What is an acceptable SSL Cert vendor?

Similar Messages

• How to get OS X to accept an SSL Cert the way other UNIX clients do?

  I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
  I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
  On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
  On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
  How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
  I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
  Any suggestions would be appreciated.
  Thanks in advance--
  =N=

  when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
  what unix apps are you using to connect to this server?

• Webserver refuses to take SSL cert

  My SSL cert is installed on my server and when I go to Settings pane in Server.app for the host and edit "SSL Certificate" and choose my cert, the UI will collapse the pane below showing the various services. This is because it applies the cert to all services. When I click OK to accept the setting, it should show my cert right after "SSL Cert:" because should now be applied to all services.
  Instead it shows "Custom". When click th "Edit" button again to see whats going on, it shows that all services are using my cert - except the last one - "Websites (Server Website - SSL)"
  For that, is simply shows "None". Changing it to my cert then clicking OK, has no effect. It just reverts back to "None".
  Apache wont start because there is no cert specified and specifying it manually in ..
  "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
  ..does no good because OS X simply overwrites it from some place.
  So at this point it's impossible to get Apache going on this host. The Server application refuses to accept my cert for the website. I dont get any errors and I dont see any in the logs either pertaining to some failure to apply the setting.
  Any ideas?

  I forgot to mention that when the Certificate Assistant ask for the Issuer in one of its screen, choose the Intermediate CA certificate. Also, the four PEM files is created in /etc/certificates.
  On a fresh Server app install after your get OD Master running or after you have done the web:command=restoreFactorySettings, visit Server app Certificates screen and Custom select the just created Leaf SSL Certificate next to the Web (Default Server - SSL). This will create the default SSL certificate in the Web service window.
  Also, if any one of the three *conf files are missing in the sites folder, Server app will hose the folder by renaming it as sites-unusable-nnnn and recreate a fresh sites folder with fresh copies of the *.conf files. In addition, if you read the comments within the 0000_any_80_.conf and 0000_any_443_.conf files, there are certain apache http directives which are off-limits to administrator as Server app will modify their values. It suggests that you create a .conf files with your amendments (of course, they must be within the Virtual Host context) and use an Include directive or through the use of the WebApps mechanism.
  Furthermore, you must not set a specific IP address for all your virtual hosts but use Any instead. Since I want to use the built-in Wiki service, I have added wiki.domain.com as Additional Domains for both the Default Servers (since the Default Servers refuse to use ServerName). For my case, since I have multiple IP addresses, I have to specifically amend the virtual_host_global.conf file with a static IP address for the Listen 80 and 443 directives, and since Server app will undo the amendment within the sites folder, I have to bring the virtual_host_global.conf file up one level to the apache2/ folder, amend httpd_server_app.conf to load this virtual_host_global.conf file instead...see below the relevant section of my httpd_server_app.conf file:
  <IfDefine WEBSERVICE_ON>
      Include /Library/Server/Web/Config/apache2/sites/0000_*.conf     <--- instead of "*.conf"
  </IfDefine>
  <IfDefine !WEBSERVICE_ON>
  #    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_80_.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf
  </IfDefine>
  Include /Library/Server/Web/Config/apache2/virtual_host_global.conf
  Include /Library/Server/Web/Config/apache2/httpd_server_app_tweaks.conf
  The httpd_server_app_tweaks.conf file is my performance tweaks (e.g. StartServers, MinSpareServers, etc.)
  So Server app can happily modify the virtual_host_global.conf file within the sites folder but my settings remain safe one level up.

• Dreaded "must be configured to use a valid SSL cert" - 2008 R2

  Hello everybody,
  I've been browsing through hundreds of topics on the dreaded "The RD Gateway server must be configured to use
  a valid SSL certificate" error using BPA (Windows Server 2008 R2 Std), but still haven't found a proper solution.
  Here's the issue: RDGW not operating properly and sometime accepting connections, sometimes not. 
  I have an external domain example.com and internally, the domain is example.local. I have one server serving Exchange and RD, this is the server responding to mail.example.com and I have an StartSSL issued cert for mail.example.com, which is properly configured
  on the server (OWA is working properly with autodiscover etc.). SSL bindings seem alright, default site is using the mail.example.com SSL cert.
  If I open the RDGW Manager and go to the SSL Certificate tab, the system looks happy by having the cert installed, everything looks fine. Sometimes I even manage to connect - connection is successful, I can normally connect to any of the servers or computers.
  On a second attempt, I just get the message, that the logon attempt had failed. If I run BPA on the server, I get the error of not having a proper SSL cert. If I select a self-signed cert, then also the BPA goes through, but then I have problems with connections
  since everybody would need this cert to have installed.
  From what I read, my problems are related to the issue that the FQDN of my server is servername.example.local and the cert is issued to mail.example.com. How can I make the thing only to talk via the mail.example.com cert? I don't think I can get a cert
  that'd also contain a SAN of servername.example.local from the CA.
  What can I do?

  Hi Andrej,
  Thanks for posting in Windows Server Forum.
  Here providing you the article for BPA’s configuration logs, where you can check. It also states that certificate are main problem related to this error. Please check certificate which you have bound have FQDN name of gateway server, the certificate is SSL
  certificate and it’s a trusted certificate. Also check that certificate which you have importing to RD gateway must be in local computer/personal store. For more information refer below article.
  1. Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway
  implementation
  2. RDS: The RD Gateway server must be configured to use a valid SSL certificate
  In addition, you need to specify the FQDN name of RD gateway under
  DefaultTSgateway in IIS setting. Please go through below article for details.
  RD Gateway/Web Access Outside the Firewall
  Hope it helps!
  Thanks,
  Dharmesh

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie

• SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

  I utilized the idea from
  http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
  installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
  feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
  I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
  this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
  I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
  cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
  What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• Install GoDaddy Wildcard SSL cert on GW WebAccess - ver.8

  I have followed all of the documentation regarding generating a CSR, creating the new eDirectory object from which that CSR is generated, then subsequently downloading and doing the "read from file" SSL cert installation, and it won't validate.
  I have a NetWare 6.5, SP8 server running Apache/Tomcat and it's our GroupWise WebAccess server (version 8).
  I want to encrypt the sessions as well as the authentication from the GW WebAccess login screen (right now, it's just http://).
  Our institution purchased a wildcard, unlimited subdomain, SSL certificate from GoDaddy to use for this, and other, SSL cert. needs.
  No matter what I do, it won't work.
  I am using ConsoleOne to create the new eDirectory object according to the documentation, generate the CSR, and install the certificate, but to no avail.
  Can anyone help?

  Originally Posted by AndersG
  Fmcunningham,
  > > I am looking at installing a cert as well. I have NOWS SBE 2.0
  > > upgrading to SBE 2.5 this weekend and would like to add a CA Cert. Do I
  > > need a Wild card cert to be able to accomplish this?
  >
  Only difference between a wildcard and a regular (apart from price) is that
  a wildcard covers all hosts in a domain,. Ie *.acme.com, whereas a regular
  cert only covers a named host, homer.acme.com
  - Anders Gustafsson (Sysop)
  The Aaland Islands (N60 E20)
  Novell has a new enhancement request system,
  or what is now known as the requirement portal.
  If customers would like to give input in the upcoming
  releases of Novell products then they should go to
  http://www.novell.com/rms
  I am running SBE 2.0 upgrading soon to SBE 2.5. I am not using sub domains, so I think I should be fine with just a normal cert. The real reason I want to go with a cert from a CA instead of a self signed is for webaccess.

• Wildcard SSL Cert on ASA 5500

  What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert?  I'm running 8.2.5 code.

  Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.
  Sent from Cisco Technical Support Android App

• SSL Cert Renewal w/Org Name Change

  Hello,
  We get our SSL certs from a central agency that deals with Verisign. The central agency changed their name, which changes the Organization Name on the cert. That prevents the cert from being imported by the server. On the advice of a Windows admin, I tried to fake it by creating a new site on that server, importing the new cert (all good), but then the new server won't start.
  Is there a better way to get the new-org-named cert accepted by the original site?
  Steve Kayner

  Are you talking about changing your SMTP domain name? Or you want to change AD DS domain name? If you want to change/add SMTP domain that you Exchange is using, just add accepted domain that you wish to use.
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• SSL Cert used to sign Jars for distribution via WebStart

  Hi,
  I have an SSL cert (Comodo InstallSSL) for my website and wondered if I can use it to sign jars so, when distributed via webstart, the old "untrusted source" message doesn't get displayed. I've been doing a lot of reading but, to be honest, I can't really find my bearings! I have imported the cert into my keystore but get the message when I try to sign a jar:
  Certificate chain not found for: myalias  myalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.I have the following files in relation to my cert:
  xxx.cabundle (this can be imported into keytool easily)
  cert/xxx.crt (looks like a PGP file, cannot be imported (-import) into keytool)
  private/xxx.key
  My questions I suppose are:
  1. Can I use a cert issued for SSL to sign jars for webstart distribution?
  2. If yes to 1; what steps other than importing the cert alone (which generates the message above) do I need to do to achieve this?
  Any help would be appreciated!
  Rich

  Hi,
  yes, the pkcs12 certificate includes the private key, as opposed to pb7 which does not.
  Sent from Cisco Technical Support Android App

• Multiple SSL Certs in one SSL Proxy/VIP

  Guys
  I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  Ive created alot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
  However Im not sure how are take two different SSL certs, and bind them to the same SSL Proxy, inorder for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port something like 8443, and adding another class under the multi-match policy.
  Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
  Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?
  Thanks

  Cathy
  Thanks for the reply, thats what i was thinking. we use wild card certificates for several of the other domains, how we need to provide  certificates for www.website.com and ww2.website.com due to cost.
  Is it possible to replace the L4 policy map, with a straight L7 so that we are load balancing directly on URL as apposed to verifying L4 matches first?  Or would this not be advisable / possible.  I always thought it was the L4 policy that made the VIP proxy?
  Can SAN certs not be used in this example?
  Thanks

• [SOLVED]/etc/ssl/certs/ca-certificates.crt missing from fresh install?

  Hi!
  I was wondering if any of you could understand why I need to reinstall ca-certificates post-install, so as /etc/ssl/certs/ca-certificates.crt gets generated back?
  I'm installing from a netinstall x86_64 image with automatic AIF profile and from [testing] repo?
  Since the file gets made when installing post-install, then I thought that it was rather an install issue instead of a [testing] one? I dunno...
  I've just run a new install from the usb stick, and still the same, and pacman.log states that ca-certificates is installed fine, but again the file is missing and I get complaints in vt1 when browsing https sites and when using curl and such, unless I do a reinstall of ca-certificates...
  Thanks in advance!
  -- EDIT --
  Problem solved by latest perl from testing repo...
  Last edited by mhertz (2012-01-03 01:40:16)

  .. Just wanted to add that of course I know that the ca-certificates.crt isn't in the actual package, but that it _should_ be generated by running update-ca-certificates from the packages install script, but just isn't upon install...
  The package is also out of testing now and in core I see...
  Anyway, to fix this, I guess I just need to add an extra chroot command in my AIF config which runs 'update-ca-certificates --fresh', since atleast that works i.e. generates ca-certificates.crt, but i've only tried it post-install, and I don't want to do another install again, as I did 2 yesterday...
  Again, if anybody could help me with some kind of explanation or theory or whatever for this, then I would really appreciate it!
  I _do_ think that the update-ca-certificates command is run correctly during install, as else I guess I wouldn't have all these symlinks in my /etc/ssl/certs/ folder, but then why it dosen't generate that additional ca-certificates.crt file, I really do not understand...
  Thanks in advance!
  (I don't want to report an error before being absolutelly sure that it is an actual error and that I know exactly what i'm talking about in the report...)
  -- EDIT --
  I just did a "normal" test-install of arch64-net in a VM, i.e. without using AIF's automatic procedure, and just selected the core repo and to install base(wget depends on ca-certificates), and in the output there where reported:
  Installing ca-certificates... Error: Command failed to execute correctly.
  There weren't anything more specific in /var/log/{pacman,aif}.log about this, and again there where no ca-certificates.crt generated, and it first appeared after manually running update-ca-certificates post-install...
  I'm gonna make a bug-report on the bugtracker now then...
  Last edited by mhertz (2011-12-21 03:16:40)

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Creating "Valid" SSL Cert

  Hi.
  I have a small webserver and I want to run ssl for my webmail and I created a ssl cert by running
  openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
  Firefox 2, and IE 7 both give me a nice warning that the cert might not be valid. Firefox 3 (cvs) however completely blocks from going the site. So how can I make a "valid" ssl cert?
  Thanks!

  Well I found how to do it...
  http://boblord.livejournal.com/18402.html wrote:To override the error, you need to create an exception. The SSL exception dialog is located in the Preferences window, under Advanced/Encryption/View Certificates. Once there, click on the Servers tab, and then on "Add Exception...". The UI should be straightforward from there.
  It suppose to be a new feature, but I do hope they add some button to easily add a cert or else I'm afraid the user base might drop drastically as there are many sites that have "untrusted" ssl certs.
  For those interested in seeing what the error looks like... http://mezoko.net/stuff/fxsslcerterror.png