ACS SE and Self sign Cert
How can I get the certificate generated automatically from the SE of GBA. Is the only option for FTP? I already have the TEC installed on the ACS but I need to get a copy of it.
You need FTP. To get it, there is no other choice.
Kind regards
~ JG
Note the useful messages
Tags: Cisco Security
Similar Questions
-
Replace self-signed CERT with CA Cert signed
I have a vCAC 6.1 environment. I use the vCAC documentation to replace the self signed CERT CERT. When I get to this step in the documentation it fails - VCloud Automation Center Library
Is the below error telling me there is a problem with the wstvcacapp01 cert? Problem RemoteCertificateNameMismatch?
C:\Program Files (x 86) \VMware\vCAC\Web API\ConfigTool > Vcac - Config.exe DownloadRootCertificates - Pkcs7CertPath "C:\Program Files (x 86) \VMware\vCAC\Web API\SSO.p7b"-v
System.Data.Services.Client.DataServiceQueryException: An error occurred during the processing of this request. -> System.Data.Services.Client.DataServiceClientException: <! DOCTYPE html >
< html >
< head >
< title > certificate is not approved (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB2326A8EA
C < /title >
< name meta = "viewport" content = "width = device-width" / > "
< style >
body {do-family: "Verdana"; police-weight: normal; do-size: .7em; color: black ;}}
p {do-family: "Verdana"; font-weight: normal; color: black; margin-top:-5px}}
b {font family: "Verdana"; make-weight: bold; color: black; margin-top:-5px}}
H1 {do-family: "Verdana"; police-weight: normal; do-size: 18pt; color: Red}
H2 {do-family: "Verdana"; police-weight: normal; do-size: 14pt; color: Maroon}
pre {font family: "Consolas", "Lucida Console", Monospace; do-size: 11pt; margin: 0; padding: 0.5em line-height: 14pt}
. Marker {make-weight: bold; color: black; text-decoration: none ;}}
.version {color: gray ;}}
. Error {margin-bottom: 10px ;}}
. Expandable {text-decoration: underline; make-weight: bold; color: navy; cursor: hand ;}}
@media screen and (max-width: 639px) {}
pre {width: 440px; overflow: auto; white-space: pre-wrap; dressing: break-Word ;}}
}
@media screen and (max-width: 479px) {}
pre {width: 280px ;}}
}
< / style >
< / head >
< body bgcolor = "white" >
< span > < H1 > server error in ' / repository ' Application. < hr width = 100% size =-1 color = silver > < / H1 >
< h2 > < i > certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB232
6A8EAC < /i > < / h2 > < / span >
< police = "Helvetica, Geneva, Arial, SunSans-Regular, without-serif ' > '"
< b > Description: < /b > an unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and its origin
in the code.
< br > < br >
< b > Details of Exception: < /b > VMware.Cafe.UntrustedCertificateException: certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR = CTIW, O = NJVC, L = Ofal
LON, S = HE, C = us fingerprint: 9A80D1EC61170B87C4203DBC8256FDB2326A8EAC < br > < br >
< b > error Source: < /b > < br > < br >
< table width = 100% bgcolor = "#ffffcc" >
< b >
< td >
< code >
An unhandled exception is generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception below stack trace.
< code >
< table >
< /tr >
< /table >
< br >
< b > Stack Trace: < /b > < br > < br >
< table width = 100% bgcolor = "#ffffcc" >
< b >
< td >
< code > < pre >
[UntrustedCertificateException: certificate is not reliable (RemoteCertificateNameMismatch).] Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203D
BC8256FDB2326A8EAC]
System.Net.TlsStream.EndWrite (IAsyncResult asyncResult) + 8277683
System.Net.ConnectStream.WriteHeadersCallback (IAsyncResult ar) + 213
[WebException: the underlying connection was closed: an unexpected error occurred on a send.]
System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) + 8286956
System.Net.Http.HttpClientHandler.GetResponseCallback (IAsyncResult ar) + 98
[HttpRequestException: an error occurred when sending the request.]
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; & lt; GetResource & gt; b__0 & gt; d__3.MoveNext () + 601
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; RetryWebRequestWrapper & gt; d__97.MoveNext () + 1144
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; GetResource & gt; d__7'1. MoveNext() + 692
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; CreateSecurityTokenServiceAsync & gt; d__2f. MoveNext() + 366
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; GetHolderOfKeyTokenAsync & gt; d__4.MoveNext () + 321
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; CreateDefaultSecurityContextAsync & gt; d__34.MoveNext () + 306
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; CreateAsync & gt; d__1d'1. MoveNext() + 397
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84
VMware.Cafe. & lt; CreateAsync & gt; d__1a'1. MoveNext() + 330
[AggregateException: one or more errors occurred.]
System.Threading.Tasks.Task'1.GetResultCore (Boolean waitCompletionNotification) + 5863512
DynamicOps.Repository.Runtime.SecurityModel.CafeSecurityProvider... ctor (SecurityModelContext CurrentContext) + 172
DynamicOps.Repository.Runtime.SecurityModel.SecurityModelContext... ctor (String ConnectionString) + 202
DynamicOps.Repository.Runtime.Common.RepositoryRuntime.Initialize () + 812
[HttpException (0x80004005): one or more errors occurred.]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode (HttpContext context, HttpApplication app) + 12639357
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS (appContext, HttpContext context, MethodInfo [managers] IntPtr) 175
System.Web.HttpApplication.InitSpecial (HttpApplicationState State, MethodInfo [managers], IntPtr appContext, HttpContext context) + 304
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance (IntPtr appContext, HttpContext context) + 404
System.Web.Hosting.PipelineRuntime.InitializeApplication (IntPtr appContext) + 475
[HttpException (0x80004005): one or more errors occurred.]
System.Web.HttpRuntime.FirstRequestInit (HttpContext context) + 12656404
System.Web.HttpRuntime.EnsureFirstRequestInit (HttpContext context) + 159
System.Web.HttpRuntime.ProcessRequestNotificationPrivate (IIS7WorkerRequest wr, HttpContext context) + 12496021
< / pre > < / code >
< table >
< /tr >
< /table >
< br >
< hr width = 100% size = 1 = silver color >
< b > Version information: < /b > Microsoft .NET Framework Version: 4.0.30319; ASP.NET Version: 4.0.30319.34237
< / make >
< / body >
< / html >
<!--
[UntrustedCertificateException]: certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203
DBC8256FDB2326A8EAC
at System.Net.TlsStream.EndWrite (IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback (IAsyncResult ar)
[WebException]: the underlying connection was closed: an unexpected error occurred on a send.
at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback (IAsyncResult ar)
[HttpRequestException]: an error occurred when sending the request.
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
to VMware.Cafe.JsonRestClient. <>c__DisplayClass1 1. < < GetResource > b__0 > d__3.MoveNext)
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
at d__97.MoveNext (VMware.Cafe.JsonRestClient). < RetryWebRequestWrapper >
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
to VMware.Cafe.JsonRestClient. < GetResource > d__7'1. MoveNext()
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
to VMware.Cafe.ComponentRegistryClientFactory. < CreateSecurityTokenServiceAsync > d__2f. MoveNext()
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
at d__4.MoveNext (VMware.Cafe.ComponentRegistryClientFactory). < GetHolderOfKeyTokenAsync >
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
at d__34.MoveNext (VMware.Cafe.ComponentRegistryClientFactory). < CreateDefaultSecurityContextAsync >
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
to d__1d'1. MoveNext() VMware.Cafe.ComponentRegistryClientFactory. < CreateAsync >
-End of the stack trace from the old location where the exception was thrown-
to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)
to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)
to d__1a'1. MoveNext() VMware.Cafe.ComponentRegistryClientFactory. < CreateAsync >
[AggregateException]: one or more errors occurred.
to System.Threading.Tasks.Task'1.GetResultCore (Boolean waitCompletionNotification)
to DynamicOps.Repository.Runtime.SecurityModel.CafeSecurityProvider... ctor (SecurityModelContext currentContext)
to DynamicOps.Repository.Runtime.SecurityModel.SecurityModelContext... ctor (String connectionString)
at DynamicOps.Repository.Runtime.Common.RepositoryRuntime.Initialize)
[HttpException]: one or more errors occurred.
at System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode (HttpContext context, HttpApplication app)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS (IntPtr appContext, HttpContext context, managers of MethodInfo [])
to System.Web.HttpApplication.InitSpecial (HttpApplicationState State, MethodInfo [managers], IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance (IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication (IntPtr appContext)
[HttpException]: one or more errors occurred.
to System.Web.HttpRuntime.FirstRequestInit (HttpContext context)
at System.Web.HttpRuntime.EnsureFirstRequestInit (HttpContext context)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate (HttpContext context, IIS7WorkerRequest wr)
->
at System.Data.Services.Client.QueryResult.ExecuteQuery)
to System.Data.Services.Client.DataServiceRequest.Execute [TElement] (DataServiceContext, QueryComponents queryComponents context)
-End of the exception stack trace internal-
to System.Data.Services.Client.DataServiceRequest.Execute [TElement] (DataServiceContext, QueryComponents queryComponents context)
to System.Data.Services.Client.DataServiceQuery'1.Execute)
to System.Data.Services.Client.DataServiceQuery'1.GetEnumerator)
to System.Linq.Enumerable.FirstOrDefault [TSource] (IEnumerable 1 source)
at System.Data.Services.Client.DataServiceQueryProvider.ReturnSingleton [](Expression expression) TElement
to System.Linq.Queryable.FirstOrDefault [TSource] (IQueryable 1 source)
at DynamicOps.Repository.CafeClientAbstractFactory.LoadComponentRegistryUri)
to System.Lazy'1.CreateValue)
to System.Lazy'1.LazyInitValue)
at DynamicOps.Repository.CafeClientAbstractFactory.get_CafeUri)
at VMware.Cafe.ComponentRegistryClientFactory.ctor (ICafeServiceClientFactoryFactory abstractFactory)
at DynamicOps.Repository.CafeClientAbstractFactory.CreateClientFactory)
to System.Lazy'1.CreateValue)
to System.Lazy'1.LazyInitValue)
at VMware.Cafe.Client.Registration.DownloadRootCertificates (String rootEncryptionCertPath, String rootSigningCertPath, String pkcs7Path)
to VMware.VcacConfig.ComponentRegistryCommands.DownloadRootCertificates.Execute (CommandLineParser Analyzer)
WARNING: Zero return Code. The command failed.
I could be totally wacky, but the first thing vcac devices and server identity must be in pem format.
Sounds the root string that you import.
I say the following:
This will tell you how to create certificates and import them.
-
WaveMaker 6.5 and vCO 5.1 - default self signed CERT
This is a little off topic, but I'm curious to know if anyone out there connected WaveMaker 6.5.x (web service) to vCO 5.1 (SOAP or REST) when the vCO is configured using the default self-signed certificates SSL (vanilla vCO 5.1 device).
I get the following error even after the importation of the "localhost.localdom" of vCO cert in my Java keystore/restart WaveMaker:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: building way PKIX failed: sun.security.provider.certpath.SunCertPathBuilderException: could not find the path of valid certification for target asked
Looks like real certs should work or if you have them signed by your own CA, but this isn't the case with the application out-of-the-box vCO.
Related links:
http://dev.WaveMaker.com/forums/?q=node/8424
Hello!
I think that the host name of the certificate must match the host name you are trying to reach.
The default certificate localhost.localdom works so that, if you try to connect to vCO with localhost.localdom (it might be useful a quick shot, edit the file hosts on your system wavemaker :-))
To change the certificate on vCO to match the real hostname of the box of vCO, see here:
http://www.vcoteam.info/learn-VCO/work-with-VCO-over-SSL.html
http://EnterpriseAdmins.org/blog/virtualization/VCO-appliance-and-SSL-certificates/
After chaning and removing the old and import a new keystore wavemaker it should work... Let us know! :-)
As workaround heavyweights: you can skip using WaveMaker webService tool and create your own JavaService. See an example here: http://blog.mightycare.de/en/2012/06/wavemaker-spring-and-vmware-infrastructure/
PS: The example he uses the old SOAP API of vCO, but you get the feeling (and links to java for the new REST API of https://yourvcoserver:8281/api/docs/downloads.html
PPS: It's in German, but you can download the sample project at the end of the article. If you need a discussion translation/more about this, let me know...
See you soon,.
Joerg
-
QNXStageWebView and self-signed certificates
I use the QNXStageWebView control to load HTML pages in my AIR application. I'm testing with OS version 1.0.7.3133 and version 2.7 AIR and Tablet OS SDK 1.1.0. When I use https and try to access a web site that uses a self-signed certificate (which is not approved on the device), the object of QNXStageWebView does not throw error events. How can I detect that the user tries to access a unreliable website and warn (as the native browser)? I saw the newspapers of Wireshark and I see an error "the handshake failed".
Hello Kiran,
After further investigation, the dialog box for the certificate that is popped up by the WebKit is made under the covers. The issue which is seen is actually a bug in sdk. However the bug has been fixed and the fix will be available in the next version of the blackberry Tablet sdk.
Let me know if you have any questions, and I'll be happy to answer them for you.
-
Hi all.
I use Forms 11 g 11.1.2.1 and updating JRE 7 45.
I have create a jar file containing gif icons files using this procedure:
(1) create the jar file:
set path = % path %; C:\Oracle\Middleware\Oracle_FRHome1\jdk\bin (my ORACLE_HOME/jdk)
jar - cvf webfigolos.jar *.gif
(2) self sign the file:
c:\Oracle\Middleware\asinst_1\bin > sign_webutil.bat c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar
Jars is signed but with a warning:
Generate a signature key certificate aaosa2015 = auto...
keytool error: java.lang.Exception: key pair not generated, al alias < aaosa2015 >
loan is
.
There are errors or warnings while generating a self signed certificate. Pleas
e revisiting.
.
Backup as c: C:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar
\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar.old...
1 file (s) copied.
Signature using ke c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar
y = aaosa2015...
.. own made.
But I can use this file. The application crashes and get this error from the java console:
network: connection http://myluism-pc:7001/forms/lservlet; jsessionid = p98GTL5Fh6XnQcykySBhLWq2823HwHlPGZ16TYHVv93006N4mmdl!-947562687 with proxy = LIVE
network: connection http://myluism-PC:7001 / with proxy = LIVE
Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange
at oracle.ewt.laf.oracle.OracleTreeUI.createItemPainter (unknown Source)
at oracle.ewt.laf.basic.BasicTreeUI._getItemPainter (unknown Source)
at oracle.ewt.laf.basic.BasicTreeUI.getItemPainter (unknown Source)
at oracle.ewt.dTree.DTreeBaseItem.getSize (unknown Source)
at oracle.ewt.dTree.DTree.paintCanvasInterior (unknown Source)
at oracle.ewt.EwtComponent.paintInterior (unknown Source)
at oracle.ewt.lwAWT.SharedPainter._paintInterior (unknown Source)
at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)
at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)
at oracle.ewt.lwAWT.LWComponent.paint (unknown Source)
at oracle.ewt.EwtComponent.paint (unknown Source)
at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)
at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)
This used to be a very simple procedure, but it has stopped working...!
Don't know if the jar file is well born, or if it is corrupt.
I can't start my application.
Help, please!
Best regards, Luis.
Try again with the JRE 7 10 update, I get a problem with the update of JRE 7 45, but when I tried the update of JRE 7 10, it works fine.
For the objective test, disable the check
Java Panel-> advance-> mixed Code-> disable verification (unchecked)
-
TLS fails on linux self-signed certificates
on firefox 38.1.0 under centOS 6.6 I have some problem with TLS.
When it first happened I re fact cert using keys of 2048 bytes. It seemed if address the issue when you navigate to similar addresses to https://localhost/somesite, however, I have try https://localhost:10000 with the fact that it still fails:
An error occurred during a connection to localhost.localdomain:10000. The certificate server included a public key which was too low. (Error code: ssl_error_weak_server_cert_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
The signing certificate is algorithim-> PKCS #1 SHA-1 with RSA encryption
The algorithim public key is-> PKCS #1 RSA encryption
The key has been creating 07/06/15 for a period of 10 years is a Version 1 cert issued by myself with the info
E = [email protected]
CN = localhost
UO = hq
O = permite
L = Stone Mountain
ST = ga
C = usIt was a problem of webmin.
To fix this /etc/webmin/miniserv.pem edition replace the cert and private key sections.
Use a new generated key and self-signed certificate. If you follow the instructions of centOS, the location of the files are /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt
-
Can I generate self-signed certificates free for Nexus 9 K?
Hi, I have 22 9Ks Nexus that I just upgraded to 3,0000 I4 so I can use the REST API.
I use vRealize Orchestrator for automation, and I can't access the REST API on the Orchestrator help link, as certificates are at expiration.
I can't find much information on this subject for the 9 K, unless the 9Ks are mode of the AIT, in this case I think that TACS are the only people who can generate a certificate.
Does anyone know otherwise work around this? Otherwise, I'll have to approach a TAC case for 22 certificates generated :-/
Cheers, Dom
I'm not familiar with the technology with what you're trying to integrate, but here's a guide on how generate a custom SSC (self-signed Cert) on a device:
#conf t
#hostname DEVICE01-NOTE: must not be changed
#ip - domain test.localgenerate a General key label SSC_KEY module 2048 rsa key #crypto
#crypto pki trustpoint SSC_LOCAL
#subject - name, CN = DEVICE, DC = test, DC = local
#enrollment selfsigned
# crl revocation checking
#rsakeypair SSC_KEY 2048#crypto ca enroll COMMAND SSC_LOCAL HIDDEN: initiate the creation of SSC
% Include the serial number of the router in the name of the topic? [Yes/No]: no
% Include an IP address in the name of the topic? [None]:
% Generate self signed certificate router? [Yes/No]: YesRouter self-signed certificate created successfully
After this make sure that you do NOT change the host name of the device :)
-
ASA - a Site with self-signed certificates
Team,
ASA version 9.1 (3), ASDM 7.1 (4) on 5505.
I have a pair of Cisco ASA 5505 that I am trying to establish a tunnel. I do everything with PSK. IKEv2 with AES256 IPSec. No problem...
However, I learned that I can auto-signer certificates and use them to authenticate each firewall to another. I tried for hours... Generating of certs in all combinations and options, and the export of the P12 in the other firewall, by adding in - no problem
I have self signed CERTS, so there is no CA.
Then I'll be back in the connection profile and remove the PSK - flip on to RSA - SIG in the IKE Policy.
Does anyone have this working with the ASA version, I'm running and care apart from your snippets of configuration especially how you created the pair of keys, self-signed one, exported and adding in the adjacent firewall?
I don't want to use PSK for authentication.
Help!
I never used this way without a CA so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: you assigned the ID-Cert cert in the crypto-plan?
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Replace the certificate self-signed prominent 5.3
Select a certificate:
1 Subject: C = US, S = CA, L = CA, O = VMware Inc., unit of ORGANIZATION = VMware Inc., CN = VVVDCVDID03, [email protected]
Valid from: 31/12/2013-15:56:35
Valid until the: 31/12/2015-15:56:35
Footprint: E93EDE1797C55BC61E95DF625AC33EC8D30DD0892 object: CN = .net, OR default certificate of VMware View = VVVDCVDID03.mydomain, O = "VMware, Inc.."
Valid from: 12/30/2013 15:24:20
Valid until the: 28/12/2023-15:24:20
Footprint: 671E847CA3A55FC31AA62034174B29EC37D4DF383 object: CN = * .mydomain .net, O is my company Holdings LLC, L = Grant Park, S = Illinois, C = US
Valid from: 01/08/2014-19:00
Valid until the: 14/01/2015-07:00
Footprint: 1D976E97E9B9C55A02470F45618F7E2CD8763B43Enter the choice (0-3, 0 to abort): 3
Remove the link to certificate successfully 18443 port.
Bind the new certificate to the port.
ReplaceCertificate successful operation.Yet the certificate still shows as invalid and self-signed view Admin and when I join on the site. It's showing that ranked #2 in the SVICONFIG.
In addition to this SVICONFIG does not appear to be installed facing the connection to the server at the point 5.3. Or at least I can't. 5.3 documents do not appear to exist. 5.2 only.
How can I replace the self-signed certificate in my servers connection and security now?
The solution in the end was that the self singing and new cert had the same friendly name of "vrm". Changed the name of the car to "oldcert" sign and restarted the server connection. That solved.
-
Problem with Extensions self-signed
I am packing my extension with self signed cert that is created with the ZXPSignCmd executable.
It works properly and the - verify command confirms the ZXP is good to go.
When a user install the extension, however, it works only once the first time they open Illustrator after installing it. Every time after that, opening of Illustrator, the Panel is completely empty.
This problem can be solved by enabling PlayerDebugMode on file .plist to the end user (as indicated for developers in the blog), but obviously this is something that I'm not the final user does. Does anyone have insight as to why the extension Panel does not load once and then breaks? Activation PlayerDebugMode addresses the issue, but I can't understand why. I guess that is has something to do with the way in which it is signed, but I'd like confirmation/clarification if someone knows what's going on.
Sounds... headscratchy... It is possible to activate the debug (at least in Photoshop) mode so that you can get more information directly in the sandbox. See below
HTML panels advice: debugging #1 | Photoshop, etc.
A small Guide to HTML5 Extensions | Adobe Developer Connection
-
Updating JRE 7 45 and JAR signing mess
I'm at my wits end with Java. Ask for assistance with a person who has done this successfully, especially with the cards to chip/PKCS11. My problem is that no matter how I sign the deploymentruleset.jar, my test sites, I'm going to continue to get the warning pop up with "the certifica is not valid and cannot be used to verify the identity of the Web site" as well as "this request will be blocked in a future update of security Java because the manifest files JAR does not contain the permissions attribute." I changed my ruleset.xml a billion times, even try to whitelist as a last resort for at least check if it is reading the file, but nothing helped. All of this seems to come from the way in which the JAR file is signed.
The documentation for java that I see is basically stating as, 'oh, just go buy a certificate. For many of us, this isn't an option, and we are forced to rely on our internal case. In addition, you need a certificate for code signing to do this, so I I was handed a certificate based on the chips for this, which forced me to invoke - stores ZERO and all that jazz. So I have provided a certificate based on the chips to run the task. After a long and brutal journey, I was finally able to sign without getting "the certificate of the signer chain is not validated. Now, it seems validated. It was a week in the process. It was downloading and adding certificates into the cacerts keystore. It was after another brutal trip, trying to figure out how to read my card chip with ActivClient, then another trip brutal trying to read a secondary card reader (slot = 1 must be added to the cfg file). Yes, I modify the security attributes (and others) a million different ways and test. Same result.
So now, no matter what I do, the sites I have test on do not feel that the jar file is a certificate chain. Yes, I added the item to the white list, and after I proceed after the warning, told me so I can't continue "Blocked by deployment Application rule set" because "Cannot verify the self-signed deployment rule POT Set". Several variations of the test site (including wildcard characters) are in the ruleset.xml. The ruleset.xml displays correctly when in the Java Control Panel console.
Why it has become ridiculously difficult for anyone to deploy it? I get security, but if you can't document correctly different methods to do this, with traps and the FAQ, it is rather useless. Before you point me to a document Oracle, rest assured, I read all of them.
Has anyone out there successfully done this with a cert a code of a CA signing token-based internal? What is an obligation to buy a cert based on external files for this?
Thank you
Nate
A member of my team was able to identify a step that missed me. I wrote a 20 step guide on how to do it, but the forums won't let me copy and paste. Let me give you a few highlights...
(1) If you have ActivClient, you need to add a line of code at the end of the java.security file, but also to create a file cfg somewhere on your machine and point the java.security file cfg code.
Line at the end of the java.security file... "#configuration for security omitted 1.6 security.provider.7 sun.security.pkcs11.SunPKCS11 c:/temp/pkcs11.cfg = providers (or what you call the cfg).
Inside the cfg file, you must specify the location of your ActiveClient acpkcs211.dll. If you use a secondary smart card reader, you must also specify the location = 1 at the end of the cfg file.
name = ActivCard
Library = c:\program files\actividentity\activclient\acpkcs211.dll
location = 1
(2) create the ruleset.xml according to your needs
(3) create a file named security.txt and place "permissions: all-permissons ' on line 1 and ' codebase: *" on line 2.
(4) copy the two files above to the JDK\bin
(5) your certificates root export to an x.509 .cer file.
(6) to export the file RECs certificate of Internet Explorer (it was a step that I missed) code signing.
(7) import the code signing certificate in your trusted root certificates (it was a step that I missed).
(8) import your root certificates and signature of the certs (cer files) into the code cacerts file. (I missed the part of code signing cert)
For example
keytool - keystore "c:\program files\Java\jdk1.7.0_45\jre\lib\security\cacerts" - importcert-alias alias rootcert.cer
Repeat the steps for the other roots, middle and code signing cert
(9) create the jar file
(10) find the alias of the certificate code using keytool - keystore NONE - stores PKCS11-list - v
(11) sign the jar file with the code inserted into a smart card reader, using the alias from above as the last parameter of the token-signing certificate
jarsigner - keystore NONE - PKCS - signedjar alias DeploymentRuleSet.jar DeploymentRuleset.jar stores
(12) copy the jar signed at c:\windows\sun\java\deployment
(13) check the ruleset works by checking Java in the control panel
(14) to test your Web site
-
Create a self-signed certificate
When I use ADM to access my router I always get a message that I have established a connection with "ip address", but the certificate belongs to IOS-self-signed-cert... etc. I generated RSA keys with the address. How to generate a new self-signed certificate that includes the ip address of the router? Thank you.
self-signed certificate
You can use the "crypto pki trustpoint name" command on the router to create a self-signed certificate.
Check this link for configurtion:
-
HPDM: HPDM replace self signed SSL certificates for server HDPM and master repository
I am trying to replace the automatically generated self-signed certificates (issued to DM) issued by DM server HDPM and master repository. I'm NOT arbitration FTPS, HTTPS embedded HPDM or CERT Thin Client Agent server.
I already have CERT for the installation of our own internal domain CA for FTPS in IIS and the built-in Apache HTTPS server. These work properly and pass tests of repository for both protocols. I also have questions for Thin Clients of our internal CA very well.
I am interested in the HPDM real server cert and cert master repository. These are generated automatically when the two services start. They use a very weak MD5 hash and key RSA 1024. I can't find any documentation around that, with the exception of troubleshooting, in which you can remove these certificates restart services and they will be regenerated.
Here are the paths certs\key
HPDM % install Path%\MasterRepositoryController\Controller.crt (Cert repository)HPDM % install Path%\MasterRepositoryController\Controller.key (repository key)
HPDM % install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)
HPDM % install Path%\Server\Bin\hpdmskey.keystore (Both HPDM server and repository Certs and keys) (not sure what format it is in. It is not PEM and P12 ok I can say)
There are also some HPDM % install Path%\Server\bin\hpdmcert.key. Don't know what it is. It's the key to the server HPDM but deleting it does nothing and it is never re auto generated in one of my tests.
I am able to replace the Controller.crt and keys with my own files CA internal those emitted very well. The service started and no errors occur. However if I replace the Client.cert (HPDM Server Cert) with my own service will start but there are Socket SSL errors in repository logs and the HPDM server could not connect to the master repository. I have no idea where the key file is supposed to be for HPDM Server Cert.
Can anyone help with this? I can't find the configuration files for the service to generate their own certificates. If I did I would try at least to change the config to do not use MD5.
Hello
These certiricates between HPDM server and MRC are not designed for customizable. Please submite one scenario if you have concerns of security on it.
Just for info:
hpdmcert. Key is for communication between the server HPDM and gateway HPDM
hpdmskey.keystore is for communication between the server HPDM and MRC
server_keystore is for the commhucation between HPDM server and the Console HPDM
-
We have an SSL certificate that is self-signed on our application server. When we run the application flex from outside of our network and try to access the web service, flex throws the following error:
Failed to load the WSDL. If there are currently online, please verify the format of the WSDL and URI file
We did install the certificate on client computers for IE and Firefox, but nothing seems to fix it, as we have tested the service via http and it works fine, but when you switch to https is when it breaks. To test further we loaded the wsdl for the service from outside of our network and were able to see with the crossdomain.xml file that resides on the server. At this point, we are at a loss of what could be the problem.
Does anyone have any suggestions?
Thanks in advance. If you need information additional just ask.
Pony up the $15 for a cert play. You've already spent more in a way that tries to "solve" this problem.
-
I have Firefox installed 37.0.1 on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and to check all the option displayed to be wz trust no chance.
I tried to restart firefox, but it did not help.
I did the same steps in chrome and it works fine.
appreciate any help.
After removing my .mozilla in my home directory. Add the certificate to the list of authorities in fact work.
Maybe you are looking for
-
iPADs repeat network WPA2 Enterprise authentication
Hi all I have the following problem with our network wireless company. We are able to connect to our network wireless with iPad and iPhone successfully. But with the iPad when you leave the office and come back a few hours later he asks for to re-aut
-
Why my app Apple News shows me Australian information when I am in the United Kingdom?
Hi, I can't understand what is happening with my Apple News app. I like the service, but have recently begun to use the version of Google (which is not quite as nice) because Google shows me UK news and things interest me, while the Apple News app ju
-
I upgraded my router (modem). Now my wifi has a different name and different password. What should I do to ensure that my Airport time capsule is always related to the router - even if it always shows the green light. How will I know if the airpor
-
Corrupt Windows installation program?
I am runing Windows XP - SP3. At one time in the last month, I think that my windows install or .net Framework has become corrupted. I used the dotnetfx_cleanup tool and tried the msiexec /unreg & msiexec/regserver command to reset the .net service
-
When I click on a link in an email, need me is no longer the chosen source. I have to manually click on copy the address of the site and then go to windows and paste on the toolbar. This occurred only lately, but I don't know why. What should I do to