WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES

Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have SHA-1 SSL certificate from GoDaddy.
They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.

Hi, I do not know, but I doubt it.
Here's the 10.4 Server forum if you want to ask over there...
Mac OS X Server v10.4 and earlier

Similar Messages

  • I want to use a mac mini as a server supporting storage. Can I pair my macair to it for when I need to perform updates and maintenance ?

    I want to use a mac mini as a server supporting storage. I have other devices such as an iMac and iPad that will access information from the server. I do not want to purchase a monitor and keyboard as the unit will sit in a cupboard out of sight. Can I pair my macair to it for when I need to perform updates and maintenance ?

    I have a 2010 Mac Mini running Yosemite and Server which I use
    as a headless home server.
    I have is set up to allow screen sharing and can connect to it and
    control it with my iMac, Macbook Pro, iPhone, and a 2011 Mini Server
    that I use as an HTPC.
    You can check this out for all the Yosemite Server capabilities:
    https://help.apple.com/advancedserveradmin/mac/4.0/
    I have iTunes Home Sharing set up on it and have my entire iTunes
    library on it.  I can then use any of my Macs to play Movies or Songs
    from it and only keep locally a select subset of that on my individual
    devices.
    Rather than and update server, I utilize Server's Caching Service.  The caching
    server will duplicate any update download (system or MacApp Store purchases)
    any time a device that is connected to my network down loads one.  The update will
    then be stored locally and all other devices will download the update from it which
    can be faster than from Apple directly.  This has the advantage of only having to download
    once with limited bandwidth internet connections.  There is also an Update Server service
    available, but it is some what more involved in setting up.  However, it will download
    and store all available updates.
    There is another thing as well if you do not care for syncing things like Contacts, Calendar, etc.
    to iCloud, you can set Server up to sync these items across devices locally.

  • SHA-2 SSL certificates supported on Server v10.5?

    Am upgrading Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) to Server 10.5  and currently have SHA-1 SSL certificate from GoDaddy.
    They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
    Is Mac OS Server 10.5 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.
    Mac mini, Mac OS X Server (10.4.11, upgrading to 10.5.x), Power PC 1.42GHz

    Hi, I do not know, but I doubt it.
    Here's the 10.4 Server forum if you want to ask over there...
    Mac OS X Server v10.4 and earlier

  • Expert advice needed: Why could I not connect to my own server after deletion of SSL certificate?

    Issue: Could not connect to my own server after deletion of SSL certificate despite having SSL disabled
    Hello,
    I admit I am lay user with rudimentary SSL knowledge and I therefore messed up my certificates and I could no longer access my own server (Wikis, WebDav, Device Manager) with Safari. (error: Safari can't connect to server)
    Eventually, I could resolve the problem but I do not understand why there was problem in the first place.
    Maybe someone can explain that to me ?
    OK, here is what I did:
    I created a Certificate Authority because I wanted to use a free SSL Server certificate for our private server.
    (I followed  http://www.techrepublic.com/blog/mac/create-your-own-ssl-ca-with-the-os-x-keycha in/388 )
    Despite several attempts I never got the server to accept the certificate for web services, the certificate was accepted for iCal, Mail and iChat but not for Web services. I tested an older certificate that was created when I set up the server and that that worked for all services incl. Web. So the problem was with my certificate only.
    Out of desperation and lack of concentration I deleted the "original" certificate.
    Now, I soon noticed that I could no longer log in to my server. I solved the problem by restoring the original certificate.
    My question:
    I had SSL disabled in the Server app settings. Why does Safari still look for a proper certicate ? (the server logfile had an entry that a .pem file could not be found which makes sense if the cert has been deleted)
    I would be very grateful for an expert advice.
    Regards,
    Twistan

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP
    itauthority.co.uk |
    Title(Required)
    Facebook |
    Twitter |
    Linked in |
    Google+

  • Support for Global SSL certificates  - not

    Hello,
    Just found out the hard way that 10g does not support Verisign Global Certificates (Secure Site Pro).
    BEA, IBM, and MICROSOFT support global certificates.
    Oracle is the only one that does not!
    If customer requirements dictate global certificates Oracle AS is not the product to use.
    Hernando

    See my reply in the other thread:
    Re: SSL certificates not visible while RFC destination creation
    Cheers, Wolfgang

  • Will Mac Mini with OSX Server 10.6 Snow Leopard be able to fit my needs?

    Hello,
    The office i work in is a Mac environment.
    Is this unit powerful enough to support 20 people? This is the setup i was thinking:
    Mac mini with Snow Leopard Server - 2.66GHz : Dual 500GB:
    1st Internal drive - OS only
    2nd Internal drive - OS backup via CarbonCopyCloner
    Ministack USB drive - Data backup via Time Machine (file shares etc on server from services)
    Firewire DroboPro 16TB - Client Time Machine Backups via the Network.
    Would the Mac Mini be powerfull enough to support normal OS X Server services, and at the same time act as a client Time-Machine backup via the network?
    Thanks,
    -Mike

    The answer to your question depends on how many of the services you intend to offer.
    If you are just going to use the Mini as a File, Print, and directory server, then it will work fine.
    If you intend it to run as your web, email, database, and iChat server, you might be pushing things a bit much.
    Your drive layout looks appropriate for a simple file server, so I would tentatively say yes, it looks like it would do what you currently require.
    G. Discenza

  • Can Mac 10.5 OD Server support AD schema neccesary for Microsoft Exchange

    Does anyone know if the Active Directory schema in Open Directory 10.5 is sufficent to support a bound Microsoft exchange server running 2003 or 2007?
    By that I mean could I utilize user accounts on a 10.5 Mac OD server on an internal exchange server in the same domain, so that the Mac Server authenticates the user and the exchange can deliver the mail?
    All comments gratefully received
    Philip

    Thanks for the quick read and response. Do you feel the issue might lie with the fact that it is a Mac Mini? And possibly just not powerful enough to run Leopard Server? I have to say in our trials with MacPro it was like night and day as to how they performed. And if you could elaborate on this "Many VPNs don't play well with NAT so your VPN server should have a direct connection to the public network (preferably firewalled, of course, but not NATted)." Most every SoHo and for that matter uses simple NAT translation for security even our multi thousand dollar Cisco PIX and ASA's are basic NAT devices to start with. How would you put the VPN on public net while keeping the attack surface low for the rest of the services like file, web, mail and print?
    Don't get me wrong I want this to work more than you can imagine. We are so tired of supporting MSFT technologies that cost thousands a year in antivirus, antispyware, antispam and other malware protection for the enterprise. We know that Leopard has great potential but for an integrator, getting this system up and functional is not an easy task. And the worst part of it is every time we have called for support the tech always lets out a sigh when they hear we have run standard setup because they are not allowed to walk us thru the server console to make repairs. And have been told by 3 techs so far that this is a new product and the support avenues are not there for standard since it just supposed to work out of the box. But when it doesn't then ohh well. Which is sorta sad...
    DM

  • Does mac os/os server support parallel or multiprocessing?

    Looking for the simplest way to increase processing power for some projects and have several mac desktops. Was wondering if mac os or os server support parallel or multiprocessing?

    No, you cannot combine multiple computers to increase total processing power. Apple no longer supports the software for it.

  • How to findout whether the mail server supports STARTTLS or not?

    Hi,
    In my application I want to use explict SSL over SMTP, IMAP and POP3 by using the property "mail.<protocol>.starttls.enable"
    . I did see the documentation for mail.<protocol>.starttls.enable property as
    "If true, enables the use of the <code>STARTTLS</code> command (if
    supported by the server) to switch the connection to a TLS-protected
    connection before issuing any login commands".
    How do I findout whether the server supports STARTTLS or not?
    What will be the outcome if I use the property "mail.<protocol>.starttls.enable" though the server doe's not support STARTTLS? plain text connection will be there or will it throw any exception?
    Thanks in advance!
    PrasadKT

    The "mail.<protocol>.starttls.enable" property will use STARTTLS if the server
    supports it, and won't if it doesn't. Not using it might cause later commands to fail.
    Newer versions of JavaMail also have a "mail.<protocol>.starttls.required"
    property that will cause the connection to fail if the server doesn't support
    STARTTLS.

  • IE 9, Windows 7, Windows 8, SHA-2 encryption, certificate

    Currently, I have I have an Exchange 2010 Service with 2 client access/ transport servers and 2 mailbox servers.  I use a barracuda load balance appliance to manage the CASarray.   Our SSL certificate for the service is currently SHA-1. 
    I would like to replace  the SSL certificate so that it using SHA-2 encyption keys.  What compatibility issues do I need to be concerned about?  Most of our users are running Windows 7 with Outlook 2010 and/or Outlook 2007 to the Exchange 2010
    service.    We also have a few Apple users running OS X and Office 2011 for the MAC.   We have a lot of ipad ii and above and iphone 4 and above users  using ios to connect to the service as well.    People  use a variety
    of web browsers:  firefox, chrome, internet explorer, safarii.  Most of my users are still using IE 9.x due to better compatibility with some of our SAP software.
    Will my users have problems using a comodo sha-2 ssl certificate in my environment?  Specifically, will there be issues with IE9.x on Windows 7?  Any issues with Apple devices?

    Hi,
    In order to both sign and validate SHA2 messages, Windows Vista or 7 with Outlook 2007 or 2010 is needed, so according to your description, it's fine to move to SHA-2 in your corporation.
    Please see detailed information about SHA-2 with Windows in the following blog, some recommendations for Outlook and Windows are included in this link
    http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
    For mac users, it's better to contact the Apple support, for they're more familiar with their products like ipad, iphone and other Apple devices.
    Yolanda Zhu
    TechNet Community Support

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub > ~/.ssh/known_hosts
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
    I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/sh
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man sh
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" == "" ]                # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
        && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
        || echo "SSH tunnel FAIL."

  • SQL Server cannot Find SSL Certificate

    We need help solve an issue we are having with SQL Server 2008 recognizing certificates (for supporting SSL communications) we generate through the MakeCert.exe utility. We have followed all instructions available in the MSDN SQL Server 2008 online books, including using the mmc console utility to verify that the certificates are valid, but the certificates we make fail to be seen by the SQL Server 2008 Configuration Management application.

    Hi,
    I’m not sure what instructions you read from MSDN. Do you follow the steps described in http://msdn.microsoft.com/en-us/library/ms191192.aspx?  If not, please try it. Additionally, I suggest you refer to the following content from MSDN:
    For SQL Server to load a SSL certificate, the certificate must meet the following conditions:
    1. The certificate must be in either the local computer certificate store or the current user certificate store.
    2. The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.
    3. The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).
    4. The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
    5. The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. If SQL Server is running on a failover cluster, the common name must match the host name or FQDN of the virtual server and the certificates must be provisioned on all nodes in the failover cluster.
    If there are any more questions, please let me know.
    Thanks.
    ***Xiao Min Tan***Microsoft Online Community***

  • Copying SSL Certificates from one server to another.

    I have a question that hopefully someone might have the answer for... I have a IPlanet 6.0 SP4 server that has an SSL certificate I'm trying to move to a new server that's on SunOne 6.1. I was under the impression that I could easily copy the <Iplanet_Root>/alias/https-<ServerInstance>-<server>-<key3/cert7>.db files to the new server from that server's alias directory. However before I copied the files, I immediately noticed the new server's cert file is called cert8 instead of cert7 and is 64K as opposed to the 6.0 server's 16K.
    I stopped the web instance and renamed the current db files and copied in the new and changed the cert7 to cert8. When I restarted the server, it stayed up and didn't report any problems. However, when I go the security tab and click on any of the links on the left column, an internal server error (http500) page is displayed. No additional errors show up in the errors log.
    Unfortunately, we don't have the original certificate request. I'm sure when it was applied for; it was cut and pasted into the install certificate page. Otherwise, I'd simply do the install on the other server. Is there a simply means to copy an already installed cert from one sever to another?
    Any assistance would be greatly appreciated.

    Migration from 6.0 to 6.1 should take care of this. You don't have to rename the files to cert7.db after the migration, just leave them with their new names and size as is. The new file created in 6.1(after migration is complete) will be called cert8 and this is fine because 6.1 uses newer version of security libs. Doc links:
    http://docs.sun.com/source/817-1830-10/migrate2.html
    http://docs.sun.com/source/817-1831-10/agcert.html#wp1017112
    Thanks,
    Manish

  • How Server can read client side SSL certificates through java code?

    My code will be running on server which will be a java class that should read any SSL certificates for the user that is logging in to the application.
    Kindly let me know how it can be achieved ? I have very rare knowldge on Security. how i can read SSL certificates of the client machine.
    Also let me know the possible solutions for above question.

    For my mud written in java, I used TCP/IP for the connections. When a client connects, he gets his own thread. Those threads are held in a vector in a manager class. each tick of the server does a quick run thru the vector and if the current thread/socket its on is null or !isAlive() its remove from the vector(which in turn removes it from getting any more game updates. This removal can be caused by two things. The clients disconnects by accident(kills his game, locks up has an internet connection hiccup, etc.) or he uses the games "quit" method. The quit method calls a method that does any player saving of data, etc then closes the socket, and sets it to null. thus the manager sees this and removes him frm the vecotr list on the next server tick. Seems to work great form a mud and worked really well in a multiplayer applet game I had up for a while.

  • Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

    Scenario:
    Windows Server 2012 R2 Essentials
    I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
    So far so good.
    The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
    a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
    The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local  instead of the SSL Certificate I installed, which is
    remote.acmedomain.com
    If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
    My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP
    itauthority.co.uk |
    Title(Required)
    Facebook |
    Twitter |
    Linked in |
    Google+

Maybe you are looking for