Why ASA creates self assigned certificate on each reboot

Similar Messages

• How do we create self-signed certificate using java packages

  Hi All,
  I require some information on creating self-signed certificate using java packages.
  The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key – and hence regenerate the fingerprints etc. – and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
  I want to do the equivalent of ‘keytool –selfcert’ from java code. Please note that I am not trying to do this by using the keytool command line option – it is always a bad choice to execute external process from the java code – but if no other ways are found then I have to fall back on it.
  Regards,
  Chandra

  I require some information on creating self-signed certificate using java packages. Its not possible because JCE/JCA doesn't have implementation of X509Certificate. For that you have to use any other JCE Provider e.g. BouncyCastle, IAIK, Assembla and etc.
  I'm giving you sample code for producing self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle its open source and free.
  **Generating and Initialising the Public and Private Keys*/
    public KeyPair generateKeys() throws Exception
        //1 - Key Pair Generated [Public and Private Key]
        m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
        m_objkeypair = m_objkeypairgen.generateKeyPair();
        System.out.println("Key Pair Generated....");
        //Returns Both Keys [Public and Private]*/
        return m_objkeypair;
  /**Generating and Initialising the Self Signed Certificate*/
    public X509Certificate generateSSCert() throws Exception
      //Creates Instance of X509 Certificate
      m_objX509 = new X509Certificate();
      //Creatting Calender Instance
      GregorianCalendar obj_date = new GregorianCalendar();
      Name obj_issuer = new Name();
      obj_issuer.addRDN(ObjectID.country, "CountryName");
      obj_issuer.addRDN(ObjectID.organization ,"CompanyName");
      obj_issuer.addRDN(ObjectID.organizationalUnit ,"Deptt");
      obj_issuer.addRDN(ObjectID.commonName ,"Valid CA Name");
      //Self Signed Certificate
      m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info:
      m_objX509.setSubjectDN(obj_issuer); // Sets Subjects Info:
      m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
      m_objX509.setPublicKey(m_objkeypair.getPublic());// Sets Public Key
      m_objX509.setValidNotBefore(obj_date.getTime()); //Sets Starting Date
      obj_date.add(Calendar.MONTH, 6); //Extending the Date [Cert Validation Period (6-Months)]
      m_objX509.setValidNotAfter(obj_date.getTime()); //Sets Ending Date [Expiration Date]
      //Signing Certificate With SHA-1 and RSA
      m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate()); // JCE doesn't have that specific implementation so that why we need any //other provider e.g. BouncyCastle, IAIK and etc.
      System.out.println("Start Certificate....................................");
      System.out.println(m_objX509.toString());
      System.out.println("End Certificate......................................");
      //Returns Self Signed Certificate.
      return m_objX509;
    //****************************************************************

• Exchange 2007 self assigned certificates

  Hello
  we are receiving the following event 12018.......
  The STARTTLS certificate will expire soon: subject: remote.domain.com, hours remaining: BB13C8B6855C95ABDB325D7ED3254CAD19723E75. Run the New-ExchangeCertificate cmdlet to create a new certificate. We ran through the steps of creating a new certificate and
  it expires in 2020.
  Why are we continuing to receive this event?
  Thank you

  Hi,
  The Event 12018 in your original posting indicates that the certificate BB13C8B6855C95ABDB325D7ED3254CAD19723E75 would be expired. You have 2020 hours to renew a certificate by using New-ExchangeCertificate cmdlet.
  Please check whether there is any error when you use Exchange service. If the certificate issue still persists, please run the following command to check your Exchange certificate configuration:
  Get-ExchangeCertificate | fl
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• Cookbook for creating Self Signed Certificates using certutil

  Hi,
  I am trying to create a self signed certifcate for internal use. Can anyone point to a step by step procedure? The few that I have found on the web don't seem to work.
  Thanks
  david

  Check out the examples at the bottom of this page:
  http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

• Why does extension loader check extension's certificate during each loading?

  Hello,
  We are having some problems with an expired code signing certificate.
  We sell a commercial extension which is signed with our code signing certificate. Recently our certificate expired, and we started to receive reports that our extension had stopped working in CS5.
  It looks like CS5 checks the extension's certificate not only during installation, but also at each loading.
  This behavior looks like a serious bug in Creative Suite extension loader since all certificates will expire sooner or later, and this means that all extensions are doomed to stop working at some point, unless they are timely updated.
  Why does CS5 check the certificate at each start up? This doesn't make sense at all, certificates are only used to check that the code is authentic during installation. An authentic extension cannot turn into malware after installation, so there is absolutely no point in checking the certificate after installation.
  Can someone from the CS SDK team comment on this issue? This turned into a major problem for us.
  Thank you in advance,
  Anatoly Paraev
  PixelNovel 

  Anatoly, let me summarise my thoughts/findings on this:
  - Your extension's signature is invalid now that your certificate has expired (as you have reported)
  - Your extension's signature is not timestamped with a timestamp certificate. A signature without a timestamp is only valid till the signing certificate expires. A signature with a timestamp is valid until the timestamp certificate expires, typically a much longer period.
       - As you can infer from this, Extension Builder does not create timestamped signatures and does not give any warning about this. Apologies that we failed to anticipate this problem during CS SDK and Extension Builder development. You will probably agree this is not good enough, and I have filed a bug (#2916071) to ensure this is dealt with in future releases.
  As I mentioned earlier, extension signature validation is performed on extension load to ensure an extension's footprint has not been maliciously modified since installation. I think it is very unlikely that we can remove this signature validation for security reasons, nonetheless I've started a conversation about it internally and can let you know the outcome.
  To help your users now, I think you will need re-sign and re-deploy your extension with a new certificate. So you can timestamp the signature, use ucf.jar in the Packaging and Signing Toolkitto sign the extension rather than Extension Builder. Pass the argument -tsa=<your_chosen_timestamp_server> to ucf.jar when signing and check the signature is timestamped

• "Self Assigned IP Address" - connected, no internet access

  I have a Netgear WGT624 v2 wireless router that is hard wired to one iMac while other laptops have wireless access to it. This set-up has been working fine for awhile - but now the laptops are saying that they are connected via the router, but they've created "self assigned IP addresses."
  I called Netgear tech support and they had no answers, all they would do was make sure that the laptops were able to find the router, which they can, they just can't connect. Why are they creating their own IP addresses?
  Is there a solution to this problem? What causes it?

  Check your setup in the router for wireless clients. Log on to it and make sure that DHCP is enabled if you use it and you are in infrastructure mode ( wired/wireless combo ). Also, if the clients are B or G mode, make sure the router is set correctly to that mode or mixed. If the IP addresses are 169.254.xxx.xxx then they aren't really getting an address ( this may only happen in Windows, don't remember). If you don't use MAC address filtering for security, a blank list could have been turned on........ anyways, go through all your router configurations for wireless and make sure they are the same or close to the settings for the wired Mac that works. Probably just a checkmark somewhere that isn't supposed to be. Has anyone been in there messing with it? Good luck.
  Michael
  MBP 2.16 & 20" iMac Core Duo   Mac OS X (10.4.5)   Large Windows network & Canon DSLRs

• Using an ASA 5505 as a Certificate Authority and Distribution Point?

  I had a question about the limitations of an ASA 5505 and using it as CA. The setup would be as follows:
  2 ASA 5520's in set up for high availability failover.
  1 ASA set up with a local CA server.
  If I had to set up VPN to connect to an interface on the ASA 5520's and wanted to require certificates as a secondary authentication could they use an ASA 5505 as a CA to retrieve and verify stored certificates? The issue I ran in to was not being able to set up a local CA server on the failover pair and was hoping to use an ASA 5505 with a local CA server to act as a distribution point. I have been researching various configurations similar to this but have not found definitive information if it is even possible.
  If someone could verify if this is even possible and / or point me in the right direction it would be greatly appreciated.
  Thank you,
  Rick

  You can only create self signed certificates using the ASA, or import a identity certificate from a 3rd party CA.  The ASA unfortunately can only issue user certificates to users or PCs via downloading from a website, they cannot complete CSR requests.

• Portal Self Sgned Certificates

  Gurus,
  Is there a way to create self signed certificates for use in portal for development/testing purposes.
  If so pls let me know the way to create those.
  I want to test out SSL in my SP11 Sneak preview system.
  Thanks.
  Nirmal

  hi
  please go through this link
  http://help.sap.com/saphelp_nw04/helpdata/en/94/f2503ede925441e10000000a114084/content.htm it gives you lot more detail
  http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
  Use the self-signed certs first to get the configuration proper.
  Use SAP-TCS (alias /tcs) certs to test with signed certificates, they are only good for a limited time so you will ultimately need real ones, from SAP or some other authority
  When you use X.509 certs this is NOT THE SAME as MYSAPSSO2 cookies. Yes, the cookie is in X.509 format but it is NOT AN X.509 certificate.
  For X.509 certs you MUST use SSL and you MUST import the root certificate of the CA that issued the clients their X.509 certificates. You also need to assign the root cert to a specific TCP port. SSL is implemented at the socket level.
  hope this helps u
  please don,t forget to give points
  with regards
  subrato kundu

• Safari could not establish secure connection to my localhost with self signed certificate

  was using maven+grizzly+jersey to start my own server. I created self signed certificate so that my server can support https. I case you are curious, following is how I generated my certificate
  I was testing this on my iMac (Running Mavericks) Now, I added the server.cert to the system keychain so that all users can trust this certificate. Also, I change the trust level to "Always Trust".
  I get this work in Chrome and Firefox. They asked me to add exception for this certificate, I did and then everything goes fine. However, I have never make Safari(7.0) happy. I always get the error saying that Safari cannot establish secure connection to my localhost.
  Does anyone have any idea why it happened? Or is there better way to debug this problem so that I will be able to tell at which step things goes wrong.
  Thank you in advance. I really appreciated it.

  Any help much appreciated!

• Virtual Machine Manager. Assigning certificate.

  Hi all.
  I'm deploying hyper-v cluster with VMM managment.
  I have wildcard certificate for my domain.
  I've attached this certificate to AppController, installed this certificate according to this article (http://technet.microsoft.com/en-us/library/dn469415.aspx) and installed it to hyper-v
  nodes.
  Access to AppController works fine.
  But when I try to launch Console to VM, I've got error:
  Your remote desktop connection failed because the remote computer cannot be authenicated.
  And I see, that there using Self-assigned certificate.
  How can I change used self-assigned certificate to new wildcard?
  Thanks you.

  Hi,
  if you try to connect via RDP to the VMs, you must change the self signed certificate for the RDP listener on the VMs:
  http://www.it-training-grote.de/download/RDS-2012R2-SelfSignedCertificate.pdf
  (german article but hopefully the screenshots give you some ideas how to do this).
  It is also possible and IMHO recommended to use Group policies to issue certificates to all VMs:
  http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=2
  best regards Marc Grote - www.it-training-grote.de

• Keytool self-signed certificate.

  Using Keyman on hp-unix. Wanted to create self-signed certificate.
  When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
  Say, I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2. (exporting from box1 and importing to box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it(keyman) is not giving me option to export the certificate.
  Please help.

  Using ikeyman, Not keytool

• Problems generating a self-signed certificate using SDK

  Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
  SP2 system. Also Java 2 runtime version 1.4 installed.
  When I'm trying to generate a self-signed certificate I typed
  the following in command line:
  D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA
  newcert.p12 pass123
  After a short delay an "unable to create output file" message
  appears in command console and an empty (0 byte length) newcert.p12
  created.
  What may be the problem?
  Also I would like to know if there was another way to create
  self-signed certificates or is it possible to build air packages
  without signing the source code?
  Thanks in advance and sorry for bad English!

  I haven't seen this error occur before. It could indicate a
  full drive or similar condition that might prevent writing to the
  file.
  Can you try using Java 1.5? Although 1.4 is officially
  supported, I think 1.5 receives much more testing.
  You can create self-signed certificates using other tools. If
  you do that, make sure the certificate is marked as usable for
  code-signing; otherwise, adt won't accept it.
  You cannot create air packages without signing them.

• Self signed certificate for web service security !!

  i've created self-signed certificate using keytool for web serivce security. But i'm unable to implement from the client side. When i'm giving "dn=localhost" it's working fine. But when i'm giving other than that it's throwing me error as :
  java.io.IOException: HTTPS hostname wrong: should be <192.168.2.36>
  I don't know what's the problem. Could any tell me where i'm wrong. In the CN i've given my ip address. Please help me out.
  Do i need to do something else?

  thanks for your kind help.
  But i follwed the same which are given. Do i need to set something in netbeans? i'm usign netbeans 5.5,tomcat 5.5 and jdk5. Still i'm getting the same error as "https hostname is wrong: it should be <192.168.2.278>", which my ip address. I've created my self signed certificate and given the path to it by mentioning in System.setProperty("javax.net.ssl.trustStore","d:/keystore/auth.keystore"); and for password to. Do i need to do something else?
  Please help me out in this reagard. I'm startup of this technology.
  in advance thanks.

• Hi, is there any way to forbid access to web site with self-signed certificate or obsolete certificate and disable exceptions, in Firefox V17+ ?

  (There should be the warning message, without the ability to add any exceptions.)

  Hi,
  There are Certificate preferences in Options> Advanced, I recommend exploring these options and testing a few self-assigned certificates.
  Third Party Reference:
  [http://www.hackerfactor.com/blog/index.php?/categories/3-Network]

• Problem with importing and creating self signed SSL certificate

  Mac Pro, 10.7.2 Server.  Attempting to import or create a self signed certificate for use as ichat.domain.com to encrypt iChat service.  Server is acutally called server.domain.com but has an alias of ichat.domain.com.  I understand that this is probably not best practice but I would like to keep things this way since we have one server, run multiple services on it, but want to continue to connect to each service at SERVICE.domain.com.  We have been using this type of mismatched certificate with success since 10.4 or so.
  I am working through setup of 10.7 Server to replace our 10.6 server. 
  Tried upgrade of 10.6 to 10.7 installation.  The installation made a mess of some services and our Open Directory, but did move the certificate over and allowed iChat service to function properly.
  Clean install and setup of 10.7 Server.  Exported self signed certificate, private key, and encryption password from 10.6 Server and functioning 10.7 upgraded Server.
  On import or manual creation of certificate get the following error:
  Error
  Check your server's logs for more information.  The error (code 5001) was: Expected SecKeychainItemImport to return a SecIdentityRef, but it did not
  Log shows:
  Dec 29 17:56:55 server servermgrd[498]: -[CertsRequestHandler(HelperAdditions) importP12Data:passphrase:error:]: importedItems = (
                "<SecCertificate 0x7fcf6ed43c00 [0x7fff78d96f40]>"
  I have tried importing and manually creating other certificates with a variety of names with success.  I assume that there is something buried somewhere that is causing this particular one to be a problem.  Other than manually removing any remnants of the certificate from /etc/certficates I do not have any ideas what to try.  I am essentially ready to move this server to 10.7 except for this problem and would like to avoid a reinstall.
  Suggestions?
  -Erich

  Take a look here.
  https://bbs.archlinux.org/viewtopic.php?id=146649
  Maybe it's a problem with your network.