Self-signed Digital IDs - restrict access to this option?

Similar Questions

• Can I generate self-signed certificates free for Nexus 9 K?

  Hi, I have 22 9Ks Nexus that I just upgraded to 3,0000 I4 so I can use the REST API.

  I use vRealize Orchestrator for automation, and I can't access the REST API on the Orchestrator help link, as certificates are at expiration.

  I can't find much information on this subject for the 9 K, unless the 9Ks are mode of the AIT, in this case I think that TACS are the only people who can generate a certificate.

  Does anyone know otherwise work around this? Otherwise, I'll have to approach a TAC case for 22 certificates generated :-/

  Cheers, Dom

  I'm not familiar with the technology with what you're trying to integrate, but here's a guide on how generate a custom SSC (self-signed Cert) on a device:
  #conf t
  #hostname DEVICE01-NOTE: must not be changed
  #ip - domain test.local

  generate a General key label SSC_KEY module 2048 rsa key #crypto

  #crypto pki trustpoint SSC_LOCAL
  #subject - name, CN = DEVICE, DC = test, DC = local
  #enrollment selfsigned
  # crl revocation checking
  #rsakeypair SSC_KEY 2048

  #crypto ca enroll COMMAND SSC_LOCAL HIDDEN: initiate the creation of SSC

  % Include the serial number of the router in the name of the topic? [Yes/No]: no
  % Include an IP address in the name of the topic? [None]:
  % Generate self signed certificate router? [Yes/No]: Yes

  Router self-signed certificate created successfully

  After this make sure that you do NOT change the host name of the device :)

• Certificate self-signed for remote VPN CLIENT access

  Hi people,

  I am trying to achieve two-factor authentication, first with RADIUS & 2nd with self-signed certificate. If I generated of self-signed certificate & trying to import this certificate but error 39 that occur. Only obstacle that authenticate with certificate. I saw some documents for separate setting certifcate servers (CA) & then to import in the clients but I m curious about a certificate automatically generated can be used to authenticate the remote access client.

  ASA additional server failover mode is Local CA is not supported. Is there a way to support local CA.

  Thank you

  Are you talking about using self-signed client certificates? I guess that it will not work. At least it is not scalable. You must use an internal CA for this task. As the local certification authority cannot be used with failover, you can take a Windows Server 2 k 3 or 2 k 8. Another option is to use a router IOS as CA-server. But what take something else as a second factor? I'm a big fan of the use of smartphones with the www.duosecurity.com service.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• I'm following the steps described in the version beta to build the application of 'Launch' test, but the tool of signed digital app has no ios tab when I go to the for use. Is this a bug or am I missing something?

  I'm following the steps described in the version beta to build the application of 'Launch' test, but the tool of signed digital app has no ios tab when I go to the for use. Is this a bug or am I missing something?

  Note that iOS signature is only available on Mac. If you're on a Windows machine, you won't see the iOS tab.

  Neil

• License restrictions impede access to this address.

  After the CF7 updated to the new DST requirements, we are seeing INTERMITTENT problems with some being not loaded SWF movies.
  
  Flash forms work fine.
  Any indication to examine how would be fabulous.
  
  ColdFusion - err.log shows:
  03/13 15:47:48 Proxy Servlet ERROR: license restrictions prevent xx.xx.xx.xxx access
  03/13 15:47:48 ERROR Proxy Servlet: authorized addresses: [{71.218.19.250} {192.168.1.145} {74.93.23.77} {24.131.24.127} {192.168.1.1}]
  03/13 15:47:48 error Licensing restrictions prevent access to this address.
  java.io.IOException: license restrictions impede access to this address.
  at flex.services.license.AddressRestrictionFilter.invoke(AddressRestrictionFilter.java:28)
  at flex.server.j2ee.cache.CacheFilter.doFilter(CacheFilter.java:165)
  at flex.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:66)
  at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
  at jrun.servlet.FilterChain.service(FilterChain.java:101)
  at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
  at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
  at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
  at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
  at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
  to jrunx.scheduler.ThreadPool$ DownstreamMetrics.invokeRunnable (ThreadPool.java:318)
  to jrunx.scheduler.ThreadPool$ ThreadThrottle.invokeRunnable (ThreadPool.java:426)
  to jrunx.scheduler.ThreadPool$ UpstreamMetrics.invokeRunnable (ThreadPool.java:264)
  at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

  It is not a J2EE installation. It is installed standalone on IIS6.
  Anyway, Jrun is ultimately rejected deploy cfusion on the launch of the service.
  I completely reinstalled the full install of CFMX.

  Thanks anyway.

• I have a Proxy Server that uses a self-signed certificate, and I can't accept this certificate from Firefox

  I have Firefox installed 37.0.1 on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and to check all the option displayed to be wz trust no chance.

  I tried to restart firefox, but it did not help.

  I did the same steps in chrome and it works fine.

  appreciate any help.

  After removing my .mozilla in my home directory. Add the certificate to the list of authorities in fact work.

• Stopped working self-signed certificates

  All a sudden (and not after a Firefox update) 41.0 Firefox stopped accepting SSL certificates self-signed on various websites that it had been accepted for months. I generated certificates myself.

  The link / button to add exceptions and import the certificate has disappeared from the "Untrusted connection" error page

  Things I've tried so far:

  • Import certificates via preferences > advanced > Certificates > view certificates > servers. The imported certificates, but Firefox seems to ignore.
  • Exit Firefox, remove cert8.db in my profile, then restart Firefox
  • Restart Firefox in safe mode
  • Import the certificate in the keychain of the OS (what makes Web sites work on Chrome and Safari)

  Generated certificates are signed "PKCS #1 SHA-256 with RSA encryption", they are not expired and have been generated with

     openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout server.key -out server.crt
  

  In addition to the issue of trust, https://www.ssllabs.com/ssltest/ reported no problems with these certificates, they are fine ("' If trust issues are ignored: has '")

  The only way I can access these sites Web is via a private window: If the certificate has been imported previously (via preferences) private session window accesses Web sites without problem. If the certificate has not been imported, again, I have the option to add a temporary exception and after that is done, it works fine.

  This problem does not appear on another computer, even if the Firefox profile is synchronized between the two.
  The problem does not appear on Firefox 41.0 a colleague (same OS and hardware)
  Certificates signed by a real certification authority are accepted very well.

  UPDATE:

  I have marked this as resolved, but apparently the problem returned once a week, completely randomly.

  The best solution I've found so far is to leave Firefox, delete the following files from my profile, and then restart Firefox:

  • SiteSecurityServiceState.txt
  • cert_override.txt
  • cert8.DB

  Finally, I fixed that by doing a Firefox "Refresh" (under topic: support) and re - sync my profile.

• Error: The application cannot be run your security settings have blocked a self-signed application to run.

  I tried to save a certificate for digital signature on www.incometaxindiaefiling.gov.in.
  When the site was asked to run the applet Java JRE7, which I have allowed.
  But then the small window appears with the following message;

  Application blocked for security reasons
  Cannot run the Application.
  Name: StoreCertificate
  Location: http://incometaxindiaefiling.gov.in
  Reason: Your security settings have blocked a self-signed application to run

                  [  OK  ]       [   More Information...   ]
  

  Hello darshan_3101, this message is not firefox but the java plugin - please refer to the documentation of oracle on the topic: http://www.java.com/en/download/help/appsecuritydialogs.xml

• Firefox 3.6.3 does not have the option 'Add exception' a self-signed certificate

  Hello. Use the website of the company, I have moved to a new server. The new server needed some modifications apparently, and now I get the message CompanyXYZ .net: 987 uses an invalid security certificate. The certificate is not reliable because it is self-signed. The certificate is valid for the moment, on 1 of my 3 computers, I received the I understand the risks and an option to add an Exception. However, on 2 other computers, I simply receive the popup described previously and no option to move forward. Any suggestion would be appreciated. Thank you for your genius.

  URL of affected sites

  private enterprise server

  If you can not add an exception, but get a pop-up with the error message, you can go the pref browser.xul.error_pages.enabled on the topic: config page and make sure that the value is set to true (the default).

  To open the topic: config page, type Subject: config in the address bar (address) and press the Enter key, as you type the url of a Web site to open a Web site.
  If you see a warning then you can confirm that you want to access this page.

• Safari no longer works with SSL self-signed certificates?

  With the last Safari (9.0.3) on OS X (running 10.11.3) and iOS (9.2.1) operating system, I can no longer connect to sites that use self-signed SSL certificates. Previously, I was warned that the site certificate was not "valid", but given the opportunity to continue anyway. This is the behavior I want to come back. It still works fine in Chrome, Firefox. but now just Safari gives me an error "Safari can't open the Page" as it would if it could not reach the server. Specifically, it says "Safari can't open the page https://myselfsignedhost.com because Safari is unable to establish a connection to the server myselfsignedhost.com.

  It does not give me the opportunity to inspect the certificate, add the certificate to my keychain, trust the cert, ignore the warning once or anything else that would be useful... He's just pretending like it can't connect. Am I missing something? How to restore old functionality? This 'bug' makes safari completely useless for me.

  OK, some info... This seems to apply only to SOME sites with self signed SSL CERT... The only obvious thing I can think is that maybe it applies to sites where the SSL certificate when the page was first loaded?

  If I open a new window private, I can access the page without problem. If I open a new standard, I can also open the page, until I quit safari. Once I left, it stops loading with the same error...

  If I manually add the SSL certificate to my keychain as being approved, the page also works... There may be a cache of certificate somewhere that is out of date?

• ASA uses that certificates self-signed after upgrade to 9.4.1

  I came across a strange issue after upgrade to 9.4.1... (from 9.3)

  However I access the ASA (browser, Anyconnect, etc.), it offers only a self-signed certificate even if an appropriate SSL certificate installed.

  I checked:

  SSL-trust VPN_Portal_TP point
  SSL-trust outside VPN_Portal_TP point
  SSL certificate authentication CAF-timeout 5
  interface outside port 443 SSL certificate authentication

  is configured.

  • CA is installed, too.
  • Reinstalled all certififcates.
  • Reassign the Trustpoints

  Any ideas would be greatly appreciated... Thank you!

  I did have time to test this out on my laboratory unit yet, but there's a thread related here.

  I'm not positive on the standard resolution immediately - it will bring close watch.

  Perhaps the first person to prosecute TAC may share the resolution.

• ASA5505 IPSEC only with self-signed certificates

  Hi all

  I have little Cisco training and was assigned to a pilot project. We have cleaning of the ASA from another Department, but I do not have access to support. It is running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we can buy a nice 5520.

  So I scoured the internet for a guide that is easy to do as my title says, but I'm having major trouble. I find a lot of outwardly signed with self-signed SSL VPN or VPN IPSEC with CERT support but I can't only get ASA self-signed IPSEC IKEv2 with certificate authentication. Also, to make it even worse, I have to provide the user with the software, the profile and the certificate in hand. No access to the web or download portal.

  If you know where I can get good installation guide for this type of use please by all means save me here. If this isn't possible, I'm cool with that, let me know.

  Thank you fo any help you can provide

  Jay

  If the ASA uses a certificate issued by a certification authority that is in-store customer trust root CA, then the certificate of identity ASA didn't need to be imported by the customer.

  Which is why it's usually recommend to follow the path of using experienced public CA because they are alreay included in most modern browsers and so the client has no need to know how to import certificates etc.

  If you are using a local certification authority that is not in the store trusted CA of the customer to deliver your ASA certificate or identity certificates on the SAA signing root then you must take additional measures at the level of the customer.

  In the first case, you could import the CA certificate in the store root CA of the client trusted root. After that, all the certificates it has issued (the IE the ASA certificate of identity) would automatically be approved by the customer.

  On the second case, certificate of identity of the SAA is would have installed on the client because it (the ASA) basically as it's own root certification authority. Usually, I install them in the CA store root confidence of my client, but I guess that's technically not necessary, as long as the customer knows to trust this certificate.

• Create a self-signed certificate

  When I use ADM to access my router I always get a message that I have established a connection with "ip address", but the certificate belongs to IOS-self-signed-cert... etc. I generated RSA keys with the address. How to generate a new self-signed certificate that includes the ip address of the router? Thank you.

  self-signed certificate

  You can use the "crypto pki trustpoint name" command on the router to create a self-signed certificate.

  Check this link for configurtion:

  http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a008040adf0.html#wp1069686

• ASA - a Site with self-signed certificates

  Team,

  ASA version 9.1 (3), ASDM 7.1 (4) on 5505.

  I have a pair of Cisco ASA 5505 that I am trying to establish a tunnel. I do everything with PSK. IKEv2 with AES256 IPSec. No problem...

  However, I learned that I can auto-signer certificates and use them to authenticate each firewall to another. I tried for hours... Generating of certs in all combinations and options, and the export of the P12 in the other firewall, by adding in - no problem

  I have self signed CERTS, so there is no CA.

  Then I'll be back in the connection profile and remove the PSK - flip on to RSA - SIG in the IKE Policy.

  Does anyone have this working with the ASA version, I'm running and care apart from your snippets of configuration especially how you created the pair of keys, self-signed one, exported and adding in the adjacent firewall?

  I don't want to use PSK for authentication.

  Help!

  I never used this way without a CA so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: you assigned the ID-Cert cert in the crypto-plan?

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Replace self-signed CERT with CA Cert signed

  I have a vCAC 6.1 environment.  I use the vCAC documentation to replace the self signed CERT CERT.  When I get to this step in the documentation it fails - VCloud Automation Center Library

  Is the below error telling me there is a problem with the wstvcacapp01 cert?  Problem RemoteCertificateNameMismatch?

  C:\Program Files (x 86) \VMware\vCAC\Web API\ConfigTool > Vcac - Config.exe DownloadRootCertificates - Pkcs7CertPath "C:\Program Files (x 86) \VMware\vCAC\Web API\SSO.p7b"-v

  System.Data.Services.Client.DataServiceQueryException: An error occurred during the processing of this request. -> System.Data.Services.Client.DataServiceClientException: <! DOCTYPE html >

  < html >

  < head >

  < title > certificate is not approved (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB2326A8EA

  C < /title >

  < name meta = "viewport" content = "width = device-width" / > "

  < style >

  body {do-family: "Verdana"; police-weight: normal; do-size: .7em; color: black ;}}

  p {do-family: "Verdana"; font-weight: normal; color: black; margin-top:-5px}}

  b {font family: "Verdana"; make-weight: bold; color: black; margin-top:-5px}}

  H1 {do-family: "Verdana"; police-weight: normal; do-size: 18pt; color: Red}

  H2 {do-family: "Verdana"; police-weight: normal; do-size: 14pt; color: Maroon}

  pre {font family: "Consolas", "Lucida Console", Monospace; do-size: 11pt; margin: 0; padding: 0.5em line-height: 14pt}

  . Marker {make-weight: bold; color: black; text-decoration: none ;}}

  .version {color: gray ;}}

  . Error {margin-bottom: 10px ;}}

  . Expandable {text-decoration: underline; make-weight: bold; color: navy; cursor: hand ;}}

  @media screen and (max-width: 639px) {}

  pre {width: 440px; overflow: auto; white-space: pre-wrap; dressing: break-Word ;}}

  }

  @media screen and (max-width: 479px) {}

  pre {width: 280px ;}}

  }

  < / style >

  < / head >

  < body bgcolor = "white" >

  < span > < H1 > server error in ' / repository ' Application. < hr width = 100% size =-1 color = silver > < / H1 >

  < h2 > < i > certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203DBC8256FDB232

  6A8EAC < /i > < / h2 > < / span >

  < police = "Helvetica, Geneva, Arial, SunSans-Regular, without-serif ' > '"

  < b > Description: < /b > an unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and its origin

  in the code.

  < br > < br >

  < b > Details of Exception: < /b > VMware.Cafe.UntrustedCertificateException: certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR = CTIW, O = NJVC, L = Ofal

  LON, S = HE, C = us fingerprint: 9A80D1EC61170B87C4203DBC8256FDB2326A8EAC < br > < br >

  < b > error Source: < /b > < br > < br >

  < table width = 100% bgcolor = "#ffffcc" >

  < b >

  < td >

  < code >

  An unhandled exception is generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception below stack trace.

  < code >

  < table >

  < /tr >

  < /table >

  < br >

  < b > Stack Trace: < /b > < br > < br >

  < table width = 100% bgcolor = "#ffffcc" >

  < b >

  < td >

  < code > < pre >

  [UntrustedCertificateException: certificate is not reliable (RemoteCertificateNameMismatch).] Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203D

  BC8256FDB2326A8EAC]

  System.Net.TlsStream.EndWrite (IAsyncResult asyncResult) + 8277683

  System.Net.ConnectStream.WriteHeadersCallback (IAsyncResult ar) + 213

  [WebException: the underlying connection was closed: an unexpected error occurred on a send.]

  System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) + 8286956

  System.Net.Http.HttpClientHandler.GetResponseCallback (IAsyncResult ar) + 98

  [HttpRequestException: an error occurred when sending the request.]

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; & lt; GetResource & gt; b__0 & gt; d__3.MoveNext () + 601

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; RetryWebRequestWrapper & gt; d__97.MoveNext () + 1144

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; GetResource & gt; d__7'1. MoveNext() + 692

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; CreateSecurityTokenServiceAsync & gt; d__2f. MoveNext() + 366

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; GetHolderOfKeyTokenAsync & gt; d__4.MoveNext () + 321

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; CreateDefaultSecurityContextAsync & gt; d__34.MoveNext () + 306

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; CreateAsync & gt; d__1d'1. MoveNext() + 397

  System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (Task task) + 144

  System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (Task task) + 84

  VMware.Cafe. & lt; CreateAsync & gt; d__1a'1. MoveNext() + 330

  [AggregateException: one or more errors occurred.]

  System.Threading.Tasks.Task'1.GetResultCore (Boolean waitCompletionNotification) + 5863512

  DynamicOps.Repository.Runtime.SecurityModel.CafeSecurityProvider... ctor (SecurityModelContext CurrentContext) + 172

  DynamicOps.Repository.Runtime.SecurityModel.SecurityModelContext... ctor (String ConnectionString) + 202

  DynamicOps.Repository.Runtime.Common.RepositoryRuntime.Initialize () + 812

  [HttpException (0x80004005): one or more errors occurred.]

  System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode (HttpContext context, HttpApplication app) + 12639357

  System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS (appContext, HttpContext context, MethodInfo [managers] IntPtr) 175

  System.Web.HttpApplication.InitSpecial (HttpApplicationState State, MethodInfo [managers], IntPtr appContext, HttpContext context) + 304

  System.Web.HttpApplicationFactory.GetSpecialApplicationInstance (IntPtr appContext, HttpContext context) + 404

  System.Web.Hosting.PipelineRuntime.InitializeApplication (IntPtr appContext) + 475

  [HttpException (0x80004005): one or more errors occurred.]

  System.Web.HttpRuntime.FirstRequestInit (HttpContext context) + 12656404

  System.Web.HttpRuntime.EnsureFirstRequestInit (HttpContext context) + 159

  System.Web.HttpRuntime.ProcessRequestNotificationPrivate (IIS7WorkerRequest wr, HttpContext context) + 12496021

  < / pre > < / code >

  < table >

  < /tr >

  < /table >

  < br >

  < hr width = 100% size = 1 = silver color >

  < b > Version information: < /b > Microsoft .NET Framework Version: 4.0.30319; ASP.NET Version: 4.0.30319.34237

  < / make >

  < / body >

  < / html >

  <!--

  [UntrustedCertificateException]: certificate is not reliable (RemoteCertificateNameMismatch). Subject: CN = wstvcacapp01.cticore.local, OR is CTIW, O = NJVC, L is Ofallon, S = HE, C = US footprint digital: 9A80D1EC61170B87C4203

  DBC8256FDB2326A8EAC

  at System.Net.TlsStream.EndWrite (IAsyncResult asyncResult)

  at System.Net.ConnectStream.WriteHeadersCallback (IAsyncResult ar)

  [WebException]: the underlying connection was closed: an unexpected error occurred on a send.

  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)

  at System.Net.Http.HttpClientHandler.GetResponseCallback (IAsyncResult ar)

  [HttpRequestException]: an error occurred when sending the request.

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  to VMware.Cafe.JsonRestClient. <>c__DisplayClass1 1. < < GetResource > b__0 > d__3.MoveNext)

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  at d__97.MoveNext (VMware.Cafe.JsonRestClient). < RetryWebRequestWrapper >

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  to VMware.Cafe.JsonRestClient. < GetResource > d__7'1. MoveNext()

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  to VMware.Cafe.ComponentRegistryClientFactory. < CreateSecurityTokenServiceAsync > d__2f. MoveNext()

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  at d__4.MoveNext (VMware.Cafe.ComponentRegistryClientFactory). < GetHolderOfKeyTokenAsync >

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  at d__34.MoveNext (VMware.Cafe.ComponentRegistryClientFactory). < CreateDefaultSecurityContextAsync >

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  to d__1d'1. MoveNext() VMware.Cafe.ComponentRegistryClientFactory. < CreateAsync >

  -End of the stack trace from the old location where the exception was thrown-

  to System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (task task)

  to System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (task task)

  to d__1a'1. MoveNext() VMware.Cafe.ComponentRegistryClientFactory. < CreateAsync >

  [AggregateException]: one or more errors occurred.

  to System.Threading.Tasks.Task'1.GetResultCore (Boolean waitCompletionNotification)

  to DynamicOps.Repository.Runtime.SecurityModel.CafeSecurityProvider... ctor (SecurityModelContext currentContext)

  to DynamicOps.Repository.Runtime.SecurityModel.SecurityModelContext... ctor (String connectionString)

  at DynamicOps.Repository.Runtime.Common.RepositoryRuntime.Initialize)

  [HttpException]: one or more errors occurred.

  at System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode (HttpContext context, HttpApplication app)

  at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS (IntPtr appContext, HttpContext context, managers of MethodInfo [])

  to System.Web.HttpApplication.InitSpecial (HttpApplicationState State, MethodInfo [managers], IntPtr appContext, HttpContext context)

  at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance (IntPtr appContext, HttpContext context)

  at System.Web.Hosting.PipelineRuntime.InitializeApplication (IntPtr appContext)

  [HttpException]: one or more errors occurred.

  to System.Web.HttpRuntime.FirstRequestInit (HttpContext context)

  at System.Web.HttpRuntime.EnsureFirstRequestInit (HttpContext context)

  at System.Web.HttpRuntime.ProcessRequestNotificationPrivate (HttpContext context, IIS7WorkerRequest wr)

  ->

  at System.Data.Services.Client.QueryResult.ExecuteQuery)

  to System.Data.Services.Client.DataServiceRequest.Execute [TElement] (DataServiceContext, QueryComponents queryComponents context)

  -End of the exception stack trace internal-

  to System.Data.Services.Client.DataServiceRequest.Execute [TElement] (DataServiceContext, QueryComponents queryComponents context)

  to System.Data.Services.Client.DataServiceQuery'1.Execute)

  to System.Data.Services.Client.DataServiceQuery'1.GetEnumerator)

  to System.Linq.Enumerable.FirstOrDefault [TSource] (IEnumerable 1 source)

  at System.Data.Services.Client.DataServiceQueryProvider.ReturnSingleton [](Expression expression) TElement

  to System.Linq.Queryable.FirstOrDefault [TSource] (IQueryable 1 source)

  at DynamicOps.Repository.CafeClientAbstractFactory.LoadComponentRegistryUri)

  to System.Lazy'1.CreateValue)

  to System.Lazy'1.LazyInitValue)

  at DynamicOps.Repository.CafeClientAbstractFactory.get_CafeUri)

  at VMware.Cafe.ComponentRegistryClientFactory.ctor (ICafeServiceClientFactoryFactory abstractFactory)

  at DynamicOps.Repository.CafeClientAbstractFactory.CreateClientFactory)

  to System.Lazy'1.CreateValue)

  to System.Lazy'1.LazyInitValue)

  at VMware.Cafe.Client.Registration.DownloadRootCertificates (String rootEncryptionCertPath, String rootSigningCertPath, String pkcs7Path)

  to VMware.VcacConfig.ComponentRegistryCommands.DownloadRootCertificates.Execute (CommandLineParser Analyzer)

  WARNING: Zero return Code. The command failed.

  I could be totally wacky, but the first thing vcac devices and server identity must be in pem format.

  Sounds the root string that you import.

  I say the following:

  http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appliance.html

  This will tell you how to create certificates and import them.