09-30-2010 12:39 PM
I'm trying to use CCP 2.3 running on Windows XP to manage a Cisco router.
The router has a valid signed certificate and HTTPS/SSH enabled.
If I go to https://router.domain.name/ with my web browser it reports that the certificate is good.
When I try to use CCP to discover the router, since I have "connect securely" selected, CCP tries to use SSL to connect.
But Java pops up with a security certificate alert that the certificate was issued by an untrusted certificate authority.
I've checked all the cacerts files used by Java, and the certificate authority that issued the certificate is listed in cacerts.
So why is CCP complaining about a bad certificate? Where does CCP actually get its list of certificate authorities from?
10-03-2010 11:05 PM
It's a self-signed certificate which is considered untrusted by most CA providers and browsers, which is the reason you keep getting the error message. Depending on the browser you are using, you can elect to install the certificate so the pop-up does not appear.
Here is an example from Microsoft to install SSL in IE:
In Firefox:
Go to Tools > Options > Advanced > Encryption > View Certificates, on the bottom, Add Exception.
Or
(Note: Not recommended because all untrusted will be honored)
Type "about:config" in your URL address bar --> Navigate to: browser.xul.error_pages.expert_bad_cert --> Double-click on it (this will set it to equal True).
10-04-2010 06:54 AM
The router does not have a self-signed certificate. The router has a normal SSL certificate signed & issued by a 3rd-party certificate authority.
This certificate authority is present & trusted by both Firefox and Internet Explorer. As a result, both Firefox and Internet Explorer do not complain about the router's certificate.
The bad certificate warning is not coming from the web browser, it's from CiscoCP.
CiscoCP is based on an ancient version of Java (1.5.0.11). Java normally stores its certificate authorities in a file called cacerts.
There is a cacerts file in the C:\Program Files\Cisco Systems\CiscoCP\tools\jre1.5.0_11\lib\security\ directory.
If I look at the contents of the cacerts file using the Java keytool utility, I can see which certificate authorities are present & trusted by Java. The certificate authority that issued the router's certificate is present in the cacerts file and it is trusted.
I checked every other cacerts file on my computer, and the certificate authority that issued the router's certificate is present & trusted in the cacerts file.
So, CiscoCP must be using some other mechanism to determine what is a trusted certificate authority, but I can't figure out what CiscoCP is actually doing.
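Added example, not part of the original posts and not Cisco's code: a small Java program that runs Java's PKIX path validation of a saved certificate chain against one specific cacerts file, so the "is this CA trusted by this store" question is answered by the validator rather than by reading keytool output. The class name CheckChain and the file name chain.pem are hypothetical, and a current JDK is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Usage: java CheckChain <cacerts file> <chain.pem> [store password]
// chain.pem (hypothetical name): the certificates the device presents, in PEM,
// leaf first, each one followed by the certificate of its issuer.
public class CheckChain {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java CheckChain <cacerts> <chain.pem> [storepass]");
            System.exit(2);
        }
        // "changeit" is the default password of a JRE cacerts file.
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, pass);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[1]);
        for (X509Certificate c : chain) {
            // getCertificateAlias returns null when this exact certificate is not in the store.
            System.out.println("subject: " + c.getSubjectX500Principal()
                + "\n  issuer: " + c.getIssuerX500Principal()
                + "\n  alias in store: " + trust.getCertificateAlias(c));
        }
        PKIXParameters params = new PKIXParameters(trust); // every trusted entry becomes an anchor
        params.setRevocationEnabled(false); // offline check: trust path and validity dates only
        CertPath path = cf.generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("RESULT: chain validates against " + args[0]);
        } catch (CertPathValidatorException e) {
            System.out.println("RESULT: rejected at certificate index " + e.getIndex()
                + ": " + e.getMessage());
        }
    }
}
```

The result reflects the given cacerts file as evaluated by the JDK that runs the program, which may apply stricter algorithm and date checks than the JRE 1.5.0_11 bundled with CiscoCP.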
10-05-2010 12:29 AM
Can you post a screenshot of the error and the show ver of the device?
10-05-2010 10:46 AM
10-05-2010 05:00 PM
Do you mind emailing me the signed certificate? Who signed the certificate? What CA provider issued the SSL?