Search Results

Search found 3266 results on 131 pages for 'san certificate'.

Page 9/131 | < Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >

  • OpenVPN: Single certificate authority, multiple VPNs

    - by darwish
    The company in which I work has a single site (I'll refer it as "Site A"). There are several private networks within site A. We have a running instance of OpenVPN which allows some employees to connect to one of the private networks in site A. We're planning to extend our facilities to another site (which I'll refer as "Site B") and we wish to connect both sites using OpenVPN. The VPN which will connect sites A to B will be a trunk link, meaning it will have access to all networks. If we use the same certificate authority for both VPN servers, this will allow the employees, which can only to one of the private networks within site A, to connect to the site-to-site link, which will give them access to all networks. Off course this is undesirable. Using 2 different certificate authorities seems like the obvious solution, but it doesn't feel right. I wounder if there's a way to maintain permission control within a single certificate authority.

    Read the article

  • Replace Certificate using Plesk 11

    - by Lambda Dusk
    I am not an admin, but a programmer. But how it is, if you're the only guy who knows about computers, everyone shoves those tasks to you. A certificate of a domain recently expired. The domains are managed using Plesk 11, on a Linux system, Apache2.2. I was given a new certificate from the host, and it is one single .pem file. However, Plesk asks me for a .crt file, a private key and some CA file. I have neither, only this single .pem file the host claims to be the certificate. Since I myself never did anything with SSL certificates, I would really appreciate if anyone can tell me what to do with this file and how to properly add a new one so the old one can be removed.

    Read the article

  • How can you import a root certificate to a machine level store in Windows 7

    - by ReluctantAdmin01
    I have a service (Running as local system) that uses an SSL connection. Currently this connection fails because the remote host used a private CA to sign it's certificate. For previous operating systems, I used to use the certificate manager to import the CA cert into the local machine's Trusted Root certificates store. Though I can do the steps with a windows 7 machine, it seems after a reboot that the imported certificates are gone. Here are the steps I'm doing in Windows 7: Open mmc Add Certificates Snap-in for Local Machine Navigate to Third-Party Root Certification Authorities/Certificates Import Root CA Cert. The certificate seems to work fine, using internet explorer or the service to test the SSL connection works, but after a reboot it seems like the change is reverted.

    Read the article

  • Establishing WebLogic Server HTTPS Trust of IIS Using a Microsoft Local Certificate Authority

    - by user647124
    Everyone agrees that self-signed and demo certificates for SSL and HTTPS should never be used in production and preferred not to be used elsewhere. Most self-signed and demo certificates are provided by vendors with the intention that they are used only to integrate within the same environment. In a vendor’s perfect world all application servers in a given enterprise are from the same vendor, which makes this lack of interoperability in a non-production environment an advantage. For us working in the real world, where not only do we not use a single vendor everywhere but have to make do with self-signed certificates for all but production, testing HTTPS between an IIS ASP.NET service provider and a WebLogic J2EE consumer application can be very frustrating to set up. It was for me, especially having found many blogs and discussion threads where various solutions were described but did not quite work and were all mostly similar but just a little bit different. To save both you and my future (who always seems to forget the hardest-won lessons) all of the pain and suffering, I am recording the steps that finally worked here for reference and sanity. How You Know You Need This The first cold clutches of dread that tells you it is going to be a long day is when you attempt to a WSDL published by IIS in WebLogic over HTTPS and you see the following: <Jul 30, 2012 2:51:31 PM EDT> <Warning> <Security> <BEA-090477> <Certificate chain received from myserver.mydomain.com - 10.555.55.123 was not trusted causing SSL handshake failure.> weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file from url due to -- javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from myserver02.mydomain.com - 10.555.55.123 was not trusted causing SSL handshake failure. The above is what started a three day sojourn into searching for a solution. Even people who had solved it before would tell me how they did, and then shrug when I demonstrated that the steps did not end in the success they claimed I would experience. Rather than torture you with the details of everything I did that did not work, here is what finally did work. Export the Certificates from IE First, take the offending WSDL URL and paste it into IE (if you have an internal Microsoft CA, you have IE, even if you don’t use it in favor of some other browser). To state the semi-obvious, if you received the error above there is a certificate configured for the IIS host of the service and the SSL port has been configured properly. Otherwise there would be a different error, usually about the site not found or connection failed. Once the WSDL loads, to the right of the address bar there will be a lock icon. Click the lock and then click View Certificates in the resulting dialog (if you do not have a lock icon but do have a Certificate Error message, see http://support.microsoft.com/kb/931850 for steps to install the certificate then you can continue from the point of finding the lock icon). Figure 1: View Certificates in IE Next, select the Details tab in the resulting dialog Figure 2: Use Certificate Details to Export Certificate Click Copy to File, then Next, then select the Base-64 encoded option for the format Figure 3: Select the Base-64 encoded option for the format For the sake of simplicity, I choose to save this to the root of the WebLogic domain. It will work from anywhere, but later you will need to type in the full path rather than just the certificate name if you save it elsewhere. Figure 4: Browse to Save Location Figure 5: Save the Certificate to the Domain Root for Convenience This is the point where I ran into some confusion. Some articles mentioned exporting the entire chain of certificates. This supposedly works for some types of certificates, or if you have a few other tools and the time to learn them. For the SSL experts out there, they already have these tools, know how to use them well, and should not be wasting their time reading this article meant for folks who just want to get things wired up and back to unit testing and development. For the rest of us, the easiest way to make sure things will work is to just export all the links in the chain individually and let WebLogic Server worry about re-assembling them into a chain (which it does quite nicely). While perhaps not the most elegant solution, the multi-step process is easy to repeat and uses only tools that are immediately available and require no learning curve. So… Next, go to Tools then Internet Options then the Content tab and click Certificates. Go to the Trust Root Certificate Authorities tab and find the certificate root for your Microsoft CA cert (look for the Issuer of the certificate you exported earlier). Figure 6: Trusted Root Certification Authorities Tab Export this one the same way as before, with a different name Figure 7: Use a Unique Name for Each Certificate Repeat this once more for the Intermediate Certificate tab. Import the Certificates to the WebLogic Domain Now, open an command prompt, navigate to [WEBLOGIC_DOMAIN_ROOT]\bin and execute setDomainEnv. You should then be in the root of the domain. If not, CD to the domain root. Assuming you saved the certificate in the domain root, execute the following: keytool -importcert -alias [ALIAS-1] -trustcacerts -file [FULL PATH TO .CER 1] -keystore truststore.jks -storepass [PASSWORD] An example with the variables filled in is: keytool -importcert -alias IIS-1 -trustcacerts -file microsftcert.cer -keystore truststore.jks -storepass password After several lines out output you will be prompted with: Trust this certificate? [no]: The correct answer is ‘yes’ (minus the quotes, of course). You’ll you know you were successful if the response is: Certificate was added to keystore If not, check your typing, as that is generally the source of an error at this point. Repeat this for all three of the certificates you exported, changing the [ALIAS-1] and [FULL PATH TO .CER 1] value each time. For example: keytool -importcert -alias IIS-1 -trustcacerts -file microsftcert.cer -keystore truststore.jks -storepass password keytool -importcert -alias IIS-2 -trustcacerts -file microsftcertRoot.cer -keystore truststore.jks -storepass password keytool -importcert -alias IIS-3 -trustcacerts -file microsftcertIntermediate.cer -keystore truststore.jks -storepass password In the above we created a new JKS key store. You can re-use an existing one by changing the name of the JKS file to one you already have and change the password to the one that matches that JKS file. For the DemoTrust.jks  that is included with WebLogic the password is DemoTrustKeyStorePassPhrase. An example here would be: keytool -importcert -alias IIS-1 -trustcacerts -file microsoft.cer -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase keytool -importcert -alias IIS-2 -trustcacerts -file microsoftRoot.cer -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase keytool -importcert -alias IIS-2 -trustcacerts -file microsoftInter.cer -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase Whichever keystore you use, you can check your work with: keytool -list -keystore truststore.jks -storepass password Where “truststore.jks” and “password” can be replaced appropriately if necessary. The output will look something like this: Figure 8: Output from keytool -list -keystore Update the WebLogic Keystore Configuration If you used an existing keystore rather than creating a new one, you can restart your WebLogic Server and skip the rest of this section. For those of us who created a new one because that is the instructions we found online… Next, we need to tell WebLogic to use the JKS file (truststore.jks) we just created. Log in to the WebLogic Server Administration Console and navigate to Servers > AdminServer > Configuration > Keystores. Scroll down to “Custom Trust Keystore:” and change the value to “truststore.jks” and the value of “Custom Trust Keystore Passphrase:” and “Confirm Custom Trust Keystore Passphrase:” to the password you used when earlier, then save your changes. You will get a nice message similar to the following: Figure 9: To Be Safe, Restart Anyways The “No restarts are necessary” is somewhat of an exaggeration. If you want to be able to use the keystore you may need restart the server(s). To save myself aggravation, I always do. Your mileage may vary. Conclusion That should get you there. If there are some erroneous steps included for your situation in particular, I will offer up a semi-apology as the process described above does not take long at all and if there is one step that could be dropped from it, is still much faster than trying to figure this out from other sources.

    Read the article

  • Question about SSL Certificate.

    - by smwikipedia
    Hi experts, I am trying to make a SSL connection to a web site. Each time I enter the https:// address and press enter, the IE8 prompts me to select the Certificate (Client Certificate) to send to the server. I got 2 certificates to choose from. And they are stored in the IE8 - Internet Options - Content - Certificates - Personal. Since my server and client are the same machine, I want to use a single certificate for both server and client. And this certificate is a IIS generated self signed certificate. I do the following steps: 1- Generate a self-signed-cert in IIS; 2- Bind my site to https and choose the above self-signed-cert 3- Import the self-signed-cert at the IE8 - Internet Options - Content - Certificates - Personal. Then I use the https link to access my page, it is still prompts me to choose a certificate. But I cannot see my newly imported self-signed-cert. Why?

    Read the article

  • Export Certificate Windows Server 2008

    - by user1432032
    I need to export the private key of a self-created SSL-certificate on a Windows Server 2008. However at Microsoft Management Console (the certificate is located, if it matter, in Personal-Certificate folder) the option "Yes, export the private key" is greyed out. Reading the provided help section it tells that the certificate needed to "be made exportable" during creation. However it also says that it is ONLY a limitation if it was created using Windows Server 2003. It doesn´t say anything how to fix it though on a Windows 2008 Server. The certificate is self-signed. I want to export to PKCS12 format. I´m accessing MMC as administrator so there should not be any permission issues. How can I make this certificate "exportable"?

    Read the article

  • Cannot find the certificate

    - by user409756
    We get a T-SQL (SQL Server 2008 R2) error on BACKUP CERTIFICATE: ERROR_NUMBER 15151, SEVERITY 16, STATE 1, PROCEDURE -, LINE 8, MESSAGE: Cannot find the certificate 'certificate1', because it does not exist or you do not have permission. We can see the certificate in master.sys.certificates. Our pseudo-code: copy an unattached template_db to db1 attach db1 create certificate1 (in stored procedure in master db) generate @password CREATE DATABASE ENCRYPTION KEY … ENCRYPTION BY SERVER CERTIFICATE '+@certificate_name +… (in stored procedure in db1) turn on Transparent Database Encryption for db1 using certificate1. (N'ALTER DATABASE '+@db_name+N' SET ENCRYPTION ON') N’BACKUP CERTIFICATE '+@certificate_name+N' TO FILE = '''+@certificate_file_path+N''' WITH PRIVATE KEY ( FILE = '''+@private_key_file_path+N''', ENCRYPTION BY PASSWORD = '''+@password+N'''' To try to work-around the error, we tested three ways with the BACKUP CERTIFICATE code in a different databases each time, including db1 and master. All get the same error. Any ideas? Thanks.

    Read the article

  • Redirect request from https domain to https subdomain with only one certificate

    - by Sean K.
    I'm trying to redirect users to a subdomain in server2 if they make an https request to server1. I only have one certificate, and that's installed on server2. So for instance, from (server1) https://www.example.com to (server2) https://ssl.example.com My best guess is that I will need a certificate for https://www.example.com as the hostname is encrypted inside the HTTP header so my server won't know to redirect until it's decrypted. However, I'm curious if this is possible without two certificates?

    Read the article

  • How to configure apache and mod_proxy_ajp in order to forward ssl client certificate

    - by giovanni.cuccu
    I've developed a java application that need a ssl client certificate and in the staging environment with apache 2.2 and mod_jk it is working fine. In production the configuration is not using mod_jk but mod_proxy_ajp. I'm looking for an apache configuration example that configure ssl and mod_proxy_ajp for sending the ssl client certificate to the java application server (which listens with the ajp protocol). Thanks a lot

    Read the article

  • Certificate Authentication

    - by steve.mccall1
    Hi, I am currently working on deploying a website for staff to use remotely and would like to make sure it is secure. I was thinking would it be possible to set up some kind of certificate authentication where I would generate a certificate and install it on their laptop so they could access the website? I don't really want them to generate the certificates themselves though as that could easily go wrong. How easy / possible is this and how do I go about doing it? Thanks, Steve

    Read the article

  • How to configure apache and mod_proxy_ajp in order to forward ssl client certificate

    - by giovanni.cuccu
    Hi, I've developed a java application that need a ssl client certificate and in the staging environment with apache 2.2 and mod_jk it is working fine. In production the configuration is not using mod_jk but mod_proxy_ajp. I'm looking for an apache configuration example that configure ssl and mod_proxy_ajp for sending the ssl client certificate to the java application server (which listens with the ajp protocol). Thanks a lot

    Read the article

  • ssl certificate for www.domain.com and domain.com

    - by user12145
    I used make-dummmy-cert that comes with apache 2.2 and ssl_mod to make a self-signed certificate, I tried www.domain.com domain.com *.domain.com, none of them would work for both www.domain.com and domain.com. The browser would say The certificate is only valid for domain.com( or www.domain.com or *.domain.com respectively) how do I make a self-signed cert that would work for both cases?

    Read the article

  • SSL certificate only valid when viewed externally

    - by user23522
    We have a SSL certificate installed on our server. When viewed externally it validates correctly, however when the website is viewed from the server it gets an invalid certificate error. We are using the fully qualified domain name to access it for both? Is there any reason this should be happening? Cheers.

    Read the article

  • Buying a certificate - what to spend and where

    - by bergin
    Hi there My boss wants to buy a certificate for his SBS so external connection can be made. they access on an IP number. What should he spend on the certificate? Where should he buy from? Verisign seems like overkill as its not an ecommerce site, just needs some security. Ive seen some cheap ones at $20 / yr - are there any problems with getting cheap certificates?

    Read the article

  • Multiple websites each with an SSL certificate of its own

    - by ServerDown
    Hi, We run cent os, plesk with apache and php, mysql. There are around 25 sites and each of them need an SSL certificate now. The host cannot have more than 16 IPs on the same server. Is it possible to have all these sites use just one IP address and have SSL certificate setup for each site? If yes, please let me know how I can set this up. Thanks

    Read the article

  • Partial Client Certificate request for Apache HTTP

    - by Joshua
    I have an Apache HTTP Server with SSL enabled and requesting a Client Certificate. How do I set up Apache to only request the certificate when a user hits a certain part of the website? Example: /myapp/ should not request the cert /myapp2/ should request the cert Note: These applications are being served using the mod-jk

    Read the article

  • Really remove non-permanent certificate exception in firefox

    - by user1719315
    I visited japan.indymedia.org and firefox gave me the "Invalid certificate" screen. I added an exception, but did not click "Store this exception permanently." But now firefox still happily visits the same site without giving any warnings, even after a restart of the browser. I tried going to the Options-Advanced-Encryption-View Certificates-Servers to remove the certificate but I did not find it there. How to remove this exception and make firefox give me the warning when visiting the site?

    Read the article

  • Create a certificate file

    - by saeed hardan
    I have a proxy that I want to test. The proxy generates a private key and a certificate like here . I have tried to copy the content as in the link in a file and name it x.CER , then clicked on it and i got the message : This file is invalid for use as the following : Security Certificate how can i install them on windows ? note: I have set in internet options that all the traffic goes throw the proxy

    Read the article

  • Certificate Authentication

    - by Steve McCall
    I am currently working on deploying a website for staff to use remotely and would like to make sure it is secure. I was thinking would it be possible to set up some kind of certificate authentication where I would generate a certificate and install it on their laptop so they could access the website? I don't really want them to generate the certificates themselves though as that could easily go wrong. How easy / possible is this and how do I go about doing it?

    Read the article

  • Make Nginx fail when SSL certificate not present, instead of hopping to only available certificate

    - by Oli
    I've got a bunch of websites on a server, all hosted through nginx. One site has a certificate, the others do not. Here's an example of two sites, using (fairly accurate) representations of real configuration: server { listen 80; server_name ssl.example.com; return 301 https://ssl.example.com$request_uri; } server { listen 443 ssl; server_name ssl.example.com; } server { listen 80; server_name nossl.example.com; } SSL works on ssl.example.com great. If I visit http://nossl.example.com, that works great, but if I try to visit https://nossl.example.com (note the SSL), I get ugly warnings about the certificate being for ssl.example.com. By the sounds of it, because ssl.example.com is the only site listening on port 443, all requests are being sent to it, regardless of domain name. Is there anything I can do to make sure a Nginx server directive only responds to domains it's responsible for?

    Read the article

  • SSL Authentication with Certificates: Should the Certificates have a hostname?

    - by sixtyfootersdude
    Summary JBoss allows clients and servers to authenticate using certificates and ssl. One thing that seems strange is that you are not required to give your hostname on the certificate. I think that this means if Server B is in your truststore, Sever B can pretend to be any server that they want. (And likewise: if Client B is in your truststore...) Am I missing something here? Authentication Steps (Summary of Wikipeida Page) Client Server ================================================================================================= 1) Client sends Client Hello ENCRIPTION: None - highest TLS protocol supported - random number - list of cipher suites - compression methods 2) Sever Hello ENCRIPTION: None - highest TLS protocol supported - random number - choosen cipher suite - choosen compression method 3) Certificate Message ENCRIPTION: None - 4) ServerHelloDone ENCRIPTION: None 5) Certificate Message ENCRIPTION: None 6) ClientKeyExchange Message ENCRIPTION: server's public key => only server can read => if sever can read this he must own the certificate - may contain a PreMasterSecerate, public key or nothing (depends on cipher) 7) CertificateVerify Message ENCRIPTION: clients private key - purpose is to prove to the server that client owns the cert 8) BOTH CLIENT AND SERVER: - use random numbers and PreMasterSecret to compute a common secerate 9) Finished message - contains a has and MAC over previous handshakes (to ensure that those unincripted messages did not get broken) 10) Finished message - samething Sever Knows The client has the public key for the sent certificate (step 7) The client's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the server's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Client Knows The server has the public key for the sent certificate (step 6 with step 8) The server's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the client's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Potential Problem Suppose the client's truststore has certs in it: Server A Server B (malicous) Server A has hostname www.A.com Server B has hostname www.B.com Suppose: The client tries to connect to Server A but Server B launches a man in the middle attack. Since server B: has a public key for the certificate that will be sent to the client has a "valid certificate" (a cert in the truststore) And since: certificates do not have a hostname feild in them It seems like Server B can pretend to be Server A easily. Is there something that I am missing?

    Read the article

  • Trouble understanding SSL certificate chain verification

    - by Josh K
    My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this: Entrust.net Secure Server Certification Authority - DigiCert Global CA - *.ourdomain.com We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one. My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails: % openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt error 20 at 0 depth lookup:unable to get local issuer certificate So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me! EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works: % openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt ourdomain.com.crt: OK This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it", the whole chain still needs to be verified. But surely browsers like Firefox won't always ship with a copy of every single certificate it'll ever need. There's always going to be new CAs and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?

    Read the article

  • WCF Certificates without Certificate Store

    - by Kane
    My team is developing a number of WPF plug-ins for a 3rd party thick client application. The WPF plug-ins use WCF to consume web services published by a number of TIBCO services. The thick client application maintains a separate central data store and uses a proprietary API to access the data store. The thick client and WPF plug-ins are due to be deployed onto 10,000 workstations. Our customer wants to keep the certificate used by the thick client in the central data store so that they don't need to worry about re-issuing the certificate (current re-issue cycle takes about 3 months) and also have the opportunity to authorise the use of the certificate. The proposed architecture offers a form of shared secret / authentication between the central data store and the TIBCO services. Whilst I don’t necessarily agree with the proposed architecture our team is not able to change it and must work with what’s been provided. Basically our client wants us to build into our WPF plug-ins a mechanism which retrieves the certificate from the central data store (which will be allowed or denied based on roles in that data store) into memory then use the certificate for creating the SSL connection to the TIBCO services. No use of the local machine's certificate store is allowed and the in memory version is to be discarded at the end of each session. So the question is does anyone know if it is possible to pass an in-memory certificate to a WCF (.NET 3.5) service for SSL transport level encryption? Note: I had asked a similar question (here) but have since deleted it and re-asked it with more information.

    Read the article

< Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >