self-signed SSL certificate error: certificate has invalid digital signature - windows-7

I have a C# program and part of it creates a self-signed certificate.
The problem is when I try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when I try to add this certificate through the command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but with no luck.
I've also tried downloading a Hotfix from Microsoft but it didn't work.
By the way, my machine is running Windows 7 64-bit.

I ran into an answer here. The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using the latest and greatest DC cert authority certificate. I had to export and install both the root cert and the self-signed cert on my destination machine for it to recognize the self-signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.

In my case it was due to an old self-signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 - to reduce the security (only in my dev environment):
certutil -setreg chain\minRSAPubKeyBitLength 512

Related

SignTool Error: WinVerifyTrust returned error: 0x80096019

After signing my application using a test certificate (pfx) with signtool, when I try to verify using signtool verify I am getting the error code below:
SignTool Error: WinVerifyTrust returned error: 0x80096019
A certificate's basic constraint extension has not been observed.
I have tried another exe with the same cert, still the same issue.
I have tried different certificates with the same exe, still the same issue.
I have searched on the Internet but couldn't find a source or link. Any help would be much appreciated.
Maybe you are using a CA certificate to sign. A CA certificate should issue a Code Signing certificate, so you need a second certificate (Basic Constraints = LIMITED to 0 or false) that is then used to sign the executable.
This second code signing certificate is signed with the CA certificate's private key.

certificate signed by unknown authority with self-signed certificates

I'm trying to set up a development environment where TLS is enabled for RabbitMQ. So here is what I did:
1. Use the tls-gen script to generate certificates with the basic profile.
2. Configure RabbitMQ to use ca-certificate.pem, server-certificate.pem, and server-key.pem.
3. As I'm using macOS, I ran sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain testca/ca_certificate.pem to add the CA certificate to the trusted roots.
4. Within a Go program, I load the client_certificate.pem and client-key.pem into a tls.Config.
5. Call amqp.DialTLS().
I got the following error message:
err: x509: certificate signed by unknown authority
which is unexpected. In step 4 above, if I add the ca-certificate.pem into the root CAs of the tls.Config, it works fine. So I'm suspecting that the addition of the root CA on macOS is not right.
Can somebody review the above and point out my mistake?

Chrome failing to load certificate on OS X

Users are reporting that they can't view https://blog.za3k.com on OS X.
Chrome and Safari (which use OS X's root certificates) fail.
All tests on Linux and Windows have shown no problems. Qualys SSL Labs reports no problems except SHA1 signatures.
Chrome reports NET::ERR_CERT_INVALID and if I click the certificate icon -> View certificate, I see "The data does not appear to be a valid certificate".
Firefox loads the page correctly.
Safari hangs on visiting the page.
OS X version has no effect that I can tell, but I'm on 10.10.1 personally.
curl https://blog.za3k.com fails with:
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
openssl s_client -connect blog.za3k.com:443 reports success.
The root certificate is 'StartCom', which should be trusted on Mac.
Ideas on how to debug?
What are you seeing in the certificate data which you're returned? Here things are a bit curious -- from a desktop system I see a certificate returned for 'nanowrimo.za3k.com' or 'za3k.com' (but not blog.za3k.com), while obviously SSLLabs sees a certificate which is valid for blog.za3k.com and za3k.com. Could be a DNS aliasing issue, but really the cert should contain a SAN for whatever you mean it to appear as.
openssl s_client -connect blog.za3k.com:443 | openssl x509 -text

Cannot connect SOAP client (savon) to SOAP web services over HTTPS

Before attempting to solve this, I had no clue how certs or SSL worked, so please bear with my n00b-ness.
I'm currently using the Savon gem (v. 0.9.9) to try and connect to a SOAP-based web service over HTTPS. However, I'm having a difficult time making successful calls.
As I understand the SSL/TLS protocol, the client sends the initial 'client hello' message to the server, to which the server responds with a 'server hello', which includes the server's digital certificate. The client will check that cert's chain against the local Cert Authority bundle to see if said cert can be trusted. That being said, here's what I've tried.
Update RVM CA certs: At first, I was getting the same error described in this SO thread, and I learned that Ruby checks the CA certs. I also found these instructions on updating the CA certs that RVM uses. So I ran the following in iTerm:
rvm osx-ssl-certs status all
and I got the following output:
Certificates for /Users/user-name/.rvm/usr/ssl/cert.pem: Up to date.
However, this still didn't allow me to successfully make SOAP calls over HTTPS.
Check if remote server's SSL cert is valid: I learned about the openssl CLI tool from here, and so I figured perhaps the issue isn't me. Perhaps the issue is with the certificate itself. So I ran the following command in iTerm:
openssl s_client -connect [HOST]:[PORT] -showcerts
In addition to the certificate itself, I got the following in the output:
Verify return code: 18 (self signed certificate)
As I understand it, since this cert is self-signed, then unless it itself was a trusted CA, of course it could never be verified. So the issue isn't with the certificate; the problem is with my local CA bundle.
Update local CA bundle: As I understand it, cert.pem is a list of trusted CA certs. I actually found two such files on my local machine:
/Users/user-name/.rvm/usr/ssl/cert.pem
and
/System/Library/OpenSSL/cert.pem
I wasn't sure which one I should update, so I ended up copying one of those files into my app's directory, copied and pasted the certificate into the new local cert.pem, and tried again. Unfortunately I now get the following:
OpenSSL::SSL::SSLError:
hostname does not match the server certificate
At this point, I'm not really sure what to do since as far as I can tell, the certificate should now be treated as a trusted certificate. Here's my code at the moment:
$SOAP_CORE = Savon::Client.new do |wsdl, http|
  # path_to_local_cert_pem: String path to the cert.pem copied into the app directory above
  http.auth.ssl.ca_cert_file = path_to_local_cert_pem
  http.auth.ssl.verify_mode = :peer
  wsdl.document = path_to_remote_wsdl_over_https
end
As I understand it, since this cert is self-signed, then unless it itself was a trusted CA, then of course it could never be verified. So the issue isn't with the certificate, the problem is with my local CA bundle.
I'm confused how you come to this conclusion. A self-signed certificate isn't going to verify, so the issue is with the certificate. Updating your CA bundle won't help unless the self-signer ends up in there, which seems silly.
Try turning off verification.
http.auth.ssl.verify_mode = :none
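As an added example (my own Go, not code from any of the posts above nor from tls-gen or Savon) covering three of these threads at once: it issues a constructed dev CA with Basic Constraints CA=true plus a separate non-CA leaf, as the signtool answer describes; verifies that leaf against an explicit root pool, which is what setting tls.Config.RootCAs did for the RabbitMQ question; and tells apart the "certificate signed by unknown authority" and "hostname does not match" failures seen with RabbitMQ, curl and Savon. NewDevPKI, VerifyFor and the name rabbit.dev.test are assumptions of this example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// NewDevPKI builds constructed test material standing in for tls-gen's ca_certificate.pem
// and server_certificate.pem: a 2048-bit RSA root (Basic Constraints CA=true) and a non-CA leaf.
func NewDevPKI(dnsName string) (ca, leaf *x509.Certificate, err error) {
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("rsa key generation failed")
	}
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dev-root"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, // a CA, used only to issue
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // re-parse so the chain walker sees the real extensions
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, NotBefore: nb, NotAfter: na,
		DNSNames:              []string{dnsName}, // the SAN is what Go (and browsers) match, not the CN
		BasicConstraintsValid: true,              // IsCA stays false: an end-entity, never a CA
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyFor checks leaf as a TLS client does: chain to roots (what goes in tls.Config.RootCAs), then match host to the SAN.
func VerifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// IsUnknownAuthority and IsHostnameMismatch tell apart the two failures quoted on this page.
func IsUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
func IsHostnameMismatch(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }
```

Passing an empty x509.NewCertPool() as roots reproduces a trust store that lacks the dev CA (the macOS situation in the RabbitMQ question), while a pool holding the CA but a host that is not in the SAN reproduces the Savon "hostname does not match" error.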

Powershell BitsTransfer (https) with invalid certificate authority

I'm trying to automate the weekly download of a text file from an HTTPS site with a ps1 script. My simple attempts to connect look like this:
Start-BitsTransfer `
-source https://url.com/file `
-destination d:\test.txt
I get the error "The certificate authority is invalid or incorrect". Is there a way to override this CA check?
This PowerShell (3.0) script is running on Windows Server 2008 R2 and the https://url.com/ SSL cert is issued by the Entrust CA. I've tried to add Entrust as a "Trusted Root Certificate Authority" to the "Certificate Store" through IE8. No joy.
This really racked my brain for quite some time. I finally figured out you need to enter the number in decimal, not in binary or hex.
C:\>bitsadmin /SetSecurityFlags myJob 8
The 8 will set "Ignore invalid certificate authority in server certificate : true".
http://technet.microsoft.com/en-us/library/cc753211(v=ws.10).aspx
C:\>bitsadmin /SetSecurityFlags myJob 0x011110
I believe I needed to update my Root CA list on the server with an MS Security Update.
And BitsTransfer cannot override a CA check.
