         at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:317)
         at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:255)
         at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
         at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
         at $Proxy171.send(Unknown Source)
         at com.xpto.integration.SmsHelper.send(SmsHelper.java:57)
         at com.xpto.services.sms.SMSSenderServiceMBean.run(SMSSenderServiceMBean.java:106)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: java.io.IOException: Could not transmit message
         at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:204)
         at org.jboss.ws.core.client.SOAPRemotingConnection.invoke(SOAPRemotingConnection.java:77)
         at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:337)
         at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
         ... 6 more
    Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker.
         at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:333)
         at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:135)
         at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
         at org.jboss.remoting.Client.invoke(Client.java:1634)
         at org.jboss.remoting.Client.invoke(Client.java:548)
         at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:183)
         ... 9 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:832)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
         at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:275)
         ... 14 more
    Caused by: sun.security.validator.ValidatorException: No trusted certificate found
         at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
         at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 26 more
    Both systems are configured with the same JBoss, JVM, ...
    The certificate details are:
    Owner=
      CN=*...., OU=..., O=..., L=..., ST=..., C=PT
    Issuer=
      CN=..., O=..., C=PT
    Version=3
    Serial Number=BC81A81843E26C2597CD10354588F61E
    Valid From=Monday, 3 March 2008 18:50
    Valid Until=Tuesday, 3 March 2009 18:50
    Signature Algorithm=SHA1withRSA
    Fingerprints=
        MD5:     0A:A6:89:92:A4:CF:17:74:7C:4E:20:63:6B:81:AE:85
        SHA1:    35:01:74:8C:35:AB:9F:02:7B:23:3F:15:5E:73:C6:4D:DD:BB:C0:7A
    Key Usage= critical
        List:
        . digitalSignature
        . keyEncipherment
        . dataEncipherment
        . keyAgreement
    Extended Key Usage= none
    On production I have also tried adding the following properties:
    -Djavax.net.ssl.keyStore=/Path-to-file -Djavax.net.ssl.keyStorePassword=password
    But I still get the error.
    Any one has any hint for this problem? Is there any property which I can define to ignore untrusted certificates?
    Any help would really be welcome.
    Thanks in advance.
    Best regards,
    Victor Batista

    Hi,
    Thanks for your prompt reply.
    I have also tried to add all the chain of certificates on my truststore, although I get the exception:
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 07 12:54:22 WET 2008
         at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
         at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
         at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 26 more
    And all the certificates are valid.
    I really don't understand what is going on.
    Can I Ignore expired certificates? Any property?
    When I use -Djavax.net.ssl.trustStore pointing to my keystore, will cacerts be also used?
    Do I need to import all the certificates in the chain of the server, or the top most is sufficient?
    The server where I am having the problem has limited connectivity. It should have connectivity to the issuers of the certificates, in order to validate them, or not?
    Thanks in advance,
    Victor

  • Missing the "Microsoft Exchange Server Auth Certificate"

    Hi Everyone,
    I have a single Exchange box.    
    Was integrating my Lync and Exchange and noticed some issues after configuring my Lync pre-reqs: http://technet.microsoft.com/en-us/library/jj721919.aspx
    Following the line of communication and event logs, I quickly saw that the error was not on my Lync Server, but on my Exchange.  The "Microsoft Exchange Server Auth Certificate" that is created during Ex2013 install was missing.
     It was not there to give out tokens for the Server to Server authentication required to integrate Lync, Exchange, and Sharepoint.
    Running Get-AuthConfig: http://technet.microsoft.com/en-us/library/jj215766(v=exchg.150).aspx
    pointed to a thumbprint that did not exist anymore.  
    I confirmed this by checking the local cert store (local computer>personal>certificates), looking in the ECP (servers>certificates), and also running Get-ExchangeCertificate
    In my Exchange Server event log, I found the following errors: 
    Log Name: Application
    Source: MSExchange Certificate Deployment
    Date: 6/8/2014 4:00:50 AM
    Event ID: 2005
    Task Category: General
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Federation or Auth certificate not found: ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.
    AND
    Log Name: Application
    Source: MSExchange OAuth
    Date: 6/8/2014 1:25:41 PM
    Event ID: 2004
    Task Category: Configuration
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Unable to find the certificate with thumbprint ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
    Googling has only produced one article that is about another issue that I would have found further down the line if I wasn't testing within the pre-reqs. The solution is the same, but the article is somewhat poorly written and does not respond to all the comments enough to leave one feeling it's 100% correct.
    http://blogs.technet.com/b/jenstr/archive/2012/11/22/getting-internal-server-error-500-when-creating...
    The broad strokes are clear:
    The fix is to create a new "Microsoft Exchange Server Auth Certificate" by using the following sequence of cmdlets In EMS on the MBX server:
    1. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp
    Do not accept to replace the SMTP certificate when prompted
    2. Note the thumbprint of the new certificate. Let us assume it is 7A39541F8DF58D4821967DD8F899B27410F7C081
    3. $a=get-date
    4. Set-AuthConfig -NewCertificateThumbprint 7A39541F8DF58D4821967DD8F899B27410F7C081 -NewCertificateEffectiveDate $a
    Accept to continue despite the fact that the certificate effective date is not 48 hours into the future
    5. Set-AuthConfig -PublishCertificate
    6. Make sure to remove any potential reference to the previous certificate (which might not exist anymore) by doing Set-AuthConfig -ClearPreviousCertificate.
    Remember to do iisreset on both CAS and MBX servers. Then finally, you can try to re-issue the New-CsPartnerApplication cmdlet.
    65 Million Dollar question:
    Is the syntax in part 1 correct? Two people say to add the domain? Jens responds, but it's vague. What would the correct command look like? I do not know where to add the -DomainName within the command and which name I should add? The FQDN of the CAS?
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Thank you everyone

    Hi,
    Yes, we need to specify a valid FQDN for either the Subject or the DomainName parameter. Please run the following command:
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Then follow the other steps in your posting to re-create the Microsoft Exchange Server Auth Certificate.
    Regards,
    Winnie Liang
    TechNet Community Support

  • The verification of the server's certificate chain failed

    Hi All,
    Not sure this is the right forum for this but never mind.
    I am trying to get abap2GApps working and am having problems with the client certificates.
    I am getting the below error in ICM :-
    [Thr 06] Mon Jul 30 09:34:47 2012
    [Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
    [Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 06] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
    ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
    [Thr 06] <<            End of Secude-SSL Errorstack
    [Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
    [Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
    [Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
    Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
    For accounts.google.com they use (this set works) :-
    1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    For docs.google.com they use a different set of SSL certs. :-
    1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Google Internet Authority, O=Google Inc, C=US
    3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Can anyone explain what I am doing wrong or how to correct this?
    Thanks
    Craig

    Further UPDATE
    After removing every certificate related to docs.google.com I still get the same error!
    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
    "Situation: The ICM is in the client role and the following entry is displayed in the trace:
    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
    Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
    What could possibly be causing this?
    Please help!
    Craig

  • Microsoft Exchange Server Auth Certificate Error

    I have a new install of Exchange Server 2013. I accidentally assigned the IIS service to the Microsoft Exchange Auth Certificate. Now I'm facing a problem connecting to the Exchange server from Outlook.
    The error shows:
    "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site name. Outlook is unable to connect to the proxy server. (Error Code 10)."
    The certificate shows the error:
    "This CA root certificate is not trusted because it is not in the Trusted Root Certificate Authorities store"
    Please help me...
    Thanks

    Hi Winnie,
    If I use a root CA from AD CA, can that solve this issue?
    Please see the result:
    [PS] C:\Windows\system32>Get-ExchangeCertificate | FL
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {DBH-EX01, DBH-EX01.deltabrac.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 12/19/2018 12:37:13 PM
    NotBefore          : 12/19/2013 12:37:13 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 30F29F3C289D448A4244C95D267B9976
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : 514DDBBDAB0878766B9D305A0D500CBEA334E109
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 12/18/2018 3:51:00 PM
    NotBefore          : 12/18/2013 3:51:00 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 2AAA1A565B385794473CE3AC8D3A85F4
    Services           : IIS, SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : 5E6026E8C9CC18BFE3684E58CD2876AC97A2514D
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {DBH-EX01, DBH-EX01.deltabrac.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=DBH-EX01
    NotAfter           : 12/11/2018 7:25:05 PM
    NotBefore          : 12/11/2013 7:25:05 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 1C611FA9102B64B3462A0100FEF74A12
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=DBH-EX01
    Thumbprint         : 2FD1A8D2141DCA036F3DD5BE1191FD1FB6966EE9
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-DBH-EX01}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-DBH-EX01
    NotAfter           : 12/9/2023 5:03:46 PM
    NotBefore          : 12/11/2013 5:03:46 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 4013857FC4683FA940C6DCC87A83A05F
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-DBH-EX01
    Thumbprint         : BAE5A99C48FDFDBDBDE1E158833F862BB977DC01

  • SCCM 2007 Site Server Signing Certificate - Any Way to Extend Life of Template

    Good morning,
    It looks like my Site Server Signing certificate can't be renewed past the five-year validity that the template was given. So, come Feb. 14th, I can't renew my existing Site Server Signing certificate. Is there any way to extend the life of the certificate template so I can just "renew" the existing certificate on my server as opposed to creating and distributing a new one? Thanks for any help anyone can provide.

  • TLS get server's certificate

    Hello,
    I'm connecting with java mail to a smtp server which offers STARTTLS. I would like to know if there is a way to get the server's certificate to my application using the java mail API. Basically, I just want to show the server certificate in the same way the openssl command does it:
    openssl s_client -connect 192.168.0.1:25 -starttls smtp -showcerts
    EDIT: ok I think I have to do this on a lower level with an SSL socket:
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket("127.0.0.1", 8888);
        socket.startHandshake();
        SSLSession session = socket.getSession();
        java.security.cert.Certificate[] servercerts = session.getPeerCertificates();
    The problem is that when I do not have the remote certificate in my keystore, the "startHandshake" will fail. What I want to do is to offer the user the possibility to accept/refuse the certificate. How can I do this?
    EDIT2: I did the following workaround by implementing a dummy X509TrustManager : http://forums.sun.com/thread.jspa?threadID=183410
    But now I don't know how to first connect in the clear, then issue STARTTLS and then use an SSL socket to get the certificate.
    Thanks,
    Tex
    Edited by: Tex-Twil on Jul 13, 2010 2:31 AM
    Edited by: Tex-Twil on Jul 13, 2010 2:56 AM

    I think I found a solution. Basically I connect manually to the smtp using a normal socket, issue "EHLO" and "STARTTLS" commands. Then I wrap the clear socket into a SSL Socket and start the handshake. Then I can get the certificates:
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintWriter;
    import java.net.Socket;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class StartTlsCertFetcher {

        public static void main(String[] args) throws Exception {
            // 1. Plain TCP connection to the SMTP port; the old
            //    Security.addProvider(com.sun.net.ssl...) call is not needed on current JDKs.
            Socket clearSocket = new Socket("192.168.0.1", 25);
            PrintWriter out = new PrintWriter(clearSocket.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(clearSocket.getInputStream()));
            readServerResponse(in);            // 220 greeting
            out.print("EHLO test\r\n");        // SMTP lines end in CRLF
            out.flush();
            readServerResponse(in);            // 250 capability list (should include STARTTLS)
            out.print("STARTTLS\r\n");
            out.flush();
            readServerResponse(in);            // 220 ready to start TLS

            // 2. Wrap the already-connected socket in TLS and run the handshake
            TrustManager[] tm = { new RelaxedX509TrustManager() };
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tm, new java.security.SecureRandom());
            SSLSocketFactory factory = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) factory.createSocket(clearSocket, "192.168.0.1", 25, true);
            sslSocket.startHandshake();
            Certificate[] servercerts = sslSocket.getSession().getPeerCertificates();
            for (Certificate c : servercerts) {
                System.out.println(c);
            }
            sslSocket.close();
        }

        // Reads one (possibly multi-line) SMTP reply. A reply continues while the
        // 4th character of a line is '-' ("250-...") and ends with "250 ...".
        private static String readServerResponse(BufferedReader in) throws IOException {
            StringBuffer buf = new StringBuffer(100);
            String line;
            do {
                line = in.readLine();
                if (line == null) {            // connection closed by the server
                    if (buf.length() == 0)
                        buf.append("[EOF]");
                    break;
                }
                buf.append(line);
                buf.append("\n");
            } while (isNotLastLine(line));
            System.out.println(buf.toString());
            return buf.toString();
        }

        // Not in the original post; reconstructed from the SMTP multi-line reply rule.
        private static boolean isNotLastLine(String line) {
            return line.length() >= 4 && line.charAt(3) == '-';
        }

        // Dummy trust manager: accepts any chain so the handshake succeeds and the
        // certificates can be retrieved for display. It performs no validation at all.
        static class RelaxedX509TrustManager implements X509TrustManager {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];   // null here can cause NPEs in some stacks
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
        }
    }
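    A trust-all manager is fine for fetching the chain to display, but it must not be the one used for the real mail session. As an added example (not code from this thread), here is a trust manager that records the server chain so it can be shown to the user, yet only lets the handshake succeed when the leaf certificate's SHA-256 fingerprint is one the user accepted earlier; AcceptOrRefuseTrustManager, fingerprint and describe are assumed names.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

// Records the server chain for display but never trusts it by itself: the handshake
// only succeeds when the leaf certificate's SHA-256 fingerprint was accepted before.
public class AcceptOrRefuseTrustManager implements X509TrustManager {
    private final Set<String> acceptedFingerprints; // hex SHA-256 of accepted leaf certs
    private X509Certificate[] lastChain;
    public AcceptOrRefuseTrustManager(Set<String> acceptedFingerprints) {
        this.acceptedFingerprints = acceptedFingerprints;
    }
    public static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02X", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
    // Text to show the user before asking accept/refuse.
    public static String describe(X509Certificate cert) throws CertificateException {
        return "Subject: " + cert.getSubjectX500Principal() + "\n"
             + "Issuer:  " + cert.getIssuerX500Principal() + "\n"
             + "Valid:   " + cert.getNotBefore() + " to " + cert.getNotAfter() + "\n"
             + "SHA-256: " + fingerprint(cert);
    }
    public X509Certificate[] getLastChain() { return lastChain; }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        lastChain = chain; // kept so the caller can display it after a refused handshake
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        chain[0].checkValidity(); // expired or not-yet-valid certificates are refused outright
        String fp = fingerprint(chain[0]);
        if (!acceptedFingerprints.contains(fp))
            throw new CertificateException("server certificate not yet accepted: " + fp);
    }
}
```

    Pass it to SSLContext.init in place of RelaxedX509TrustManager; when startHandshake fails with SSLHandshakeException, call getLastChain() and describe() to prompt the user, and on accept store the fingerprint and reconnect, since a refused handshake cannot be resumed.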

  • Use custom not ConfigMgr SQL Server Identification Certificate

    Hello,
    I noticed that during the database creation steps in System Center 2012 Configuration Manager, the SQL server's instance gets assigned an SSL certificate called ConfigMgr SQL Server Identification Certificate. I currently have one that I have assigned by our own PKI solution as I am pointing this to our SQL cluster.
    Is there any way to use my PKI issued certificate over the self-signed one that gets deployed by System Center during the installation process? When I use my own PKI issued certificate, System Center is unable to connect saying there is an issue with the certificate (which I know is untrue as other applications can communicate to the cluster fine with my PKI issued certificate).
    Thanks in advance!

    Hi,
    This technet article might be of more help.
    PKI Certificate Requirements for Configuration Manager
    http://technet.microsoft.com/en-us/library/gg699362.aspx
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • How to get a server chain certificate

    Hi all,
    I'm installing SSL on Bea Logic server 6.0, but I don't know how to get a server chain certificate.
    Does anybody know how to get this certificate?
    Also, I read in the e-docs site that we can use utility der2pem and vice versa to convert between them, but I don't know where to get the tools. (It's not in the utils.jar)
    thanks for any answer.
    Uy

  • Error: -26  Detail: no valid destination server available for '!ALL' rc=14

    Hello,
    I can access portal, but when I click on a link I receive the error message below:
    500 Dispatching Error
    Error: -26
    Version: 7000
    Component: HTTP_ROUTE
    Date/Time: Thu May 27 11:18:55 2010 
    Module: http_route.c
    Line: 3139
    Server: PCLIWDI1_WDP_01
    Error Tag:
    Detail: no valid destination server available for '!ALL' rc=14
    © 2001-2009, SAP AG
    The web dispatcher is UP. In the instance profile on the web dispatcher, I have the data below:
    SAPSYSTEMNAME = WDP
    SAPGLOBALHOST = PCLIWDI1
    SAPSYSTEM = 01
    INSTANCE_NAME = W01
    DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    Accesssability of Message Server
    rdisp/mshost = pclieci1.oranginagroup.net
    ms/http_port = 8080
    Configuration for large scenario
    icm/max_conn = 16384
    icm/max_sockets = 16384
    icm/req_queue_len = 6000
    icm/min_threads = 100
    icm/max_threads = 250
    mpi/total_size_MB = 500
    mpi/max_pipes = 21000
    SAP Web Dispatcher Ports
    ##icm/server_port_0 = PROT=HTTP,PORT=1080
    Capgemini - RGC. SSL
    DIR_INSTANCE = G:\usr\sap\secudir
    DIR_HOME = G:\usr\sap\WDP\W01\work
    icm/server_port_0 = PROT=HTTP,PORT=8001
    icm/server_port_1 = PROT=HTTPS,PORT=1080
    icm/HTTPS/verify_client = 0
    wdisp/ssl_encrypt = 0
    wdisp/add_client_protocol_header = true
    wdisp/shm_attach_mode = 6
    ssl/ssl_lib = G:\usr\sap\secudir\sapcrypto.dll
    ssl/server_pse = G:\usr\sap\secudir\SAPSSLS.pse
    is/http/default_root_hdl = abap
    #icm/HTTP/redirect_0 = PREFIX=/sap/bc/gui/sap/its/webgui, HOST=pclieci1.oranginagroup.net, PORT=1080
    I have the same error when I launch https://WDISERV:1080
    Thanks for help

    Following the check i did, please find out the result:
    C:\Users\wdpadm>sapwebdisp pf=G:\usr\sap\WDP\SYS\profile\WDP_W01_PCLIWDI1 -check
    config
    Checking SAP Web Dispatcher Configuration
    =========================================
    maximum number of sockets supported on this host: 32768
    Server info will be retrieved from host: pclieci1.oranginagroup.net:8080 with protocol: http
    Checking connection to message server...OK
    Retrieving server info from message server...OK
    Message Server instance list:
    ---------------+----------+-----------+------------+
     instance name | hostname | HTTP port | HTTPS port |
    ---------------+----------+-----------+------------+
    ---------------+----------+-----------+------------+
    ERROR: no servers in list
    Check ended with 1 errors, 0 warnings

  • Validating Essbase server connection

    Hello Everyone
         I installed and configured EPM 11.1.2.2. After running the validate.bat file I found the error for validation Essbase server connection to my server name. The error is as follows
    FAILED
    EAS: Essbase Server
      Validating Essbase Server startup using MaxL command
    Error: EPMVLD-01010: Cannot connect to Essbase Server using MaxL.
    Recommended Action: Check Essbase Server is started.
    68 seconds
    FAILED
    EAS: Essbase Server
      Validating Essbase Server connection to EPM122
    Error: Cannot connect to olap service. Cannot connect to Essbase Server at "EPM122:1423". Network error [10061]: Failed to connect to [EPM122:1423]
    Recommended Action: Check Essbase Server is started.
    16 seconds
    Please Provide me a solution for this error

    Thanks John for addressing my issue
    yes I've checked the logs
    The Essbase agent log is the one I was interested into. The logs are as follows
    Fatal Error: Unexpected Condition detected at Shared Services, please check Essbase.log
    [Thu Jun 20 22:58:14 2013]Local/ESSBASE0///5064/
    Info(1051283)
    Retrieving License Information Please Wait...
    [Thu Jun 20 22:58:14 2013]Local/ESSBASE0///5064/Info(1051286)
    License information retrieved.
    [Thu Jun 20 22:58:15 2013]Local/ESSBASE0///5064/Info(1311019)
    Classpath during JVM initialization: [;C:\Oracle\Middleware\EPMSystem11R1\common\jlib\11.1.2.0\epm_j2se.jar;C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\java\essbase.jar;C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\java\essbaseRegistry.jar]
    [Thu Jun 20 22:59:00 2013]Local/ESSBASE0///5064/Info(1051199)
    Single Sign-On Initialization Succeeded !
    [Thu Jun 20 22:59:00 2013]Local/ESSBASE0///5064/Info(1056815)
    Essbase  - Release 11.1.2 (ESB11.1.2.2.100B2166)
    [Thu Jun 20 22:59:00 2013]Local/ESSBASE0///5064/Info(1051232)
    Using English_UnitedStates.Latin1@Binary as the Essbase Locale
    [Thu Jun 20 22:59:01 2013]Local/ESSBASE0///5064/Error(1051518)
    Essbase  global application does not exist at Shared Services

  • WRVS4400n, QuickVPN, Server's certificate doesn't exist on local computer

    Hi,
      I bought a new WRVS400n recently because it had Gigabit speed, wireless n and a built in VPN server. The device works perfect except for the Quick VPN client. I'm a system engineer so I thought I could set it up quite easy just like any other device I configured in the past. Painful, but it isn't like this.
      I set up the VPN on the WRVS4400n and generated a certificate. I saved both the client and admin certificate to my pc, I gave them a name to easily make up the difference between both of them. When placing the certificate in the installed QuickVPN folder, it doesn't seem to get recognised by the QuickVPN software. When I try to connect, it says 'Server's certificate doesn't exist on your local computer'. I guess the naming convention must meet some kind of format, is that correct? If so, this should have been described in the documentation.
      Besides that I checked if the required ports used by the VPN server are open on the public port of the device, that is the case. So it seems I'm quite close to getting it working.
      The version of QuickVPN I used is 1.4.2.1.  The WRVS4400n has the latest firmware loaded.
    Kind regards,
    Pieter.

    >I set up the VPN on the WRVS4400n and generated a certificate.  I saved both the client and admin certificate to my pc
    The "certificate for client" should be saved as a .pem file and copied into the install directory of QuickVPN client.
    The "certificate for admin" is used as a backup, which can be used to re-provision the router in case admin needs to reset the router to factory default for any reason. 
