vmware: I can't add Trusted Root Certificates, error com.vmware.vapi.std.errors.Error, Certificate bearing subject CN=xx is not a valid CA certificate - vmware

I'm using vSphere Client version 7.0.2.00200, facing issue when adding the Trusted Root Certificates in administration settings.
Error message: Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, Certificate bearing subject CN=XXXXX,O=XXXXXXXXXXX,L=Palo Alto,ST=California,C=US is not a valid CA certificate. Please retry with a valid certificate chain
Please help me out.

Related

Certificate not found AWS Client Endpoint, when generating from ACM

EDIT: I need to request certificates, after generating CAs, as per this link. I wrongly assumed the certificate attached to the CA was the desired certificate for use within the VPN Client Endpoint wizard.
Instructions are as follows:
Sign in to the AWS Management Console and open the ACM console at https://console.aws.amazon.com/acm/home
Choose Request a certificate.
On the Request a certificate page, choose Request a private certificate and Request a certificate to continue.
On the Select a certificate authority (CA) page, click the Select a CA field to view the list of available private CAs identified by ARN. If the CA is shared from another account, the ARN is prefaced by ownership information. Choose a CA from the list.
Details about the CA are displayed to help you verify that you have chosen the correct CA:
I am trying to use the certificates that I generated in ACM with the VPN Client Endpoint service. I have generated a root ca, then a server and client ca as subordinate to that root ca, in the ACM.
When I go to use these in the Client VPN Endpoint generation wizard, it does not appear available.
If I attempt to just copy paste the ARN as found on the "Status" tab of the certificate, when generating the client vpn endpoint I receive an error:

Certificate chain for AWS ACM using Cloudflare

I'm trying to Import a certificate from Cloudflare using the AWS Web UI and I'm stuck in this page:
I read that the equivalent in Cloudflare to Certificate Chain is Origin Certificates (not 100% sure on this), so I created one and chose the RSA certificate and when I try to finish the import in AWS it says:
Could not validate the certificate with the certificate chain. Choose Previous button below and fix it.
Anyone knows what's the problem?
Thanks
EDIT:
I tried the root CA and it also doesn't work:
This is the "solution" from AWS:
"Could not validate the certificate with the certificate chain."
If ACM can't match the certificate to the certificate chain provided, verify that the certificate chain is associated to your certificate. You might need to contact your certificate provider for further assistance.
OK, I found the issue: I had created a Client CE and that's what I was using; I read in the description that it was the one used to authenticate APIs in clients, so it made sense. Anyway, resolution:
All 3 CEs have to be ORIGIN and the root is from this page. So if anyone has this issue, make sure you use the CE from the Origin page + the root.

Old SSL certificate taking precedence over new certificate

I recently inherited a website and ran into an issue with an expired SSL certificate. After verifying the certificate with OpenSSL, I discovered that there are two certificates for the one domain:
A manually created Let's Encrypt cert (expired)
A cert served by AWS's Certificate Manager (working)
The OpenSSL check points to the working cert when www. is at the beginning of the URL, but if the www. is removed the check points to the expired cert. The weird issue is that the AWS cert is a wildcard cert for the domain, and does not contain a www. in it.
How can I resolve this issue to just have users directed to the correct SSL cert? I attempted to locate the actual cert file in the server in an attempt to remove it, but I couldn't find it in any of the usual places.

How do you configure AWS cloudfront to use SSL?

We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this wildcard SSL cert to my CloudFront images with a custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the maximum size of the public key in an SSL/TLS certificate issue.
AWS CloudFront only supports 2048-bit keys, although Certificate Manager allows you to import 4096-bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format
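The three failure modes on this page (a chain that does not validate the leaf, a key larger than CloudFront's 2048-bit limit, and a chain certificate that is not actually marked as a CA, which is what the vSphere "not a valid CA certificate" error complains about) can all be caught locally with openssl before uploading. The following pre-flight script is an added example, not code from any of the answers above; the file names `leaf.pem` and `chain.pem` are placeholders, and the chain file is assumed to contain the intermediates and the root.

```shell
#!/bin/sh
# Added example (not from the answers above): pre-flight checks on a PEM
# certificate plus its chain before uploading it to ACM, CloudFront or vSphere.
# Usage: check_cert leaf.pem chain.pem   (file names are placeholders)
# Exit status 0 = all checks passed, 1 = at least one check failed.
check_cert() {
    leaf=$1
    chain=$2
    rc=0

    # 1. Does the supplied chain actually validate the leaf?
    #    ACM: "Could not validate the certificate with the certificate chain."
    if openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1; then
        echo "chain:    OK"
    else
        echo "chain:    FAIL ($(openssl verify -CAfile "$chain" "$leaf" 2>&1 | tail -n 1))"
        rc=1
    fi

    # 2. Public key size: CloudFront rejects keys larger than 2048 bits
    #    (the InvalidViewerCertificate error above) even though ACM imports them.
    bits=$(openssl x509 -in "$leaf" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -le 2048 ]; then
        echo "key size: OK ($bits bit)"
    else
        echo "key size: FAIL ($bits bit, CloudFront maximum is 2048)"
        rc=1
    fi

    # 3. Is every certificate in the chain marked as a CA (basicConstraints CA:TRUE)?
    #    vSphere: "Certificate bearing subject ... is not a valid CA certificate".
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$chain"
    for f in "$tmp"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject)
        if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
            echo "CA flag:  OK ($subj)"
        else
            echo "CA flag:  FAIL ($subj has no basicConstraints CA:TRUE)"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```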

Signing in to Sharepoint 2013 using Identity server 3 fails due to certificate validation issue

I am configuring a SharePoint 2013 web application to use Identity Server 3 as an identity provider. The configuration is done successfully and Identity Server is added as a trusted identity token issuer to SharePoint; I have used the Identity Server 3 test certificate as the signing certificate for SharePoint, but every time the redirect URL gives "an error occurred". This is the error in the log:
An operation failed because the following certificate has validation errors: Subject Name: CN=idsrv3test Issuer Name: CN=DevRoot Thumbprint: Errors: PartialChain: A certificate chain could not be built to a trusted root authority. RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate. OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline. .
SharePoint needs to have the entire certificate chain, right up to the root, added as a SPTrustedRootAuthority.
In the "Import a token signing certificate by using Windows PowerShell" section of the Configure SAML-based claims authentication with AD FS in SharePoint 2013 article:
This step must be repeated for every token signing certificate in the chain until the root certification authority is reached.
So you can either get the root certificate of the IdentityServer test certificate, which is called DevRoot, or create your own self-signed certificate for token signing.