Importing certificate in "Trusted Root Certificate" show up in "Personal Certificates" in Chrome/IE Cert Store - ssl-certificate

I'm importing a .cer file to Chrome and Internet Explorer's certificate store.
When I'm importing it as "Trusted Root Certificate", it doesn't show any error but the certificate is found in "Personal Certificates" tab and not in "Trusted Root Certificates" tab.
Any idea about this?

If you import a certificate that is not a Root Certificate (self-signed) or a CA certificate (CA:true basic extension is not set) and you select "Automatically select the certificate store based on the type of certificate" in the wizard, it will get imported as "Personal" or "Other People".
If you select "Trusted Root Certificate Authorities" while importing a non-root certificate, it says 'import was successful', but that certificate is not found anywhere in the wizard.
To check if a certificate is a root certificate or not, open the certificate (in Windows) and check the following:
'Basic Constraints' must have 'Subject Type=CA'
'Issuer' and 'Subject' field must be the same.
Hope this helps.
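The two checks listed in the answer above can also be scripted. This is an added PowerShell example, not part of the original answer: the function names Get-CertificateKind and New-SampleCertificate are hypothetical, the sample certificates are constructed in memory, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: applies the two checks from the answer to one certificate.
function Get-CertificateKind {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Check 1: Basic Constraints (OID 2.5.29.19) must mark the subject as a CA.
    # A certificate without the extension is treated as not being a CA.
    $isCa = $false
    $ext = $Certificate.Extensions['2.5.29.19']
    if ($ext) {
        $isCa = [X509BasicConstraintsExtension]::new($ext, $ext.Critical).CertificateAuthority
    }

    # Check 2: Issuer and Subject must be the same. Compare the encoded names,
    # not the display strings, so formatting differences cannot hide a mismatch.
    $selfIssued = [Convert]::ToBase64String($Certificate.SubjectName.RawData) -eq
                  [Convert]::ToBase64String($Certificate.IssuerName.RawData)

    $kind = if ($isCa -and $selfIssued) { 'Root CA' } elseif ($isCa) { 'Intermediate CA' } else { 'Not a CA certificate' }
    [pscustomobject]@{ Subject = $Certificate.Subject; IsCA = $isCa; SelfIssued = $selfIssued; Kind = $kind }
}

# Constructed sample input: throwaway self-signed certificates built in memory.
function New-SampleCertificate {
    param([string]$Name, [switch]$AsCa)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($AsCa) {
        # certificateAuthority = true, no path length constraint, marked critical
        $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

# One certificate that passes both checks and one self-signed certificate that fails check 1.
Get-CertificateKind (New-SampleCertificate -Name 'Constructed Root' -AsCa)
Get-CertificateKind (New-SampleCertificate -Name 'constructed.example')
```

To inspect a real file before importing it, pass an X509Certificate2 loaded from the .cer path to Get-CertificateKind.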

Related

How upload my certificate to the Trusted Root Certification Authorities store?

I built an app that runs in the console with Python. Then I converted this app to an exe. I want to publish this app on the web, so I signed it. But I see this problem:
This CA Root certificate is not trusted. Upload this certificate to the Trusted Root Certification Authorities store to be trusted.
From this warning I understand that I must upload my certificate to the Trusted Root Certification Authorities store, but I do not know how.
My app's certificate is:
https://www.digicert.com/support/tools/certificate-utility-for-windows
Who issued certificate:
http://127.0.0.1:5000/
Whom was issued certificate:
http://127.0.0.1:5000/
Signature algorithm:
sha256RSA
You're using a self-signed certificate, i.e. the certificate was not issued by a valid trusted Certificate Authority. If you want to publish the app to the public, then you have to sign it with a certificate obtained from a valid trusted certificate authority (CA). If you want to share the app manually with the recipients, and they're aware of the possible risk, then you can share the issuer certificates with them so that they install those into the Windows trust store.
Just search for certmgr on Windows and add the issuer certificates into Trusted Root Certification.

Go Daddy SSL certificate disappear in IIS After Installing

I am trying to install the SSL certificate on IIS, and I am following the exact steps mentioned here: https://pk.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-10-server-27349.
Steps I did:
I purchased the SSL certificate from Go Daddy
I configured that on Go Daddy by giving the domain name
Submit the changes for getting the certificate
After verification downloaded the certificate
Created .Cer file from the .crt file
Imported the gd-g2_iis_intermediates.p7b in MMC under the intermediate certificate authority
Create a request in IIS and import .Cer file
After refreshing that window, the certificate doesn't appear
Am I doing something wrong in this?
So the thing is, I was facing an issue because I wasn't able to produce the .pfx file on my machine using MMC, but the DigiCert tool helped me create the .pfx file from the .crt file I got from Go Daddy. Instructions to create the file are at this link:
https://www.digicert.com/kb/util/pfx-certificate-management-utility-import-export-instructions.htm
Later I went to the MMC and to the intermediate certificate authority and I imported the .pfx file along with the password and the certificate got exported to the system and to the IIS and now it's visible in the IIS.

Why is Firefox not trusting my self-signed certificate?

I have a local domain (markfisher.local) for which I have made a self-signed certificate, which I have added to the Certificates in Keychain Access (I am using Mac). This results in the certificate being trusted in Chrome and Safari. If I edit the certificates Trust in KeyChain Access to "Never Trust" then Chrome and Safari no longer accept it, then if I change it back to "Always Trust" then I can access markfisher.local OK again.
But when accessing the site in Firefox I get the following:
markfisher.local uses an invalid security certificate.
The certificate does not come from a trusted source.
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
I have set security.enterprise_roots.enabled to true as suggested in this answer. Also, going to Preferences > Privacy & Security > View Certificates, I can see my certificate is in the Authorities tab and I have checked "This certificate can identify websites" in the "Edit Trust" dialog. This was not checked originally.
However Firefox refuses to accept the certificate. How can I fix this?
See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:
Looks like that certificate has a basicConstraints extension with the
value cA: TRUE. We stopped allowing CA certificates to act as
end-entity certificates. That certificate should be regenerated
without the basicConstraints extension.
This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate
What Can I Do: Re-generate the end-entity certificate without the basic constraints extension
I fixed the error by running "Run AutoSSL" on my hosting cPanel after DNS propagation.
Now Firefox says that the connection is secure, without any error.

Complete Certificate Request with .p7b file

In IIS 8, I created a Certificate Signing Request. After creation, I can see a certificate in "Certificate Enrollment Requests" in Microsoft Management Console (MMC), as well as the created CSR file. I took the content of the CSR file, and then enrolled with Symantec. After enrollment, a "cert.p7b" file was sent to me. This file contains my certificate, plus intermediate certificate.
At this point, I am not so sure of the correct next step. I know that I need to export out my certificate from "cert.p7b" into a .cer file first.
After that, should I take this exported .cer file, and then do a "Complete Certificate Request" in IIS 8 with it? I notice that when selecting a file in "Complete Certificate Request", the default extension is .cer. Can it take the whole "cert.p7b" file instead?
Instead of doing a "Complete Certificate Request", can I simply just open the exported .cer file, and do a "Install Certificate..."?
Thanks in advance.

Self Signed CA in jboss server Avoid SEC_ERROR_UNKNOWN_ISSUER

I have a simple app running on a JBoss server. I have the following certificates:
A self-signed root CA, intermediate CA 1 (signed by root), intermediate CA 2 (signed by root), and a .pfx certificate for my webpage. I created a keystore with my .pfx certificate, added it to the correct folder in JBoss, and modified the HTTP connection in the server.xml file. However, when I access the webpage I see a warning triangle saying that the CA is unknown. My question is: how should I configure JBoss to make the warning disappear? Should I add it to the truststore? Or is the only way to add it to the Windows/web browser root store?
The browser's warning page appears because the self-signed certificate is not locally trusted. There is nothing that can be done on the server end to hide this warning.
You must put the certificate in the browser's trust store, or get a certificate from a certificate authority that is already trusted.