Creation of my own CA, self-signed certificates and the use of these

I'm stupid. Three years ago, I created my own CA and my own wildcard certificate for my OS X Server (still 10.8.5 with Server 2.2.5). I install my public root CA on clients that make use of my server. As these do not need updating often and the work is complex, I created a CA vault with a few scripts and an openssl configuration to take care of it. What I forgot was to document how to get these used by Server.app. That's why I'm stupid, because I'm struggling to reproduce what I did and discovered three years ago.

I use two scripts. (MYNAME, mydomain and tld are generic strings, of course in reality I use my own name and mydomain.tld)

The first is for the creation of a root certification authority:

#!/bin/bash

# Only edit these:
mycaname="MYNAME Certificate Authority"
myrootname=mydomaincaroot

# Run in the current dir:
mydir=$(pwd)

mkdir -p "$mydir"/RootCert

# Only create the root CA when neither the key nor the certificate exists yet;
# otherwise a CA private key that is still in use could be overwritten.
if [ ! -e "$mydir"/RootCert/"$myrootname".key ] && \
   [ ! -e "$mydir"/RootCert/"$myrootname".crt ]
then
    # Self-signed root certificate valid for 10 years; openssl.cnf in the
    # current dir supplies the distinguished name and the CA extensions.
    openssl req -config "$mydir"/openssl.cnf \
        -new -x509 \
        -keyout "$mydir"/RootCert/"$myrootname".key \
        -out "$mydir"/RootCert/"$myrootname".crt \
        -days 3650
    # Bundle key and certificate into a PKCS#12 file for Keychain import
    openssl pkcs12 -export -clcerts \
        -inkey "$mydir"/RootCert/"$myrootname".key \
        -in "$mydir"/RootCert/"$myrootname".crt \
        -out "$mydir"/RootCert/"$myrootname".p12 \
        -name "$mycaname"

    echo "Now import $mydir/RootCert/$myrootname.p12 in Keychain"
    echo "For this, unlock the System Keychain first, then import"
    echo "NOTE: this imports your private key in the System Keychain"
    echo "so it can be used for signing activities."
    echo "This is less safe than keeping your private key on media that"
    echo "cannot be accessed from the system, like a safely stored USB stick"
else
    echo "Your root CA crt and key already exist! I will not overwrite them"
    echo "as this could overwrite a still used private key and lose you access"
    echo "to signed certificates, e.g. for revoking them"
fi

I think I know what to do (but advice is always welcome). I have to add the certificate as an identity to the System keychain, after which I can use it in Server.app.

Now I encounter another problem: when I import the certificate into the System keychain, it ends up in /etc/certificates without a .pem file. See: OS X 10.8.5 Server 2.2.5/Keychain Access certificates issue for more details.

Help is always welcome.
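The post's script only creates the root CA; the wildcard server certificate it mentions, and a check that the result actually chains to that CA, are what is usually missing when a setup has to be redone years later. The following is an added example, not the poster's script: it builds a root with proper CA extensions (basicConstraints CA:TRUE, keyCertSign), issues a wildcard server certificate with a subjectAltName, and uses openssl verify to show that only a certificate issued by this CA is accepted, while an unrelated self-signed certificate with the same name is rejected. It assumes openssl on PATH, uses -subj instead of the post's interactive openssl.cnf prompts, and the names MYNAME and mydomain.tld are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA issuing a
# wildcard server certificate, plus a chain check with openssl verify.
# Assumptions: openssl on PATH; MYNAME / mydomain.tld are placeholders.
set -eu

# make_ca DIR: create ca.key and a self-signed ca.crt that is marked as a CA
# (CA:TRUE, keyCertSign), valid for 10 years like the post's root.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = MYNAME Certificate Authority
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -days 3650 -config "$dir/ca.cnf" 2>/dev/null
}

# issue_server_cert DIR NAME: key + CSR for NAME, signed by the CA with
# end-entity extensions (CA:FALSE, serverAuth) and a SAN, which browsers
# require in addition to the CN.
issue_server_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$name" 2>/dev/null
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" \
    -days 825 -extfile "$dir/server.ext" 2>/dev/null
}

# verify_chain CAFILE CERT: exit status 0 only if CERT chains to CAFILE
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: issue a wildcard cert and show that only it verifies against our CA;
# an unrelated self-signed cert carrying the same name is rejected.
work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" "*.mydomain.tld"
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$work/other.key" \
  -out "$work/other.crt" -days 30 -subj "/CN=*.mydomain.tld" 2>/dev/null
verify_chain "$work/ca.crt" "$work/server.crt" && echo "server.crt: chains to our CA"
verify_chain "$work/ca.crt" "$work/other.crt" || echo "other.crt: self-signed, not issued by our CA"
rm -rf "$work"
```

The second verify call is the check worth keeping around: a certificate is trusted because it chains to a root the client holds, not because of its name, so a self-signed certificate for the same host is rejected until it is installed as a trust anchor itself.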

Tags: Servers and Enterprise Software

Similar Questions

  • I have a Proxy Server that uses a self-signed certificate, and I can't accept this certificate from Firefox

    I have Firefox 37.0.1 installed on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add its certificate to the list of authorities and to check all the trust options displayed, with no luck.

    I tried to restart firefox, but it did not help.

    I did the same steps in chrome and it works fine.

    I appreciate any help.

    After removing the .mozilla directory in my home directory, adding the certificate to the list of authorities did in fact work.

  • Struggling with Windows 2008 R2 PKI, self-signed certificates & iPad View client secure authentication to the View Connection Server: UGH!

    Background: I was instructed to create an isolated VMware View lab test so that higher-ups can see how they could access their dedicated VMs as well as how their developers could spin up linked clones on the fly. The project was successful! Yay!

    Addendum: A boss wants to see how VMware View works when accessing his dedicated virtual machine via his iPad over the internet... which needs a secure SSL connection.

    The problem is: I chose the domain name casually because the lab did not belong to me... So I can't get a real certificate from a trusted commercial certification authority.

    So I'm trying to roll my own Windows 2008 R2 PKI and... with all of that forcing the iPad to use the DC/DNS server in the lab... just get the iPad to trust the View Connection Server by importing some kind of certificate.

    I can export the CA certificate from the DC and import it on the iPad via an e-mail attachment... and it shows as trusted. But how do I create a View Connection Server certificate and e-mail/import it to the iPad so that it shows as trusted? Whenever I try to export the certificate from the View Connection Server's certificate store, send it to the iPad and install it... the Connection Server certificate appears as 'not trusted' and the VMware View client will not connect.

    (Of course, I could get sloppy and set the iPad client to accept untrusted connections... but I want to solve the trusted-connection problem.)

    I could be missing something royally about self-signed certificates and certificate chains.

    (This is a first for me dealing with Active Directory Certificate Services. In the past, I always just installed expensive commercial SSL CA certificates in the Windows Server certificate stores.)

    Any help or direction you can provide would be appreciated. I'm rather confused.

    See you soon!

    Keegan

    Hello

    Maybe your initial problem was that the provided certificate must descend from a trusted root, such as a Verisign cert, or

    that the root certificate and all the intermediate certificates in the trust chain down to the one you use must be installed?

    Regards

    AndyR

  • Self-signed certificates Z10 blackBerry

    I'm trying to sideload self-signed certificates onto the device for testing reasons (see various other misfortunes listed elsewhere).  Settings > Security > Certificates seems to have the ability to do this.  I can't find any documentation as to where certificates must be located to be detected.

    Some Googling mentioned something about the process as it concerns the PlayBook, but that requires them to be placed in the certs folder on the device.  The Z10 does not have this folder by default and it is not possible (AFAIK) to create this folder at the root of the device.

    Thank you

    The Z10 has the same certs folder in the same location as the PlayBook, and the certificate installation process is the same, so the documentation on that should serve you well.

    The folder is visible through network sharing, when you turn on sharing in the settings and browse from a PC on your network... in case it wasn't clear.

  • RemoteAccess VPN to ASA 2 7.2 using self-signed certificate

    Dear friends,

    I need help or a guide on how to set up what is stated in the title.

    Can this configuration be made? Or can a self-signed certificate not be used as the VPN certificate?

    Unfortunately, we cannot deploy a dedicated CA server.

    But we cannot use pre-shared key authentication because the configuration would force our ASA to turn off 'isakmp am-disable', which is unacceptable according to our independent auditor.

    So the best solution I can think of is to use a self-signed certificate, if that is suitable.

    Please advise me if there is some way I can use 'isakmp am-disable' as well as the pre-shared key.

    Can I generate the certificate using my ASA box? Or do I really need to use a dedicated CA server to make it work?

    This is the ASA's self-signed certificate, but I can't import it into my Cisco VPN Client 5.0; it keeps saying "error 39: unable to import the certificate".

    MIIGpwIBAzCCBmEGCSqGSIb3DQEHAaCCBlIEggZOMIIGSjCCBkYGCSqGSIb3DQEH
    ...removed
    SdCTfNIaE11Fm+rOMD0wITAJBgUrDgMCGgUABBS6s9ZMs6MoqQ0tdZuKRZuebbE3
    owQU/z10f/Ew3XMfWBYSV5Eo3evqqgwCAgQA

    I will be very very grateful for any help provided.

    Best regards

    SAB

    SAB,

    You must have a separate CA server to issue certificates for the client, and enroll the ASA with the CA server.

    You cannot use the self-signed certificate on the ASA for the VPN client.

    See you soon,

    Gilbert

  • ASA SHA2 support with self-signed certificates

    Is it possible to use the SHA2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation that SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to importing a certificate from an external certification authority.

    Hi William,

    You can only generate a SHA1 self-signed certificate on the ASA. The workaround is to import a certificate with a SHA2 signature algorithm from a 3rd party.

    Here is the bug ID for the same request:

    ASA support for SHA-2 for crypto IPsec and public key infrastructure operations
    CSCuj67576
    https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Creating a self-signed certificate - how do you define the "storepass"?

    Hi, I am trying to use ADT to create an AIR 2.7 file, but this is the first time I have used the command line tool to build one, and I have problems understanding the signing process.

    I can generate a cert.p12 keystore from the Flash IDE, and it requires a password for the file (-storepass).

    I can also use ADT to create a self-signed certificate from the command line; here you can specify the -keystore (cert location) and -keypass (password for the key in the store).

    I can't find a way to generate a self-signed certificate where you can specify both passwords, one for the store (-storepass) and one for the key (-keypass).

    This is a problem because when I go to package my AIR file using ADT, it takes two passwords, -storepass and -keypass, before it can publish.

    Does anyone know how to generate a self-signed .p12 certificate and have control over both passwords...?

    I've spent hours playing and researching now, so maybe I have the wrong end of the stick; I could do with some help getting beyond this issue.

    Thank you

    Sean

    As far as I know, only a single password is mandatory when packaging for ipa.

    Example command:

    C:\AdobeAIRSDK\bin\adt.bat -package -target ipa-test -storetype pkcs12 -keystore [KEYFILE].p12 -storepass [KEY PASSWORD] -provisioning-profile [MOBILE PROVISIONING FILE].mobileprovision [NAME OF THE IPA].ipa [NAME OF THE XML FILE].xml [NAME OF THE SWF FILE].swf Icon_29.png Icon_48.png Icon_57.png Icon_72.png Icon_512.png Default.png Default-Landscape.png Default-Portrait.png Default-PortraitUpsideDown.png Default-PortraitLandscapeLeft.png Default-PortraitLandscapeRight.png

  • Can I generate self-signed certificates free for Nexus 9 K?

    Hi, I have 22 Nexus 9Ks that I just upgraded to 3,0000 I4 so I can use the REST API.

    I use vRealize Orchestrator for automation, and I can't access the REST API from the Orchestrator side, as the certificates are expired.

    I can't find much information on this subject for the 9K, unless the 9Ks are in AIT mode, in which case I think TAC are the only people who can generate a certificate.

    Does anyone know another way around this? Otherwise, I'll have to open a TAC case for 22 generated certificates :-/

    Cheers, Dom

    I'm not familiar with the technology you're trying to integrate with, but here's a guide on how to generate a custom SSC (self-signed cert) on a device:
    #conf t
    #hostname DEVICE01          <-- NOTE: must not be changed afterwards
    #ip domain-name test.local

    #crypto key generate rsa general-keys label SSC_KEY modulus 2048

    #crypto pki trustpoint SSC_LOCAL
    #subject-name CN=DEVICE,DC=test,DC=local
    #enrollment selfsigned
    #revocation-check crl
    #rsakeypair SSC_KEY 2048

    #crypto ca enroll SSC_LOCAL  <-- HIDDEN COMMAND: initiates the creation of the SSC

    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]:
    % Generate Self Signed Router Certificate? [yes/no]: yes

    Router Self Signed Certificate successfully created

    After this make sure that you do NOT change the host name of the device :)

  • How can I make a self-signed certificate trusted root CA?

    Hi all

    I created a self-signed certificate using IIS 7 and assigned it to my local web site. It looks like my connection to my local server is encrypted, but the problem is that the certificate indicators in all browsers are red and show the following error message:
    "The identity of the server to which you are connected cannot be fully validated. You are connected to a server using a name that is valid only within your network, which an external certification authority has no way to validate ownership of. Some certification authorities will issue certificates for these names regardless, so there is no way to ensure that you are connected to the expected site and not an attacker."
    What does this error mean? Why doesn't this error go away when I add my certificate to "Trusted Root Certification Authorities" in MMC > Certificates? I want to get a green light for my certificate in my browser! Is this possible?
    Thanks in advance.

    There is no way to convert a self-signed certificate into a certificate signed by a root CA.  In addition, simply adding a certificate to a particular area of the crypto store does not change its abilities.  Trusted root certification authority certificates must be issued by approved certification authorities.  Adding your own cert to the store zone does not make it trusted.

  • Cannot use jar with icon files gif and self signed certificate files (Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange)

    Hi all.

    I use Forms 11g 11.1.2.1 and JRE 7 update 45.

    I have created a jar file containing gif icon files using this procedure:

    (1) create the jar file:

    set path=%path%;C:\Oracle\Middleware\Oracle_FRHome1\jdk\bin   (my ORACLE_HOME/jdk)

    jar -cvf webfigolos.jar *.gif

    (2) self sign the file:

    c:\Oracle\Middleware\asinst_1\bin> sign_webutil.bat c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

    The jar is signed, but with a warning:

    Generating a self signed certificate for key=aaosa2015...
    keytool error: java.lang.Exception: Key pair not generated, alias <aaosa2015> already exists.
    There were warnings or errors while generating a self signed certificate. Please review them.
    Backing up c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar as C:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar.old...
    1 file(s) copied.
    Signing c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar using key=aaosa2015...
    ...completed successfully.

    But I can't use this file. The application crashes and I get this error from the Java console:

    network: connection http://myluism-pc:7001/forms/lservlet;jsessionid=p98GTL5Fh6XnQcykySBhLWq2823HwHlPGZ16TYHVv93006N4mmdl!-947562687 with proxy=LIVE
    network: connection http://myluism-PC:7001/ with proxy=LIVE
    Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange
        at oracle.ewt.laf.oracle.OracleTreeUI.createItemPainter(Unknown Source)
        at oracle.ewt.laf.basic.BasicTreeUI._getItemPainter(Unknown Source)
        at oracle.ewt.laf.basic.BasicTreeUI.getItemPainter(Unknown Source)
        at oracle.ewt.dTree.DTreeBaseItem.getSize(Unknown Source)
        at oracle.ewt.dTree.DTree.paintCanvasInterior(Unknown Source)
        at oracle.ewt.EwtComponent.paintInterior(Unknown Source)
        at oracle.ewt.lwAWT.SharedPainter._paintInterior(Unknown Source)
        at oracle.ewt.lwAWT.SharedPainter.paintExtents(Unknown Source)
        at oracle.ewt.lwAWT.LWComponent._paintComponent(Unknown Source)
        at oracle.ewt.lwAWT.LWComponent.paint(Unknown Source)
        at oracle.ewt.EwtComponent.paint(Unknown Source)
        at oracle.ewt.lwAWT.SharedPainter.paintExtents(Unknown Source)
        at oracle.ewt.lwAWT.LWComponent._paintComponent(Unknown Source)

    This used to be a very simple procedure, but it has stopped working...!

    I don't know if the jar file is well formed, or if it is corrupt.

    I can't start my application.

    Help, please!

    Best regards, Luis.

    Try again with JRE 7 update 10. I get a problem with JRE 7 update 45, but when I tried JRE 7 update 10, it works fine.

    For testing purposes, disable the check:

    Java Control Panel -> Advanced -> Mixed code -> Disable verification (unchecked)

  • TLS fails on linux self-signed certificates

    On Firefox 38.1.0 under CentOS 6.6 I have some problems with TLS.

    When it first happened I regenerated the cert using 2048-byte keys. That seemed to address the issue when navigating to addresses like https://localhost/somesite; however, when I try https://localhost:10000 it still fails:

    An error occurred during a connection to localhost.localdomain:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

       The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
       Please contact the website owners to inform them of this problem.

    The certificate signature algorithm is -> PKCS #1 SHA-1 With RSA Encryption

    The public key algorithm is -> PKCS #1 RSA Encryption

    The key was created on 07/06/15 for a period of 10 years; it is a Version 1 cert issued by myself with the info:
    E = [email protected]
    CN = localhost
    OU = hq
    O = permite
    L = Stone Mountain
    ST = ga
    C = us

    It was a webmin problem.

    To fix this, edit /etc/webmin/miniserv.pem and replace the cert and private key sections.

    Use a newly generated key and self-signed certificate. If you follow the CentOS instructions, the files are located at /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt.

  • WPA2 Enterprise signed vs self-signed certificate

    Hello

    What are the risks of using a self-signed certificate on an OS X Server RADIUS client using WPA2-Enterprise?

    The biggest risk is teaching your users to ignore certificate warnings.  Telling everyone to ignore your cert warnings will likely train people to ignore all warnings, possibly opening up security threats.  For non-technical users, it's a bad habit to reinforce.

    The cost of a valid certificate is not terrible.  If you have decided to build a secure wireless infrastructure using certificates and RADIUS, buy a real certificate.  I hope this helps.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server - Foundation Services"

    Author - "El Capitan Server - Collaboration & Control"

    Author - "El Capitan Server - Advanced Services"

    iBooks exclusively available in the Apple store

  • cannot install self-signed certificates sbs2008 on Vista SP2 with IE8

    I have an SBS2008 setup and it uses self-signed certificates.

    My laptop is Windows Vista SP2 with IE8.

    When I try to connect to my SBS2008 OWA web site, I get this error: "There is a problem with this website's security certificate."

    I tried to solve my problem with this solution: http://blogs.technet.com/b/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx (dated May 8, 2008), don't worry!

    I also looked at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156, dated November 19, 2008.

    This link is on the page above: "Download the Update for Windows Vista (KB932156) package now", dated March 24, 2008. I understand that all of the above links are meant to work with Vista & IE7; there is no mention of the Service Pack level.

    Does this patch really work on Vista SP2 with IE8, or do I have to change the registry, and if so, is this key still the right one?

    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Thank you

    Hello

    Questions like these are much better handled in the TechNet IT Pro Forums.

    My moderator tools cannot move messages to the Windows forums, so please re-ask your question there.

    http://social.technet.Microsoft.com/forums/en-us/itprovistanetworking/threads

  • Generate a DRAC 7 - new self-signed certificate

    Trying to generate a new self-signed cert on the DRAC, but keep the key size at 2048 bits.

    racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048

    sslresetcfg restores the cert to 1024...

    racadm sslresetcfg

    Any advice on how to obtain a 2048-bit self-signed certificate?

    iDRAC 7 2.10.10.10 firmware ships iDRAC with a 2048-bit certificate by default. You can update iDRAC to 2.10.10.10 and run the command "racadm sslresetcfg" to load the 2.10.10.10 firmware's default certificate.

    iDRAC7 2.10.10.10 firmware is available @ http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=Y5K20&fileId=3445456701&osCode=NAA&productCode=poweredge-r820&languageCode=EN&categoryId=LC

  • QNXStageWebView and self-signed certificates

    I use the QNXStageWebView control to load HTML pages in my AIR application. I'm testing with OS version 1.0.7.3133, AIR version 2.7 and Tablet OS SDK 1.1.0.  When I use https and try to access a web site that uses a self-signed certificate (which is not trusted on the device), the QNXStageWebView object does not throw any error events. How can I detect that the user is trying to access an untrusted website and warn them (as the native browser does)? I looked at the Wireshark logs and I see a "handshake failed" error.

    Hello Kiran,

    After further investigation, the certificate dialog box popped up by WebKit is handled under the covers. The issue being seen is actually a bug in the SDK. However, the bug has been fixed and the fix will be available in the next version of the BlackBerry Tablet SDK.

    Let me know if you have any questions, and I'll be happy to answer them for you.
