I recently set up https on a Worklight Quality Assurance virtual appliance. I provided the certificate signed by my CA following the directions on the IBM Knowledge Center:
http://www-01.ibm.com/support/knowledgecenter/SSFRDS_6.0.0/com.ibm.mqa.install.doc/topics/t_confighttps.html?lang=en
and configured the appliance to accept connections only over https (I disabled port 80 through the firewall configuration wizard).
However, when I try to connect on https, the certificate retrieved by the browser is the default certificate issued by the appliance.
Is this correct? I was expecting the browser to retrieve the certificate I just imported.
Many thanks,
Marco
The best way to check if the certificate has been updated properly is to check the modified date of the cert and the key.
Please advise on the issue we are facing while accessing the SSRS secured web services and web portal URLs. Error message:
"Your connection is not private Attackers might be trying to steal
your information from <> (for example, passwords, messages, or credit
cards). Learn more NET::ERR_CERT_REVOKED"
We have had the SSL certificate reinstalled and restarted the SSRS services, but still no luck.
Could anyone please guide us in this regard? Server configuration details are as follows:
-Microsoft SQL Server Version 17
-SSRS product version of 14.0.600.490
-WINDOWS SERVER 2016 DATACENTER
The SSL certificate is configured on the Windows server. Also, SSL is configured in the Web services and Web portal SSL configuration in SSRS with (ALL IPV4) and (ALL IPV6), the SSL certificate, and validity till 2019.
There was a patch update last week and since then we have been unable to access the secured URLs:
https://<>/reports/
https://<>/reportserver/
but we can access non secured urls
http://<>/reports/
http://<>/reportserver/
If the site is publicly accessible, please check the certificate served by your web server via SSL Checker.
Compare the certificate serial number and expiration date with the data of the certificate you installed in your web server or hosting control panel. In many cases, I saw that the server uses an old or invalid certificate.
(Source)
If you are sure that the correct certificate is served, clear the CRL and OCSP cache:
certutil -urlcache CRL delete
certutil -urlcache OCSP delete
You can also try disabling certificate revocation in browsers. It fixes ERR_CERT_REVOKED on the client side.
I'm setting up Kerberos with an existing Active Directory as KDC and having an issue communicating with the ldaps server. We have a cluster of servers for AD, let's say server1.example.com, server2.example.com, server3.example.com, and the company just uses example.com to connect. I've set up ldap integration with Ambari for user access to the portal via the ambari-server setup-ldap, but did it without ssl and I can use ldap://example.com as the ldap server and it works fine. With ldaps, however, ldaps://example.com:636 doesn't work. I get an error in the ambari-server.log: "java.security.cert.CertificateException: No subject alternative DNS name matching example.com found". I have imported the CA cert and each individual server's certificate into my keystore and put the CA in /etc/pki/ca-trust/source/anchors/activedirectory.pem, but I still can't get it to work for example.com. I can get it to work for server1.example.com and all the others individually, but I can't get it to work for the example.com DNS name. I don't have control over the certificate creation on the AD ldaps side. These certs were self-signed by the AD server and each server has its own certificate. Is there any way to tell Ambari to accept invalid certs for the Kerberos wizard, or any other way to get the broader domain name to work? Thanks in advance for any help.
I have a win 7 x64 box I recently reimaged and I have installed IIS7.5 and PHP 7. I am trying to set up localhost sites for secure https and I have successfully created a self-signed certificate for this purpose. I have set the IIS bindings for the site to use https over port 443 (IP Address: All unassigned) and selected the new SS cert.
When I go to https://localhost/php_info.php on my computer, I can see the phpInfo content but Chrome displays alerts that site is not secure.
Certificate error: There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
Obsolete connection settings: The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and an obsolete cipher (AES_256_CBC with HMAC-SHA1).
What can I do to run secure sites over localhost?
The certificate error can be fixed if you generate another certificate, with Subject Alternative Name (which is required by Chrome). More information can be found in,
https://blog.lextudio.com/why-chrome-says-iis-express-https-is-not-secure-and-how-to-resolve-that-d906a183f0
The TLS cipher should be cleaned up by using a tool such as IIS Crypt,
https://www.nartac.com/Products/IISCrypto
Jexus Manager has SSL Diagnostics, which can provide you hints on what's wrong in your server configuration,
https://www.jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html
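The name check behind both "No subject alternative DNS name matching example.com found" (the Ambari/LDAPS question above) and net::ERR_CERT_COMMON_NAME_INVALID (the IIS localhost question), as an added example that is not from either post or from any product's code: a simplified model of matching the requested host name against a certificate's subjectAltName dNSName entries. The function names, the cn_fallback switch and the sample certificate contents are constructed for illustration.

```python
# Added example: simplified model of TLS server-name checking.
# All certificate contents below are constructed for illustration.

def name_matches(pattern, host):
    """Compare one certificate name with the host the client asked for.
    A '*' stands for exactly one leftmost label and never for the bare domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def hostname_ok(host, san_dns, common_name=None, cn_fallback=False):
    """Return (ok, reason). san_dns is the list of subjectAltName dNSName entries.
    cn_fallback models legacy clients that read the subject CN, and only when
    the certificate carries no dNSName at all."""
    if san_dns:
        for name in san_dns:
            if name_matches(name, host):
                return True, "matched SAN " + name
        return False, "no subject alternative DNS name matching " + host
    if cn_fallback and common_name and name_matches(common_name, host):
        return True, "matched CN " + common_name + " (legacy fallback)"
    return False, "certificate has no SAN dNSName for " + host

# (label, requested host, SAN dNSNames, subject CN, cn_fallback) - constructed
CASES = [
    ("per-server cert, domain name", "example.com", ["server1.example.com"], "server1.example.com", False),
    ("per-server cert, server name", "server1.example.com", ["server1.example.com"], "server1.example.com", False),
    ("wildcard cert, domain name", "example.com", ["*.example.com"], None, False),
    ("cert listing both names", "example.com", ["server1.example.com", "example.com"], None, False),
    ("CN-only cert, strict client", "localhost", [], "localhost", False),
    ("CN-only cert, legacy client", "localhost", [], "localhost", True),
    ("cert with SAN localhost", "localhost", ["localhost"], "localhost", False),
]

def run_cases():
    return [(label, *hostname_ok(host, san, cn, fb)) for label, host, san, cn, fb in CASES]

if __name__ == "__main__":
    for label, ok, reason in run_cases():
        print(f"{'PASS' if ok else 'FAIL':4}  {label:30} {reason}")
```

The passing cases show the two ways the check succeeds: the client connects by a name the certificate lists, or the certificate lists the name clients actually use.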
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but am still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like the difference between a Windows certificate and an IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?
Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be preinstalled so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When accessing the site I get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome, when I view the certificate information I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Self-signed certificates always trigger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate which was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert signed with the CA and put it on the web server. The clients install the public part of the CA cert in the "Trusted CA" certificate store. When a client connects to the web server, the server sends the signed SSL certificate, the client checks whether it is a "trusted" cert (was signed by a trusted CA) and if everything is OK the client doesn't show the warning.
You end up with this cert chain:
CA cert->SSL cert
The public part of the CA cert is installed in the client browser as a trusted CA. The SSL cert is put on the web server. The client validates the SSL cert against the trusted CA certs installed in its certificate stores.
It is like the CyberTrust CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that the *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably that the encryption protocols of your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allows you to enter a web site, and they'll throw a battery of test transactions at it to test its security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2