CertPathValidatorException when extra cert is present

    When I access the https url of companyA.com, the web site sends 2 certs

    one for companyA.com
    and another for companyB.com

Both the certs are valid and signed by CAs whose certs are present in Java's cacerts store.

I am testing with a Java 1.5 app using Apache Commons httpclient and I get the following exception

    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed

    Is the cert path validation failing because of the presence of the extra cert for companyB.com?

    Is there any option to ignore the unrelated certs sent by the website?

Or is the only way to get cert validation to work in this case to have companyA.com not send the cert for companyB.com?

    Thanks,
    Dave
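As an added example (not part of Dave's post or of any answer to it), here is a small Python model of the two ways a validator can treat the list of certificates a server sends: checking it strictly in the order sent, which is the behaviour the "subject/issuer name chaining check failed" message in the question points at, versus treating the list as a pool and building a path from the leaf to a trust anchor, which simply never consults an unrelated certificate. The company and CA names are constructed, and only subject/issuer name chaining is modelled; a real validator also verifies every signature, validity period and constraint.

```python
"""Strict in-order chain check versus path building over an unordered bundle.

Added example, not from the thread.  Certificates are modelled by name only:
each Cert carries a subject and an issuer.  Only the subject/issuer name-chaining
step is modelled; signatures, validity periods and constraints are not checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


class ChainError(Exception):
    """Raised when no trusted path can be established."""


def strict_order_check(sent_chain, trust_anchors):
    """Validate the chain exactly as the server sent it.

    cert[i] must be issued by cert[i+1] and the last cert must chain to a trust
    anchor.  An unrelated extra certificate anywhere in the list breaks the
    name-chaining check, which is the failure mode the question describes.
    """
    for i in range(len(sent_chain) - 1):
        if sent_chain[i].issuer != sent_chain[i + 1].subject:
            raise ChainError(
                "subject/issuer name chaining check failed: "
                f"{sent_chain[i].subject!r} is issued by {sent_chain[i].issuer!r}, "
                f"but the next cert in the list is {sent_chain[i + 1].subject!r}")
    if sent_chain[-1].issuer not in trust_anchors:
        raise ChainError(f"no trust anchor for {sent_chain[-1].issuer!r}")
    return list(sent_chain)


def build_path(leaf, bundle, trust_anchors):
    """Build a path from the leaf to a trust anchor, treating the bundle as a pool.

    Certificates not on the path (such as a cert for another host) are never
    consulted.  The 'seen' set stops a malformed bundle from looping forever.
    """
    by_subject = {c.subject: c for c in bundle}
    path, seen = [leaf], {leaf.subject}
    while path[-1].issuer not in trust_anchors:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:
            raise ChainError(f"no trusted path: cannot find issuer {path[-1].issuer!r}")
        path.append(nxt)
        seen.add(nxt.subject)
    return path


# Constructed sample mirroring the question: companyA.com's chain plus an
# unrelated companyB.com certificate, with both roots trusted (as if in cacerts).
TRUST_ANCHORS = {"CN=Root CA A", "CN=Root CA B"}
COMPANY_A = Cert("CN=companyA.com", "CN=Intermediate CA A")
INTERMEDIATE_A = Cert("CN=Intermediate CA A", "CN=Root CA A")
COMPANY_B = Cert("CN=companyB.com", "CN=Root CA B")
AS_SENT = [COMPANY_A, COMPANY_B, INTERMEDIATE_A]   # order as the server sent it


def demo():
    """Return (strict check outcome, subjects on the built path) for the sample."""
    try:
        strict_order_check(AS_SENT, TRUST_ANCHORS)
        strict = "ok"
    except ChainError as err:
        strict = str(err)
    built = [c.subject for c in build_path(AS_SENT[0], AS_SENT, TRUST_ANCHORS)]
    return strict, built


if __name__ == "__main__":
    strict, built = demo()
    print("strict in-order check:", strict)
    print("path builder:", " -> ".join(built))
```

Run stand-alone, the strict check fails exactly where companyB.com interrupts companyA.com's chain, while the path builder returns companyA.com followed by its intermediate and never touches the companyB.com certificate.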

Thread: java.security.cert.CertPathValidatorException

    I am getting the following error while trying to update the update list: java.security.cert.CertPathValidatorException: timestamp check failed

From what I can tell the SSL certificate on Novell.com expired earlier today, can anyone confirm this?

Thread: java.security.cert.CertPathValidatorException

Flushing just the DNS cache didn't work (nscd), I had to restart ZENworks itself before it would pick up on the change.

    Thanks for the pointers :-)

Problem configuring OCSP for AnyConnect clients

Hi forum,

I have done all the configuration for Cisco AnyConnect using certificates and revocation check using CRL. I am successful on this. Now the problem is I want to configure OCSP for revocation. I am stuck here: I am not able to successfully check the revocation, even though the configuration is just 3 lines.

    crypto ca trustpoint ABC_SUBCA_TRUSTPOINT

    revocation-check ocsp

    enrollment terminal

    ocsp disable-nonce

    ocsp url http://ocsp.abc.local/ocsp

================ when the client tries to log in using AnyConnect I receive the following debug messages ===================

    CRYPTO_PKI: Sorted chain size is: 1

    CRYPTO_PKI: Found ID cert. serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2

    CRYPTO_PKI: Verifying certificate with serial number: 4123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="c=ab,o=localcompany,ou=localcompany Section,cn=sub-ca" serial number=123456789

    CRYPTO_PKI: Verify cert is polling for revocation status.

    CRYPTO_PKI: Starting OCSP revocation

    CRYPTO_PKI: no responder matching this URL; create one!

    CRYPTO_PKI: http connection opened%ASA-3-717032: OCSP status check failed. Reason: OCSP Responder cert validation failed.

    %ASA-3-717032: OCSP status check failed. Reason: Failed to verify OCSP response.

    %ASA-3-717027: Certificate chain failed validation. Revocation status check polling failed for certificate, serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2.

    CRYPTO_PKI: OCSP response received successfully.

    CRYPTO_PKI: OCSP found in-band certificate: serial number: 12345678988E3, subject name: c=ab,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca

    CRYPTO_PKI: OCSP found in-band certificate: serial number: 1234567890B6D, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=sub-ca, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn= Root CA

    CRYPTO_PKI: OCSP found in-band certificate: serial number: 123456789FE02, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA

    CRYPTO_PKI: OCSP responderID byKeyHash

    CRYPTO_PKI: OCSP response contains 1 cert singleResponses responseData sequence.

    Found response for request certificate!

    CRYPTO_PKI: Verifying OCSP response with 3 certs in the responder chain

    CRYPTO_PKI: Validating OCSP response using trusted CA cert: serial number: 123456789DBC24, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA

    CRYPTO_PKI: Searching for ResponderID cert by keyhash

    CRYPTO_PKI: Validating OCSP responder certificate: serial number: 12345678988E3, subject name: c=abc,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA , signature alg: SHA1/RSA

    CRYPTO_PKI: verifyResponseSig:3111

    CRYPTO_PKI: OCSP Responder cert validation failed -1

    CRYPTO_PKI: Failed to verify response - invalid status being returned -1

    CRYPTO_PKI: failed to verify OCSP response - -1

    CRYPTO_PKI: transaction GetOCSP completed

    CRYPTO_PKI: Process next cert in chain entered with status: 7.

    CRYPTO_PKI: Process next cert, Invalid or CRL get failed.status: 7

    CRYPTO_PKI: Calling callback with chain validation status: 7.

Problem configuring OCSP for AnyConnect clients


    Hello John,

    It looks like ASA is trying to check CRL for your OCSP responder certificate.

    Are you sure you have the correct extension in your OCSP responder certificate:

    OCSP no revocation checking

That extension will tell ASA not to check the revocation list for your OCSP responder certificate

(without that we are trying to eat our own tail).

That extension is attached automatically if you have used the template "OCSP Response Signing" (when generating the cert on a Microsoft OCSP responder).

Also please make sure that the OCSP responder cert is trusted by ASA (signed by the CA which is installed on ASA).

    Example can be found in this article:

    http://www.cisco.com/en/US/products/ps12726/products_configuration_example09186a0080c1ea59.shtml
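To verify the two points above on a concrete responder certificate, here is an added example (not from the thread, and not Cisco or Microsoft tooling) in pure Python with no third-party dependencies: a minimal DER walker that pulls the extensions out of an X.509 certificate and reports whether id-pkix-ocsp-nocheck (OID 1.3.6.1.5.5.7.48.1.5, defined in RFC 6960; shown by Windows as "OCSP No Revocation Checking") and the OCSPSigning extended key usage (OID 1.3.6.1.5.5.7.3.9) are present. The certificate skeleton it builds for the demonstration is constructed and unsigned; on a real responder certificate you would pass the DER bytes of the file instead, and whether the cert is trusted by the ASA is a separate check this code does not make.

```python
"""Check an OCSP responder certificate for id-pkix-ocsp-nocheck and the OCSPSigning EKU.

Added example, not from the thread: a minimal DER walker using only the Python
standard library.  It parses only what it needs (SEQUENCE, OID, OCTET STRING,
context tags) and does not verify signatures or trust.
"""

OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"   # id-pkix-ocsp-nocheck (RFC 6960)
OID_EXT_KEY_USAGE = "2.5.29.37"             # id-ce-extKeyUsage
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"      # id-kp-OCSPSigning
OID_SHA256_RSA = "1.2.840.113549.1.1.11"    # sha256WithRSAEncryption (sample only)


def encode_oid(dotted):
    """Dotted OID string -> DER content bytes (first two arcs packed into one byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """DER OID content bytes -> dotted string (first byte < 80: arcs 0.x, 1.x, 2.0-2.39)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each element inside a constructed type."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def certificate_extensions(cert_der):
    """Map extnID -> extnValue content for a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm, signature }
    tbsCertificate carries its extensions as [3] EXPLICIT Extensions (tag 0xA3).
    """
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(cert_body)
    for tag, inner in children(tbs_body):
        if tag != 0xA3:
            continue
        _, ext_seq, _ = read_tlv(inner)            # unwrap SEQUENCE OF Extension
        result = {}
        for _, ext in children(ext_seq):
            parts = list(children(ext))            # extnID, [critical], extnValue
            result[decode_oid(parts[0][1])] = parts[-1][1]
        return result
    return {}


def eku_purposes(extn_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (inside the OCTET STRING)."""
    _, seq, _ = read_tlv(extn_value)
    return [decode_oid(content) for _, content in children(seq)]


def check_ocsp_responder_cert(cert_der):
    """Report the two properties the answer asks about on the responder certificate."""
    exts = certificate_extensions(cert_der)
    purposes = eku_purposes(exts[OID_EXT_KEY_USAGE]) if OID_EXT_KEY_USAGE in exts else []
    return {"ocsp_signing_eku": OID_OCSP_SIGNING in purposes,
            "ocsp_nocheck": OID_OCSP_NOCHECK in exts}


def build_sample_cert(with_nocheck):
    """Constructed, UNSIGNED certificate skeleton carrying just the extensions under test."""
    eku = tlv(0x30, tlv(0x06, encode_oid(OID_EXT_KEY_USAGE))
              + tlv(0x04, tlv(0x30, tlv(0x06, encode_oid(OID_OCSP_SIGNING)))))
    exts = [eku]
    if with_nocheck:                                # extnValue of nocheck is ASN.1 NULL
        exts.append(tlv(0x30, tlv(0x06, encode_oid(OID_OCSP_NOCHECK)) + tlv(0x04, tlv(0x05, b""))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))            # [0] version v3
                    + tlv(0x02, b"\x01")                      # serialNumber 1
                    + tlv(0xA3, tlv(0x30, b"".join(exts))))   # [3] Extensions
    sig_alg = tlv(0x30, tlv(0x06, encode_oid(OID_SHA256_RSA)) + tlv(0x05, b""))
    signature = tlv(0x03, b"\x00" * 5)                        # placeholder BIT STRING, not a real signature
    return tlv(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    for flag in (True, False):
        label = "with nocheck" if flag else "without nocheck"
        print(label, check_ocsp_responder_cert(build_sample_cert(flag)))
```

For a real certificate, `check_ocsp_responder_cert(open("responder.der", "rb").read())` gives the same two booleans; a responder cert that reports `ocsp_nocheck: False` is one the ASA will try to revocation-check, which is the loop the answer describes.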

How to revoke SSL certificate if CA service is not starting with message: Could not build a certificate chain for CA certificate 5 for mydomain CA. The signature of the certificate can not be verified. 0x80096004 (-2146869244).

Greetings!
There is a 2003 server with the CA service installed.
The root cert is about to expire and is not going to update automatically, so I've tried to do it manually.
I have generated a request on my CA server, copied it to the root carrier machine (a 2003 server, not in the local domain but with the CA service tuned for my domain; it holds the main root cert), issued this request, and copied the issued cert back to the CA machine.
When I apply it, the CA service goes down with the next two error messages:

    Could not build a certificate chain for CA certificate 5 for mydomain CA. The signature of the certificate can not be verified. 0x80096004 (-2146869244).

    Certificate Services did not start: Could not load or verify the current CA certificate. mydomain CA The signature of the certificate can not be verified. 0x80096004 (-2146869244).

After trying some steps, I found the certutil command and began to experiment with it. This is what I have found:

C:\CAConfig>certutil -store
    ================ Certificate 0 ================
    Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
    Issuer: CN=Root Agency
    Subject: CN=Root Agency
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
    No key provider information
    No stored keyset property
    ================ Certificate 1 ================
    Serial Number: 61505f7c00030000000d
    Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
    Subject: CN=mydomain CA, DC=mydomain, DC=ru
    CA Version: V5.0
    Certificate Template Name: SubCA
    Non-root Certificate
    Template: SubCA, Subordinate Certification Authority
    Cert Hash(sha1): dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
    Key Container = mydomain CA
    Provider = Microsoft Strong Cryptographic Provider
    Signature test passed
    ================ Certificate 2 ================
    Serial Number: 236c971e2bc60d0bf97460def108c3c3
Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, Inc., O=VeriSign Trust Network
    Non-root Certificate
    Cert Hash(sha1): 8b 24 cd 8d 8b 58 c6 da 72 ac e0 97 c7 b1 e3 ce a4 dc 3d c6
    No key provider information
    No stored keyset property
    ================ Certificate 3 ================
    Serial Number: 52c820137c85a7edf217ce82c8451673
Issuer: OU=Class 2 Public Primary Certification Authority, O=VeriSign, Inc., C=US
Subject: CN=VeriSign Class 2 CA - Individual Subscriber, OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O=VeriSign, Inc.
    Non-root Certificate
    Cert Hash(sha1): 7b 02 31 2b ac c5 9e c3 88 fe ae 12 fd 27 7f 6a 9f b4 fa c1
    No key provider information
    No stored keyset property
    ================ Certificate 4 ================
    Serial Number: 61079602000000000007
    Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
    Subject: CN=mydomain CA, DC=mydomain, DC=ru
    CA Version: V4.0
    Certificate Template Name: SubCA
    Non-root Certificate
    Template: SubCA, Subordinate Certification Authority
    Cert Hash(sha1): 3c f2 9f c9 5d b5 05 b1 27 4c 54 3b d4 bd 82 f5 61 6a 62 3d
    No key provider information
    Signature test passed
    ================ Certificate 5 ================
    Serial Number: 0d8b4feeaad2185bf4756a9d29e17ffb
Issuer: OU=Class 1 Public Primary Certification Authority, O=VeriSign, Inc., C=US
Subject: CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU=there_was_verisign_addressIncorp. By Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O=VeriSign, Inc.
    Non-root Certificate
    Cert Hash(sha1): 12 51 9a e9 cd 77 7a 56 01 84 f1 fb d5 42 15 22 2e 95 e7 1f
    No key provider information
    No stored keyset property
    ================ Certificate 6 ================
    Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
    Non-root Certificate
    Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
    No key provider information
    No stored keyset property
    ================ CRL 0 ================
    Issuer:
    OU=VeriSign Commercial Software Publishers CA
    O=VeriSign, Inc.
    L=Internet
    CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab
    ================ CRL 1 ================
    Issuer:
    CN=mydomain CA
    DC=mydomain
    DC=ru
    CA Version: V4.0
    CRL Number: CRL Number=1681
    Delta CRL Indicator: Minimum Base CRL Number=1677
    CRL Hash(sha1): a1 b9 a7 98 fe fa 30 86 2f 09 7d d9 2a b5 ed 1a 6b 40 b7 81
    ================ CRL 2 ================
    Issuer:
    CN=mydomain CA
    DC=mydomain
    DC=ru
    CA Version: V4.0
    CRL Number: CRL Number=1677
    CRL Hash(sha1): 18 d2 11 01 68 b6 32 b1 6b 2a 24 75 56 ea 56 a0 27 69 07 5a
    CertUtil: -store command completed successfully.

    ************************************************************************************************************************

C:\CAConfig>certutil -TCAinfo
    ================================================================
    CA Name: mydomain CA
    Machine Name: ca.mydomain.ru
DS Location: CN=mydomain CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=ru
    Cert DN: CN=mydomain CA, DC=mydomain, DC=ru
    CA Expiration (Years): 1
    Connecting to ca.mydomain.ru\mydomain CA ...
    Server could not be reached: Server execution failed 0x80080005 (-2146959355)

    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=4 dwErrorStatus=1000048
    Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
    Subject: CN=mydomain CA, DC=mydomain, DC=ru
    Serial: 61505f7c00030000000d
    Template: SubCA
    dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
    Subject: CN=mydomain CA Root, DC=mydomain, DC=ru
    Serial: 71bb096f0958139c43d5cd6e049c57ed
    be 83 f9 0e 95 f9 bb 99 65 35 96 62 a9 99 19 18 21 90 64 63
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
    Full chain:
    7d b0 cc de b7 19 5d 65 62 5f fc 30 2c 72 0d b7 32 66 03 3c
    Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
    Subject: CN=mydomain CA, DC=mydomain, DC=ru
    Serial: 61505f7c00030000000d
    Template: SubCA
    dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
    The signature of the certificate can not be verified. 0x80096004 (-2146869244)
    ------------------------------------
    Supported Certificate Templates:
    Cert Type[0]: IPSECIntermediateOffline (IPSec (Offline request))
    Cert Type[1]: Computer(Non-Domain) (Computer (Non-Domain))
    Cert Type[2]: WebServer(mydomain) (Web Server (mydomain))
    Cert Type[3]: CodeSigning(mydomain) (Code Signing (mydomain))
    Cert Type[4]: DirectoryEmailReplication (Directory Email Replication)
    Cert Type[5]: DomainControllerAuthentication (Domain Controller Authentication)
    Cert Type[6]: EFSRecovery (EFS Recovery Agent)
    Cert Type[7]: EFS (Basic EFS)
    Cert Type[8]: DomainController (Domain Controller)
    Cert Type[9]: Machine (Computer)
    Cert Type[10]: User (User)
    Cert Type[11]: SubCA (Subordinate Certification Authority)
    Validated Cert Types: 12
    ================================================================
    ca.mydomain.ru\mydomain CA:
    The signature of the certificate can not be verified. 0x80096004 (-2146869244)
    OFFLINE
    CertUtil: -TCAInfo command completed successfully.

How to revoke SSL certificate if CA service is not starting with message: Could not build a certificate chain for CA certificate 5 for mydomain CA. The signature of the certificate can not be verified. 0x80096004 (-2146869244).

I've managed this.
I just exported the Root cert and CRL from the offline root CA server as was said by Brian Komar in
the "Revocation server - offline" topic.
Thanks to him and cheers =)

Need help with VPN remote access certificates

Hello, I'm trying to use my router as a remote access VPN with certificates, but still no luck. I have implemented Windows 2003 as CA; I have issued CA identity certificates on my VPN client and it enrolled successfully. Also, I enrolled the CA identity cert on my router and it enrolled successfully. But when I try to connect based on the certificate on the client, it doesn't work and it says that the router "didn't respond" ??!!!!

On the router logs, I have:

Jul 11 20:28:54.051: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: CA request failed!
Jul 11 20:28:55.175: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: certificate invalid
Jul 11 20:30:08.163: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Couple of days with no luck!

===============
I will paste the config of my router:
===============

!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local
aaa authorization network DRVIRUS local
aaa authorization network VPN_CLIENT_GROUP local
aaa authorization network AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name cisco900.com
ip host win2008 xx.79.13
ip host win2003 xx.79.16
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
 Default PPTP VPDN group
 accept-dialin
  pr
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1296895960
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1296895960
 revocation-check none
 rsakeypair TP-self-signed-1296895960
!
crypto pki trustpoint win2003
 enrollment mode ra
 enrollment url http://win2003:80/certsrv/mscep/mscep.dll
 serial-number
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1296895960
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323936 38393539 3630301E 170D3134 30323032 30333437
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393638
  39353936 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C287 3A3D8545 48E04187 0A64C08E F215DA6E 77B897D9 7B4C051D B99F53BF
  9907D29E 4879A60A 84D0D659 78236289 55B0526B EC4412CD E47F6F1E A242BE25
  04A38A6C 42E8B9CF 825B12CC CA51DB11 CAEF652B FE055213 AB25ED4E 17E52FE1
  837B1C73 4C893BA2 16F479D1 E5581987 B112D596 1F6222E4 2C70EBAE F0966EBB
  864D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14D3CA37 2B7C53C7 BD65854C C54BA199 19EB09D4 3E301D06
  03551D0E 04160414 D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E 300D0609
  2A864886 F70D0101 05050003 8181008D A055CFCB 6D14F998 339A54FD A987E1DE
  8EDC8DCF 4BBA24B8 BA5FC21A E7B05CF0 BE559325 9F25E08D BC16C5F9 A0B7C103
  DA687526 ECB1571C D6F9948D 7960F06C 20E89702 1686EBBA 377B2169 80D8867B
  E12B370B 419B9F6B B73F3B3F B4D1B390 3ACB15A9 763CAEFE 8041B24A AD2247E1
  C3C4D905 C6C3AE0F 3F6D7D36 3CBC8A
  quit
crypto pki certificate chain win2003
 certificate 111C4AA0000000000011
  308203CF 308202B7 A0030201 02020A11 1C4AA000 00000000 11300D06 092A8648
  86F70D01 01050500 300F310D 300B0603 55040313 04636572 74301E17 0D313430
  37313131 35343930
365A170D 31353037 31313135 35393036 5A303C31 14301206  03550405 130B4643 5A313633 32433556 38312430 2206092A 864886F7 0D010902  13156369 73636F39 30302E63 6973636F 3930302E 636F6D30 819F300D 06092A86  4886F70D 01010105 0003818D 00308189 02818100 8455B1EF DDC5DF88 E4D5091B  92C63762 34CFCCAD D736376D 8FA4F9C4 F5C05FE3 750F623F 6FFA4CF7 D9960432  931EB086 C3B100BB 74C90D18 5CAEF069 2DE72234 EE911C1A 5C15498D 3F8D988B  D6CFB73D 882D4635 91E5D540 C4FA62E3 E7559D69 C49023C9 DEB27927 A7433171  BE7B7D69 CEB5741D 573B26AD 27026B1C 85AF835F 02030100 01A38201 82308201  7E300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 1414BD1F 2A27D537  FC92C81C C1919772 DB15AE19 09301F06 03551D23 04183016 80145EFB 7EDC6795  00CEAD58 F96E3E82 B119A2F9 4DEB3053 0603551D 1F044C30 4A3048A0 46A04486  1F687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 2E63726C  86216669 6C653A2F 2F5C5C63 6572745C 43657274 456E726F 6C6C5C63 6572742E  63726C30 7406082B 06010505 07010104 68306630 3006082B 06010505 07300286  24687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 5F636572  742E6372 74303206 082B0601 05050730 02862666 696C653A 2F2F5C5C 63657274  5C436572 74456E72 6F6C6C5C 63657274 5F636572 742E6372 74302306 03551D11  0101FF04 19301782 15636973 636F3930 302E6369 73636F39 30302E63 6F6D303F  06092B06 01040182 37140204 321E3000 49005000 53004500 43004900 6E007400  65007200 6D006500 64006900 61007400 65004F00 66006600 6C006900 6E006530  0D06092A 864886F7 0D010105 05000382 01010050 F13B1BC4 DA3143D7 91B58BD1  8490EF35 CEF8F080 37E6D62D A3F3474C 138EC2D6 19D94817 EDCDE4F4 7C638AC9  51956038 984189CB 9F0EBAF9 FECF0434 0028F534 65F2EBC2 9BDCE952 71A14979  4609D958 14C7ADC4 5340DDBD 784A8F12 A71FEA74 CC6CC6B2 5C1C673E 0903206C  1B7AB2B3 CFF053D0 4F70D0C0 527A9C52 C68CED94 0404B65A BA79A6FD 4F09B9A2  BA18E88F 6723429A 260DE77A 2E7F3386 889B7250 0289159A 17EFD6BC 551F38AF  DA92C48A 4D9662ED 341A547D 0C86629A F411CA62 B2652349 26B910AC E6DE412C  90AE2D7F F64425AF 5ADD7B43 B9E0D364 D0BC3789 
  1B652C43 803F2799 1F1026CA
  646E8F0F DDBC8D61 60AC3055 D42EA85D DA6F96
  quit
 certificate ca 4DB8E7F344319392444ADC1DFF12209B
  30820350 30820238 A0030201 0202104D B8E7F344 31939244 4ADC1DFF 12209B30
  0D06092A 864886F7 0D010105 0500300F 310D300B 06035504 03130463 65727430
  1E170D31 34303731 31313034 3431305A 170D3139 30373131 31303531 32395A30
  0F310D30 0B060355 04031304 63657274 30820122 300D0609 2A864886 F70D0101
  01050003 82010F00 3082010A 02820101 00A31734 F2C925EE 25015A31 9A1EA353
  9DBABA4E EB7B839E 5170F810 5AF9FE8D 132FE955 C0E7B500 4DE48838 D0A583D4
  7D9480E9 95C27430 1733F968 B2E0C31F 5EC77B63 6213C9EA 9856ED90 66910420
  41857EE5 9342EF7A DB06DF97 FC1821CA 0CE8EADD 1CAC81AF BEBEE09D 7274D819
  8C4DF21D 1A632DD3 08EA5489 5A9C1187 9DBD61EA 5C4BE321 8EDCBA80 A1B4AF91
  B4AA0A40 C5A49129 E87AC560 F7046608 9830EDF8 C80502EB 3D80C0DD 7BB1A9A9
  0E59EBB4 94960D38 4611851B 7C50F738 7C118F5A 9ECAE17F 98BFC4AC BF9C8180
  A86976C5 16E1BBE3 2E23DCC5 8BBD0F4B EA7C7CE7 C692D87C 167CA3E3 9A5F723B
  F65A827F 1FC45DB9 9991FA63 5693D6DD F5020301 0001A381 A73081A4 300B0603
  551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  0E041604 145EFB7E DC679500 CEAD58F9 6E3E82B1 19A2F94D EB305306 03551D1F
  044C304A 3048A046 A044861F 68747470 3A2F2F63 6572742F 43657274 456E726F
  6C6C2F63 6572742E 63726C86 2166696C 653A2F2F 5C5C6365 72745C43 65727445
  6E726F6C 6C5C6365 72742E63 726C3010 06092B06 01040182 37150104 03020100
  300D0609 2A864886 F70D0101 05050003 82010100 8FB13DDF 32D56714 2A2D97FF
  59F8F46D FD4BFE5C 455D6BEB 96629987 EB4CB503 63ED6ED6 5CE149D5 0B04B19A
  8F34BD38 89B69FC7 87C1B672 8A376E9F DDC126E1 F77DB8B3 C39634C1 902D374D
  FA067950 D3EDD29B B530AF53 35CF1FF5 99CF5FA1 2A7D9901 7ACF5561 475D839C
  0832C548 30338250 225B6736 02F897A7 C7FF9B99 3BD7AA7A B52E5080 0E6B4184
  D1A08ACC 07FAB699 DBB9F972 668152D8 A6631039 5ACFBED6 EA05E454 B5932A86
  EE190F5D E6AF4B43 C3FBBFD3 5285F177 02885940 869D772F 9C075DD4 2BB37152
  A356B586 3C55EE79 9817F642 C4794AB2 4CBD08A0
  B8541E3D D8390107 3B2D153E
  0465AABC 08B97A3F 13D42DF7 17C1B05B 4759F3F7
  quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1632C5V8
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username xxx privilege 0 password 7 xxx
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5
!
crypto isakmp client configuration group EZ_VPN_CLIENT
 dns 8.8.8.8
 domain abc.com
 pool EZVPN_POOL
 pfs
 max-logins 5
 netmask 255.255.255.0
 banner ^Cheyyyyyyyyyyyyyyyyy^C
crypto isakmp profile EZVPN_PROFILE
   self-identity fqdn
   ca trust-point win2003
   match identity group EZ_VPN_CLIENT
   isakmp authorization list AUTH
   client configuration address respond
!
!
crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac
!
!
crypto dynamic-map EZVPN_MAP 10
 set security-association lifetime seconds 28800
 set transform-set ESP_AES_256_SHA
 set pfs group2
 set isakmp-profile EZVPN_PROFILE
 reverse-route
!
!
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address zzzz 255.255.255.0
 ip pim dense-mode
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN_MAP
!
!
ip local pool PPTP 10.11.12.1 10.11.12.100
ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
ip local pool EZVPN_POOL 172.16.100.32 172.16.100.63
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended EZVPN_ST_ACL
 permit ip 172.16.32.0 0.0.0.255 any
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!
!
cisco900#

=============================
Here is some verification on my certificates on the router:

cisco900#
cisco900#
cisco900#sho crypto pki certificates verbose

Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 111C4AA0000000000011
  Certificate Usage: General Purpose
  Issuer:
    cn=cert
  Subject:
    Name: cisco900.cisco900.com
    Serial Number: FCZ1632C5V8
    hostname=cisco900.cisco900.com
    serialNumber=FCZ1632C5V8
  CRL Distribution Points:
    http://cert/CertEnroll/cert.crl
  Validity Date:
    start date: 15:49:06 UTC Jul 11 2014
    end   date: 15:59:06 UTC Jul 11 2015
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 46027481 691F481C D2FAA9CB 468D075E
  Fingerprint SHA1: 38F97C00 689F56FA D3619AD1 55450A5F 771875FE
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 14BD1F2A 27D537FC 92C81CC1 919772DB 15AE1909
    X509v3 Subject Alternative Name:
      cisco900.cisco900.com
    X509v3 Authority Key ID: 5EFB7EDC 679500CE AD58F96E 3E82B119 A2F94DEB
    Authority Info Access:
  Associated Trustpoints: win2003
  Storage: nvram:cert#11.cer
  Key Label: cisco900.cisco900.com
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 4DB8E7F344319392444ADC1DFF12209B
  Certificate Usage: Signature
  Issuer:
    cn=cert
  Subject:
    cn=cert
  CRL Distribution Points:
    http://cert/CertEnroll/cert.crl
  Validity Date:
    start date: 10:44:10 UTC Jul 11 2014
    end   date: 10:51:29 UTC Jul 11 2019
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: CDDDE878 90927F76 657B3ADF E1CB5B0D
  Fingerprint SHA1: D9925BC2 5D19FBB2 25E78B25 E4A85E82 FC29A02E
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 5EFB7EDC 679500CE AD58F96E 3E82B119 A2F94DEB
    X509v3 Basic Constraints:
      CA: TRUE
    Authority Info Access:
  Associated Trustpoints: win2003
  Storage: nvram:cert#209BCA.cer

Router Self-Signed Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-1296895960
  Subject:
    Name: IOS-Self-Signed-Certificate-1296895960
    cn=IOS-Self-Signed-Certificate-1296895960
  Validity Date:
    start date: 03:47:43 UTC Feb 2 2014
    end   date: 00:00:00 UTC Jan 1 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: C4A5FA8A F94892D0 B786D359 804B996F
  Fingerprint SHA1: 8745F674 0C73D562 35F771D9 CB976840 A43698E5
  X509v3 extensions:
    X509v3 Subject Key ID: D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E
    X509v3 Basic Constraints:
      CA: TRUE
    X509v3 Authority Key ID: D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E
    Authority Info Access:
  Associated Trustpoints: TP-self-signed-1296895960
  Storage: nvram:IOS-Self-Sig#2.cer

Certificate
  Subject:
    Name: cisco900.cisco900.com
  Status: Pending
  Key Usage: General Purpose
  Certificate Request Fingerprint MD5: 00000000 00000000 00000000 00000000
  Certificate Request Fingerprint SHA1: 00000000 00000000 00000000 00000000 00000000
  Associated Trustpoint: win2003

cisco900#
cisco900#
cisco900#
cisco900#
cisco900#sho crypto key mypubkey rsa
% Key pair was generated at: 03:47:43 UTC Feb 2 2014
Key name: TP-self-signed-1296895960
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C2873A
  3D854548 E041870A 64C08EF2 15DA6E77 B897D97B 4C051DB9 9F53BF99 07D29E48
  79A60A84 D0D65978 23628955 B0526BEC 4412CDE4 7F6F1EA2 42BE2504 A38A6C42
  E8B9CF82 5B12CCCA 51DB11CA EF652BFE 055213AB 25ED4E17 E52FE183 7B1C734C
  893BA216 F479D1E5 581987B1 12D5961F 6222E42C 70EBAEF0 966EBB86 4D020301 0001
% Key pair was generated at: 20:18:15 UTC Jul 6 2014
Key name: key-set-1
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D0EDBE
  1BB275A4 7800C7C7 FD064DE3 7599D016 C3C828B2 BBC97431 3B749009 77852E9D
  3B055386 A1CE06AA 384EC3C2 F11430FA 2E3A9701 EFC63A5D 5AB53FEA 21231A15
  AA84EF20 F2312BEB 00EAF7DA 6D8D6082 4888CD79 8BEA2502 E45D6455 B3C76F2C
  CDE83DEA 783F35F0 9D7D9D93 52BDCF32 0DEFF52A D2817BA8 6DDC9B2B 9D020301 0001
% Key pair was generated at: 14:38:33 UTC Jul 11 2014
Key name: cisco900.cisco900.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008455B1
  EFDDC5DF 88E4D509 1B92C637 6234CFCC ADD73637 6D8FA4F9 C4F5C05F E3750F62
  3F6FFA4C F7D99604 32931EB0 86C3B100 BB74C90D 185CAEF0 692DE722 34EE911C
  1A5C1549 8D3F8D98 8BD6CFB7 3D882D46 3591E5D5 40C4FA62 E3E7559D 69C49023
  C9DEB279 27A74331 71BE7B7D 69CEB574 1D573B26 AD27026B 1C85AF83 5F020301 0001
% Key pair was generated at: 19:56:29 UTC Jul 11 2014
Key name: TP-self-signed-1296895960.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00EB3AD7 13D30788
  3A4FC63C 960DE5DE 65A137BC FB533042 936E0F8E 8E869A74 F346DC92 732F08E5
  E7AA58B8 F6D6184F FEF739CC 574EB98B E4BFA828 BED54D2B F22F203D 1370BCCF
  44E4C22D 6BE6F9A0 A3AB49D6 009F85F4 B4A3464F E8C7BD96 01020301 0001
cisco900#

===========================
Is there anything wrong on the router?? Any suggestion, any help??!!!

Need help with VPN remote access certificates

Here is my running:


!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local
aaa authorization network DRVIRUS local
aaa authorization network VPN_CLIENT_GROUP local
aaa authorization network AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name cbt.com
ip host cert xx.79.16
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
v
!
!
crypto pki trustpoint win2003
 revocation-check crl
!
crypto pki trustpoint cert
 enrollment mode ra
 serial-number
 revocation-check crl
!
crypto pki trustpoint now
 enrollment mode ra
 enrollment url http://cert:80/certsrv/mscep/mscep.dll
 revocation-check crl
 rsakeypair now
!
!
crypto pki certificate chain win2003
crypto pki certificate chain cert
crypto pki certificate chain now
 certificate 1ABDB172000000000019
  308203A9 30820291 A0030201 02020A1A BDB17200 00000000 19300D06 092A8648
  86F70D01 01050500 300F310D 300B0603 55040313 04636572 74301E17 0D313430
  37313331 32343431 335A170D 31353037 31333132 35343133 5A301E31 1C301A06
  092A8648 86F70D01 0902130D 696E7465 6C2E6362 742E636F 6D30819F 300D0609
  2A864886 F70D0101 01050003 818D0030 81890281 8100B710 2F4F5622 A17327D9
  6425BE52 778C5D5A 0194F2BF A6FC8B94 5D91D620 A29A94FD 88EF18CC 77C9AA1F
  060B507C A6A47D3A FDB9B9E7 453B8DDB E2A8705B A2370483 BCE2FB24 38D577B4
  7710E095 AFF8CB17 091A93B8 C7BDD952 9C6E25A7 4A6C9D29 10C3F352 6987AE21
  9982FCE6 7004B85C 127FA41F 8F71B757 3348D716 2F1F0203 010001A3 82017A30
  82017630 0B060355 1D0F0404 030205A0 301D0603 551D0E04 16041474 19D6349E
  AE67E461 E2A1BFE3 E7E69BD7 513D8930 1F060355 1D230418 30168014 5EFB7EDC
  679500CE AD58F96E 3E82B119 A2F94DEB 30530603 551D1F04 4C304A30 48A046A0
  44861F68 7474703A 2F2F6365 72742F43 65727445 6E726F6C 6C2F6365 72742E63
  726C8621 66696C65 3A2F2F5C 5C636572 745C4365 7274456E 726F6C6C
5C636572   742E6372 6C307406 082B0601 05050701 01046830 66303006 082B0601 05050730   02862468 7474703A 2F2F6365 72742F43 65727445 6E726F6C 6C2F6365 72745F63   6572742E 63727430 3206082B 06010505 07300286 2666696C 653A2F2F 5C5C6365   72745C43 65727445 6E726F6C 6C5C6365 72745F63 6572742E 63727430 1B060355   1D110101 FF041130 0F820D69 6E74656C 2E636274 2E636F6D 303F0609 2B060104   01823714 0204321E 30004900 50005300 45004300 49006E00 74006500 72006D00   65006400 69006100 74006500 4F006600 66006C00 69006E00 65300D06 092A8648   86F70D01 01050500 03820101 009836A4 BE3212BF 20FBA518 70BEDAC0 CC3651AC   24072368 4FAB81FB A70CE272 5EF7B8C5 B5053727 05A23445 BB61F5BA 8995B3A5   D4A26148 7EE514BE 861269B9 6F03E959 0D947CE0 AA3FF5E6 9D732EF8 B0B3A542   B1B3F7B2 0FB06E22 711431D1 EFAD3A2E 37658A9A 14C750C4 D5E95CFD 97569AB7   7790390B A64E9C68 C4478019 E19228A7 1C6E22B6 73EA3AAA 9F6C4792 3F5498EB   5A0DFB17 0008729D 69488204 99B5BAE2 D392F60B A618A003 A4E1CB42 35FC8A9C   9CB60FAC 00D830D5 5D1697AE 1B91095F 3C92030B 89D4577E 8AD00095 4AB40674   5FE09AB4 E607DD66 5798A12B 2EEC94BF 0A3F56D1 D810D371 14E105FF 07E1CBFE   45D8EF6E 9266DA5D 95536AB2 2C        quit certificate ca 4DB8E7F344319392444ADC1DFF12209B  30820350 30820238 A0030201 0202104D B8E7F344 31939244 4ADC1DFF 12209B30   0D06092A 864886F7 0D010105 0500300F 310D300B 06035504 03130463 65727430   1E170D31 34303731 31313034 3431305A 170D3139 30373131 31303531 32395A30   0F310D30 0B060355 04031304 63657274 30820122 300D0609 2A864886 F70D0101   01050003 82010F00 3082010A 02820101 00A31734 F2C925EE 25015A31 9A1EA353   9DBABA4E EB7B839E 5170F810 5AF9FE8D 132FE955 C0E7B500 4DE48838 D0A583D4   7D9480E9 95C27430 1733F968 B2E0C31F 5EC77B63 6213C9EA 9856ED90 66910420   41857EE5 9342EF7A DB06DF97 FC1821CA 0CE8EADD 1CAC81AF BEBEE09D 7274D819   8C4DF21D 1A632DD3 08EA5489 5A9C1187 9DBD61EA 5C4BE321 8EDCBA80 A1B4AF91   B4AA0A40 C5A49129 E87AC560 F7046608 9830EDF8 C80502EB 3D80C0DD 7BB1A9A9   0E59EBB4 94960D38 4611851B 7C50F738 7C118F5A 
9ECAE17F 98BFC4AC BF9C8180   A86976C5 16E1BBE3 2E23DCC5 8BBD0F4B EA7C7CE7 C692D87C 167CA3E3 9A5F723B   F65A827F 1FC45DB9 9991FA63 5693D6DD F5020301 0001A381 A73081A4 300B0603   551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D   0E041604 145EFB7E DC679500 CEAD58F9 6E3E82B1 19A2F94D EB305306 03551D1F   044C304A 3048A046 A044861F 68747470 3A2F2F63 6572742F 43657274 456E726F   6C6C2F63 6572742E 63726C86 2166696C 653A2F2F 5C5C6365 72745C43 65727445   6E726F6C 6C5C6365 72742E63 726C3010 06092B06 01040182 37150104 03020100   300D0609 2A864886 F70D0101 05050003 82010100 8FB13DDF 32D56714 2A2D97FF   59F8F46D FD4BFE5C 455D6BEB 96629987 EB4CB503 63ED6ED6 5CE149D5 0B04B19A   8F34BD38 89B69FC7 87C1B672 8A376E9F DDC126E1 F77DB8B3 C39634C1 902D374D   FA067950 D3EDD29B B530AF53 35CF1FF5 99CF5FA1 2A7D9901 7ACF5561 475D839C   0832C548 30338250 225B6736 02F897A7 C7FF9B99 3BD7AA7A B52E5080 0E6B4184   D1A08ACC 07FAB699 DBB9F972 668152D8 A6631039 5ACFBED6 EA05E454 B5932A86   EE190F5D E6AF4B43 C3FBBFD3 5285F177 02885940 869D772F 9C075DD4 2BB37152   A356B586 3C55EE79 9817F642 C4794AB2 4CBD08A0 B8541E3D D8390107 3B2D153E   0465AABC 08B97A3F 13D42DF7 17C1B05B 4759F3F7        quitvoice-card 0!         !!         !!         !!         !!redundancy!!         !!         ! !         crypto isakmp policy 10 encr aes 256 group 2crypto isakmp keepalive 10 3crypto isakmp xauth timeout 5          !crypto isakmp client configuration group EZ_VPN_CLIENT dns 172.16.32.40 domain abc.com pool EZVPN_POOL acl EZVPN_ST_ACL pfs max-logins 5 netmask 255.255.255.0 banner ^Cddddddddddddddddddddddd           ^Ccrypto isakmp profile EZVPN_PROFILE   self-identity fqdn   ca trust-point now   match identity group EZ_VPN_CLIENT   isakmp authorization list AUTH   client configuration address respond!         !crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac !!         
crypto dynamic-map EZVPN_MAP 10 set security-association lifetime seconds 28800 set transform-set ESP_AES_256_SHA  set pfs group2 set isakmp-profile EZVPN_PROFILE reverse-route!!         !crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP !!         !

    !nterface GigabitEthernet0/0 ip address 85.252.xxx 255.255.255.0 crypto map VPN_MAP

  • RELEVANCY SCORE 2.65

    DB:2.65:How Use Privatekey In Usbkey With Mscapi Provider? fx


    I wrote some code under JDK 6 to show the certificates in the Windows-MY store, and used a certificate whose common name is "3year" and whose private key is in a USB key. I can show the certificate OK, but I cannot get the private key.

    code:

    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;
    import javax.crypto.Cipher;

    // Windows-MY is the current user's personal certificate store, accessed through the CSP
    KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
    ks.load(null, null);
    Enumeration<String> as1 = ks.aliases();
    while (as1.hasMoreElements()) {
        String ss = as1.nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(ss);
        System.out.println("SN =" + cert.getSerialNumber().toString(16));
        System.out.println("Issuer =" + cert.getIssuerDN().toString());
        System.out.println("subject=" + cert.getSubjectDN().toString());
        System.out.println("-------------------------------------------");
    }
    // SunMSCAPI ignores the password argument; the CSP prompts for the token PIN itself
    PrivateKey pk = (PrivateKey) ks.getKey("3year", "11111111".toCharArray());
    Cipher c2 = Cipher.getInstance("RSA/ECB/PKCS1Padding", "SunMSCAPI");
    System.out.println(pk);
    c2.init(Cipher.DECRYPT_MODE, pk);
    // d1: the RSA ciphertext to decrypt, produced elsewhere (not shown in the post)
    c2.update(d1);
    byte[] d2 = c2.doFinal();
    //System.out.println(new String(d2));

    It prints that the private key is null, but why?
    When I use PrivateKey pk = (PrivateKey)ks.getKey("3year", null), it also prints that the private key is null.

    DB:2.65:How Use Privatekey In Usbkey With Mscapi Provider? fx

    ghstark wrote:
    windshome wrote:
    ..., but cannot get the private key.
    That is true and by design.

    I agree with this BUT I thought there was more to it. It was my understanding that, although one can't get the private key as a key usable by any provider, one is given a token that can be used by the SunMSCAPI provider in place of the private key. Therefore I don't understand why the OP gets 'null'.
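    An added example, not code from the thread, that shows the check a caller should make before assuming a Windows-MY alias carries a usable key: it lists which aliases the CSP exposes a private-key handle for, then signs through SunMSCAPI and verifies with the certificate's public key in the default provider, which demonstrates that the opaque handle is usable only by the SunMSCAPI engines and that the key material itself is never readable from Java. It assumes Windows, a JDK 8 or later that ships SunMSCAPI, and that the token's CSP is installed; the alias "3year" is taken from the post and is only a default for the command-line argument.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class MscapiKeyCheck {

    // Open the current user's personal store through the SunMSCAPI provider.
    // Assumes Windows and a JDK that ships SunMSCAPI.
    static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null); // no file and no password: the OS store is the backing store
        return ks;
    }

    // List each alias and whether the CSP exposes a private-key handle for it.
    // A certificate-only entry is the usual reason getKey() returns null.
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-20s keyEntry=%-5s subject=%s%n",
                    alias, ks.isKeyEntry(alias), cert.getSubjectX500Principal());
        }
    }

    // Sign inside the CSP and verify with the public key outside it. The PrivateKey
    // that SunMSCAPI returns is only a handle: getEncoded() yields null and the
    // object is accepted only by SunMSCAPI engines.
    static boolean signAndVerify(KeyStore ks, String alias, byte[] data) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + ": no private key handle (certificate-only entry)");
            return false;
        }
        // The password argument is ignored by SunMSCAPI; the CSP prompts for the PIN.
        PrivateKey handle = (PrivateKey) ks.getKey(alias, null);
        if (handle == null) {
            System.out.println(alias + ": CSP returned no key handle");
            return false;
        }
        System.out.println("handle class=" + handle.getClass().getName()
                + " encodedKeyAvailable=" + (handle.getEncoded() != null));

        Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        signer.initSign(handle);
        signer.update(data);
        byte[] sig = signer.sign();

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature verifier = Signature.getInstance("SHA256withRSA"); // default provider
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "3year"; // alias from the post
        KeyStore ks = openWindowsMy();
        listEntries(ks);
        // constructed sample input
        byte[] data = "constructed test message".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature verifies: " + signAndVerify(ks, alias, data));
    }
}
```

    If the alias is listed with keyEntry=false, the store holds the certificate but the CSP has not associated a private key with it, and no password or provider setting will change what getKey() returns; the association has to be fixed on the Windows side (certutil -repairstore or re-importing the token's certificate through its middleware).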

  • RELEVANCY SCORE 2.64

    DB:2.64:Outlook Anywhere Issue dm


    I have Exchange 2003 and Exchange 2007 coexisting with migrated test e-mail
    addresses on the Ex07 box. I have OWA working well (no certificate issues)
    and I HAD activesync working well also. When I went to get Outlook Anywhere
    going I made a mistake in renewing the certificate via IIS and knocked out
    ActiveSync. Now I can't get AS or OA to work.

    I have OA enabled with NTLM authentication and port 443 open on my firewall.
    My server name is mail.xyz.com and here are my certs setup:

    Thumbprint Services Subject
    ---------- -------- -------
    E6C0BD5855D6F1D35367D872A1C4E449C185C28E SIPUW CN=mail
    8707C9BFA6DD72D51D1A0579A2CA400A61A1FF11 ...U. CN=mail.xyz.com

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail, mail.xyz.com, autodiscover.xyz.com, exchange.xyz.com, webmail.xyz.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=cert, DC=xyz, DC=com
    NotAfter : 2/26/2009 11:14:28 PM
    NotBefore : 2/27/2007 11:14:28 PM
    PublicKeySize : 2048
    SerialNumber : 2A3F020700000000002A
    Status : Valid
    Subject : CN=mail
    Thumbprint : E6C0BD5855D6F1D35367D872A1C4E449C185C28E

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.xyz.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=cert, DC=xyz, DC=com
    NotAfter : 2/20/2008 2:55:26 PM
    NotBefore : 2/20/2007 2:55:26 PM
    PublicKeySize : 1024
    SerialNumber : 14695F81000000000020
    Status : Valid
    Subject : CN=mail.xyz.com
    Thumbprint : 8707C9BFA6DD72D51D1A0579A2CA400A61A1FF11

    By the way, I have the default web site directing to /owa so that
    https://mail.xyz.com will work (this probably isn't a good way of doing this
    right?). I have tried turning this off to see if that is blocking RPC but it
    doesn't help.

    I have tried outlook /rpcdiag and it just sits there trying to connect. I
    get a bunch of referral, directory type connections.

    rpcping is giving me Exception 1722 (0x000006BA) for
    rpcping -t ncacn_http -s mail.xyz.com -o RpcProxy=mail.xyz.com -P
    "peterzog,xyz,PASSWORD" -H 1 -u 10 -a connect -F 3

    I tried this with basic and NTLM. Outlook does pop up with a user name and
    password one time for basic and repeatedly for NTLM.

  • RELEVANCY SCORE 2.59

    DB:2.59:1042ap Not Joining Wlc5508 s1



    Brand new 1042 APs are not joining the WLC with this error: "RADIUS authorization is pending for the AP". The RADIUS server is set up on Server 08.

    Additionally, I cannot find the SSC key hash in the WLC for any APs. It's simply missing. Thoughts??

    cscoDefaultIdCert
    *Sep 26 10:15:16.770: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Sep 26 10:15:16.936: sshpmGetIssuerHandles: locking ca cert table
    *Sep 26 10:15:16.936: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Sep 26 10:15:16.936: sshpmGetIssuerHandles: calling x509_decode()
    *Sep 26 10:15:16.941: sshpmGetIssuerHandles: subject C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1140-30e4db8271a1, MAILTO=support@cisco.com
    *Sep 26 10:15:16.941: sshpmGetIssuerHandles: issuer  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Sep 26 10:15:16.941: sshpmGetIssuerHandles: Mac Address in subject is 30:e4:db:82:71:a1
    *Sep 26 10:15:16.941: sshpmGetIssuerHandles: Cert Name in subject is C1140-30e4db8271a1
    *Sep 26 10:15:16.941: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Sep 26 10:15:16.941: sshpmGetCID: called to evaluate cscoDefaultMfgCaCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 0, CA cert bsnOldDefaultCaCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 1, CA cert bsnDefaultRootCaCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 2, CA cert bsnDefaultCaCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 3, CA cert bsnDefaultBuildCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 4, CA cert cscoDefaultNewRootCaCert
    *Sep 26 10:15:16.941: sshpmGetCID: comparing to row 5, CA cert cscoDefaultMfgCaCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: called to get cert for CID 23941ba2
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 0, certname bsnOldDefaultCaCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 1, certname bsnDefaultRootCaCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 2, certname bsnDefaultCaCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 3, certname bsnDefaultBuildCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 4, certname cscoDefaultNewRootCaCert
    *Sep 26 10:15:16.941: sshpmGetCertFromCID: comparing to row 5, certname cscoDefaultMfgCaCert
    *Sep 26 10:15:16.941: ssphmUserCertVerify: calling x509_decode()
    *Sep 26 10:15:16.952: ssphmUserCertVerify: user cert verfied using cscoDefaultMgCaCert
    *Sep 26 10:15:16.952: sshpmGetIssuerHandles: ValidityString (current): 2011/09/26/15:15:16
    *Sep 26 10:15:16.952: sshpmGetIssuerHandles: ValidityString (NotBefore): 2011/06/23/07:20:50
    *Sep 26 10:15:16.952: sshpmGetIssuerHandles: ValidityString (NotAfter): 2021/06/23/07:30:50
    *Sep 26 10:15:16.952: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Sep 26 10:15:16.952: sshpmGetCID: called to evaluate cscoDefaultIdCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 0, CA cert bsnOldDefaultCaCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 1, CA cert bsnDefaultRootCaCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 2, CA cert bsnDefaultCaCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 3, CA cert bsnDefaultBuildCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 4, CA cert cscoDefaultNewRootCaCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 5, CA cert cscoDefaultMfgCaCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 0, ID cert bsnOldDefaultIdCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 1, ID cert bsnDefaultIdCert
    *Sep 26 10:15:16.952: sshpmGetCID: comparing to row 2, ID cert cscoDefaultIdCer
    *Sep 26 10:15:16.954: sshpmFreePublicKeyHandle: called with 0x1c9d5da4
    *Sep 26 10:15:16.954: sshpmFreePublicKeyHandle: freeing public key

    DB:2.59:1042ap Not Joining Wlc5508 s1


    If the management IP VLAN is different from the VLAN of the access switch port the AP is connected to, try connecting the AP to one of the management VLAN ports on the switch; once it gets registered, put it back in whichever VLAN you are trying to use.

  • RELEVANCY SCORE 2.59

    DB:2.59:Application Throws Error In Adfs Authentication 37


    Dear All,
    My application is using ADFS authentication. It was working until 14-Nov-2011 (IST) and stopped working on the morning of 15-Nov-2011. I get the error below.
    Error thrown:
    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.:ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Points to be noted:
    1. No change in the application after 31-Oct-2011.
    2. No change in the configuration file after 31-Oct-2011.

    DB:2.59:Application Throws Error In Adfs Authentication 37

    Maybe your signing certificate in ADFS was rolled over on that date. That would mean that the new signing cert is not considered trusted anymore.

    Dominick Baier | thinktecture | http://www.leastprivilege.com

  • RELEVANCY SCORE 2.58

    DB:2.58:Issuer Issue From Sap Sso Ticket 8m



    Hello,

    I have an issue with the SAP Security library.

    I'm trying to validate an SSO ticket. It seems the SAP Security library cannot find the certificate because of a whitespace issue.

    Indeed, the issuer of my certificate is "OU=J2EE, CN=TEST" and the issuer from the SSO ticket seems to be "OU=J2EE,CN=TEST".

    For the issuer from the SSO ticket I'm not really sure, because the SAP Security library doesn't provide a method to extract the issuer field.

    In fact, I'm using the same ticket and library in the Production environment.

    And I'm trying to reproduce the ticket validation in Java.

    My questions are:

    - Can we force the issuer value to use on the SAP Security library side?
    - Is this issue a known bug? If yes, which SAP Security library version should I use?
    - Is there a workaround?

    ===== Ticket.toString() =====
    Ticket Version = 2
    Ticket Codepage = 1100 (Encoding=ISO8859_1)
    User = Z99999990742
    Issuing System ID = TEST
    Issuing System Client = 000
    Creation Time = 201307230729
    Valid Time = 8 h 0 min
    Valid from Tue Jul 23 09:29:00 CEST 2013 until Tue Jul 23 17:29:00 CEST 2013
    Signature (length=261 bytes)
    InfoUnit 32, length=19
    InfoUnit 136, length=19
    InfoUnit 10, length=12

    ===== Some Test =====
    com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE, CN=TEST", BigInteger.ZERO); -- Found
    com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE,CN=TEST", BigInteger.ZERO); -- Didn't find

    ====== Certificate.toString() ======
    [
    Version: V1
    Subject: OU=J2EE, CN=TEST
    Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
    Key: Sun DSA Public Key
    Parameters:DSA
    p: X
    q: X
    g: X
    y: X
    Validity: [From: Fri Mar 23 14:54:28 CET 2007,
    To: Tue Mar 23 14:54:28 CET 2027]
    Issuer: OU=J2EE, CN=TEST
    SerialNumber: [ 00]
    ]

    ====== Certificate Importation ======
    keytool -import -alias certificate -file TEST_000.crt -keypass password -keystore storekey.jks -storepass password
    Propriétaire : OU=J2EE, CN=TEST
    Émetteur : OU=J2EE, CN=TEST
    Numéro de série : 0
    Valide du : Mon Sep 24 11:12:42 CEST 2007 au : Fri Sep 24 11:12:42 CEST 2027
    Empreintes du certificat :
    MD5: X
    SHA1 : X
    SHA256 : X
    Nom de l'algorithme de signature : SHA1withDSA
    Version : 1
    Faire confiance à ce certificat ? [non] : oui
    Certificat ajouté au fichier de clés

    ===== Error raised =====
    Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=TEST", S/N=0) not found.
    at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)
    at org.eurocopter.sap.security.impl.SAPTicketValidation.verifyTicket(SAPTicketValidation.java:231)

    ==== Java version ======
    java version "1.7.0_25"
    Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
    Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)

    ==== SAP Security version ======
    environment: com.sap.security.api
    Implementation-Vendor-Id: sap.com
    Implementation-Version: 7.0107.20120601132146.0000
    environment: com.sap.security.core
    Implementation-Vendor-Id: sap.com
    Implementation-Version: 7.0107.20120601132146.0000

    DB:2.58:Issuer Issue From Sap Sso Ticket 8m


    Hi Joris,

    please create a support ticket and provide more details about the versions and history.

    Thanx,

    Frane
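    An added example, not from the thread and not part of the SAP Security library, showing why the two issuer strings in the post differ as Java strings yet name the same X.500 distinguished name, and how to match a certificate by issuer and serial structurally instead of by string comparison. "OU=J2EE, CN=TEST" is the RFC 1779 rendering that getIssuerDN().toString() produces; "OU=J2EE,CN=TEST" is the RFC 2253 rendering that X500Principal.getName() produces. The findCertificate helper below is mine, not SAP's Ticket.findCertificates, and whether the SAP library itself can be told which form to use is not something this example can answer.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.security.auth.x500.X500Principal;

public class IssuerDnMatch {

    // RFC 1779 rendering: RDNs separated by ", " (what getIssuerDN().toString() prints).
    static String rfc1779(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC1779);
    }

    // RFC 2253 rendering: RDNs separated by "," with no space (what getName() prints).
    static String rfc2253(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC2253);
    }

    // Structural comparison: X500Principal.equals() compares canonical forms
    // (case-folded, insignificant whitespace removed), so the spacing difference
    // between two renderings of the same name does not matter.
    static boolean sameDn(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    // Hypothetical lookup helper (my own, not SAP's Ticket.findCertificates): select the
    // signer certificate by issuer DN and serial number without comparing DN strings.
    static X509Certificate findCertificate(Collection<X509Certificate> certs,
                                           String issuerDn, BigInteger serial) {
        X500Principal wanted = new X500Principal(issuerDn);
        for (X509Certificate c : certs) {
            if (c.getIssuerX500Principal().equals(wanted)
                    && c.getSerialNumber().equals(serial)) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String fromCert = "OU=J2EE, CN=TEST";   // Issuer as printed by Certificate.toString()
        String fromTicket = "OU=J2EE,CN=TEST";  // Issuer as shown in the SignatureException
        System.out.println("String.equals     : " + fromCert.equals(fromTicket));
        System.out.println("RFC 1779 rendering: " + rfc1779(fromTicket));
        System.out.println("RFC 2253 rendering: " + rfc2253(fromCert));
        System.out.println("same DN           : " + sameDn(fromCert, fromTicket));
    }
}
```

    The first line of output is false and the last is true: the two strings are not equal as text but are the same name. A lookup that keys certificates on a DN string, as the "Some Test" section in the post does, will therefore hit or miss depending on which rendering the caller happens to pass; keying on X500Principal (or on the RFC 2253 string produced by getName() on both sides) removes that dependency.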

  • RELEVANCY SCORE 2.56

    DB:2.56:How Do I Renew The Certificate Generated By The Ldms Agents? fd



    Apparently, the LDMS agents have a cert that currently appears to be both weak and expired:

    When I view that key it was generated with only 1000 bits

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                [censored]
            Signature Algorithm: md2WithRSAEncryption
            Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
            Validity
                Not Before: Nov 9 00:00:00 1994 GMT
                Not After : Jan 7 23:59:59 2010 GMT
            Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1000 bit)

    Networking team is requesting an update to this but I can't figure it out.

    How does one renew these certs? How can the security be increased for them beyond 1000 bits?

    DB:2.56:How Do I Renew The Certificate Generated By The Ldms Agents? fd


    Chewie,

    That certificate doesn't look like anything created or used by LANDesk. I went back to several certificates from previous versions of LANDesk and none of them have a key length of 1000 bits and none of them have the issuer you outline. My certificates have key lengths of 1024 or 2048, and are issued by my "Core cert" or CBA. None of them expire before 2025. You can look at them in the \ldlogon folder. The public key is the .0 file. Copy it and rename it to .crt and you can open it and look at the values.

    I'm not sure how this certificate information is getting there. Is there perhaps something in between? Your certificate appears to have been issued by RSA Data Security Inc., so are you using something from RSA?

    In 9.5 SP1 there is a way to recreate the client certificates with a higher security level, but I'm not sure that will address your concern because you are describing a certificate that doesn't seem related to LANDesk.

  • RELEVANCY SCORE 2.55

    DB:2.55:How Do I Trust A Self-Signed Issuer Certificate? 3k



    I created a self-signed CA cert using openssl, and imported it into Firefox, but when I select it in the Certificate Manager under “Your Certificates” and click “View…”, I see the message “Could not verify this certificate because the issuer is not trusted.”

    https://www.dropbox.com/s/i38v78802ym9fug/Screenshot%202014-04-15%2010.49.14.png

    When I visit the site that I set up with an SSL cert signed by that same self-signed CA cert, I get an untrusted connection warning with the following technical details: “staging.cakemade.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)”

    https://www.dropbox.com/s/rvq00r0pdn99rd6/Screenshot%202014-04-15%2010.57.54.png

    When I view the site certificate, it correctly identifies the issuer as the CA cert that I imported, but also displays the message “Could not verify this certificate because the issuer is not trusted.”

    https://www.dropbox.com/s/b3no5pdhf9ddx5h/Screenshot%202014-04-15%2010.57.29.png

    I am using Firefox Aurora, and apply updates daily. I am using the default settings for OCSP.

    https://www.dropbox.com/s/in58viu3q6wkxvn/Screenshot%202014-04-15%2011.02.22.png

    What do I need to do to get Firefox to trust the CA cert that I imported?

    DB:2.55:How Do I Trust A Self-Signed Issuer Certificate? 3k

    Question owner


    I had imported the CA cert under “Your Certificates.” I deleted the CA cert, switched to “Authorities”, re-imported the CA cert, and restarted Firefox. This fixed the problem.

    Thanks for your help!

  • RELEVANCY SCORE 2.54

    DB:2.54:Javax.Net.Ssl.Sslexception: Received Fatal Alert: Unexpected_Message 71


    I am using JSSE to submit an HTTPS request to QuickBooks. Here is the code of a test JSSE client for connecting to another web-hosted system. I get the error when writing out the request, i.e. on the following line in the code below:
    OutputStream os = con.getOutputStream(); // --- Error Here

    System.setProperty("javax.net.debug", "all");
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    java.io.File keyStoreFile = new java.io.File("C:/keystore/efleetTestKey");
    java.security.KeyStore ks = java.security.KeyStore.getInstance("JKS");
    java.io.InputStream is = new java.io.FileInputStream(keyStoreFile);
    String keyStorePass = "eFleet4DDS";
    String certPass = "eFleet4DDS";
    String certAlias = "intuit";

    ks.load(is, keyStorePass.toCharArray());

    // Define SSL context (MyKeyManager and MyTrustManager are my own classes, not shown here)
    javax.net.ssl.KeyManager[] km = { new MyKeyManager(ks, certAlias, certPass) };
    javax.net.ssl.TrustManager[] tm = { new MyTrustManager() };
    javax.net.ssl.SSLContext sslcontext = javax.net.ssl.SSLContext.getInstance("TLS");
    sslcontext.init(km, tm, null);
    javax.net.ssl.SSLSocketFactory sslFactory = sslcontext.getSocketFactory();
    System.setProperty("javax.net.debug", "ssl");
    System.setProperty("java.protocol.handler.pkgs", "javax.net.ssl");
    // (a call to Security.addProvider(new sun.net.ssl.internal.www.protocol()) was here;
    // that name is a package, not a Provider class, so it does not compile and is dropped)

    String pURL = "https://webmerchantaccount.ptc.quickbooks.com/j/AppGateway";

    String postReq = "<?xml version='1.0' ?><?qbmsxml version='2.0'?>"
        + "<QBMSXML><SignonMsgsRq><SignonAppCertRq>"
        + "<ClientDateTime>2007-04-12T18:35:26</ClientDateTime>"
        + "<ApplicationLogin>efleet1.ddwf.com</ApplicationLogin>"
        + "<ConnectionTicket>TGT-112-y1ThPfRFGfhTy8z2PsEg$w</ConnectionTicket>"
        + "</SignonAppCertRq></SignonMsgsRq></QBMSXML>";

    java.net.URL rqURL = new java.net.URL(pURL);
    javax.net.ssl.HttpsURLConnection con = (javax.net.ssl.HttpsURLConnection) rqURL.openConnection();
    con.setSSLSocketFactory(sslFactory);
    con.setRequestMethod("POST");
    java.net.HttpURLConnection.setFollowRedirects(true); // static method, was called on the instance
    con.setAllowUserInteraction(true);
    con.setRequestProperty("content-type", "application/x-qbmsxml");
    con.setDoOutput(true);
    con.setDoInput(true);

    java.io.OutputStream os = con.getOutputStream(); // --- Error Here
    os.write(postReq.getBytes());

    I am getting the following error:

    Error Message:-

    main, RECV TLSv1 ALERT: fatal, unexpected_message
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:836)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at SSLClient.quickBooksWebConnection(SSLClient.java:252)

    Here is the full SSL debug:
    X509KeyManager passed to SSLContext.init(): need an X509ExtendedKeyManager for SSLEngine use
    trigger seeding of SecureRandom
    done seeding SecureRandom
    setting up default SSLSocketFactory
    use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
    keyStore is : C:/keystore/efleetKeyStore
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Java\jdk1.5.0_06\jre\lib\security\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 17:19:54 PDT 1999 until Tue Jun 25 17:19:54 PDT 2019
    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000bf
    Valid from Wed May 17 07:01:00 PDT 2000 until Sat May 17 16:59:00 PDT 2025
    adding as trusted cert:
    Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Algorithm: RSA; Serial number: 0x374ad243
    Valid from Tue May 25 09:09:40 PDT 1999 until Sat May 25 09:39:40 PDT 2019
    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000b9
    Valid from Fri May 12 11:46:00 PDT 2000 until Mon May 12 16:59:00 PDT 2025
    adding as trusted cert:
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
    Valid from Thu Sep 30 17:00:00 PDT 1999 until Wed Jul 16 16:59:59 PDT 2036
    adding as trusted cert:
    Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
    Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
    Algorithm: RSA; Serial number: 0x0
    Valid from Tue Jun 29 10:39:16 PDT 2004 until Thu Jun 29 10:39:16 PDT 2034
    adding as trusted cert:
    Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020
    adding as trusted cert:
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Aug 01 16:59:59 PDT 2028
    adding as trusted cert:
    Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
    Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
    Algorithm: RSA; Serial number: 0x3770cfb5
    Valid from Wed Jun 23 05:14:45 PDT 1999 until Sun Jun 23 05:14:45 PDT 2019
    adding as trusted cert:
    Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Algorithm: RSA; Serial number: 0x35def4cf
    Valid from Sat Aug 22 09:41:51 PDT 1998 until Wed Aug 22 09:41:51 PDT 2018
    adding as trusted cert:
    Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020
    adding as trusted cert:
    Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Algorithm: RSA; Serial number: 0x4
    Valid from Sun Jun 20 21:00:00 PDT 1999 until Sat Jun 20 21:00:00 PDT 2020
    adding as trusted cert:
    Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020
    adding as trusted cert:
    Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Algorithm: RSA; Serial number: 0x1b6

    Valid from Fri Aug 14 07:50:00 PDT 1998 until Wed Aug 14 16:59:00 PDT 2013

    adding as trusted cert:

    Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

    Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55

    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:

    Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US

    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US

    Algorithm: RSA; Serial number: 0x1a3

    Valid from Fri Feb 23 15:01:00 PST 1996 until Thu Feb 23 15:59:00 PST 2006

    adding as trusted cert:

    Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL

    _CPS incorp. by ref. (limits liab.), O=Entrust.net

    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL

    _CPS incorp. by ref. (limits liab.), O=Entrust.net

    Algorithm: RSA; Serial number: 0x389b113c

    Valid from Fri Feb 04 09:20:00 PST 2000 until Tue Feb 04 09:50:00 PST 2020

    adding as trusted cert:

    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6

    Valid from Sun May 17 17:00:00 PDT 1998 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:

    Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Th

    awte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

    Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Th

    awte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

    Algorithm: RSA; Serial number: 0x1

    Valid from Wed Jul 31 17:00:00 PDT 1996 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:

    Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US

    Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US

    Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0

    Valid from Tue Nov 08 16:00:00 PST 1994 until Thu Jan 07 15:59:59 PST 2010

    adding as trusted cert:

    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_

    Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US

    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_

    Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US

    Algorithm: RSA; Serial number: 0x380391ee

    Valid from Tue Oct 12 12:24:30 PDT 1999 until Sat Oct 12 12:54:30 PDT 2019

    adding as trusted cert:

    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS i

    ncorp. by ref. (limits liab.), O=Entrust.net

    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS i

    ncorp. by ref. (limits liab.), O=Entrust.net

    Algorithm: RSA; Serial number: 0x389ef6e4

    Valid from Mon Feb 07 08:16:40 PST 2000 until Fri Feb 07 08:46:40 PST 2020

    adding as trusted cert:

    Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

    Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0x2d1bfc4a178da391ebe7fff58b45be0b

    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:

    Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized

    use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized

    use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a

    Valid from Thu Sep 30 17:00:00 PDT 1999 until Wed Jul 16 16:59:59 PDT 2036

    adding as trusted cert:

    Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

    Algorithm: RSA; Serial number: 0x1a5

    Valid from Wed Aug 12 17:29:00 PDT 1998 until Mon Aug 13 16:59:00 PDT 2018

    adding as trusted cert:

    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consu

    lting cc, L=Cape Town, ST=Western Cape, C=ZA

    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consu

    lting cc, L=Cape Town, ST=Western Cape, C=ZA

    Algorithm: RSA; Serial number: 0x1

    Valid from Wed Jul 31 17:00:00 PDT 1996 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:

    Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

    Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

    Algorithm: RSA; Serial number: 0x23456

    Valid from Mon May 20 21:00:00 PDT 2002 until Fri May 20 21:00:00 PDT 2022

    adding as trusted cert:

    Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 i

    ncorp. by ref. (limits liab.), O=Entrust.net

    Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 i

    ncorp. by ref. (limits liab.), O=Entrust.net

    Algorithm: RSA; Serial number: 0x3863b966

    Valid from Fri Dec 24 09:50:51 PST 1999 until Tue Dec 24 10:20:51 PST 2019

    adding as trusted cert:

    Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    Algorithm: RSA; Serial number: 0x1

    Valid from Sun Jun 20 21:00:00 PDT 1999 until Sat Jun 20 21:00:00 PDT 2020

    adding as trusted cert:

    Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

    Algorithm: RSA; Serial number: 0x0

    Valid from Tue Jun 29 10:06:20 PDT 2004 until Thu Jun 29 10:06:20 PDT 2034

    adding as trusted cert:

    Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized

    use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized

    use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4

    Valid from Thu Sep 30 17:00:00 PDT 1999 until Wed Jul 16 16:59:59 PDT 2036

    adding as trusted cert:

    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf

    Valid from Sun May 17 17:00:00 PDT 1998 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:

    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary

    Certification Authority - G2, O="VeriSign, Inc.", C=US

    Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192

    Valid from Sun May 17 17:00:00 PDT 1998 until Tue Aug 01 16:59:59 PDT 2028

    init context

    trigger seeding of SecureRandom

    done seeding SecureRandom

    instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl

    con is= sun.net.www.protocol.https.DelegateHttpsURLConnection:https://webmerchantaccount.ptc.quickbooks.com/j/AppGatewa

    y

    %% No cached client session

    *** ClientHello, TLSv1

    RandomCookie: GMT: 1176913820 bytes = { 96, 17, 110, 153, 49, 81, 58, 232, 207, 60, 235, 223, 97, 178, 168, 173, 83, 20

    1, 70, 122, 124, 143, 253, 6, 87, 176, 138, 79 }

    Session ID: {}

    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_1

    28_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_

    DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA

    _EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WI

    TH_DES40_CBC_SHA]

    Compression Methods: { 0 }

    ***

    [write] MD5 and SHA1 hashes: len = 73

    main, WRITE: TLSv1 Handshake, length = 73
    [write] MD5 and SHA1 hashes: len = 98
    main, WRITE: SSLv2 client hello message, length = 98
    [Raw write]: length = 100
    [Raw read]: length = 5
    0000: 16 03 01 00 4A ....J
    [Raw read]: length = 74
    main, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1176913823 bytes = { 58, 106, 202, 229, 67, 177, 81, 163, 57, 163, 180, 110, 106, 33, 85, 113, 190, 57, 64, 184, 197, 153, 255, 77, 177, 242, 244, 83 }
    Session ID: {171, 186, 71, 222, 243, 212, 177, 145, 43, 95, 229, 78, 185, 23, 235, 198, 35, 68, 200, 115, 5, 116, 181, 7, 222, 65, 133, 199, 99, 93, 239, 120}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    [read] MD5 and SHA1 hashes: len = 74
    [Raw read]: length = 5
    0000: 16 03 01 03 E5 .....
    [Raw read]: length = 997
    main, READ: TLSv1 Handshake, length = 997
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=webmerchantaccount.ptc.quickbooks.com, OU=Technology Ops, O=Intuit, L=San Diego, ST=California, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 127684148603555011076317616221942634316380888268189056297740767686515690508856718355764483594830155415587338069991478397789149326485964922987749416643423970938448486083102217459392697561650548771875238551771629281107024842422362330465768350599000946116302876724788473937520907122096172842219518298891422618769
    public exponent: 65537
    Validity: [From: Sun Feb 04 16:00:00 PST 2007,
    To: Tue Feb 05 15:59:59 PST 2008]
    Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    SerialNumber: [ 613fa2b0 77412f02 dd65fe0c 3746e661]
    Certificate Extensions: 7
    [1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
    Extension unknown: DER encoded OCTET string =
    [2]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://crl.verisign.com/RSASecureServer.crl]
    ]]
    [3]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
    [4]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa
    ]] ]
    ]
    [5]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]
    [6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.1
    accessLocation: URIName: http://ocsp.verisign.com]
    ]
    [7]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]
    ]
    Algorithm: [SHA1withRSA]
    Signature:

    DB:2.54:Javax.Net.Ssl.Sslexception: Received Fatal Alert: Unexpected_Message 71

    The server has generated an unexpected_message alert: in other words it hasn't understood the last message your code sent. I would take this up with Quickbooks. It may be a problem in the implementation of TLS/SSL they are using.

    You could also try getting an SSLContext for "SSL" instead of "TLS".
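    As an added example (not code from this thread or from Sun's JSSE), the following Python script reads `-Djavax.net.debug=ssl` output in the format pasted above (and in the log at the end of this page) and reports the things worth checking on the client side before blaming the peer: which loaded trust anchors had already expired at the moment of the handshake (taken from the ClientHello RandomCookie GMT field, which is a Unix timestamp), which offered and chosen cipher suites are weak by a simple name heuristic, and whether the server's chain ends at a loaded anchor. The sample log is a constructed excerpt using values from the log above; the zone table and the `WEAK_MARKERS` list are my own assumptions.

```python
"""Summarise a -Djavax.net.debug=ssl log: trust anchors, hello messages, server chain."""
from datetime import datetime, timedelta, timezone

# Zone abbreviations seen in the thread's logs (Java prints local zone names); extend as needed.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "GMT": 0, "UTC": 0}
# Suite-name fragments a reviewer would flag: export grade, single DES, RC4, MD5 MAC, no auth/enc.
WEAK_MARKERS = ("EXPORT", "_DES_CBC", "DES40", "RC4", "_MD5", "NULL", "anon")


def parse_java_date(text):
    """'Thu Feb 23 15:59:00 PST 2006' -> timezone-aware datetime."""
    _dow, mon, day, hms, tz, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))


def parse_debug_log(log):
    """Collect trust anchors, ClientHello/ServerHello details and the server's chain."""
    out = {"anchors": [], "offered": [], "chosen": None, "chain": [], "handshake_time": None}
    current = None  # the anchor or chain entry whose Subject/Issuer lines come next
    for raw in log.splitlines():
        line = raw.strip()
        if line == "adding as trusted cert:":
            current = {}
            out["anchors"].append(current)
        elif line.startswith("chain [") and line.endswith("= ["):
            current = {}
            out["chain"].append(current)
        elif line.startswith("Subject: ") and current is not None:
            current["subject"] = line[len("Subject: "):]
        elif line.startswith("Issuer: ") and current is not None:
            current["issuer"] = line[len("Issuer: "):]
        elif line.startswith("Valid from ") and current is not None:
            not_before, not_after = line[len("Valid from "):].split(" until ")
            current["not_before"] = parse_java_date(not_before)
            current["not_after"] = parse_java_date(not_after)
        elif line.startswith("RandomCookie: GMT: ") and out["handshake_time"] is None:
            # The first RandomCookie is the client's; its GMT field is a Unix timestamp.
            out["handshake_time"] = datetime.fromtimestamp(int(line.split()[2]), tz=timezone.utc)
        elif line.startswith("Cipher Suites: ["):
            out["offered"] = [s.strip() for s in line[len("Cipher Suites: ["):-1].split(",")]
        elif line.startswith("Cipher Suite: "):
            out["chosen"] = line[len("Cipher Suite: "):]
    return out


def expired_anchors(parsed, at):
    """Subjects of anchors whose validity window does not contain `at`."""
    return [a["subject"] for a in parsed["anchors"]
            if not a["not_before"] <= at <= a["not_after"]]


def weak_suites(suites):
    return [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]


def chain_anchored(parsed):
    """True if the last certificate the server sent names a loaded anchor as its issuer."""
    if not parsed["chain"]:
        return False
    return any(a["subject"] == parsed["chain"][-1]["issuer"] for a in parsed["anchors"])


def analyse(log):
    parsed = parse_debug_log(log)
    at = parsed["handshake_time"] or datetime.now(timezone.utc)
    return {
        "handshake_time": at,
        "anchors_loaded": len(parsed["anchors"]),
        "expired_anchors": expired_anchors(parsed, at),
        "chosen_suite": parsed["chosen"],
        "chosen_is_weak": bool(parsed["chosen"] and weak_suites([parsed["chosen"]])),
        "weak_offered": weak_suites(parsed["offered"]),
        "chain_anchored": chain_anchored(parsed),
    }


# Constructed excerpt in the thread's log format (values taken from the log above).
SAMPLE_LOG = """
adding as trusted cert:
Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a3
Valid from Fri Feb 23 15:01:00 PST 1996 until Thu Feb 23 15:59:00 PST 2006
adding as trusted cert:
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
Valid from Tue Nov 08 16:00:00 PST 1994 until Thu Jan 07 15:59:59 PST 2010
*** ClientHello, TLSv1
RandomCookie: GMT: 1176913820 bytes = { 96, 17, 110, 153 }
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Subject: CN=webmerchantaccount.ptc.quickbooks.com, OU=Technology Ops, O=Intuit, C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
]
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it against a captured log (for example by reading the file into `analyse`) to see at a glance whether an expired anchor or a weak negotiated suite, rather than the peer, explains a failed handshake.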

  • RELEVANCY SCORE 2.53

    DB:2.53:San Cert. s7


    Hey Guys,
    I have a SAN cert. w/ Subject name webmail.domain.com and Alternative names autodiscover.domain.com and legacy.domain.com
    I was under the impression that I don't need a cert for my CAS Array FQDN - outlook.domain.com since it's MAPI and it doesn't use https
    It seems like a few clients are getting a security alert for outlook.domain.com
    Is there anything I can do to fix this?

    DB:2.53:San Cert. s7

    Killerbe,
    You are correct. That seems to be the case.

  • RELEVANCY SCORE 2.51

    DB:2.51:Add Subject Alterntive Name To Existing Cert c7


    Hello,
    I have an Exchange 2010 environment where I need to add an additional Subject Alternative Name (SAN) to the existing cert. I'd like to do this using the CertUtil command and just add the SAN to the cert, but I don't know the entire process.
    Can someone please explain it to me? The name of the cert is Forestar Exchange 2010 and I need to add the name Raustpsw0211.real.local to the cert.

    DB:2.51:Add Subject Alterntive Name To Existing Cert c7

    Hello
    In addition to Brian's answer, you can also use the CSR creation tool, where you can add SANs (Subject Alternate Names):
    https://www.digicert.com/easy-csr/exchange2010.htm

    Thanks Mhussain

  • RELEVANCY SCORE 2.51

    DB:2.51:Updating Ad Cs To Issue Sha256 Certificates 33


    I tried to follow this Microsoft publication on Migrating a Certification Authority Key from a Cryptographic Service Provider to a Key Storage Provider. http://technet.microsoft.com/en-us/library/dn771627.aspx

    However at the end of the document when you go to verify CA services, it fails. Under investigation when you issue the start-service command, the service starts and immediately stops. In the Event Viewer there is this following error:
    Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Companyname-CA Key does not exist.
    0x8009000d (-2146893811).

    I thought this may have had to do with the part around Step 5 where you take the certificate to a Windows 8 / 2012 machine, import it and then export it again.
    My first attempt was on my Windows 8.1 laptop, and I exported it back out, copied it to the server and this did not seem to work. So my second attempt I took the original CA cert to a Server 2012 R2 server and then exported it back out. Same issue.
    Any idea what could be going wrong?
    I also just tried changing CNGHashAlgorithm to SHA256 and renew my CA cert, but the renewed cert ends up SHA1 and not SHA256.

    This is Server 2008 R2.
    This is the root cert
    C:\Users\certutil -store my Companyname-CA
    my
    ================ Certificate 9 ================
    Serial Number: 6260xxxxxxx
    Issuer: CN=Companyname-CA, DC=companyname, DC=com
    NotBefore: 5/19/2011 10:50 AM
    NotAfter: 5/19/2016 10:56 AM
    Subject: CN=Companyname-CA, DC=companyname, DC=com
    Certificate Template Name (Certificate Type): CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority

    Cert Hash(sha1): 0e 6a xx xx

    Key Container = Companyname-CA

    Provider = Microsoft Strong Cryptographic Provider

    Encryption test FAILED
    CertUtil: -store command completed successfully.

    DB:2.51:Updating Ad Cs To Issue Sha256 Certificates 33

    I was able to complete the rest of the article.
    glad to hear that!
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • RELEVANCY SCORE 2.49

    DB:2.49:Ssl Https Error pp


    I am trying to post multi-part form data to an https url and receive the response. If I post to the site with my form data I get no response at all, just a weird Premature EOF error. If I post to the site with no request data I get the html page as the response but I still get the weird Premature EOF error. My code for just connecting to the url without the form request data is as follows:

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.net.URLConnection;

    public class HttpsPostTest {
        public static void main(String[] args) throws Exception {
            // Build the https URL explicitly from scheme, host, port and path
            URL url1 = new URL("https", "cert.access.webmd.com", 443, "/ITS/post.aspx");
            URLConnection connection = url1.openConnection();
            connection.setUseCaches(false);
            connection.setDoOutput(true);   // makes the request a POST even though no body is written here
            connection.setDoInput(true);
            InputStream inputStream = connection.getInputStream();
            InputStreamReader isr = new InputStreamReader(inputStream);
            BufferedReader br = new BufferedReader(isr);
            try {
                String line;
                while ((line = br.readLine()) != null) { // line where I get the premature EOF error
                    System.err.println(line);
                }
            } catch (Exception x) {
                x.printStackTrace();
            } finally {
                br.close();
                isr.close();
            }
        }
    }

    If I run this code with the -Djavax.net.debug=ssl property I get all the exchange output; it is quite verbose, but notice the "main, received EOFException: ignored". It is hard for me to tell what the problem is here; I am guessing there is an error in the ssl exchange. What am I missing?

    Thanks,
    Ryan

    Below is the output produced:

    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: /usr/lib/java/j2sdk1.4.2_03/jre/lib/security/cacerts
    trustStore type is : jks
    init truststore
    adding as trusted cert:
    Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x1
    Valid from Wed Jul 31 17:00:00 PDT 1996 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:
    Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
    Valid from Tue Nov 08 16:00:00 PST 1994 until Thu Jan 07 15:59:59 PST 2010

    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000bf
    Valid from Wed May 17 07:01:00 PDT 2000 until Sat May 17 16:59:00 PDT 2025

    adding as trusted cert:
    Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Algorithm: RSA; Serial number: 0x374ad243
    Valid from Tue May 25 09:09:40 PDT 1999 until Sat May 25 09:39:40 PDT 2019

    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000b9
    Valid from Fri May 12 11:46:00 PDT 2000 until Mon May 12 16:59:00 PDT 2025

    adding as trusted cert:
    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
    Algorithm: RSA; Serial number: 0x380391ee
    Valid from Tue Oct 12 12:24:30 PDT 1999 until Sat Oct 12 12:54:30 PDT 2019

    adding as trusted cert:
    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Algorithm: RSA; Serial number: 0x389ef6e4
    Valid from Mon Feb 07 08:16:40 PST 2000 until Fri Feb 07 08:46:40 PST 2020

    adding as trusted cert:
    Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x2d1bfc4a178da391ebe7fff58b45be0b
    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:
    Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Algorithm: RSA; Serial number: 0x1a5
    Valid from Wed Aug 12 17:29:00 PDT 1998 until Mon Aug 13 16:59:00 PDT 2018

    adding as trusted cert:
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x1
    Valid from Wed Jul 31 17:00:00 PDT 1996 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:
    Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
    Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
    Algorithm: RSA; Serial number: 0x23456
    Valid from Mon May 20 21:00:00 PDT 2002 until Fri May 20 21:00:00 PDT 2022

    adding as trusted cert:
    Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
    Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
    Algorithm: RSA; Serial number: 0x3863b966
    Valid from Fri Dec 24 09:50:51 PST 1999 until Tue Dec 24 10:20:51 PST 2019

    adding as trusted cert:
    Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Algorithm: RSA; Serial number: 0x1
    Valid from Sun Jun 20 21:00:00 PDT 1999 until Sat Jun 20 21:00:00 PDT 2020

    adding as trusted cert:
    Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Aug 01 16:59:59 PDT 2028

    adding as trusted cert:
    Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
    Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
    Algorithm: RSA; Serial number: 0x3770cfb5
    Valid from Wed Jun 23 05:14:45 PDT 1999 until Sun Jun 23 05:14:45 PDT 2019

    adding as trusted cert:
    Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x325033cf50d156f35c81ad655c4fc825
    Valid from Sun Jan 28 16:00:00 PST 1996 until Tue Jan 07 15:59:59 PST 2020

    adding as trusted cert:
    Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Algorithm: RSA; Serial number: 0x35def4cf
    Valid from Sat Aug 22 09:41:51 PDT 1998 until Wed Aug 22 09:41:51 PDT 2018

    adding as trusted cert:
    Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Algorithm: RSA; Serial number: 0x4
    Valid from Sun Jun 20 21:00:00 PDT 1999 until Sat Jun 20 21:00:00 PDT 2020

    adding as trusted cert:
    Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:
    Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 16:00:00 PST 1995 until Thu Dec 31 15:59:59 PST 2020

    adding as trusted cert:
    Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Algorithm: RSA; Serial number: 0x1b6
    Valid from Fri Aug 14 07:50:00 PDT 1998 until Wed Aug 14 16:59:00 PDT 2013

    adding as trusted cert:
    Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Algorithm: RSA; Serial number: 0x1a3
    Valid from Fri Feb 23 15:01:00 PST 1996 until Thu Feb 23 15:59:00 PST 2006

    adding as trusted cert:
    Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Algorithm: RSA; Serial number: 0x389b113c
    Valid from Fri Feb 04 09:20:00 PST 2000 until Tue Feb 04 09:50:00 PST 2020

    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom

    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1100967656 bytes = { 85, 249, 69, 69, 84, 99, 204, 44, 225, 76, 212, 143, 63, 8, 61, 193,
    69, 146, 30, 191, 221, 252, 41, 29, 186, 237, 103, 108 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 2158
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1100967656 bytes = { 193, 116, 29, 174, 183, 129, 191, 46, 16, 88, 69, 237, 173, 125, 77,
    154, 26, 184, 42, 203, 76, 175, 127, 87, 142, 197, 202, 212 }
    Session ID: {66, 30, 0, 0, 221, 118, 170, 131, 208, 222, 7, 40, 191, 245, 26, 201, 36, 112, 168, 211, 159, 138, 187, 132, 206, 103, 72, 22, 250, 92, 6, 85}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=cert.access.webmd.com, OU=Terms of use at www.verisign.com/rpa (c)00, OU=Web Operations2, O=WebMD Corporation, L=Nashville, ST=Tennessee, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    e7096ecb b34ae0e4 fa49f05c c1cc6059 d7bb5a83 4981a2ca 2bc6ff06 add7b5bd
    78c02292 637c441e f25ec1ea 237276d4 8f47fb99 a0851eec 934c1f2d 44cb16df
    6b9b2e63 79fb1f38 945df9df ea8652d2 ea7068a5 debd9517 8016599e 13acf96c
    99e1e318 94ebacd7 2d563d05 6e90f055 c8ef9c13 a93333b2 c1c01285 8acabfc9
    Validity: [From: Tue Oct 05 17:00:00 PDT 2004,
    To: Thu Oct 06 16:59:59 PDT 2005]
    Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
    SerialNumber: [ 0c844a2c e47020eb 3079ddc8 a3603dca]

    Certificate Extensions: 7
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 28 30 26 30 24 06 08 2B 06 01 05 05 07 30 01 .(00$..+.....0.
    0010: 86 18 68 74 74 70 3A 2F 2F 6F 63 73 70 2E 76 65 ..http://ocsp.ve
    0020: 72 69 73 69 67 6E 2E 63 6F 6D risign.com

    [2]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U..
    0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
    0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+..............
    0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.#
    0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
    0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo.
    0060: 67 69 66 gif

    [3]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://crl.verisign.com/Class3InternationalServer.crl]
    ]]

    [4]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [2.16.840.1.113730.4.1, 1.3.6.1.4.1.311.10.3.3, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

    [5]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa

    ]] ]
    ]

    [6]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    [7]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 27 4A B6 66 AF 20 70 F4 FC 5F 17 80 05 8D 04 37 'J.f. p.._.....7
    0010: 04 8B ED 00 F5 21 F6 48 70 70 25 79 DC 04 1D 64 .....!.Hpp%y...d
    0020: B0 89 55 BA BD F3 26 AB 82 63 5F 8B D2 65 B2 A3 ..U.....c_..e..
    0030: F9 CE A3 E6 FE A0 30 95 5C 0E 26 8E 4D 64 59 52 ......0.\..MdYR
    0040: 4C 2F DE C1 12 FD EB 12 8C 70 2C 09 52 96 9B E3 L/.......p,.R...
    0050: F8 74 60 13 03 74 26 DA 28 24 6A 1F AC C0 A6 96 .t`..t.($j.....
    0060: BA D4 8C 7C 1D BF E4 13 EB FE 75 6D 23 37 D2 13 ..........um#7..
    0070: C3 AD D7 19 D4 D4 A8 F9 94 3A A1 83 E9 74 BD 99 .........:...t..

    ]
    chain [1] = [
    [
    Version: V3
    Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    d88280e8 d619027d 1f851839 25a2652b e1bfd405 d3bce636 3baaf04c 6c5bb6e7
    aa3c7345 55b2f1bd ea9742ed 9a340a15 d4a95cf5 4025ddd9 07c132b2 756cc4ca
    bba3fe56 277143aa 63f5303e 9328e5fa f1093bf3 b74d4e39 f75c495a b8c11dd3
    b28afe70 309542cb fe2b518b 5a3c3af9 224f90b2 02a7539c 4f34e7ab 04b27b6f
    Validity: [From: Wed Apr 16 17:00:00 PDT 1997,
    To: Mon Oct 24 16:59:59 PDT 2011]
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 254b8a85 3842cce3 58f8c5dd ae226ea4]

    Certificate Extensions: 6
    [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
    SSL CA
    S/MIME CA
    ]

    [2]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://crl.verisign.com/pca3.crl]
    ]]

    [3]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [4]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1]]

    [5]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53 risign.com/CPS

    ]] ]
    ]

    [6]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:0
    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 08 01 EC E4 68 94 03 42 F1 73 F1 23 A2 3A DE E9 ....h..B.s.#.:..
    0010: F1 DA C6 54 C4 23 3E 86 EA CF 6A 3A 33 AB EA 9C ...T.#...j:3...
    0020: 04 14 07 36 06 0B F9 88 6F D5 13 EE 29 2B C3 E4 ...6....o...)+..
    0030: 72 8D 44 ED D1 AC 20 09 2D E1 F6 E1 19 05 38 B0 r.D... .-.....8.
    0040: 3D 0F 9F 7F F8 9E 02 DC 86 02 86 61 4E 26 5F 5E =..........aN_^
    0050: 9F 92 1E 0C 24 A4 F5 D0 70 13 CF 26 C3 43 3D 49 ....$...p...C=I
    0060: 1D 9E 82 2E 52 5F BC 3E C6 66 29 01 8E 4E 92 2C ....R_..f)..N.,
    0070: BC 46 75 03 82 AC 73 E9 D9 7E 0B 67 EF 54 52 1A .Fu...s....g.TR.

    ]
    ***
    Found trusted certificate:
    [
    [
    Version: V1
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    c95c599e f21b8a01 14b410df 0440dbe3 57af6a45 408f840c 0bd133d9 d911cfee
    02581f25 f72aa844 05aaec03 1f787f9e 93b99a00 aa237dd6 ac85a263 45c77227
    ccf44cc6 7571d239 ef4f42f0 75df0a90 c68e206f 980ff8ac 235f7029 36a4c986
    e7b19a20 cb53a585 e73dbe7d 9afe2445 33dc7615 ed0fa271 644c652e 816845a7
    Validity: [From: Sun Jan 28 16:00:00 PST 1996,
    To: Tue Aug 01 16:59:59 PDT 2028]
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 70bae41d 10d92934 b638ca7b 03ccbabf]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: BB 4C 12 2B CF 2C 26 00 4F 14 13 DD A6 FB FC 0A .L.+.,.O.......
    0010: 11 84 8C F3 28 1C 67 92 2F 7C B6 C5 FA DF F0 E8 ....(.g./.......
    0020: 95 BC 1D 8F 6C 2C A8 51 CC 73 D8 A4 C0 53 F0 4E ....l,.Q.s...S.N
    0030: D6 26 C0 76 01 57 81 92 5E 21 F1 D1 B1 FF E7 D0 ..v.W..^!......
    0040: 21 58 CD 69 17 E3 44 1C 9C 19 44 39 89 5C DC 9C !X.i..D...D9.\..
    0050: 00 0F 56 8D 02 99 ED A2 90 45 4C E4 BB 10 A4 3D ..V......EL....=
    0060: F0 32 03 0E F1 CE F8 E8 C9 51 8C E6 62 9F E6 9F .2.......Q..b...
    0070: C0 7D B7 72 9C C9 36 3A 6B 9F 4E A8 FF 64 0D 64 ...r..6:k.N..d.d

    ]
    *** ServerHelloDone
    JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 187, 229, 102, 174, 93, 53, 156, 155, 226, 41, 166, 195, 186, 45, 100, 182, 228, 29, 242, 129, 236, 142, 130, 65, 9, 135, 77, 3, 242, 180, 92, 128, 47, 242, 101, 158, 7, 2, 29, 252, 93, 8, 182, 220, 120, 86 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:

    PreMaster Secret:
    0000: 03 01 BB E5 66 AE 5D 35 9C 9B E2 29 A6 C3 BA 2D ....f.]5...)...-
    0010: 64 B6 E4 1D F2 81 EC 8E 82 41 09 87 4D 03 F2 B4 d........A..M...
    0020: 5C 80 2F F2 65 9E 07 02 1D FC 5D 08 B6 DC 78 56 \./.e.....]...xV
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 42 9F 6F E8 55 F9 45 45 54 63 CC 2C E1 4C D4 8F B.o.U.EETc.,.L..
    0010: 3F 08 3D C1 45 92 1E BF DD FC 29 1D BA ED 67 6C ?.=.E.....)...gl
    Server Nonce:
    0000: 42 9F 6F E8 C1 74 1D AE B7 81 BF 2E 10 58 45 ED B.o..t.......XE.
    0010: AD 7D 4D 9A 1A B8 2A CB 4C AF 7F 57 8E C5 CA D4 ..M...*.L..W....
    Master Secret:
    0000: 7B 07 3F 13 1A 30 22 04 D6 3E FD 68 04 32 B9 DA ..?..0"...h.2..
    0010: F7 47 70 EC 7B 33 88 97 30 D6 36 36 AD A7 97 69 .Gp..3..0.66...i
    0020: 69 E5 AB 16 60 40 A4 21 68 86 DC B9 79 20 26 CA i...`@.!h...y .
    Client MAC write Secret:
    0000: 5A F0 42 9E C3 67 CD 0F 34 D5 35 B3 65 B0 D5 9D Z.B..g..4.5.e...
    Server MAC write Secret:
    0000: 60 72 14 01 1C 76 91 F1 9A B0 23 8F A4 A6 22 56 `r...v....#..."V
    Client write key:
    0000: E1 75 7E F5 E0 1E 7F 63 72 B6 A8 88 61 5E F3 BB .u.....cr...a^..
    Server write key:
    0000: 98 CE 75 9B BD E5 5A 64 5F 20 8E 73 DD F3 82 23 ..u...Zd_ .s...#
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    JsseJCE: Using JSSE internal implementation for cipher RC4
    *** Finished
    verify_data: { 80, 164, 180, 17, 161, 82, 70, 35, 38, 132, 139, 152 }
    ***
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    JsseJCE: Using JSSE internal implementation for cipher RC4
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 144, 96, 219, 60, 29, 131, 19, 37, 231, 58, 220, 11 }
    ***
    %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    main, WRITE: TLSv1 Application Data, length = 236
    main, READ: TLSv1 Application Data, length = 4645
    <html>
    <head>
    <title>Internet Transaction Services HTTP Post Version 1.0</title>
    </head>
    <body>
    <h1><center>ITS HTTP Request Keys and Descriptions</center></h1>
    <table border=1>
    <tr>
    <td>wsUserID</td>
    <td>The single identifier for the client</td>
    <td>Required for all message types</td>
    </tr>
    .
    .
    .//HTML OUTPUT ABBREVIATED
    .
    .
    </table>
    </body>
    </html>

    main, received EOFException: ignored
    main, called closeInternal(false)
    main, SEND TLSv1 ALERT: warning, description = close_notify
    main, WRITE: TLSv1 Alert, length = 18
    java.io.IOException: Premature EOF
    at sun.net.www.http.ChunkedInputStream.readAheadBlocking(ChunkedInputStream.java:538)
    at sun.net.www.http.ChunkedInputStream.readAhead(ChunkedInputStream.java:582)
    at sun.net.www.http.ChunkedInputStream.read(ChunkedInputStream.java:669)
    at java.io.FilterInputStream.read(FilterInputStream.java:111)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:408)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:450)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:182)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at java.io.BufferedReader.fill(BufferedReader.java:136)
    at java.io.BufferedReader.readLine(BufferedReader.java:299)
    at java.io.BufferedReader.readLine(BufferedReader.java:362)
    at mbs.net.ClientHttpRequest.main(ClientHttpRequest.java:573)

    DB:2.49:Ssl Https Error pp

    Hi there, I am involved in a project to integrate our tools to send to webMD as well and I have just begun coding to the ITS protocol. I have run across this error too. I believe it is because webmd is disconnecting the connection as opposed to sending an EOF? This is my hunch anyway. I am interested to know if you have completed coding to the ITS spec? If so, could you help me out and provide some of your code as an example?
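
    The chain dump in the debug log above is what JSSE's PKIX validator works from before the handshake continues: each certificate's issuer must name the next certificate's subject, the last certificate sent must chain to a certificate in the trust store ("Found trusted certificate"), and every certificate must be inside its validity window. The script below is an added example, not code from the original thread or from any WebMD/ITS software: it re-derives those three checks from a debug log of the same shape, so a defender can see from the log alone which check a validator would fail. The DNs, and the "broken" variant in which the server sends an unrelated second certificate, are constructed sample data; the validity dates are the ones the log shows.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the JSSE chain dump quoted above (hypothetical DNs;
# the validity dates are the ones the log shows). Not a capture from the ITS/WebMD endpoint.
SAMPLE_LOG = """\
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=leaf.example.test, O=Example Corp, C=US
Validity: [From: Tue Oct 05 17:00:00 PDT 2004,
To: Thu Oct 06 16:59:59 PDT 2005]
Issuer: CN=Example Intermediate CA, O=Example Trust, C=US
]
chain [1] = [
[
Version: V3
Subject: CN=Example Intermediate CA, O=Example Trust, C=US
Validity: [From: Wed Apr 16 17:00:00 PDT 1997,
To: Mon Oct 24 16:59:59 PDT 2011]
Issuer: CN=Example Root CA, O=Example Trust, C=US
]
***
Found trusted certificate:
[
[
Version: V1
Subject: CN=Example Root CA, O=Example Trust, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US
]
"""

# Constructed variant: the second certificate the server sends is not the leaf's issuer,
# which is the situation behind JSSE's "subject/issuer name chaining check failed".
SAMPLE_LOG_BROKEN = SAMPLE_LOG.replace(
    "Subject: CN=Example Intermediate CA, O=Example Trust, C=US",
    "Subject: CN=Unrelated Intermediate CA, O=Other Trust, C=US",
)

_CHAIN_HDR = re.compile(r"^chain \[(\d+)\] = \[$")


def _jsse_date(text):
    # "Tue Oct 05 17:00:00 PDT 2004": drop the zone abbreviation, which strptime's %Z
    # cannot parse portably, and compare everything as naive timestamps.
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_chain(log):
    """Return (chain, anchor): chain is a list of dicts in the order the server sent the
    certificates; anchor is the 'Found trusted certificate' dict, or None."""
    chain, anchor, cur = [], None, None
    for raw in log.splitlines():
        line = raw.strip()
        m = _CHAIN_HDR.match(line)
        if m:
            cur = {"index": int(m.group(1))}
            chain.append(cur)
        elif line == "Found trusted certificate:":
            cur = anchor = {"index": None}
        elif cur is None:
            continue
        elif line.startswith("Subject: "):
            cur["subject"] = line[len("Subject: "):]
        elif line.startswith("Issuer: "):
            cur["issuer"] = line[len("Issuer: "):]
        elif line.startswith("Validity: [From: "):
            cur["not_before"] = _jsse_date(line[len("Validity: [From: "):].rstrip(","))
        elif line.startswith("To: ") and line.endswith("]"):
            cur["not_after"] = _jsse_date(line[len("To: "):-1])
    return chain, anchor


def check_chain(log, now):
    """Re-run the name-chaining, validity and trust-anchor checks on a logged chain and
    return the findings (an empty list means the chain is sound at `now`)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    chain, anchor = parse_chain(log)
    if not chain:
        return ["no certificate chain found in log"]
    findings = []
    for cert in chain:
        if "not_before" in cert and not cert["not_before"] <= now <= cert["not_after"]:
            findings.append(f"chain[{cert['index']}] not valid at {now:%Y-%m-%d}: {cert['subject']}")
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            findings.append(
                f"name chaining broken between chain[{lower['index']}] and chain[{upper['index']}]: "
                f"issuer '{lower['issuer']}' != subject '{upper['subject']}'")
    if anchor is None:
        findings.append("no trusted certificate found for the end of the chain")
    elif chain[-1]["issuer"] != anchor["subject"]:
        findings.append(f"chain[{chain[-1]['index']}] issuer '{chain[-1]['issuer']}' "
                        f"is not the trust anchor '{anchor['subject']}'")
    return findings


if __name__ == "__main__":
    for label, log in (("as logged", SAMPLE_LOG), ("unrelated intermediate", SAMPLE_LOG_BROKEN)):
        print(label, check_chain(log, "2005-01-01") or "OK")
```

    Run against the log as captured the checks pass for a date inside the leaf's validity window and report the leaf as expired for a later date; the "unrelated intermediate" variant reports the broken link between chain[0] and chain[1], which is the condition a real validator turns into a path-validation exception rather than completing the handshake.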

  • RELEVANCY SCORE 2.47

    DB:2.47:Cannot Import Wildcard Cert On Asa xm



    Dear all,

     

    I'm in the process of implementing a GoDaddy Wildcard (*.mydomain.mytld) cert for a number of boxes, amongst which there is our ASA. I have scrapped the old certs and did some housekeeping on their trustpoints etc., resulting in a pretty much clean config (I'm on 8.3).

    I needed to enroll for the cert from a different box (Exchange 2010) and I exported the cert into Cisco-pasteable CER format to have it ready for further deployment onto the ASA. Following is what I did (with cry ca debugging on), resulting in failure to import the wildcard cert. Can someone shed some light on what I'm doing wrong? What I did was basically set up TPs for root and intermediate and then import the actual device cert.

     

    Setup two trustpoints for RootCA and Intermediate TP:

    gate0(config)# crypto ca trustpoint gdroot
    gate0(config-ca-trustpoint)# enrollment terminal
    gate0(config-ca-trustpoint)# revo none
    ---------

    gate0(config)# crypto ca trustpoint gdinter
    gate0(config-ca-trustpoint)# enroll terminal
    gate0(config-ca-trustpoint)# fqdn mydomain.tld

    ----------------

    Authenticate these:

    gate0(config)# cry ca authenticate gdroot
    Enter the base 64 encoded CA certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    quit

    INFO: Certificate has the following attributes:
    Fingerprint:     [snip]
    Do you accept this certificate? [yes/no]: yes

    Trustpoint CA certificate accepted.

    % Certificate successfully imported
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    Current Certificate list contents:
    Certificate 1:  SERIAL: 00  ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
    CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdroot)

    gate0(config)# cry ca authenticate gdinter
    Enter the base 64 encoded CA certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    quit

    INFO: Certificate has the following attributes:
    Fingerprint:     [snip]
    Do you accept this certificate? [yes/no]: yes

    Trustpoint 'gdinter' is a subordinate CA and holds a non self-signed certificate.

    Trustpoint CA certificate accepted.

    % Certificate successfully imported
    gate0(config)# CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0301, subject name: serialNumber=07969287,cn=Go Daddy Secure Certification Authority,ou=http://certificates.godaddy.com/repository,o=GoDaddy.com\, Inc.,l=Scottsdale,st=Arizona,c=US, issuer name: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US .

    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    Current Certificate list contents:
    Certificate 1:  SERIAL: 0301  ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
    Certificate 2:  SERIAL: 00  ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
    CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdinter)

     

    Import the "device" wildcard cert:

     

    crypto ca import gdinter cer
    WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

    Would you like to continue with this enrollment? [yes/no]: yes

    % The fully-qualified domain name in the certificate will be: mydomain.tld

    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    quit

    ERROR: Failed to parse or verify imported certificate
    CRYPTO_PKI: can not set ca cert object (0x722)
    CRYPTO_PKI: status = 65535: failed to get key usage from cert

     

     

    DB:2.47:Cannot Import Wildcard Cert On Asa xm


    Yep, but the culprit was:

     

    I did enter both the IP and the hostname in the .xml, which in turn resulted in the IP not authenticating while the FQDN would. I did that to make sure it works even in case of DNS issues on the client. I removed the IP and we're up and running.

     

    Kudos Thanks for your help, Marvin.

     

    Dan 

     

    EDIT:

    To anyone else reading this: I did exactly what Marvin suggested, save that I was still on 8.x, resulting in failure to import the cert which I prepared according to the process in the linked discussion. What I finally did was to upgrade to the latest ASA 9.x and repeat it, resulting in the ASA nicely chewing everything up.

     

  • RELEVANCY SCORE 2.46

    DB:2.46:The Revocation Function Was Unable To Check Revocation Because The Revocation Server Was Offline. s9



    Hi there

    I just set up a PKI: 1 offline root CA and 1 online issuing CA.

    OS: Windows Server 2k8 R2

    I run Certutil -verify -urlfetch certfilename.cer (where certfilename.cer is the name of the certificate installed on my Exchange server), and I get the following results; it says the revocation check failed:
    Issuer:
    CN=CAISSUING
    O=COMPANY
    C=CO
    Subject:
    CN=server01.mydomain.corp
    OU=IT
    O=COMAPNY
    C=CO
    Cert Serial Number: 1848d547000000000012

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
    (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN
    (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION
    (0x1000000)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
    (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN
    (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION
    (0x1000000)

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=CAISSUING, O=COMPANY, C=CO
    NotBefore: 05/06/2013 08:39 a.m.
    NotAfter: 05/06/2015 08:39 a.m.
    Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY,C=CO
    Serial: 1848d547000000000012
    SubjectAltName: DNS Name=server01.mydomain.corp, DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.corp,
    DNS Name=server01, DNS Name=outlook.mydomain.com
    Template: TemplateWeb
    49 a8 b4 95 51 f5 f1 bb 10 ee 61 e9 1d 1f 27 12 51 fb 72 89
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Revocation Check Failed Certificate (0) Time: 0
    [0.0] http://pki.mydomain.corp/AIA/CAISSUING.crt

    ---------------- Certificate CDP ----------------
    Verified Base CRL (0b) Time: 0
    [0.0] http://pki.mydomain.corp/CDP/CAISSUING.crl

    ---------------- Base CRL CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    CRL 0b:
    Issuer: CN=CAISSUING, O=COMPANY, C=CO
    ea bc f1 ce 2c 44 e9 55 76 2e a5 fb 10 7b 43 0e 2c 1f ba 2a
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=ROOTCA, O=COMPANY, C=CO
    NotBefore: 30/05/2013 04:15 p.m.
    NotAfter: 30/05/2023 04:25 p.m.
    Subject: CN=CAISSUING, O=COMPANY, C=CO
    Serial: 11cd98ed000000000002
    Template: SubCA
    0a 5f 70 ec f5 01 9f 65 a3 c6 0a 65 ef c8 07 9f 6b 53 5a df
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed AIA Time: 0
    Error retrieving URL: The request is
    not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/SERVERPKI_ROOTCA.crt

    ---------------- Certificate CDP ----------------
    Failed CDP Time: 0
    Error retrieving URL: The request is
    not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/ROOTCA.crl

    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=ROOTCA, O=COMPANY, C=CO
    NotBefore: 30/05/2013 11:49 a.m.
    NotAfter: 30/05/2033 11:59 a.m.
    Subject: CN=ROOTCA, O=COMPANY, C=CO
    Serial: 663ed3499da366b1481e9d523010061c
    03 2f b6 77 4c a4 3c 3e 52 78 22 4d 2c e7 35 3a d7 75 8f b7
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------

    Exclude leaf cert:
    21 73 9a 59 1b 53 fb 24 11 b5 e3 52 2a e8 a0 de e8 9e 40 b0
    Full chain:
    f3 c1 25 66 20 6e 23 52 e9 de f1 ef 59 f2 54 44 68 d1 77 a2
    Issuer: CN=CAISSUING, O=COMPANY, C=CO
    NotBefore: 05/06/2013 08:39 a.m.
    NotAfter: 05/06/2015 08:39 a.m.
    Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY, C=CO
    Serial: 1848d547000000000012
    SubjectAltName: DNS Name=server01.mydomain.corp, DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.corp,
    DNS Name=server01, DNS Name=outlook.mydomain.com
    Template: TemplateWeb
    49 a8 b4 95 51 f5 f1 bb 10 ee 61 e9 1d 1f 27 12 51 fb 72 89
    The revocation function was unable to check revocation
    because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Any advices?

    Regards,

    CAS

    DB:2.46:The Revocation Function Was Unable To Check Revocation Because The Revocation Server Was Offline. s9


    Hi

    The solution was to re-issue the issuing CA's certificate, because that certificate had been issued from the root to the issuing CA before the default URL path was changed, so PKIHealth was showing file://SERVERPI instead of HTTP://PKISERVER.

    That was all.

    Thanks, Regards,
    CAS
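
    The thread's own diagnosis is visible in the certutil dump: the issuing CA element carries CERT_TRUST_IS_OFFLINE_REVOCATION and CERT_TRUST_REVOCATION_STATUS_UNKNOWN, and its AIA and CDP sections fail on file:// UNC paths that a chain-building client cannot fetch, while the leaf's HTTP URLs resolve fine. The script below is an added example, not part of the original thread and not part of certutil: it parses a -verify -urlfetch dump of this shape, keeps the elements whose error status has either revocation bit set, and lists each failed fetch URL with a note when its scheme is not HTTP, which is exactly the evidence that led to re-issuing the CA certificate with HTTP AIA/CDP paths. The sample dump is constructed from the lines quoted above, with the element trailers trimmed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, trimmed from the `certutil -verify -urlfetch` dump quoted above:
# leaf, issuing CA and root; only the issuing CA's AIA and CDP fetches fail.
SAMPLE_CERTUTIL = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=CAISSUING, O=COMPANY, C=CO
Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY, C=CO
---------------- Certificate AIA ----------------
Revocation Check Failed Certificate (0) Time: 0
[0.0] http://pki.mydomain.corp/AIA/CAISSUING.crt
---------------- Certificate CDP ----------------
Verified Base CRL (0b) Time: 0
[0.0] http://pki.mydomain.corp/CDP/CAISSUING.crl
---------------- Certificate OCSP ----------------
No URLs None Time: 0
--------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=ROOTCA, O=COMPANY, C=CO
Subject: CN=CAISSUING, O=COMPANY, C=CO
---------------- Certificate AIA ----------------
Failed AIA Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file://SERVERPKI/CertEnroll/SERVERPKI_ROOTCA.crt
---------------- Certificate CDP ----------------
Failed CDP Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file://SERVERPKI/CertEnroll/ROOTCA.crl
---------------- Certificate OCSP ----------------
No URLs None Time: 0
--------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=ROOTCA, O=COMPANY, C=CO
Subject: CN=ROOTCA, O=COMPANY, C=CO
---------------- Certificate AIA ----------------
No URLs None Time: 0
---------------- Certificate CDP ----------------
No URLs None Time: 0
---------------- Certificate OCSP ----------------
No URLs None Time: 0
--------------------------------
"""

_CTX = re.compile(r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)$")
_SECTION = re.compile(r"^-+ (Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP) -+$")
_URL = re.compile(r"^(?:\[\d+\.\d+\] )?([a-z]+://\S+)$")

# Chain status bits (wincrypt.h) that certutil prints symbolically next to each element.
CERT_TRUST_REVOCATION_STATUS_UNKNOWN = 0x40
CERT_TRUST_IS_OFFLINE_REVOCATION = 0x1000000


def parse_certutil_verify(text):
    """Parse the CertContext blocks into dicts: subject, issuer, error_status (int) and,
    per AIA/CDP/OCSP section, the URLs certutil tried and whether it reported a failure."""
    elements, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CTX.match(line)
        if m:
            cur = {"chain": int(m.group(1)), "index": int(m.group(2)),
                   "error_status": int(m.group(4), 16), "sections": {}}
            elements.append(cur)
            section = None
            continue
        if cur is None or not line:
            continue
        if re.fullmatch(r"-+", line):      # bare dash rule closes the element's sections
            section = None
            continue
        m = _SECTION.match(line)
        if m:
            section = {"urls": [], "failed": False}
            cur["sections"][m.group(1)] = section
        elif line.startswith("Subject: ") and "subject" not in cur:
            cur["subject"] = line[len("Subject: "):]
        elif line.startswith("Issuer: ") and "issuer" not in cur:
            cur["issuer"] = line[len("Issuer: "):]
        elif section is not None:
            if line.startswith(("Failed ", "Error retrieving URL")):
                section["failed"] = True
            else:
                m = _URL.match(line)
                if m:
                    section["urls"].append(m.group(1))
    return elements


def revocation_findings(text):
    """For every element whose status says revocation could not be determined, list the
    AIA/CDP/OCSP URLs whose fetch failed, flagging schemes other than http/ldap."""
    findings = []
    for el in parse_certutil_verify(text):
        if not el["error_status"] & (CERT_TRUST_IS_OFFLINE_REVOCATION
                                     | CERT_TRUST_REVOCATION_STATUS_UNKNOWN):
            continue
        for name, sec in el["sections"].items():
            if not sec["failed"]:
                continue
            for url in sec["urls"]:
                hint = "" if urlsplit(url).scheme in ("http", "ldap") else \
                    " [non-HTTP URL; re-issue the CA certificate with HTTP AIA/CDP paths]"
                findings.append(f"{el.get('subject', '?')}: {name} fetch failed for {url}{hint}")
    return findings


if __name__ == "__main__":
    for finding in revocation_findings(SAMPLE_CERTUTIL):
        print(finding)
```

    Only the issuing CA element produces findings, one for its AIA and one for its CDP, both pointing at file:// paths; the leaf and root come out clean because their status words are zero. Feeding the script a dump taken after the CA certificate has been re-issued with HTTP URLs should yield an empty list, which makes it a cheap regression check for a PKI's published paths.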

  • RELEVANCY SCORE 2.46

    DB:2.46:Wcf Client To Java Server Using Sts 38


     
    I have a security token string (SAML, not X.509) that I have to include in the SOAP header when calling a Java web server. Can anyone point me in the right direction, as I've no idea how to do this in WCF.

    Microsoft MSDN tech support have been unable (or rather unwilling) to help me resolve this issue.

    For info, here's the string I need to include:

    <Assertion MinorVersion="1" MajorVersion="1" Issuer="http://www.bea.com/saml" IssueInstant="2007-11-20T17:02:00.049Z" AssertionID="HRMC-SM172.26.5.143.1106860829320" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
      <Conditions NotOnOrAfter="2007-11-20T21:02:00.049Z" NotBefore="2007-11-20T16:57:00.049Z" />
      <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2007-11-20T17:02:00.049Z">
        <Subject>
          <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ISV900</NameIdentifier>
          <SubjectConfirmation>
            <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
          </SubjectConfirmation>
        </Subject>
      </AuthenticationStatement>
    </Assertion>

    DB:2.46:Wcf Client To Java Server Using Sts 38

    Adrian,
    Please see this thread for a working WCF solution to communicating with the HMRC Java Web Services:
    http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b864ff0d-f17b-417a-a137-9eda96bb6df9
    Cheers,
    DJ

  • RELEVANCY SCORE 2.45

    DB:2.45:Lync Server Front-End Service Can Not Start xc



    Hello.
    I'm installing Lync server 2013 on virtual machine with win server 2012R2.
    I choose enterprise edition and successfully prepare AD, publish topology,
    install server and receive certificate.
    All of this was completed without any errors...but service front-end just can't
    start. in event viewer there is one error message:

    the lync server front-end service terminated with following service-specific
    error: %%3287185928.
    Lync Server Response Group and Lync Server Call Park also can't start but
    don't generate an error message.
    Server name was not changed. This is a clean setup. I'm pretty sure there isn't any trouble with the certificate because this script .

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File c:\computer_filtered.txt
    What can be reason of this ?

    DB:2.45:Lync Server Front-End Service Can Not Start xc

    Hi,
    Please double check that the needed firewall ports are open on the BE servers.
    You can check with the help of the link below, "Understanding Firewall Requirements for SQL Server":
    http://technet.microsoft.com/en-us/library/gg425818.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • RELEVANCY SCORE 2.45

    DB:2.45:Wildcard Cert For Exchange 2010 d7


    Can you tell me what the problem is? I have a purchased wildcard certificate for *.domain.net that I want to attach to Exchange. I create a new certificate request, entering the Root Domain *.domain.net. Then I do Complete Pending Request, with no errors. After:

    Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP

    errors pour out:

    WARNING: This certificate with thumbprint E0CF63E562B57D04AFFC07F7C77CC2DD87B030AA and subject '*.domain.net' cannot be used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    The same for POP. When I run Get-ExchangeCertificate | fl I see:

    AccessRules        :
    CertificateDomains : {*.domain.net}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Alpha CA, O=Alpha, OU=Alpha CA
    NotAfter           : 1/15/2010 5:22:10 PM
    NotBefore          : 11/23/2009 12:29:58 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 20100346500012530B84274
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=*.domain.net, O=*. domain.net , OU=Domain Control Validated, C=UA
    Thumbprint         : E0CF24E562B57D01AFFC05F7C77CC2DD61D030BA

    How do I get past this?

    DB:2.45:Wildcard Cert For Exchange 2010 d7

    I solved the problem temporarily with a self-signed certificate with SAN domains. It turned out that *.domain.com cannot be attached to POP and IMAP; they require an FQDN.

  • RELEVANCY SCORE 2.45

    DB:2.45:Re: Pkix Path Validation Failed | Subject/Issuer Name Chaining Check Failed dc


    why does this topic have 12,299 views? What is so interesting?

    DB:2.45:Re: Pkix Path Validation Failed | Subject/Issuer Name Chaining Check Failed dc

    Thanks, but please don't revive years old threads.

    Moderator action: I'm locking this thread.

  • RELEVANCY SCORE 2.44

    DB:2.44:Samlsecuritytokenhandler.Validatetoken / The Method Or Operation Is Not Implemented (.Net 4.5) kj


    In the process of porting our ASP.NET MVC3/WIF 3.51 token-issuer/relying-party to ASP.NET MVC4/WIF/.NET 4.5. The FAM successfully redirects un-authenticated requests to SignIn. SignIn authenticates the user and HTTP POSTs the resulting
    SAML token to the relying party. We then see this error:

    [NotImplementedException: The method or operation is not implemented.]
    System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token) 2621
    System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) 454
    System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) 502
    System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) 1508
    System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) 700
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 416
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously) 206

    Here is our identity model configuration from the relying party web.config:

    <system.identityModel>
      <!-- Service Configuration -->
      <identityConfiguration>
        <securityTokenHandlers>

          <!-- The default session security token handler relies on DPAPI which is not web farm friendly. Swap it out for one that is based upon web farm machines having a common machine key. -->
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

          <securityTokenHandlerConfiguration>

            <!-- If the STS posts a security token to a URI not in this list then FAM throws an exception. URIs are case sensitive! -->
            <audienceUris>
              <add value="http://localhost:81/zfp/" />
            </audienceUris>

            <!-- Token Signature Verification Cert
                 The trustedIssuers section specifies which token issuers (either SAML or certificate) are trusted.
                 These correspond to the STS.GetScope SIGNING credentials.
                 The signature is important: it gives you assurance that the user didn't just make up a bunch of claims and send them to you.
                 ConfigurationBasedIssuerNameRegistry compares the thumbprint of the STS issuer cert with the certs listed in web.config.
                 IMPORTANT: this cert must match the signing credentials cert used by the STS.
                 Use the MMC Certificates snap-in to verify the thumbprint of the signing cert. Make sure this setting matches 'InternalTokenSigningCertDN' in /signin/web.config.
                 Name can be anything we want. The thumbprint gets validated and the name is the result/output of a validated token signature.
            -->
            <issuerNameRegistry>
              <trustedIssuers>
                <add thumbprint="6a aa a9 c3 54 0b 59 42 72 d0 92 94 ca aae9 bf d9 96 9d 54" name="Foo1" />
                <add thumbprint="2b dc aa 56 56 b6 11 aa 10 5e 47 ae e0 44 fb 24 7e aa 95 c8" name="Foo2" />
              </trustedIssuers>
            </issuerNameRegistry>
          </securityTokenHandlerConfiguration>
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>

    What am I doing wrong?

    DB:2.44:Samlsecuritytokenhandler.Validatetoken / The Method Or Operation Is Not Implemented (.Net 4.5) kj


    @scott_m - Is there something you did to the WIF dll because when I step through it, it seems to skip code, can't show all the variables etc?
    I have V7 Pro.

    I believe JIT inlining will foul up the debugging experience. You need to disable JIT inlining. It's possible that V8 may do this automatically. V8 recently came out and is a free upgrade for owners with V7 licenses. If V8 doesn't
    fix it, follow the steps in this post:

    Reflector / Visual Studio Debugging experience

  • RELEVANCY SCORE 2.44

    DB:2.44:"Validity Interval Out Of Date" Exception zm


    I am trying to query my OCSP server to check certificate status. If I use openssl to do this with the same server URL and same certificate, it works. But I need to do it in Java. CRLs are being properly issued every hour also.

    When I run my code, I get:

    java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at OCSPtest.OCSPtest.main(OCSPtest.java:127)

    I have the CA cert as a trusted CA cert in my jre/lib/security/cacerts file, and I have the strong encryption extensions installed.

    Here is the code:
    package OCSPtest;

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.net.URI;
    import java.security.Security;
    import java.security.cert.CertPath;
    import java.security.cert.CertPathValidator;
    import java.security.cert.CertPathValidatorException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.PKIXCertPathValidatorResult;
    import java.security.cert.PKIXParameters;
    import java.security.cert.TrustAnchor;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    /**
     * Checks the revocation status of a public key certificate using OCSP.
     *
     * Usage: java ValidateCert cert-file [OCSP-server]
     * cert-file is the filename of the certificate to be checked.
     * The certificate must be in PEM format.
     * OCSP-server is the URL of the OCSP server to use.
     * If not supplied then the certificate must identify an OCSP
     * server by means of its AuthorityInfoAccess extension.
     * If supplied then it overrides any URL which may be present
     * in the certificate's AuthorityInfoAccess extension.
     *
     * Example: java \
     * -Dhttp.proxyHost=proxy.example.net \
     * -Dhttp.proxyPort=8080 \
     * ValidateCert \
     * mycert.pem \
     * http://ocsp.openvalidation.org:80
     *
     * (In this copy the file names and the responder URL are hard-coded instead
     * of being read from args.)
     */
    public class OCSPtest {

        /*
         * Filename that contains the OCSP server's cert. Only needed when the
         * responder signs with a certificate that is not issued by the CA of
         * the certificate being checked (see ocsp.responderCertSubjectName below).
         */
        private static final String OCSP_SERVER_CERT =
            "/Users/jar/certs/OCSPSignerCertificate.pem";

        /*
         * Filename that contains the root CA cert of the OCSP server's cert.
         */
        private static final String ROOT_CA_CERT =
            "/Users/jar/certs/SensorNetCA.pem";

        public static void main(String[] args) {
            try {
                String ocspServerString =
                    "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";
                URI ocspServer = new URI(ocspServerString);

                // load the cert to be checked
                List<X509Certificate> certs = new ArrayList<X509Certificate>();
                certs.add(getCertFromFile("/Users/jar/certs/jarSensornet.cer"));

                System.out.println("Using the OCSP server at: " + ocspServer);
                System.out.println("to check the revocation status of: " + certs.get(0));
                System.out.println();

                // init cert path (the path contains only the end-entity cert;
                // the trust anchor is supplied separately below)
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                CertPath cp = cf.generateCertPath(certs);

                // init trusted certs: the root CA is the only trust anchor
                X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
                Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
                trustedCertsSet.add(new TrustAnchor(rootCACert, null));

                // init PKIX parameters; revocation checking is enabled by default
                PKIXParameters params = new PKIXParameters(trustedCertsSet);

                // enable OCSP and point it at the responder, overriding any
                // AuthorityInfoAccess URL in the certificate
                Security.setProperty("ocsp.enable", "true");
                Security.setProperty("ocsp.responderURL", ocspServerString);
                // Uncomment when the responder cert is not issued by the checked cert's CA:
                // X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
                // Security.setProperty("ocsp.responderCertSubjectName",
                //         ocspCert.getSubjectX500Principal().getName());

                // perform validation
                CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
                PKIXCertPathValidatorResult cpvResult =
                    (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                X509Certificate trustedCert = cpvResult.getTrustAnchor().getTrustedCert();

                if (trustedCert == null) {
                    System.out.println("Trusted Cert = NULL");
                } else {
                    System.out.println("Trusted CA DN = " + trustedCert.getSubjectDN());
                }
            } catch (CertPathValidatorException e) {
                e.printStackTrace();
                System.exit(1);
            } catch (Exception e) {
                e.printStackTrace();
                System.exit(-1);
            }

            System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
            System.exit(0);
        }

        /**
         * Read a certificate from the specified filepath. Throws instead of
         * returning null so a missing file cannot turn into a NullPointerException
         * further down.
         */
        private static X509Certificate getCertFromFile(String path) throws Exception {
            File certFile = new File(path);
            if (!certFile.canRead()) {
                throw new IOException("File " + certFile + " is unreadable");
            }
            InputStream fis = new FileInputStream(certFile);
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                return (X509Certificate) cf.generateCertificate(fis);
            } finally {
                fis.close();
            }
        }
    }

    DB:2.44:"Validity Interval Out Of Date" Exception zm

    Err, no they're not. The validity interval is out of date on at least one of them. This is the only rational deduction from the evidence. Try printing out the notBefore and notAfter dates and see.
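    The reply asks for the notBefore/notAfter dates, and the message itself is raised by the JDK's OCSP client when the response's thisUpdate/nextUpdate window does not contain the client's current time, so the client clock, the responder's clock and the certificate's own window all matter. What follows is an added example, not code from the thread: on Java 8 or later it drives the same validation through PKIXRevocationChecker instead of the ocsp.* security properties, forces OCSP only (so a dead responder fails loudly instead of silently falling back to the hourly CRLs), and on failure prints the checker's reason together with each validity window next to the local clock. The certificate file, trust-anchor file and responder URL are command-line arguments, an assumption rather than the poster's paths.

    ```java
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.net.URI;
    import java.security.cert.CertPath;
    import java.security.cert.CertPathValidator;
    import java.security.cert.CertPathValidatorException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.PKIXCertPathValidatorResult;
    import java.security.cert.PKIXParameters;
    import java.security.cert.PKIXRevocationChecker;
    import java.security.cert.TrustAnchor;
    import java.security.cert.X509Certificate;
    import java.util.Collections;
    import java.util.Date;
    import java.util.EnumSet;

    /**
     * Validates one end-entity certificate against one trust anchor with OCSP
     * forced to a given responder (Java 8+ API). Assumed example, not the
     * poster's program: paths and URL come from the command line.
     */
    public class OcspCheck {

        public static void main(String[] args) throws Exception {
            if (args.length != 3) {
                System.err.println("usage: java OcspCheck cert.pem root-ca.pem http://responder/ocsp");
                System.exit(2);
            }
            X509Certificate cert = load(args[0]);
            X509Certificate root = load(args[1]);
            System.exit(validate(cert, root, URI.create(args[2])) ? 0 : 1);
        }

        /** Returns true when the path validates and OCSP says "good". */
        static boolean validate(X509Certificate cert, X509Certificate root, URI responder) throws Exception {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(
                    Collections.singleton(new TrustAnchor(root, null)));

            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            rc.setOcspResponder(responder);   // overrides any AIA URL inside the certificate
            // OCSP only: without NO_FALLBACK an unreachable or stale responder would
            // make the JDK quietly try CRLs instead, hiding the OCSP problem.
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
            params.addCertPathChecker(rc);   // adding the checker turns revocation checking on

            try {
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(path, params);
                System.out.println("OK: anchored at "
                        + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
                return true;
            } catch (CertPathValidatorException e) {
                // getReason() separates revocation trouble (REVOKED,
                // UNDETERMINED_REVOCATION_STATUS) from ordinary path errors (EXPIRED, ...).
                System.out.println("FAILED: reason=" + e.getReason()
                        + " certIndex=" + e.getIndex() + " message=" + e.getMessage());
                if (e.getCause() != null) {
                    System.out.println("  cause: " + e.getCause());
                }
                // The window the reply asks for, for both certificates, against this clock.
                reportWindow("end-entity", cert);
                reportWindow("trust anchor", root);
                return false;
            }
        }

        /** Prints notBefore/notAfter beside the local time and flags a miss. */
        static void reportWindow(String label, X509Certificate c) {
            Date now = new Date();
            boolean outside = now.before(c.getNotBefore()) || now.after(c.getNotAfter());
            System.out.println("  " + label + " " + c.getSubjectX500Principal());
            System.out.println("    notBefore=" + c.getNotBefore()
                    + " notAfter=" + c.getNotAfter()
                    + " now=" + now + (outside ? "  <-- clock is OUTSIDE this window" : ""));
        }

        static X509Certificate load(String path) throws Exception {
            try (InputStream in = new FileInputStream(path)) {
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
        }
    }
    ```

    If the responder signs its replies with a certificate that is not the issuing CA and not issued by it with the OCSP-signing extended key usage, hand that certificate to the checker with rc.setOcspResponderCert(...), which is the programmatic equivalent of the ocsp.responderCertSubjectName property used in the thread. If "out-of-date" persists with the windows printed above all containing the local time, compare the machine's clock with the responder host's: the check is made against the response's own thisUpdate/nextUpdate, not the certificate's dates.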

  • RELEVANCY SCORE 2.44

    DB:2.44:Ssl Cert Error 1x



    Hi

    After installing the cert on the ACE for Oracle E-Business Suite, the server team is getting the following error. Can someone tell me what the solution for this error would be?

    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed

    oracle.apps.fnd.cp.request.FileAccessException
            at oracle.apps.fnd.cp.request.RemoteFile.getFile(RemoteFile.java:441)
            at oracle.apps.icx.loader.LoadRequest.runProgram(LoadRequest.java:51)
            at oracle.apps.fnd.cp.request.Run.main(Run.java:161)

    I am new to this LB SSL, please help.

    Thanks in advance

    DB:2.44:Ssl Cert Error 1x


    Hi Sagar,

    It looks like the chain is not complete. You need to import the intermediate certificate, configure a chaingroup and associate it with the ssl-proxy-list.

    -------------------

    Cesar R
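    The "subject/issuer name chaining check failed" message is the PKIX validator saying it could not arrange the certificates it was handed so that each one's issuer name is the subject name of the next, which is exactly what happens when the intermediate is missing from the chain the load balancer serves, or when an unrelated certificate is served in its place. The following is an added example, not from the thread and not Cisco's code: it takes a PEM bundle (for instance the chain exported from the ACE, or the certificates pasted out of an openssl s_client -showcerts session), walks it from the server certificate upward doing the same name-chaining check plus the signature check behind it, and completes the chain from the JVM's own trust store so that a server which correctly omits its root is not reported as broken. The bundle path is a command-line argument and an assumption of the example.

    ```java
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    /**
     * Orders the certificates of a PEM bundle from the server certificate upward
     * and checks every link the way PKIX does: issuer(cert[i]) must equal
     * subject(cert[i+1]), and cert[i+1]'s key must verify cert[i]'s signature.
     * A link that cannot be made is what the JDK reports as
     * "subject/issuer name chaining check failed".
     */
    public class ChainCheck {

        public static void main(String[] args) throws Exception {
            if (args.length != 1) {
                System.err.println("usage: java ChainCheck server-chain.pem");
                System.exit(2);
            }
            List<X509Certificate> bundle = new ArrayList<X509Certificate>();
            try (InputStream in = new FileInputStream(args[0])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                    bundle.add((X509Certificate) c);
                }
            }
            System.exit(checkChain(bundle, defaultTrustAnchors()) ? 0 : 1);
        }

        /** Returns true when bundle[0] chains, link by link, to one of the anchors. */
        static boolean checkChain(List<X509Certificate> bundle, Set<X509Certificate> anchors) {
            if (bundle.isEmpty()) {
                System.out.println("no certificates in bundle");
                return false;
            }
            X509Certificate current = bundle.get(0);   // in TLS the server cert is sent first
            List<X509Certificate> unused = new ArrayList<X509Certificate>(bundle.subList(1, bundle.size()));
            System.out.println("leaf:    " + current.getSubjectX500Principal());

            while (true) {
                X509Certificate issuer = findIssuer(current, unused);
                if (issuer == null) {
                    // Bundle exhausted: the issuer must now be a trust anchor.
                    issuer = findIssuer(current, anchors);
                    if (issuer == null) {
                        System.out.println("BREAK:   nothing in the bundle or the trust store has subject "
                                + current.getIssuerX500Principal()
                                + (selfIssued(current) ? " (self-signed, untrusted)" : " (missing intermediate?)"));
                        return false;
                    }
                    if (!signedBy(current, issuer)) return false;
                    System.out.println("anchor:  " + issuer.getSubjectX500Principal());
                    // Leftovers are certificates the server sent that belong to no link:
                    // harmless to this chain, but a sign of a misconfigured bundle.
                    for (X509Certificate extra : unused) {
                        System.out.println("unused:  " + extra.getSubjectX500Principal()
                                + " (in the bundle but not part of this chain)");
                    }
                    return true;
                }
                if (!signedBy(current, issuer)) return false;
                unused.remove(issuer);
                current = issuer;
                System.out.println("issuer:  " + current.getSubjectX500Principal());
            }
        }

        /** Name matched; now the cryptographic half of the link must hold too. */
        private static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
            try {
                cert.verify(issuer.getPublicKey());
                return true;
            } catch (Exception e) {
                System.out.println("BREAK:   " + issuer.getSubjectX500Principal()
                        + " has the right name but its key does not verify "
                        + cert.getSubjectX500Principal() + ": " + e);
                return false;
            }
        }

        private static boolean selfIssued(X509Certificate c) {
            return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
        }

        /** The PKIX name-chaining rule: pick the entry whose subject equals c's issuer. */
        private static X509Certificate findIssuer(X509Certificate c, Collection<X509Certificate> pool) {
            for (X509Certificate candidate : pool) {
                if (candidate.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    return candidate;
                }
            }
            return null;
        }

        /** The JVM's default anchors: cacerts, or whatever javax.net.ssl.trustStore points at. */
        static Set<X509Certificate> defaultTrustAnchors() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            Set<X509Certificate> anchors = new HashSet<X509Certificate>();
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    for (X509Certificate a : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(a);
                }
            }
            return anchors;
        }
    }
    ```

    Run it against the bundle the ACE actually serves rather than the files that were uploaded to it: the first BREAK line names the subject that is missing, which is the intermediate to import into the chaingroup. Run it with the same JVM as the Oracle application (or with -Djavax.net.ssl.trustStore pointing at its store) so the anchor lookup reflects that client's trust, not the admin workstation's.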

  • RELEVANCY SCORE 2.43

    DB:2.43:Java.Net.Socketexception: Software Caused Connection Abort: Recv Failed jc


    Hi,

    I have configured James Mail Server with SSL (using a key pair generated by keytool) and it has started without any error. But when I try to connect using a stand-alone program (having imported the self-signed certificate into the Java trust store), I am getting the exception "java.net.SocketException: Software caused connection abort: recv failed", and here is the protocol trace.

    DEBUG: setDebug: JavaMail version 1.4.3
    DEBUG: getProvider() returning javax.mail.Provider[STORE,pop3s,com.sun.mail.pop3.POP3SSLStore,Sun Microsystems, Inc]
    DEBUG POP3: connecting to host "inenthotapl1c", port 995, isSSL true
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Java\jdk1.6.0_18\jre\lib\security\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
    Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
    Algorithm: RSA; Serial number: 0x4eb200670c035d4f
    Valid from Wed Oct 25 14:06:00 IST 2006 until Sat Oct 25 14:06:00 IST 2036

    adding as trusted cert:
    Subject: CN=inenthotapl1c
    Issuer: CN=inenthotapl1c
    Algorithm: RSA; Serial number: 0x4d0b797f
    Valid from Fri Dec 17 20:23:51 IST 2010 until Thu Mar 17 20:23:51 IST 2011

    adding as trusted cert:
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
    Valid from Fri Oct 01 05:30:00 IST 1999 until Thu Jul 17 05:29:59 IST 2036

    adding as trusted cert:
    Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Sat Jun 26 05:49:54 IST 1999 until Wed Jun 26 05:49:54 IST 2019

    adding as trusted cert:
    Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
    Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
    Algorithm: RSA; Serial number: 0x1
    Valid from Tue May 30 16:08:31 IST 2000 until Sat May 30 16:08:31 IST 2020

    adding as trusted cert:
    Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
    Valid from Fri Nov 10 05:30:00 IST 2006 until Mon Nov 10 05:30:00 IST 2031

    adding as trusted cert:
    Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
    Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
    Algorithm: RSA; Serial number: 0x1
    Valid from Tue May 30 16:18:38 IST 2000 until Sat May 30 16:18:38 IST 2020

    adding as trusted cert:
    Subject: CN=Class 2 Primary CA, O=Certplus, C=FR
    Issuer: CN=Class 2 Primary CA, O=Certplus, C=FR
    Algorithm: RSA; Serial number: 0x85bd4bf3d8dae369f694d75fc3a54423
    Valid from Wed Jul 07 22:35:00 IST 1999 until Sun Jul 07 05:29:59 IST 2019

    adding as trusted cert:
    Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Algorithm: RSA; Serial number: 0x35def4cf
    Valid from Sat Aug 22 22:11:51 IST 1998 until Wed Aug 22 22:11:51 IST 2018

    adding as trusted cert:
    Subject: CN=TCMENGW2K3EXCH, OU=EXCH, O=EMC, L=Bangalore, ST=Karnataka, C=IN
    Issuer: CN=TCMENGW2K3EXCH, OU=EXCH, O=EMC, L=Bangalore, ST=Karnataka, C=IN
    Algorithm: RSA; Serial number: 0x4a7133da
    Valid from Thu Jul 30 11:17:06 IST 2009 until Fri Jul 31 11:17:06 IST 2009

    adding as trusted cert:
    Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
    Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
    Algorithm: RSA; Serial number: 0xa3da427ea4b1aeda
    Valid from Fri Aug 01 17:59:50 IST 2008 until Sat Jul 31 17:59:50 IST 2038

    adding as trusted cert:
    Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
    Valid from Fri Oct 01 05:30:00 IST 1999 until Thu Jul 17 05:29:59 IST 2036

    adding as trusted cert:
    Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
    Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
    Algorithm: RSA; Serial number: 0x1
    Valid from Thu Jan 01 05:30:00 IST 2004 until Mon Jan 01 05:29:59 IST 2029

    adding as trusted cert:
    Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
    Algorithm: RSA; Serial number: 0x4
    Valid from Mon Jun 21 09:30:00 IST 1999 until Sun Jun 21 09:30:00 IST 2020

    adding as trusted cert:
    Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
    Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
    Algorithm: RSA; Serial number: 0x0
    Valid from Tue Jun 29 23:09:16 IST 2004 until Thu Jun 29 23:09:16 IST 2034

    adding as trusted cert:
    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
    Valid from Mon May 18 05:30:00 IST 1998 until Wed Aug 02 05:29:59 IST 2028

    adding as trusted cert:
    Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039
    Valid from Fri Nov 10 05:30:00 IST 2006 until Mon Nov 10 05:30:00 IST 2031

    adding as trusted cert:
    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
    Valid from Mon May 18 05:30:00 IST 1998 until Wed Aug 02 05:29:59 IST 2028

    adding as trusted cert:
    Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
    Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
    Algorithm: RSA; Serial number: 0x5c6
    Valid from Sat Nov 25 00:41:23 IST 2006 until Tue Nov 25 00:36:44 IST 2031

    adding as trusted cert:
    Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
    Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
    Algorithm: RSA; Serial number: 0x10020
    Valid from Tue Jun 11 16:16:39 IST 2002 until Fri Jun 11 16:16:39 IST 2027

    adding as trusted cert:
    Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
    Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
    Algorithm: RSA; Serial number: 0x4000000000121585308a2
    Valid from Wed Mar 18 15:30:00 IST 2009 until Sun Mar 18 15:30:00 IST 2029

    adding as trusted cert:
    Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
    Valid from Fri Oct 01 05:30:00 IST 1999 until Thu Jul 17 05:29:59 IST 2036

    trigger seeding of SecureRandom
    done seeding SecureRandom
    main, setSoTimeout(30000) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1292535513 bytes = { 80, 149, 82, 71, 48, 28, 7, 48, 62, 89, 98, 107, 69, 243, 218, 66, 242, 252, 246, 151, 251, 224, 111, 128, 151, 108, 212, 216 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, READ: TLSv1 Handshake, length = 510
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1292535513 bytes = { 172, 115, 215, 117, 107, 95, 2, 232, 211, 91, 109, 40, 21, 150, 192, 39, 130, 119, 132, 205, 20, 146, 28, 221, 171, 237, 250, 42 }
    Session ID: {77, 11, 135, 217, 148, 28, 74, 88, 12, 70, 50, 90, 153, 42, 152, 221, 27, 209, 17, 18, 196, 27, 159, 161, 126, 179, 202, 179, 121, 143, 103, 159}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    [
    Version: V1
    Subject: CN=inenthotapl1c
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: Sun RSA public key, 1024 bits
    modulus: 100746153626772380323303648658870070106863391015695246025204815976287595495907058283516121160001124559621739363730729057670951189969880962173035638241125927007904648572639604211500921898265691580498056772247017875596545782618773771012080708411850537554023805618091783458960955941721838725823477579438664531497
    public exponent: 65537
    Validity: [From: Fri Dec 17 20:23:51 IST 2010,
    To: Thu Mar 17 20:23:51 IST 2011]
    Issuer: CN=inenthotapl1c
    SerialNumber: [ 4d0b797f]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 7F A1 66 C4 A3 15 AB D7 A0 50 A6 FF DB 00 1A 1E ..f......P......
    0010: BC B5 49 2C 7C 1A 42 24 27 E0 84 95 6C 39 6D FE ..I,..B$'...l9m.
    0020: 87 B5 10 63 BA ED 87 95 B5 D5 0D 69 BE F8 63 E6 ...c.......i..c.
    0030: 5E 72 78 AA 39 87 5B EC 74 03 7B 3E DA 8C F3 14 ^rx.9.[.t......
    0040: A7 2E 25 72 7A ED 06 DF A9 D4 CC 54 A0 AC 52 C5 ..%rz......T..R.
    0050: B9 09 04 1E 64 1A E0 E6 98 31 E8 15 23 88 77 FD ....d....1..#.w.
    0060: 27 85 B9 38 94 E0 4B DD 97 FE B8 54 7D C4 71 E3 '..8..K....T..q.
    0070: 97 F7 04 C3 6E 69 48 CE 9D 03 52 34 C9 E9 40 68 ....niH...R4..@h

    ]
    ***
    Found trusted certificate:
    [
    [
    Version: V1
    Subject: CN=inenthotapl1c
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: Sun RSA public key, 1024 bits
    modulus: 100746153626772380323303648658870070106863391015695246025204815976287595495907058283516121160001124559621739363730729057670951189969880962173035638241125927007904648572639604211500921898265691580498056772247017875596545782618773771012080708411850537554023805618091783458960955941721838725823477579438664531497
    public exponent: 65537
    Validity: [From: Fri Dec 17 20:23:51 IST 2010,
    To: Thu Mar 17 20:23:51 IST 2011]
    Issuer: CN=inenthotapl1c
    SerialNumber: [ 4d0b797f]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 7F A1 66 C4 A3 15 AB D7 A0 50 A6 FF DB 00 1A 1E ..f......P......
    0010: BC B5 49 2C 7C 1A 42 24 27 E0 84 95 6C 39 6D FE ..I,..B$'...l9m.
    0020: 87 B5 10 63 BA ED 87 95 B5 D5 0D 69 BE F8 63 E6 ...c.......i..c.
    0030: 5E 72 78 AA 39 87 5B EC 74 03 7B 3E DA 8C F3 14 ^rx.9.[.t......
    0040: A7 2E 25 72 7A ED 06 DF A9 D4 CC 54 A0 AC 52 C5 ..%rz......T..R.
    0050: B9 09 04 1E 64 1A E0 E6 98 31 E8 15 23 88 77 FD ....d....1..#.w.
    0060: 27 85 B9 38 94 E0 4B DD 97 FE B8 54 7D C4 71 E3 '..8..K....T..q.
    0070: 97 F7 04 C3 6E 69 48 CE 9D 03 52 34 C9 E9 40 68 ....niH...R4..@h

    ]
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 2A CF 2C 62 D8 65 FB 77 4E 91 02 6B EA 22 ..*.,b.e.wN..k."
    0010: 02 CB 4C 71 29 17 52 77 80 4F 53 4A 1B 6C 1C 20 ..Lq).Rw.OSJ.l.
    0020: 07 52 0E C4 D3 FB 7E 23 C2 34 BC ED 8A 34 9D BB .R.....#.4...4..
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 4D 0B 87 D9 50 95 52 47 30 1C 07 30 3E 59 62 6B M...P.RG0..0Ybk
    0010: 45 F3 DA 42 F2 FC F6 97 FB E0 6F 80 97 6C D4 D8 E..B......o..l..
    Server Nonce:
    0000: 4D 0B 87 D9 AC 73 D7 75 6B 5F 02 E8 D3 5B 6D 28 M....s.uk_...[m(
    0010: 15 96 C0 27 82 77 84 CD 14 92 1C DD AB ED FA 2A ...'.w.........*
    Master Secret:
    0000: 62 BC 9F BB ED C9 58 E2 E3 18 EE 06 E6 0F 97 4F b.....X........O
    0010: 59 72 B0 0C 13 EE CD 93 BF 22 A8 C9 BE 94 C5 BB Yr......."......
    0020: A9 5B BC 14 6B 9A 92 4F 60 83 2C B4 5D 34 8C 7A .[..k..O`.,.]4.z
    Client MAC write Secret:
    0000: E1 B0 A3 D9 56 B9 05 59 DF AC 59 FE D5 E9 2B 4B ....V..Y..Y...+K
    Server MAC write Secret:
    0000: 1D E6 10 7E 7E 65 20 F0 9C AF 95 87 A1 FE 9A 43 .....e ........C
    Client write key:
    0000: 60 3E EB 94 C9 05 22 19 1F B3 A7 97 2C 2F E5 52 `....".....,/.R
    Server write key:
    0000: A6 B9 9A C6 E7 10 76 63 AD 51 AD 0C 19 3F F5 4A ......vc.Q...?.J
    ... no IV used for this cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 171, 150, 237, 61, 115, 89, 84, 195, 40, 197, 113, 109 }
    ***
    main, WRITE: TLSv1 Handshake, length = 32
    main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
    javax.mail.MessagingException: Connect failed;
    nested exception is:
    java.net.SocketException: Software caused connection abort: recv failed
    at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:176)
    at javax.mail.Service.connect(Service.java:291)
    at com.prasad.mail.utils.EmailReaderUtils.createEmailStore(EmailReaderUtils.java:88)
    at com.prasad.mail.utils.EmailReaderUtilsTest.testCreateEmailStore(EmailReaderUtilsTest.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.junit.internal.runners.TestMethod.invoke(TestMethod.java:59)
    at org.junit.internal.runners.MethodRoadie.runTestMethod(MethodRoadie.java:98)
    at org.junit.internal.runners.MethodRoadie$2.run(MethodRoadie.java:79)
    at org.junit.internal.runners.MethodRoadie.runBeforesThenTestThenAfters(MethodRoadie.java:87)
    at org.junit.internal.runners.MethodRoadie.runTest(MethodRoadie.java:77)
    at org.junit.internal.runners.MethodRoadie.run(MethodRoadie.java:42)
    at org.junit.internal.runners.JUnit4ClassRunner.invokeTestMethod(JUnit4ClassRunner.java:88)
    at org.junit.internal.runners.JUnit4ClassRunner.runMethods(JUnit4ClassRunner.java:51)
    at org.junit.internal.runners.JUnit4ClassRunner$1.run(JUnit4ClassRunner.java:44)
    at org.junit.internal.runners.ClassRoadie.runUnprotected(ClassRoadie.java:27)
    at org.junit.internal.runners.ClassRoadie.runProtected(ClassRoadie.java:37)
    at org.junit.internal.runners.JUnit4ClassRunner.run(JUnit4ClassRunner.java:42)
    at com.intellij.rt.junit4.Junit4TestMethodAdapter.run(Junit4TestMethodAdapter.java:49)
    at junit.textui.TestRunner.doRun(TestRunner.java:116)
    at com.intellij.rt.execution.junit.IdeaTestRunner.doRun(IdeaTestRunner.java:65)
    at junit.textui.TestRunner.doRun(TestRunner.java:109)
    at com.intellij.rt.execution.junit.IdeaTestRunner.startRunnerWithArgs(IdeaTestRunner.java:24)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:118)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:40)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)
    Caused by: java.net.SocketException: Software caused connection abort: recv failed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:503)
    at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:234)
    at com.sun.mail.pop3.Protocol.init(Protocol.java:98)
    at com.sun.mail.pop3.POP3Store.getPort(POP3Store.java:227)
    at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:172)
    ... 31 more

    Any pointers to trace out issue or solution greatly appreciated.

    Thanks,
    PrasadKT

    DB:2.43:Java.Net.Socketexception: Software Caused Connection Abort: Recv Failed jc

    That wouldn't cause that problem, and the JCE jar files have been bundled with Java since at least 1.4, probably 1.3. The explanation lies elsewhere.

  • RELEVANCY SCORE 2.42

    DB:2.42:Client-Auth Reports: Http4031: Unexpected Error Receiving Data: -5938 kp


    I am trying to deploy the clientcert sample application that comes with the platform edition of SunOne V7.
    I have used openssl as a CA and have created client and server certs.
    I get the following problem.

    Sun ONE Application Server - HTTP Status 403 Error
    Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
    Type: Status Report
    Message: Access to the requested resource has been denied.

    As can be seen from the server.log below, some form of authentication succeeds:
    [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
    Note, common name is that of my client cert.

    However there is a severe error:
    [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938

    Also, HTTPS works with server side authentication and I signed both client and server certs with same private "CA" certification.

    Question: Do I need any special extensions in the certs for use with SSL?

    Thanks in advance.

    server.log fragment:

    [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
    [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-4
    [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
    [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
    [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
    [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET -- true
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
    [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
    [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: No certificates included with this request
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Failed authenticate() test
    [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
    [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-5
    [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
    [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
    [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
    [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET -- true
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
    [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
    [12/Aug/2004:08:56:11] FINEST ( 2392): Processing login with credentials of type: class sun.security.x509.X500Name
    [12/Aug/2004:08:56:11] FINE ( 2392): Processing X.500 name login.
    [12/Aug/2004:08:56:11] FINEST ( 2392): Certificate realm setting up security context for: CN=tweekes, O=tester, C=ie
    [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
    [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Authenticated 'CN=tweekes, O=tester, C=ie' with type 'CLIENT-CERT'
    [12/Aug/2004:08:56:11] FINE ( 2392): SingleSignOn[server1]: Registering sso id '6264FF86CB3151E572951CB77D0C515F' for user 'CN=tweekes, O=tester, C=ie' with auth type 'CLIENT-CERT'
    [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Calling accessControl()
    [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL : CN=tweekes, O=tester, C=ie hasRole?: staffmember
    [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL TABLE: {staff=[staffmember], C=ie, O=tester, CN=tweekes=[staffmember]}
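    The poster asks whether the openssl-issued certificates need special extensions. Which extensions a given server enforces is a server-side question, but the ones TLS implementations look at are keyUsage and extendedKeyUsage (serverAuth for the server certificate, clientAuth for the client certificate) plus basicConstraints on the CA. The following Java program is an added example, not part of the thread or of Sun ONE: it prints exactly those fields for each certificate file named on the command line so that what openssl actually put into the certificates can be checked. Class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

/** Hypothetical example: report the TLS-relevant extensions of a certificate. */
public final class TlsExtensionReport {
    // Extended key usage OIDs from RFC 5280, section 4.2.1.12.
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Read one PEM or DER encoded certificate from disk. */
    static X509Certificate read(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** True if the EKU extension is absent (any usage allowed) or lists {@code oid}. */
    static boolean allowsUsage(X509Certificate cert, String oid) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku == null || eku.contains(oid);
    }

    /** Human-readable summary of the fields a TLS peer checks. */
    static String report(X509Certificate cert) throws Exception {
        // getKeyUsage() is null when the extension is absent; bit 0 is
        // digitalSignature, bit 2 is keyEncipherment (RFC 5280, 4.2.1.3).
        boolean[] ku = cert.getKeyUsage();
        StringBuilder sb = new StringBuilder();
        sb.append("subject: ").append(cert.getSubjectX500Principal()).append('\n');
        sb.append("issuer:  ").append(cert.getIssuerX500Principal()).append('\n');
        // getBasicConstraints() returns -1 unless the cert is a CA certificate.
        sb.append("basicConstraints CA: ").append(cert.getBasicConstraints() != -1).append('\n');
        sb.append("keyUsage digitalSignature: ").append(ku == null ? "n/a" : ku[0]).append('\n');
        sb.append("keyUsage keyEncipherment:  ").append(ku == null ? "n/a" : ku[2]).append('\n');
        sb.append("EKU serverAuth: ").append(allowsUsage(cert, SERVER_AUTH)).append('\n');
        sb.append("EKU clientAuth: ").append(allowsUsage(cert, CLIENT_AUTH)).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: TlsExtensionReport cert.pem [cert2.pem ...]");
            System.exit(2);
        }
        for (String path : args) {
            System.out.print(report(read(path)));
        }
    }
}
```

    Run it once against the client certificate and once against the server certificate; a client certificate whose EKU lists only serverAuth, or a CA certificate without basicConstraints CA:TRUE, is the kind of mismatch worth ruling out before looking at the server's own error codes.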

  • RELEVANCY SCORE 2.42

    DB:2.42:Certpathvalidatorexception: Its Validity Interval Is Out Of Date am


    I am trying to query my OCSP server to check certificate validity. My CA is EJBCA. I checked the clocks on my client and the server, and they are within a few seconds of each other. But when my code runs, I get:

    java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
    at validatecertuseocsp.ValidateCertUseOCSP.main(ValidateCertUseOCSP.java:120)

    I cannot find anything on what this means or how to fix it. My CA is issuing CRLs, every hour, and their time validity is correct. Here is the code I am trying (which I got from Sun):

    /*
     * Main.java
     *
     * Created on Oct 12, 2007, 3:21:59 PM
     *
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */

    package validatecertuseocsp;

    import java.io.*;
    import java.net.URI;
    import java.security.*;
    import java.security.cert.*;
    import java.util.*;
    import java.security.cert.X509Certificate;
    import java.security.cert.PKIXParameters;

    /**
     * Check the revocation status of a public key certificate using OCSP.
     */

    public class ValidateCertUseOCSP {

        /*
         * Filename that contains the root CA cert of the OCSP server's cert.
         */
        private static final String ROOT_CA_CERT = "/opt/jboss/Certificates/SensorNetCA.pem";

        /*
         * Filename that contains the OCSP server's cert.
         */
        private static final String OCSP_SERVER_CERT = "/opt/jboss/Certificates/OCSPSignerCertificate.pem";

        /**
         * Checks the revocation status of a public key certificate using OCSP.
         *
         * Usage: java ValidateCert cert-file [OCSP-server]
         *   cert-file is the filename of the certificate to be checked.
         *     The certificate must be in PEM format.
         *   OCSP-server is the URL of the OCSP server to use.
         *     If not supplied then the certificate must identify an OCSP
         *     server by means of its AuthorityInfoAccess extension.
         *     If supplied then it overrides any URL which may be present
         *     in the certificate's AuthorityInfoAccess extension.
         *
         * Example: java \
         *   -Dhttp.proxyHost=proxy.example.net \
         *   -Dhttp.proxyPort=8080 \
         *   ValidateCert \
         *   mycert.pem \
         *   http://ocsp.openvalidation.org:80
         */
        public static void main(String[] args) {
            try {
                CertPath cp = null;
                Vector<X509Certificate> certs = new Vector<X509Certificate>();
                URI ocspServer = null;
                /*
                if (args.length == 0 || args.length > 2) {
                    System.out.println(
                        "Usage: java ValidateCert cert-file [OCSP-server]");
                    System.exit(-1);
                }
                */
                // load the cert to be checked
                certs.add(getCertFromFile("/Users/jar/Documents/keys/jarSensornet.cer"));

                // handle location of OCSP server
                if (args.length == 2) {
                    // Note: this hard-coded URL is EJBCA's CRL distribution endpoint
                    // (cmd=crl), not an OCSP responder, and ocspServer itself is never
                    // used below: the responder URL property is filled from args[1].
                    ocspServer = new URI(
                        "https://ca2.sensornet.gov:8442/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN%3DSensorNetCA%2CDC%3Dsensornet%2CDC%3Dgov");
                    System.out.println("Using the OCSP server at: ca2");
                    System.out.println("to check the revocation status of: " +
                        certs.elementAt(0));
                    System.out.println();
                } else {
                    System.out.println("Using the OCSP server specified in the " +
                        "cert to check the revocation status of: " +
                        certs.elementAt(0));
                    System.out.println();
                }

                // init cert path
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                cp = cf.generateCertPath(certs);

                // load the root CA cert for the OCSP server cert
                X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);

                // init trusted certs
                TrustAnchor ta = new TrustAnchor(rootCACert, null);
                Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
                trustedCertsSet.add(ta);

                // init cert store
                Set<X509Certificate> certSet = new HashSet<X509Certificate>();
                X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
                certSet.add(ocspCert);
                CertStoreParameters storeParams =
                    new CollectionCertStoreParameters(certSet);
                CertStore store = CertStore.getInstance("Collection", storeParams);

                // init PKIX parameters
                PKIXParameters params = null;
                params = new PKIXParameters(trustedCertsSet);
                params.addCertStore(store);

                // enable OCSP
                Security.setProperty("ocsp.enable", "true");
                if (ocspServer != null) {
                    Security.setProperty("ocsp.responderURL", args[1]);
                    Security.setProperty("ocsp.responderCertSubjectName",
                        ocspCert.getSubjectX500Principal().getName());
                }

                // perform validation
                CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
                PKIXCertPathValidatorResult cpv_result =
                    (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                X509Certificate trustedCert = (X509Certificate)
                    cpv_result.getTrustAnchor().getTrustedCert();

                if (trustedCert == null) {
                    System.out.println("Trusted Cert = NULL");
                } else {
                    System.out.println("Trusted CA DN = " +
                        trustedCert.getSubjectDN());
                }

            } catch (CertPathValidatorException e) {
                e.printStackTrace();
                System.exit(1);

            } catch(Exception e) {
                e.printStackTrace();
                System.exit(-1);
            }
            System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
            System.exit(0);
        }

        /*
         * Read a certificate from the specified filepath.
         */
        private static X509Certificate getCertFromFile(String path) {
            X509Certificate cert = null;
            FileInputStream fis = null;
            try {

                File certFile = new File(path);
                if (!certFile.canRead())
                    throw new IOException(" File " + certFile.toString() +
                        " is unreadable");

                fis = new FileInputStream(path);
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                cert = (X509Certificate)cf.generateCertificate(fis);

            } catch(Exception e) {
                System.out.println("Can't construct X509 Certificate. " + path + " " +
                    e.getMessage());
            } finally {
                // close the file even when parsing fails
                if (fis != null) {
                    try { fis.close(); } catch (IOException ignored) { }
                }
            }
            return cert;
        }
    }

    DB:2.42:Certpathvalidatorexception: Its Validity Interval Is Out Of Date am

    Well, I found a few errors in this. It is still not working, but the validity interval is not the problem.
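    The exception in the question is the JDK's built-in OCSP client refusing a response whose thisUpdate/nextUpdate interval does not contain the local clock time. Two details of the posted code are also worth noticing: the hard-coded URI is EJBCA's CRL download endpoint (cmd=crl), not an OCSP responder, and ocspServer is only set when two arguments are given, while the responder URL property is then filled from args[1] rather than from that URI. The following is an added example, not code from the thread or from Sun: the same validation written against java.security.cert.PKIXRevocationChecker (Java 8 and later), which replaces the global ocsp.* Security properties with per-validation settings, pins the responder certificate when one is supplied, and reports a failure reason. File paths and the responder URL are command-line inputs; class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

/**
 * Hypothetical example: validate an end-entity certificate against a root CA
 * and check its revocation status over OCSP with PKIXRevocationChecker.
 */
public final class OcspCheckExample {

    /** Read one PEM or DER certificate from a file (same approach as the post). */
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validate {@code leaf} against {@code root}. A non-null {@code responder}
     * overrides the AuthorityInfoAccess URL in the certificate; a non-null
     * {@code responderCert} pins the key the OCSP response must be signed with.
     */
    static PKIXCertPathValidatorResult validateWithOcsp(X509Certificate leaf,
                                                        X509Certificate root,
                                                        URI responder,
                                                        X509Certificate responderCert)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // OCSP only, no CRL fallback: a missing or stale response is a hard failure
        // rather than being silently papered over by a CRL lookup.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        if (responder != null) {
            rc.setOcspResponder(responder);
        }
        if (responderCert != null) {
            rc.setOcspResponderCert(responderCert);
        }
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true); // the default, stated for clarity

        try {
            return (PKIXCertPathValidatorResult) cpv.validate(path, params);
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS,
            // i.e. "the cert is bad" from "the responder could not be used".
            System.err.println("validation failed: " + e.getReason() + ": " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2 || args.length > 3) {
            System.err.println("usage: OcspCheckExample leaf.pem root-ca.pem [ocsp-responder-url]");
            System.exit(2);
        }
        X509Certificate leaf = readCert(args[0]);
        X509Certificate root = readCert(args[1]);
        URI responder = args.length == 3 ? new URI(args[2]) : null;
        PKIXCertPathValidatorResult r = validateWithOcsp(leaf, root, responder, null);
        System.out.println("OK, anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

    If the "validity interval is out-of-date" message reappears with this code, the cause is on the responder side (its nextUpdate already in the past, or a clock well away from the client's), since the same JDK check is applied regardless of how OCSP is configured.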

  • RELEVANCY SCORE 2.42

    DB:2.42:How To Use Custom Truststore? 3a


    Hi, I've written a simple SSL client (based on the Jakarta Commons HttpClient project) that connects to IIS with SSL, and it works only if I add the SSL certificate from IIS to the JRE cacerts (using keytool import). The cacerts are automatically read somehow (don't know how).
    I want to make the whole thing more elastic and be able to provide my client with a path to cacerts / truststore / keystore. Am I doing it OK? Currently it works...

    BUT the loops that print certificates and truststores to screen are empty - for example keystore.getCertificateChain(alias); always returns null....

    But the IIS cert is inside
    C:\Program Files\Java\jre1.5.0_09\lib\security\cacertsbbb

    PS. I would like to avoid setting System properties in my code like System.setTruststore etc.
    PS. Should be without sockets. Just an extension of what I got.

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.InetAddress;
    import java.net.InetSocketAddress;
    import java.net.MalformedURLException;
    import java.net.Socket;
    import java.net.SocketAddress;
    import java.net.URL;
    import java.net.UnknownHostException;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;

    import javax.net.SocketFactory;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    import org.apache.commons.httpclient.ConnectTimeoutException;
    import org.apache.commons.httpclient.params.HttpConnectionParams;
    import org.apache.log4j.Logger;

    import junit.framework.TestCase;

    public class SSLSocketClient extends TestCase {

    private URL keystoreUrl = null;

    private String mockKeystoreUrl = "C:\\Program Files\\Java\\jre1.5.0_09\\lib\\security\\cacertsbbb";

    private String keystorePassword = "changeit";

    private URL truststoreUrl = null;

    private String mockTruststoreUrl = "C:\\Program Files\\Java\\jre1.5.0_09\\lib\\security\\cacertsbbb";

    private String truststorePassword = null;

    private SSLContext sslcontext = null;

    //

    public void testSSLSocket() {
    try {
    SSLSocketClient client = new SSLSocketClient();

    // client.createSocket("10.63.29.50", 443);

    HttpConnectionParams params = new HttpConnectionParams();
    InetAddress ia = InetAddress.getLocalHost();
    // params.setParameter(arg0, arg1)

    //client.createSocket("10.63.29.50", 443, ia, 444, params);

    client.connect("10.63.29.50", 443, "/ssl2/index.html", params);
    } catch (ConnectTimeoutException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
    } catch (UnknownHostException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
    } catch (IOException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
    }

    }

    private static Logger log = Logger.getLogger(SSLSocketClient.class);

    /*
    * private static KeyStore createKeyStore(final URL url, final String
    * password) throws KeyStoreException, NoSuchAlgorithmException,
    * CertificateException, IOException { if (url == null) { throw new
    * IllegalArgumentException("Keystore url may not be null"); }
    *
    * KeyStore keystore = KeyStore.getInstance("jks");
    * keystore.load(url.openStream(), password != null ? password
    * .toCharArray() : null); return keystore; }
    */

    private KeyStore mockCreateKeyStore(final String url, final String password)
    throws KeyStoreException, NoSuchAlgorithmException,
    CertificateException, IOException {
    if (url == null) {
    throw new IllegalArgumentException("Keystore url may not be null");
    }
    InputStream keystoreStream = new FileInputStream(url);
    try {
    KeyStore keystore = KeyStore.getInstance("jks");
    keystore.load(keystoreStream, password != null ? password.toCharArray()
    : null);
    return keystore;
    } finally {
    keystoreStream.close(); // do not leak the file handle
    }
    }

    private KeyManager[] createKeyManagers(final KeyStore keystore,
    final String password) throws KeyStoreException,
    NoSuchAlgorithmException, UnrecoverableKeyException {
    if (keystore == null) {
    throw new IllegalArgumentException("Keystore may not be null");
    }

    KeyManagerFactory kmfactory = KeyManagerFactory
    .getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmfactory.init(keystore, password != null ? password.toCharArray()
    : null);
    return kmfactory.getKeyManagers();
    }

    private TrustManager[] createTrustManagers(final KeyStore keystore)
    throws KeyStoreException, NoSuchAlgorithmException {
    if (keystore == null) {
    throw new IllegalArgumentException("Keystore may not be null");
    }

    TrustManagerFactory tmfactory = TrustManagerFactory
    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmfactory.init(keystore);
    TrustManager[] trustmanagers = tmfactory.getTrustManagers();
    // AuthSSLX509TrustManager is the wrapper from the commons-httpclient
    // contrib sources; it is not shown in this post. Each manager is
    // wrapped individually (trustmanagers[i]), not the whole array.
    for (int i = 0; i < trustmanagers.length; i++) {
    if (trustmanagers[i] instanceof X509TrustManager) {
    trustmanagers[i] = new AuthSSLX509TrustManager(
    (X509TrustManager) trustmanagers[i]);
    }
    }
    return trustmanagers;
    }

    private SSLContext createSSLContext() {
    try {
    KeyManager[] keymanagers = null;
    TrustManager[] trustmanagers = null;
    if (this.mockKeystoreUrl != null) {
    KeyStore keystore = mockCreateKeyStore(this.mockKeystoreUrl,
    this.keystorePassword);
    //if (log.isDebugEnabled()) {
    Enumeration aliases = keystore.aliases();
    while (aliases.hasMoreElements()) {
    String alias = (String) aliases.nextElement();
    Certificate[] certs = keystore
    .getCertificateChain(alias);
    if (certs != null) {
    log.info("Certificate chain '" + alias + "':");
    for (int c = 0; c < certs.length; c++) {
    if (certs[c] instanceof X509Certificate) {
    X509Certificate cert = (X509Certificate) certs[c];
    log.info(" Certificate " + (c + 1) + ":");
    log.info(" Subject DN: "
    + cert.getSubjectDN());
    log.info(" Signature Algorithm: "
    + cert.getSigAlgName());
    log.info(" Valid from: "
    + cert.getNotBefore());
    log.info(" Valid until: "
    + cert.getNotAfter());
    log
    .info(" Issuer: "
    + cert.getIssuerDN());
    }
    }
    }
    }
    //}
    keymanagers = createKeyManagers(keystore, this.keystorePassword);
    }
    if (this.mockTruststoreUrl != null) {
    // load the truststore file here, not the keystore file
    KeyStore keystore = mockCreateKeyStore(this.mockTruststoreUrl,
    this.truststorePassword);
    //if (log.isDebugEnabled()) {
    Enumeration aliases = keystore.aliases();
    while (aliases.hasMoreElements()) {
    String alias = (String) aliases.nextElement();
    log.debug("Trusted certificate '" + alias + "':");
    Certificate trustedcert = keystore
    .getCertificate(alias);
    if (trustedcert != null &&
    trustedcert instanceof X509Certificate) {
    X509Certificate cert = (X509Certificate) trustedcert;
    log.info(" Subject DN: " + cert.getSubjectDN());
    log.info(" Signature Algorithm: "
    + cert.getSigAlgName());
    log.info(" Valid from: " + cert.getNotBefore());
    log.info(" Valid until: " + cert.getNotAfter());
    log.info(" Issuer: " + cert.getIssuerDN());
    }
    }
    //}
    trustmanagers = createTrustManagers(keystore);
    }
    SSLContext sslcontext = SSLContext.getInstance("SSL");
    ///sslcontext.
    sslcontext.init(keymanagers, trustmanagers, null);
    return sslcontext;
    } catch (NoSuchAlgorithmException e) {
    log.error(e.getMessage(), e);
    throw new RuntimeException("Unsupported algorithm exception: "
    + e.getMessage());
    // throw new AuthSSLInitializationError("Unsupported algorithm
    // exception: " + e.getMessage());
    } catch (KeyStoreException e) {
    log.error(e.getMessage(), e);
    throw new RuntimeException("Keystore exception: " + e.getMessage());
    // throw new AuthSSLInitializationError("Keystore exception: " +
    // e.getMessage());
    } catch (GeneralSecurityException e) {
    log.error(e.getMessage(), e);
    throw new RuntimeException("Key management exception: "
    + e.getMessage());
    // throw new AuthSSLInitializationError("Key management exception: "
    // + e.getMessage());
    } catch (IOException e) {
    log.error(e.getMessage(), e);
    throw new RuntimeException(
    "I/O error reading keystore/truststore file: "
    + e.getMessage());
    // throw new AuthSSLInitializationError("I/O error reading
    // keystore/truststore file: " + e.getMessage());
    }
    }

    private SSLContext getSSLContext() {
    if (this.sslcontext == null) {
    this.sslcontext = createSSLContext();
    }
    return this.sslcontext;
    }

    /**
    * Attempts to get a new socket connection to the given host within the
    * given time limit.
    * <p>
    * To circumvent the limitations of older JREs that do not support connect
    * timeout a controller thread is executed. The controller thread attempts
    * to create a new socket within the given limit of time. If socket
    * constructor does not return until the timeout expires, the controller
    * terminates and throws an {@link ConnectTimeoutException}
    * </p>
    *
    * @param host
    * the host name/IP
    * @param port
    * the port on the host
    * @param clientHost
    * the local host name/IP to bind the socket to
    * @param clientPort
    * the port on the local machine
    * @param params
    * {@link HttpConnectionParams Http connection parameters}
    *
    * @return Socket a new socket
    * @throws IOException
    * @throws IOException
    * if an I/O error occurs while creating the socket
    * @throws UnknownHostException
    * if the IP address of the host cannot be determined
    */

    public void connect(final String host, final int sport, final String query,
    final HttpConnectionParams params) throws IOException {

    // Returning true accepts any hostname, so the certificate is never matched
    // against the host actually connected to. Leaving setHostnameVerifier()
    // uncalled keeps the JRE's default verifier, which does that check.
    HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String arg0, SSLSession arg1) {
    System.out.println("Bartek: Hostname is not matched for cert.");
    return true;
    }
    };
    URL wlsUrl = null;

    wlsUrl = new URL("https", host, Integer.valueOf(sport).intValue(),
    query);
    System.out
    .println(" Trying a new HTTPS connection using WLS client classes - "
    + wlsUrl.toString());
    HttpsURLConnection sconnection = (HttpsURLConnection) wlsUrl
    .openConnection();
    SocketFactory socketfactory = getSSLContext().getSocketFactory();
    /*
    * HttpsURLConnection sconnection = new HttpsURLConnection( wlsUrl);
    */
    sconnection.setHostnameVerifier(hv);
    //sconnection.setSSLSocketFactory((SSLSocketFactory) socketfactory);
    sconnection.setSSLSocketFactory((SSLSocketFactory) socketfactory);

    //sconnection.setHostnameVerifier(hv);

    tryConnection(sconnection, System.out);
    }

    public static void tryConnection(HttpsURLConnection connection,
    OutputStream stream) throws IOException {
    connection.connect();

    String responseStr = "\t\t" + connection.getResponseCode() + " -- "
    + connection.getResponseMessage() + "\n\t\t"
    + connection.getContent().getClass().getName() + "\n";
    connection.disconnect();
    System.out.print(responseStr);
    }

    }


    DB:2.42:How To Use Custom Truststore? 3a

    Case 3 above is completely insecure, and its getAcceptedIssuers() method doesn't obey the specification.
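
    Added example (not the poster's code, and not the WLS or HttpClient API under discussion) showing the spec-conforming alternative: a trust manager built from a caller-supplied truststore with the standard TrustManagerFactory, so that getAcceptedIssuers() returns the configured anchors and chain validation stays on, and an HttpsURLConnection that keeps the default hostname verifier instead of installing one that returns true. The truststore path, its password and the URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an SSLContext from a caller-supplied truststore without disabling
 * chain validation or hostname verification. Added example; the truststore
 * path, password and URL used in main() are placeholders.
 */
public final class CustomTrustStoreExample {

    /** Loads a PKCS12 truststore and returns the PKIX trust manager backed by it. */
    static X509TrustManager trustManagerFor(String trustStorePath, char[] password)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + trustStorePath);
    }

    /** An SSLContext whose only trust decision is the trust manager above. */
    static SSLContext sslContextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password: replace with the real truststore.
        X509TrustManager tm = trustManagerFor("/path/to/truststore.p12",
                "changeit".toCharArray());

        // A spec-conforming trust manager lists its anchors here, rather than
        // returning an empty array.
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("trust anchor: " + anchor.getSubjectX500Principal());
        }

        // Placeholder URL: the host named here must match the server certificate.
        URL url = new URL("https://example.invalid/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContextFor(tm).getSocketFactory());
        // No setHostnameVerifier(...) call: the default verifier, which checks the
        // certificate against the URL's host, stays in place.
        System.out.println(conn.getResponseCode() + " " + conn.getResponseMessage());
        conn.disconnect();
    }
}
```

    Compared with the connect() method above, the trust decision comes from the truststore rather than from hand-written code, and no HostnameVerifier is installed, so the certificate's name is still checked against the host in the URL.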

  • RELEVANCY SCORE 2.41

    DB:2.41:Acs In Azure jc


    I've finished this lab, Introduction to the AppFabric Access Control Service (September 2010 Labs Release), and everything works fine on my computer.
    But when I deploy it in Azure it gives me this error: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Stack Trace:

    [SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
    Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreateClaims(Saml2SecurityToken samlToken) 1648
    Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) 1261
    Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) 227
    Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) 342
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) 1154
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) 761
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 161
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously) 115

    You can see the complete error message in http://cuandotoca.cloudapp.net/

    DB:2.41:Acs In Azure jc

    Hi,
    One tip to seamlessly do deployment is to add a local DNS item to map http://yourdomainname.cloudapp.net/ to 127.0.0.1 on the dev machine, and use it as the return URL so that you don't need to change it after deployment. You can do so by opening the C:\Windows\System32\drivers\etc\host file in notepad and adding an entry:
    127.0.0.1 yourdomainname.cloudapp.net
    After successful deployment you can delete this entry.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. Windows Azure Platform China Blog: http://blogs.msdn.com/azchina/default.aspx

  • RELEVANCY SCORE 2.41

    DB:2.41:Wlc 5760, Public Portal Certificate Issues, Webauth 8z


    I am setting up a public portal on WLC 5760. I have my certificate installed and I am not finding how to make my cert tie into the portal for the public SSID I have set. It keeps using the self signed IOS cert and not my DIGICERT cert I have in. Yes I have rebooted. I'm sure I am missing 1 or 2 lines of code that make this work. Thanks for your help in advance. I also used the cisco documentation to build the trustpoints.

    I am running

    03.03.02SE RELEASE SOFTWARE (fc2)

    Trustpoint trustp1:
        Subject Name:
        cn=bcwifi.*********
        o=*******
        l=*****
        st=*****
        c=******
              Serial Number (hex): **********
        Certificate configured.

    Trustpoint digicert:
        Subject Name:
        cn=DigiCert High Assurance CA-3
        ou=www.digicert.com
        o=DigiCert Inc
        c=US
              Serial Number (hex): **********
        Certificate configured.

    Trustpoint TP-self-signed-2492061061:
        Subject Name:
        cn=IOS-Self-Signed-Certificate-********
              Serial Number (hex): 01
        Persistent self-signed certificate trust point

    Trustpoint CISCO_IDEVID_SUDI:
        Subject Name:
        cn=Cisco Manufacturing CA
        o=Cisco Systems
              Serial Number (hex): *****
        Certificate configured.

    Trustpoint CISCO_IDEVID_SUDI0:
        Subject Name:
        cn=Cisco Root CA 2048
        o=Cisco Systems
              Serial Number (hex): 5*******
        Certificate configured.

    BCWLC01#

    BCWLC01#sh crypto pki certificates
    CA Certificate
      Status: Available
      Certificate Serial Number (hex): 5***************
      Certificate Usage: Signature
      Issuer:
        cn=Cisco Root CA 2048
        o=Cisco Systems
      Subject:
        cn=Cisco Root CA 2048
        o=Cisco Systems
      Validity Date:
        start date: 13:17:12 mst May 14 2004
        end   date: 13:25:42 mst May 14 2029
      Associated Trustpoints: CISCO_IDEVID_SUDI0

    Certificate
      Status: Available
      Certificate Serial Number (hex): ***************
      Certificate Usage: General Purpose
      Issuer:
        cn=Cisco Manufacturing CA
        o=Cisco Systems
      Subject:
        Name: AIR-CT5760-6C9989EE2000
        Serial Number: PID:AIR-CT5760 SN:*************
        cn=AIR-CT5760-6C9989EE2000
        serialNumber=PID:AIR-CT5760 SN:**************
      CRL Distribution Points:
        http://www.cisco.com/security/pki/crl/cmca.crl
      Validity Date:
        start date: 05:13:07 mst Dec 26 2013
        end   date: 05:23:07 mst Dec 26 2023
      Associated Trustpoints: CISCO_IDEVID_SUDI

    CA Certificate
      Status: Available
      Certificate Serial Number (hex): ************
      Certificate Usage: Signature
      Issuer:
        cn=Cisco Root CA 2048
        o=Cisco Systems
      Subject:
        cn=Cisco Manufacturing CA
        o=Cisco Systems
      CRL Distribution Points:
        http://www.cisco.com/security/pki/crl/crca2048.crl
      Validity Date:
        start date: 15:16:01 mst Jun 10 2005
        end   date: 13:25:42 mst May 14 2029
      Associated Trustpoints: CISCO_IDEVID_SUDI

    Router Self-Signed Certificate
      Status: Available
      Certificate Serial Number (hex): 01
      Certificate Usage: General Purpose
      Issuer:
        cn=IOS-Self-Signed-Certificate-***************
      Subject:
        Name: IOS-Self-Signed-Certificate-************
        cn=IOS-Self-Signed-Certificate-************
      Validity Date:
        start date: 14:33:15 mst Mar 28 2014
        end   date: 17:00:00 mst Dec 31 2019
      Associated Trustpoints: TP-self-signed-********
      Storage: nvram:IOS-Self-Sig#1.cer

    CA Certificate
      Status: Available
      Certificate Serial Number (hex): ************
      Certificate Usage: Signature
      Issuer:
        cn=DigiCert High Assurance EV Root CA
        ou=www.digicert.com
        o=DigiCert Inc
        c=US
      Subject:
        cn=DigiCert High Assurance CA-3
        ou=www.digicert.com
        o=DigiCert Inc
        c=US
      CRL Distribution Points:
        http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl
        http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
      Validity Date:
        start date: 05:00:00 mst Apr 2 2008
        end   date: 17:00:00 mst Apr 2 2022
      Associated Trustpoints: digicert
      Storage: nvram:DigiCertHigh#3F3BCA.cer

    CA Certificate
      Status: Available
      Certificate Serial Number (hex): **************
      Certificate Usage: General Purpose
      Issuer:
        cn=DigiCert High Assurance CA-3
        ou=www.digicert.com
        o=DigiCert Inc
        c=US
      Subject:
        cn=bcwifi*******
        o=******
        l=B*****
        st=*****
        c=*******
      CRL Distribution Points:
        http://crl3.digicert.com/ca3-g27.crl
        http://crl4.digicert.com/ca3-g27.crl
      Validity Date:
        start date: 17:00:00 mst Aug 31 2011
        end   date: 05:00:00 mst Nov 26 2014
      Associated Trustpoints: trustp1
      Storage: nvram:DigiCertHigh#1D41CA.cer

    BCWLC01#

    DB:2.41:Wlc 5760, Public Portal Certificate Issues, Webauth 8z


    Duplicate posts.

    Go here: http://supportforums.cisco.com/discussion/12159641/wlc-5760-public-portal-certificate-issues-webauth

  • RELEVANCY SCORE 2.41

    DB:2.41:Need Help With Untrusted Vpn Server Certificate Warning. f9



    I've been over the many other posts on this issue, and they all seem a little different, so I started my own thread.

    I have deployed AnyConnect 3.1.02026 to my users via the ASA, and we all get the Untrusted VPN Server Cert warning when connecting.

    When the ASA deploys the client, it puts the outside IP of the ASA as the hostname, which is causing the error.

    So I have two questions: 1. How do I get the ASA to make the hostname "vpn.cfo.com" when a user installs the client and 2. How do I change my cert so it doesn't show the internal name of the ASA and uses "vpn.cfo.com" instead?

    Here's all the info anyone should need to help (I think)

    ssl trust-point ASDM_TrustPoint0 OUTSIDE_PRIMARY

    Certificate

      Status: Available

      Certificate Serial Number: *********

      Certificate Usage: Signature

      Public Key Type: RSA (1024 bits)

      Signature Algorithm: SHA1 with RSA Encryption

      Issuer Name:

        hostname=ambossfw01.cfopub.net

        cn=ambossfw01

      Subject Name:

        hostname=ambossfw01.cfopub.net

        cn=ambossfw01

      Validity Date:

        start date: 15:17:42 EDT Jun 2 2011

        end   date: 15:17:42 EDT May 30 2021

      Associated Trustpoints: ASDM_TrustPoint0

    CA Certificate

      Status: Available

      Certificate Serial Number: ******************************

      Certificate Usage: General Purpose

      Public Key Type: RSA (2048 bits)

      Signature Algorithm: SHA1 with RSA Encryption

      Issuer Name:

        cn=VeriSign Class 3 Public Primary Certification Authority - G5

        ou=(c) 2006 VeriSign\, Inc. - For authorized use only

        ou=VeriSign Trust Network

        o=VeriSign\, Inc.

        c=US

      Subject Name:

        cn=VeriSign Class 3 Secure Server CA - G3

        ou=Terms of use at https://www.verisign.com/rpa (c)10

        ou=VeriSign Trust Network

        o=VeriSign\, Inc.

        c=US

      OCSP AIA:

        URL: http://ocsp.verisign.com

      CRL Distribution Points:

        [1]  http://crl.verisign.com/pca3-g5.crl

      Validity Date:

        start date: 19:00:00 EST Feb 7 2010

        end   date: 18:59:59 EST Feb 7 2020

      Associated Trustpoints: _SmartCallHome_ServerCA

    Any help would be greatly appreciated.

    DB:2.41:Need Help With Untrusted Vpn Server Certificate Warning. f9


    https://secure.comodo.net/products/frontpage?reseller=yap=BranhamITSolutionsLLCarea=SSLproduct=488days=365

  • RELEVANCY SCORE 2.41

    DB:2.41:Saml Authentication - Trusted Issuer jj


    Is it a requirement that the /saml:Assertion/@Issuer equals the Subject DN of the issuer's certificate? Within Oracle Weblogic Server the issuer name is mapped to the certificate, but the names don't have to be equal. Within OEG the trusted issuers seem to be listed as distinguished names. Is it possible to define an alias?

    Thx

    DB:2.41:Saml Authentication - Trusted Issuer jj

    Great! I didn't realize I could input free text. Thanks for your answer

  • RELEVANCY SCORE 2.41

    DB:2.41:Where Are Certificates Used On This Asa (8.4)? cs



    I have access to an ASA running 8.4 and I need to copy the config to another one, to have it as a spare.

    All configuration has copied fine except for this part in the config:

    crypto ca trustpoint ASDM_TrustPoint0

    enrollment self

    subject-name CN=GS2-NT-FIR-01

    proxy-ldc-issuer

    crl configure

    crypto ca certificate chain ASDM_TrustPoint0

    certificate c4999f4f

        30820248 308201b1 a0030201 020204c4 999f4f30 0d06092a 864886f7 0d010105

        05003036 31163014 06035504 03130d47 53322d4e 542d4649 522d3031 311c301a

    ........

    .......lots of HEX

    .......

    quit

    So firstly, I assume this certificate is for the SSL VPN that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self-signed cert, so instead I probably need to generate a new one on this spare ASA; how do I do that?

    Many thanks,

    J.

    DB:2.41:Where Are Certificates Used On This Asa (8.4)? cs


    There are also hidden files for things like Bookmarks and so on. These are not that easy to back up by hand ... Don't forget them if you have them in use.

    --  Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

  • RELEVANCY SCORE 2.40

    DB:2.40:Wlc 5760, Public Portal Certificate Issues, Webauth ff
    DB:2.40:Wlc 5760, Public Portal Certificate Issues, Webauth ff


    Please refer to the commands from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-5700-cr-book/sec-a1-xe-3se-5700-cr-book_chapter_0101.html in case you want to enroll with a CA.

  • RELEVANCY SCORE 2.40

    DB:2.40:Client Certificate Authentication - Left With 0 Client Certificates To Choose From. kj



    I am working on a client program written in C# for a customer. The program connects to a service that the customer uses which requires a client certificate for authentication (they already have a java client connecting to this service using the same cert).
    When attempting to establish a connection from the customer box to the service it fails (log below). I do not have direct access to the service we are attempting to connect to, so I test locally best I can, then send customer a version of program to test with.

    Some notes:

    My code is working locally using self-signed certs for both the client and a mock server I put together.
    For the moment I'm using ServicePointManager.ServerCertificateValidationCallback to always accept the server cert (temporary / just trying to isolate to client cert issues for the time being).
    I am using HttpWebRequest.ClientCertificates.Add(...) to set the client cert.
    The customer is using a certificate issued from a CA as their client cert (ie: not a self-signed cert).
    The client cert is stored in a p12 file, which our program opens directly by file path (ie: not from the Windows Certificate Store).
    Based on some other logging I have, the p12 cert is loading OK and has a private key.

    Below is the log from the customer system. I'm really not sure how to interpret it. These lines seem important:

    We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers.

    Left with 0 client certificates to choose from.

    Does this indicate a problem with the client certificate or server certificate?

    Does this mean the client certificate issuer needs to match one of the issuers the server specified? How can I see what that list is? It doesn't seem to be in the network trace log anywhere (I can see the client cert issuer, but not the issuers the server has specified).
    System.Net Warning: 0 : [1272] The Registry value 'Software\Microsoft\Windows NT\CurrentVersion\InstallationType' was either empty or not a string type.
    System.Net Information: 0 : [1272] Current OS installation type is 'Unknown'.
    System.Net Verbose: 0 : [1272] WebRequest::Create(https://[redacted])
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::HttpWebRequest(https://[redacted]#-921164489)
    System.Net Information: 0 : [1272] RAS supported: True
    System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::HttpWebRequest()
    System.Net Verbose: 0 : [1272] Exiting WebRequest::Create() - HttpWebRequest#27504314
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetRequestStream()
    System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ServicePoint#46212239
    System.Net Information: 0 : [1272] Associating Connection#13256970 with HttpWebRequest#27504314
    System.Net Information: 0 : [1272] Connection#13256970 - Created connection from [redacted] to [redacted].
    System.Net Information: 0 : [1272] TlsStream#52203868::.ctor(host=[redacted], #certs=1)
    System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ConnectStream#72766
    System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::GetRequestStream() - ConnectStream#72766
    System.Net Verbose: 0 : [1272] ConnectStream#72766::Write()
    System.Net Verbose: 0 : [1272] Data from ConnectStream#72766::Write
    [redacted (xml)]
    System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Write()
    System.Net Verbose: 0 : [1272] ConnectStream#72766::Close()
    System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Close()
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetResponse()
    System.Net Information: 0 : [1272] HttpWebRequest#27504314 - Request: POST [redacted] HTTP/1.1

    System.Net Information: 0 : [1272] SecureChannel#5894079::.ctor(hostname=[redacted], #clientCertificates=1, encryptionPolicy=RequireEncryption)
    System.Net Information: 0 : [1272] Enumerating security packages:
    System.Net Information: 0 : [1272] Negotiate
    System.Net Information: 0 : [1272] Kerberos
    System.Net Information: 0 : [1272] NTLM
    System.Net Information: 0 : [1272] Schannel
    System.Net Information: 0 : [1272] Microsoft Unified Security Protocol Provider
    System.Net Information: 0 : [1272] WDigest
    System.Net Information: 0 : [1272] DPA
    System.Net Information: 0 : [1272] Digest
    System.Net Information: 0 : [1272] MSN
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Attempting to restart the session using the user-provided certificate: [Version]
    V3

    [Subject]
    CN=[redacted]
    Simple Name: [redacted]
    DNS Name: [redacted]

    [Issuer]
    CN=[redacted]
    Simple Name: [redacted]
    DNS Name: [redacted]

    [Serial Number]
    [redacted]

    [Not Before]
    5/8/2013 9:34:17 AM

    [Not After]
    4/28/2015 9:34:17 AM

    [Thumbprint]
    [redacted]

    [Signature Algorithm]
    [redacted]

    [Public Key]
    Algorithm: RSA
    Length: 2048
    Key Blob: [redacted]
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 1 client certificates to choose from.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Trying to find a matching certificate in the certificate store.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Locating the private key for the certificate: [Version]
    V3

    [Subject]
    CN=[redacted]
    Simple Name: [redacted]
    DNS Name: [redacted]

    [Issuer]
    CN=[redacted]
    Simple Name: [redacted]
    DNS Name: [redacted]

    [Serial Number]
    [redacted]

    [Not Before]
    5/8/2013 9:34:17 AM

    [Not After]
    4/28/2015 9:34:17 AM

    [Thumbprint]
    [redacted]

    [Signature Algorithm]
    [redacted]

    [Public Key]
    Algorithm: RSA
    Length: 2048
    Key Blob: [redacted]
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [1272] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=77, returned code=ContinueNeeded).
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
    System.Net Information: 0 : [1272] SecureChannel#5894079 - We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 0 client certificates to choose from.
    System.Net Information: 0 : [1272] Using the cached credential handle.
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=317, returned code=ContinueNeeded).
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).
    System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314:: - The request was aborted: Could not create SSL/TLS secure channel.
    System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.

    DB:2.40:Client Certificate Authentication - Left With 0 Client Certificates To Choose From. kj

    Hi,
    From the error message, it seems that the certificate in the chain is not placed in the appropriate position. See a post for a similar issue.
    The problem also could be that you haven't granted permission to the correct application pool identity; please try temporarily granting read access to everyone on the certificate's private key. As a reference:

    http://social.msdn.microsoft.com/Forums/vstudio/en-US/e2a2fc05-17c9-45ad-a532-7eb80cdb4626/
    Regards.

  • RELEVANCY SCORE 2.40

    DB:2.40:Enabling Subject Alternative Name Support On Root / Issuer Server Certificate Environment ss


    In order to set up SSL bridging within ISA I am looking to enable SAN support on our certificate issuer, but am unsure how this will affect the way we have set up our certificate issuing environment.

    Our setup is as follows: we have a certificate Root server, which is switched off as standard, and our issuer server, which is where we generate our certificates from and which is constantly available. (both are Server 2003 R2)

    Do I need to enable SAN support on both the root server and the issuer, or does it just need to be enabled on the issuer server without causing any problems on the root server when it is turned on for any reason?

    My main concern is that by changing the configuration of the issuer server the root server will no longer recognise it.

  • RELEVANCY SCORE 2.40

    DB:2.40:Propagating Web Application Authenticated Identity In Saml Assertions z1


    The steps for using SSO with SAML, are here:
    http://download.oracle.com/docs/cd/B25221_01/web.1013/b15979/adminasc.htm#BABJJBBB

    In step 3a it says:
    Set the oracle.security.wss.propagate.identity property at the port level to true.
    <property name="oracle.security.wss.propagate.identity" value="true"/>

    I don't know where exactly I should do this. My stub xml looks like this:
    <webservice-client>
      <service-qname namespaceURI="http://project1/" localpart="sayFiveMethod"/>
      <port-info>
        <wsdl-port .../>
        <runtime enabled="security">
          <security>
            <inbound/>
            <outbound>
              <saml-token issuer-name="mycompany" name="mycompany" name-format="...">
                <subject-confirmation-method>
                  <confirmation-method>SENDER-VOUCHES</confirmation-method>
                </subject-confirmation-method>
              </saml-token>
            </outbound>
          </security>
        </runtime>
        <operations>
          <operation name='sayFive'>
            <runtime>
              <security>
                <inbound/>
                <outbound>
                  <saml-token ......>
                  </saml-token>
                </outbound>
              </security>
            </runtime>
          </operation>
        </operations>
      </port-info>
    </webservice-client>

    Where exactly should I put the tag?
    Best Regards
    Farbod

    DB:2.40:Propagating Web Application Authenticated Identity In Saml Assertions z1

    According to Todd's answer here:
    Re: Propagation of SAML assertions
    The right place is not where I had suggested but after the security tag:
    <port-info>
      <wsdl-port .../>
      <runtime enabled="security">
        <security>
          <property name="oracle.security.wss.propagate.identity" value="true"/>

    Just for the record.
    Regards
    Farbod

  • RELEVANCY SCORE 2.39

    DB:2.39:Cert Is Not Valid As Per Profile 3c



    I have a Cisco 3945E which is able to successfully establish an IPSec connection. But after about 15 minutes the connection drops and I get the below error.

    CERT is NOT valid as per profile.

    I am trying to determine why the certs would initially be valid and fail later.

    I am using certificate match under the profile. The certificate match uses the subject name and the issuer name.

    Has anyone ever seen this?

    thanks.

    DB:2.39:Cert Is Not Valid As Per Profile 3c


    There is more than subject and issuer in a certificate. Do a detailed debug (pki transactions detailed) or pki messages and decode the certificates yourself.

    What is the peer? Are there any additional isakmp resp. ikev2 negotiations close to the error message?

  • RELEVANCY SCORE 2.39

    DB:2.39:Root Certificates In Ssl c8



    Hi!

    I am working on an implementation of ssl/tls and I have a question about root-certs.

    When receiving a certificate chain the RFC 4346 says:

    "the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case."

    But how do I find the root cert already in my possession when I only have the issuer name (from the cert before it in the chain) and a cert is uniquely identified by the serial number and the issuer? Is it not so that I could have several root certificates with the same issuer but different serial numbers, or am I mistaken? Or are you supposed to brutally traverse all candidates and test the signature until you find a match?

    Thanks to anyone who might help to spread some light on this.

    Regards Ingela


  • RELEVANCY SCORE 2.39

    DB:2.39:Remote Desktop Revocation List Error 79


    I have an issue I have no clue how to fix. I have been discussing this on the 2008 R2 forums, but maybe this is a client-side issue (the details are here: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/91c05025-f18a-4839-973f-42fceaf66a77#ca5aad74-89c2-4093-88df-9215e0a32d49).
    But focusing on the issue: from all my W7 machines (Ultimate and Professional) I get certificate revocation list errors that prevent me from using my RemoteApps (the error just prevents me from continuing).
    From my Vista clients (RDP 6.1) everything works just fine.
    My setting is:

    2008 R2 (DC, CA, DNS, IIS, DHCP, Hyper-V, RRAS); several Windows 7 Ultimate / Professional, 32-bit and 64-bit, NOT in the domain.
    Created certificates on the server with alternative names (that match the public DNS names) and configured the CDP and AIA on the CA management to use HTTP. For troubleshooting I disabled the LDAP entries on CDP and AIA (just to eliminate causes), created new certs, and configured all the relevant services to use them.
    When issuing "certutil -verify -urlfetch corp.cer" I have the confirmation that the revocation URLs are fine. Additionally I tried it on a Unix machine through the wget utility on a different subnet (paranoid) and was able to download the crl files correctly. This IIS is available on the internet, there is no doubt, and the files can be downloaded (see extract for one of the files fetched and the certutil results):
    R:\>wget -S http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
    --2010-06-12 20:35:16-- http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
    Resolving corp.webdisplay.pt... 213.22.80.170
    Connecting to corp.webdisplay.pt|213.22.80.170|:80... connected.
    HTTP request sent, awaiting response...
    HTTP/1.1 200 OK
    Content-Type: application/pkix-crl
    Last-Modified: Sat, 12 Jun 2010 17:32:32 GMT
    Accept-Ranges: bytes
    ETag: "4856c3d55acb1:0"
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Sat, 12 Jun 2010 19:35:15 GMT
    Connection: keep-alive
    Content-Length: 1839
    Length: 1839 (1.8K) [application/pkix-crl]
    Saving to: `corp-WDSRV01-CA.crl'
    100%[==================================================================================================] 1,839
    2010-06-12 20:35:16 (19.6 MB/s) - `corp-WDSRV01-CA.crl' saved [1839/1839]
    ----------------------------------------------
    C:\temp>certutil -verify -urlfetch corp.cer
    Issuer:
    CN=corp-WDSRV01-CA
    DC=corp
    DC=webdisplay
    DC=pt
    Subject:
    CN=corp.webdisplay.pt
    Cert Serial Number: 1c41fbdb000000000023
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 2 Hours, 31 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 2 Hours, 31 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
    NotBefore: 12-06-2010 12:31
    NotAfter: 11-06-2012 12:31
    Subject: CN=corp.webdisplay.pt
    Serial: 1c41fbdb000000000023
    SubjectAltName: DNS Name=corp.webdisplay.pt, DNS Name=wdsrv01.corp.webdisplay.pt, DNS Name=wdsrv02.corp.webdisplay.pt, DNS Name=redmine.corp.webdisplay.pt
    Template: WebServer
    b7 f3 7b 69 a5 48 6f 44 27 f9 2a 9e 17 1a f9 9f e0 08 b0 76
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/WDSRV01.corp.webdisplay.pt_corp-WDSRV01-CA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (56)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
    Verified "Delta CRL (56)" Time: 0
    [0.0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
    ---------------- Base CRL CDP ----------------
    OK "Delta CRL (57)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    --------------------------------
    CRL 56:
    Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
    ec 77 b7 4a 5f b8 e4 71 23 b2 06 6f 5e 61 37 0c 74 f7 f1 74
    Delta CRL 57:
    Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
    08 f3 d8 d9 59 35 51 f3 22 76 5a be cf 90 8b 5b 0a bc 77 a8
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
    NotBefore: 21-03-2010 23:01
    NotAfter: 21-03-2015 23:11
    Subject: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
    Serial: 15da4ae6996d23a44c896079f8451e47
    c9 3b 77 24 aa 61 c9 e5 30 06 1c 55 3a 09 9b cf 26 ef fc 3f
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    --------------------------------
    Exclude leaf cert:
    e2 02 cc 23 b6 19 09 64 e2 f2 a6 2e a5 d6 31 d2 9c a3 e9 ce
    Full chain:
    5b 64 0e 51 15 0d 7e 93 13 2f 1c b0 55 83 b4 51 f0 8a c9 a9
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    I am out of ideas! I read through tons of documents (both on TechNet and outside) and this seems to be a somewhat common problem for many using 2008 R2 and W7.
    As far as I know everything is correctly configured and the CRLs are available.
    Before you ask, the CA root certificate is in the trusted root certificates of the Computer and not the user.
    I'm starting to feel this is a W7 OS bug; not sure...
    Thank you all for your help.
    Luis Cordeiro

    DB:2.39:Remote Desktop Revocation List Error 79

    Hi mate, same issue here with win7 and other 2k8r2 servers doing rdp7 with custom certs.
    pkiview and -fetchurl checks all were clean as well but it was failing.
    We had parent/child domain structure and added child domain users read only access to Certenroll path (CRL published location) it seemed to work ok after that.
    We could also use IE or Firefox to hit the CRL or CRT files no problem prior.
    So maybe check the ntfs permissions on the CRL location especially in multidomain model.

    Onion

  • RELEVANCY SCORE 2.39

    DB:2.39:Subject Alternate Name And Wildcard Cert. ss


    I have OCS 2007 SE running all the parts on 1 server, I was not sure who supported certificates with SAN so I opted to
    get a Wildcard Certificate from Godaddy.  I need outside people to be able to get to the Livemeeting server and the Communicator.  If I change to the Godaddy Cert I get this error.
     
    The subject name *.projecthope.org of the certificate assigned to process DataMCUSvc(5504) was not found in the trusted server list. Certificate serial number: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US Certificate issuer name: 416CE4.
    Resolution: Verify that the Subject Name of the certificate presented by the remote peer is configured in the trusted server list
    If I reboot the server with the GoDaddy cert picked, none of the services start and I get this error.
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7024
    Computer: HQ-APPS2
    Description:
    The Office Communications Server Front-End service terminated with service-specific error 3287185878 (0xC3EE79D6).
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    I have tried adding the cert to my trusted certs list and adding a GoDaddy intermediate cert; nothing has helped.
     
    Will OCS 2007 work with a wildcard cert, does anyone have it running??
     
    Thanks
     
    Scott

    DB:2.39:Subject Alternate Name And Wildcard Cert. ss

    SANs should work fine - I've used the Entrust UC cert on a few occasions now (it takes up to 10 names).  Just make sure your federation/PIC A record is in the subject - I've seen issues when this is not the case.
     
    On a side note, you only need to worry about sip.domain.com if you're not publishing a SRV record that uses a different record.  That's Communicator's fall back if it doesn't find anything else.

  • RELEVANCY SCORE 2.39

    DB:2.39:Certificate Services Error On Windows Server 2003 Pdc Ca xz


    Hi to all,
    On Windows Server 2003 Standard (PDC, Exchange and ISA server; small environment), since a restart I am getting certification-related errors.
    Event Type: Error
    Event Source: CertSvc
    Event Category: None
    Event ID: 5
    Date: 21.8.2013
    Time: 10:43:16
    User: N/A
    Computer: PDC
    Description:
    Certificate Services could not find required registry information. The Certificate Services may need to be reinstalled.

    Using certutil (-schema, -isvalid, -cainfo,) I got: command FAILED: 0x80080005 (-2146959355)
    Using certutil -tcainfo:
    ================================================================
    CA Name: TCCA
    Machine Name: pdc.domain.local
    DS Location: CN=TCCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=tc,DC=local
    Cert DN: CN=TCCA, DC=tc, DC=local
    CA Expiration (Years): 1
    Connecting to tcdomain.tc.local\TCCA ...
    Server could not be reached: Server execution failed 0x80080005 (-2146959355)

    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    Serial: 2e33c2078416ca994b2ddb90abb3804a
    56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
    Full chain:
    56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf
    ------------------------------------
    Verified Issuance Policies: All
    Verified Application Policies: All
    Supported Certificate Templates:
    Cert Type[0]: EFSRecovery (EFS Recovery Agent)
    Cert Type[1]: EFS (Basic EFS)
    Cert Type[2]: DomainController (Domain Controller)
    Cert Type[3]: WebServer (Web Server)
    Cert Type[4]: Machine (Computer)
    Cert Type[5]: User (User)
    Cert Type[6]: SubCA (Subordinate Certification Authority)
    Cert Type[7]: Administrator (Administrator)
    Validated Cert Types: 8
    ================================================================
    pdc.domain.local\TCCA:
    OFFLINE

    and using certutil -dcinfo:
    *** Testing DC[0]: PDC
    ** Enterprise Root Certificates for DC PDC
    Certificate 0:
    Serial Number: 0790b86f118570ac4460d9a5999fe073
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V2.2
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 6f bf c0 63 26 95 13 36 5f a1 36 ef b1 4f 9f 22 9d b7 15 c6
    Certificate 1:
    Serial Number: 2e33c2078416ca994b2ddb90abb3804a
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V3.3
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf
    Certificate 2:
    Serial Number: 09e2bff9433f529a4f1ff53135f0c7a8
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 2f ff 30 b0 fb 21 e4 1d c8 c8 bf b9 6a a2 24 72 7d d3 13 3a
    Certificate 3:
    Serial Number: 04aecc03749b428d4aeb2ea4fffd97a8
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V1.1
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 0c a4 bd 7d 6d 70 07 f5 42 37 19 d1 75 3e a3 14 fc 88 c8 d5
    ** KDC Certificates for DC TCDOMAIN
    0 KDC certs for TCDOMAIN
    No KDC Certificate in MY store
    KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

    I can't manually start Certificate Services. Tried this: http://support.microsoft.com/kb/842210 but it didn't help.
    How could I find what cause this behavior?
    Is it safe to simply reinstall CA on PDC, Exchange server, ISA server ?
    Please for help with this issue. Any advice would be appreciated.
    neno.c

  • RELEVANCY SCORE 2.39

    DB:2.39:Crl Check For Sstp Failing (0x80092013) mz


    I am attempting to setup SSTP. Here is the environment.

    Cert. Authority: Server 2003 R2, residing on the Exchange Server
    Domain controllers: Server 2003 R2 as well
    VPN: Server 2012
    VPN client: Windows 7
    I have spent about 1 1/2 days researching and troubleshooting this. If I ignore the crl, it will connect over SSTP, so port forwarding and firewall settings seem correct.

    I have read the following post about CDP's and CRL's/delta and made some modifications to the CA server but it is still not working and still get the 80092013 error. http://social.technet.microsoft.com/Forums/windowsserver/en-US/d8fe8fe7-8036-49c4-bf33-92ca28b9f863/win-7-sstp-vpn-client-fails-with-error-0x80092013-when-rras-certificate-issued-by-enterprise-ca?forum=winserversecurity

    Below is the output to certutil -urlfetch -verify vpn.cer
    (which was run on the VPN client laptop, on an external network)
    Issuer:
    CN=CA.mydomain.com
    DC=mydomain
    DC=Local
    Subject:
    CN=VPN.mydomain.com
    Cert Serial Number: 4bb1df910002000001ba

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 2 Hours, 41 Minutes, 6 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 2 Hours, 41 Minutes, 6 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    NotBefore: 1/29/2014 12:07 PM
    NotAfter: 1/29/2016 12:17 PM
    Subject: CN=VPN.mydomain.com
    Serial: 4bb1df910002000001ba
    SubjectAltName: DNS Name=VPN.mydomain.com
    Template: 1.3.6.1.4.1.311.21.8.7162773.12354232.4148156.5417495.11387803.206.13619044.6996949
    fd 71 00 ea 70 17 d8 b2 9d 5e 76 3f 3b 27 97 b0 2a 3c eb b7
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed AIA Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=CA.mydomain.com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=Local?cACertificate?base?objectClass=certificationAuthority

    Failed AIA Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://CAserver.mydomain.local/CertEnroll/CAserver.mydomain.Local_CA.mydomain.com(2).crt

    ---------------- Certificate CDP ----------------
    Verified Base CRL (0992) Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl

    Verified Delta CRL (0992) Time: 0
    [0.0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl

    ---------------- Base CRL CDP ----------------
    OK Delta CRL (0992) Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl

    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    CRL 0992:
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    ef 97 87 b3 50 75 1c cf 5c fe f5 df 2a 3a 8b 7f e9 3e 8a 7b
    Delta CRL 0992:
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    e9 3f ed 40 b8 0e 95 49 c5 e2 8f ca 7c 82 66 f1 99 c5 88 15
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    NotBefore: 5/17/2007 12:32 PM
    NotAfter: 1/30/2019 11:35 AM
    Subject: CN=CA.mydomain.com, DC=mydomain, DC=Local
    Serial: 6be70935b971c19840ca54c62ca9a02f
    Template: CA
    8b 7b c1 ef 55 1a 1c 8a fd a0 e9 ae 01 05 4a 6a d8 25 ba 6c
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    Verified Base CRL (0992) Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl

    Verified Delta CRL (0992) Time: 0
    [0.0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl

    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------

    Exclude leaf cert:
    5b a0 99 e3 ba 13 91 bf a4 6d 5d 7e fa ec 69 63 cc 90 67 73
    Full chain:
    5c 80 5e 69 49 d2 6a 81 bb be 29 50 31 17 50 dc fb 20 6c 75
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.8.2.2 IP security IKE intermediate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    I can also retrieve the CRL from http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl from the vpn client laptop
    I appreciate any advice or pointers... I have really hit a wall here.

    Thanks,
    Sam

    DB:2.39:Crl Check For Sstp Failing (0x80092013) mz

    WOOT!! You rock Paul. It was the AIA location. Fixed that, reissued certs. and it's fixed.
    Thanks a bunch. I was almost to the point of just adding the registry entry to ignore the CRL check.

  • RELEVANCY SCORE 2.39

    DB:2.39:Renew The Ios-Ca Expired Certificate fa



    Hi,

    I am currently renewing the IOS-CA certificate because it is expired. The new certificate is in place and I am signing new certificate request with the new IOS-CA certificate.

    The only problem is when I am trying to authenticate with the VPN client, on the router I am receiving the error below.

    Sep 27 10:37:10.381: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.1.25 is bad: certificate invalid

    If I check the CA server.

    ROUTER#sh crypto pki serv
    Certificate Server IOS-CA:
        Status: disabled, HTTP Server is disabled
        State: check failed
        Server's configuration is locked  (enter "shut" to unlock it)
        Issuer name: CN=IOS-CA
        CA cert fingerprint: xxxxxxxxxxxxxxxxxx
        Granting mode is: manual
        Last certificate issued serial number: 0x2
        CA certificate expiration timer: 10:25:33 EST Sep 26 2016
        CRL NextUpdate timer: 16:26:39 EST Sep 27 2011
        Current primary storage dir: nvram:
        Current storage dir for .cnm files: flash:
        Current storage dir for .crt files: flash:
        Database Level: Complete - all issued certs written as serialnum.cer

    But if I check the ca certificate.

    ROUTER#sh crypto ca cert
    Certificate
      Status: Available
      Certificate Serial Number: xxxx
      Certificate Usage: General Purpose
      Issuer:
        cn=IOS-CA
      Subject:
        Name: ROUTER.domainname.com
        Serial Number: xxxxxxxx
        serialNumber=xxxxxxxxx+hostname=ROUTER.domainname.com
      Validity Date:
        start date: 15:57:36 EST Oct 4 2010
        end   date: 11:37:48 EST Oct 2 2011
      Associated Trustpoints: localtrust
      Storage: nvram:xxx.cer

    CA Certificate
      Status: Available
      Certificate Serial Number: 0x1
      Certificate Usage: Signature
      Issuer:
        cn=IOS-CA
      Subject:
        cn=IOS-CA
      Validity Date:
        start date: 11:37:48 EST Oct 2 2008
        end   date: 11:37:48 EST Oct 2 2011
      Associated Trustpoints: IOS-CA localtrust
      Storage: nvram:xxxx.cer

    Is there a way I can tell the router to use the new certificate?

    Thanks

    DB:2.39:Renew The Ios-Ca Expired Certificate fa


    Hi,

    Just define a new trustpoint and authenticate and enroll it.

    By default IOS and ASA use any trustpoint defined to verify received certificate.

    Possible certificates are exchanged in MM3 and MM4 in CERT_REQ payload.

    Now if you want to send a specific certificate back to the peer, typically no problem there but in addition you can specify "ca trust-point" under isakmp profile.

    On a separate note can I suggest to use auto rollover and automatically granting rollover certs?

    Marcin

  • RELEVANCY SCORE 2.39

    DB:2.39:Cert Path Api Question m9


    Hi,

    I am attempting to validate a cert chain using the new certificate validation API in 1.4. I get a validation error on the final cert in the chain (the chain only contains two certs). The cert is a version 1 certificate from VeriSign. The validation error is as follows:

    java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
    Index of cert causing problem: 1

    The subject and issuer DNs are identical. They have the value: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"

    Is this an incorrect error since V1 certs don't have extensions?

    Thanks,
    Tom

    DB:2.39:Cert Path Api Question m9

    I just ran into this problem, too.
    After several tries and failures, I realized that the problem behind this exception is caused by the intermediate certificate.

    If your intermediate cert is a V1 certificate, it doesn't contain an essential field, basic constraints, in the certificate.
    In this field of a V3 X.509 certificate, the basic constraints, it defines whether this specific certificate is a CA one.

    So, if you are using JSDK 1.4 or above, which has the JCE implemented, and your intermediate certificate is a V1 version, then the runtime error will happen when you try to use a V1 certificate as the intermediate certificate.

    Until now, I still have not found the solution for this problem; maybe someone out there is kind enough to provide some tips for this problem.

    TKS!!

    Jeff
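    Ingela's question further up (how to pick the right trust anchor when the chain only gives you an issuer name, and there may be several roots with that name) and Tom and Jeff's thread here (a V1 intermediate with no basicConstraints being rejected) are the two halves of the same PKIX path-building step. The following is an added example for both; it is not code from any of the posters, and it uses Go's crypto/x509 rather than the Java API the threads discuss. The helper names (must, newCert, findIssuer, verifyChain, Demo), the subject names "Example Root", "Example Intermediate" and "www.example.test", and the serial numbers 1 through 6 are all constructed for the demonstration; every certificate is generated in memory at run time, so nothing is fetched from the network.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn under parent (self-signed when parent is nil) with a
// fresh P-256 key. ca=false emits no basicConstraints and no other extension, which is how
// a legacy V1 CA certificate looks to a path validator. Constructed helper for this example.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// findIssuer returns the anchor that signed child and how many anchors merely share child's
// issuer DN. The DN yields candidates, the AKI/SKI pair prunes them when both sides carry
// one, and the signature check is what identifies the issuer; no serial number is needed.
func findIssuer(child *x509.Certificate, anchors []*x509.Certificate) (found *x509.Certificate, hits int, err error) {
	for _, a := range anchors {
		if !bytes.Equal(a.RawSubject, child.RawIssuer) {
			continue
		}
		hits++
		if len(child.AuthorityKeyId) > 0 && len(a.SubjectKeyId) > 0 && !bytes.Equal(child.AuthorityKeyId, a.SubjectKeyId) {
			continue
		}
		if found == nil && child.CheckSignatureFrom(a) == nil {
			found = a
		}
	}
	if found == nil {
		err = fmt.Errorf("%d anchors named %q, none verifies the signature", hits, child.Issuer.CommonName)
	}
	return found, hits, err
}

// verifyChain runs Go's PKIX path validator over leaf -> inter -> roots. Like the Java
// validator in the thread above, it rejects an intermediate that lacks CA basicConstraints.
func verifyChain(leaf, inter *x509.Certificate, roots ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	opts.Intermediates.AddCert(inter)
	_, err := leaf.Verify(opts)
	return err
}

// Demo builds constructed data: two roots with the same subject DN but different keys and
// serials (a re-keyed root), a V1-style and a proper intermediate under the second root, and
// a leaf under each. It returns the count of anchors sharing the issuer DN, the serial of
// the real signer, and the validation result for the V1-style and for the proper chain.
func Demo() (nameHits int, issuerSerial int64, v1Err, v3Err error) {
	rootA, _ := newCert("Example Root", 1, true, nil, nil)
	rootB, keyB := newCert("Example Root", 2, true, nil, nil)
	interV1, keyV1 := newCert("Example Intermediate", 3, false, rootB, keyB)
	interV3, keyV3 := newCert("Example Intermediate", 4, true, rootB, keyB)
	leafV1, _ := newCert("www.example.test", 5, false, interV1, keyV1)
	leafV3, _ := newCert("www.example.test", 6, false, interV3, keyV3)
	issuer, hits, err := findIssuer(interV3, []*x509.Certificate{rootA, rootB})
	must(err)
	return hits, issuer.SerialNumber.Int64(), verifyChain(leafV1, interV1, rootA, rootB), verifyChain(leafV3, interV3, rootA, rootB)
}

func main() {
	hits, serial, v1Err, v3Err := Demo()
	fmt.Printf("anchors matching issuer DN: %d; signature verifies with serial %d\nV1-style intermediate: %v\nproper intermediate: %v\n", hits, serial, v1Err, v3Err)
}
```

    Run it with `go run`. The name match alone returns two anchors, and it is the signature check (after AKI/SKI pruning, where those extensions exist) that selects the root which actually signed the intermediate; the root's serial number plays no part in the lookup, so a trust store with several same-named roots is handled without any brute force beyond one signature verification per candidate. The same validator then rejects the chain through the intermediate that carries no CA basicConstraints, which is the failure Tom and Jeff describe: a path validator treats every intermediate as a CA only if the extension says so, whatever the signing key. The V1 certificate is only a problem when it is presented as an intermediate; a trust anchor is not itself subjected to that check, so installing the V1 CA certificate as an anchor, or obtaining a V3 intermediate, are the two ways out.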

  • RELEVANCY SCORE 2.39

    DB:2.39:Problema With Web Services Over Ssl pp


    I'm trying to consume a web service that requires SSL. I enabled SSL debug, but I can't understand what's wrong. :-(

    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Arquivos de programas\Java\jdk1.6.0_06\jre\lib\security\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    Algorithm: RSA; Serial number: 0x20000000000d678b79405
    Valid from Tue Sep 01 09:00:00 GMT-03:00 1998 until Tue Jan 28 09:00:00 GMT-03:00 2014

    adding as trusted cert:
    Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x0
    Valid from Sun Dec 31 21:00:00 GMT-03:00 1995 until Thu Dec 31 20:59:59 GMT-03:00 2020

    adding as trusted cert:
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Algorithm: RSA; Serial number: 0x1
    Valid from Wed Jul 31 21:00:00 GMT-03:00 1996 until Thu Dec 31 20:59:59 GMT-03:00 2020

    adding as trusted cert:
    Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
    Issuer: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
    Algorithm: RSA; Serial number: 0x1
    Valid from Tue May 30 07:44:50 GMT-03:00 2000 until Sat May 30 07:44:50 GMT-03:00 2020

    adding as trusted cert:
    Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Algorithm: RSA; Serial number: 0x1
    Valid from Mon Jun 21 01:00:00 GMT-03:00 1999 until Sun Jun 21 01:00:00 GMT-03:00 2020

    adding as trusted cert:
    Subject: CN=ZEMA CIA DE PETROLEO LTDA, OU=GIT, O=ICP-SEFAZGO, ST=GO, C=BR
    Issuer: CN=Autoridade Certificadora SEFAZ Goias, OU=GIT, O=ICP-SEFAZGO, L=Goiania, ST=GO, C=BR
    Algorithm: RSA; Serial number: 0x10a
    Valid from Wed Feb 14 14:58:31 GMT-03:00 2007 until Mon Feb 13 14:58:31 GMT-03:00 2012

    adding as trusted cert:
    Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Algorithm: RSA; Serial number: 0x1a5
    Valid from Wed Aug 12 21:29:00 GMT-03:00 1998 until Mon Aug 13 20:59:00 GMT-03:00 2018

    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000b9
    Valid from Fri May 12 15:46:00 GMT-03:00 2000 until Mon May 12 20:59:00 GMT-03:00 2025

    adding as trusted cert:
    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
    Algorithm: RSA; Serial number: 0x389ef6e4
    Valid from Mon Feb 07 13:16:40 GMT-03:00 2000 until Fri Feb 07 13:46:40 GMT-03:00 2020

    adding as trusted cert:
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
    Valid from Sun Jan 28 21:00:00 GMT-03:00 1996 until Tue Aug 01 20:59:59 GMT-03:00 2028

    adding as trusted cert:
    Subject: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Algorithm: RSA; Serial number: 0x2ac5c266a0b409b8f0b79f2ae462577
    Valid from Thu Nov 09 21:00:00 GMT-03:00 2006 until Sun Nov 09 21:00:00 GMT-03:00 2031

    adding as trusted cert:
    Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Algorithm: RSA; Serial number: 0x20000bf
    Valid from Wed May 17 11:01:00 GMT-03:00 2000 until Sat May 17 20:59:00 GMT-03:00 2025

    adding as trusted cert:
    Subject: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
    Issuer: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
    Algorithm: RSA; Serial number: 0x5c00001000241d0060a4dce7510
    Valid from Thu Mar 23 11:10:23 GMT-03:00 2006 until Wed Dec 31 19:59:59 GMT-03:00 2025

    adding as trusted cert:
    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
    Valid from Sun May 17 21:00:00 GMT-03:00 1998 until Tue Aug 01 20:59:59 GMT-03:00 2028

    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1213102186 bytes = { 150, 70, 222, 91, 1, 159, 135, 122, 245, 66, 221, 50, 113, 8, 128, 154, 68, 232, 127, 215, 140, 215, 148, 147, 58, 93, 236, 23 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 10761
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1213102414 bytes = { 186, 36, 22, 99, 140, 117, 31, 5, 231, 216, 148, 205, 190, 127, 202, 37, 111, 176, 39, 77, 137, 208, 110, 239, 167, 210, 211, 160 }
    Session ID: {72, 78, 121, 78, 23, 96, 172, 97, 143, 196, 65, 95, 90, 198, 182, 217, 85, 189, 237, 255, 214, 174, 250, 18, 138, 100, 13, 130, 185, 47, 30, 194}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=homolog.sefaz.go.gov.br, OU=Equipamento A1, OU=SEFAZ, OU=Autoridade Certificadora SERPROACF, O=ICP-Brasil, C=BR
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 1024 bits
    modulus: 121822830792857140980544413730208327423965418338836769494531514391506636002202311770038004646445375567736723855328246700773881808368957013969090425291780159678803518407365187798936095103086486699406270894225547100200566740997780387564247231686362223169873014182514927324634241630443664842180597672619260289963
    public exponent: 65537
    Validity: [From: Mon Aug 20 15:22:15 GMT-03:00 2007,
    To: Tue Aug 19 15:22:15 GMT-03:00 2008]
    Issuer: CN=Autoridade Certificadora do SERPRO Final v1, OU=CSPB-1, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR
    SerialNumber: [ 32303037 30383230 31373434 35343032]

    Certificate Extensions: 7
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 32 38 96 C7 EE 44 64 E9 9A AA 15 5D E0 08 B4 8D 28...Dd....]....
    0010: 89 47 51 A2 .GQ.
    ]

    ]

    [2]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://ccd.serpro.gov.br/lcr/serproacfv1.crl]
    ]]

    [3]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.4
    Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.2
    Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.3
    Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.7
    Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.8
    RFC822Name: jorcelino-jb@sefaz.go.gov.br
    ]

    [4]: ObjectId: 2.5.29.37 Criticality=true
    ExtendedKeyUsages [
    serverAuth
    clientAuth
    ]

    [5]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.76.1.2.1.16]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 39 68 74 74 70 73 3A 2F 2F 63 63 64 2E 73 65 .9https://ccd.se
    0010: 72 70 72 6F 2E 67 6F 76 2E 62 72 2F 73 65 72 70 rpro.gov.br/serp
    0020: 72 6F 61 63 66 2F 64 6F 63 73 2F 64 70 63 73 65 roacf/docs/dpcse
    0030: 72 70 72 6F 61 63 66 2E 70 64 66 rproacf.pdf

    ]] ]
    ]

    [6]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Non_repudiation
    Key_Encipherment
    ]

    [7]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen:2147483647
    ]

    ]
    Algorithm: [SHA1withRSA]
    ]
    chain [1] = [
    [
    Version: V3
    Subject: CN=Autoridade Certificadora do SERPRO Final v1, OU=CSPB-1, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 2048 bits
    modulus: 23659367425961339986383814473655435770305076360336120846402324294010759604691167341796796450718297422937486485989173997689009435615853573479123246742093161509679795253583183150516996100507241385700603597169864442790237544440295928051568067762067963906038465181975829517141032706152589802921982785603244093509126659971216775796468681697846064212891335993008177024582806600140619329189802486109058177503824508848203446928569492107040513868017002818333597993397664228505910643929070063949422917116775478325433437537593716368812763202859366097841062831999053298446527212103412654663554371896386629504450969081314886684871
    public exponent: 58865
    Validity: [From: Mon Apr 04 13:26:59 GMT-03:00 2005,
    To: Mon Oct 24 20:59:00 GMT-03:00 2011]
    Issuer: CN=Autoridade Certificadora do SERPRO v1, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR
    SerialNumber: [ 32303035 30343034 31353530 35363030 3031]

    Certificate Extensions: 6
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 32 38 96 C7 EE 44 64 E9 9A AA 15 5D E0 08 B4 8D 28...Dd....]....
    0010: 89 47 51 A2 .GQ.
    ]
    ]

    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: E2 8B 15 41 DB 75 39 29 BC 1C 54 7B FB 51 3F 14 ...A.u9)..T..Q?.
    0010: 09 12 F2 B4 ....
    ]

    ]

    [3]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://ccd.serpro.gov.br/lcr/acserpro.crl]
    ]]

    [4]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.76.1.2.1.16]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 37 68 74 74 70 73 3A 2F 2F 63 63 64 2E 73 65 .7https://ccd.se
    0010: 72 70 72 6F 2E 67 6F 76 2E 62 72 2F 61 63 73 65 rpro.gov.br/acse
    0020: 72 70 72 6F 2F 64 6F 63 73 2F 64 70 63 61 63 73 rpro/docs/dpcacs
    0030: 65 72 70 72 6F 2E 70 64 66 erpro.pdf

    ]] ]
    [CertificatePolicyId: [2.16.76.1.2.3.13]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 37 68 74 74 70 73 3A 2F 2F 63 63 64 2E 73 65 .7https://ccd.se
    0010: 72 70 72 6F 2E 67 6F 76 2E 62 72 2F 61 63 73 65 rpro.gov.br/acse
    0020: 72 70 72 6F 2F 64 6F 63 73 2F 64 70 63 61 63 73 rpro/docs/dpcacs
    0030: 65 72 70 72 6F 2E 70 64 66 erpro.pdf

    ]] ]
    [CertificatePolicyId: [2.16.76.1.2.1.17]
    [PolicyQualifierInfo: [
    qualifierID: 1.3.6.1.5.5.7.2.1
    qualifier: 0000: 16 37 68 74 74 70 73 3A 2F 2F 63 63 64 2E 73 65 .7https://ccd.se
    0010: 72 70 72 6F 2E 67 6F 76 2E 62 72 2F 61 63 73 65 rpro.gov.br/acse
    0020: 72 70 72 6F 2F 64 6F 63 73 2F 64 70 63 61 63 73 rpro/docs/dpcacs
    0030: 65 72 70 72 6F 2E 70 64 66 erpro.pdf

    ]] ]
    ]

    [5]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [6]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:0
    ]

    ]
    Algorithm: [SHA1withRSA]

    DB:2.39:Problema With Web Services Over Ssl pp

    The server is still sending the same certificate, serial no 32303037 30383230 31373434 35343032, and you are still getting the same error: certificate_unknown.

    Either they gave you the wrong certificate offline or you didn't import into the correct truststore.
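One way to act on this reply, as an added example that is neither the poster's nor the replier's code: resolve the truststore the default JSSE trust manager actually opens, look the presented certificate up there by serial number, and run the same checkServerTrusted call the handshake performs so the PKIX failure is visible outside the SSL debug output. The chain file path is a command-line placeholder; the javax.net.ssl.trustStorePassword property is honoured when set and the keystore integrity check is skipped otherwise.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    // Resolve the truststore the default JSSE trust manager opens, in its order of
    // preference: javax.net.ssl.trustStore, then $JAVA_HOME/lib/security/jssecacerts,
    // then $JAVA_HOME/lib/security/cacerts. Importing into any other file changes nothing.
    static Path effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    // A null password reads the store without the integrity check, which is enough here.
    static KeyStore loadTrustStore(Path path) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    // Alias of the trusted entry whose serial number matches, or null if it is absent.
    static String findBySerial(KeyStore ks, BigInteger serial) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSerialNumber().equals(serial)) {
                return alias;
            }
        }
        return null;
    }

    // The exact check JSSE runs on a server chain, against the given truststore.
    static String checkChain(KeyStore ks, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(
                            chain, chain[0].getPublicKey().getAlgorithm());
                    return "trusted";
                } catch (CertificateException e) {
                    // the same failure the handshake reports as certificate_unknown
                    return "rejected: " + e;
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file holding the chain the server sends, leaf first (placeholder path)
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);

        Path path = effectiveTrustStore();
        KeyStore ks = loadTrustStore(path);
        System.out.println("Effective truststore: " + path + " (" + ks.size() + " entries)");

        X509Certificate leaf = chain[0];
        System.out.println("Server cert serial: " + leaf.getSerialNumber().toString(16));
        String alias = findBySerial(ks, leaf.getSerialNumber());
        System.out.println(alias == null ? "Not present in this truststore"
                                         : "Present under alias " + alias);
        System.out.println("PKIX check: " + checkChain(ks, chain));
    }
}
```

For the chain in the debug output above, the serial prints as 32303037303832303137343435343032, the same value the reply quotes without spaces.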

  • RELEVANCY SCORE 2.39

    DB:2.39:(Ssl) Does Firefox Use The Android Ca Storage Or Its Own? 8a



    Hi, I have installed a CA-Cert onto the Android device through: Settings > Security > Credential Storage > Install from device storage.

    The CA-Cert is visible and installed successfully.

    When I try to make an SSL connection via https:// I get:

    "This Connection is Untrusted"
    Technical Details: The certificate is not trusted because the issuer is not trusted.

    When I remove the CA-Cert I get the exact same problem, which suggests to me that Firefox is using its own list of CAs.

    Could you please verify the above (any proof would be great!)

    Many Thanks,

    Mitch.

  • RELEVANCY SCORE 2.39

    DB:2.39:X509 Subject Name 39


    Does anyone know how I can get the subject or issuer name from an X509 certificate? I know it's simple to get it as Strings, but I want them as byte arrays or something like that, which is suitable for getting the SHA1 or MD5 hash of it.
    Any ideas?

    DB:2.39:X509 Subject Name 39

    X509Certificate.getIssuerX500Principal().getEncoded() and X509Certificate.getSubjectX500Principal().getEncoded()
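An added example, not from the thread, of what that answer gives you: the DER-encoded Name bytes are what to hash, because the RFC 2253 String is a rendering that does not always re-encode to the same bytes. The certificate file path is a command-line placeholder.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

public class NameHash {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Digest of the DER-encoded Name exactly as it is encoded in the certificate.
    static String nameDigest(X500Principal name, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(name.getEncoded()));
    }

    // True when re-parsing the RFC 2253 string reproduces the original DER. When this is
    // false, a hash taken over the String form would not identify the Name actually signed
    // into the certificate (string types and attribute ordering are lost in the rendering).
    static boolean stringRoundTrips(X500Principal name) {
        byte[] original = name.getEncoded();
        byte[] reparsed = new X500Principal(name.getName(X500Principal.RFC2253)).getEncoded();
        return Arrays.equals(original, reparsed);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM or DER certificate file (placeholder path)
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        for (String which : new String[] {"Subject", "Issuer"}) {
            X500Principal name = which.equals("Subject")
                    ? cert.getSubjectX500Principal() : cert.getIssuerX500Principal();
            System.out.println(which + ": " + name.getName(X500Principal.RFC2253));
            System.out.println("  DER bytes : " + name.getEncoded().length);
            System.out.println("  SHA-1     : " + nameDigest(name, "SHA-1"));
            System.out.println("  MD5       : " + nameDigest(name, "MD5"));
            System.out.println("  string re-encodes identically: " + stringRoundTrips(name));
        }
    }
}
```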

  • RELEVANCY SCORE 2.38

    DB:2.38:Godaddy Cert, Exchange 2013 Enterprise, No Proxy, Revocation Check Failed a9


    Really, REALLY frustrated with this. So I have done extensive research and none of the articles I have looked at has fixed the issue. Exchange 2013 running on Windows Server 2012.

    I have run get-exchangecertificate -server servername and documented the thumbprint.

    enable-exchangecertificate - server servername -thumbprint
    No go
    I have no proxy server
    I have a juniper firewall and setup a MIP and policies to allow 443, 25 and 80 to go to my CAS server.
    When I put the machine in the public, it works fine. In other words, no firewall open to everyone on the web. I'm thinking there is some port that needs to be opened to have the cert revocation work.

    Here is the dump of my certutil -verify -urlfetch.

    PS C:\sysadmin> certutil -urlfetch -verify webmail.mydomain.com.crt
    Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
    Name Hash(sha1): 70292276537f1abc8fd53c9484e914cb762a052a
    Name Hash(md5): 042d5597d3d5978836f3cc27bc59f931
    Subject:
    CN=webmail.mydomain.com
    OU=Domain Control Validated
    Name Hash(sha1): be557be1c137c978cecf6d1606a078f0ba75be6e
    Name Hash(md5): 0a63e2b3f2bb7f91e01ef58b983fa711
    Cert Serial Number: 07887e2158c42d

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
    NotBefore: 3/18/2013 2:49 PM
    NotAfter: 3/15/2014 8:46 PM
    Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
    Serial: 07887e2158c42d
    SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas
    01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover
    mydomain.com, DNS Name=webmail.apex.prod
    2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified Certificate (0) Time: 0
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt

    ---------------- Certificate CDP ----------------
    Expired Base CRL (0c) Time: 0
    [0.0] http://crl.godaddy.com/gds1-87.crl

    ---------------- Base CRL CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    Expired OCSP Time: 0
    [0.0] http://ocsp.godaddy.com/

    --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, LLC, L=Scottsdale, S=Arizona, C=US
    ThisUpdate: 3/18/2013 4:02 PM
    NextUpdate: 3/18/2013 10:02 PM
    39 7b 2a 5f 78 d5 36 62 2c eb 50 6a cd 39 6c 31 dc 90 e4 dd
    Issuance[0] = 2.16.840.1.114413.1.7.23.1
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
    NotBefore: 11/15/2006 7:54 PM
    NotAfter: 11/15/2026 7:54 PM
    Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
    Serial: 0301
    7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    Verified Base CRL Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl

    ---------------- Base CRL CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    Expired OCSP Time: 0
    [0.0] http://ocsp.godaddy.com

    --------------------------------
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
    ThisUpdate: 4/26/2012 2:03 PM
    NextUpdate: 4/26/2013 2:03 PM
    d2 73 ad 70 39 95 10 c4 f1 7f d5 0f d7 8c 4f 2c 11 c7 61 a1
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

    CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
    NotBefore: 6/29/2004 11:06 AM
    NotAfter: 6/29/2034 11:06 AM
    Subject: OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
    Serial: 00
    27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

    Exclude leaf cert:
    83 1c c7 85 83 73 fb 26 ce 79 12 ef 9d ef f1 d1 c3 c9 05 23
    Full chain:
    b4 b3 8e 61 f8 e1 0b 9d 5a 46 67 69 83 40 35 68 27 00 1c a1
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
    NotBefore: 3/18/2013 2:49 PM
    NotAfter: 3/15/2014 8:46 PM
    Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
    Serial: 07887e2158c42d
    SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover.mydomain.com, DNS Name=webmail.apex.prod
    2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Cert is an End Entity certificate

    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

    CertUtil: -verify command completed successfully.

    DB:2.38:Godaddy Cert, Exchange 2013 Enterprise, No Proxy, Revocation Check Failed a9

    Thanks for the information.
    The problem for us was internal rules for getting access to the Internet.
    Thanks
    ====

  • RELEVANCY SCORE 2.38

    DB:2.38:Ocsp Validation zk


    Hi All, I'm trying to validate an X.509 certificate using Java. But it always gives an error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue to resolve this?

    =========================Code ===========================================================

    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.cert.CertPath;
    import java.security.cert.CertPathValidator;
    import java.security.cert.CertPathValidatorException;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.PKIXCertPathValidatorResult;
    import java.security.cert.PKIXParameters;
    import java.security.cert.PolicyNode;
    import java.security.cert.TrustAnchor;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;

    public class OCSPCheck {

        // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
        private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";
        // private static final String TEST_RESPONDER_URL = "http://ocsp-commercial.lankaclear.lk:11080/ocsp/ee/ocsp";

        public static void main(String[] args) {
            try {
                // CA certificate (used as the trust anchor)
                X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
                // Certificate to be checked (here the intermediate CA certificate)
                X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

                // The path is ordered from the certificate being checked towards the CA.
                // (RFC 5280 path validation expects the trust anchor to be supplied
                // separately rather than as the last certificate of the path.)
                List<X509Certificate> certList = new ArrayList<X509Certificate>();
                certList.add(clientCert);
                certList.add(caCert);
                validateCertPath(certList, caCert, TEST_RESPONDER_URL);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                CertPath cp = cf.generateCertPath(certList);
                CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

                // Set the trust anchor
                TrustAnchor anchor = new TrustAnchor(trustedCert, null);
                PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
                params.setRevocationEnabled(true);

                // Enable the JDK's built-in OCSP checker and point it at the responder
                Security.setProperty("ocsp.enable", "true");
                Security.setProperty("ocsp.responderURL", responderUrl);

                // Validate and obtain results
                try {
                    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                    PolicyNode policyTree = result.getPolicyTree();
                    PublicKey subjectPublicKey = result.getPublicKey();

                    System.out.println("Query Result ");
                    System.out.println("Policy Tree:\n" + policyTree);
                    System.out.println("Subject Public key:\n" + subjectPublicKey);
                } catch (CertPathValidatorException cpve) {
                    // getIndex() identifies the certificate in the path that failed (-1 if not certificate-specific)
                    System.out.println("Validation failure, cert[" + cpve.getIndex() + "] :" + cpve);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
            InputStream is = new BufferedInputStream(new FileInputStream(fileName));
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                return (X509Certificate) cf.generateCertificate(is);
            } finally {
                is.close();
            }
        }
    }

    ===========================================================================================================
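
    An added example, not the poster's code, of the same PKIX check written against the Java 8 PKIXRevocationChecker API instead of the global ocsp.* Security properties. It hands the validator the OCSP responder's certificate explicitly, which is the standard way to satisfy the "Responder's certificate is not authorized to sign OCSP responses" check when the responder signs with a key that is neither the issuing CA's own nor a delegated certificate issued by that CA with the OCSP-signing extended key usage (RFC 6960 section 4.2.2.2). The file names and the responder URL are placeholders, and the trust anchor is passed separately rather than as the last element of the path:

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example: PKIX path validation with an explicitly trusted OCSP responder.
 * File names and the responder URL below are placeholders (assumptions), not
 * values taken from the original post.
 */
public class OcspPathCheck {

    static X509Certificate readCert(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validates 'chain' (certificate under test first; the trust anchor is NOT
     * part of the path) and returns the validator result, or throws.
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                X509Certificate root,
                                                URI responder,
                                                X509Certificate responderCert)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));

        // Java 8+: a per-validation revocation checker replaces the global
        // ocsp.enable / ocsp.responderURL Security properties.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOcspResponder(responder);          // overrides the AIA responder URL
        rc.setOcspResponderCert(responderCert);  // trust this responder key explicitly
        // No CRL fallback and no soft-fail: an unreachable or unauthorised
        // responder makes validation fail instead of silently passing.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);       // default; stated for clarity

        try {
            return (PKIXCertPathValidatorResult) cpv.validate(path, params);
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the failing certificate in the path
            // (-1 when the failure is not certificate-specific); getReason()
            // distinguishes e.g. REVOKED from UNDETERMINED_REVOCATION_STATUS.
            System.err.println("path validation failed at index " + e.getIndex()
                    + " (" + e.getReason() + "): " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = readCert("root-ca.cer");          // placeholder
        X509Certificate sub  = readCert("intermediate-ca.cer");  // placeholder
        X509Certificate resp = readCert("ocsp-responder.cer");   // placeholder
        PKIXCertPathValidatorResult r = validate(
                Collections.singletonList(sub), root,
                URI.create("http://ocsp.example.invalid/ocsp"),  // placeholder
                resp);
        System.out.println("validated up to anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

    Leaving out setOcspResponderCert makes the JDK fall back to the RFC 6960 rules (responder must be the issuing CA or a certificate issued by it with the OCSP-signing EKU), which is what produced the error in the post; NO_FALLBACK ensures a misconfigured responder surfaces as a validation failure rather than being masked by a CRL lookup.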


  • RELEVANCY SCORE 2.38

    DB:2.38:Oss Note 701205 Sso Using Sap Logon Tickets Dual Stack Environment p9



    Hi, I recently upgraded from BW 3.x to NW2004s BI 7.0 SP12. I am trying to set up BEx Web integration. I created a system in the portal that has Authentication Ticket Type = SAP Assertion Ticket, BI Master system set to true, Logon Method = SAPLOGONTICKET and gave it a system alias of SAP_BW. Via the Visual Admin tool, I created the SAPLogonTicketKeypair and Keypair-cert using a Common Name = ABC. I understand that in a dual stack situation the Portal SID cannot be the same as the ABAP SID. I imported the portal cert into BI using STRUSTSSO2, added the cert to the certificate list and added it to the ACL. Now, when I try connection tests on my SAP_BW system in the portal it fails. I turned on tracing in SM50 to level 3, security only. This is what I see in the logs of the dialog process:

    dy_signi_ext: SSO TICKET logon (client 090)

    mySAPUnwrapCookie: was called.

    HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

    HmskiFindTicketInCache: Try to find ticket with cache key: 090:90BA87457002F62A1F3317888C62CDEC .

    HmskiFindTicketInCache: Couldn't find ticket in ticket cache

    snip

    Got content client = 999.

    N Got content sysid = BWP .

    N No entry in TWPSSO2ACL for SYS BWP and CLI 999.

    N CheckSubject failed (rc=19). Verifying if ticket was issued by me.

    N *** ERROR = System ID and client from ticket are not the same than mine. [ssoxxkrn.c 841]

    N Data from ticket: sysid=BWP , client=999

    N My system data: sysid=BWP , client=090

    N *** ERROR = Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL.

    So why is the portal sending sysid=BWP and not the common name ABC? Or is there another parameter where I can change the portal sid?

    I asked SAP via an OSS message and they said that the ABAP stack has to be 1 level higher than the Java Stack. Unfortunately, SP13 hasn't been released yet

    DB:2.38:Oss Note 701205 Sso Using Sap Logon Tickets Dual Stack Environment p9


    Stephen,

    follow this method...

    Note 937697 SAP NetWeaver BI Diagnostics Support Desk Tool

    and Note 983156 BI configuration w. Template Installer

    Also check these reports..

    1. RSPOR_SETUP

    1. Execute the report RSPOR_SETUP with transaction SE38 (or SA38; or you can execute the report from the SAP Reference IMG, see Documentation below)

    2. Use value help of entry field Program ID (or RFC Destination) to choose __ as RFC Destination (this destination is created by the Template Installer)

    3. Enter Portal SID (required to check step 10)

    4. Press button Execute

    2. RS_TEMPLATE_MAINTAIN_70

    Run Report RS_TEMPLATE_MAINTAIN_70 and Enter Template ID 0ANALYSIS_PATTERN Choose Program / Execute

    Choose Analyse / Validate , Choose Analyse / Execute in Debug Mode ,A Web Browser is opened and you have to logon to the Portal. Finally, an empty Analysis Pattern (without data) should appear. After these tests you can continue your testing by creating and using your own Queries (with BEx Query Designer), Web Templates (BEx Web Application Designer) and Reports (BEx Report Designer).

    SAP Note 917950, 937697 and note 917950 for further help...

    Common troubleshooting errors:

    1. User ID should be the same in the portal and the BI 7.0

    2. Make sure Portal and BW are on the same domain.

    Also check and make sure you added the following entry into the strustsso2 transaction of BW.

    a) Add to Certificate List

    b) Add to ACL. When you add to ACL, make sure to enter client number as 000. Enter system name as actual name.

    3. Did you restart the BW server after setting the profile parameters (using admin rights) in RZ10?

    4. To see if SSO is configured properly, in your BW server, go to transaction SE80, under dropdown select BSP application and open the application "SYSTEM". Under page with flow logic you will find the page sso2test.htm. Test that page; after opening, you should see a message "Found SSO2 Cookie" in the iframe. This message must be displayed without any further popup boxes asking for name and password information!

    Else the SSO is not enabled.

    hope that helps...

  • RELEVANCY SCORE 2.38

    DB:2.38:Jar Signing/Import Comodo Cert Problem x9


    Hi,

    I've been battling with this off and on for months now. The problem is trying to get my Comodo code cert installed into a Linux keystore and code sign jar files.

    At some point I managed to get the cert into the keystore and it gives this on query:

    Alias name: brilliant scm's the usertrust network id
    Creation date: Jul 6, 2008
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=Brilliant SCM, OU=NetBriller, O=Brilliant SCM, STREET=LLYS BRIALLEN, L=BRIDGEND, ST=MID GLAMORGAN, OID.2.5.4.17=CF31 4BG, C=GB
    Issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
    Serial number: 42120be7f479264ee9238f3912158738
    Valid from: Sat Jun 21 01:00:00 BST 2008 until: Mon Jun 22 00:59:59 BST 2009
    Certificate fingerprints:
    MD5: CB:B6:E7:38:91:D4:F5:5F:2E:E2:3C:55:69:33:98:B8
    SHA1: 71:71:72:1D:73:9E:EB:20:E9:CB:B7:D8:70:40:C7:AC:AB:A7:94:80
    Certificate[2]:
    Owner: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
    Issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
    Serial number: 44be0c8b500024b411d3362de0b35f1b
    Valid from: Fri Jul 09 19:31:20 BST 1999 until: Tue Jul 09 19:40:36 BST 2019
    Certificate fingerprints:
    MD5: A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
    SHA1: E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46

    which all looks ok? And signing the jar with

    jarsigner -signedjar sVMS_Config.jar VMS_Config.jar "brilliant scm's the usertrust network id"

    (lovely alias name) does give a runnable jar'd applet ([http://www.netbriller.com/vms_config.jsp|jar prob]) but it throws a security warning, cert not validated (image here [http://www.netbriller.com/images/certProblem.gif|prob pic]) where the cert seems to bear no resemblance to either cert in the chain I signed it with!

    This is driving me mad, and despite copious googling I can't find a really good explanation of what's going on with the whole import/sign process for Java.

    If anyone can help with this I'll do them a great deal on a pair of specs as thanks.

    Thanks for reading

    Mark


  • RELEVANCY SCORE 2.37

    DB:2.37:Why Are My (Third Party Ca) Smarrt Card Logins Not Working? zm


    We've been working on implementing a third party CA to use with smart card logins. As far as I'm aware we've followed all the guidelines (KB291010, KB281245). When I view the certificates (CA, Domain Controller, and client) they all seem to be ok. The trust chain appears valid. When I run certutil -dcinfo verify I get the following output (which seems to indicate all is ok):

    0: BELGIAN
    *** Testing DC[0]: BELGIAN
    ** Enterprise Root Certificates for DC BELGIAN
    Certificate 0:
    Serial Number: 012025e033ba
    Issuer: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    NotBefore: 3/19/2009 2:53 PM
    NotAfter: 3/19/2039 2:53 PM
    Subject: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 23 26 ff b1 fd 02 e4 d1 92 fb d0 a8 22 55 4a f8 95 69 19 20

    ** KDC Certificates for DC BELGIAN
    Certificate 0:
    Serial Number: 012062aa27e6
    Issuer: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    NotBefore: 3/31/2009 10:11 AM
    NotAfter: 2/28/2010 6:11 PM
    Subject: CN=belgian.waffles2.sys, OU=Doman Controllers, DC=waffles2, DC=sys
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController
    Cert Hash(sha1): 48 49 02 54 33 2d 28 0e 7f 46 cb 03 66 bc 3d eb 06 91 5b 43
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 11 Days, 21 Hours, 34 Minutes, 30 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 11 Days, 21 Hours, 34 Minutes, 30 Seconds

    CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=0
    Issuer: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    NotBefore: 3/31/2009 10:11 AM
    NotAfter: 2/28/2010 6:11 PM
    Subject: CN=belgian.waffles2.sys, OU=Doman Controllers, DC=waffles2, DC=sys
    Serial: 012062aa27e6
    SubjectAltName: Other Name:DS Object Guid=04 10 38 ce af fa 05 b2 3f 4b 81 18 2a 8e 26 8b 2c eb, DNS Name=belgian.waffles2.sys
    Template: DomainController
    48 49 02 54 33 2d 28 0e 7f 46 cb 03 66 bc 3d eb 06 91 5b 43
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 0:
    Issuer: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    37 aa 78 25 21 09 78 6b f8 1b 5a de 3e 06 a6 d8 91 47 3f 0a
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    NotBefore: 3/19/2009 2:53 PM
    NotAfter: 3/19/2039 2:53 PM
    Subject: CN=Waffles2 Admin Server, OU=SW, O=Auth, S=CA, L=Concord, C=US
    Serial: 012025e033ba
    23 26 ff b1 fd 02 e4 d1 92 fb d0 a8 22 55 4a f8 95 69 19 20
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
    f5 1c 63 bd 91 da 86 e1 19 52 0e 3d 6d 21 ee 12 83 47 47 0d
    Full chain:
    ec e4 74 3b b4 72 ac 10 91 f8 5b 9d fa 5d 15 f9 8d 50 67 11
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1 KDC certs for BELGIAN
    CertUtil: -DCInfo command completed successfully.

    I've turned on all the diagnostic logging that I can find. The errors that I see in the event viewer are:

    From the security log:

    System
      Provider
        [Name] Microsoft-Windows-Security-Auditing
        [Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

    DB:2.37:Why Are My (Third Party Ca) Smarrt Card Logins Not Working? zm

    Is there anything new on this thread? I have a similar problem although it is intermittent. I can reboot the client node and the smartcard logon may begin to work again. Also when I am experiencing the problem I can still logon using a smart card if I use an interactive login using an invalid logon; then I can select other credentials and the smart card will then logon correctly. So it seems that when in the problem state it only seems to fail sending the smartcard creds initially, but after the first attempt at logging in and failing the smartcard can then be used to logon.

  • RELEVANCY SCORE 2.37

    DB:2.37:Nps Server: A Certification Chain Processed Correctly, But One Of The Ca Certificates Is Not Trusted By The Policy Provider mj


    Following on from my earlier thread, one of my DCs that also functions as an NPS server seems to still have an issue:
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/82610054-7d9f-4c62-b2e0-06ea676a5166
    Turning up the SChannel logging, I get this error message:

    Log Name: System
    Source: Schannel
    Date: 11/05/2012 4:32:24 p.m.
    Event ID: 36877
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: DC.MY.LAN
    Description:
    The certificate received from the remote client application has not validated correctly. The error code is 0x80092013. The attached data contains the client certificate.
    Event Xml:
    Event xmlns=http://schemas.microsoft.com/win/2004/08/events/event
    System
    Provider Name=Schannel Guid={1F678132-5938-4686-9FDC-C8FF68F15C85} /
    EventID36877/EventID
    Version0/Version
    Level3/Level
    Task0/Task
    Opcode0/Opcode
    Keywords0x8000000000000000/Keywords
    TimeCreated SystemTime=2012-05-11T04:32:24.368328000Z /
    EventRecordID17319/EventRecordID
    Correlation /
    Execution ProcessID=504 ThreadID=3012 /
    ChannelSystem/Channel
    ComputerDC.MY.LAN/Computer
    Security UserID=S-1-5-18 /
    /System
    EventData
    Data Name=ErrorCode0x80092013/Data
    Binary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inary
    /EventData
    /Event

    Running a Certutil -TCAInfo command, I get this:

    ===============================================================
    CA Name: EXCHANGE
    Machine Name: NEWCA.MY.LAN
    DS Location: CN=EXCHANGE,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MY,DC=LAN
    Cert DN: CN=EXCHANGE, DC=MY, DC=LAN
    CA Registry Validity Period: 2 Years -- 11/05/2014 4:49 p.m.
    NotAfter: 24/03/2017 7:38 a.m.
    Connecting to NEWCA.MY.LAN\EXCHANGE ...
    Server EXCHANGE ICertRequest2 interface is alive
    Enterprise Root CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=EXCHANGE, DC=MY, DC=LAN
    NotBefore: 23/03/2012 7:29 a.m.
    NotAfter: 24/03/2017 7:38 a.m.
    Subject: CN=EXCHANGE, DC=MY, DC=LAN
    Serial: 2305fccace68e1ba4f407e110bdc05ba
    0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
    Full chain:
    0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
    Issuer: CN=EXCHANGE, DC=MY, DC=LAN
    NotBefore: 23/03/2012 7:29 a.m.
    NotAfter: 24/03/2017 7:38 a.m.
    Subject: CN=EXCHANGE, DC=MY, DC=LAN
    Serial: 2305fccace68e1ba4f407e110bdc05ba
    0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
    ------------------------------------
    Supported Certificate Templates:
    Cert Type[0]: CodeSigning (Code Signing)
    Cert Type[1]: Copy of RAS and IAS Server (Copy of RAS and IAS Server)
    Cert Type[2]: DirectoryEmailReplication (Directory Email Replication)
    Cert Type[3]: DomainControllerAuthentication (Domain Controller Authentication)
    Cert Type[4]: EFSRecovery (EFS Recovery Agent)
    Cert Type[5]: EFS (Basic EFS)
    Cert Type[6]: DomainController (Domain Controller)
    Cert Type[7]: WebServer (Web Server)
    Cert Type[8]: Machine (Computer)
    Cert Type[9]: User (User)
    Cert Type[10]: SubCA (Subordinate Certification Authority)
    Cert Type[11]: Administrator (Administrator)
    Validated Cert Types: 12
    ================================================================
    NEWCA.MY.LAN\EXCHANGE:
    Enterprise Root CA
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
    Online
    If I point the Wireless AP to a different NPS server it works fine, so it's something on this particular one (have uninstalled and reinstalled NPS).
    Something obviously still a little screwy - any suggestions?

    DB:2.37:Nps Server: A Certification Chain Processed Correctly, But One Of The Ca Certificates Is Not Trusted By The Policy Provider mj

    Yes, please remove old CDP path and add correct path.

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • RELEVANCY SCORE 2.37

    DB:2.37:Rdp Ssl Failed A Revocation Check Could Not Be Performed On This Certificate k3


    Been searching all morning for a resolution to this with no luck.
    Topology:

    Offline Root CA (Windows 2012)
    Enterprise Subordinate CA (Windows 2012)
    Current Issue:

    Deployed certificate template and setup for Windows 7 / Windows 2012 to secure RDP sessions with SSL (used this http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html)
    RDP Security set to Negotiate (since there is a certificate present, it defaults to SSL)
    When connecting from a Windows 7/8 client that is NOT domain joined to Windows 7/2012 via RDP, am presented with a warning/failure that A revocation check could not be performed on this certificate
    Troubleshooting steps already taken:

    Verified that the CDP and AIA settings for all certificates (server and subCA) are pointed to http://certificates.domain.com/pki
    Verified that the URL has the allowDoubleEscaping=True flag set within IIS
    Verified permissions to write to the directory and share
    Verified IIS authentication set to Anonymous
    Verified non-domain joined client computers can successfully read published CRLs
    Verified all proper CRLs and delta CRLs are being published
    From a domain-joined computer, this does not happen
    Verified that the computer which is impacted by this does have all root and sub certs installed in correct stores on the local computer
    Tried to save .rdp connection file and update the setting for credSSP with no luck
    Verified all certificates visually check out, nothing expired, all certificates present
    Ran certutil -url against one of my rdpAuth certificates, all URLs check out
    Ran certutil -verify -urlfetch against the same rdpAuth certificate, I get the following output (bolding mine):

    PS C:\> certutil -verify -urlfetch sfxxxxad01.cer
    Issuer:
    CN=domainSubCA
    DC=domain
    DC=com
    Name Hash(sha1): 1d446a6b39e7014d113319d1a22f74523a10a597
    Name Hash(md5): 16d7a89801f784479045ce3c8c5693fb
    Subject:
    CN=sfxxxxad01.domain.com
    Name Hash(sha1): fd94f9031c4082755c836f3c28fb6d7597efcccc
    Name Hash(md5): ac2a34cdb755bf174dd92869cda9cb6c
    Cert Serial Number: 6d0000019999ee0fc78f46427d000000000199

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=domainSubCA, DC=domain, DC=com
    NotBefore: 6/13/2013 11:56 AM
    NotAfter: 6/13/2015 11:56 AM
    Subject: CN=sfxxxxad01.domain.com
    Serial: 6d0000019999ee0fc78f46427d000000000199
    SubjectAltName: DNS Name=sfxxxxad01.domain.com
    Template: domainRemoteDesktopServerAuth
    cb c6 fd 8f 3a cf 0e 0e 75 79 4e 8e 7f d7 d4 e8 28 55 3f ca
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified Certificate (0) Time: 0
    [0.0] http://certificates.domain.com/pki/sfxxxxpki02.domain.com_domainSubCA.crt

    ---------------- Certificate CDP ----------------
    Expected Base CRL Delta CRL (26) Time: 0
    [0.0] http://certificates.domain.com/pki/domainSubCA.crl

    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    Application[0] = 1.3.6.1.4.1.311.54.1.2 Remote Desktop Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=domainRootCA
    NotBefore: 5/29/2013 11:31 PM
    NotAfter: 5/29/2023 11:41 PM
    Subject: CN=domainSubCA, DC=domain, DC=com
    Serial: 3000000002216518440a315c0b000000000002
    Template: SubCA
    cb f7 3c 87 7c 29 a4 95 e9 7d ad 74 60 63 0b f0 fe 78 c5 12
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified Certificate (0) Time: 0
    [0.0] http://certificates.domain.com/pki/sfxxxxpki01_domainRootCA.crt

    ---------------- Certificate CDP ----------------
    Verified Base CRL (02) Time: 0
    [0.0] http://certificates.domain.com/pki/domainRootCA.crl

    ---------------- Base CRL CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    CRL 02:
    Issuer: CN=domainRootCA
    ThisUpdate: 5/29/2013 9:26 PM
    NextUpdate: 11/28/2013 9:46 AM
    a7 e4 d2 ec b7 56 ee 6a 55 df 20 f2 8e 31 ca 2e f4 4d d2 a9
    Issuance[0] = 1.2.3.4.1455.67.89.5

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=domainRootCA
    NotBefore: 5/29/2013 9:08 PM
    NotAfter: 5/29/2033 9:18 PM
    Subject: CN=domainRootCA
    Serial: 1bda28d10cdb878345810344527c3c5e
    b1 74 73 fd 92 3c df 84 ee 2e 04 d9 c1 42 85 97 f9 f0 56 c8
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    Issuance[0] = 1.2.3.4.1455.67.89.5

    Exclude leaf cert:
    4a ac 1a b3 f6 95 f6 3c 11 fc 2d a9 a7 83 c6 9a 01 79 cb 2f
    Full chain:
    9e 09 5d fe 89 2c 20 d3 77 79 cd 39 cd 40 0f 63 ca a8 3b f4
    Issuer: CN=domainSubCA, DC=domain, DC=com
    NotBefore: 6/13/2013 11:56 AM
    NotAfter: 6/13/2015 11:56 AM
    Subject: CN=sfxxxxad01.domain.com
    Serial: 6d0000019999ee0fc78f46427d000000000199
    SubjectAltName: DNS Name=sfxxxxad01.domain.com
    Template: domainRemoteDesktopServerAuth
    cb c6 fd 8f 3a cf 0e 0e 75 79 4e 8e 7f d7 d4 e8 28 55 3f ca
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline

    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

    CertUtil: -verify command completed successfully.
    So, to me, everything checks out, but still seeing this issue with non-domain computers, even though the URL for the distribution point is fully accessible and all the certificates are there. This PKI was planned appropriately, even the offline rootCA is publishing correctly to the same distribution point.
    Any guidance would be appreciated!
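    As an added example (not from the thread, and not a Microsoft tool), a Python parser for the certutil -verify dump above: it decodes the dwInfoStatus/dwErrorStatus bitmasks and reports, per chain element, which revocation bits are set and which CDP/OCSP URLs certutil tried. SAMPLE_DUMP is a constructed excerpt of the output above; the error bits beyond the two printed there are the wincrypt.h CERT_TRUST_* values.

```python
import re
from dataclasses import dataclass, field

# Bit names as printed in the dump above, plus a few other wincrypt.h CERT_TRUST_* values.
INFO_FLAGS = {
    0x2: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x4: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x8: "CERT_TRUST_IS_SELF_SIGNED",
    0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}
ERROR_FLAGS = {
    0x4: "CERT_TRUST_IS_REVOKED",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
REVOCATION_BITS = 0x40 | 0x1000000

ELEMENT_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]:\s*dwInfoStatus=([0-9a-f]+)\s*dwErrorStatus=([0-9a-f]+)", re.I)
SECTION_RE = re.compile(r"^-+\s*(.*?)\s*-+$")  # "---- Certificate CDP ----" or a bare dashed line
URL_RE = re.compile(r"^\[\d+\.\d+\]\s+(\S+)$")  # "[0.0] http://..."


@dataclass
class ChainElement:
    index: int
    info: int
    error: int
    subject: str = ""
    issuer: str = ""
    urls: dict = field(default_factory=dict)  # section name -> URLs certutil tried


def decode_flags(value, table):
    """Expand a dwInfoStatus/dwErrorStatus mask into names; unnamed bits stay visible."""
    known = sum(table)  # keys are distinct single bits, so their sum is their OR
    names = [name for bit, name in sorted(table.items()) if value & bit]
    if value & ~known:
        names.append("UNKNOWN(0x%x)" % (value & ~known))
    return names


def parse_certutil_chain(text):
    """Parse the CertContext[i][j] blocks of a 'certutil -verify' dump into ChainElements."""
    elements, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Exclude leaf cert:"):
            break  # after this certutil re-prints the leaf for the hash lines
        m = ELEMENT_RE.match(line)
        if m:
            current = ChainElement(int(m[1]), int(m[2], 16), int(m[3], 16))
            elements.append(current)
            section = None
            continue
        if current is None:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m[1] or None  # a bare dashed line closes the section
            if section:
                current.urls.setdefault(section, [])
            continue
        if line.startswith("Subject:") and not current.subject:
            current.subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and not current.issuer:
            current.issuer = line.split(":", 1)[1].strip()  # CRL blocks print Issuer: too
        elif section:
            m = URL_RE.match(line)
            if m:
                current.urls[section].append(m[1])
    return elements


def revocation_problems(elements):
    """Elements whose status says revocation is undetermined, with the CDP/OCSP URLs tried."""
    return [{"subject": el.subject, "errors": decode_flags(el.error, ERROR_FLAGS),
             "cdp": el.urls.get("Certificate CDP", []), "ocsp": el.urls.get("Certificate OCSP", [])}
            for el in elements if el.error & REVOCATION_BITS]


# Constructed excerpt of the dump above (same status values, most lines dropped).
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domainSubCA, DC=domain, DC=com
  Subject: CN=sfxxxxad01.domain.com
  ---------------- Certificate CDP ----------------
  [0.0] http://certificates.domain.com/pki/domainSubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs None Time: 0
  --------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=domainRootCA
  Subject: CN=domainSubCA, DC=domain, DC=com
  Issuer: CN=domainRootCA
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=domainRootCA
Exclude leaf cert:
"""
```

    Run it over the full dump pasted above and the only element carrying REVOCATION_STATUS_UNKNOWN and IS_OFFLINE_REVOCATION is the leaf, whose only revocation source is the domainSubCA.crl CDP URL.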

    DB:2.37:Rdp Ssl Failed A Revocation Check Could Not Be Performed On This Certificate k3

    Hi Justin,
    Thank you for sharing your finding with us. The OCSP related troubleshooting is precious supplement to the Forum. Thank you for your valuable contribution!

    Thanks, Brian

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • RELEVANCY SCORE 2.37

    DB:2.37:Directaccess Server 2012 - Ipsec Not Working 1x


    I had DA working in 2008R2 Win7. I turned off that server and disabled the GPO's that were created. I installed Server2012 with 1 NIC (same servername as 2008 server). I joined it to the domain and obtained a computer cert for it from my internal enterprise CA. I have moved the public IP's behind a 1 to 1 NAT. On the Operations Status page it indicates that IPsec is critical. There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess Configuration. For a resolution I'm supposed to make sure:
    1. Cert not expired (expires in 2016)
    2. Should have a private key (might be this one)
    3. Should be configured to be used for Client Authentication (perhaps)
    4. Should chain to the root/intermediate cert. (it is the root!)

    The cert that is selected is my Enterprise Root CA (we don't have an intermediate CA).

    Powershell Get-DAServer shows this
    PS C:\Users\administrator.mydomain Get-DAServer

    DAInstallType : FullInstall
    InternetInterface : Ethernet
    InternalInterface : Ethernet
    ConnectToAddress : Home.mypublicdomain.com
    SslCertificate : [Subject]
    CN=*.mypublicdomain.com, OU=Secure Link SSL Wildcard, OU=IT, O=My Business Name, STREET=35My Rd, STREET=Suite , L=Columbus, S=OH, PostalCode=12345, C=US
    [Issuer]
    CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C.,
    C=US
    [Serial Number]
    46XXXXXXXXXXXXXXXXXXXX99C54XXXXX
    [Not Before]
    4/8/2012 8:00:00 PM
    [Not After]
    3/27/2014 7:59:59 PM
    [Thumbprint]
    F9XXXXXXXXXXXXXXXXXXXX773674A45XXXXXXXXD
    GpoName : mydomain.local\DirectAccess Server Settings
    InternalIPv6Prefix : {xxxx:yyyy:6821:1::/64}
    ClientIPv6Prefix : xxxx:yyyy:6821:1000::/64
    UserAuthentication : UserPasswd
    ComputerCertAuthentication : Enabled
    IPsecRootCertificate : [Subject]
    CN=CompCA, DC=mydomain, DC=local
    [Issuer]
    CN=CompCA, DC=mydomain, DC=local
    [Serial Number]
    6949XXXXXXXXXXXXXXXXXXXXXXXX3FF5
    [Not Before]
    8/12/2009 3:11:36 PM
    [Not After]
    8/12/2016 3:21:34 PM
    [Thumbprint]
    B9XXXXXXXXXXXXXXXXXXXX95642B978XXXXXXXXX
    IntermediateRootCertificate : False
    TeredoState : Disabled
    IsSingleNic : True
    IsNatDeployed : True
    HealthCheck : Disabled

    How can I fix this? Do I have the wrong certificate selected for the IPsec cert? If so, how do I change it? I can purchase a new public cert or obtain a new cert from my internal CA. I'd rather not set up an intermediate CA if I don't have to.

    DB:2.37:Directaccess Server 2012 - Ipsec Not Working 1x

    That was my understanding, but let me check...the IPsec/AuthIP code may specifically look for specific EKUs or something...

    Jason Jones | Security Consultant | Microsoft Consultant Services (MCS)

  • RELEVANCY SCORE 2.36

    DB:2.36:Do Certificates Genrated By Fedutil.Exe Have To Be Installed On All Development Machines? 93


    Or what is FedUtil.exe doing?
    I have created a Relying party app, and then I used the Set STS Reference choosing the create new STS server option. I have copied these applications to a different development server. The result is I get an Error: The issuer of the security Token was not recognised by the IssuerName Registry. To accept security tokens from this issuer Configure the IssuerNameRegistry to return a valid name for this issuer. If I look in my web.config the configuration is unchanged. Is it because the FedUtil installs the certificate being used on the first development machine? Do I have another problem? Do I need to install the cert on the second development machine?
    I thought the FederationMetadata.xml file in the STS website contained all of the needed configuration (for development). Is this true?

    DB:2.36:Do Certificates Genrated By Fedutil.Exe Have To Be Installed On All Development Machines? 93

    It may just be easier to generate the Federation Metadata dynamically in this case for the STS. I did a quick write up on how to do it a few months ago:

    http://blogs.objectsharp.com/cs/blogs/steve/archive/2010/11/04/generating-federation-metadata-dynamically.aspx

    Developer Security MVP | http://www.steveonsecurity.com

  • RELEVANCY SCORE 2.36

    DB:2.36:Exchange 2010 And Outlook 2010 Certificate Error pf


    We have an Exchange 2010 mailbox server at a remote site with the CAS role loaded on it. Outlook Anywhere is not configured for that site at all as there is no local internet connection. We find that when connecting to this site remotely, people are getting a certificate error "The server certificate was issued by a company you have not chosen to trust"; the FQDN internal name of the server is displayed and correct. Site affinity is set up to focus on this CAS server and we are using a CAS Cluster alias at the site. We are using the default self signed cert as this server does not need to be accessed directly from the internet. There are no Exchange 2007 CAS servers brokering the connection, it's all Exchange 2010 SP3.

    The self signed cert is current and does indeed match the internal FQDN of the server
    Checking Get-ClientAccessServerAutoDiscoverServiceInternalUri is set to the internal fqdn
    Below shows the output from Get-ExchangeCertificate
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Federation}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=Federation
    NotAfter : 6/14/2018 1:41:00 AM
    NotBefore : 6/14/2013 1:41:00 AM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 15632891161DC396469D023{Not Showing}
    Services : SMTP
    Status : Valid
    Subject : CN=Federation
    Thumbprint : EEBA66E40601F56844816A{Not Showing}
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {EX02, EX02.sherrittogp.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=EX02
    NotAfter : 5/1/2018 11:51:04 AM
    NotBefore : 5/1/2013 11:51:04 AM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 7F10845AAB587DB944{Not Showing}
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    Subject : CN=EX02
    Thumbprint : 658F976F5B38600B3CFDD7BC4{Not Showing}

    DB:2.36:Exchange 2010 And Outlook 2010 Certificate Error pf

    Hi,
    Please install the self-signed certificate from the Exchange 2010 server in remote site into the Trusted Root Certification Authority store on the workstation.
    For more detailed steps, please refer to the following KB:
    http://support.microsoft.com/kb/2006728/en-us
    Just for your reference, in a multiple sites scenario, it’s not recommended to use an Exchange self-signed certificate. A third-party SAN certificate is great. At least, you can use an Enterprise CA.
    Thanks,
    Winnie

  • RELEVANCY SCORE 2.36

    DB:2.36:Propagation Of Saml Assertions cs


    The steps for using SSO with SAML, are here:
    http://download.oracle.com/docs/cd/B25221_01/web.1013/b15979/adminasc.htm#BABJJBBB
    In step 3a it says:
    Set the oracle.security.wss.propagate.identity property at the port level to true.
    <property name="oracle.security.wss.propagate.identity" value="true"/>

    I don't know where exactly I should do this. My stub xml looks like this:
    <webservice-client>
      <service-qname namespaceURI="http://project1/" localpart="sayFiveMethod"/>
      <port-info>
        <wsdl-port .../>
        <runtime enabled="security">
          <security>
            <inbound/>
            <outbound>
              <saml-token issuer-name="mycompany" name="mycompany" name-format="...">
                <subject-confirmation-method>
                  <confirmation-method>SENDER-VOUCHES</confirmation-method>
                </subject-confirmation-method>
              </saml-token>
            </outbound>
          </security>
        </runtime>
        <operations>
          <operation name='sayFive'>
            <runtime>
              <security>
                <inbound/>
                <outbound>
                  <saml-token ...>
                  </saml-token>
                </outbound>
              </security>
            </runtime>
          </operation>
        </operations>
      </port-info>
    </webservice-client>

    Where exactly should I put the tag?
    Best Regards
    Farbod

    DB:2.36:Propagation Of Saml Assertions cs

    Yes -- no application code is required, only the discussed property value setting in the JAX-RPC client configuration stub.

    -Todd

  • RELEVANCY SCORE 2.36

    DB:2.36:2 Way Ssl Configuration xp



    Hi
    I would like to get help on configuring 2 way SSL in weblogic 8.1.2. I tried the
    default certificates and keystores provided. Only changed to Client Certs Requested
    and enforced. Then added the trusted.crt and CertGenCA.der to the client browser.

    After these configurations I tried to access a webapplication through https. After
    a while I am getting a warning message on the console as follows

    [java] Feb 24, 2004 6:35:18 PM GMT+05:30 Warning Security BEA-090508 Certificate chain received from deepak - 192.168.3.87 was incomplete.
    [java] Feb 24, 2004 6:35:18 PM GMT+05:30 Warning Security BEA-090477 Certificate chain received from deepak - 192.168.3.87 was not trusted causing SSL handshake failure.

    Also page cannot be displayed error is coming on the browser..

    I tried the ssl2way webservice example from weblogic it is giving the result even
    though the following warning is coming on the client window
    [java] Warning: cert chain incomplete
    [java] Warning: cert chain untrusted
    [java] Warning: subject (deepak, OU=FOR TESTING ONLY, O=MyOrganization, L=M
    yTown, ST=MyState, C=US) does not match server name (null)

    Pls help to solve this problem

    Thanks in advance
    Deepak

    DB:2.36:2 Way Ssl Configuration xp


    Do your security policies work when you access the page over non-ssl port with
    the non-certificate-based authentication? Make sure they are working, then configure
    WL to use certificate based authentication, and try to access the page over two-way
    ssl using the certificate. IdentityAsserter should map your certificate to a WL
    user according to the rule you specified. After that everything should work the
    same way as with the usual login.

    This page lists configuration steps for different types of user authentication:
    http://e-docs.bea.com/workshop/docs81/doc/en/portal/security/securityAuthentication.html

    Pavel.

    "Deepak" deepakkm@aalayance.com wrote:

    Thanks.. I used the CLIENT-CERT as authentication method in the web.xml
    and in
    the realm i configured for "ALL EJB and WebApplication". Then protected
    the deployed
    web app with a scoped policy by mentioning that all administrators can
    access.
    Now if i create a user with the same as in the subject of the personal
    certificate,
    i am able to access the web application irrespective of his group. Can
    you pls
    tell me abt. this abnormal behaviour? Or do i need to configure somewhere
    else?
    Thanks in advance
    Deepak

    "Pavel" PavelS@no.spam wrote:
    You were able to connect to the server over 2-way ssl, because the server
    is configured
    to trust verisign CA. This is not the same as being authenticated on
    the server,
    though you could configure the server to use the certificate for authentication.
    See documentation about the IdentityAsserter on this.
    When using the default demo SSL configuration the server trusts the weblogic
    Demo
    CA from DemoTrust.jks keystore, and the ca certs from the jdk cacerts
    keystore
    (this is where the verisign CA cert is). This configuration should be
    used only
    for development. The Demo CA private key is shipped with Weblogic. So
    anyone could
    use it to issue a certificate which will be trusted by your server.

    Pavel.

    "Deepak" deepakkm@aalayance.com wrote:
    Thanks a lot... I downloaded a trial personal certificate from verisign
    and it
    worked..
    But I am having a doubt that if any one downloads such trial certificate,
    can
    access the weblogic
    resources as authenticated user..Is it a right approch? Is it because
    i am using
    the demo certificate in weblogic? If in production enveronment a real
    certificate
    is used this type of threts will happen?
    Thanks in advance
    Deepak

    "Pavel" PavelS@no.spam wrote:
    The connection fails because "Required peer certificates not supplied
    by peer".
    I.e. the browser did not send the identity certificate. If you are using
    IExplorer
    you will need to import an identity certificate/private key in pkcs12
    format.
    You could use weblogic utils.CertGen tool to generate a certificate/key
    files,
    and then use openssl or some other tool to convert them to pkcs12.

    The hostname verification property in the WLS administration console
    applies only
    to the SSL clients running on the WL server. Your browser might have
    its own configuration
    for this.

    Pavel.

    "Deepak" deepakkm@aalayance.com wrote:
    Hi,
    I am able to open the application page with 1 way SSL. But on 2 way SSL
    it is
    failing during the SSL handshake. I put the host name verification to
    none. The
    exact messages i am getting while started weblogic with debug option as
    follows

    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 writeHANDSHAKE offset = 0 length = 4370
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 writeHANDSHAKE offset = 0 length = 4
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 SSLFilter.isActivated: false
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 isMuxerActivated: false
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 SSLFilter.isActivated: false
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 749595readRecord()
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 749595SSL3/TLS MAC
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 749595received HANDSHAKE
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 HANDSHAKEMESSAGE: Certificate
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 validationCallback: validateErr = 16
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Required peer certificates not supplied by peer
    Feb 25, 2004 11:50:31 AM GMT+05:30 Warning Security BEA-090508 Certificate chain received from deepak - 192.168.3.87 was incomplete.
    Feb 25, 2004 11:50:31 AM GMT+05:30 Warning Security BEA-090477 Certificate chain received from deepak - 192.168.3.87 was not trusted causing SSL handshake failure.
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Validation error = 20
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Certificate chain is incomplete
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Certificate chain is untrusted
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Userdefined JSSE trustmanagers not allowed to override
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 SSLTrustValidator returns: 84
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 Trustfailure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED
    Feb 25, 2004 11:50:31 AM GMT+05:30 Debug TLS 000000 NEWALERT: com.certicom.tls.record.alert.Alert@18d77fe Severity: 2 Type: 40
    java.lang.Throwable: Stack trace
    at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

    Thanks
    Deepak

    "Pavel" PavelS@no.spam wrote:
    Were you able to open the application page over 1 way SSL?
    For 2 way SSL, have you set the browser's identity certificate/private
    key?
    The last warning indicates that the server's certificate is failing the
    hostname
    verification check: the host name in the URL does not match the CN
    field
    value
    of the certificate. Different browsers can handle this differently. IExplorer
    opens a warning dialog and allows to ignore this warning and connect.

    Pavel.

    "Deepak" deepakkm@aalayance.com wrote:
    Hi
    I would like to get help on configuring 2 way SSL in weblogic 8.1.2.
    I tried the
    default certificates and keystores provided. Only changed to Client Certs
    Requested
    and enforced. Then added the trusted.crt and CertGenCA.der to the client
    browser.

    After these configurations I tried to access a webapplication through
    https. After
    a while I am getting a warning message on the console as follows

    [java] Feb 24, 2004 6:35:18 PM GMT+05:30 Warning Security
    BEA-090508
    Certificate chain received from deepak - 192.168.3.87 was incomplete.
    [java] Feb 24, 2004 6:35:18 PM GMT+05:30 Warning Security
    BEA-090477
    Certificate chain received from deepak - 192.168.3.87 was not trusted
    causing
    SSL handshake failure.

    Also page cannot be displayed error is coming on the browser..

    I tried the ssl2way webservice example from weblogic it is giving the
    result even
    though the following warning is comming on the client window
    [java] Warning: cert chain incomplete
    [java] Warning: cert chain untrusted
    [java] Warning: subject (deepak, OU=FOR TESTING ONLY, O=MyOrganization,
    L=M
    yTown, ST=MyState, C=US) does not match server name (null)

    Pls help to solve this problem

    Thanks in advance
    Deepak

  • RELEVANCY SCORE 2.35

    DB:2.35:Unable To Establish Ssl Session With Mutual Authentication On Vista/Server 2008 dc


    Hi, I'm attempting to call an external web service that requires SSL and uses client certificate authentication. I am able to successfully do this on Windows XP and Server 2003, but the code will not work on Vista/Server 2008. The web service call returns an exception The request was aborted: Could not create SSL/TLS secure channel. I've confirmed the user account that is running the client code has read and write access to the client cert's private key, and that the certificate for the issuing CA (same for both ends) is installed. I've enabled a debug trace; the code successfully reads the cert and key from the store, then the following happens:

    System.Net Information: 0 : [4140] SecureChannel#11622431 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [4140] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
    System.Net Information: 0 : [4140] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4dfba60:15852f0, targetName = datapower.test.eai.srv.westpac.com.au, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [4140] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=InternalError).
    System.Net.Sockets Verbose: 0 : [4140] Socket#59312024::Dispose()
    System.Net Error: 0 : [4140] Exception in the HttpWebRequest#23397093:: - The request was aborted: Could not create SSL/TLS secure channel.
    System.Net Error: 0 : [4140] Exception in the HttpWebRequest#23397093::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel.

    The following Audit Failure event is logged in the Windows security log:

    Cryptographic operation.
    Subject:
      Security ID: account details
      Account Name: account name
      Account Domain: domain
      Logon ID: logonID
    Cryptographic Parameters:
      Provider Name: Microsoft Software Key Storage Provider
      Algorithm Name: RSA
      Key Name: {25957D21-7338-42F4-950A-22513D14CA38}
      Key Type: Machine key.
    Cryptographic Operation:
      Operation: Sign hash.

    To try to debug further I put together code that establishes a TCP connection then tries to set up an SSL session (see below). This code returns an exception: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. --- System.ComponentModel.Win32Exception: The Local Security Authority cannot be contacted, and the same event as above is logged in the Security event log. Here's the code:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Net.Sockets;
    using System.Net.Security;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    namespace ConsoleApplication1
    {
        class Program
        {
            // The following method is invoked by the RemoteCertificateValidationDelegate.
            public static bool ValidateServerCertificate(
                object sender,
                X509Certificate certificate,
                X509Chain chain,
                SslPolicyErrors sslPolicyErrors)
            {
                if (sslPolicyErrors == SslPolicyErrors.None)
                    return true;

                Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

                // Do not allow this client to communicate with unauthenticated servers.
                return false;
            }

            public static X509Certificate SelectLocalCertificate(
                object sender,
                string targetHost,
                X509CertificateCollection localCertificates,
                X509Certificate remoteCertificate,
                string[] acceptableIssuers)
            {
                Console.WriteLine("Client is selecting a local certificate.");
                if (acceptableIssuers != null &&
                    acceptableIssuers.Length > 0 &&
                    localCertificates != null &&
                    localCertificates.Count > 0)
                {
                    // Use the first certificate that is from an acceptable issuer.
                    foreach (X509Certificate certificate in localCertificates)
                    {
                        string issuer = certificate.Issuer;
                        if (Array.IndexOf(acceptableIssuers, issuer) != -1)
                            return certificate;
                    }
                }
                if (localCertificates != null &&
                    localCertificates.Count > 0)
                    return localCertificates[0];

                return null;
            }

            static void Main(string[] args)
            {
                // Get the client cert name to use for certificate auth
                string certName = "DN of the client cert for authentication";
                TcpClient client;
                SslStream sslStream;

                // load the cert from the personal machine store
                X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
                store.Open(OpenFlags.ReadOnly);

                X509Certificate2 cert = null;
                X509Certificate2Collection certs = (X509Certificate2Collection)store.Certificates;

                foreach (X509Certificate2 computerCert in certs)
                {
                    if (computerCert.Subject.ToString() == certName)
                    {
                        cert = computerCert;
                    }
                }
                if (cert == null)
                {
                    throw new Exception("Error: Certificate with subject name " + certName + " could not be loaded from the personal cert store of this machine");
                }
                else
                {
                    // Create a TCP/IP client socket.
                    // machineName is the host running the server application.
                    client = new TcpClient("target server", 7163);
                    Console.WriteLine("Client connected.");
                    // Create an SSL stream that will close the client's stream.
                    sslStream = new SslStream(
                        client.GetStream(),
                        false,
                        new RemoteCertificateValidationCallback(ValidateServerCertificate),
                        new LocalCertificateSelectionCallback(SelectLocalCertificate)
                        );
                    // The server name must match the name on the server certificate.
                    try
                    {
                        Console.WriteLine(SslProtocols.Default.ToString());
                        sslStream.AuthenticateAsClient("target server", certs, SslProtocols.Default, true);
                        client.Close();
                    }
                    catch (AuthenticationException e)
                    {
                        Console.WriteLine("Exception: {0}", e.Message);
                        if (e.InnerException != null)
                        {
                            Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
                        }
                        Console.WriteLine("Authentication failed - closing the connection.");
                        client.Close();
                        Console.ReadLine();
                        return;
                    }
                }
                Console.ReadLine();
            }
        }
    }

    I've confirmed that the web service I'm calling supports SSL3 and TLS so I don't think the SSL protocol version is the problem.   Any ideas what I'm doing wrong?

    DB:2.35:Unable To Establish Ssl Session With Mutual Authentication On Vista/Server 2008 dc

    Did you find a solution to this Keith?  A google search led by an odd route (http://community.codemasters.com/forum/showthread.php?t=349887) to a report of an Avast virus checker false positive?  Anything to do with that?!

    http://www.alanjmcf.me.uk/ Please follow-up in the newsgroup. If I help, mark the question answered

  • RELEVANCY SCORE 2.35

    DB:2.35:Dps Cert San Request 81


    I am running dsee 11.1.1.7.0 directory proxy server. Is there a way to request a cert with a dns alias, also known as a Subject Alternative Name (SAN)? Or am I stuck creating the cert with a SANS name on my CA, importing the cert and letting the system define the cert alias? Thanks

    DB:2.35:Dps Cert San Request 81

    We decided to add the subject alternative names from the CA to the cert requests from the proxy.

  • RELEVANCY SCORE 2.35

    DB:2.35:Cisco Vpn Client And Certificates p1



    I have been stuck with this issue for the last 2 days now. Everything looks configured here; I configured a router to be the CA server. I used another IOS device to get a CA from it and it works very fine with NTP set up along with timezones. However, when I do it with the Cisco VPN Client software it says

    Error 42 : Unable to create certificate enrollment request .

    Clock and timezone perfectly match the CA server. The URL I tried was http://ip_address/cgi-bin/pkiclient.exe. The VPN Client is 5.x. I did some debugs (crypto pki trans) and got the following messages there

    Oct  7 03:41:02.255: ../cert-c/source/p7encryp.c(368) : E_DATA : generic data error

    Oct  7 03:41:02.259: ../cert-c/source/p7spprt.c(2030) : E_INPUT_DATA : invalid encoding format for input data

    Below are some show commands :

    Rack1R3#sh crypto pki certificates

    CA Certificate

      Status: Available

      Certificate Serial Number: 0x1

      Certificate Usage: Signature

      Issuer:

        cn=cisco

      Subject:

        cn=cisco

      Validity Date:

        start date: 08:34:27 KHI Oct 7 2011

        end   date: 08:34:27 KHI Oct 6 2014

      Associated Trustpoints: cisco

    Rack1R3#sh crypto pki server

    Certificate Server cisco:

        Status: enabled

        State: enabled

        Server's configuration is locked  (enter "shut" to unlock it)

        Issuer name: CN=cisco

        CA cert fingerprint: 71314758 587A132C A4527FC1 1F80B73B

        Granting mode is: auto

        Last certificate issued serial number: 0x2

        CA certificate expiration timer: 08:34:27 KHI Oct 6 2014

        CRL NextUpdate timer: 14:34:28 KHI Oct 7 2011

        Current primary storage dir: nvram:

        Database Level: Minimum - no cert data written to storage

    DB:2.35:Cisco Vpn Client And Certificates p1


    Read the below how to

    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc6.html

  • RELEVANCY SCORE 2.35

    DB:2.35:Exchange 2007 Activesync Error - Motorola Q Verizon ap


    I moved my mailbox from Exchange 2003 to Exchange 2007, synced my Motorola Q and everything worked fine.  Syncing over USB and OTA was great.
    Then I worked on getting Outlook Anywhere going.  Unfortunately, I hit renew certificate under IIS and my Q quit syncing (Security Certificate on the server is invalid. 0x80072F0D)
    So I went to default web site and copied a new certificate and installed that on the Q.  Same error. 
    Here are the certificates that I have setup:
    Thumbprint                                Services  Subject
    ----------                                --------  -------
    E6C0BD5855D6F1D35367D872A1C4E449C185C28E  SIPUW      CN=mail
    8707C9BFA6DD72D51D1A0579A2CA400A61A1FF11  ...U.      CN=mail.xyz.com

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail, mail.xyz.com, autodiscover.xyz.com, exchange.xyz.com, webmail.xyz.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=cert, DC=xyz, DC=com
    NotAfter           : 2/26/2009 11:14:28 PM
    NotBefore          : 2/27/2007 11:14:28 PM
    PublicKeySize      : 2048
    SerialNumber       : 2A3F020700000000002A
    Status             : Valid
    Subject            : CN=mail
    Thumbprint         : E6C0BD5855D6F1D35367D872A1C4E449C185C28E

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.xyz.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=cert, DC=xyz, DC=com
    NotAfter           : 2/20/2008 2:55:26 PM
    NotBefore          : 2/20/2007 2:55:26 PM
    PublicKeySize      : 1024
    SerialNumber       : 14695F81000000000020
    Status             : Valid
    Subject            : CN=mail.xyz.com
    Thumbprint         : 8707C9BFA6DD72D51D1A0579A2CA400A61A1FF11

    DB:2.35:Exchange 2007 Activesync Error - Motorola Q Verizon ap

    We are looking at possibly choosing Verizon Wireless and the Motorola Q for our remote email access solution. However, I cannot get a definitive answer from anyone at Verizon as to whether their wireless network will allow traffic that is encrypted using Secure Client Mobile. I've had several cases where Verizon's DSL service did not seem to support Smart Client (in Baltimore and in the case of another user in Florida). Do you know of an instance where Smart Client Remote is being used successfully with Verizon Wireless?
     
    tanx
    Glenn White
    Washington, DC

  • RELEVANCY SCORE 2.35

    DB:2.35:Bea Webservice Client Has Problem In Talking To Secured Microsoft Webservic z8


    Hi,

    I am developing a BEA client (standalone java client using BEA 10 MP1 install) to invoke a microsoft secured webservice which requires a X509 token in the request. I am able to invoke the service successfully but can not validate the response which is signed by server.

    Here is the client code, I am using -

    *************
    import javax.xml.rpc.ServiceException;
    import javax.xml.rpc.Stub;

    import weblogic.security.SSL.TrustManager;
    import weblogic.xml.crypto.wss.provider.CredentialProvider;
    import weblogic.xml.crypto.wss.WSSecurityContext;
    import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
    import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
    import weblogic.wsee.security.util.CertUtils;

    import java.util.List;
    import java.util.ArrayList;
    import java.security.cert.X509Certificate;

    import com.accenture.tarpon.*;

    public class Test {
    public static void main(String[] args) throws Exception {

    String username = args[2];
    String password = args[3];
    String wsdl = args[4];

    String clientKeyStore=args[0];
    String clientKeyStorePass=args[1];
    String clientKeyAlias = args[5];
    String clientKeyPass = args[6];
    String serverCertFile = args[7];

    X509Certificate serverCert = (X509Certificate) CertUtils.getCertificate(serverCertFile);

    GetAddress service = new GetAddress_Impl(wsdl);
    Microsoft_X0020_GetAddress port = service.getBasicHttpBinding_Microsoft_X0020_GetAddress();
    List credProviders = new ArrayList();

    //client side BinarySecurityToken credential provider -- x509

    credProviders.add(new ClientBSTCredentialProvider(clientKeyStore, clientKeyStorePass,
    clientKeyAlias, clientKeyPass, "JKS", serverCert));

    credProviders.add(new ClientUNTCredentialProvider(username.getBytes(), password.getBytes()));

    Stub stub = (Stub)port;
    stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);

    stub._setProperty(WSSecurityContext.TRUST_MANAGER,
    new TrustManager(){
    public boolean certificateCallback(X509Certificate[] chain, int validateErr){
    //need to validate if the server cert can be trusted
    for (int i = 0; i < chain.length; i++) {
    System.out.println("Server cert chain: " + chain[i]);
    }
    return true;
    }
    }
    );

    System.out.println("\n\n *** before forming getAddressRequest \n\n");

    GetAddressRequest getAddressRequest = new GetAddressRequest();
    getAddressRequest.setTaxPayerID("MicrosoftGetAddressX509Sign_123");
    GetAddressResponse getAddressResponse = port.getTaxPayerAddress(getAddressRequest);
    System.out.println("\n\n *** after invocation getAddressRequest \n\n");
    printGetAddressResponse(getAddressResponse);

    }

    private static void printGetAddressResponse(GetAddressResponse getAddressResponse){

    System.out.println("\n\n ***** Response from MicrosoftGetAddressService : ***** ");
    System.out.println("\nAddress Line 1 - "+getAddressResponse.getAddressLine1());
    System.out.println("\nAddress Line 2 - "+getAddressResponse.getAddressLine2());
    System.out.println("\nCity - "+getAddressResponse.getCity());
    System.out.println("\nCompany - "+getAddressResponse.getCompany());
    System.out.println("\nState - "+getAddressResponse.getState());
    System.out.println("\nTaxPayerID - "+getAddressResponse.getTaxPayerID());
    System.out.println("\nZip - "+getAddressResponse.getZip());
    System.out.println("\nFirst Name - "+getAddressResponse.getTaxpayerFirstName());
    System.out.println("\nMiddle Name - "+getAddressResponse.getTaxpayerMiddleInitial());
    System.out.println("\nLast Name - "+getAddressResponse.getTaxpayerLastName());

    }
    }

    *************

    When I run this, I get this message -

    *****************
    [java] Exception in thread "main" java.rmi.RemoteException: SOAPFaultException - Faul
    tCode [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
    InvalidSecurity] FaultString [weblogic.xml.dom.marshal.MarshalException: weblogic.xml.cryp
    to.wss.WSSecurityException: Failed to validate signature.] FaultActor [null]No Detail; nes
    ted exception is:
    [java] javax.xml.rpc.soap.SOAPFaultException: weblogic.xml.dom.marshal.MarshalExc
    eption: weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
    [java] at com.accenture.tarpon.Microsoft_X0020_GetAddress_Stub.getTaxPayerAddress
    (Unknown Source)
    [java] at Test.main(Unknown Source)
    [java] Caused by: javax.xml.rpc.soap.SOAPFaultException: weblogic.xml.dom.marshal.Mar
    shalException: weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
    [java] at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:311)
    [java] at weblogic.wsee.ws.dispatch.client.CodecHandler.decodeFault(CodecHandler.
    java:114)
    [java] at weblogic.wsee.ws.dispatch.client.CodecHandler.decode(CodecHandler.java:
    99)
    [java] at weblogic.wsee.ws.dispatch.client.CodecHandler.handleFault(CodecHandler.
    java:87)
    [java] at weblogic.wsee.handler.HandlerIterator.handleFault(HandlerIterator.java:
    304)
    [java] at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.ja
    va:264)
    [java] at weblogic.wsee.ws.dispatch.client.ClientDispatcher.handleResponse(Client
    Dispatcher.java:193)
    [java] at weblogic.wsee.ws.dispatch.client.ClientDispatcher.dispatch(ClientDispat
    cher.java:148)
    [java] at weblogic.wsee.ws.WsStub.invoke(WsStub.java:89)
    [java] at weblogic.wsee.jaxrpc.StubImpl._invoke(StubImpl.java:332)
    [java] ... 2 more
    [java] Caused by: weblogic.xml.crypto.wss.WSSecurityException: weblogic.xml.dom.marsh
    al.MarshalException: weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signa
    ture.
    [java] at weblogic.wsee.security.wssp.handlers.WssClientHandler.processInbound(Ws
    sClientHandler.java:144)
    [java] at weblogic.wsee.security.wssp.handlers.WssClientHandler.processResponse(W
    ssClientHandler.java:130)
    [java] at weblogic.wsee.security.wssp.handlers.WssHandler.handleResponse(WssHandl
    er.java:128)
    [java] at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.ja
    va:282)
    [java] at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.ja
    va:266)
    [java] ... 6 more
    [java] Caused by: weblogic.xml.dom.marshal.MarshalException: weblogic.xml.crypto.wss.
    WSSecurityException: Failed to validate signature.
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.jav
    a:411)
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:375)
    [java] at weblogic.xml.crypto.wss11.internal.WSS11Factory.unmarshalAndProcessSecu
    rity(WSS11Factory.java:33)
    [java] at weblogic.wsee.security.wssp.handlers.WssClientHandler.processInbound(Ws
    sClientHandler.java:141)
    [java] ... 10 more
    [java] Caused by: weblogic.xml.crypto.wss.WSSecurityException: Failed to validate sig
    nature.
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(Secur
    ityImpl.java:576)
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.jav
    a:435)
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.jav
    a:399)
    [java] ... 13 more
    [java] Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
    [java] at weblogic.xml.crypto.dsig.SignedInfoImpl.validateSignature(SignedInfoImp
    l.java:112)
    [java] at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.jav
    a:233)
    [java] at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(Secur
    ityImpl.java:568)
    [java] ... 15 more
    [java] Caused by: weblogic.xml.crypto.api.KeySelectorException: weblogic.xml.crypto.w
    ss.WSSecurityException: Failed to resolve security token for issuer serial weblogic.xml.cr
    ypto.dsig.keyinfo.X509IssuerSerialImpl@df9095
    [java] at weblogic.xml.crypto.common.keyinfo.KeyResolver.setupKeyProviderFromCont
    ext(KeyResolver.java:312)
    [java] at weblogic.xml.crypto.common.keyinfo.KeyResolver.getKeyFromSTR(KeyResolve
    r.java:269)
    [java] at weblogic.xml.crypto.common.keyinfo.KeyResolver.select(KeyResolver.java:
    124)
    [java] at weblogic.xml.crypto.dsig.SignedInfoImpl.getVerifyKey(SignedInfoImpl.jav
    a:223)
    [java] at weblogic.xml.crypto.dsig.SignedInfoImpl.validateSignature(SignedInfoImp
    l.java:110)
    [java] ... 17 more
    [java] Caused by: weblogic.xml.crypto.wss.WSSecurityException: Failed to resolve secu
    rity token for issuer serial weblogic.xml.crypto.dsig.keyinfo.X509IssuerSerialImpl@df9095
    [java] at weblogic.xml.crypto.wss.BinarySecurityTokenHandler.getTokenByIssuerSeri
    al(BinarySecurityTokenHandler.java:147)
    [java] at weblogic.xml.crypto.wss.BinarySecurityTokenHandler.getSecurityToken(Bin
    arySecurityTokenHandler.java:81)
    [java] at weblogic.xml.crypto.common.keyinfo.KeyResolver.setupKeyProviderFromCont
    ext(KeyResolver.java:304)
    [java] ... 21 more

    *****************

    At the server side, Microsoft has imported client cert and also on the client side, I have imported server cert in jdk's cacerts file.

    Please help.

    Thanks in advance,
    Manoj

    DB:2.35:Bea Webservice Client Has Problem In Talking To Secured Microsoft Webservic z8

    Hello experts,

    Do you know is there a way to avoid "SSL handshake failure." error without importing a public key to the default keystore?

    When I access WebLogic WebServices over SSL from Service Control which is generated by WL WorkSpaces 10.2,
    it used default key and there is no additional key manipulation required.

    Is there any way to configure a flag to the service control or WL server to automatically trust the end point host.

    As far as I know at this point, I need to have the public key in PEM format and use keytool to import it into the client keystore file. Is this the only way to solve this handshake issue?

    Any pointers are appreciated. _J

  • RELEVANCY SCORE 2.35

    DB:2.35:Ssl Cert For Owa And Autdiscover x3



    Is it possible to have a cert for two websites on one server\ip? I have autodiscover.domain.com and exchange2010.domain.com on the same machine. When I go to the OWA site I get a warning, something like,

    In this case, the certificate has not been verified by a third party that your computer trusts, but I can proceed. And when a mobile device is set up manually it works. Depending on the device I get a similar cert warning, but I'm able to proceed and connect just fine. I figure once I move\reassign the cert from the old exchange server (from godaddy), it'll connect without the warning. The problem is autodiscover doesn't work. When I test it at www.testexchangeconnectivity.com I get the message below. My thought is that I need to get both autodiscover and exchange2010 on the same cert. I also read that I could somehow create the self signed cert and have another one of my servers, that has a standard cert from godaddy, verify it. Any suggestions/guidance?

    Test Steps
    Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.
    Test Steps
    Attempting to resolve the host name autodiscover.domain.com in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate
    from remote server autodiscover.domain.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=exchange2010.domain.com, Issuer: CN=domaincontroller, DC=domain, DC=com.
    Validating the certificate name.
    Certificate name validation failed.

    Additional Details
    Host name autodiscover.domain.com doesn't match any name found on the server certificate CN=exchange2010.domain.com.

    DB:2.35:Ssl Cert For Owa And Autdiscover x3

    I went to godaddy and bought a UCC, listed autodiscover.domain.com as the common name and then added the others as SANs. Now the SSL part works. I'm hoping that since I used autodiscover as the common name that I can rekey the cert and use it for the Exchange 2013 server when it gets turned on. I still have problems with Autodiscover giving me the info on mobile devices, but that's for another thread. Thanks for the help.

  • RELEVANCY SCORE 2.35

    DB:2.35:Ambiguity In Certificate Validation Path Construction z1


    Hello,
    I have two "root" certificates. Both have the same public key. The second one has a certificate policy restriction. So when I manually find the certification path for an end user certificate the path is uniquely defined. Windows gives me the same result.
    When I use java.security.cert.CertPathValidator this class randomly detects anchors (path). One time to the first root, next time to the second root. I think there is a bug in the jdk or I do something wrong.

    I've also tried to explicitly set
    pkixParameters.setPolicyMappingInhibited(false);
    pkixParameters.setPolicyQualifiersRejected(true);
    but nothing helped.

    Details: The "root" certs are
    * http://xien.jikos.cz/czp/ICA_Czech.der
    * http://xien.jikos.cz/czp/ICA_Slovak.der
    ICA_Slovak.der has the same public key included as the ICA_Czech.der. ICA_Slovak.der is signed by http://xien.jikos.cz/czp/NBU_Slovak.der - National Security Agency in the Slovak Republic.

    Both certificates are from www.ica.cz certification authority. ICA comes from Czech Rep. and has opened its office in the Slovak Rep. So this is a real case, all certificates can be downloaded from TSL list, see http://ec.europa.eu/information_society/policy/esignature/eu_legislation/trusted_lists/index_en.htm

    I have an end user certificate:
    * http://xien.jikos.cz/czp/Bc.%20Konvalinka.der
    When I try to construct a certificate path I get ambiguous results. With the same inputs the results differ. One call returns different results than the next call.
    I find the path in two steps:

    1. Recursively find parent:

    public List<X509Certificate> getValidationPath(KeyStore keyStore, X509Certificate cert)
            throws Exception {
        ArrayList<X509Certificate> path = new ArrayList<X509Certificate>();

        TrustAnchor trustedAnchor = null;
        while (cert != null) {
            trustedAnchor = getTrustedAnchor(keyStore, cert);
            if (trustedAnchor == null
                    || trustedAnchor.getTrustedCert() == null
                    || trustedAnchor.getTrustedCert().equals(cert)) {
                break;
            }
            cert = trustedAnchor.getTrustedCert();
            path.add(cert);
        }

        return path;
    }

    2. Find the parent:

    public TrustAnchor getTrustedAnchor(KeyStore keyStore, X509Certificate cert) throws Exception {
        if (keyStore.size() == 0) {
            throw new PathValidationException("KeyStore is empty, cannot continue");
        }

        CertificateFactory fact = CertificateFactory.getInstance("X.509", CertTool.PROVIDER_DEFAULT);

        PKIXParameters pkixParameters = new PKIXParameters(keyStore);
        pkixParameters.setRevocationEnabled(false);
        pkixParameters.setDate(cert.getNotAfter());
        CertPath certPath = fact.generateCertPath(Collections.singletonList(cert));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX", CertTool.PROVIDER_DEFAULT);

        PKIXCertPathChecker checker602 = new IgnoreCriricalPathChecker();
        ArrayList<PKIXCertPathChecker> checkers = new ArrayList<PKIXCertPathChecker>();
        checkers.add(checker602);
        pkixParameters.setCertPathCheckers(checkers);

        pkixParameters.setPolicyMappingInhibited(false);
        pkixParameters.setPolicyQualifiersRejected(true);

        PKIXCertPathValidatorResult result = null;
        TrustAnchor trustAnchor = null;
        try {
            result = (PKIXCertPathValidatorResult) validator.validate(certPath, pkixParameters);
            trustAnchor = result.getTrustAnchor();
            if (trustAnchor == null) {
                log.error("Parent cert wasn't found for: " + cert + ", " + Utils.bytesToBase64(cert.getEncoded()));
            }
        } catch (CertPathValidatorException ex) {
            log.error("Parent cert wasn't found for: " + cert + ", " + Utils.bytesToBase64(cert.getEncoded()));
        }

        return trustAnchor;
    }

    As a provider I've used "SUN" or "BC" with the same bad results.
    Can anybody help?

    Thanks.
    Jan Vavra

    Edited by: jan.vavra on 14.7.2011 0:57

    DB:2.35:Ambiguity In Certificate Validation Path Construction z1

    Is there another way to use Java crypto to build a cert path?
    The piece of code I've posted is only for verifying the path, not for building it?

    I'm writing software that validates certs against the TSL list. So I cannot ignore certs of CAs from the TSL.
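    As an added example for the thread above (not the poster's code, and not part of the JDK), the helper below validates the same certificate path once per candidate root instead of handing a keystore with several roots to a single validator call, so every root that accepts the chain is reported rather than one being picked by iteration order; supplying a required certificate-policy OID lets a policy-restricted root and an unrestricted one give different answers for the same end-entity certificate. The class and method names are hypothetical, and the command-line arguments are assumed to be DER files like those linked in the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/**
 * Hypothetical helper (not from the thread): validates a chain against each candidate
 * root on its own, so two roots that share one public key are both reported instead of
 * one being chosen by whatever order the keystore's anchor set happens to iterate in.
 */
public final class AnchorProbe {

    /**
     * Maps every candidate root, in the order supplied, to "ok" or the validator's reason.
     *
     * @param roots           candidate trust anchors, e.g. ICA_Czech.der and ICA_Slovak.der
     * @param chain           end-entity certificate first, then any intermediates
     * @param initialPolicies certificate-policy OIDs the caller requires; empty = any policy
     */
    public static Map<X509Certificate, String> probe(Collection<X509Certificate> roots,
                                                    List<X509Certificate> chain,
                                                    Set<String> initialPolicies)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Map<X509Certificate, String> outcome = new LinkedHashMap<>();

        for (X509Certificate root : roots) {
            // Exactly one anchor per run, so the validator has nothing to choose between.
            PKIXParameters params = new PKIXParameters(
                    Collections.singleton(new TrustAnchor(root, null)));
            // The thread turns revocation off; a production check should leave it on.
            params.setRevocationEnabled(false);
            if (!initialPolicies.isEmpty()) {
                // Requiring an explicit policy makes the policy tree decide, so the
                // policy-restricted root and the unrestricted one no longer both pass.
                params.setInitialPolicies(initialPolicies);
                params.setExplicitPolicyRequired(true);
            }
            try {
                validator.validate(path, params);
                outcome.put(root, "ok");
            } catch (CertPathValidatorException e) {
                outcome.put(root, "rejected: " + e.getReason() + " (" + e.getMessage() + ")");
            }
        }
        return outcome;
    }

    /** The roots that accepted the chain; more than one means the path is ambiguous. */
    public static List<X509Certificate> accepted(Map<X509Certificate, String> outcome) {
        List<X509Certificate> ok = new ArrayList<>();
        for (Map.Entry<X509Certificate, String> e : outcome.entrySet()) {
            if ("ok".equals(e.getValue())) {
                ok.add(e.getKey());
            }
        }
        return ok;
    }

    private static X509Certificate readDer(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Usage: java AnchorProbe end-entity.der root1.der [root2.der ...] [policyOid ...] */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = readDer(cf, args[0]);
        List<X509Certificate> roots = new ArrayList<>();
        Set<String> policies = new HashSet<>();
        for (int i = 1; i < args.length; i++) {
            if (args[i].matches("[0-9.]+")) {
                policies.add(args[i]);   // a bare OID argument names a required policy
            } else {
                roots.add(readDer(cf, args[i]));
            }
        }
        Map<X509Certificate, String> outcome =
                probe(roots, Collections.singletonList(leaf), policies);
        outcome.forEach((root, result) ->
                System.out.println(root.getSubjectX500Principal() + " -> " + result));
        if (accepted(outcome).size() > 1) {
            System.out.println("Ambiguous: more than one root accepts this chain; "
                    + "pass a required policy OID to tell them apart.");
        }
    }
}
```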

  • RELEVANCY SCORE 2.35

    DB:2.35:Security Certificate Warning Error On The Computer. xa


    Security Certificate Warning

    When starting AOL version 9.5, we are getting a security certificate warning. The warning states "The name on the SC is invalid or does not match the name of the site". SC Subject: CN =a248.e.akamai.net
    O = Akamai Technologies Inc L = Cambridge S = MA C=US Issuer is CN = Cybertrust Public SureServer SV CA Why is this happening, how to resolve??

    DB:2.35:Security Certificate Warning Error On The Computer. xa

    The security cert problem occurs only when starting AOL software itself.

    If AOL is accessed as a web address through IE, then there is no warning.

    On the instructions to run IE troubleshooter......After clicking on "VIEW ALL" in the left pane, a list of 18 items comes up, but, "Internet Explorer Performance" is not an item on the list, nor are any IE items on the list.

  • RELEVANCY SCORE 2.35

    DB:2.35:Steve (Mccrew02 ) And Other Experts..Can You Look Into This? s3


    Hi Steve and other experts ,

    Pl..look into this..if you have time to do so...and gimme your valuable suggestions or solutions.

    My objective is to make an HTTPS request(GET) to a server.
    That server checks for client certificates.
    So I have to make a CSR(Client Certificate Signing Request) and send to that server and get it signed.
    On obtaining signed certificate (in X509 format), keep it in the store and send it to the server and fulfill the request.

    I use J2sdk1.4 on Red Hat Linux.

    I have generated a private key and CSR using these commands:

    keytool -genkey -dname "cn= Client, ou=OU,o=O, c=CC, st=ST" -alias "ppkeystore" -keypass "111123" -keystore "pp.keystore" -storepass "111123" -keyalg "RSA" -keysize 2048

    Generated a private key ..and in a store

    keytool -keystore pp.keystore -keypass "111123" -storepass "111123" -alias "ppkeystore" -certreq -file client.csr

    Generate a Certificate Signing Request

    I have sent client.csr to the server guys in US
    they have signed the certificate with their CA cert and their CA cert is issued by Thawte.

    I have imported the csr reply(signed cert paypro.crt----it is in X509 format) into the keystore

    keytool -keystore pp.keystore -storepass 111123 -import -file paypro.crt

    csr reply is added to store with default alias name 'client'---- the cert alias name is client

    my keystore is pp.keystore
    and trust store is cacerts
    I don't have to add anything into the truststore as the CA certificate used to sign my certificate is used by Thawte
    Thawte root CA is in jre/lib/security/cacerts by default

    now the code is

    KeyStore keystore = null;
    try{
    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("pp.keystore"), "111123".toCharArray());
    }catch(Exception exception1){
    System.err.println("ERR1 ERR1 POSTURL ::"+exception1);
    }
    KeyStore keystore2 = null;
    try{
    keystore2 = KeyStore.getInstance("JKS");
    keystore2.load(new FileInputStream("/usr/java/j2sdk1.4.1_02/jre/lib/security/cacerts"), "changeit".toCharArray());
    }catch(Exception exception1){
    System.err.println("ERR1 ERR1 POSTURL ::"+exception1);
    }
    Certificate cert = keystore.getCertificate("client");
    System.err.println("CERT::"+cert.toString());//this is printing the certificate properly..it means nothing wrong with the keystore that I loaded
    TrustManagerFactory trustmanagerfactory = TrustManagerFactory.getInstance("SunX509");
    trustmanagerfactory.init(keystore2);
    SSLContext sslcontext = SSLContext.getInstance("SSLv3");
    KeyManagerFactory keymanagerfactory = KeyManagerFactory.getInstance("SunX509");
    keymanagerfactory.init(keystore,"111123".toCharArray());
    sslcontext.init(keymanagerfactory.getKeyManagers(), trustmanagerfactory.getTrustManagers(), null);
    HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());

    URL u = new URL(url+getString);
    HttpsURLConnection h = (HttpsURLConnection)u.openConnection();
    h.setRequestMethod("GET");
    h.setSSLSocketFactory(sslcontext.getSocketFactory());
    h.connect();
    InputStream is = h.getInputStream();
    int ch;
    StringBuffer sb = new StringBuffer(2000);
    while((ch = is.read()) != -1){
    sb.append((char)ch);
    }
    System.err.println(sb.toString());

    //so the problem occurs at InputStream is = h.getInputStream(); statement

    error is

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:741)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:702)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:583)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)

    and debug statements are ::

    trigger seeding of SecureRandom
    done seeding SecureRandom
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services
    Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@269
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services
    Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Divis
    ion, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@f8
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Divisi
    on, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff94f
    Validity: [From: Wed May 17 10:01:00 EDT 2000,
    To: Sat May 17 19:59:00 EDT 2025]
    Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    SerialNumber: [ 020000bf]

    Certificate Extensions: 4
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C8 41 34 5C 15 15 04 E5 40 F2 D1 AB 9A 6F 24 92 .A4\....@....o$.
    0010: 7A 87 42 5A z.BZ
    ]
    ]

    [2]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [3]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.3]]

    [4]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:3
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 52 74 AA 95 4B 22 8C C7 3D 96 A4 FE 5D FA 2F B5 Rt..K"..=...]./.
    0010: BC EB F0 0B E9 56 38 1D D1 6D 0D A1 BC 68 8B F0 .....V8..m...h..
    0020: C5 80 A5 24 34 FD F2 96 18 11 86 A1 36 F5 37 E7 ...$4.......6.7.
    0030: 54 40 D5 64 1F C3 5F 70 42 6B 2D 39 C7 9E 52 05 T@.d.._pBk-9..R.
    0040: CE E7 6A 72 D2 8D 72 3F 47 50 83 AB C7 8D 25 C9 ..jr..r?GP....%.
    0050: B0 E3 A7 53 16 95 A6 6A 53 EA 18 9D 8F 78 A9 77 ...S...jS....x.w
    0060: 77 1A F9 B4 97 47 59 88 27 28 B5 CA E1 2E D7 3E w....GY.'(.....
    0070: 0E A2 0D B8 22 44 03 E3 D1 63 B0 41 3A A1 F5 A4 ...."D...c.A:...
    0080: 2D F7 76 1E 04 54 99 78 32 40 D7 2B 7C 4D BA A6 -.v..T.x2@.+.M..
    0090: 9C B0 79 6E 07 BE 8C EC EE D7 38 69 5B C1 0C 56 ..yn......8i[..V
    00A0: 68 9F FE EB D1 E1 C8 88 F9 F2 CD 7F BE 85 B4 44 h..............D
    00B0: 67 00 50 3E F4 26 03 64 EA 77 7D E8 5E 3E 1C 37 g.P..d.w..^.7
    00C0: 47 C8 D6 EA A4 F3 36 3C 97 C2 39 72 05 94 19 25 G.....6..9r...%
    00D0: C3 D7 37 41 0F C1 1F 87 8A FD AA BE E9 B1 64 57 ..7A..........dW
    00E0: E4 DB 92 A1 CF E1 49 E8 3B 1F 91 13 5A C3 8F D9 ......I.;...Z...
    00F0: 25 58 49 80 47 0F C6 03 AE AC E3 BF B7 C0 AA 2A %XI.G..........*

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@3e
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Wed Jan 07 18:59:59 EST 2004]
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ e49efdf3 3ae80ecf a5113e19 a4240232]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 61 70 EC 2F 3F 9E FD 2B E6 68 54 21 B0 67 79 08 ap./?..+.hT!.gy.
    0010: 0C 20 96 31 8A 0D 7A BE B6 26 DF 79 2C 22 69 49 . .1..z...y,"iI
    0020: 36 E3 97 77 62 61 A2 32 D7 7A 54 21 36 BA 02 C9 6..wba.2.zT!6...
    0030: 34 E7 25 DA 44 35 B0 D2 5C 80 5D B3 94 F8 F9 AC 4.%.D5..\.].....
    0040: EE A4 60 75 2A 1F 95 49 23 B1 4A 7C F4 B3 47 72 ..`u*..I#.J...Gr
    0050: 21 5B 7E 97 AB 54 AC 62 E7 5D EC AE 9B D2 C9 B2 ![...T.b.]......
    0060: 24 FB 82 AD E9 67 15 4B BA AA A6 F0 97 A0 F6 B0 $....g.K........
    0070: 97 57 00 C8 0C 3C 09 A0 82 04 BA 41 DA F7 99 A4 .W........A....

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc86
    Validity: [From: Wed Aug 12 20:29:00 EDT 1998,
    To: Mon Aug 13 19:59:00 EDT 2018]
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    SerialNumber: [ 01a5]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 6D EB 1B 09 E9 5E D9 51 DB 67 22 61 A4 2A 3C 48 m....^.Q.g"a.*H
    0010: 77 E3 A0 7C A6 DE 73 A2 14 03 85 3D FB AB 0E 30 w.....s....=...0
    0020: C5 83 16 33 81 13 08 9E 7B 34 4E DF 40 C8 74 D7 ...3.....4N.@.t.
    0030: B9 7D DC F4 76 55 7D 9B 63 54 18 E9 F0 EA F3 5C ....vU..cT.....\
    0040: B1 D9 8B 42 1E B9 C0 95 4E BA FA D5 E2 7C F5 68 ...B....N......h
    0050: 61 BF 8E EC 05 97 5F 5B B0 D7 A3 85 34 C4 24 A7 a....._[....4.$.
    0060: 0D 0F 95 93 EF CB 94 D8 9E 1F 9D 5C 85 6D C7 AA ...........\.m..
    0070: AE 4F 1F 22 B5 CD 95 AD BA A7 CC F9 AB 0B 7A 7F .O."..........z.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@52b
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 69 36 89 F7 34 2A 33 72 2F 6D 3B D4 22 B2 B8 6F i6..4*3r/m;."..o
    0010: 9A C5 36 66 0E 1B 3C A1 B1 75 5A E6 FD 35 D3 F8 ..6f....uZ..5..
    0020: A8 F2 07 6F 85 67 8E DE 2B B9 E2 17 B0 3A A0 F0 ...o.g..+....:..
    0030: 0E A2 00 9A DF F3 14 15 6E BB C8 85 5A 98 80 F9 ........n...Z...
    0040: FF BE 74 1D 3D F3 FE 30 25 D1 37 34 67 FA A5 71 ..t.=..0%.74g..q
    0050: 79 30 61 29 72 C0 E0 2C 4C FB 56 E4 3A A8 6F E5 y0a)r..,L.V.:.o.
    0060: 32 59 52 DB 75 28 50 59 0C F8 0B 19 E4 AC D9 AF 2YR.u(PY........
    0070: 96 8D 2F 50 DB 07 C3 EA 1F AB 33 E0 F5 2B 31 89 ../P......3..+1.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1b5
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]
    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
    0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
    0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...HYC.O.=....b
    0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
    0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
    0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z... ....
    0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
    0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff8f8
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Fri Dec 31 18:59:59 EST 1999]
    Issuer: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 02a60000 01]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 53 DD D3 F0 9C 24 7E 40 AA E2 FC 00 1A D7 DA 0C S....$.@........
    0010: FC 32 61 B8 15 0D 96 F3 FA 57 1B 7F 33 7C AF E9 .2a......W..3...
    0020: 98 9A 61 C8 7A B3 B7 FF B1 DC 99 83 DC AC 12 FC ..a.z...........
    0030: 70 C9 1F 38 42 ED 44 F6 80 2E 5B 6B 33 69 AC 9C p..8B.D...[k3i..
    0040: D3 5C E7 5F 5A 18 C7 B1 2D 79 04 96 41 91 99 41 .\._Z...-y..A..A
    0050: B1 3C 0D BA 84 39 C6 3B 97 F0 26 C9 8E EE BD CC ....9.;.......
    0060: 42 95 FF 1E C7 02 3F 54 0C 78 F5 BC AA 60 7C 02 B.....?T.x...`..
    0070: 69 E8 DC AC E2 02 76 61 C4 3E 03 EA D2 8A 24 D1 i.....va.....$.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffbdf
    Validity: [From: Fri May 12 14:46:00 EDT 2000,
    To: Mon May 12 19:59:00 EDT 2025]
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    SerialNumber: [ 020000b9]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:
    0010: B5 04 4D F0 ..M.
    ]
    ]

    [2]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [3]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:3
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 85 0C 5D 8E E4 6F 51 68 42 05 A0 DD BB 4F 27 25 ..]..oQhB....O'%
    0010: 84 03 BD F7 64 FD 2D D7 30 E3 A4 10 17 EB DA 29 ....d.-.0......)
    0020: 29 B6 79 3F 76 F6 19 13 23 B8 10 0A F9 58 A4 D4 ).y?v...#....X..
    0030: 61 70 BD 04 61 6A 12 8A 17 D5 0A BD C5 BC 30 7C ap..aj........0.
    0040: D6 E9 0C 25 8D 86 40 4F EC CC A3 7E 38 C6 37 11 ...%..@O....8.7.
    0050: 4F ED DD 68 31 8E 4C D2 B3 01 74 EE BE 75 5E 07 O..h1.L...t..u^.
    0060: 48 1A 7F 70 FF 16 5C 84 C0 79 85 B8 05 FD 7F BE H..p..\..y......
    0070: 65 11 A3 0F C0 02 B4 F8 52 37 39 04 D5 A9 31 7A e.......R79...1z
    0080: 18 BF A0 2A F4 12 99 F7 A3 45 82 E3 3C 5E F5 9D ...*.....E..^..
    0090: 9E B5 C8 9E 7C 2E C8 A4 9E 4E 08 14 4B 6D FD 70 .........N..Km.p
    00A0: 6D 6B 1A 63 BD 64 E6 1F B7 CE F0 F2 9F 2E BB 1B mk.c.d..........
    00B0: B7 F2 50 88 73 92 C2 E2 E3 16 8D 9A 32 02 AB 8E ..P.s.......2...
    00C0: 18 DD E9 10 11 EE 7E 35 AB 90 AF 3E 30 94 7A D0 .......5...0.z.
    00D0: 33 3D A7 65 0F F5 FC 8E 9E 62 CF 47 44 2C 01 5D 3=.e.....b.GD,.]
    00E0: BB 1D B5 32 D2 47 D2 38 2E D0 FE 81 DC 32 6A 1E ...2.G.8.....2j.
    00F0: B5 EE 3C D5 FC E7 81 1D 19 C3 24 42 EA 63 39 A9 .........$B.c9.

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc9e
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Tue Jan 07 18:59:59 EST 2020]
    Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 325033cf 50d156f3 5c81ad65 5c4fc825]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 4B 44 66 60 68 64 E4 98 1B F3 B0 72 E6 95 89 7C KDf`hd.....r....
    0010: DD 7B B3 95 C0 1D 2E D8 D8 19 D0 2D 34 3D C6 50 ...........-4=.P
    0020: 9A 10 86 8C AA 3F 3B A8 04 FC 37 52 95 C3 D9 C9 .....?;...7R....
    0030: DB CD F2 86 06 C4 B1 1B F0 82 88 30 42 8E 17 50 ...........0B..P
    0040: 1C 64 7A B8 3E 99 49 74 97 FC AC 02 43 FB 96 0C .dz..It....C...
    0050: 56 04 25 0C 7C 7C 87 9D 24 A7 D8 F0 32 29 B5 A4 V.%.....$...2)..
    0060: DF 5D A2 4C C5 16 32 A8 42 F6 45 A6 B6 36 B9 E0 .].L..2.B.E..6..
    0070: BF 65 36 93 C2 D2 D7 6B DC DE 59 D6 A2 35 F8 45 .e6....k..Y..5.E

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1e2
    Validity: [From: Tue Nov 08 19:00:00 EST 1994,
    To: Thu Jan 07 18:59:59 EST 2010]
    Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    SerialNumber: [ 02ad667e 4e45fe5e 576f3c98 195eddc0]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 65 DD 7E E1 B2 EC B0 E2 3A E0 EC 71 46 9A 19 11 e.......:..qF...
    0010: B8 D3 C7 A0 B4 03 40 26 02 3E 09 9C E1 12 B3 D1 ......@.......
    0020: 5A F6 37 A5 B7 61 03 B6 5B 16 69 3B C6 44 08 0C Z.7..a..[.i;.D..
    0030: 88 53 0C 6B 97 49 C7 3E 35 DC 6C B9 BB AA DF 5C .S.k.I.5.l....\
    0040: BB 3A 2F 93 60 B6 A9 4B 4D F2 20 F7 CD 5F 7F 64 .:/.`..KM. .._.d
    0050: 7B 8E DC 00 5C D7 FA 77 CA 39 16 59 6F 0E EA D3 ....\..w.9.Yo...
    0060: B5 83 7F 4D 4D 42 56 76 B4 C9 5F 04 F8 38 F8 EB ...MMBVv.._..8..
    0070: D2 5F 75 5F CD 7B FC E5 8E 80 7C FC 50 ._u_........P

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@ffffffa6
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 26 48 2C 16 C2 58 FA E8 16 74 0C AA AA 5F 54 3F H,..X...t..._T?
    0010: F2 D7 C9 78 60 5E 5E 6E 37 63 22 77 36 7E B2 17 ...x`^^n7c"w6...
    0020: C4 34 B9 F5 08 85 FC C9 01 38 FF 4D BE F2 16 42 .4.......8.M...B
    0030: 43 E7 BB 5A 46 FB C1 C6 11 1F F1 4A B0 28 46 C9 C..ZF......J.(F.
    0040: C3 C4 42 7D BC FA AB 59 6E D5 B7 51 88 11 E3 A4 ..B....Yn..Q....
    0050: 85 19 6B 82 4C A4 0C 12 AD E9 A4 AE 3F F1 C3 49 ..k.L.......?..I
    0060: 65 9A 8C C5 C8 3E 25 B7 94 99 BB 92 32 71 07 F0 e....%.....2q..
    0070: 86 5E ED 50 27 A6 0D A6 23 F9 BB CB A6 07 14 42 .^.P'...#......B

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc3f
    Validity: [From: Fri Feb 23 18:01:00 EST 1996,
    To: Thu Feb 23 18:59:00 EST 2006]
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    SerialNumber: [ 01a3]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 12 B3 75 C6 5F 1D E1 61 55 80 00 D4 81 4B 7B 31 ..u._..aU....K.1
    0010: 0F 23 63 E7 3D F3 03 F9 F4 36 A8 BB D9 E3 A5 97 .#c.=....6......
    0020: 4D EA 2B 29 E0 D6 6A 73 81 E6 C0 89 A3 D3 F1 E0 M.+)..js........
    0030: A5 A5 22 37 9A 63 C2 48 20 B4 DB 72 E3 C8 F6 D9 .."7.c.H ..r....
    0040: 7C BE B1 AF 53 DA 14 B4 21 B8 D6 D5 96 E3 FE 4E ....S...!......N
    0050: 0C 59 62 B6 9A 4A F9 42 DD 8C 6F 81 A9 71 FF F4 .Yb..J.B..o..q..
    0060: 0A 72 6D 6D 44 0E 9D F3 74 74 A8 D5 34 49 E9 5E .rmmD...tt..4I.^
    0070: 9E E9 B4 7A E1 E5 5A 1F 84 30 9C D3 9F A5 25 D8 ...z..Z..0....%.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd47
    Validity: [From: Fri Aug 14 10:50:00 EDT 1998,
    To: Wed Aug 14 19:59:00 EDT 2013]
    Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    SerialNumber: [ 01b6]

    Certificate Extensions: 4
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 76 0A 49 21 38 4C 9F DE F8 C4 49 C7 71 71 91 9D v.I!8L....I.qq..
    ]
    ]

    [2]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [1.2.840.113763.1.2.1.3]
    [] ]
    ]

    [3]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [4]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:5
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 41 3A D4 18 5B DA B8 DE 21 1C E1 8E 09 E5 F1 68 A:..[...!......h
    0010: 34 FF DE 96 F4 07 F5 A7 3C F3 AC 4A B1 9B FA 92 4.........J....
    0020: FA 9B ED E6 32 21 AA 4A 76 C5 DC 4F 38 E5 DF D5 ....2!.Jv..O8...
    0030: 86 E4 D5 C8 76 7D 98 D7 B1 CD 8F 4D B5 91 23 6C ....v......M..#l
    0040: 8B 8A EB EA 7C EF 14 94 C4 C6 F0 1F 4A 2D 32 71 ............J-2q
    0050: 63 2B 63 91 26 02 09 B6 80 1D ED E2 CC B8 7F DB c+c............
    0060: 87 63 C8 E1 D0 6C 26 B1 35 1D 40 66 10 1B CD 95 .c...l.5.@f....
    0070: 54 18 33 61 EC 13 4F DA 13 F7 99 AF 3E D0 CF 8E T.3a..O........
    0080: A6 72 A2 B3 C3 05 9A C9 27 7D 92 CC 7E 52 8D B3 .r......'....R..
    0090: AB 70 6D 9E 89 9F 4D EB 1A 75 C2 98 AA D5 02 16 .pm...M..u......
    00A0: D7 0C 8A BF 25 E4 EB 2D BC 98 E9 58 38 19 7C B9 ....%..-...X8...
    00B0: 37 FE DB E2 99 08 73 06 C7 97 83 6A 7D 10 01 2F 7.....s....j.../
    00C0: 32 B9 17 05 4A 65 E6 2F CE BE 5E 53 A6 82 E9 9A 2...Je./..^S....
    00D0: 53 0A 84 74 2D 83 CA C8 94 16 76 5F 94 61 28 F0 S..t-.....v_.a(.
    00E0: 85 A7 39 BB D7 8B D9 A8 B2 13 1D 54 09 34 24 7D ..9........T.4$.
    00F0: 20 81 7D 66 7E A2 90 74 5C 10 C6 BD EC AB 1B C2 ..f...t\.......

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@29
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Wed Jan 07 18:59:59 EST 2004]
    Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ ba5ac94c 053b92d6 a7b6df4e d053920d]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: B6 00 1F 93 57 A4 07 A7 40 CE 65 40 3F 55 5E ED ....W...@.e@?U^.
    0010: EF FA 54 49 A5 30 D6 21 7C 61 87 EE 83 93 0B BF ..TI.0.!.a......
    0020: B4 33 F2 98 AC 9F 06 BF 4E A8 CE 14 81 4C CB 04 .3......N....L..
    0030: 4E 58 C3 CF 5F EE 7C D7 9A 6F CB 41 8A B7 7F 81 NX.._....o.A....
    0040: B8 FF 84 61 C6 27 43 65 1D 0C EC B1 00 0A DD 1B ...a.'Ce........
    0050: A4 BB C7 78 20 28 B2 A2 DD 36 95 2E E1 54 4F BF ...x (...6...TO.
    0060: 60 B9 77 68 11 99 23 E8 EA 52 E8 AA 00 4E 67 4E `.wh..#..R...NgN
    0070: BB 90 B5 45 9B 46 EB 8E 16 EF C4 33 5B 33 3D D5 ...E.F.....3[3=.

    ]
    ***
    found key for : payprokeystore
    chain [0] = [
    [
    Version: V1
    Subject: CN=Client, OU=OU, O=O, C=CC, ST=ST
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffcaa
    Validity: [From: Wed Jul 02 06:43:12 EDT 2003,
    To: Tue Sep 30 06:43:12 EDT 2003]
    Issuer: CN=Client, OU=OU, O=O, C=CC, ST=ST
    SerialNumber: [ 3f02b740]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 78 26 84 94 7A 3F 4A 4F 76 97 AB 17 80 DB 98 04 x..z?JOv.......
    0010: E2 2F 9B DF 8B 43 09 1C 01 7C 9B 53 E2 31 83 16 ./...C.....S.1..
    0020: 0D C9 5D 1F 7D ED C0 D3 34 38 0D 72 CD 1B 4E E2 ..].....48.r..N.
    0030: 54 B2 97 BB 70 4E 74 9B BD AE D1 CB B8 A0 E1 E2 T...pNt.........
    0040: C4 F4 3C 58 EB CE 09 CE 29 96 49 12 68 4F 15 7C ..X....).I.hO..
    0050: AE C7 03 0B 11 9E 37 CB 95 16 FC DA B7 68 67 0E ......7......hg.
    0060: 0E 35 D2 88 6E E7 6C 98 70 C9 C8 78 1D E2 D7 75 .5..n.l.p..x...u
    0070: B5 C7 C5 E7 25 85 3A D4 0C 04 D3 0C AF 10 91 FE ....%.:.........
    0080: 29 36 86 71 8F 87 1A 53 5E B6 F9 07 58 CF 1E 8F )6.q...S^...X...
    0090: 3A 7D C1 D7 CD 08 D3 19 3C 2C B4 CA C8 A8 C2 7D :.......,......
    00A0: AE DA 5E 41 B2 D0 3E F1 C6 3B 21 E8 6C 32 3E 0C ..^A....;!.l2.
    00B0: 65 64 C6 54 0A DE CA A7 93 E8 C3 8A 7C 33 C2 79 ed.T.........3.y
    00C0: 8C 18 97 5E 36 1B 0C 95 E2 66 FB 0C E6 23 FD B4 ...^6....f...#..
    00D0: 62 4A 82 5C A7 98 26 1B 47 3A 5F 72 94 1A CD 3C bJ.\...G:_r...
    00E0: E3 75 66 83 E4 AC 45 2E B8 7E 35 31 51 A1 D7 22 .uf...E...51Q.."
    00F0: BA FD 61 CE 9A EB B7 49 9A FC AA 4B 36 A7 CC 41 ..a....I...K6..A

    ]
    ***
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1057567723 bytes = { 25, 202, 66, 170, 104, 162, 12, 82, 27, 86, 30, 144, 171, 41, 91, 2, 34, 131, 123, 32, 87, 7, 208, 193, 154, 97, 234, 206 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    [write] MD5 and SHA1 hashes: len = 59
    0000: 01 00 00 37 03 01 3F 09 34 EB 19 CA 42 AA 68 A2 ...7..?.4...B.h.
    0010: 0C 52 1B 56 1E 90 AB 29 5B 02 22 83 7B 20 57 07 .R.V...)[.".. W.
    0020: D0 C1 9A 61 EA CE 00 00 10 00 04 00 05 00 0A 00 ...a............
    0030: 13 00 09 00 12 00 03 00 11 01 00 ...........
    main, WRITE: TLSv1 Handshake, length = 59
    [write] MD5 and SHA1 hashes: len = 77
    0000: 01 03 01 00 24 00 00 00 20 00 00 04 01 00 80 00 ....$... .......
    0010: 00 05 00 00 0A 07 00 C0 00 00 13 00 00 09 06 00 ................
    0020: 40 00 00 12 00 00 03 02 00 80 00 00 11 3F 09 34 @............?.4
    0030: EB 19 CA 42 AA 68 A2 0C 52 1B 56 1E 90 AB 29 5B ...B.h..R.V...)[
    0040: 02 22 83 7B 20 57 07 D0 C1 9A 61 EA CE .".. W....a..
    main, WRITE: SSLv2 client hello message, length = 77
    main, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1057567724 bytes = { 245, 15, 204, 200, 236, 164, 113, 86, 80, 143, 98, 29, 219, 159, 108, 112, 120, 69, 90, 122, 105, 175, 98, 38, 113, 132, 190, 181 }
    Session ID: {247, 236, 43, 119, 75, 176, 31, 31, 178, 1, 32, 50, 103, 28, 175, 200, 135, 33, 11, 221, 183, 47, 169, 63, 192, 67, 13, 247, 166, 141, 110, 11}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    [read] MD5 and SHA1 hashes: len = 74
    0000: 02 00 00 46 03 01 3F 09 34 EC F5 0F CC C8 EC A4 ...F..?.4.......
    0010: 71 56 50 8F 62 1D DB 9F 6C 70 78 45 5A 7A 69 AF qVP.b...lpxEZzi.
    0020: 62 26 71 84 BE B5 20 F7 EC 2B 77 4B B0 1F 1F B2 bq... ..+wK....
    0030: 01 20 32 67 1C AF C8 87 21 0B DD B7 2F A9 3F C0 . 2g....!.../.?.
    0040: 43 0D F7 A6 8D 6E 0B 00 04 00 C....n....
    main, READ: TLSv1 Handshake, length = 728
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=www.epassporte.com, O=Epassporte N.V., L=Newbury, ST=Curacao, C=AN
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    DB:2.35:Steve (Mccrew02 ) And Other Experts..Can You Look Into This? s3

    Hi,

    This reply contains the SSL debug statements for the request.

    trigger seeding of SecureRandom
    done seeding SecureRandom
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@269
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: C7 EC 92 7E 4E F8 F5 96 A5 67 62 2A A4 F0 4D 11 ....N....gb*..M.
    0010: 60 D0 6F 8D 60 58 61 AC 26 BB 52 35 5C 08 CF 30 `.o.`Xa..R5\..0
    0020: FB A8 4A 96 8A 1F 62 42 23 8C 17 0F F4 BA 64 9C ..J...bB#.....d.
    0030: 17 AC 47 29 DF 9D 98 5E D2 6C 60 71 5C A2 AC DC ..G)...^.l`q\...
    0040: 79 E3 E7 6E 00 47 1F B5 0D 28 E8 02 9D E4 9A FD y..n.G...(......
    0050: 13 F4 A6 D9 7C B1 F8 DC 5F 23 26 09 91 80 73 D0 ........_#...s.
    0060: 14 1B DE 43 A9 83 25 F2 E6 9C 2F 15 CA FE A6 AB ...C..%.../.....
    0070: 8A 07 75 8B 0C DD 51 84 6B E4 F8 D1 CE 77 A2 81 ..u...Q.k....w..

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@f8
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 2D E2 99 6B B0 3D 7A 89 D7 59 A2 94 01 1F 2B DD -..k.=z..Y....+.
    0010: 12 4B 53 C2 AD 7F AA A7 00 5C 91 40 57 25 4A 38 .KS......\.@W%J8
    0020: AA 84 70 B9 D9 80 0F A5 7B 5C FB 73 C6 BD D7 8A ..p......\.s....
    0030: 61 5C 03 E3 2D 27 A8 17 E0 84 85 42 DC 5E 9B C6 a\..-'.....B.^..
    0040: B7 B2 6D BB 74 AF E4 3F CB A7 B7 B0 E0 5D BE 78 ..m.t..?.....].x
    0050: 83 25 94 D2 DB 81 0F 79 07 6D 4F F4 39 15 5A 52 .%.....y.mO.9.ZR
    0060: 01 7B DE 32 D6 4D 38 F6 12 5C 06 50 DF 05 5B BD ...2.M8..\.P..[.
    0070: 14 4B A1 DF 29 BA 3B 41 8D F7 63 56 A1 DF 22 B1 .K..).;A..cV..".

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff94f
    Validity: [From: Wed May 17 10:01:00 EDT 2000,
    To: Sat May 17 19:59:00 EDT 2025]
    Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
    SerialNumber: [ 020000bf]

    Certificate Extensions: 4
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C8 41 34 5C 15 15 04 E5 40 F2 D1 AB 9A 6F 24 92 .A4\....@....o$.
    0010: 7A 87 42 5A z.BZ
    ]
    ]

    [2]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [3]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.3]]

    [4]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:3
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 52 74 AA 95 4B 22 8C C7 3D 96 A4 FE 5D FA 2F B5 Rt..K"..=...]./.
    0010: BC EB F0 0B E9 56 38 1D D1 6D 0D A1 BC 68 8B F0 .....V8..m...h..
    0020: C5 80 A5 24 34 FD F2 96 18 11 86 A1 36 F5 37 E7 ...$4.......6.7.
    0030: 54 40 D5 64 1F C3 5F 70 42 6B 2D 39 C7 9E 52 05 T@.d.._pBk-9..R.
    0040: CE E7 6A 72 D2 8D 72 3F 47 50 83 AB C7 8D 25 C9 ..jr..r?GP....%.
    0050: B0 E3 A7 53 16 95 A6 6A 53 EA 18 9D 8F 78 A9 77 ...S...jS....x.w
    0060: 77 1A F9 B4 97 47 59 88 27 28 B5 CA E1 2E D7 3E w....GY.'(.....
    0070: 0E A2 0D B8 22 44 03 E3 D1 63 B0 41 3A A1 F5 A4 ...."D...c.A:...
    0080: 2D F7 76 1E 04 54 99 78 32 40 D7 2B 7C 4D BA A6 -.v..T.x2@.+.M..
    0090: 9C B0 79 6E 07 BE 8C EC EE D7 38 69 5B C1 0C 56 ..yn......8i[..V
    00A0: 68 9F FE EB D1 E1 C8 88 F9 F2 CD 7F BE 85 B4 44 h..............D
    00B0: 67 00 50 3E F4 26 03 64 EA 77 7D E8 5E 3E 1C 37 g.P..d.w..^.7
    00C0: 47 C8 D6 EA A4 F3 36 3C 97 C2 39 72 05 94 19 25 G.....6..9r...%
    00D0: C3 D7 37 41 0F C1 1F 87 8A FD AA BE E9 B1 64 57 ..7A..........dW
    00E0: E4 DB 92 A1 CF E1 49 E8 3B 1F 91 13 5A C3 8F D9 ......I.;...Z...
    00F0: 25 58 49 80 47 0F C6 03 AE AC E3 BF B7 C0 AA 2A %XI.G..........*

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@3e
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Wed Jan 07 18:59:59 EST 2004]
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ e49efdf3 3ae80ecf a5113e19 a4240232]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 61 70 EC 2F 3F 9E FD 2B E6 68 54 21 B0 67 79 08 ap./?..+.hT!.gy.
    0010: 0C 20 96 31 8A 0D 7A BE B6 26 DF 79 2C 22 69 49 . .1..z...y,"iI
    0020: 36 E3 97 77 62 61 A2 32 D7 7A 54 21 36 BA 02 C9 6..wba.2.zT!6...
    0030: 34 E7 25 DA 44 35 B0 D2 5C 80 5D B3 94 F8 F9 AC 4.%.D5..\.].....
    0040: EE A4 60 75 2A 1F 95 49 23 B1 4A 7C F4 B3 47 72 ..`u*..I#.J...Gr
    0050: 21 5B 7E 97 AB 54 AC 62 E7 5D EC AE 9B D2 C9 B2 ![...T.b.]......
    0060: 24 FB 82 AD E9 67 15 4B BA AA A6 F0 97 A0 F6 B0 $....g.K........
    0070: 97 57 00 C8 0C 3C 09 A0 82 04 BA 41 DA F7 99 A4 .W........A....

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc86
    Validity: [From: Wed Aug 12 20:29:00 EDT 1998,
    To: Mon Aug 13 19:59:00 EDT 2018]
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    SerialNumber: [ 01a5]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 6D EB 1B 09 E9 5E D9 51 DB 67 22 61 A4 2A 3C 48 m....^.Q.g"a.*H
    0010: 77 E3 A0 7C A6 DE 73 A2 14 03 85 3D FB AB 0E 30 w.....s....=...0
    0020: C5 83 16 33 81 13 08 9E 7B 34 4E DF 40 C8 74 D7 ...3.....4N.@.t.
    0030: B9 7D DC F4 76 55 7D 9B 63 54 18 E9 F0 EA F3 5C ....vU..cT.....\
    0040: B1 D9 8B 42 1E B9 C0 95 4E BA FA D5 E2 7C F5 68 ...B....N......h
    0050: 61 BF 8E EC 05 97 5F 5B B0 D7 A3 85 34 C4 24 A7 a....._[....4.$.
    0060: 0D 0F 95 93 EF CB 94 D8 9E 1F 9D 5C 85 6D C7 AA ...........\.m..
    0070: AE 4F 1F 22 B5 CD 95 AD BA A7 CC F9 AB 0B 7A 7F .O."..........z.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@52b
    Validity: [From: Sun Dec 31 19:00:00 EST 1995,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 00]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 69 36 89 F7 34 2A 33 72 2F 6D 3B D4 22 B2 B8 6F i6..4*3r/m;."..o
    0010: 9A C5 36 66 0E 1B 3C A1 B1 75 5A E6 FD 35 D3 F8 ..6f....uZ..5..
    0020: A8 F2 07 6F 85 67 8E DE 2B B9 E2 17 B0 3A A0 F0 ...o.g..+....:..
    0030: 0E A2 00 9A DF F3 14 15 6E BB C8 85 5A 98 80 F9 ........n...Z...
    0040: FF BE 74 1D 3D F3 FE 30 25 D1 37 34 67 FA A5 71 ..t.=..0%.74g..q
    0050: 79 30 61 29 72 C0 E0 2C 4C FB 56 E4 3A A8 6F E5 y0a)r..,L.V.:.o.
    0060: 32 59 52 DB 75 28 50 59 0C F8 0B 19 E4 AC D9 AF 2YR.u(PY........
    0070: 96 8D 2F 50 DB 07 C3 EA 1F AB 33 E0 F5 2B 31 89 ../P......3..+1.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1b5
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]
    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
    0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
    0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...HYC.O.=....b
    0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
    0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
    0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z... ....
    0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
    0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff8f8
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Fri Dec 31 18:59:59 EST 1999]
    Issuer: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 02a60000 01]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 53 DD D3 F0 9C 24 7E 40 AA E2 FC 00 1A D7 DA 0C S....$.@........
    0010: FC 32 61 B8 15 0D 96 F3 FA 57 1B 7F 33 7C AF E9 .2a......W..3...
    0020: 98 9A 61 C8 7A B3 B7 FF B1 DC 99 83 DC AC 12 FC ..a.z...........
    0030: 70 C9 1F 38 42 ED 44 F6 80 2E 5B 6B 33 69 AC 9C p..8B.D...[k3i..
    0040: D3 5C E7 5F 5A 18 C7 B1 2D 79 04 96 41 91 99 41 .\._Z...-y..A..A
    0050: B1 3C 0D BA 84 39 C6 3B 97 F0 26 C9 8E EE BD CC ....9.;.......
    0060: 42 95 FF 1E C7 02 3F 54 0C 78 F5 BC AA 60 7C 02 B.....?T.x...`..
    0070: 69 E8 DC AC E2 02 76 61 C4 3E 03 EA D2 8A 24 D1 i.....va.....$.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffbdf
    Validity: [From: Fri May 12 14:46:00 EDT 2000,
    To: Mon May 12 19:59:00 EDT 2025]
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    SerialNumber: [ 020000b9]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:
    0010: B5 04 4D F0 ..M.
    ]
    ]

    [2]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [3]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:3
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 85 0C 5D 8E E4 6F 51 68 42 05 A0 DD BB 4F 27 25 ..]..oQhB....O'%
    0010: 84 03 BD F7 64 FD 2D D7 30 E3 A4 10 17 EB DA 29 ....d.-.0......)
    0020: 29 B6 79 3F 76 F6 19 13 23 B8 10 0A F9 58 A4 D4 ).y?v...#....X..
    0030: 61 70 BD 04 61 6A 12 8A 17 D5 0A BD C5 BC 30 7C ap..aj........0.
    0040: D6 E9 0C 25 8D 86 40 4F EC CC A3 7E 38 C6 37 11 ...%..@O....8.7.
    0050: 4F ED DD 68 31 8E 4C D2 B3 01 74 EE BE 75 5E 07 O..h1.L...t..u^.
    0060: 48 1A 7F 70 FF 16 5C 84 C0 79 85 B8 05 FD 7F BE H..p..\..y......
    0070: 65 11 A3 0F C0 02 B4 F8 52 37 39 04 D5 A9 31 7A e.......R79...1z
    0080: 18 BF A0 2A F4 12 99 F7 A3 45 82 E3 3C 5E F5 9D ...*.....E..^..
    0090: 9E B5 C8 9E 7C 2E C8 A4 9E 4E 08 14 4B 6D FD 70 .........N..Km.p
    00A0: 6D 6B 1A 63 BD 64 E6 1F B7 CE F0 F2 9F 2E BB 1B mk.c.d..........
    00B0: B7 F2 50 88 73 92 C2 E2 E3 16 8D 9A 32 02 AB 8E ..P.s.......2...
    00C0: 18 DD E9 10 11 EE 7E 35 AB 90 AF 3E 30 94 7A D0 .......5...0.z.
    00D0: 33 3D A7 65 0F F5 FC 8E 9E 62 CF 47 44 2C 01 5D 3=.e.....b.GD,.]
    00E0: BB 1D B5 32 D2 47 D2 38 2E D0 FE 81 DC 32 6A 1E ...2.G.8.....2j.
    00F0: B5 EE 3C D5 FC E7 81 1D 19 C3 24 42 EA 63 39 A9 .........$B.c9.

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc9e
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Tue Jan 07 18:59:59 EST 2020]
    Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ 325033cf 50d156f3 5c81ad65 5c4fc825]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 4B 44 66 60 68 64 E4 98 1B F3 B0 72 E6 95 89 7C KDf`hd.....r....
    0010: DD 7B B3 95 C0 1D 2E D8 D8 19 D0 2D 34 3D C6 50 ...........-4=.P
    0020: 9A 10 86 8C AA 3F 3B A8 04 FC 37 52 95 C3 D9 C9 .....?;...7R....
    0030: DB CD F2 86 06 C4 B1 1B F0 82 88 30 42 8E 17 50 ...........0B..P
    0040: 1C 64 7A B8 3E 99 49 74 97 FC AC 02 43 FB 96 0C .dz..It....C...
    0050: 56 04 25 0C 7C 7C 87 9D 24 A7 D8 F0 32 29 B5 A4 V.%.....$...2)..
    0060: DF 5D A2 4C C5 16 32 A8 42 F6 45 A6 B6 36 B9 E0 .].L..2.B.E..6..
    0070: BF 65 36 93 C2 D2 D7 6B DC DE 59 D6 A2 35 F8 45 .e6....k..Y..5.E

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1e2
    Validity: [From: Tue Nov 08 19:00:00 EST 1994,
    To: Thu Jan 07 18:59:59 EST 2010]
    Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
    SerialNumber: [ 02ad667e 4e45fe5e 576f3c98 195eddc0]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: 65 DD 7E E1 B2 EC B0 E2 3A E0 EC 71 46 9A 19 11 e.......:..qF...
    0010: B8 D3 C7 A0 B4 03 40 26 02 3E 09 9C E1 12 B3 D1 ......@.......
    0020: 5A F6 37 A5 B7 61 03 B6 5B 16 69 3B C6 44 08 0C Z.7..a..[.i;.D..
    0030: 88 53 0C 6B 97 49 C7 3E 35 DC 6C B9 BB AA DF 5C .S.k.I.5.l....\
    0040: BB 3A 2F 93 60 B6 A9 4B 4D F2 20 F7 CD 5F 7F 64 .:/.`..KM. .._.d
    0050: 7B 8E DC 00 5C D7 FA 77 CA 39 16 59 6F 0E EA D3 ....\..w.9.Yo...
    0060: B5 83 7F 4D 4D 42 56 76 B4 C9 5F 04 F8 38 F8 EB ...MMBVv.._..8..
    0070: D2 5F 75 5F CD 7B FC E5 8E 80 7C FC 50 ._u_........P

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@ffffffa6
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 26 48 2C 16 C2 58 FA E8 16 74 0C AA AA 5F 54 3F H,..X...t..._T?
    0010: F2 D7 C9 78 60 5E 5E 6E 37 63 22 77 36 7E B2 17 ...x`^^n7c"w6...
    0020: C4 34 B9 F5 08 85 FC C9 01 38 FF 4D BE F2 16 42 .4.......8.M...B
    0030: 43 E7 BB 5A 46 FB C1 C6 11 1F F1 4A B0 28 46 C9 C..ZF......J.(F.
    0040: C3 C4 42 7D BC FA AB 59 6E D5 B7 51 88 11 E3 A4 ..B....Yn..Q....
    0050: 85 19 6B 82 4C A4 0C 12 AD E9 A4 AE 3F F1 C3 49 ..k.L.......?..I
    0060: 65 9A 8C C5 C8 3E 25 B7 94 99 BB 92 32 71 07 F0 e....%.....2q..
    0070: 86 5E ED 50 27 A6 0D A6 23 F9 BB CB A6 07 14 42 .^.P'...#......B

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc3f
    Validity: [From: Fri Feb 23 18:01:00 EST 1996,
    To: Thu Feb 23 18:59:00 EST 2006]
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    SerialNumber: [ 01a3]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 12 B3 75 C6 5F 1D E1 61 55 80 00 D4 81 4B 7B 31 ..u._..aU....K.1
    0010: 0F 23 63 E7 3D F3 03 F9 F4 36 A8 BB D9 E3 A5 97 .#c.=....6......
    0020: 4D EA 2B 29 E0 D6 6A 73 81 E6 C0 89 A3 D3 F1 E0 M.+)..js........
    0030: A5 A5 22 37 9A 63 C2 48 20 B4 DB 72 E3 C8 F6 D9 .."7.c.H ..r....
    0040: 7C BE B1 AF 53 DA 14 B4 21 B8 D6 D5 96 E3 FE 4E ....S...!......N
    0050: 0C 59 62 B6 9A 4A F9 42 DD 8C 6F 81 A9 71 FF F4 .Yb..J.B..o..q..
    0060: 0A 72 6D 6D 44 0E 9D F3 74 74 A8 D5 34 49 E9 5E .rmmD...tt..4I.^
    0070: 9E E9 B4 7A E1 E5 5A 1F 84 30 9C D3 9F A5 25 D8 ...z..Z..0....%.

    ]
    adding as trusted cert: [
    [
    Version: V3
    Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd47
    Validity: [From: Fri Aug 14 10:50:00 EDT 1998,
    To: Wed Aug 14 19:59:00 EDT 2013]
    Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
    SerialNumber: [ 01b6]

    Certificate Extensions: 4
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 76 0A 49 21 38 4C 9F DE F8 C4 49 C7 71 71 91 9D v.I!8L....I.qq..
    ]
    ]

    [2]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [1.2.840.113763.1.2.1.3]
    [] ]
    ]

    [3]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [4]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:5
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 41 3A D4 18 5B DA B8 DE 21 1C E1 8E 09 E5 F1 68 A:..[...!......h
    0010: 34 FF DE 96 F4 07 F5 A7 3C F3 AC 4A B1 9B FA 92 4.........J....
    0020: FA 9B ED E6 32 21 AA 4A 76 C5 DC 4F 38 E5 DF D5 ....2!.Jv..O8...
    0030: 86 E4 D5 C8 76 7D 98 D7 B1 CD 8F 4D B5 91 23 6C ....v......M..#l
    0040: 8B 8A EB EA 7C EF 14 94 C4 C6 F0 1F 4A 2D 32 71 ............J-2q
    0050: 63 2B 63 91 26 02 09 B6 80 1D ED E2 CC B8 7F DB c+c............
    0060: 87 63 C8 E1 D0 6C 26 B1 35 1D 40 66 10 1B CD 95 .c...l.5.@f....
    0070: 54 18 33 61 EC 13 4F DA 13 F7 99 AF 3E D0 CF 8E T.3a..O........
    0080: A6 72 A2 B3 C3 05 9A C9 27 7D 92 CC 7E 52 8D B3 .r......'....R..
    0090: AB 70 6D 9E 89 9F 4D EB 1A 75 C2 98 AA D5 02 16 .pm...M..u......
    00A0: D7 0C 8A BF 25 E4 EB 2D BC 98 E9 58 38 19 7C B9 ....%..-...X8...
    00B0: 37 FE DB E2 99 08 73 06 C7 97 83 6A 7D 10 01 2F 7.....s....j.../
    00C0: 32 B9 17 05 4A 65 E6 2F CE BE 5E 53 A6 82 E9 9A 2...Je./..^S....
    00D0: 53 0A 84 74 2D 83 CA C8 94 16 76 5F 94 61 28 F0 S..t-.....v_.a(.
    00E0: 85 A7 39 BB D7 8B D9 A8 B2 13 1D 54 09 34 24 7D ..9........T.4$.
    00F0: 20 81 7D 66 7E A2 90 74 5C 10 C6 BD EC AB 1B C2 ..f...t\.......

    ]
    adding as trusted cert: [
    [
    Version: V1
    Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@29
    Validity: [From: Sun Jan 28 19:00:00 EST 1996,
    To: Wed Jan 07 18:59:59 EST 2004]
    Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    SerialNumber: [ ba5ac94c 053b92d6 a7b6df4e d053920d]

    ]
    Algorithm: [MD2withRSA]
    Signature:
    0000: B6 00 1F 93 57 A4 07 A7 40 CE 65 40 3F 55 5E ED ....W...@.e@?U^.
    0010: EF FA 54 49 A5 30 D6 21 7C 61 87 EE 83 93 0B BF ..TI.0.!.a......
    0020: B4 33 F2 98 AC 9F 06 BF 4E A8 CE 14 81 4C CB 04 .3......N....L..
    0030: 4E 58 C3 CF 5F EE 7C D7 9A 6F CB 41 8A B7 7F 81 NX.._....o.A....
    0040: B8 FF 84 61 C6 27 43 65 1D 0C EC B1 00 0A DD 1B ...a.'Ce........
    0050: A4 BB C7 78 20 28 B2 A2 DD 36 95 2E E1 54 4F BF ...x (...6...TO.
    0060: 60 B9 77 68 11 99 23 E8 EA 52 E8 AA 00 4E 67 4E `.wh..#..R...NgN
    0070: BB 90 B5 45 9B 46 EB 8E 16 EF C4 33 5B 33 3D D5 ...E.F.....3[3=.

    ]
    ***
    found key for : ppkeystore
    chain [0] = [
    [
    Version: V1
    Subject: CN=Client, OU=OU, O=O, C=CC, ST=ST
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffcaa
    Validity: [From: Wed Jul 02 06:43:12 EDT 2003,
    To: Tue Sep 30 06:43:12 EDT 2003]
    Issuer: CN=Client, OU=OU, O=O, C=CC, ST=ST
    SerialNumber: [ 3f02b740]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 78 26 84 94 7A 3F 4A 4F 76 97 AB 17 80 DB 98 04 x..z?JOv.......
    0010: E2 2F 9B DF 8B 43 09 1C 01 7C 9B 53 E2 31 83 16 ./...C.....S.1..
    0020: 0D C9 5D 1F 7D ED C0 D3 34 38 0D 72 CD 1B 4E E2 ..].....48.r..N.
    0030: 54 B2 97 BB 70 4E 74 9B BD AE D1 CB B8 A0 E1 E2 T...pNt.........
    0040: C4 F4 3C 58 EB CE 09 CE 29 96 49 12 68 4F 15 7C ..X....).I.hO..
    0050: AE C7 03 0B 11 9E 37 CB 95 16 FC DA B7 68 67 0E ......7......hg.
    0060: 0E 35 D2 88 6E E7 6C 98 70 C9 C8 78 1D E2 D7 75 .5..n.l.p..x...u
    0070: B5 C7 C5 E7 25 85 3A D4 0C 04 D3 0C AF 10 91 FE ....%.:.........
    0080: 29 36 86 71 8F 87 1A 53 5E B6 F9 07 58 CF 1E 8F )6.q...S^...X...
    0090: 3A 7D C1 D7 CD 08 D3 19 3C 2C B4 CA C8 A8 C2 7D :.......,......
    00A0: AE DA 5E 41 B2 D0 3E F1 C6 3B 21 E8 6C 32 3E 0C ..^A....;!.l2.
    00B0: 65 64 C6 54 0A DE CA A7 93 E8 C3 8A 7C 33 C2 79 ed.T.........3.y
    00C0: 8C 18 97 5E 36 1B 0C 95 E2 66 FB 0C E6 23 FD B4 ...^6....f...#..
    00D0: 62 4A 82 5C A7 98 26 1B 47 3A 5F 72 94 1A CD 3C bJ.\...G:_r...
    00E0: E3 75 66 83 E4 AC 45 2E B8 7E 35 31 51 A1 D7 22 .uf...E...51Q.."
    00F0: BA FD 61 CE 9A EB B7 49 9A FC AA 4B 36 A7 CC 41 ..a....I...K6..A

    ]
    ***
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1057567723 bytes = { 25, 202, 66, 170, 104, 162, 12, 82, 27, 86, 30, 144, 171, 41, 91, 2, 34, 131, 123, 32, 87, 7, 208, 193, 154, 97, 234, 206 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    [write] MD5 and SHA1 hashes: len = 59
    0000: 01 00 00 37 03 01 3F 09 34 EB 19 CA 42 AA 68 A2 ...7..?.4...B.h.
    0010: 0C 52 1B 56 1E 90 AB 29 5B 02 22 83 7B 20 57 07 .R.V...)[.".. W.
    0020: D0 C1 9A 61 EA CE 00 00 10 00 04 00 05 00 0A 00 ...a............
    0030: 13 00 09 00 12 00 03 00 11 01 00 ...........
    main, WRITE: TLSv1 Handshake, length = 59
    [write] MD5 and SHA1 hashes: len = 77
    0000: 01 03 01 00 24 00 00 00 20 00 00 04 01 00 80 00 ....$... .......
    0010: 00 05 00 00 0A 07 00 C0 00 00 13 00 00 09 06 00 ................
    0020: 40 00 00 12 00 00 03 02 00 80 00 00 11 3F 09 34 @............?.4
    0030: EB 19 CA 42 AA 68 A2 0C 52 1B 56 1E 90 AB 29 5B ...B.h..R.V...)[
    0040: 02 22 83 7B 20 57 07 D0 C1 9A 61 EA CE .".. W....a..
    main, WRITE: SSLv2 client hello message, length = 77
    main, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1057567724 bytes = { 245, 15, 204, 200, 236, 164, 113, 86, 80, 143, 98, 29, 219, 159, 108, 112, 120, 69, 90, 122, 105, 175, 98, 38, 113, 132, 190, 181 }
    Session ID: {247, 236, 43, 119, 75, 176, 31, 31, 178, 1, 32, 50, 103, 28, 175, 200, 135, 33, 11, 221, 183, 47, 169, 63, 192, 67, 13, 247, 166, 141, 110, 11}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    [read] MD5 and SHA1 hashes: len = 74
    0000: 02 00 00 46 03 01 3F 09 34 EC F5 0F CC C8 EC A4 ...F..?.4.......
    0010: 71 56 50 8F 62 1D DB 9F 6C 70 78 45 5A 7A 69 AF qVP.b...lpxEZzi.
    0020: 62 26 71 84 BE B5 20 F7 EC 2B 77 4B B0 1F 1F B2 bq... ..+wK....
    0030: 01 20 32 67 1C AF C8 87 21 0B DD B7 2F A9 3F C0 . 2g....!.../.?.
    0040: 43 0D F7 A6 8D 6E 0B 00 04 00 C....n....
    main, READ: TLSv1 Handshake, length = 728
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=www.epassporte.com, O=Epassporte N.V., L=Newbury, ST=Curacao, C=AN
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd30
    Validity: [From: Fri Jan 03 02:35:32 EST 2003,
    To: Thu Nov 13 12:43:24 EST 2003]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 09c710]

    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.1]]

    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 13 45 A9 11 FE B5 14 C8 59 73 0E 0A 3E BA 38 41 .E......Ys...8A
    0010: A8 3D 7A 27 54 76 A9 86 2B 40 65 F2 2A BF B7 F1 .=z'Tv..+@e.*...
    0020: 95 9C 8E 3B D2 57 85 55 2F C8 BE 5D B5 AE 69 83 ...;.W.U/..]..i.
    0030: D6 A2 33 C5 93 E8 9E 61 0B 64 13 79 EF 76 00 F6 ..3....a.d.y.v..
    0040: 7D B3 3A 00 4A 8A 08 78 58 B4 6C 2E 6B 3C D0 4D ..:.J..xX.l.k.M
    0050: F2 5E 70 C1 C7 B9 56 A8 B7 AD 47 F3 83 8B D4 05 .^p...V...G.....
    0060: C1 65 37 87 69 BA 78 4B 20 52 36 37 E8 BC 7D 52 .e7.i.xK R67...R
    0070: 6A AB 51 32 B4 F5 3C B8 42 58 65 7C A6 33 90 AD j.Q2...BXe..3..

    ]
    ***
    add missing root cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1b5
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
    0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
    0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...HYC.O.=....b
    0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
    0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
    0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z... ....
    0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
    0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

    ]
    stop on trusted cert: [
    [
    Version: V3
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1b5
    Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
    To: Thu Dec 31 18:59:59 EST 2020]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
    0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
    0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...HYC.O.=....b
    0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
    0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
    0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z... ....
    0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
    0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

    ]
    [read] MD5 and SHA1 hashes: len = 728
    0000: 0B 00 02 D4 00 02 D1 00 02 CE 30 82 02 CA 30 82 ..........0...0.
    0010: 02 33 A0 03 02 01 02 02 03 09 C7 10 30 0D 06 09 .3..........0...
    0020: 2A 86 48 86 F7 0D 01 01 04 05 00 30 81 C4 31 0B *.H........0..1.
    0030: 30 09 06 03 55 04 06 13 02 5A 41 31 15 30 13 06 0...U....ZA1.0..
    0040: 03 55 04 08 13 0C 57 65 73 74 65 72 6E 20 43 61 .U....Western Ca
    0050: 70 65 31 12 30 10 06 03 55 04 07 13 09 43 61 70 pe1.0...U
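
    The trace above prints the raw ClientHello and ServerHello bytes next to JSSE's decoded view of them. The following is an added example, not code from the post, that parses those exact bytes (copied from the "[write] MD5 and SHA1 hashes: len = 59" and "[read] MD5 and SHA1 hashes: len = 74" dumps) according to the TLS 1.0 handshake layout and flags the export-grade suites the client offered. The suite names are the ones JSSE printed; the function and variable names (parse_hello, export_suites, CLIENT_HELLO, SERVER_HELLO) are this example's own.

```python
"""Decode the ClientHello/ServerHello handshake bytes shown in the JSSE trace.

Added example, not code from the original post. The hex below is copied from
the trace's '[write] ... len = 59' and '[read] ... len = 74' dumps; the suite
names are the ones JSSE printed for those code points.
"""

# Cipher-suite code points as sent on the wire, mapped to the names in the trace.
SUITE_NAMES = {
    0x0004: "SSL_RSA_WITH_RC4_128_MD5",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0009: "SSL_RSA_WITH_DES_CBC_SHA",
    0x0012: "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    0x0003: "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0011: "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}

# Handshake message bytes copied from the trace (TLS 1.0 record payloads).
CLIENT_HELLO = bytes.fromhex(
    "01 00 00 37 03 01 3F 09 34 EB 19 CA 42 AA 68 A2 "
    "0C 52 1B 56 1E 90 AB 29 5B 02 22 83 7B 20 57 07 "
    "D0 C1 9A 61 EA CE 00 00 10 00 04 00 05 00 0A 00 "
    "13 00 09 00 12 00 03 00 11 01 00"
)
SERVER_HELLO = bytes.fromhex(
    "02 00 00 46 03 01 3F 09 34 EC F5 0F CC C8 EC A4 "
    "71 56 50 8F 62 1D DB 9F 6C 70 78 45 5A 7A 69 AF "
    "62 26 71 84 BE B5 20 F7 EC 2B 77 4B B0 1F 1F B2 "
    "01 20 32 67 1C AF C8 87 21 0B DD B7 2F A9 3F C0 "
    "43 0D F7 A6 8D 6E 0B 00 04 00"
)

HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}


def _u16(data, pos):
    return int.from_bytes(data[pos:pos + 2], "big")


def parse_hello(data):
    """Parse a TLS 1.0 ClientHello or ServerHello handshake message into a dict.

    Layout (RFC 2246): type(1) length(3) version(2) random(32) session_id<0..32>,
    then for ClientHello cipher_suites<2..2^16-1> and compression_methods<1..255>,
    and for ServerHello a single suite and a single compression method.
    """
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")
    if msg_type not in HANDSHAKE_TYPES:
        raise ValueError("not a ClientHello/ServerHello: type %d" % msg_type)
    if len(data) != 4 + length:
        raise ValueError("handshake length %d does not match %d payload bytes"
                         % (length, len(data) - 4))
    pos = 4
    version = (data[pos], data[pos + 1])
    pos += 2
    random = data[pos:pos + 32]
    pos += 32
    sid_len = data[pos]
    pos += 1
    if sid_len > 32:
        raise ValueError("session id longer than 32 bytes")
    session_id = data[pos:pos + sid_len]
    pos += sid_len
    if msg_type == 1:
        cs_len = _u16(data, pos)
        pos += 2
        if cs_len == 0 or cs_len % 2:
            raise ValueError("bad cipher_suites length %d" % cs_len)
        suites = [_u16(data, p) for p in range(pos, pos + cs_len, 2)]
        pos += cs_len
        cm_len = data[pos]
        pos += 1
        compression = list(data[pos:pos + cm_len])
        pos += cm_len
    else:
        suites = [_u16(data, pos)]
        pos += 2
        compression = [data[pos]]
        pos += 1
    if pos != len(data):
        raise ValueError("%d trailing bytes after hello body" % (len(data) - pos))
    return {
        "type": HANDSHAKE_TYPES[msg_type],
        "version": version,
        # RFC 2246: the first four random bytes are gmt_unix_time, big-endian.
        "gmt_unix_time": int.from_bytes(random[:4], "big"),
        "random_bytes": random[4:],
        "session_id": session_id,
        "cipher_suites": [SUITE_NAMES.get(s, "0x%04X" % s) for s in suites],
        "compression": compression,
    }


def hello_error(data):
    """Return the parse error message for malformed input, or None if it parses."""
    try:
        parse_hello(data)
        return None
    except ValueError as exc:
        return str(exc)


def export_suites(suite_names):
    """Return the export-grade (40-bit) suites among a list of suite names."""
    return [s for s in suite_names if "_EXPORT_" in s]


if __name__ == "__main__":
    for raw in (CLIENT_HELLO, SERVER_HELLO):
        hello = parse_hello(raw)
        print(hello["type"], "TLS %d.%d" % hello["version"],
              "gmt_unix_time=%d" % hello["gmt_unix_time"],
              "session_id=%s" % (hello["session_id"].hex() or "(none)"))
        print("  suites:", ", ".join(hello["cipher_suites"]))
        print("  export-grade:", export_suites(hello["cipher_suites"]))
```

    Two things the decode makes visible. First, the trace prints "GMT: 1057567723" and "GMT: 1057567724", but the big-endian value of the first four random bytes (3F 09 34 EB and 3F 09 34 EC) is 1057567979 and 1057567980, 256 higher in both cases; that is consistent with the trace's printer adding the sign-extended low byte rather than masking it, which is my reading of the discrepancy, not something the trace states. Second, every suite the client offers uses RC4, DES or 3DES with MD5 or SHA-1, two of them are 40-bit export suites, and the server settled on SSL_RSA_WITH_RC4_128_MD5. RC4, single DES and the export suites are disabled by default in current JDKs, so a trace like this from a modern client would end in a handshake failure rather than in "Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]".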

  • RELEVANCY SCORE 2.34

    DB:2.34:Describes How To Get The Cert_Trust_Is_Partial_Chain Error When Mixing Java And Crypto Api Generated Certificates 9d


    (This is to record a problem, the cause, and the solution. )
    A certificate created by CryptSignAndEncodeCertificate gave a CERT_TRUST_IS_PARTIAL_CHAIN error when trying to use CertGetCertificateChain with a certstore that had a parent certificate created with Java libraries. The problem was that I passed the issuer's subject name as a string, and CertStrToName encoded the newly created certificate's issuer name differently than the parent certificate's subject name.

    Even though the names were textually the same, the Java encoding used UTF8String, and CertStrToName used String.

    JAVA
    universal Sequence of len 12
    universal Object Identifier 2.5.4.3 szOID_COMMON_NAME
    universal UTF8String IdentityN

    CRYPTOAPI
    universal Sequence of len 12
    universal Object Identifier 2.5.4.3 szOID_COMMON_NAME
    universal UTF8String IdentityN

    and that difference caused a failure to find the parent certificate, and thus a CERT_TRUST_IS_PARTIAL_CHAIN error.

    The solution is to copy the encoded subject name from the parent cert into the Issuer field.

    PCCERT_CONTEXT issuerCertContext; CERT_INFO cert_info;
    // Use the already encoded Issuer name from the issuerCertContext
    // We cannot use the cryptoapi to encode Issuer subject name strings because they do not use UTF8String per rfc3280 section 4.1.2.4 Issuer
    //
    cert_info.Issuer.pbData = issuerCertContext->pCertInfo->Subject.pbData;
    cert_info.Issuer.cbData = issuerCertContext->pCertInfo->Subject.cbData;
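
    The failure above comes down to the bytes of the encoded Name, not its text. The following is an added example (not the poster's code, and it does not touch CryptoAPI) that hand-rolls the DER for a Name with a single commonName attribute, once tagged UTF8String as the poster's Java-built parent was and once tagged PrintableString as CertStrToName produced, and then runs a stand-in chain builder that matches a child's encoded Issuer against each store certificate's encoded Subject byte for byte. The value "IdentityN" is taken from the post; the names encode_name, name_attributes, Cert, find_issuer and chain_status are this example's own, and Cert carries only the two encoded names, no keys or signatures.

```python
"""Encode one X.500 Name two ways and show why chain building then fails.

Added example, not the poster's code. The string-type difference the poster
describes (UTF8String, tag 0x0C, versus PrintableString, tag 0x13) is made
visible byte for byte, and a stand-in chain builder that compares encoded
Issuer to encoded Subject reproduces the partial-chain outcome. Copying the
parent's already-encoded Subject into the child's Issuer, the poster's fix,
makes the same builder succeed.
"""
from dataclasses import dataclass

UTF8STRING = 0x0C        # ASN.1 universal tag for UTF8String
PRINTABLESTRING = 0x13   # ASN.1 universal tag for PrintableString
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 (commonName), DER content octets
PRINTABLE_EXTRA = " '()+,-./:=?"             # non-alphanumerics PrintableString allows


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_name(common_name, string_tag):
    """DER Name ::= SEQUENCE OF (SET OF (SEQUENCE { OID, value })) with one CN."""
    if string_tag == PRINTABLESTRING and not all(
            (c.isascii() and c.isalnum()) or c in PRINTABLE_EXTRA for c in common_name):
        raise ValueError("value not representable as PrintableString")
    attribute = tlv(0x30, tlv(0x06, OID_COMMON_NAME)
                    + tlv(string_tag, common_name.encode("utf-8")))
    return tlv(0x30, tlv(0x31, attribute))


def read_tlv(data, pos=0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n_octets = first & 0x7F
        length = int.from_bytes(data[pos:pos + n_octets], "big")
        pos += n_octets
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def name_attributes(name_der):
    """Return [(oid_content, string_tag, text)] for a Name with one AVA per RDN."""
    tag, rdns, _ = read_tlv(name_der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        assert tag == 0x31, "RDN must be a SET"
        tag, ava, _ = read_tlv(rdn)
        assert tag == 0x30, "AVA must be a SEQUENCE"
        tag, oid, after_oid = read_tlv(ava)
        assert tag == 0x06, "AVA must start with an OID"
        string_tag, value, _ = read_tlv(ava, after_oid)
        out.append((oid, string_tag, value.decode("utf-8")))
    return out


@dataclass
class Cert:
    """Only the two encoded names a chain builder compares."""
    subject_der: bytes
    issuer_der: bytes


def find_issuer(cert, store):
    """Store entries whose encoded Subject is byte-identical to cert's encoded Issuer."""
    return [c for c in store if c.subject_der == cert.issuer_der]


def chain_status(leaf, store):
    """'complete' once a self-issued certificate is reached, else 'partial chain'."""
    current, hops = leaf, 0
    while current.subject_der != current.issuer_der:
        parents = find_issuer(current, store)
        if not parents or hops > len(store):
            return "partial chain"
        current, hops = parents[0], hops + 1
    return "complete"


if __name__ == "__main__":
    parent = Cert(encode_name("IdentityN", UTF8STRING), encode_name("IdentityN", UTF8STRING))
    # Issuer re-encoded from the string "IdentityN" as PrintableString: same text, other bytes.
    child = Cert(encode_name("Leaf", UTF8STRING), encode_name("IdentityN", PRINTABLESTRING))
    print("parent subject:", parent.subject_der.hex())
    print("child issuer:  ", child.issuer_der.hex())
    print("re-encoded issuer:", chain_status(child, [parent]))
    child.issuer_der = parent.subject_der   # the poster's fix
    print("copied encoded subject:", chain_status(child, [parent]))
```

    The two encodings differ in exactly one octet, the string tag at offset 11, which is enough for a byte-comparing builder to report no issuer. RFC 5280 section 7.1 does permit implementations to compare names by binary equality when the encodings match, so the robust fix is the one the poster used: never re-encode an issuer name from text, reuse the issuer certificate's encoded Subject.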


  • RELEVANCY SCORE 2.34

    DB:2.34:3rd Party Ssl Cert Is Being Used Instead Of Self Signed Cert Of Smtp Exchange 2007 91


    On our Exchange server we have one SAN cert and one self-signed cert.

    Outlook is now complaining with an SSL warning because it is defaulting to the 3rd party cert for SMTP. I have only enabled SMTP for the self-signed cert. How can I make Exchange use the self-signed cert for SMTP instead of the 3rd party one?
    The reason I need to do this is that our internal domain name is an actual domain name that we do not own. I cannot get a 3rd party SSL cert for our internal domain name because of this.

    Below is the configuration I get when I run get-exchangecertificate |fl . I have stripped any data like domain names and such from the information below.
    I have tried enable-exchangecertificate -thumbprint self signed -Services SMTP; this does not work. I keep getting an SSL error when I open Outlook.

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Cry
    CertificateDomains : {mail, mail..domainname.ca
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=mail
    NotAfter : 7/20/2015 5:04:34 PM
    NotBefore : 7/20/2010 5:04:34 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber :
    Services : UM, SMTP
    Status : Valid
    Subject : CN=mail
    Thumbprint :

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Cry
    CertificateDomains : {mail.domainname2.com, autodiscover.domainname2.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    NotAfter : 6/4/2012 12:04:12 PM
    NotBefore : 6/1/2010 2:50:45 AM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber :
    Services : IMAP, POP, IIS
    Status : Valid

    DB:2.34:3rd Party Ssl Cert Is Being Used Instead Of Self Signed Cert Of Smtp Exchange 2007 91

    Hi,
    The self-signed certificate is from Exchange, so it cannot be trusted by any computer (a user trusting a CA means that the CA certificate is held in the user's Trusted CAs store). You need to store this certificate in the user's Trusted CA store:
    1. When you receive the warning, click View Certificate.
    2. In the Details tab, click Copy to File and save the certificate on a local drive.
    3. Double-click the certificate (*.cer) you just saved and click Install Certificate.
    4. Select Place all certificates in the following store.
    5. Click Browse, select Trusted Root Certificate Authorities, and click OK to install.
    You can also use Group Policy to deploy this certificate for all users. For more information, please refer to the following article:
    http://technet.microsoft.com/en-us/library/cc770315(WS.10).aspx

  • RELEVANCY SCORE 2.34

    DB:2.34:Bad_Certificate Alert Was Received From Localhost 99


    This is my situation, for a week now. I have tried any number of combinations but still can't get past this problem.
    All help is really appreciated.

    CLIENT CODE
    private static final String CLIENT_KEYSTORE = "last_keystore.jks";
    private static final String KEYSTORE_PASS = "last123";
    private static final String CLIENT_KEYNAME = "last_key";
    private static final String CLIENT_KEYPASS = "last_key_password";

    // instantiate an adapter...
    SSLAdapterFactory sslAdapterFactory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) sslAdapterFactory.getSSLAdapter();
    X509Certificate[] clientcert = { getCertificate(CLIENT_KEYNAME, CLIENT_KEYSTORE) };
    PrivateKey clientprivate = (PrivateKey) getPrivateKey(CLIENT_KEYNAME, CLIENT_KEYPASS, CLIENT_KEYSTORE);
    adapter.addIdentity(clientcert, clientprivate);
    sslAdapterFactory.setDefaultAdapter(adapter);
    // optionally set the Adapter factory to use this instance always...
    SSLAdapterFactory.getDefaultFactory().setDefaultAdapter(adapter);

    SSLAdapterFactory.getDefaultFactory().setUseDefaultAdapter(true);
    // create service factory
    ServiceFactory servicefactory;

    servicefactory = ServiceFactory.newInstance();

    ===============================================================================

    PROBLEM

    23.04.2010 17.35 Uhr CEST Warning Security BEA-090482 BAD_CERTIFICATE alert was received from localhost - 127.0.0.1. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

    ==========================================================================

    WEBLOGIC OPTIONS

    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.system.BootIdentityFile=./security/boot.properties
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE%
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.security.SSL.enforceConstraints=off
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.security.SSL.allowSmallRSAExponent=true
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.security.SSL.ignoreHostnameVerification=true
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dssl.debug=true
    set WLS_JAVA_PROPERTIES=%WLS_JAVA_PROPERTIES% -Dweblogic.StdoutDebugEnabled=true

    ===============================================================================

    KEYSTORE CREATED AS FOLLOWS

    CASE ONE
    keytool -genkey -keyalg RSA -keystore C:\last_keystore.jks -storepass last123 -alias last_key -keypass last_key_password -dname "CN=169.59.84.6, OU=169.59.84.6, C=US" -keysize 1024 -validity 1460

    keytool -list -keystore C:\last_keystore.jks -storepass last123 -v | findstr Alias

    keytool -export -alias last_key -file last_cert.der -keystore C:\last_keystore.jks -storepass last123

    java -cp C:\bea920\weblogic92\server\lib\weblogic.jar utils.der2pem last_cert.der

    keytool -import -alias last_key -file last_cert.pem -keystore C:\bea920\jdk150_04\jre\lib\security\cacerts

    CASE TWO
    keytool -genkey -keyalg RSA -keystore C:\localhost_keystore.jks -storepass localhost1 -alias localhost_key -keypass localhost_key_password -dname "CN=localhost, OU=localhost, C=US" -keysize 1024 -validity 1460

    keytool -list -keystore C:\localhost_keystore.jks -storepass localhost1 -v | findstr Alias

    keytool -export -alias localhost_key -file localhost_cert.der -keystore C:\localhost_keystore.jks -storepass localhost1

    java -cp C:\bea920\weblogic92\server\lib\weblogic.jar utils.der2pem localhost_cert.der

    keytool -import -alias localhost_key -file localhost_cert.pem -keystore C:\bea920\jdk150_04\jre\lib\security\cacerts

    =================================================================================

    DESCRIPTION

    A:: I have identified the truststore I am using is actually being picked up ...

    23.04.2010 17.40 Uhr CEST Info Management BEA-141052 The auto deployment poller has started.
    23.04.2010 17.40 Uhr CEST Info JMS BEA-040010 JMSServer "TDCJMSServer" configured no session pools.
    23.04.2010 17.40 Uhr CEST Info JMS BEA-040109 JMSServer "TDCJMSServer" is started.
    23.04.2010 17.40 Uhr CEST Notice Security BEA-090171 Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file c:\bea920\weblogic92\server\lib\DemoIdentity.jks.
    23.04.2010 17.40 Uhr CEST Notice Security BEA-090169 Loading trusted certificates from the jks keystore file c:\bea920\weblogic92\server\lib\DemoTrust.jks.
    23.04.2010 17.40 Uhr CEST Notice Security BEA-090169 Loading trusted certificates from the jks keystore file c:\bea920\jdk150_04\jre\lib\security\cacerts.
    23.04.2010 17.40 Uhr CEST Info WebLogicServer BEA-000307 Exportable key maximum lifespan set to 500 uses.

    ============================================================================
    B:: I also identified the certificates as being loaded.
    23.04.2010 17.51 Uhr CEST Notice Security BEA-090169 Loading trusted certificates from the jks keystore file c:\bea920\jdk150_04\jre\lib\security\cacerts.
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 SSLContextManager: loaded 9 trusted CAs from c:\bea920\jdk150_04\jre\lib\security\cacerts
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=Client, OU=WEB AGE, C=US; Issuer: CN=Client, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=Santa, OU=WEB AGE, C=US; Issuer: CN=Santa, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=fairy, OU=WEB AGE, C=US; Issuer: CN=fairy, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=Bunny, OU=WEB AGE, C=US; Issuer: CN=Bunny, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=127.0.0.1, OU=WEB AGE, C=US; Issuer: CN=127.0.0.1, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=169.59.84.6, OU=169.59.84.6, C=US; Issuer: CN=169.59.84.6, OU=169.59.84.6, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=localhost, OU=WEB AGE, C=US; Issuer: CN=localhost, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=angel, OU=WEB AGE, C=US; Issuer: CN=angel, OU=WEB AGE, C=US
    23.04.2010 17.51 Uhr CEST Debug SecuritySSL 000000 Subject: CN=local, OU=WEB AGE, C=US; Issuer: CN=local, OU=WEB AGE, C=US

    This is driving me CRAZY ... any help is greatly appreciated.

    DB:2.34:Bad_Certificate Alert Was Received From Localhost 99

    well hello user4183287

    Prior to the aforementioned code I had
    // Setup the global JAXM message factory
    System.setProperty("javax.xml.soap.MessageFactory", "weblogic.webservice.core.soap.MessageFactoryImpl");
    // Setup the global JAX-RPC service factory
    System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
    The libraries I imported are as follows ...

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.net.MalformedURLException;
    import java.net.URL;
    import java.rmi.RemoteException;
    import java.security.Key;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import java.sql.SQLException;

    import javax.xml.namespace.QName;
    import javax.xml.rpc.Call;
    import javax.xml.rpc.Service;
    import javax.xml.rpc.ServiceException;
    import javax.xml.rpc.ServiceFactory;
    import javax.xml.rpc.encoding.TypeMappingRegistry;
    import weblogic.webservice.client.SSLAdapterFactory;
    import weblogic.webservice.client.WLSSLAdapter;
    import weblogic.webservice.encoding.DefaultTypeMapping;

    hope this helps

    Margarita

  • RELEVANCY SCORE 2.34

    DB:2.34:Has Anyone Ever Validated Certpath Using J2sdk1.4.0? pk


    I only installed J2SDK1.4.0

    I tried many example, but always got such error info:

    Validation failure, cert[2] :basic constraints check failed: this is not a CA certificate

    I have tried many situation, including creat and sign certificate with my own CA, or certificate signed by Verusign, or just Certpath from other website. All with same error.

    It seems it only works when there is only one Certification in CertPATH.

    below is a example I used, it got CerPath from website of www.ftc.gov and verify it.

    import java.net.*;
    import javax.net.*;
    import java.io.*;
    import javax.net.ssl.*;
    import java.security.cert.*;
    import java.util.*;
    import java.math.*;
    import java.security.*;

    public class t {
        public static void main(String args[]) throws Exception {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try {
                // Create the client socket
                int port = 443;
                String hostname = args[0];
                SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
                SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port);

                // Connect to the server
                socket.startHandshake();

                // Retrieve the server's certificate chain (leaf first, as sent by the peer)
                java.security.cert.Certificate[] serverCerts =
                    socket.getSession().getPeerCertificates();
                System.out.println(serverCerts.length);
                List mylist = new ArrayList();
                for (int i = 0; i < serverCerts.length; i++) {
                    mylist.add((X509Certificate) serverCerts[i]);
                }
                // Note: the whole chain, including the last (root) certificate, goes into the path
                CertPath cp = cf.generateCertPath(mylist);

                // The last certificate of the chain is used as the trust anchor
                TrustAnchor anchor =
                    new TrustAnchor((X509Certificate) serverCerts[serverCerts.length - 1], null);
                PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
                params.setRevocationEnabled(false);

                CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

                try {
                    PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                    PolicyNode policyTree = result.getPolicyTree();
                    PublicKey subjectPublicKey = result.getPublicKey();
                    System.out.println("Certificate validated");
                    System.out.println("Policy Tree:\n" + policyTree);
                    System.out.println("Subject Public key:\n" + subjectPublicKey);
                } catch (CertPathValidatorException cpve) {
                    // getIndex() is the position of the offending certificate in the path
                    System.out.println("Validation failure, cert["
                        + cpve.getIndex() + "] :" + cpve.getMessage());
                }

                // Close the socket
                socket.close();
            } catch (SSLPeerUnverifiedException e) {
                System.out.println(e);
            } catch (IOException e) {
                System.out.println(e);
            }
        }
    }

    DB:2.34:Has Anyone Ever Validated Certpath Using J2sdk1.4.0? pk

    Do not include the trust anchor (root) certificate in the CertPath that is to be
    validated. Trust anchor certificates should not be included in the chain, they
    should only be specified separately in the PKIXParameters. It looks like this
    is the cause of the problem. Your trust anchor certificate is probably an
    X.509 V1 certificate and the PKIX CertPathValidator is rejecting it, since it
    is looking for a Basic Constraints extension to confirm that is a CA certificate,
    but X.509 V1 certificates do not have extensions. See RFC 3280 for more
    information.

    --Sean
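    The fix Sean describes, as an added example that is not part of the original thread: the chain is read from a PEM bundle given on the command line (leaf first, as a server sends it), any self-signed certificate is stripped from the tail so the trust anchor never sits inside the CertPath, and the anchors come from the JDK's default trust store instead of from the chain itself. The posted code anchors trust on whatever certificate the server sent last, so a server can pass validation with a chain it minted itself. The class name, the helper names and the input file are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not from the thread. Assumes a PEM bundle on disk (leaf first) and
// that the JDK default trust store holds the root you want to anchor on.
public class ValidateChain {

    // Trust anchors from the JDK default trust store (cacerts, or javax.net.ssl.trustStore if set).
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                      // null = use the JDK default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    // The CertPath must not contain the trust anchor. Servers often append their root
    // (self-signed, frequently X.509 v1 with no BasicConstraints extension), so drop
    // self-signed certificates from the tail; the anchor is supplied via PKIXParameters.
    static List<X509Certificate> stripSelfSignedTail(List<X509Certificate> chain) {
        List<X509Certificate> path = new ArrayList<>(chain);
        while (!path.isEmpty()) {
            X509Certificate last = path.get(path.size() - 1);
            if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                break;
            }
            path.remove(path.size() - 1);
        }
        return path;
    }

    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                Set<TrustAnchor> anchors,
                                                boolean checkRevocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath cp = cf.generateCertPath(stripSelfSignedTail(chain));
        PKIXParameters params = new PKIXParameters(anchors);    // throws if anchors is empty
        // Revocation is switched off only to keep this runnable offline; leaving it off in
        // production means a revoked certificate still validates.
        params.setRevocationEnabled(checkRevocation);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    }

    // Reads every certificate in a PEM bundle, in file order.
    static List<X509Certificate> readPemBundle(String file) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ValidateChain chain.pem  (e.g. saved from openssl s_client -showcerts)
        List<X509Certificate> chain = readPemBundle(args[0]);
        try {
            PKIXCertPathValidatorResult r = validate(chain, defaultAnchors(), false);
            System.out.println("Chain validated up to anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the offending certificate's position in the path (leaf = 0), or -1
            System.out.println("Validation failure, cert[" + e.getIndex() + "] ("
                + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

    CertPathValidator checks signatures, validity periods, name chaining and the CA constraints along the path; it does not check that the leaf certificate names the host you connected to, so hostname verification against the subject alternative names is a separate step that an HTTPS client still has to perform.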

  • RELEVANCY SCORE 2.34

    DB:2.34:Issue With Thawte Ssl123 Certificate Intermediate Chain sz



    Hi,

    I have a problem getting correct chain verification, I think, while using a Thawte SSL123 certificate on an ASA 5520 running AnyConnect SSL VPN. I noticed, both when using the client and when using AnyConnect mobile, that a security error results, forcing the user to accept before connecting.

    Thawte issues the 123 series certs with both a first intermediate and second intermediate cert for the entire chain. I think I may have missed one of these in my installation of the certs onto the ASA, but I'm unsure if I can just add another CA cert on that same trustpoint, or what I need to do. Specifically, help for fixing the issue, and/or how to handle multiple intermediate certs for a chain issued ssl cert on an ASA.

    A copy of my show crypto ca cert is below, names changed to protect the innocent:

    CA Certificate

      Status: Available

      Certificate Serial Number: 7610128a17b682bb3a1f9d1a9a35c092

      Certificate Usage: General Purpose

      Public Key Type: RSA (2048 bits)

      Signature Algorithm: SHA1 with RSA Encryption

      Issuer Name:

        cn=thawte Primary Root CA

        ou=(c) 2006 thawte\, Inc. - For authorized use only

        ou=Certification Services Division

        o=thawte\, Inc.

        c=US

      Subject Name:

        cn=Thawte DV SSL CA

        ou=Domain Validated SSL

        o=Thawte\, Inc.

        c=US

      OCSP AIA:

        URL: http://ocsp.thawte.com

      CRL Distribution Points:

        [1]  http://crl.thawte.com/ThawtePCA.crl

      Validity Date:

        start date: 19:00:00 EST Feb 17 2010

        end   date: 18:59:59 EST Feb 17 2020

      Associated Trustpoints: mysite.mycompany.com.trustpoint

    Certificate

      Status: Available

      Certificate Serial Number: 17f7b3d30f075a368aefbdbc410d291d

      Certificate Usage: General Purpose

      Public Key Type: RSA (2048 bits)

      Signature Algorithm: SHA1 with RSA Encryption

      Issuer Name:

        cn=Thawte DV SSL CA

        ou=Domain Validated SSL

        o=Thawte\, Inc.

        c=US

      Subject Name:

        cn=vpn-na.doosan.com

        ou=Domain Validated

        ou=Thawte SSL123 certificate

        ou=Go to https://www.thawte.com/repository/index.html

        o=vpn-na.doosan.com

      OCSP AIA:

        URL: http://ocsp.thawte.com

      CRL Distribution Points:

        [1]  http://svr-dv-crl.thawte.com/ThawteDV.crl

      Validity Date:

        start date: 20:00:00 EDT May 14 2012

        end   date: 19:59:59 EDT May 14 2016

      Associated Trustpoints: mysite.mycompany.com.trustpoint

    DB:2.34:Issue With Thawte Ssl123 Certificate Intermediate Chain sz


    There is a chain command under tunnel-group ipsec attributes:

    tunnel-group GROUPNAME ipsec-attributes

    chain

    That should do it, but I never tried.

  • RELEVANCY SCORE 2.33

    DB:2.33:Sbs 2008 Autodiscovery Error 18


    Hello,
    I've inherited a problem which I'm not quite sure how to fix. A customer of ours has a SBS 2008 server which was not properly set up (i.e. the original tech did not run the wizards, but manually configured a bunch of the options). We are running Vipre Email Security for antivirus and antispam. We've found that the antispam isn't actually stopping spam the way it should, so contacted GFI for support. They had me run a few commands and said that there is a problem with the autodiscovery.
    Vipre logs:
    Info3228442011-07-07T22:38:261188995861048[Autodiscovery] !! SSL policy error: RemoteCertificateNameMismatch
    Info3228442011-07-07T22:38:261188995917687[Autodiscovery] !! Error: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    It appears there is an issue with the remote certificate. This could cause the issues you are facing with Vipre Email Security.

    Here's an output of test-outlookwebservices | fl (domain name changed for privacy):
    [PS] C:\Windows\system32>test-outlookwebservices | fl

    Id      : 1003
    Type    : Information
    Message : About to test AutoDiscover with the e-mail address administrator@customerllc.com.

    Id      : 1007
    Type    : Information
    Message : Testing server SERVER.customer.local with the published name https://sites/EWS/Exchange.asmx .

    Id      : 1019
    Type    : Information
    Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://sites/Autodiscover/Autodiscover.xml.

    Id      : 1005
    Type    : Error
    Message : When accessing https://sites/Autodiscover/Autodiscover.xml the error RemoteCertificateNameMismatch:CN=customerllc.com, OU=Domain Control Validated, O=customerllc.com was reported.

    Id      : 1006
    Type    : Information
    Message : The Autodiscover service was contacted at https://sites/Autodiscover/Autodiscover.xml.

    Id      : 1016
    Type    : Success
    Message : [EXCH]-Successfully contacted the AS service at https://sites/EWS/Exchange.asmx. The elapsed time was 329 milliseconds.

    Id      : 1015
    Type    : Success
    Message : [EXCH]-Successfully contacted the OAB service at https://sites/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

    Id      : 1014
    Type    : Success
    Message : [EXCH]-Successfully contacted the UM service at https://sites/UnifiedMessaging/Service.asmx. The elapsed time was 657 milliseconds.

    Id      : 1016
    Type    : Information
    Message : [EXPR]-The AS is not configured for this user.

    Id      : 1015
    Type    : Information
    Message : [EXPR]-The OAB is not configured for this user.

    Id      : 1014
    Type    : Information
    Message : [EXPR]-The UM is not configured for this user.

    Id      : 1017
    Type    : Success
    Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail.customerllc.com/Rpc. The elapsed time was 584 milliseconds.

    Id      : 1006
    Type    : Success
    Message : The Autodiscover service was tested successfully.

    GFI is saying the problem lies with id 1005 where an externally trusted cert isn't matching something. I've noticed that the internet connection wizard was never run on the server, which means the cert wizard won't run. Any help would be much appreciated!

    Here's the get-certificate output if that's helpful:
    [PS] C:\Windows\system32>get-exchangecertificate | fl

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {SERVER.customer.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=customer-SERVER-CA
    NotAfter           : 6/7/2012 5:54:40 PM
    NotBefore          : 6/8/2011 5:54:40 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 584EF805000000000009
    Services           : POP
    Status             : Valid
    Subject            : CN=SERVER.customer.local
    Thumbprint         : DD4AA8E745F3130DB34E001EE5F48FB929C6C325

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {customerllc.com, www.customerllc.com, mail.customerllc.com, autodiscover.customerllc.com, server.customerllc.com, server.customer.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
    NotAfter           : 9/21/2012 8:07:44 AM
    NotBefore          : 9/21/2009 8:07:44 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 00B5ADF4795B0E
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=customerllc.com, OU=Domain Control Validated, O=tradewindllc.com
    Thumbprint         : C0A9B380B37023683BA608822026702148E6A301

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, SERVER.customer.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=customer-SERVER-CA
    NotAfter           : 8/31/2011 10:31:58 AM
    NotBefore          : 8/31/2009 10:31:58 AM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 61069387000000000002
    Services           : POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : 40FEF6A08DF05396C8491C0C0CC33CBEC0E06247

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {customer-SERVER-CA}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=customer-SERVER-CA
    NotAfter           : 8/31/2014 10:41:15 AM
    NotBefore          : 8/31/2009 10:31:16 AM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 04C5F07EC998988B434183A0E69A3F40
    Services           : None
    Status             : Valid
    Subject            : CN=customer-SERVER-CA
    Thumbprint         : 4A349C81DE68D2E83A10A473E0F4DDC465EF30A1

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-WIN-GP4LAC309SP}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-WIN-GP4LAC309SP
    NotAfter           : 8/22/2019 10:32:26 PM
    NotBefore          : 8/24/2009 10:32:26 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 90846D8CE7DB9A8644FD7A5B05F02F76
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-WIN-GP4LAC309SP
    Thumbprint         : 4B0824259DF18799E453AE16EAF2DE5FDCFA2B22

    Thanks!
    Joe

    DB:2.33:Sbs 2008 Autodiscovery Error 18


    Hi,

    How is everything going? If there is anything unclear or any inquires towards the issue. Please drop me a note!

    Thx,

    James

  • RELEVANCY SCORE 2.33

    DB:2.33:Lync 2013 Server Standard Edition- Ls User Services Event Id 30988 k1


    Getting the following repeatedly throughout the day:
    Log Name: Lync Server
    Source: LS User Services
    Date: 10/22/2014 12:21:35 PM
    Event ID: 30988
    Task Category: (1006)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: SSFLYNC1.company.com
    Description:
    Sending HTTP request failed. Server functionality will be affected if messages are failing consistently.
    Sending the message to
    https://ssflync1.company.com:444/LiveServer/DataMcu/ failed. IP Address is 10.10.27.30. Error code is 2EFE. Content-Type is application/cccpxml. Http Error Code is 0.
    Cause: Network connectivity issues or an incorrectly configured certificate on the destination server. Check the eventlog description for more information.
    Resolution:
    Check the destination server to see that it is listening on the same URI and it has certificate configured for MTLS. Other reasons might be network connectivity issues between the two servers.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LS User Services" />
        <EventID Qualifiers="50158">30988</EventID>
        <Level>2</Level>
        <Task>1006</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-10-22T19:21:35.000000000Z" />
        <EventRecordID>29521</EventRecordID>
        <Channel>Lync Server</Channel>
        <Computer>SSFLYNC1.company.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>https://ssflync1.company.com:444/LiveServer/DataMcu/</Data>
        <Data>10.10.27.30</Data>
        <Data>2EFE</Data>
        <Data>application/cccpxml</Data>
        <Data>0</Data>
      </EventData>
    </Event>
    I have run the following and it gave no results back:
    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List *
    System was migrated from Lync 2010, but that has now been removed from topology.
    Any other ideas?

    DB:2.33:Lync 2013 Server Standard Edition- Ls User Services Event Id 30988 k1

    Looks like an issue with the backup software on the server.
    Backup software was causing issues; this would be fixed using the reset-cspoolregistrarstate fullreset. It occurred again after the backup ran. Turned off the backup, ran the reset, and no issues since.

  • RELEVANCY SCORE 2.33

    DB:2.33:Crm 2011: Claims Based Authentication No Longer Works (Error 401.1) z1


    Our on-premise CRM was working fine until it broke on Wednesday. We can no longer connect from Outlook or from the internal web page. Error 401.1 on the web. The user names and passwords are correct and not expired. The only thing I SEE that changed is the KB2718704 patch (cert revocation) on both the workstations and servers. We are self-signed on the internal server - could the patch have broken it? I tried removing the patch from workstations and the server (if that is possible with this patch) and it did not help.
    Most hits I found on 2011 CRM 401.1 errors were mistakes in the install and did not seem relevant to our issue.
    I see these in the event log (but I see similar events from when it worked):

    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/1/ROOT-1-129836390312139036
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\

    Machine name: CRM

    Process information:
    Process ID: 5024
    Process name: w3wp.exe
    Account name: INFOLINK\CRMADMIN

    Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously)

    I see this in the security event log starting when it failed;

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 6/8/2012 11:10:12 AM
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: CRM
    Description:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: crmuser
    Account Domain: infolink
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: CRM
    Source Network Address: 192.168.1.78
    Source Port: 49632
    Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-08T16:10:12.667129600Z" />
        <EventRecordID>1887829</EventRecordID>
        <Correlation />
        <Execution ProcessID="504" ThreadID="5060" />
        <Channel>Security</Channel>
        <Computer>CRM</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">crmuser</Data>
        <Data Name="TargetDomainName">infolink</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2304</Data>
        <Data Name="SubStatus">0x0</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName"></Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">CRM</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.1.78</Data>
        <Data Name="IpPort">49632</Data>
      </EventData>
    </Event>

    DB:2.33:Crm 2011: Claims Based Authentication No Longer Works (Error 401.1) z1

    Thanks, that fixed it!!!
    I found info here: http://forums.iis.net/t/1100044.aspx on a regedit fix to change this without using netsh. So I set DefaultSslCertCheckMode to 1 and rebooted the server. I ran 'netsh http show sslcert' to check it was now disabled. Tried it from a browser and got logged in to CRM, then had users try from Outlook and it worked there as well.
    I guess we need to buy a real cert or perhaps create a new one, post KB2718704?

  • RELEVANCY SCORE 2.33

    DB:2.33:Smart Card Logon Didnt Work j7


    Hello.
    We deploy Smart Card Logon. We installed an Enterprise Root CA and installed a Domain Controller Authentication certificate.
    certutil -dcinfo verify doesn't show any troubles, but in the Event Log I still see Kerberos-Key-Distribution-Center Event ID 29 and couldn't connect to the server with a smart card.

    Certificate 0:
    Serial Number: 19ca067b000000000010
    Issuer: CN=Root CA, DC=contoso, DC=net
    NotBefore: 25.04.2012 17:07
    NotAfter: 25.04.2013 17:07
    Subject: EMPTY (DNS Name=DC1.contoso.net)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): d3 67 bf c9 df c3 c8 8b 8f 0d 0d dc 94 83 14 ce d4 21 38 2f

    certutil -verify -fetchurl

    Issuer:
    CN=Root CA
    DC=contoso
    DC=net
    Subject:
    EMPTY (DNS Name=DC1.contoso.net)
    Cert Serial Number: 19ca067b000000000010

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x400000
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 1 Hours, 22 Minutes, 57 Secon

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 1 Hours, 22 Minutes, 57 Second

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=Root CA, DC=contoso, DC=net
    NotBefore: 25.04.2012 17:07
    NotAfter: 25.04.2013 17:07
    Subject:
    Serial: 19ca067b000000000010
    SubjectAltName: DNS Name=DC1.contoso.net
    Template: Domain Controller Authentication
    d3 67 bf c9 df c3 c8 8b 8f 0d 0d dc 94 83 14 ce d4 21 38 2f
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified Certificate (0) Time: 4
    [0.0] http://ca1.contoso.net/root.crt

    ---------------- Certificate CDP ----------------
    Verified Base CRL (04) Time: 4
    [0.0] http://ca1.contoso.net/root.crl

    ---------------- Base CRL CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------
    CRL 04:
    Issuer: CN=Root CA, DC=contoso, DC=net
    60 b9 ee 76 b3 94 f8 63 38 51 58 a4 7b 48 2a 03 51 1a 12 e1
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=Root CA, DC=contoso, DC=net
    NotBefore: 23.04.2012 20:03
    NotAfter: 23.04.2017 20:13
    Subject: CN=Root CA, DC=contoso, DC=net
    Serial: 192b6f6c23654fa34c4a725cf61db276
    f9 30 57 c7 33 79 56 28 b7 aa 3f cd e7 d7 f1 87 66 f1 f7 ae
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs None Time: 0
    ---------------- Certificate CDP ----------------
    No URLs None Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs None Time: 0
    --------------------------------

    Exclude leaf cert:
    32 8a 29 fb 21 2d cf 61 1f 87 d3 ee 56 e8 e6 a3 03 9b 74 cf
    Full chain:
    40 2e d4 aa 20 4e af 08 2f 05 b8 53 f4 a6 95 5c d3 73 18 e6
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    Leaf certificate revocation check passed

    DB:2.33:Smart Card Logon Didnt Work j7

    Hello,
    For security questions, ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
    Guidelines for enabling smart card logon with third-party certification authorities: http://support.microsoft.com/kb/281245
    When Smartcard Logon Doesn't: http://blogs.technet.com/b/ad/archive/2009/04/06/when-smartcard-logon-doesn-t.aspx

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

  • RELEVANCY SCORE 2.33

    DB:2.33:Creative Cloud Failed To Install Osx 8z



    Hello all

    I have seen similar posts on Windows but I am having this issue on OS X (10.9.5). The log is saying "uninstall falled installation is not present"; the thing is, I'm trying to install. Just out of curiosity I then ran the "uninstall pkg" and get identical errors. I have recreated the packages using Creative Cloud Packager and this is on multiple computers, so is this in the packager and is there a workaround?

    thanks in advance for any assistance

    Jeff Peters

    Log file for failed set up:

    Mon Jun 9 11:33:31 PDT 2014
    creating system keychain entries
    ...Generating key pair...
    ...creating certificate...
    Serial Number : 0A B5 10 63
    Issuer Name :
    Common Name : com.apple.systemdefault
    Org : System Identity
    Subject Name :
    Common Name : com.apple.systemdefault
    Org : System Identity
    Cert Sig Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 05
    alg params : 05 00
    Not Before : 18:33:31 Jun 9, 2014
    Not After : 18:33:31 Jun 4, 2034
    Pub Key Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 01
    alg params : 05 00
    Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 ED ...
    CSSM Key :
    Algorithm : RSA
    Key Size : 1024 bits
    Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP
    Signature : 128 bytes : 80 6B 85 82 DA FC A3 21 ...
    Extension struct : OID : 06 03 55 1D 0F
    Critical : FALSE
    usage : DigitalSignature KeyEncipherment DataEncipherment
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 09 2A 86 48 86 F7 63 64 04 04
    ..cert stored in Keychain.
    ..identity registered for domain com.apple.systemdefault.
    ...Generating key pair...
    ...creating certificate...
    Serial Number : 28 54 53 AB
    Issuer Name :
    Common Name : com.apple.kerberos.kdc
    Org : System Identity
    Subject Name :
    Common Name : com.apple.kerberos.kdc
    Org : System Identity
    Cert Sig Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 05
    alg params : 05 00
    Not Before : 18:33:31 Jun 9, 2014
    Not After : 18:33:31 Jun 4, 2034
    Pub Key Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 01
    alg params : 05 00
    Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 C4 ...
    CSSM Key :
    Algorithm : RSA
    Key Size : 1024 bits
    Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP CSSM_KEYUSE_DERIVE
    Signature : 128 bytes : 2D 43 C9 F8 DE 1F 9A E6 ...
    Extension struct : OID : 06 03 55 1D 0F
    Critical : FALSE
    usage : DigitalSignature KeyEncipherment
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 08 2B 06 01 05 05 07 03 01
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 07 2B 06 01 05 02 03 05
    ..cert stored in Keychain.
    ..identity registered for domain com.apple.kerberos.kdc.
    added /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc to acl for com.apple.kerberos.kdc
    hod-admin: krb5_kt_start_seq_get: keytab /etc/krb5.keytab access failed: No such file or directory
    Done LKDC setup
    No matching processes were found

    Mon Jun 9 11:33:33 PDT 2014
    creating system keychain entries
    ...System identity already exists for domain com.apple.systemdefault. Done.
    ...System identity already exists for domain com.apple.kerberos.kdc. Done.
    /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc already in acl
    Done LKDC setup

    Wed Jul 9 12:00:15 CDT 2014
    creating system keychain entries
    ...Generating key pair...
    ...creating certificate...
    Serial Number : 3F 29 82 99
    Issuer Name :
    Common Name : com.apple.systemdefault
    Org : System Identity
    Subject Name :
    Common Name : com.apple.systemdefault
    Org : System Identity
    Cert Sig Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 05
    alg params : 05 00
    Not Before : 17:00:15 Jul 9, 2014
    Not After : 17:00:15 Jul 4, 2034
    Pub Key Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 01
    alg params : 05 00
    Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 B6 ...
    CSSM Key :
    Algorithm : RSA
    Key Size : 1024 bits
    Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP
    Signature : 128 bytes : A7 34 D5 CE F4 45 AB 0F ...
    Extension struct : OID : 06 03 55 1D 0F
    Critical : FALSE
    usage : DigitalSignature KeyEncipherment DataEncipherment
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 09 2A 86 48 86 F7 63 64 04 04
    ..cert stored in Keychain.
    ..identity registered for domain com.apple.systemdefault.
    ...Generating key pair...
    ...creating certificate...
    Serial Number : 70 E5 7A 47
    Issuer Name :
    Common Name : com.apple.kerberos.kdc
    Org : System Identity
    Subject Name :
    Common Name : com.apple.kerberos.kdc
    Org : System Identity
    Cert Sig Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 05
    alg params : 05 00
    Not Before : 17:00:15 Jul 9, 2014
    Not After : 17:00:15 Jul 4, 2034
    Pub Key Algorithm : OID : 06 09 2A 86 48 86 F7 0D 01 01 01
    alg params : 05 00
    Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 CD ...
    CSSM Key :
    Algorithm : RSA
    Key Size : 1024 bits
    Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP CSSM_KEYUSE_DERIVE
    Signature : 128 bytes : 51 DA AE DD 43 35 A2 16 ...
    Extension struct : OID : 06 03 55 1D 0F
    Critical : FALSE
    usage : DigitalSignature KeyEncipherment
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 08 2B 06 01 05 05 07 03 01
    Extension struct : OID : 06 03 55 1D 25
    Critical : FALSE
    purpose 0 : OID : 06 07 2B 06 01 05 02 03 05
    ..cert stored in Keychain.
    ..identity registered for domain com.apple.kerberos.kdc.
    added /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc to acl for com.apple.kerberos.kdc
    hod-admin: krb5_kt_start_seq_get: keytab /etc/krb5.keytab access failed: No such file or directory
    Done LKDC setup
    No matching processes were found

  • RELEVANCY SCORE 2.33

    DB:2.33:Using Keytool And Cacerts In Java1.4.2 7p


    Hello:

    We are currently using Java 1.4.2 with WebSphere Commerce. Locally, I am trying to make a web service call to a vendor's test server (they updated their certs recently). I have a standalone application using Java 6 that makes the call successfully.

    But when using the application and Java 1.4.2 I get an exception:

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Subject nane of signer cert does not match issuer name of supplied cert chain

    After talking to the vendor they provided me with a new .cer file. But when I try to use keytool to import that into the cacerts file I get an exception which says "input not an x.509 certifiacte".

    I read that this is an issue with older 1.4.2 JVM implementations, so I downloaded the most recent 1.4.2_19 and tried that with no luck.

    ANY help would be greatly appreciated!!

    DB:2.33:Using Keytool And Cacerts In Java1.4.2 7p

    You were right about the BEGIN and END piece the file I was given did not have these.
    After adding them I am able to import the certificate, but for some reason I am still getting the SSL exception I mention earlier.

    I spent 3.5 to 4 hours on the phone with the vendor yesterday trying to figure this out. They (and I) have no idea why this is not working.

    Admittedly, I do not have much knowledge of certificates etc.
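    The reply above pins the keytool failure on a .cer file that lacked the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines. As an added example (not from the thread), here is a small Python helper that classifies a certificate file as DER, PEM or bare base64 and normalises it to PEM so keytool will accept it; the sample input is a constructed five-byte DER SEQUENCE, not a real certificate, used only to exercise the detection.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def classify_cert_file(data: bytes) -> str:
    """Return 'der', 'pem', 'bare-base64' or 'unknown' for the contents of a .cer file."""
    if data[:1] == b"\x30":                      # DER-encoded X.509 starts with a SEQUENCE tag
        return "der"
    text = data.decode("ascii", errors="replace")
    if PEM_BEGIN in text and PEM_END in text:
        return "pem"
    body = re.sub(r"\s+", "", text)              # base64 body with line breaks removed
    if body and len(body) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error:
            return "unknown"
        if raw[:1] == b"\x30":                   # decoded bytes must themselves be DER
            return "bare-base64"
    return "unknown"


def to_pem(data: bytes) -> bytes:
    """Wrap DER or bare base64 input in PEM armour; PEM input is returned unchanged."""
    kind = classify_cert_file(data)
    if kind == "pem":
        return data
    if kind == "der":
        b64 = base64.b64encode(data).decode("ascii")
    elif kind == "bare-base64":
        b64 = re.sub(r"\s+", "", data.decode("ascii"))
    else:
        raise ValueError("not an X.509 certificate in DER, PEM or bare base64 form")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # RFC 7468 line length
    return ("\n".join([PEM_BEGIN] + lines + [PEM_END]) + "\n").encode("ascii")


# Constructed sample: a minimal DER SEQUENCE (not a real certificate) and its base64 form.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_BARE_BASE64 = b"MAMCAQU=\n"

if __name__ == "__main__":
    print(classify_cert_file(SAMPLE_BARE_BASE64))
    print(to_pem(SAMPLE_BARE_BASE64).decode())
```

    After wrapping, `keytool -import -alias vendor -file vendor.pem -keystore cacerts` imports the file. Note that a successful import only helps if the certificate really is the issuer of the server's chain; the later "subject name of signer cert does not match issuer name" exception in this thread is reported by the chain builder when the trusted certificate is not that issuer.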

  • RELEVANCY SCORE 2.33

    DB:2.33:Error Encountered With Saml Token For Inbound Sync Web Service am


    Hi,

    I am trying to use SAML (v1.1) for authenticating an inbound IB web service call to a synchronous service operation.
    If I send a basic message (with SOAPUI) without a signed SAML token (i.e. no WSSE header), it works (i.e. the server responds with the correct XML message).
    If I send a message with a signed SAML token header, I get a SOAP Fault response from the server with the error "SAML Authentication failed for Service Operation XXXX".
    Can someone advise what I am missing? The app server log shows only a single entry without much elaboration:
    PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

    Following are details of the logs and what I did/have.

    Tools Used: SOAPUI v4.5.0.1
    JDK 1.6 (generate self-signed certificate)
    Server Info: PeopleTools 8.51

    What I have done:
    - created a test service with a single synchronous service operation
    - generated a private key in the client keystore (key algo=RSA, key size=1024, sig algo=SHA1WithRSA)
    - exported the public cert to a file
    - imported the public cert into the server keystore (i.e. ..\PSIGW.war\WEB-INF\classes\interop.jks)
    - imported the public cert into Digital Certs (PIA > PeopleTools > Security > Security Objects > Digital Certs) as Root CA
    - imported the public cert into Digital Certs (PIA > PeopleTools > Security > Security Objects > Digital Certs) as Remote cert
    - restarted the web and app servers
    - configured SAML IB Setup to map the cert alias to a local server user profile
    - I have checked that the cert alias is set to the same value in all the keystores
    - set up SOAPUI to send the message with SAML (Form)

    ************************
    REQUEST MESSAGE - Request Message generated by SOAPUI. Replaced lengthy cert/sign binary data with '.....'
    ************************
    <soapenv:Envelope
    xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    wsu:Id="CertId-12B5F387F5EA1B.....+djdAxdoHEba+
    </wsse:BinarySecurityToken>
    <saml1:Assertion AssertionID="12B5F387F5EA1B2DAD13407218448691" IssueInstant="2012-06-26T14:44:04.729Z"
    Issuer="TEST3" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
    xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml1:Conditions NotBefore="2012-06-26T14:44:04.885Z" NotOnOrAfter="2012-06-26T14:49:04.885Z"/>
    <saml1:AuthenticationStatement AuthenticationInstant="2012-06-26T14:44:04.885Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    xsi:type="saml1:AuthenticationStatementType">
    <saml1:Subject>
    <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="TEST.SAML">
    CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG
    </saml1:NameIdentifier>
    <saml1:SubjectConfirmation>
    <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
    </saml1:SubjectConfirmation>
    </saml1:Subject>
    </saml1:AuthenticationStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#12B5F387F5EA1B2DAD13407218448691">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>2zaWFj5SG+sfrMegFeRWmvPqGnM=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>YMob0+KseNLn.....DY6IkxcVV1jy+9Q=</ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>MIICYzCCAcygA.....+djdAxdoHEba+</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    </saml1:Assertion>
    <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
    wsu:Id="STRSAMLId-12B5F387F5EA1B2DAD13407218451505"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
    12B5F387F5EA1B2DAD13407218448691
    </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    <ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces PrefixList="n soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#id-184">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces PrefixList="n" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>7MYt+AgNrdj48Kl+AKGkmwj+XzA=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#STRSAMLId-12B5F387F5EA1B2DAD13407218451505">
    <ds:Transforms>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>kXrBKY+585tz3cSgudWUnOvQvP8=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LBdNW7QAZpcvCy.....BLlhZ3rIMcuY=</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-12B5F387F5EA1B2DAD13407218451502">
    <wsse:SecurityTokenReference wsu:Id="STRId-12B5F387F5EA1B2DAD13407218451503">
    <wsse:Reference URI="#CertId-12B5F387F5EA1B2DAD13407218451504"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-184" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <n:N_TEST_WS_REQ_MSG>
    <n:FieldTypes>
    <!--You may enter the following 2 items in any order-->
    <n:N_WS_TEST class="R">
    <n:EMPLID type="CHAR"/>
    <n:ACAD_PROG type="CHAR"/>
    </n:N_WS_TEST>
    <n:PSCAMA class="R">
    <!--Optional:-->
    <n:LANGUAGE_CD type="CHAR"/>
    <!--Optional:-->
    <n:AUDIT_ACTN type="CHAR"/>
    <!--Optional:-->
    <n:BASE_LANGUAGE_CD type="CHAR"/>
    <!--Optional:-->
    <n:MSG_SEQ_FLG type="CHAR"/>
    <!--Optional:-->
    <n:PROCESS_INSTANCE type="NUMBER"/>
    <!--Optional:-->
    <n:PUBLISH_RULE_ID type="CHAR"/>
    <!--Optional:-->
    <n:MSGNODENAME type="CHAR"/>
    </n:PSCAMA>
    </n:FieldTypes>
    <n:MsgData>
    <!--Zero or more repetitions:-->
    <n:Transaction>
    <!--You may enter the following 2 items in any order-->
    <!--Optional:-->
    <n:N_WS_TEST class="R">
    <n:EMPLID IsChanged="?">TEST</n:EMPLID>
    <n:ACAD_PROG IsChanged="?">TEST</n:ACAD_PROG>
    </n:N_WS_TEST>
    <n:PSCAMA class="R">
    <!--Optional:-->
    <n:LANGUAGE_CD IsChanged="?">?</n:LANGUAGE_CD>
    <!--Optional:-->
    <n:AUDIT_ACTN IsChanged="?">?</n:AUDIT_ACTN>
    <!--Optional:-->
    <n:BASE_LANGUAGE_CD IsChanged="?">?</n:BASE_LANGUAGE_CD>
    <!--Optional:-->
    <n:MSG_SEQ_FLG IsChanged="?">?</n:MSG_SEQ_FLG>
    <!--Optional:-->
    <n:PROCESS_INSTANCE IsChanged="?">?</n:PROCESS_INSTANCE>
    <!--Optional:-->
    <n:PUBLISH_RULE_ID IsChanged="?">?</n:PUBLISH_RULE_ID>
    <!--Optional:-->
    <n:MSGNODENAME IsChanged="?">?</n:MSGNODENAME>
    </n:PSCAMA>
    </n:Transaction>
    </n:MsgData>
    </n:N_TEST_WS_REQ_MSG>
    </soapenv:Body>
    </soapenv:Envelope>

    ************************
    ERRORS - APPSRV_xxxx.LOG
    ************************
    Only a single line of error found in application server log:
    PSAPPSRV.620 (13) [06/26/12 00:09:46 PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

    ************************
    ERRORS - PIA_servletsX.LOG
    ************************
    Web server log shows normal entries:
    6/26/12 12:09:46 AM SGT 52 -214522143464 INFO com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler invoke Receiving incoming SOAP Message.
    6/26/12 12:09:46 AM SGT 53 -214522143464 INFO com.peoplesoft.pt.security.wss.processor.PSSAMLTokenProcessor handleToken Completed SAML Token Process.
    6/26/12 12:09:46 AM SGT 54 -214522143464 INFO com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor verifyXMLSignature Verify XML Signature.
    6/26/12 12:09:46 AM SGT 55 -214522143464 INFO com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor handleToken Completed Signature Token Process.
    6/26/12 12:09:46 AM SGT 56 -214522143464 INFO com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler invoke Completed Process Received Message.

    ************************
    ERRORS - ErrorLog.html
    ************************
    ** STACK TRACE
    com.peoplesoft.pt.integrationgateway.common.GeneralFrameworkException
    at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftServiceListeningConnector.service(PeopleSoftServiceListeningConnector.java:429)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:85)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    **REQUEST RECEIVED ON SERVER
    Message-ID: 27569945.1340640586419.JavaMail.ccelaicc@w7x64
    Date: Tue, 26 Jun 2012 00:09:46 +0800 (SGT)
    Mime-Version: 1.0
    Content-Type: multipart/related;
    boundary="----=_Part_26_26890791.1340640586378"
    Content-ID: PeopleSoft-Integration-Broker-Internal-Mime-Message
    PeopleSoft-ToolsRelease: 8.48

    ------=_Part_26_26890791.1340640586378
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    Content-ID: IBInfo

    <?xml version="1.0"?><IBInfo><ExternalOperationName><![CDATA[N_GET_STD.v1]]></ExternalOperationName><HttpSession><SessionID><![CDATA[]]></SessionID></HttpSession><From><Protocol>https</Protocol><ExternalUserName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></ExternalUserName><WS-Security><WSTokenType><![CDATA[STSD]]></WSTokenType><WSTokenEncrypted>N</WSTokenEncrypted><WSTokenSigned>Y</WSTokenSigned><WSTokenEncryptLevel></WSTokenEncryptLevel><WSRequestAliasName><![CDATA[test_self3]]></WSRequestAliasName></WS-Security><SAML-CertAlias><![CDATA[test_self3]]></SAML-CertAlias><SAML-QualifierName><![CDATA[TEST.SAML]]></SAML-QualifierName><SAML-Issuer><![CDATA[TEST3]]></SAML-Issuer><SAML-SubjectName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></SAML-SubjectName><SAML-Signature><![CDATA[Vn7YdLdZHo3G/fQoic+gsaKu5OlFj+d+pZ9vMYMziwDSZq0HnuJmdvF6fV6WBwf5rL1sX/OCopiAZg7Y9f6QnKlH742xD9rGvEmhj4gCGwqj0BH6Ym0lj6wy5dhDlNxs9ni9WZGK5bz2e39pEkzQoXhor/vw+GGRWIexDjXg1vw=]]></SAML-Signature><SAML-TokenData>***deleted for security purposes****</SAML-TokenData></From><ContentSections><ContentSection><ID>ContentSection0</ID><NonRepudiation>N</NonRepudiation><Headers><Content-Type><![CDATA[text/xml;charset=UTF-8]]></Content-Type><Accept-Encoding><![CDATA[gzip,deflate]]></Accept-Encoding><SOAPAction><![CDATA["N_GET_STD.v1"]]></SOAPAction><Host><![CDATA[localhost]]></Host><Connection><![CDATA[Keep-Alive]]></Connection><User-Agent><![CDATA[Apache-HttpClient/4.1.1 (java 1.5)]]></User-Agent></Headers></ContentSection></ContentSections><AttachmentSection ResponseAsAttachment="N"></AttachmentSection></IBInfo>
    ------=_Part_26_26890791.1340640586378
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    Content-ID: ContentSection0

    <?xml version="1.0"?>
    <n:N_TEST_WS_REQ_MSG xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <n:FieldTypes>
    .....
    </n:MsgData>
    </n:N_TEST_WS_REQ_MSG>

    **RESPONSE FROM SERVER
    SOAP FAULT with message "SAML Authentication failed for Service Operation"
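    The gateway log above shows the signature processor running and the app server then reporting `VerifySignature failed` with nothing else to go on. As an added example (not part of the thread or of PeopleSoft's code), the following Python script runs the structural checks a receiver performs before it even gets to the RSA verification: every `ds:Reference URI` must resolve to an element carrying a matching `wsu:Id`, `AssertionID` or `Id`; the SAML `Conditions` window must contain the current time; the SOAP `Body` must be covered by a signature reference; and SHA-1 based signature methods are flagged. The sample request is a constructed, cut-down copy of the SOAPUI message quoted above with placeholder digests, signature values and certificate, so it only exercises the structural checks, not the cryptography.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]
SAML_CONDITIONS = "{%s}Conditions" % NS["saml1"]

# Constructed, cut-down copy of the quoted SOAPUI request; digests, signature values and
# the certificate are placeholders, so only structural checks are meaningful on it.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken wsu:Id="CertId-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
      <saml1:Assertion AssertionID="ASSERTION-1" Issuer="TEST3" MajorVersion="1" MinorVersion="1"
          IssueInstant="2012-06-26T14:44:04.729Z" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml1:Conditions NotBefore="2012-06-26T14:44:04.885Z" NotOnOrAfter="2012-06-26T14:49:04.885Z"/>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#ASSERTION-1"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>BBB=</ds:SignatureValue>
        </ds:Signature>
      </saml1:Assertion>
      <wsse:SecurityTokenReference wsu:Id="STRSAMLId-1">
        <wsse:KeyIdentifier>ASSERTION-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-184"><ds:DigestValue>CCC=</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#STRSAMLId-1"><ds:DigestValue>DDD=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>EEE=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-184"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <n:N_TEST_WS_REQ_MSG/>
  </soapenv:Body>
</soapenv:Envelope>
"""


def parse_ts(s):
    """Parse SAML UTC timestamps such as 2012-06-26T14:44:04.885Z (fraction optional)."""
    base = s.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def index_ids(root):
    """Map every wsu:Id, AssertionID and Id value to its element: the targets a Reference URI may hit."""
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "AssertionID", "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids


def check_ws_security(xml_text, now):
    """Structural checks a receiver performs before cryptographic verification; returns findings."""
    if isinstance(now, str):
        now = parse_ts(now)
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    findings = []
    for sig in root.iter(DS_SIGNATURE):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is not None and method.get("Algorithm", "").endswith("#rsa-sha1"):
            findings.append("signature uses rsa-sha1 (SHA-1 based, legacy)")
        for ref in sig.iter(DS_REFERENCE):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in ids:   # dangling reference => digest can never match
                findings.append("unresolvable Reference URI %r" % uri)
    for cond in root.iter(SAML_CONDITIONS):
        nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
        if not (nb <= now < noa):
            findings.append("assertion outside validity window %s .. %s"
                            % (cond.get("NotBefore"), cond.get("NotOnOrAfter")))
    body = root.find("soapenv:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    covered = {r.get("URI") for r in root.iter(DS_REFERENCE)}
    if body_id is None or "#" + body_id not in covered:   # unsigned Body => content is not protected
        findings.append("Body is not covered by any signature Reference")
    return findings


if __name__ == "__main__":
    for f in check_ws_security(SAMPLE_REQUEST, "2012-06-26T14:45:00Z") or ["no structural findings"]:
        print(f)
```

    Two things this makes visible for the thread's problem: the assertion in the quoted request is valid for only five minutes, so a replayed or slow test message fails on `NotOnOrAfter` before signature verification is reached, and any ID rewriting by an intermediary (a gateway re-serialising the Body, for instance) produces a dangling reference that shows up only as a bare "VerifySignature failed".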

  • RELEVANCY SCORE 2.33

    DB:2.33:Soapfaultcode:1 An Error Was Discovered Processin G The Wsse:Security Header s3


    Dear all,

    I need to consume an external web service secured with WS-Security User Name/Password Digest.
    The logical port was created by means of the WSDL.
    When I configure the consumer proxy with transaction SOAMANAGER, I have no clue what to enter in the security tab. Currently I have:

    Transport Security
    Security Mechanism: Transport Security
    Ignore SSL Server Certificate: Ignore SSL Certificate
    Signature Expected: No Signature Expected
    Trustworthy Certificate PSE: WSSKEYS
    Pattern for Certificates: Subject=*;Issuer=*;SerialNumber=*
    Signed Message Elements: Body signed
    Encryption Expected: No Encryption Expected
    Add signature: No Not Add Signature
    PSE Signature Key: WSSKEYS
    Signed Message Elements: Sign Body
    Encryption: Do not Encrypt Message
    PSE of Key: WSSCRT
    Unique X.500 ID (DN):
    Encrypted Message Elements: Encrypt Body
    Message Age Expected: No Message Age
    Maximum Message Age: 180
    Use WS Secure Conversation: No WS Secure Coonversation

    Authentication
    Authentication Method: User Name/Password Digest.
    Trustworthiness Method: Vouches Uses XML Signature
    Issuer:
    Name of Attester: saml_default_attester
    Validity of SAML Assertion: 180
    Caching of SAML Assertions: True
    Attester System Destination: WS_SAML_attester_default
    Name of Attester: saml_default_attester
    User: my_user
    Password: my_password
    Client PSE: DFAULT

    When testing the service consumer the following error appears:

    SoapFaultCode:1 An error was discovered processin g the wsse:Security header

    Any ideas?

    Thanks,

    Marc

  • RELEVANCY SCORE 2.32

    DB:2.32:Issuernameregistry / Dependency Injection Issue xm


    In my web.config I specified my own custom issuer name registry for custom token cert validation. As far as I can tell WIF has no dependency injection hooks for my external dependencies. Typically, I would use Castle Windsor and constructor injection for my data layer dependencies in the following manner:

    DB:2.32:Issuernameregistry / Dependency Injection Issue xm

    Scott_m,
    Thanks for the update.
    Give my best to the Bothans. :)
    If this answers your question, please use the Answer button to say so | Ben Cline

  • RELEVANCY SCORE 2.32

    DB:2.32:2008 R2 Sp1 Cant Start Active Directory Certificate Services - Object Was Not Found 0x80090011 (-2146893807) k8


    Can't start Active Directory Certificate Services - Object was not found 0x80090011 (-2146893807)
    This is the result of certutil -verifystore my:
    my
    ================ Certificate 0 ================
    Archived!
    Serial Number: 11eceb0a000000000038
    Issuer: CN=jeff-CA, DC=domain, DC=org
    NotBefore: 12/16/2010 11:36 AM
    NotAfter: 12/16/2011 11:36 AM
    Subject: EMPTY (Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DirectoryEmailReplication, Directory Email Replication
    Cert Hash(sha1): fa 48 69 cd 2b 5f eb 9a 33 e1 9d 76 28 1e e0 19 bb 62 d8 12
    Key Container = 582efefc6db52d25800954d23fe993ae_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DirectoryEmailReplication-c9dbc64c-f713-4737-bf36-c19ec6af7685
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    ChainContext.dwRevocationFreshnessTime: 712 Days, 5 Hours, 59 Minutes, 39 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    SimpleChain.dwRevocationFreshnessTime: 712 Days, 5 Hours, 59 Minutes, 39 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=5
    Issuer: CN=jeff-CA, DC=domain, DC=org
    NotBefore: 12/16/2010 11:36 AM
    NotAfter: 12/16/2011 11:36 AM
    Subject:
    Serial: 11eceb0a000000000038
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    fa 48 69 cd 2b 5f eb 9a 33 e1 9d 76 28 1e e0 19 bb 62 d8 12
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    CRL 0195:
    Issuer: CN=jeff-CA, DC=domain, DC=org
    72 42 f8 d6 6f 31 31 5d 14 1c 28 bd 8e 30 7d 15 c0 ce f5 b4
    Delta CRL 0196:
    Issuer: CN=jeff-CA, DC=domain, DC=org
    f1 24 f0 c7 bc 20 e1 e2 d0 88 6a 86 30 73 41 70 9b b0 17 01
    Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=jeff-CA, DC=domain, DC=org
    NotBefore: 1/25/2010 2:10 PM
    NotAfter: 1/25/2015 2:20 PM
    Subject: CN=jeff-CA, DC=domain, DC=org
    Serial: 45a0f8729e8e16a34d0bda8f40d92c75
    Template: CA
    9c b1 10 1a 3f cf 33 c0 88 b2 3d e8 46 82 1b 2f 7e 79 67 7c
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    9a a9 30 91 ee 8d cf c7 4d c8 83 aa 7d 97 c3 89 2c 54 0a f0
    Full chain:
    1d e3 3c 77 49 c1 7f 0a e3 28 74 b9 b3 2c fe fe 5a ac b1 5b
    Issuer: CN=jeff-CA, DC=domain, DC=org
    NotBefore: 12/16/2010 11:36 AM
    NotAfter: 12/16/2011 11:36 AM
    Subject:
    Serial: 11eceb0a000000000038
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    fa 48 69 cd 2b 5f eb 9a 33 e1 9d 76 28 1e e0 19 bb 62 d8 12
    The certificate is revoked. 0x80092010 (-2146885616)
    ------------------------------------
    Certificate is REVOKED

    ================ Certificate 1 ================
    Serial Number: 42396d083ccb02a74ca62e977471bdf8
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Certificate Template Name (Certificate Type): CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    No key provider information
    Encryption test FAILED
    Verified Issuance Policies: All
    Verified Application Policies: All
    Certificate is valid
    ================ Certificate 2 ================
    Archived!
    Serial Number: 61f386d3000000000023
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/20/2012 2:39 PM
    NotAfter: 1/19/2013 2:39 PM
    Subject: EMPTY (Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DirectoryEmailReplication, Directory Email Replication
    Cert Hash(sha1): f2 a8 48 b5 d3 d9 82 95 64 82 5a 48 ae b0 10 67 ce bf cb cb
    Key Container = 7c97e60393c1438f879c3990055aab81_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DirectoryEmailReplication-6e8ebc15-64cb-4760-9e1b-0d896a8f749e
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 47 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 47 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000041
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/20/2012 2:39 PM
    NotAfter: 1/19/2013 2:39 PM
    Subject:
    Serial: 61f386d3000000000023
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    f2 a8 48 b5 d3 d9 82 95 64 82 5a 48 ae b0 10 67 ce bf cb cb
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    4a 68 40 62 ef 88 f5 50 66 a6 e9 70 2b 62 8b 07 c9 b6 a5 53
    Full chain:
    f9 96 15 c7 45 87 76 83 8b d4 37 38 87 d2 28 f6 c4 3e 1e 22
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/20/2012 2:39 PM
    NotAfter: 1/19/2013 2:39 PM
    Subject:
    Serial: 61f386d3000000000023
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    f2 a8 48 b5 d3 d9 82 95 64 82 5a 48 ae b0 10 67 ce bf cb cb
    A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
    ------------------------------------
    Expired certificate

    ================ Certificate 3 ================
    Serial Number: 7fc04b63000000000053
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject: EMPTY (DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): ee 89 89 a7 ef 7a 2f 38 99 8e 09 f4 6e 71 73 db f6 3f 77 f0
    Key Container = d81f8da446941354b7343a6fc3c7b41c_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DomainControllerAuthentication-f3915c15-1c6a-4075-af79-bbbccb2cc764
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject:
    Serial: 7fc04b63000000000053
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    ee 89 89 a7 ef 7a 2f 38 99 8e 09 f4 6e 71 73 db f6 3f 77 f0
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    36 90 20 77 1d e6 a0 61 1f 05 8f e6 3c 75 89 32 a2 91 34 e7
    Full chain:
    41 93 f5 5f d9 79 98 1d ad 49 2b ec 52 9d 79 5c 14 91 b9 a6
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject:
    Serial: 7fc04b63000000000053
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    ee 89 89 a7 ef 7a 2f 38 99 8e 09 f4 6e 71 73 db f6 3f 77 f0
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    ================ Certificate 4 ================
    Archived!
    Serial Number: 3f84b029000000000018
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 5/13/2011 3:15 PM
    NotAfter: 5/12/2012 3:15 PM
    Subject: EMPTY (DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): d8 ea 81 38 03 91 c7 da 53 14 bb f7 80 f1 ba e7 74 8f 5c 8a
    Key Container = 91441ec2d06c576b230106aa52356347_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DomainControllerAuthentication-a41a41cf-f42b-41f7-8989-fca338c7d28d
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000041
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 5/13/2011 3:15 PM
    NotAfter: 5/12/2012 3:15 PM
    Subject:
    Serial: 3f84b029000000000018
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    d8 ea 81 38 03 91 c7 da 53 14 bb f7 80 f1 ba e7 74 8f 5c 8a
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    55 25 a6 b9 ae 4f 89 aa ae 65 da 86 0e 85 23 d0 dc 0e 46 99
    Full chain:
    77 08 50 d7 8f ea 0e 50 da 6b f9 ae 9b 9c cc e6 7d 66 a3 f1
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 5/13/2011 3:15 PM
    NotAfter: 5/12/2012 3:15 PM
    Subject:
    Serial: 3f84b029000000000018
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    d8 ea 81 38 03 91 c7 da 53 14 bb f7 80 f1 ba e7 74 8f 5c 8a
    A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
    ------------------------------------
    Expired certificate
    --- Other certificates ---
    ================ Certificate 7 ================
    Archived!
    Serial Number: 5150eb4b00000000002b
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/31/2012 10:43 PM
    NotAfter: 3/31/2013 10:43 PM
    Subject: EMPTY (DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): 58 4d 31 3a b3 94 c5 48 4c 47 bc 73 09 a9 ed 7b 0a 22 16 da
    Key Container = 0038cb424a44045bd707121c29de417c_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DomainControllerAuthentication-bff11c68-cbd5-4da8-bb6d-33bde51a9366
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/31/2012 10:43 PM
    NotAfter: 3/31/2013 10:43 PM
    Subject:
    Serial: 5150eb4b00000000002b
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    58 4d 31 3a b3 94 c5 48 4c 47 bc 73 09 a9 ed 7b 0a 22 16 da
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    68 b8 5c c0 6d 0b b6 e4 83 d5 09 d7 cd 8b 8e ef e3 cf 52 3c
    Full chain:
    21 5f 91 7e 1e d6 65 e6 36 ce 54 b4 b7 1e e3 45 5c ba 18 87
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/31/2012 10:43 PM
    NotAfter: 3/31/2013 10:43 PM
    Subject:
    Serial: 5150eb4b00000000002b
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    58 4d 31 3a b3 94 c5 48 4c 47 bc 73 09 a9 ed 7b 0a 22 16 da
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    ================ Certificate 8 ================
    Serial Number: 6750773400000000005a
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 12/8/2012 5:35 PM
    NotAfter: 12/8/2013 5:35 PM
    Subject: EMPTY (Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DirectoryEmailReplication, Directory Email Replication
    Cert Hash(sha1): 3f 62 1f 71 08 42 9c 37 77 74 4f 0e c8 dc 66 93 a7 a7 55 a0
    Key Container = b80d7dbae75b7ec94fea2a5aafe2a645_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DirectoryEmailReplication-d6220204-fa56-40e4-998d-7d463fac09af
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 12/8/2012 5:35 PM
    NotAfter: 12/8/2013 5:35 PM
    Subject:
    Serial: 6750773400000000005a
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    3f 62 1f 71 08 42 9c 37 77 74 4f 0e c8 dc 66 93 a7 a7 55 a0
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    d5 6a ca 9b 8d 27 dd a0 9f c8 bc f3 c9 e8 ec ac 82 04 0a 28
    Full chain:
    ec d1 2b 56 b5 1b ff fb 5f 94 ee 76 b6 32 5d 50 f8 4e 34 a0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 12/8/2012 5:35 PM
    NotAfter: 12/8/2013 5:35 PM
    Subject:
    Serial: 6750773400000000005a
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    3f 62 1f 71 08 42 9c 37 77 74 4f 0e c8 dc 66 93 a7 a7 55 a0
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    ================ Certificate 9 ================
    Serial Number: 7fc04d46000000000054
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2014 6:35 PM
    Subject: EMPTY (Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain)
    Non-root Certificate
    Template: LDAPS
    Cert Hash(sha1): 37 95 7c 81 c6 9a 54 b8 1a 11 7d 27 e6 51 89 84 c2 ce 24 56
    Key Container = 40b9e6004a396d69586963293e8b656d_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-LDAPS-74b0e4ca-79a7-4731-9ebf-e98f0ba61df1
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2014 6:35 PM
    Subject:
    Serial: 7fc04d46000000000054
    SubjectAltName: Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain
    Template: LDAPS
    37 95 7c 81 c6 9a 54 b8 1a 11 7d 27 e6 51 89 84 c2 ce 24 56
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.2.3.5 KDC Authentication
    Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    aa d4 e9 f3 26 54 40 34 19 9d d2 1a 41 a7 7f cb 45 e3 12 74
    Full chain:
    38 16 44 3f a9 32 f5 de a9 8e a4 ab 91 34 54 4f 05 bc cf 76
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2014 6:35 PM
    Subject:
    Serial: 7fc04d46000000000054
    SubjectAltName: Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain
    Template: LDAPS
    37 95 7c 81 c6 9a 54 b8 1a 11 7d 27 e6 51 89 84 c2 ce 24 56
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    ================ Certificate 10 ================
    Archived!
    Serial Number: 3e8d3ff500000000000e
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject: EMPTY (Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DirectoryEmailReplication, Directory Email Replication
    Cert Hash(sha1): 2c 80 24 87 cf f6 36 0f 78 93 b2 b6 03 14 f1 46 b8 a4 91 ef
    Key Container = da81309766bd5d3da8fd2bcc32cc651e_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DirectoryEmailReplication-08ecad77-ef8c-4ec6-b42b-dafa6fa5ad04
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000041
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject:
    Serial: 3e8d3ff500000000000e
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    2c 80 24 87 cf f6 36 0f 78 93 b2 b6 03 14 f1 46 b8 a4 91 ef
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    15 85 ea a8 d3 4a d6 57 da 20 2b 77 c2 57 23 69 b9 d3 e0 02
    Full chain:
    54 46 cf 50 9c b0 3b cd c6 ac 79 09 d4 de c7 45 90 e2 ff 20
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject:
    Serial: 3e8d3ff500000000000e
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: Directory Email Replication
    2c 80 24 87 cf f6 36 0f 78 93 b2 b6 03 14 f1 46 b8 a4 91 ef
    A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
    ------------------------------------
    Expired certificate

    ================ Certificate 11 ================
    Serial Number: 1adfba76000000000008
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 2/24/2011 10:44 AM
    NotAfter: 2/23/2013 10:44 AM
    Subject: CN=DC01.domain.org
    Certificate Template Name (Certificate Type): WebServer
    Non-root Certificate
    Template: WebServer, Web Server
    Cert Hash(sha1): 2a d9 ca 40 3f 21 35 be b0 57 6e 6c 4d 91 33 f5 70 99 d7 7b
    Key Container = 62bbdaf573b7ead83ad4f48848ce56bf_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: CertReq-WebServer-840b2631-1100-4962-a935-c96d8b329ef1
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=5
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 2/24/2011 10:44 AM
    NotAfter: 2/23/2013 10:44 AM
    Subject: CN=DC01.domain.org
    Serial: 1adfba76000000000008
    SubjectAltName: DNS Name=d2l1.domain.edu, DNS Name=dc01, DNS Name=dc01.domain.org
    Template: WebServer
    2a d9 ca 40 3f 21 35 be b0 57 6e 6c 4d 91 33 f5 70 99 d7 7b
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    40 cc 2f 31 5f 53 b1 cf c5 01 57 a1 85 73 14 a4 c0 dc 32 76
    Full chain:
    1e 4c 25 96 c0 a5 0f 94 b9 6e 69 75 1c 2b a2 32 f8 12 18 39
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 2/24/2011 10:44 AM
    NotAfter: 2/23/2013 10:44 AM
    Subject: CN=DC01.domain.org
    Serial: 1adfba76000000000008
    SubjectAltName: DNS Name=d2l1.domain.edu, DNS Name=dc01, DNS Name=dc01.domain.org
    Template: WebServer
    2a d9 ca 40 3f 21 35 be b0 57 6e 6c 4d 91 33 f5 70 99 d7 7b
    The certificate is revoked. 0x80092010 (-2146885616)
    ------------------------------------
    Certificate is REVOKED

    ================ Certificate 12 ================
    Serial Number: 66b9efef000000000033
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 6/18/2012 4:05 PM
    NotAfter: 6/18/2014 4:15 PM
    Subject: EMPTY (Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain)
    Non-root Certificate
    Template: LDAPS
    Cert Hash(sha1): 27 5c 7b a9 4d 97 bc 54 3c 63 a8 e9 6c a8 83 ca e9 ee d5 c0
    Key Container = c3ac6c908609fbda91d6e8f3de6034aa_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-LDAPS-bab068c1-840a-404d-8e90-b1a56ebeac2a
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 6/18/2012 4:05 PM
    NotAfter: 6/18/2014 4:15 PM
    Subject:
    Serial: 66b9efef000000000033
    SubjectAltName: Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain
    Template: LDAPS
    27 5c 7b a9 4d 97 bc 54 3c 63 a8 e9 6c a8 83 ca e9 ee d5 c0
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.2.3.5 KDC Authentication
    Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    ef d7 72 93 f0 64 3c ba 28 5e 75 5a c8 6b 05 b5 45 b5 80 9f
    Full chain:
    f0 58 f9 f2 71 8d e2 6c 63 78 45 e0 05 49 6f 89 d9 67 d2 37
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 6/18/2012 4:05 PM
    NotAfter: 6/18/2014 4:15 PM
    Subject:
    Serial: 66b9efef000000000033
    SubjectAltName: Other Name:Principal Name=DC01$@domain.org, DNS Name=DC01.domain.org, DNS Name=domain.org, DNS Name=domain
    Template: LDAPS
    27 5c 7b a9 4d 97 bc 54 3c 63 a8 e9 6c a8 83 ca e9 ee d5 c0
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    ================ Certificate 13 ================
    Archived!
    Serial Number: 3e8da95200000000000f
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject: EMPTY (DNS Name=DC01.domain.org)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): 25 5d de 56 65 5c bd ea 23 e0 50 4e 01 3f c8 97 68 d5 a6 49
    Key Container = b52311bc71bd3f4c6dbbcd9599beface_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DomainControllerAuthentication-18ce05ac-ed6e-4385-bf8d-0ca0ac95e03a
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000041
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject:
    Serial: 3e8da95200000000000f
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    25 5d de 56 65 5c bd ea 23 e0 50 4e 01 3f c8 97 68 d5 a6 49
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    d4 31 d3 df c9 26 3d 7a 03 f6 27 a2 09 d6 d8 4c 09 5c f1 0b
    Full chain:
    9c a4 50 46 b8 db c4 1b cb 82 6c 10 19 bb 45 6a a5 b3 37 cf
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 3/3/2011 9:01 AM
    NotAfter: 3/2/2012 9:01 AM
    Subject:
    Serial: 3e8da95200000000000f
    SubjectAltName: DNS Name=DC01.domain.org
    Template: Domain Controller Authentication
    25 5d de 56 65 5c bd ea 23 e0 50 4e 01 3f c8 97 68 d5 a6 49
    A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
    ------------------------------------
    Expired certificate

    ================ Certificate 14 ================
    Archived!
    Serial Number: 7fc0497f000000000052
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject: CN=DC01.domain.org
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Cert Hash(sha1): 09 c1 69 d2 50 2e d9 da bb ad 3e b4 07 be 99 2e b7 49 db 22
    Key Container = 97346be9499c8cbaddfd73241a87a2ac_81d37a94-e924-4d06-b798-9202ec64c882
    Simple container name: le-DomainController-8c7111ad-cce0-464c-a824-3782a2362a78
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 19 Days, 4 Hours, 29 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject: CN=DC01.domain.org
    Serial: 7fc0497f000000000052
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: DomainController
    09 c1 69 d2 50 2e d9 da bb ad 3e b4 07 be 99 2e b7 49 db 22
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    c4 2d 28 23 d1 ed 2b 14 cb 4a 0c 9e d3 19 7d de 96 6e b7 e2
    Delta CRL 02ef:
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    30 75 5c ca 45 0c 35 28 aa bc da 4f c2 ff e0 27 a2 50 8f 9b
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 1/25/2011 3:45 PM
    NotAfter: 1/25/2021 3:55 PM
    Subject: CN=cl-CA-DC01, DC=domain, DC=org
    Serial: 42396d083ccb02a74ca62e977471bdf8
    Template: CA
    f3 57 01 75 60 7e 67 e2 35 e9 08 86 81 1d f1 54 b0 cb c5 e0
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    2b d0 ba 40 49 3d 34 58 42 31 13 b6 af 39 cc f1 c1 8b 1b 48
    Full chain:
    e6 1c 52 00 8f 91 80 40 59 54 66 8d 76 2f aa f5 90 b3 64 6b
    Issuer: CN=cl-CA-DC01, DC=domain, DC=org
    NotBefore: 10/24/2012 6:25 PM
    NotAfter: 10/24/2013 6:25 PM
    Subject: CN=DC01.domain.org
    Serial: 7fc0497f000000000052
    SubjectAltName: Other Name:DS Object Guid=04 10 ac a1 51 b4 97 0e 41 4c bb b5 80 41 d7 e8 dc c4, DNS Name=DC01.domain.org
    Template: DomainController
    09 c1 69 d2 50 2e d9 da bb ad 3e b4 07 be 99 2e b7 49 db 22
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid
    CertUtil: -verifystore command completed successfully.
    Can't start Active Directory Certificate Services - O

    DB:2.32:2008 R2 Sp1 Cant Start Active Directory Certificate Services - Object Was Not Found 0x80090011 (-2146893807) k8

    you have 2 options:
    1) restore the backup on the original machine
    2) restore the backup on another (temporary) machine, run it and export CA certificate from the restored backup.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

  • RELEVANCY SCORE 2.32

    DB:2.32:Managing Self-Signed Certificates xf


    I'm getting 12014 event types, telling me that Exchange (2007 on SBS 2008) can't find a certificate that matches the domain name [server name] in the personal store...
    I've looked at my existing certificates and I'm really puzzled about why there are so many certificates, and why they seem be duplicating services, including some that are expired.
    Here are the entries from Get-ExchangeCertificate: (mydomain substituted)

    CertificateDomains : {GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 8/26/2013 2:10:11 PM
    NotBefore : 8/26/2012 2:10:11 PM
    Services : SMTP
    Status : Valid
    Subject : CN=GUSTAV.mydomain.local

    CertificateDomains : {remote.mydomain.org, mydomain.org, GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/12/2013 11:38:42 AM
    NotBefore : 10/13/2011 11:38:42 AM
    Services : IIS, SMTP
    Status : Valid
    Subject : CN=remote.mydomain.org

    CertificateDomains : {remote.mydomain.org, mydomain.org, GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/11/2013 10:29:33 AM
    NotBefore : 10/12/2011 10:29:33 AM
    Services : SMTP
    Status : Valid
    Subject : CN=remote.mydomain.org

    CertificateDomains : {remote.mydomain.org}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=remote.mydomain.org, DC=org, DC=mydomain
    NotAfter : 10/10/2016 4:50:24 PM
    NotBefore : 10/10/2011 4:50:24 PM
    Services : SMTP
    Status : Valid
    Subject : CN=remote.mydomain.org, DC=org, DC=mydomain

    CertificateDomains : {Sites, GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/8/2013 4:09:37 PM
    NotBefore : 10/9/2011 4:09:37 PM
    Services : IMAP, POP, SMTP
    Status : Valid
    Subject : CN=Sites

    CertificateDomains : {Sites, GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/7/2013 3:32:44 PM
    NotBefore : 10/8/2011 3:32:44 PM
    Services : IMAP, POP, SMTP
    Status : Valid
    Subject : CN=Sites

    CertificateDomains : {Sites, GUSTAV.mydomain.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/7/2013 2:08:05 PM
    NotBefore : 10/8/2011 2:08:05 PM
    Services : IMAP, POP, SMTP
    Status : Valid
    Subject : CN=Sites

    CertificateDomains : {mydomain-GUSTAV-CA}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=mydomain-GUSTAV-CA
    NotAfter : 10/8/2016 2:16:25 PM
    NotBefore : 10/8/2011 2:06:25 PM
    Services : None
    Status : Valid
    Subject : CN=mydomain-GUSTAV-CA
    Since we're a non-profit, I don't have the budget to purchase a 3rd party UCC certificate, so I figure I'm stuck with self-signed certs. Except for mobile phones accessing email via ActiveSync, we don't really have externally accessible type services (POP,
    RWW, Outlook Anywhere) though I would not be averse to getting our RWW back up. We had someone trying to hack our RWW, so I took it down.
    Additionally, our email is occasionally delayed, as much as a day. When I run the Exchange Troubleshooting Assistant, the Tool in the Exchange Console, errors popup in the Exchange Mail Acceptance Test Results: Error submitting mail. Mail submission failed.
    Error message. Server does not support secure connections. I think this is tied to the cert problem. Everything else is OK (except a warning about IPv6 not supported).

    How do I clean up the expired certs and consolidate the remaining ones into a manageable heap? Eight seems like overkill, and admin overhead.
    Thanks,
    Lane

    Thanks, Lane Richardson

    DB:2.32:Managing Self-Signed Certificates xf

    Those are 2 different connectors, see the link posted by Wendy. It explains it. Also you do need to enable TLS if it is not required.

    aSukh

  • RELEVANCY SCORE 2.32

    DB:2.32:Office Web Apps 2013 Installation Issue In Https a9


    Hi,
    I'm trying to install Office Web Apps Server in HTTPS mode but keep getting an error. When I run the command New-SPWOPIBinding -ServerName owaserver, it says WARNING: The server did not respond. Trying again (attempt 1 of 5). When I go into Event Viewer, I see this error for each attempt:
    An operation failed because the following certificate has validation errors:
    Subject Name: CN=url, OU=Domain Control Validated - RapidSSL(R), OU=See
    www.rapidssl.com/resources/cps (c)12, OU=OU, SERIALNUMBER=serial number
    Issuer Name: CN=RapidSSL CA, O=GeoTrust, Inc., C=US
    Thumbprint: thumbprint
    Errors:
    SSL policy errors have been encountered. Error code '0x2'..
    I've installed the Root CA from the provider, registered the .cer files in CA - Security - Manage Trusts, and via PowerShell. I've reset IIS multiple times and rebooted the OWA server and the WFE. I'm not sure if it's an issue with the cert or a
    SharePoint issue.
    Thanks

    DB:2.32:Office Web Apps 2013 Installation Issue In Https a9

    Open port 80 temporarily while registering with sharepoint

  • RELEVANCY SCORE 2.32

    DB:2.32:Small Rd Setup Via Server 2012 Not Working With Certs From Our Internal Ca c9


    Hi,

    I'm having trouble with a small installation of Remote Desktop which is supposed to be accessed from outside our network. I'm using a Server 2012 system for all RD roles (TS, gateway, web access, and broker, although we shouldn't actually need the latter
    two). This is the only 2012 system in the network; we have two DCs, 2008 and 2008 R2, and we have cert root and issuing authorities also on 2008 R2. Our Internet-based clients trust our root cert and the PKI is working ok for other (non-RD) servers.

    Things work fine if the RD Connection Broker - Enable Single Sign On certificate is a self-signed cert generated by Server Manager on the 2012 box. However, if I assign a cert from our issuing CA to that role, it doesn't work. Interestingly, it
    works fine if the *other* certs (RD Gateway, RD Web Access, and RD Connection Broker - Publishing) are from our CA. (Now, when I say works fine I mean after ignoring a security warning on the client due to the Broker SSO cert not being trusted.)

    The procedure I'm using for the certs is as follows:

    1. Make a cert template based on the Web Server 2008 built-in template with some straightforward changes, and make the issuing CA use the template. Initially I had upped the crypto strength and made several extensions critical, but for troubleshooting
    I made a template without those changes and it still doesn't work.

    2. Request a new cert via the Certificates snap-in on the 2012 machine, on the local computer account. Initially I was using a friendly name for the Subject CN and then using a DNS Alternative Name extension to give the 2012 box' external domain
    name. To be more sure for testing, I used the external domain for the Subject CN and then also provided DNS Alternative Names for both the external and internal domains (which are subdomains of the same domain). For crypto provider, we use RSA,Microsoft
    Software Key Storage Provider and disable the others.

    Internet connections come in via some tricky DNAT but I don't think this is the problem as it works perfectly from outside with a self-signed cert for Broker SSO. Only our internal DNS knows about the internal domain.

    3. Manually issue the cert on the CA. (Our site is small and for security we require manual issuance for all certs.)

    4. Export the cert from the CA via PKCS #7, with the option to include all certs in the cert path, and then import this in the Certificates snap-in on the 2012 machine.

    5. On the 2012 box, export the private key via PKCS #12 and include all certificates in the certification path if possible. For troubleshooting I also tried Export all extended properties and it didn't fix the issue. I'm exporting with
    password protection.

    6. In Server Manager-Remote Desktop Services-Overview, on the Deployment Overview, I pick Tasks-Edit Deployment Properties and use the Select existing certificate... button for the desired role on the Certificates page.

    If the RD Connection Broker - Enable Single Sign On certificate is from our CA via the above procedure, then attempting to log on from the Internet gives an error on the client reading:

    Your computer can't connect to the remote computer because the Remote Desktop Gateway and the remote computer are unable to exchange policies. This could happen due to the following reasons:
    1. The remote computer is not capable of exchanging policies with the Remote Desktop Gateway.
    2. The remote computer's configuration does not permit a new connection.
    3. The connection between the Remote Desktop Gateway and the remote computer ended.
    Contact your network administrator for assistance.

    My test client is Windows 7 SP1, if memory serves with an update manually installed to upgrade to RDP8.

    The logs on the client show nothing unusual. In the System log on the Server 2012 box I get two errors:

    ID 36874
    An [sic] TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    followed by:

    ID 36888
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

    I found some advice that this error may be the result of the cert not being a CNG cert. The CA is 2008 R2, the domain has always been at least 2008 functional level (was originally 2008 and recently schema updated for 2008 R2), and only 2008 R2 CAs have
    ever been used on it. I have furthermore verified by dumping the cert store that under CERT_KEY_PROV_INFO_PROP_ID, ProviderType and KeySpec are both zero, which in my understanding means this is a CNG cert.

    To reiterate, the problem does *not* happen if I replace the RD Connection Broker - Enable Single Sign On certificate with a self-signed cert created by Server Manager.

    The test cert I'm trying to use for RD Connection Broker SSO has the following info:

    Version=V3
    Signature algorithm=sha512RSA
    Signature hash algorithm=sha512
    Issuer=our issuing authority
    Valid to=two weeks today (it's just for testing)
    Subject=external.domain.com
    Public key=RSA (2048 Bits)
    Template=Test - Delete Please(1.3.6.1.4.1.311.21.8.5198179.16696210.7229373.7348787.5553704.31.11896299.7938212)
    Major Version Number=100
    Minor Version Number=2
    Enhanced Key Usage=Server Authentication (1.3.6.1.5.5.7.3.1)
    Key Usage=Digital Signature, Non-Repudiation [turned this on as a test], Key Encipherment, Data Encipherment (f0)
    Application Policies=
    [1]Application Certificate Policy:
    Policy Identifier=Server Authentication
    Subject Alternative Name=
    DNS Name=external.domain.com
    DNS Name=thebox.internal.domain.com

    Forgive me if I'm missing something obvious - I'm not a full-time netadmin and I'm new to RD and PKI. I hope someone can shed some light on this troublesome mystery.

    Thank you,
    Kevin

    DB:2.32:Small Rd Setup Via Server 2012 Not Working With Certs From Our Internal Ca c9

    I finally got this working. From what I can tell it was the fact that the SSO cert's crypto was too strong, at least for Windows 7 clients. It was 4096 bits with SHA512. When I set up a very similar PKI with 2048 bits and SHA256, it worked.
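    A check that a practitioner could run before assigning a certificate to the Broker SSO role, comparing each candidate against the 2048-bit / SHA256 combination the answer above reports as working with Windows 7 clients. This is an added example, not code from the thread; the store path, subject filter and the thresholds are assumptions taken from the answer, not a documented requirement.

```powershell
# Added example (not from the original thread). Lists candidate certificates in the
# local machine store and flags any whose RSA key length or signature hash goes beyond
# the 2048-bit / SHA256 combination that the answer reports as working.
# Assumptions: candidates live in Cert:\LocalMachine\My, the subject CN is the
# external name used in the thread, and the Server Authentication EKU is required.
function Test-RdsSsoCertCompat {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$Subject = 'external.domain.com',   # assumed, as in the thread
        [int]$MaxKeySize = 2048,                    # value that worked per the answer
        [string[]]$KnownGoodHashes = @('sha256')    # value that worked per the answer
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            # Public key length is readable for RSA certs whether the private key is CAPI or CNG
            $keySize = $cert.PublicKey.Key.KeySize
            # FriendlyName looks like "sha512RSA"; strip the RSA suffix to get the hash name
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName
            $hash   = ($sigAlg -replace 'RSA$', '').ToLower()
            $hasServerAuth = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.1'

            $reasons = @()
            if ($keySize -gt $MaxKeySize)            { $reasons += "key size $keySize exceeds $MaxKeySize" }
            if ($KnownGoodHashes -notcontains $hash) { $reasons += "signature hash $hash not in known-good list" }
            if (-not $hasServerAuth)                 { $reasons += 'missing Server Authentication EKU' }

            [pscustomobject]@{
                Thumbprint   = $cert.Thumbprint
                Subject      = $cert.Subject
                KeySize      = $keySize
                SignatureAlg = $sigAlg
                NotAfter     = $cert.NotAfter
                LikelyOk     = ($reasons.Count -eq 0)
                Reasons      = ($reasons -join '; ')
            }
        }
}

Test-RdsSsoCertCompat | Format-Table -AutoSize
```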

  • RELEVANCY SCORE 2.32

    DB:2.32:Question About Powershell Functions And Webssl pf


    I'm trying to find all the websites in my environment that have an SSL cert and determine when the cert expires. I'd like to have the output in a CSV. I have a text file that lists all the hosts in my desired DNS zone and the code below, which I didn't write
    and don't fully understand.
    My first question is, how do I return the certificate information to a variable? I assume that once I do that, I can just use export-csv to create the file.
    How do I ensure that the data is put into columns? Here is what the output looks like now, when it is written to the shell:
    Host : hostname
    Certificate : [Subject] CN=*.domain.com, O=Org, L=Location, S=State, C=US

    [Issuer]blah

    [Serial Number]blah

    [Not Before]blah

    [Not After]blah

    [Thumbprint]blah

    SubjectAlternativeNames : {DNS Name=*. domain.com, DNS Name= domain.com}
    CertificateIsValid : True

    Here is the script:
    function Test-WebServerSSL {
    [CmdletBinding()]
    param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
    [string]$URL,
    [Parameter(Position = 1)]
    [ValidateRange(1,65535)]
    [int]$Port = 443,
    [Parameter(Position = 2)]
    [Net.WebProxy]$Proxy,
    [Parameter(Position = 3)]
    [int]$Timeout = 15000,
    [switch]$UseUserContext
    )
    Add-Type @
    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    namespace PKI {
    namespace Web {
    public class WebSSL {
    //public Uri OriginalURi;
    //public Uri ReturnedURi;
    public X509Certificate2 Certificate;
    //public X500DistinguishedName Issuer;
    //public X500DistinguishedName Subject;
    //public string Issuer;
    //public string Subject;
    public string[] SubjectAlternativeNames;
    public bool CertificateIsValid;
    //public X509ChainStatus[] ErrorInformation;
    public string[] ErrorInformation;
    public HttpWebResponse Response;
    }
    }
    }
    @
    $ConnectString = https://$url`:$port
    $WebRequest = [Net.WebRequest]::Create($ConnectString)
    $WebRequest.Proxy = $Proxy
    $WebRequest.Credentials = $null
    $WebRequest.Timeout = $Timeout
    $WebRequest.AllowAutoRedirect = $true
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    try {$Response = $WebRequest.GetResponse()}
    catch {}
    if ($WebRequest.ServicePoint.Certificate -ne $null) {
    $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
    # 2.5.29.17 is the Subject Alternative Name extension OID; Format(0) renders it as a single comma-separated line
    try {$SAN = ($Cert.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.17"}).Format(0) -split ", "}
    catch {$SAN = $null}
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain -ArgumentList (!$UseUserContext)
    # Require the Server Authentication EKU (1.3.6.1.5.5.7.3.1) when building the chain
    [void]$chain.ChainPolicy.ApplicationPolicy.Add("1.3.6.1.5.5.7.3.1")
    $Status = $chain.Build($Cert)
    New-Object PKI.Web.WebSSL -Property @{
    #OriginalUri = $ConnectString;
    #ReturnedUri = $Response.ResponseUri;
    Certificate = $WebRequest.ServicePoint.Certificate;
    #Issuer = $WebRequest.ServicePoint.Certificate.Issuer;
    #Subject = $WebRequest.ServicePoint.Certificate.Subject;
    SubjectAlternativeNames = $SAN;
    CertificateIsValid = $Status;
    Response = $Response;
    #ErrorInformation = $chain.ChainStatus | ForEach-Object {$_.Status}
    }
    $chain.Reset()
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    } else {
    Write-Error $Error[0]
    }
    }

    $hostNames = Get-Content C:\shared\zone.txt
    ForEach ($hostName in $hostNames){
    Write-Host "Host : $hostName"
    Test-WebServerSSL -URL "$hostName.domain.com"
    Write-Host "$a oh yeah!"   # $a is never assigned in this script
    }

    Thanks.
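One way to get the certificate data into a variable and then into a CSV with one column per field, as an added example that is not part of the original post: it calls the Test-WebServerSSL function defined above (assumed to be already loaded) and reuses the post's input file C:\shared\zone.txt and the "domain.com" suffix; the output path C:\shared\certs.csv is an assumption.

```powershell
# Added example (not from the original post). Test-WebServerSSL from the post is assumed
# to be defined in the session; the input file and domain suffix are taken from the post,
# the output path is an assumption.
$hostNames = Get-Content C:\shared\zone.txt

# Collecting the loop output in a variable keeps every returned object; Write-Host output
# cannot be captured, so the host name is stored as a property instead of being printed.
$results = foreach ($hostName in $hostNames) {
    $fqdn = "$hostName.domain.com"
    $r = Test-WebServerSSL -URL $fqdn -ErrorAction SilentlyContinue
    if ($null -eq $r) {
        # Connection or handshake failed: emit a row anyway so the host is not silently dropped
        [pscustomobject]@{
            Host = $fqdn; Subject = ''; Issuer = ''; NotBefore = ''; NotAfter = ''; DaysLeft = ''
            Thumbprint = ''; SubjectAlternativeNames = ''; CertificateIsValid = $false
            Error = 'no certificate returned'
        }
        continue
    }
    # The nested certificate object is what breaks the columns; pull its scalar fields out.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$r.Certificate
    [pscustomobject]@{
        Host                    = $fqdn
        Subject                 = $cert.Subject
        Issuer                  = $cert.Issuer
        NotBefore               = $cert.NotBefore
        NotAfter                = $cert.NotAfter
        DaysLeft                = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint              = $cert.Thumbprint
        # Arrays would serialise as "System.String[]"; join them into one cell instead
        SubjectAlternativeNames = ($r.SubjectAlternativeNames -join '; ')
        CertificateIsValid      = $r.CertificateIsValid
        Error                   = ''
    }
}

# Flat objects export as one row per host with one column per property
$results | Export-Csv -Path C:\shared\certs.csv -NoTypeInformation

# Quick review of hosts whose chain did not validate or whose certificate expires within 30 days
$results |
    Where-Object { -not $_.CertificateIsValid -or ($_.DaysLeft -ne '' -and $_.DaysLeft -lt 30) } |
    Format-Table Host, NotAfter, DaysLeft, CertificateIsValid, Error -AutoSize
```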

  • RELEVANCY SCORE 2.32

    DB:2.32:Certificate - User Subject Name x9


    Auto-enrollment is working fine on Windows 2008, PKI standalone root and Sub-Ent CA. But how can I enable auto-enrolling a user certificate to a workstation where the subject of the cert should be the machine hostname? That's right, I'm using a user cert but want a machine hostname for the subject name; is that possible? So far I have had no luck. I have been playing around with these options: E-mail name (user object), DNS name (FQDN, computer cert), User Principal name (user object), Service principal name (computer cert object?).

    DB:2.32:Certificate - User Subject Name x9

    Hi,
    As far as I know, we cannot request a user certificate to workstation. What’s the purpose of this requirement? There are computer certificates that you can request for authentication. For your reference:
    Configuring the subject name
    http://technet.microsoft.com/en-us/library/cc783912(WS.10).aspx
    Thanks.
    This posting is provided AS IS with no warranties, and confers no rights.

  • RELEVANCY SCORE 2.32

    DB:2.32:This Version Of Windows Cardspace Does Not Support The Specified Claim For A Self Issued Token. 8m


    I'm developing a sample WCF scenario with CardSpace integration. Running on Windows Server 2008. I created a personal Info Card, and generated a dev certificate for the service using makecert from the Windows 2003 SDK.

    Following is part of the config for the service host application:

    <wsFederationHttpBinding>
      <binding name="helloserviceBinding">
        <security mode="Message">
          <message>
            <claimTypeRequirements>
              <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
              <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/privatepersonalidentifier" isOptional="false"/>-->
            </claimTypeRequirements>
            <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>

    And then the client app.config:

    <wsFederationHttpBinding>
      <binding name="WSFederationHttpBinding_ISayHello" ... useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
        <security mode="Message">
          <message algorithmSuite="Default" issuedKeyType="SymmetricKey" negotiateServiceCredential="true">
            <claimTypeRequirements>
              <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
              <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/privatepersonalidentifier" isOptional="false"/>-->
            </claimTypeRequirements>
            <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>

    When I run the application things work fine. However, if I comment out the line in each config that relates to the PPID, then the app throws an exception related to the subject of this post and the following error is in Event Viewer:

    The description for Event ID 278 from source CardSpace 3.0.0.0 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: This version of Windows CardSpace does not support the specified claim for a self issued token.

    Any info on this is greatly appreciated.

    DB:2.32:This Version Of Windows Cardspace Does Not Support The Specified Claim For A Self Issued Token. 8m

    Ughh...that's what I get for handtyping that URI in there. The missing claims/ was it. Thanks for the extra pair of eyes on that.

  • RELEVANCY SCORE 2.32

    DB:2.32:Java System App Server 9 + Crls? p8


    Hi all -

    I'm trying to set up my web apps under Java System App Server 9 on a Windows 2003 (Server) box. Everything is working just dandy, except that I cannot seem to get JSAS9 to recognize a Certificate Revocation List for my Certificate Authority certs. I have a URL specified in the CA cert's extensions for the CRL. I also have the CRL in all of my keys generated by the CA cert. Using Windows' cert manager, I can see that my keys and CA cert both list the URL correctly. I made two test keys, A and B, and added key B to the CRL. If I visit the URL specified for the CRL, I see that the key is indeed on the list. But when I visit my JSAS9 server, it still allows me to authenticate with it using the revoked key.

    I also exported the CA cert key from my JSAS9 keystore and it only has the issuer name/owner name/valid dates/signatures, no CRL URL (the key I imported into JSAS9 most definitely does have the URL in the x509 extensions).

    I haven't seen any config options for either specifying a static list of CRLs or for honoring the CRLs provided with CA certs or user certs. Anybody have any idea where to look for these options?

    Thanks a ton,
    Reid

  • RELEVANCY SCORE 2.32

    DB:2.32:Aleweb_Get_Context Integrated Its a8



    Hi,

    I have a similar issue, with integrated ITS on SRM 5.0 in a migration project. When I try to register the certificate into USREXTID, before was implemented by the next steps:

    1.- field-get '~http_auth_cert' 1 usercert_base64_c_tab certlen.

    2.- CALL 'SNC_ABAP_INFO' ID 'OPCODE'  FIELD get_cert_info
                             ID 'CERT'    FIELD usercert_base64
                             ID 'CERTLEN' FIELD certlen
                             ID 'SUBJECT' FIELD subject
                             ID 'ISSUER'  FIELD issuer
                             ID 'SNUMBER' FIELD serialno.

    But now the call to the macro field-get does not work with the param '~http_auth_cert', and I have to pass the DN value of the certificate (CN=name- NIF xxxxxxxy, OU=xxxxxxx, OU=xxxxxx Clase x CA, O=xxx, C=xx), which works fine when executing the ALEWEB_GET_CONTEXT function next. Then the call to the system function 'SNC_ABAP_INFO' returns subrc 300.

    In this version, the standard service certmap does it similarly.

    Sorry, can anybody help me?

    Tx and regards.

    DB:2.32:Aleweb_Get_Context Integrated Its a8


    Hi Satur,

    with SRM 5.0 you are using integrated ITS. With integrated ITS ~http_auth_cert is no longer available.

    Best regards,

    Klaus

  • RELEVANCY SCORE 2.32

    DB:2.32:Company Hub File Download Service Is Not Called By Mdm Client After Enrollment fm


    Hi,
    In our MDE/MDM Server solution we are using 2 options to issue Server and Device certificates for the device MDM SSL communication.
    1. Internal code generated self-signed (using System.Security.Cryptography classes)
    2. Issued by Active Directory CA (via Certificate Enrollment API) - ADCS server

    When we are using the second option with enrollment response and AET provided, then the Company Hub application is getting installed on the device without problem.
    If certificates are code generated then the MDM Agent will never try to connect to our Company Hub service https download link. However, it is possible to use that URL in the web browser and download the .xap file.
    There is one exception: once the Company Hub .xap file was successfully installed as a result of device enrollment with certificates issued by ADCS, then any following attempt to re-enroll the device using code-generated certificates will succeed in terms of Company Hub installation.
    The MDM Management https service (OMA DM) seems to be agnostic and happy with both certificate generation options and works well all of the time.
    Both pairs of certificates are not very different and all based on 2048 key length and SHA1RSA:

    CERTIFICATE OPTION 1 (code-generated): ROOT
    CERT VERSION: 3
    SUBJECT: dnQualifier=9C5B7156-F52D-42AC-85A3-8EFAB8136EBD, CN=MobiControl Root CA
    Signature Algorithm: Value = 1.2.840.113549.1.1.5, FriendlyName = sha1RSA
    Serial Number: B0BDF62162C49060
    Not Before: 12/31/1999
    Not After: 7/17/2038
    Issuer Name: dnQualifier=9C5B7156-F52D-42AC-85A3-8EFAB8136EBD, CN=MobiControl Root CA
    Has Private Key: true
    Value = 2.5.29.14, FriendlyName = Subject Key Identifier
    Subject Key ID: ED50284B11F0848EBFE4043E0CDC5C901C64B872
    Value = 2.5.29.15, FriendlyName = Key Usage
    Key Usages: CrlSign, KeyCertSign, NonRepudiation, DigitalSignature
    Value = 2.5.29.19, FriendlyName = Basic Constraints
    Value = 2.5.29.1, FriendlyName = Authority Key Identifier
    CERTIFICATE OPTION 1 (code-generated): CLIENT
    CERT VERSION: 3
    SUBJECT: CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1
    Signature Algorithm: Value = 1.2.840.113549.1.1.5, FriendlyName = sha1RSA
    Serial Number: 639D316104A48D4999872CFBF81A05FE
    Not Before: 7/24/2013
    Not After: 7/24/2015
    Issuer Name: dnQualifier=9C5B7156-F52D-42AC-85A3-8EFAB8136EBD, CN=MobiControl Root CA
    Has Private Key: false
    Value = 2.5.29.14, FriendlyName = Subject Key Identifier
    Subject Key ID: 2D6652E356CD9FFF963E85B7DDD3625BB6A46714
    Value = 2.5.29.15, FriendlyName = Key Usage
    Key Usages: KeyEncipherment, DigitalSignature
    Value = 2.5.29.35, FriendlyName = Authority Key Identifier
    Value = 2.5.29.37, FriendlyName = Enhanced Key Usage
    Enhanced Key Usage: Value = 1.3.6.1.5.5.7.3.2, FriendlyName = Client Authentication
    Enhanced Key Usage: Value = 1.3.6.1.4.1.311.65.2.1, FriendlyName = null
    //////////////////////////////////////
    CERTIFICATE OPTION 2 (ADCS): ROOT
    CERT VERSION: 3
    SUBJECT: CN=contoso-CA, DC=contoso, DC=com
    Signature Algorithm: Value = 1.2.840.113549.1.1.5, FriendlyName = sha1RSA
    Serial Number: 68BFADEABBDE3B81466DEC45F8036480
    Not Before: 7/13/2012
    Not After: 7/13/2017
    Issuer Name: CN=contoso-CA, DC=contoso, DC=com
    Has Private Key: false
    Value = 2.5.29.15, FriendlyName = Key Usage
    Key Usages: CrlSign, KeyCertSign, DigitalSignature
    Value = 2.5.29.19, FriendlyName = Basic Constraints
    Value = 2.5.29.14, FriendlyName = Subject Key Identifier
    Subject Key ID: 7819E61B816432E17EA3BFB23653DCE741AFB943
    Value = 1.3.6.1.4.1.311.21.1, FriendlyName = CA Version
    CERTIFICATE OPTION 2 (ADCS): CLIENT
    CERT VERSION: 3
    SUBJECT: CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1
    Signature Algorithm: Value = 1.2.840.113549.1.1.5, FriendlyName = sha1RSA
    Serial Number: 3F109B78000000000067
    Not Before: 7/24/2013
    Not After: 7/14/2015
    Issuer Name: CN=contoso-CA, DC=contoso, DC=com
    Has Private Key: false
    Value = 2.5.29.14, FriendlyName = Subject Key Identifier
    Subject Key ID: DBD1C79328B92CDA483D5B60A1D95A26FEAEF67A
    Value = 2.5.29.35, FriendlyName = Authority Key Identifier
    Value = 2.5.29.31, FriendlyName = CRL Distribution Points
    Value = 1.3.6.1.5.5.7.1.1, FriendlyName = Authority Information Access
    Value = 2.5.29.15, FriendlyName = Key Usage
    Key Usages: KeyEncipherment, DigitalSignature
    Value = 1.3.6.1.4.1.311.21.7, FriendlyName = Certificate Template Information
    Value = 2.5.29.37, FriendlyName = Enhanced Key Usage
    Enhanced Key Usage: Value = 1.3.6.1.5.5.7.3.2, FriendlyName = Client Authentication
    Enhanced Key Usage: Value = 1.3.6.1.4.1.311.65.2.1, FriendlyName = null
    Value = 1.3.6.1.4.1.311.21.10, FriendlyName = Application Policies
    ///////////////////////////////////////////////////////////////////////////////////////////
    From a Wireshark capture we can clearly see the HTTPS handshake and application data exchange between client and server for the Company Hub download (when ADCS certificates are issued).
    When certificates are code-generated, there is no related traffic caught, not even an initial Client Hello from the MDM Client to the Company Hub HTTPS service is sent. But OMA DM activity is present.
    What are we doing wrong? Is there any special Company Hub certificate requirement that differs from the MDM Device Management HTTPS service certificate requirements?

    DB:2.32:Company Hub File Download Service Is Not Called By Mdm Client After Enrollment fm

    Also, I figured out what is happening when on the SyncML server HttpClientCredentialType is set to Certificate. Right after enrollment the Client is trying as usual to initiate the first SyncML session:
    Client: Client Hello
    Server: Server Hello, Certificate, Server Hello Done
    Client: Client Key Exchange, Change Cipher Spec, Finished
    Server: Change Cipher Spec, Finished
    Client: SSL Segment
    Client: POST with SyncML payload
    Server: Hello Request
    Client: Client Hello
    Server: TCP ACK
    Server: TCP Segment
    Client: TCP ACK
    Server: Server Hello, Certificate, Certificate Request, Server Hello Done
    Client: TCP ACK
    Client: TCP FIN, ACK

    Looks like client did not like something and initiated session end. Wondering, why?

  • RELEVANCY SCORE 2.32

    DB:2.32:Certificate Renewal Question - Consolidating Certs ma


    Hey folks,
    This is a breakup from a previous thread that seems to have gotten off on the wrong track. So I am starting fresh here with only one of the two questions.
    Exchange 2007, SP3, RU6 (or maybe up to 7, I don't remember). When I do a Get-ExchangeCertificate, there are four items listed. I'll summarize below:

    Services Subject
    -------- -------
    ...W. CN=autodiscover.MyDomain.com, OU=My Domain Inc, ...
    ..... CN=webmail.MyDomain.com, OU=My Domain Inc....
    ..... CN=WMSvc-TBEX03
    IP.WS CN=mail.MyDomain.com, OU=My Domain Inc., O...

    A Get-ExchangeCertificate |FL produces more detail, I'll trim it down and put only the highlights below:
    CertificateDomains : {autodiscover.MyDomain.com, www.autodiscover.MyDomain.com}
    Issuer : Go Daddy
    NotAfter : 11/12/2012 1:58:52 PM
    Services : IIS
    Subject : CN=autodiscover.MyDomain.com, OU=My Domain, Inc., O=My Domain Inc., L=MyCity, S=TX, C=US

    CertificateDomains : {webmail.MyDomain.com, www.webmail.MyDomain.com}
    Issuer : Go Daddy
    NotAfter : 9/18/2012 4:22:04 PM
    Services : None
    Subject : CN=webmail.MyDomain.com, OU=My Domain Inc., O=My Domain Inc., L=MyCity, S=TX, C=US

    CertificateDomains : {WMSvc-TBEX03}
    Issuer : CN=WMSvc-TBEX03
    NotAfter : 8/23/2019 4:13:02 PM
    Services : None
    Subject : CN=WMSvc-TBEX03

    CertificateDomains : {mail.MyDomain.com, www.mail.MyDomain.com}
    Issuer : Go Daddy
    NotAfter : 7/24/2012 11:12:19 AM
    Services : IMAP, POP, IIS, SMTP
    Subject : CN=mail.MyDomain.com, OU=My Domain Inc., O=My Domain Inc.,L=MyCity, S=TX, C=US

    So, two questions from this. 1) Can I consolidate one or more of these, 2) What would the Certificate generation look like? Here is an example of what I THINK it should look like
    New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
        -SubjectName "c=US, l=MyCity, s=Texas, o=My Domain Inc, cn=MyDomain.com" `
        -DomainName mail.MyDomain.com, TBEX03, TBEX03.MyDomain.com, Autodiscover.MyDomain.com `
        -PrivateKeyExportable $true -Path c:\certrequest.txt
    I have seen where the CSR above would have the domain name set to domain only (not including mail.MyDomain.com) so I am not sure of the proper way. Also, I added the Autodiscover.MyDomain.com as suggested by another poster here.
    Any help would be greatly appreciated. My main cert expires next week.
    Thanks,
    James

    DB:2.32:Certificate Renewal Question - Consolidating Certs ma

    Hello,

    Thanks for the question.

    Generally, the old certificate will not cause a conflict. You can either leave it alone or remove it in EMS.

    Thanks,
    Simon

  • RELEVANCY SCORE 2.32

    DB:2.32:Buiding A Certpath From A Keystore[Trusted.Cacerts] ff


    Hi folks, I am eager to know w-t-* am I doing wrong in the following code:

    import java.io.BufferedInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.*;

    // Factory used to parse the X.509 test certificate (was missing from the snippet)
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    FileInputStream fis =
    new FileInputStream(
    new File("D:"+File.separator+"TestCertificates"+File.separator+"TESTEX509.cert"));
    BufferedInputStream bis = new BufferedInputStream(fis);
    // The X509 Test Certificate
    X509Certificate c = (X509Certificate) cf.generateCertificate(bis);
    //My KeyStore of imported trusted certificates( Imported using the Java Control Panel)
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    String senhaPadrao = "";
    FileInputStream fis2 =
    new FileInputStream(
    System.getenv("APPDATA")+File.separator+"Sun"+
    File.separator+"Java"+
    File.separator+"Deployment"+
    File.separator+"security"+
    File.separator+"trusted.cacerts");
    BufferedInputStream bis2 = new BufferedInputStream(fis2);
    ks.load(bis2,senhaPadrao.toCharArray());
    //Defining that the certificate to look for is the issuer of the test certificate
    X509CertSelector xcs = new X509CertSelector();
    xcs.setSubject(c.getIssuerX500Principal());
    //Defining the Builder parameters(No Revocation checking) and validity - The test certificates are expired
    //Every entry in the keystore becomes a trust anchor for the builder
    PKIXBuilderParameters pkbp = new PKIXBuilderParameters(ks,xcs);
    pkbp.setRevocationEnabled(false);
    //Getting the instance of the CertPathBuilder and building the certPath
    CertPathBuilder cpb1 = CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr1 = cpb1.build(pkbp);

    //Getting the whole CertPath based on the issuer of the test certificate
    CertPath cp1 = cpbr1.getCertPath();
    This code basically does the following:

    Intro: I have a test certificate (Cert A) that was issued by an intermediary entity (Cert B), and its certificate was issued by a test CA (Cert C). So, I have both Cert B and Cert C imported using the Java Control Panel; they are in the key store described in the code.

    What I want is to build the certPath so that it contains both Cert B and Cert C, but with this code the certPath always returns length zero. And inside the TrustAnchor in the CertPathBuilderResult there is Cert B, but no Cert C... Am I missing something??

    Is there a problem with X509CertSelector? PKIXBuilderParameter? What is wrong ?! =/

    PS: Where can I find the source code of the sun.security.provider.* packages?? I want to debug but it is not inside %JAVA_HOME%\src.zip. I found one with OpenJDK but the line numbers are all scrambled... I need a consistent source code to debug. Please, help...

    Thanks, Daniel.

    Edited by: Lao on Oct 24, 2007 11:44 AM


  • RELEVANCY SCORE 2.31

    DB:2.31:Ssl Encryption Between Applet And Jboss 8x


    Hi!

    I have implemented an applet client (running in a browser) to access a JBoss application server. I have some problems setting up the SSL encryption on the communication between the two.

    The applet shall be downloadable from a web server, and shall therefore not have access to any other keystore than the default "cacerts" (that comes with the Java plugin).

    I have therefore gotten a cert verifying my company, issued by CA Thawte. This cert is of type codesigning cert. I have verified that the Thawte CA cert used to sign my company's cert is indeed in the "cacerts" keystore.

    By enabling "javax.net.debug" = "ssl" I get a lot of debug info. The error message looks like this (full exception below):
    - "Netscape cert type does not permit use for SSL server"
    This message seems to me like I can't use this type of cert for SSL encryption? Is this right? And if so, why not?

    The funny thing is that if I give the applet access to the keystore containing my company's cert (private/public keys) by using
    "javax.net.ssl.trustStore" = "some path"
    it works! SSL encryption is enabled! Of course this option is not acceptable in a production environment.

    I am using J2SDK 1.4.2 and JBoss 3.2.1 with http-invoker.

    Any help appreciated

    ThanX.
    - Chris

    The full exception is:
    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: /usr/java/j2sdk1.4.2/jre/lib/security/cacerts
    trustStore type is : jks
    init truststore

    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1063272795 bytes = { 200, 41, 212, 81, 50, 46, 166, 131, 2, 7, 19, 96, 56, 74, 143, 149, 231, 10, 143, 121, 63, 135, 54, 136, 6, 166, 9, 47 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 1772
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1063272795 bytes = { 105, 170, 14, 117, 169, 51, 242, 67, 230, 247, 123, 147, 165, 241, 231, 69, 135, 210, 105, 82, 188, 80, 238, 241, 241, 232, 100, 84 }
    Session ID: {63, 96, 65, 91, 84, 175, 225, 96, 176, 221, 147, 94, 80, 197, 97, 33, 229, 44, 241, 241, 225, 250, 70, 184, 181, 194, 253, 85, 75, 166, 132, 20}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=NERA SATCOM AS, OU=Research and Development, O=NERA SATCOM AS, L=Oslo, ST=Oslo, C=NO
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    c6eea673 104e5537 90419256 aaf2dfab bd847a37 3a123258 f309f711 329215c7
    13599182 b107c56e c01b528d a241c944 035fa2c1 94b23c05 4faf8f6c a4b2ff58
    60c3203d d8071874 d3c17ed7 cd00c880 8a5fb8aa 61a6fedf adf279bd c1da310d
    3d840444 f64fe148 faed0294 1fd8aa61 1c9fbb44 8b2c39fa f5cf985b 8f27e74b
    Validity: [From: Fri Sep 05 09:31:13 CEST 2003,
    To: Sat Sep 04 09:31:13 CEST 2004]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 3d2cff]

    Certificate Extensions: 6
    [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
    Object Signing
    ]

    [2]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://crl.thawte.com/ThawteServerCA.crl]
    ]]

    [3]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [DNSName: www.nera.no]]

    [4]: ObjectId: 2.5.29.4 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 16 30 14 30 0E 30 0C 06 0A 2B 06 01 04 01 82 ..0.0.0...+.....
    0010: 37 02 01 16 03 02 07 80 7.......

    [5]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.3, 1.3.6.1.4.1.311.2.1.22]]

    [6]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 96 9B DA 1E A0 A8 BC 72 2F 9A E4 C2 64 38 2F AE .......r/...d8/.
    0010: 0D AE 55 8F 7B 86 E5 C6 98 0B 26 AA AB 4F 50 1C ..U.........OP.
    0020: 85 18 D2 C9 6F 38 A1 CC DF 52 CD 5B 5A 0B 25 BD ....o8...R.[Z.%.
    0030: E2 3C EB 90 CA 93 21 E1 71 FC E1 97 7E 6B C0 0C .....!.q....k..
    0040: 60 F2 9D 59 08 43 25 E3 E4 9C 55 84 03 42 0F F3 `..Y.C%...U..B..
    0050: CC 29 7D E2 0F B3 D5 15 76 A5 97 93 D6 7E D9 B4 .)......v.......
    0060: F8 70 B6 A5 03 73 BE 71 BC 39 BE 0F 72 AC 5B 6B .p...s.q.9..r.[k
    0070: F0 68 49 F3 34 DA 3D C4 89 5E C9 A2 FA 58 3F FC .hI.4.=..^...X?.

    ]
    chain [1] = [
    [
    Version: V3
    Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    d3a4506e c8ff566b e6cf5db6 ea0c6875 47a2aac2 da8425fc a8f44751 da85b520
    7494861e 0f75c9e9 0861f506 6d306e15 1902e952 c062db4d 999ee26a 0c4438cd
    febee364 0970c5fe b16b29b6 2f49c83b d4270425 10972fe7 906dc028 4299d74c
    43dec3f5 216d549f 5dc358e1 c0e4d95b b0b8dcb4 7bdf363a c2b56622 12d6870d
    Validity: [From: Thu Aug 01 02:00:00 CEST 1996,
    To: Fri Jan 01 00:59:59 CET 2021]
    Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [ 01]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [MD5withRSA]
    Signature:
    0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
    0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
    0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...HYC.O.=....b
    0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
    0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
    0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z... ....
    0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
    0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

    ]
    ***
    main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
    main, WRITE: TLSv1 Alert, length = 2
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
    javax.naming.NamingException: Failed to retrieve Naming interface [Root exception is java.io.IOException]
    at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:68)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.init(InitialContext.java:195)
    at nera.mb.mms.rmi.MBJNDIConnection.init(MBJNDIConnection.java:31)
    at nera.mb.mms.MBClient.init(MBClient.java:112)
    at nera.mb.mms.MBClient.main(MBClient.java:175)
    Caused by: java.io.IOException
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:591)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(DashoA6275)
    at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:110)
    at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:64)
    ... 7 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:1446)
    at java.net.URLConnection.getHeaderFieldInt(URLConnection.java:476)
    at java.net.URLConnection.getContentLength(URLConnection.java:371)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getContentLength(DashoA6275)
    at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:106)
    ... 8 more
    Caused by: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
    at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:246)
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:103)
    at sun.security.validator.Validator.validate(Validator.java:205)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
    ... 22 more

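    The debug output above shows exactly why JSSE rejected the www.nera.no certificate: its NetscapeCertType extension carries only the "Object Signing" bit and its ExtendedKeyUsage lists only id-kp-codeSigning (1.3.6.1.5.5.7.3.3) and the Microsoft commercial code-signing OID, so the end-entity checker refused it as an SSL server certificate. The following Python is an added example, not code from the original thread or from the JDK: it decodes those two extension values from DER and applies the same "may this cert be used as a TLS server?" rule. The acceptance rule is my reading of what sun.security.validator.EndEntityChecker does (absent extension = no restriction; present extension must allow server use; Netscape cert type is tested before EKU, which is why the log reports that message), and all DER inputs are constructed by hand for the example.

```python
"""Added example: decode ExtendedKeyUsage / NetscapeCertType and re-run the
TLS-server end-entity test that failed in the Java debug log above.

Acceptance rule is my approximation of EndEntityChecker.checkTLSServer,
not the JDK source.  All DER inputs are constructed for this example.
"""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_ANY_EKU = "2.5.29.37.0"
OID_NS_SGC = "2.16.840.1.113730.4.1"      # Netscape Server Gated Crypto
OID_MS_SGC = "1.3.6.1.4.1.311.10.3.3"     # Microsoft Server Gated Crypto
TLS_SERVER_EKUS = {OID_SERVER_AUTH, OID_ANY_EKU, OID_NS_SGC, OID_MS_SGC}

# NetscapeCertType bit positions (bit 0 = MSB of the first content byte).
NS_SSL_CLIENT, NS_SSL_SERVER, NS_SMIME, NS_OBJECT_SIGNING = 0, 1, 2, 3


def der_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos:]; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = # of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear terminates a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_eku(ext_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OID) -> list of OIDs."""
    tag, seq, _ = der_tlv(ext_value)
    assert tag == 0x30, "EKU must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = der_tlv(seq, pos)
        assert tag == 0x06, "EKU members must be OIDs"
        oids.append(decode_oid(content))
    return oids


def decode_bitstring_bits(ext_value):
    """Return the set of bit indices that are 1 in a DER BIT STRING."""
    tag, content, _ = der_tlv(ext_value)
    assert tag == 0x03, "expected a BIT STRING"
    unused = content[0]
    total_bits = (len(content) - 1) * 8 - unused
    return {i for i in range(total_bits)
            if content[1 + i // 8] & (0x80 >> (i % 8))}


def permits_tls_server(eku_oids=None, ns_cert_type_bits=None):
    """Approximation of the JSSE end-entity test.  Returns (ok, reason).

    None means the extension is absent (no restriction); a present
    extension must explicitly allow TLS server use.
    """
    if ns_cert_type_bits is not None and NS_SSL_SERVER not in ns_cert_type_bits:
        return False, "Netscape cert type does not permit use for SSL server"
    if eku_oids is not None and not TLS_SERVER_EKUS.intersection(eku_oids):
        return False, "Extended key usage does not permit use for TLS server"
    return True, "ok"


# Constructed DER extension values mirroring what the log shows:
# EKU = { id-kp-codeSigning, 1.3.6.1.4.1.311.2.1.22 }
EKU_CODE_SIGNING_DER = bytes.fromhex(
    "30160608" "2b06010505070303" "060a" "2b060104018237020116")
# NetscapeCertType = Object Signing only (bit 3 -> 0x10, 4 unused bits)
NSCT_OBJECT_SIGNING_DER = bytes.fromhex("03020410")
# ...and what a proper SSL server certificate would carry instead:
EKU_SERVER_AUTH_DER = bytes.fromhex("300a0608" "2b06010505070301")
NSCT_SSL_SERVER_DER = bytes.fromhex("03020640")   # bit 1 -> 0x40, 6 unused bits


def check_cert_like_the_log():
    """Evaluate the nera.no-style extensions; returns (ok, reason)."""
    return permits_tls_server(decode_eku(EKU_CODE_SIGNING_DER),
                              decode_bitstring_bits(NSCT_OBJECT_SIGNING_DER))


def check_proper_server_cert():
    """Evaluate serverAuth + SSL-server-bit extensions; returns (ok, reason)."""
    return permits_tls_server(decode_eku(EKU_SERVER_AUTH_DER),
                              decode_bitstring_bits(NSCT_SSL_SERVER_DER))


if __name__ == "__main__":
    print("EKU in log:", decode_eku(EKU_CODE_SIGNING_DER))
    print("log cert   :", check_cert_like_the_log())
    print("server cert:", check_proper_server_cert())
```

    The practical takeaway for the thread: no truststore change on the applet side can fix this, because the failing check is on the server certificate's own usage extensions. The certificate has to be reissued as an SSL server certificate (serverAuth EKU, and either no NetscapeCertType or one with the SSL server bit set).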
    DB:2.31:Ssl Encryption Between Applet And Jboss 8x

    hello there

    I need to accomplish the same task as you did,
    e.g. have an applet that uses a truststore.

    were you able to fix the problem?
    how did you do it?

    thanks in advance
    warder

  • RELEVANCY SCORE 2.31

    DB:2.31:Single Inbox Ssl f3



    Happy Holidays all!

    Bear with me as I'm learning this by the seat of my pants, so my wording may not be accurate and if so just correct me....

    We're working on setting up single inbox with exchange 2010. Our configuration:

    Kemp Load Balancers
    Exchange 2010
    Unity Connection 8.6

    (all in a cluster)

    During initial configuration testing we were able to get single inbox working by-passing the load balancers but now we need to secure it.

    When we applied SSL on exchange, the connection broke....even after configuring Unity to use NTLM and HTTPS.

    I installed the Tomcat trust certificate issued by Digicert (which I received from my ExchAdmin).

    So thats where I am at, at this point.

    My question: In the following cisco doc http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/administration/guide/8xcucsag215.html#wp1069897

    2. If a Connection cluster is configured, run the set web-security CLI command on both Connection servers in the cluster and assign both servers the same alternate name. The alternate name will automatically be included in the certificate signing request and in the certificate.

    When I installed the certificate, I installed it as Tomcat-Trust....this seemed like the only place Unity would allow for me to upload it to. Is this correct?

    And what exactly would be the alternate name? As I look at the cert that I installed, it shows the Issuer name and the Subject name....which one is correct? The Subject name is already in the altName list.

    Am I even going in the right direction? I'm trying to understand this process better before messing with the cli as it looks like it could have some negative impact if I do this wrong.

    Thanks for your time and your help....

    ~Ray

    DB:2.31:Single Inbox Ssl f3

    2. If a Connection cluster is configured, run the set web-security CLI command on both Connection servers in the cluster and assign both servers the same alternate name. The alternate name will automatically be included in the certificate signing request and in the certificate.
    This has nothing to do with Single Inbox. This is for uploading a signed certificate for Unity Connection itself to avoid security warnings when using /ciscopca or /cucadmin. The Subject Alternate Name is used when you want to address both servers by the same DNS CNAME record. Example: cxnserver1.domain.com and cxnserver2.domain.com should both be accessible as voicemail.domain.com without a security warning.

    All of the Single Inbox-related configuration is in this document:

    http://www.cisco.com/en/US/docs/voice_ip_comm/connection/9x/unified_messaging/guide/9xcucumg020.html

    Follow the procedure here to the letter. I recommend sitting down with your Exchange admin at the same table and doing it together. You can waste days of time by either of you skipping a step.

    For example, you need to upload the root CA certificate which signed the Exchange CAS server certificate to the tomcat-trust and connection-trust stores.

    Where I have seen this break with load balancers in the past is if the full certificate chain (root CA, intermediate signing CA, and actual Exchange CAS certificate) are not presented during the SSL handshake. In other words they uploaded only the Exchange CAS certificate to the load balancer; the full chain must be intact. The only way to see this from CXN is to run a packet capture and look at the certificates presented.

    Please remember to rate helpful responses and identify helpful or correct answers.

  • RELEVANCY SCORE 2.31

    DB:2.31:Event Id 8311 0x2 pp


    Today I had a significant amount of errors pop up on my SharePoint site after installing a certificate on SharePoint web services for the https binding. All are error code 8311; the error reads:
    An operation failed because the following certificate has validation errors: Subject Name: {redacted} Issuer Name: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US Thumbprint: {redacted} Errors: SSL policy errors have been encountered.
    Error code '0x2
    I found suggestions about going into security-manage trust and adding the root CA, but this did not work for me. This is a cert issued by DigiCert and not a self signed cert. The FQDN on the cert matches the address everything is going to and I do not receive any cert errors when browsing to the binding. I found a blog post to run the PowerShell scripts: get-spserver, then rename-spserver -identity {server name} -name {fqdn}, followed by an IIS reset. I tried this in a test environment and this completely breaks access to the site. Everything on the site continues to appear functional even with the error, but I'm receiving around 10000 errors an hour around this and I would like it to stop. Anyone have any ideas?

    DB:2.31:Event Id 8311 0x2 pp

    I have been thinking about this a bit more, and I have some thoughts on what may be causing it. Default behavior on this port is to run with no cert binding in IIS on an https port. The really strange thing is, there is still a Microsoft self signed cert listed when you try to hit the web interface for this port, but no self signed cert binding in IIS. Why Microsoft decided to use an internal cert pool and not use IIS to make things easier we will never know. However, what I believe is happening is when the cert binding is applied in IIS, SharePoint still attempts to use its own internal self signed cert, and when it hits the duplicate cert it crashes out because they're totally different cert chains. Now, what doesn't make sense is that I added this to the internal SharePoint keystore, which should in theory prevent it from continuing to use its own internal cert, but because SharePoint isn't talking to IIS, it doesn't realize this. My guess here is that when Microsoft was designing SharePoint 2013 they didn't take into consideration people wanting to remove all self signed certs, so they didn't bother to make this possible/easy for this service. So again we're faced with the demon of compromising regulatory requirements due to bad design. Well played Microsoft, well played.

  • RELEVANCY SCORE 2.31

    DB:2.31:Error Message For Ca Help j8



    Hi,

    Can anyone advise me on what is the cause of the problem (manually installing a 3rd party vendor cert for use with WebVPN, configuration version 8.0)?

    I have followed the configuration example and found this error message via the CLI.

    Appreciated any kind reply.

    FO: Certificate has the following attributes:

    Fingerprint: 713cdfee 53530e1e 06fa7a41 b78a7779

    Do you accept this certificate? [yes/no]: y

    Trustpoint 'xx.Entrust.TrustPoint' is a subordinate CA and holds a non self-signed certificate.

    Trustpoint 'xx.Entrust.TrustPoint' is a subordinate CA.

    but certificate is not a CA certificate.

    Manual verification required

    Trustpoint CA certificate accepted.

    % Certificate successfully imported

    PHS-ASA(config)# CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 469C84D9, subject name: cn=xxxx.xxxx.com.xx,ou=IT,o=xxxxxxxx,l=xxx,c=xx.

    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

    Current Certificate list contents:

    Certificate 1:

    SERIAL: 469c84d9

    ISSUER: cn=Entrust.net Secure Server Certification Authority,ou=(c) 1999 Entrust.net Limited,ou=www.entrust.net/CPS incorp. by ref. (limits liab.),o=Entrust.net,c=US

    CRYPTO_PKI: crypto_process_ra_certs(trust_point=PW.Entrust.TrustPoint)INFO: Certificate has the following attributes:

    ^

    PHS-ASA(config)# ISSUER: cn=Entrust.net Secure Server Certification Authorit$

    ISSUER: cn=Entrust.net Secure Server Certification Authority,ou=(c) 1999 Entrust.net Limited,ou=www.entrust.net/CPS incorp. by ref. (limits liab.),o=Entrust.net,c=US

    DB:2.31:Error Message For Ca Help j8


    If you get a certificate from a trusted 3rd party (i.e. Verisign/Thawte/etc.) to install on the appliance then you shouldn't get the certificate warning pop-ups for anything that's encrypted by the SSL VPN appliance. For some certificates manual install maybe the only way. You need to check with the issuer of certificate for a such problem.