Flex + self signed SSL Cert

We have a self-signed SSL certificate on our application server. When we run the Flex application from outside of our network and try to access the web service, Flex throws the following error:

Failed to load the WSDL. If there are currently online, please verify the format of the WSDL and URI file

We did install the certificate on client computers for IE and Firefox, but nothing seems to fix it, as we have tested the service via http and it works fine, but when you switch to https is when it breaks. To test further we loaded the wsdl for the service from outside of our network and were able to see with the crossdomain.xml file that resides on the server. At this point, we are at a loss of what could be the problem.

Does anyone have any suggestions?

Thanks in advance. If you need additional information, just ask.

Pony up the $15 for a cert play. You've already spent more in a way that tries to "solve" this problem.

Tags: Flex

Similar Questions

  • Flex iOS app refuses to connect to a self-signed SSL server: error 2032

    Hello everyone, thank you for reading this and I hope you could help me with this problem.

    I'll cut to the chase. I am currently working on a mobile app in Flex for Android and iOS and the app has to make a few HTTP requests and retrieve information from a server, which a teammate is currently developing.

    Everything had to be working very well until we decided a few days before when we have integrated a SSL self-signed certificate in order to make connections more secure, etc.

    On the side of the app, this change, lying just to replace the http with https url and it seems to work perfectly, or that's what we thought.

    Tests on the Simulator or on an Android device worked well, he just showed the warning provided access to a server that had a rogue certificate that could be ignored without any problem. But when we tried to test a Release on a camera of the iPhone version, it would not just work more. A connection every time trying to be established with the server, error 2032 flash is triggered and it fails miserably does not display not warning about certificates not approved at all. For me, it's really confusing that it works on Android devices, but not on the iPhone device.

    I searched on the Web for people having the same problem but I couldn't find an answer to this specific issue of Flex-iOS-Self-signature-SSL. I found this post unanswered questions: http://forums.adobe.com/message/3359072#3359072 but nothing much.

    I tried to create a crossdomain.xml file on the server with secure set to false, and some other stuff to avoid crossdomain policies, but it changed nothing and the problem persists.

    I'm really out of clues, sort of desperate and have no idea how to fix it. If anyone knows something related to this problem, please help me, I'll be less grateful.

    Thank you!

    We decided to buy a verified SSL certificate, and it worked. We can say that the problem is solved, but it wasn't actually because the connection must be established and that the invited user to accept or decline the self-signed certificate, not only do not make the connection.

  • HPDM: HPDM replace self signed SSL certificates for server HDPM and master repository

    I am trying to replace the automatically generated self-signed certificates (issued to DM) issued by DM server HDPM and master repository.  I'm NOT arbitration FTPS, HTTPS embedded HPDM or CERT Thin Client Agent server.

    I already have CERT for the installation of our own internal domain CA for FTPS in IIS and the built-in Apache HTTPS server.  These work properly and pass tests of repository for both protocols.  I also have questions for Thin Clients of our internal CA very well.

    I am interested in the HPDM real server cert and cert master repository. These are generated automatically when the two services start.  They use a very weak MD5 hash and key RSA 1024.  I can't find any documentation around that, with the exception of troubleshooting, in which you can remove these certificates restart services and they will be regenerated.

    Here are the paths certs\key
    HPDM % install Path%\MasterRepositoryController\Controller.crt (Cert repository)

    HPDM % install Path%\MasterRepositoryController\Controller.key (repository key)

    HPDM % install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)

    HPDM % install Path%\Server\Bin\hpdmskey.keystore (Both HPDM server and repository Certs and keys) (not sure what format it is in.  It is not PEM and P12 ok I can say)

    There are also some HPDM % install Path%\Server\bin\hpdmcert.key.  Don't know what it is.  It's the key to the server HPDM but deleting it does nothing and it is never re auto generated in one of my tests.

    I am able to replace the Controller.crt and keys with my own files CA internal those emitted very well.  The service started and no errors occur.  However if I replace the Client.cert (HPDM Server Cert) with my own service will start but there are Socket SSL errors in repository logs and the HPDM server could not connect to the master repository. I have no idea where the key file is supposed to be for HPDM Server Cert.

    Can anyone help with this?  I can't find the configuration files for the service to generate their own certificates.  If I did I would try at least to change the config to do not use MD5.

    Hello

    These certificates between HPDM server and MRC are not designed to be customizable. Please submit a scenario if you have security concerns about it.

    Just for info:

    hpdmcert.key is for communication between the HPDM server and the HPDM gateway

    hpdmskey.keystore is for communication between the HPDM server and MRC

    server_keystore is for the communication between the HPDM server and the HPDM Console

  • Thunderbird does not recognize a self-signed SSL certificate

    Dear support,

    I have a very strange problem that I don't understand.

    I run a server ISP offering IMAP and TLS/SSL HTTPS encryption. Both services use the same SSL certificate issued by RapidSSL/GeoTrust Server edward.ennabe.de

    When I open an https connection to the server, Firefox correctly solves the certificate chain and use the certification authority root Equifax (which is correct).
    However, when I try to connect to a mailbox via Thunderbird, all I get in the hierarchy of certificates is my server edward.ennabe.de. I don't think that it's "working as intended", or is it?

    Is something wrong with my Thunderbird or My Dovecot configuration? What is really strange that firefox recognizes it correctly.

    Thanks in advance

    Kind regards

    ZeroEnna

    In Thunderbird, click the 'Details' tab in the certificate display.
    Are all the CA certificates listed in the "Certificate hierarchy" field also installed in your Thunderbird certificate store?
    To check this, look at the 'Authorities' tab.
    If certificates in the chain are missing from the Thunderbird certificate store (for whatever reason), you can try to export them from Firefox and import them into Thunderbird.

  • iDRAC6 - self-signed ssl + intermediate

    Hello

    We strive to set up ssl certificates on our idrac6 enterprise (2.85 (Build 04)) active servers.

    The SSL chain looks like this:

    1. certification authority root

    2. intermediate CA

    3. Certificate SSL iDRAC

    I can't get the intermediate certificate to work OK, whenever I could connect idrac, it does not present the certificate of the idrac and does not include the string my browser continues to complain.

    I tried two different methods of Linux with racadm

    1)

    cat idrac.crt intermediate.crt > idrac.combo.crt
    racadm -r <idrac-ip> -u root -p <password> config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048
    racadm -r <idrac-ip> -u root -p <password> sslkeyupload -t 1 -f idrac.key
    racadm -r <idrac-ip> -u root -p <password> sslcertupload -t 1 -f idrac.combo.crt

    2)

    cat ca.crt intermediate.crt > ca+intermediate.crt
    racadm -r <idrac-ip> -u root -p <password> sslcertupload -f ca+intermediate.crt -t 2
    racadm -r <idrac-ip> -u root -p <password> -i sslkeyupload -f idrac.key -t 1
    racadm -r <idrac-ip> -u root -p <password> sslcertupload -f idrac.crt -t 1

    Has anyone ever gotten this to work? I see a lot of posts with mixed results.

    Any help would be greatly appreciated!

    -peter

    Hello

    The iDRAC6 can't stand chains of certificates. This is a feature that is supported in iDRAC7 and later versions.

    Thank you

  • Safari no longer works with SSL self-signed certificates?

    With the latest Safari (9.0.3) on OS X (running 10.11.3) and iOS (9.2.1) operating system, I can no longer connect to sites that use self-signed SSL certificates. Previously, I was warned that the site certificate was not "valid", but given the opportunity to continue anyway. This is the behavior I want to come back. It still works fine in Chrome and Firefox, but now just Safari gives me an error "Safari can't open the Page" as it would if it could not reach the server. Specifically, it says "Safari can't open the page https://myselfsignedhost.com because Safari is unable to establish a connection to the server myselfsignedhost.com."

    It does not give me the opportunity to inspect the certificate, add the certificate to my keychain, trust the cert, ignore the warning once or anything else that would be useful... He's just pretending like it can't connect. Am I missing something? How to restore old functionality? This 'bug' makes safari completely useless for me.

    OK, some info... This seems to apply only to SOME sites with self signed SSL CERT... The only obvious thing I can think is that maybe it applies to sites where the SSL certificate when the page was first loaded?

    If I open a new window private, I can access the page without problem. If I open a new standard, I can also open the page, until I quit safari. Once I left, it stops loading with the same error...

    If I manually add the SSL certificate to my keychain as being approved, the page also works... There may be a cache of certificate somewhere that is out of date?

  • ASA5505 IPSEC only with self-signed certificates

    Hi all

    I have little Cisco training and was assigned to a pilot project. We have cleaning of the ASA from another Department, but I do not have access to support. It is running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we can buy a nice 5520.

    So I scoured the internet for a guide that is easy to do as my title says, but I'm having major trouble. I find a lot of outwardly signed with self-signed SSL VPN or VPN IPSEC with CERT support but I can't only get ASA self-signed IPSEC IKEv2 with certificate authentication. Also, to make it even worse, I have to provide the user with the software, the profile and the certificate in hand. No access to the web or download portal.

    If you know where I can get good installation guide for this type of use please by all means save me here. If this isn't possible, I'm cool with that, let me know.

    Thank you for any help you can provide

    Jay

    If the ASA uses a certificate issued by a certification authority that is in-store customer trust root CA, then the certificate of identity ASA didn't need to be imported by the customer.

    Which is why it's usually recommended to follow the path of using experienced public CA because they are already included in most modern browsers and so the client has no need to know how to import certificates etc.

    If you are using a local certification authority that is not in the store trusted CA of the customer to deliver your ASA certificate or identity certificates on the SAA signing root then you must take additional measures at the level of the customer.

    In the first case, you could import the CA certificate in the store root CA of the client trusted root. After that, all the certificates it has issued (the IE the ASA certificate of identity) would automatically be approved by the customer.

    On the second case, certificate of identity of the SAA is would have installed on the client because it (the ASA) basically as it's own root certification authority. Usually, I install them in the CA store root confidence of my client, but I guess that's technically not necessary, as long as the customer knows to trust this certificate.

  • Self-signed ssl certificate is not possible?

    Hi all

    the ILO is not yet possible to let flex' webservice or httpservice to connect to a
    WebService https secured by a self-signed certificate? There is absolutely no reason
    for me to buy a 'real' certificate just for encryption purposes.
    I installed crossdomain.xml on the target server, the Web service works well when pasting
    the URL in the browser and I have installed the certificate in IE (which I use here), then
    is no error and shows the OWL small lock in the address bar. But Flex refuses to work,
    except for run the application locally (means by clicking on "run" in flex builder).
    I'm using Flex 2.01 so important.

    So, could someone help me? Or Flex so ignorant for self-signed webservices?

    Good bye
    sysFor

    Hi sysfor,

    I am using the appropriate production and development self-signed SSL certificates in & don't test, no problems so far.
    Flex/Flash does not handle the authentication of SSL certificates - this task is delegated to the browser.

    So I suppose you are faced with a different type of problem - your crossdomain.xml is not configured correctly.
    Have you checked the policyfiles.txt log?
    Another point: what you're probably doing is calling a direct URL (https://myhost/path). Instead, you must use a relative path. For example, if your swf file has been downloaded from the server myhost, then it should just make the calls to /path.

    See you soon,
    Dmitri.

  • IdP custom self-signed certificate with error "Exception in law Service..."

    Hi all

    We are trying to use an OAuth 2 identity provider with a self-signed SSL certificate and it seems that this approach is not supported by the system.

    OAuth authentication endpoint is not accessible from the mobile application - Chrome debugger HTTP call tells to the endpoint of the status "cancelled".

    Use of "Desktop Web Viewer" gives the possibility to add exceptions for host security, but at the stage of the passage "code" parameter Manager experience Mobile endpoint [1] forwarding flow always breaks with message 'Exception in the Service during processing of the result from the identity provider' passed as parameter in the call to redirect to the Web Viewer [2].

    Here, I would like to note that the right is turned off for the project.

    I wonder, is the error above caused by unreliable connection? Is it possible to use the custom with self-signed SSL certificate identity provider?

    Thank you for considering my question.

    [1] https://es.publish.adobe.com/oauth2?code=AAAAAAAAAAAAAAAAAAAAAA.9lqAHfrL0wjBCcQ-zGCW2Am6E6 M.AHySE6B2oTLWVfJMDVl5ExOct2vY...

    [2] web Viewer

    Hello

    Self-signed SSL entitlement certificates are not supported. The connection is interrupted by the server because the certificate is not approved.

    Tukker - Klaasjan

  • vRops SSL Certs

    Hello

    So, I've recently rolled out an 8-node vRops environment and finally had the time to ask the internal certification authority for signed SSL certs. I created them, converted them to PEM format, downloaded 1 cert, it looked ok, then did the 2nd node, verified it and it looked ok. I then checked node 1, which pointed out a mistake and said it had the same SSL certificate as the 2nd node.

    Now I need to check that documentation does not seem to say that and not see anything on the web it is clear either.

    Does vROps use the same SSL certificate for each node in an environment?

    If so, I need to create a single SSL certificate with a subjectAltName for each node in the cert request,

    which means that I have put a section like this in my openssl.cnf

    [v3_req]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = vropsnode1.internal.domain
    DNS.2 = vropsnode2.internal.domain
    DNS.3 = vropsnode3.internal.domain
    DNS.4 = vropsnode4.internal.domain
    DNS.5 = vropsnode5.internal.domain
    DNS.6 = vropsnode6.internal.domain
    DNS.7 = vropsnode7.internal.domain
    DNS.8 = vropsnode8.internal.domain
    IP.1 = 192.168.1.1
    IP.2 = 192.168.1.2
    IP.3 = 192.168.1.3
    IP.4 = 192.168.1.4
    IP.5 = 192.168.1.5
    IP.6 = 192.168.1.6
    IP.7 = 192.168.1.7
    IP.8 = 192.168.1.8

    see you soon

    John

    The documentation is really poor in this area, but I got this from VMware: "one certificate will be used by the web server on all nodes, so the certificate must be valid for all nodes.  One way to get there is with multiple subject Alternative Name (SAN) entries".  So it looks like I'm on the right track.

    Which is kind of weird, but works as said: when you look at the self-signed SSL certs, they have different names (vc-ops-slice-1, vc-ops-slice-2, etc.), but then you download an SSL certificate and the same cert is on all nodes.

    Update: I've had an SSL certificate generated with the subjectAltName as in the example above with the full domain name and IPs for each node in the cluster, created the appropriate PEM file and imported it. It works and the certificate is valid on all the nodes; this is the solution.

    Also of note: vRops registers itself to vCenter with the IP address and not the FQDN, so the SSL certificate needs the IP address, but in my case it also causes connectivity issues in browsers because of our proxy settings, so it must be considered whether it is needed...

    • vRealize extension of Operations Manager is saved using the IP address instead of the DNS name
      By default, vRealize Operations Manager saves its extension with vCenter using the IP address of Operations Manager and not the DNS name vRealize. Users who click on open vRealize Operations Manager tab monitor vCenter open a URL based on the Operations Manager IP address vRealize and not the DNS name.
      Workaround: To allow the registration of the name vRealize Operations Manager with the DNS name extension, follow these steps:

      1. On each node of the cluster of Operations Manager vRealize, follow these steps:

        1. Starting the console, open the following file in a text editor.
          $ALIVE_BASE/user/conf/configuration.properties
        2. Add the following line to the properties.
          extensionUseDNS = true
          Note: You can go back to using the IP address by changing the property to false.
        3. Save and close configuration.properties.
      2. Connect to the Operations Manager vRealize management interface and restart the cluster.

    John
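A way to check the single-certificate approach from this thread before importing the PEM file, as an added example that is not part of the original posts. It builds the `[alt_names]` section for the thread's first three node names and IPs, signs the request with a throwaway CA (an assumption; the thread used an internal CA), and confirms every node name and address matches the certificate. It goes one step beyond the thread by also showing that `openssl x509 -req` drops the requested SANs unless `-extfile` is passed.

```shell
#!/bin/sh
# Added example. Node names and addresses are the ones from the thread's
# openssl.cnf; the CA and all keys are throwaway files in a temp directory.

NODES="vropsnode1.internal.domain=192.168.1.1
vropsnode2.internal.domain=192.168.1.2
vropsnode3.internal.domain=192.168.1.3"

# Print each FQDN and IP from "fqdn=ip" pairs, one per line.
names_of() {
    for pair in "$@"; do
        printf '%s\n%s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# Write a request config whose [alt_names] lists every node FQDN and IP.
# $1 = output file, remaining arguments = "fqdn=ip" pairs.
write_san_config() {
    out=$1; shift
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "${1%%=*}"
        printf '[v3_req]\nsubjectAltName = @alt_names\n'
        printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\n'
        printf '[alt_names]\n'
        i=1
        for pair in "$@"; do
            printf 'DNS.%d = %s\nIP.%d = %s\n' \
                "$i" "${pair%%=*}" "$i" "${pair#*=}"
            i=$((i + 1))
        done
    } > "$out"
}

# Create a throwaway CA, a CSR carrying the SAN list, and two certificates:
# node.crt (signed with -extfile) and node-nosan.crt (signed without it).
# $1 = working directory, remaining arguments = "fqdn=ip" pairs.
issue_cluster_cert() {
    dir=$1; shift
    write_san_config "$dir/san.cnf" "$@" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -config "$dir/san.cnf" -extensions v3_ca \
        -subj "/CN=Example Internal CA" -days 1 \
        -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/node.key" \
        -config "$dir/san.cnf" -out "$dir/node.csr" 2>/dev/null || return 1
    # "x509 -req" does not copy extensions from the CSR, so the SAN section
    # is re-applied from the config file at signing time.
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 -sha256 \
        -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/node.crt" 2>/dev/null || return 1
    # Same signing command without -extfile: the SAN list is dropped.
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$dir/node-nosan.crt" 2>/dev/null
}

# Return 0 only if the certificate matches every given name.
# $1 = certificate, remaining arguments = hostnames or IPv4 addresses.
cert_covers() {
    crt=$1; shift
    missing=0
    for name in "$@"; do
        case $name in
            *[!0-9.]*) opt=-checkhost ;;  # contains a non-digit: hostname
            *)         opt=-checkip ;;    # digits and dots only: IPv4
        esac
        if openssl x509 -in "$crt" -noout "$opt" "$name" \
            | grep -q 'does match'; then
            :
        else
            echo "not covered: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

work=$(mktemp -d)
issue_cluster_cert "$work" $NODES
cert_covers "$work/node.crt" $(names_of $NODES) \
    && echo "SAN certificate covers every node name and IP"
cert_covers "$work/node-nosan.crt" $(names_of $NODES) \
    || echo "certificate signed without -extfile does not cover the cluster"
rm -rf "$work"
```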

  • Configure SSL for OUD 4444 port Admin port-> replace the self signed certificates used

    Hi Experts,

    When installing OUD choose Certification self-signed for ports 1636 and 4444.

    Later I change the certificates used by the port of 1636 to a new key file containing the CA certificates. (Track the steps of: https://docs.oracle.com/cd/E52734_01/oud/OUDAG/security_clients_severs.htm#OUDAG00050)

    But same procedure does not have to replace the self signed certificates used by ports 4444!  Everyone is configured SSL (with Cert CA) on the Administration port?

    I couldn't even start the servers, you see an error:


    category = gravity CORE = NOTICE msgID = 458891 msg = the directory server sent a notification to alert generated by the class org.opends.server.core.DirectoryServer (org.opends.server.DirectoryServerShutdown alert type, alert ID 458893): the directory server started the shutdown process.  Stop was launched by an instance of the org.opends.server.core.DirectoryServer class and the reason for the closure was an error occurred trying to start the directory server: NullPointerException (File.java:277 AdministrationConnector.java:843 AdministrationConnector.java:675 AdministrationConnector.java:182 ConnectionHandlerConfigManager.java:356 DirectoryServer.java:2932 DirectoryServer.java:1584 DirectoryServer.java:10108)

    [27/sep / 2015:06:22:53-0400] category = gravity = NOTICE msgID = 458955 msg = the directory server CORE is now stopped


    Sorry, I cannot help here - here are a few possibilities.

    Change connector Administration certificate

    https://docs.Oracle.com/CD/E52668_01/E54669/HTML/ol7-genssc-auth.html

    The failure of the handshake could occur for various reasons:

    • Incompatible encryption suites in use by the client and the server. This would require the customer to use (or allow) a suite of encryption supported by the server.
    • Incompatible versions of SSL in use (the server can only accept TLS v1, while the client is capable of using SSL v3 only).
    • Incomplete trust for the certificate of the server path
    • The certificate is issued to another area.
    • incomplete certificate trust path between the certificate for the server, and a certification authority root.
    • In most cases, this is because the certificate is not present in the trust store

  • WaveMaker 6.5 and vCO 5.1 - default self signed CERT

    This is a little off topic, but I'm curious to know if anyone out there connected WaveMaker 6.5.x (web service) to vCO 5.1 (SOAP or REST) when the vCO is configured using the default self-signed certificates SSL (vanilla vCO 5.1 device).

    I get the following error even after the importation of the "localhost.localdom" of vCO cert in my Java keystore/restart WaveMaker:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Looks like real certs should work or if you have them signed by your own CA, but this isn't the case with the application out-of-the-box vCO.

    Related links:

    http://mighty-virtualization.blogspot.com/2012/09/WaveMaker-handling-SSL-certificates.html?showComment=1351627607456#c2610948026372492253

    http://dev.WaveMaker.com/forums/?q=node/8424

    Hello!

    I think that the host name of the certificate must match the host name you are trying to reach.

    The default certificate localhost.localdom works so that, if you try to connect to vCO with localhost.localdom (it might be useful a quick shot, edit the file hosts on your system wavemaker :-))

    To change the certificate on vCO to match the real hostname of the box of vCO, see here:

    http://www.vcoteam.info/learn-VCO/work-with-VCO-over-SSL.html

    http://EnterpriseAdmins.org/blog/virtualization/VCO-appliance-and-SSL-certificates/

    After changing and removing the old and importing a new keystore in WaveMaker, it should work... Let us know! :-)

    As workaround heavyweights: you can skip using WaveMaker webService tool and create your own JavaService. See an example here: http://blog.mightycare.de/en/2012/06/wavemaker-spring-and-vmware-infrastructure/

    PS: The example uses the old SOAP API of vCO, but you get the feeling (and links to java for the new REST API of https://yourvcoserver:8281/api/docs/downloads.html)

    PPS: It's in German, but you can download the sample project at the end of the article. If you need a discussion translation/more about this, let me know...

    See you soon,

    Joerg

  • SG300-28 import self-signed SHA2 certificate to the SSL Protocol (including the format? How do I?)

    1. What format should a certificate and private key combination have during import for use with SSL?

    2. How do you actually import it - via CLI or web interface?

    I'm trying to import an SSL certificate that is self-signed in the SG300-28 to secure the connection to the web interface of the switch. The certificate is signed by my own 'certification authority' / custom root certificate.

    I tried to do it via the graphical interface of web management (security > SSL server > server SSL authentication) and the command-line via SSH. I will detail my exact process below. I had no problem importing a certificate created in the same way to the Cisco RV320 router, although the web interface is different.

    How to create a certificate that is accepted by the switch?

    (Image Active) firmware version: 1.4.0.88

    My approach:

    1. OpenSSL 1.0.1f January 6, 2014; on an ubuntu 14.04 machine
    2. Create my own, certificate of self-signed root:

     openssl genrsa -out rootCA.key 2048
     openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem

    3. create a private key and the real certificate and sign them using the rootCA.pem:

     openssl genrsa -out switch.key 2048
     openssl req -new -key switch.key -out switch.csr
     openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

    for later use, export the public key of the switch.key - file using

     openssl rsa -in switch.key -pubout > switch.pubkey

    4. open the web interface of the switch and check for the SSL settings (Security > SSL server > server SSL authentication).

    4.1 click "import certificate".

    4.2 paste the contents of the switch.crt file in the ' certificate:'-textbox

    4.3 to import pair of RSA keys

    4.4. Paste the contents of the switch.pubkey file in the public key field

    4.5 by selecting the 'Clear text' radiobutton control and paste the contents of the inside switch.pubkey

    4.6 click 'apply '.

    4.7 receive an error message 'invalid key head '.

    The private key looks like this (oviously, I created a new one for this example):

     -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA3gOvNzKqULXnT7zL9fl4KJAZMo5eYHfwPSN0wl385na37oHz [23 more lines truncated] aB7Pooa60anjIVJmlSIp4WJ8U+52BMKJZ5rqHnJ1sBBo1zpAtcdspg== -----END RSA PRIVATE KEY-----

    I also receive a header invalid key error when you try to import the private via CLI SSH key using:

     switch(config)#crypto key import rsa

    I also converted the certificate and the private in PKCS12 and then back to the PEM key that gives me the following private key "head" which is not always accepted when pasting in the CLI:

     Bag Attributes localKeyID: FE 24 88 34 66 BE E9 DB CE 4E 91 23 2C 0E 03 B1 A7 58 32 24 Key Attributes:  -----BEGIN PRIVATE KEY----- MIIEvgIBA[...] -----END PRIVATE KEY-----

    What key header miss / what am doing wrong in general?

    It seems that the "crypto key import rsa" command is not suitable for importing an SSL-related private key, but rather for importing SSH keys. The "key header is missing" error means that the switch expects something other than "-----BEGIN RSA PRIVATE KEY-----", for example the headers that you can see after the execution of 'view keys cryptographic rsa' ("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----").

    To get your SSL certificate installed, you have two options:

    The CLI option:

    • create a RSA private key with command

     switch(config)#crypto certificate 2 generate key-generate 1024

    • create the certificate request with

     switch#crypto certificate 2 request

    (don't forget to provide all information for this order, including '' cn '' and so on). Note that this command must be executed inside the privileged mode and not in mode configuration as the previous command.

    • After you run this command, you'll get sign certificate request (CSR). Copy and paste it into the new file on the server that hosts your certification authority.
    • now sign this CSR file with the command that you have already used:

     openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

    • After signing to just open the file "switch.crt" and copy all content between BEGIN and END section including.
    • and import this certificate with order

     switch(config)#crypto certificate 2 import

    • and finally for your certificate to be active, do it with the following command:

     switch(config)#ip https certificate 2

    WebGUI option:

    Here, the procedure is similar to the CLI:

    • You must click on "Generate certificate request" in the "Security-> SSL server-> server SSL authentication" section, fill in all necessary data and click on "Generate certificate request."
    • you will get CSR data you need to paste into the server with the certificate of the CA.
    • sign the certificate with the command openssl similar as mentioned previously
    • and import a certificate with maintaining "import RSA Key-Pair" unchecked.

    Personally I've never managed to get imported both key and certificate from the outside.

  • Replace self-signed CERT with CA Cert signed

    I have a vCAC 6.1 environment.  I use the vCAC documentation to replace the self signed CERT CERT.  When I get to this step in the documentation it fails - VCloud Automation Center Library

    Is the below error telling me there is a problem with the wstvcacapp01 cert?  Problem RemoteCertificateNameMismatch?

    C:\Program Files (x86)\VMware\vCAC\Web API\ConfigTool> Vcac-Config.exe DownloadRootCertificates -Pkcs7CertPath "C:\Program Files (x86)\VMware\vCAC\Web API\SSO.p7b" -v

    System.Data.Services.Client.DataServiceQueryException: An error occurred during the processing of this request. -> System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html>

    <html>

    <head>

    <title>certificate is not approved (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OU = CTIW, O = NJVC, L = Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB2326A8EAC</title>

    <meta name="viewport" content="width=device-width" />


    </head>

    <body bgcolor="white">

    <span><H1>Server Error in '/repository' Application.<hr width=100% size=-1 color=silver></H1>

    <h2><i>certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OU = CTIW, O = NJVC, L = Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB2326A8EAC</i></h2></span>

    <font face="Helvetica, Geneva, Arial, SunSans-Regular, sans-serif">

    <b>Description:</b> An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and its origin in the code.

    <br><br>

    <b>Details of Exception:</b> VMware.Cafe.UntrustedCertificateException: certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OU = CTIW, O = NJVC, L = Ofallon, S = HE, C = US fingerprint: 9A80D1EC61170B87C4203DBC8256FDB2326A8EAC<br><br>


    <b>Version information:</b> Microsoft .NET Framework Version: 4.0.30319; ASP.NET Version: 4.0.30319.34237

    </font>

    </body>

    </html>


    WARNING: Zero return Code. The command failed.

    I could be totally wacky, but first thing: the vCAC appliances and identity server must be in PEM format.

    Sounds like the root chain that you import.

    I say the following:

    http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appliance.html

    This will tell you how to create certificates and import them.
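RemoteCertificateNameMismatch is the .NET validation result for a certificate whose subject names do not cover the host name the client connected to. The following added example (not from the thread or from VMware) uses `openssl x509 -checkhost` to test which names a certificate covers; the function names, the short name and the IP address are assumptions, and the certificate is constructed with the CN from the error text.

```bash
# Report which of the names clients use are covered by a certificate (added example).
# cert_covers_host, audit_names and demo_name_check are hypothetical names.

# Succeed when the certificate in PEM file $1 is valid for host name $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# Print one line per candidate name; the return status is the number of mismatches.
audit_names() {  # $1 = certificate, remaining args = names used to reach the server
  _cert=$1; shift; _bad=0
  for _h in "$@"; do
    if cert_covers_host "$_cert" "$_h"; then
      echo "match     $_h"
    else
      echo "MISMATCH  $_h"; _bad=$((_bad + 1))
    fi
  done
  return "$_bad"
}

# Constructed self-signed certificate whose CN mirrors the subject in the error text.
demo_name_check() {
  _d=$(mktemp -d) || return 99
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_d/key.pem" -out "$_d/cert.pem" \
    -subj "/CN=wstvcacapp01.cticore.local" -days 30 2>/dev/null || return 99
  # The FQDN is covered; the short name and the (constructed) IP address are not.
  audit_names "$_d/cert.pem" wstvcacapp01.cticore.local wstvcacapp01 192.0.2.10
  _rc=$?; rm -rf "$_d"; return "$_rc"
}
```

Run `audit_names` against the real server certificate with every URL host name the component configuration uses; any MISMATCH line is a name the certificate needs in its CN or subjectAltName.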
