Can't create Exchange domain-signed certificate

Similar Messages

• SELFSSL.exe - can you create a Domain Controller certificate?

  As the title asks really.  Rather than setting up CA's, can you use selfssl.exe to create domain controller certificates?

  if you are not using certificates, then why not just delete certificates that cause warnings? Old trusted CA can be propagated from active directory. See this article:
  http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
  you need to perform only step 6 and 7.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Creating a self signed certificate - how do you set the 'storepass'

  Hi, I'm trying to use the ADT to create an AIR 2.7 file, but it's the first time i've used the command line tool to build one and am having problems understanding the signing process.
  I can generate a cert.p12 keystore file from within the flash IDE, and this asks for a password for the file (-storepass)
  I can also use ADT to create a self-signed certificate from the command line, here you can specify the -keystore (cert location) and -keypass (password for the key in the store)
  I cannot find a way of generating a self-signed certificate where you can specify both passwords though, one for the store (-storepass) and one for the key (-keypass).
  This is a problem because when i go to package my AIR file using ADT it needs both passwords -storepass and -keypass before it can publish it.
  Does anyone know how to generate a self-signed .p12 certificate and have control over both the keys...?
  I have spent hours playing and searching now so may have the wrong end of the stick, could do with some help getting past this issue.
  Thanks
  Sean

  There is only one password is required to package for ipa as far I know
  Sample command:
  C:\AdobeAIRSDK\bin\adt.bat -package -target ipa-test -storetype pkcs12 -keystore [KEYFILE].p12 -storepass [KEY PASSWORD] -provisioning-profile [MOBILE PROVISION FILE].mobileprovision [IPA NAME].ipa [XML FILE NAME].xml [SWF FILE NAME].swf Icon_29.png Icon_48.png Icon_57.png Icon_72.png Icon_512.png Default-Landscape.png Default-Portrait.png Default-PortraitUpsideDown.png Default-PortraitLandscapeLeft.png Default-PortraitLandscapeRight.png

• Can ACE produce a self signed certificate?

  Hi people,
  I have used ace to create a csr and then send it to verisign and install the signed certificate on ACE so that it acts as ssl-proxy termination.
  But now I want to know if it's possible for ACE to create a self signed certificate. (instead of sending it to verisign to sign it).
  Can this be done?
  thanks,
  george

  HI George,
  As far as I know, there is no option to signed your certificates from ACE.  You'll have to create keys and certificates on a separate device using openssl and then import them into the ACE module.
  http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example#Using_OpenSSL_to_Generate_a_Self_Signed_Certificate

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• Create exchange domain certificate

  upgrade exchange 2007 to exchange 2013, our new exchange 2013 is 2 mailbox server with DAG, and 2 CAS with NLB, I try to create exchange certificate with my domain CA, I can generate certificate request file ( .csr ) but whe I try to submit on Domain CA
  server it not work
  my exchange server is run windows server 2012 and CA server is windows 2008 r2, and domain functional and forest functional is 2003, please guide me how to complete these task, and when I got .cer file it need to import to all exchange server or not
  Thank you for your support

  This is a bit vague - need an error or screenshot etc to go on.
  How are you completing the certificate request?  IE or MMC? 
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Can't create Exchange users in a new child domain

  Hi,
  i have an Exchange 2010 SP3 ( 1 CAS/Hub + 1 mailbox) server running in a parent domain. Few days ago i've created a new child domain, but i can't create mailbox for users coming from this new child domain.
  The error message says that i don't have enough rights to do this operation (can't copy the error, translation from frecnh will be a disaster :p )
  That's what i get :
  Réponse d'Active Directory : 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  I'm doing this with my parent domain administrator.
  I've read that the exchange infra had to be prepared for all domains with command
  setup.com /PrepareAllDomains
  is it possible with an existing exchange?
  Thanks for your replies

  Yes, you need to prepare any domain that will have mail-enabled accounts in it.
  You can run this for a specific domain:
  setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
  Its safe to run this in an existing Exchange org.
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• N97 - Mail for Exchange self signed certificate

  I would like to use my N97 for sychronizing my nokia with my office e-mails (MfE 2003). Sync keeps on failing. I assume that my n97 does not accept the self-signed certificate we are using (unlike the iPhone and any other HTC or Windows mobile based device). I tried to install the certificate on my nokia - however all versions offered for conversion by my internet explorer are not recognized as a certificate by the n97 (either unkown format or just displayed as text).
  Can anyone help? (I am afraid I have to deal with our self-signed certificate - so there is no chance to approach the problem from that end)
  Many thanks!

  I am also having the exact same problem.  My company uses Exchange Server 2003, but I cannot get the Nokia N97 to sync using Mail for Exchange.  I too am guessing that it might be related to the fact that we are using a self signed certificate.
  When the sync failed, I tried to browse to our web exchange access on the N97 web browser, but that wouldn't work either (I have successfully been able to do this on a Sony Ericsson C905 and a BlackBerry Pearl, but the Nokie N97 says it is unable to perform the operation).
  Can anyone confirm if the issue is in fact the self signed certificate, or make any other suggestions?  I do not want to push my company down the path of getting the certificate signed if it's not going to solve the problem.
  Thanks!

• How can I replace the self-signed certificate on a SL150?

  Hi,
  I would prefer to have our internal CA sign the SSL-certificate for our SL150.
  Is this possible? Where can I find the configuration to generate a request and upload the certificate?
  Thanks,
  /M

  http://h10032.www1.hp.com/ctg/Manual/c01918142.pdf
    Videos from the HP Media Service Library
   http://h20574.www2.hp.com/default.htm?lang=en&cc=U​S&hpappid=psml
   It's probably easier to order a new board as it's separate from the main mother board.

• Can't create new digital ID/certificate - Reader shutting down unexpectedly

  I had Adobe Reader X (10.0.0) installed and when I went to Edit|Protection|Security Settings it would pop up a dialog then shut down immediately.
  I upgraded to the latest X build (10.2.1 or something), and the same thing occured.
  I turned off Protected Mode and now instead of just shutting down it showed an 'Adobe Reader has stopped working' dialog (I did save the crash dump file but then lost it unfortunately, however there was nothing obvious in it)
  I then installed version XI (not sure why Update didn't tell me about this).
  When I tried to start that, it shut down immediately.  I read here that this was a known problem of sorts, and ran the EULA program to allow it to at least start up.
  Next I tried to find the equivalent "Security Settings" dialog in version XI in order to create a new Digital ID, and eventually found what looked like the right option under Edit|Preferences|Signatures|Identities & Trusted Certificates.
  But when I click the "More" button...it just shuts down immediately.  The 'More' button for "Document Timestamping" causes the same thing, as does the 'More button' on the tab for Edit|Preferences|Security. I managed to get a screen shot and it's just the partly painted "Digital ID and Trusted Certificate Settings" shown before it disappears completely, with no other dialogs displayed or any options to capture the crash dump.  I attached a debugger to it and managed to get this stack trace:
  First-chance exception at 0x700b2a5a in AcroRd32.exe: 0xC0000005: Access violation writing location 0x700de9f4.
  >
  nvdxgiwrap.dll!700b2a5a()
  [Frames below may be incorrect and/or missing, no symbols loaded for nvdxgiwrap.dll]
  mshtml.dll!0ce4021a()
  dxgi.dll!0f7ab564()
  dxgi.dll!0f79919e()
  dxgi.dll!0f7ab5ba()
  dxgi.dll!0f7ab581()
  nvdxgiwrap.dll!700bc42b()
  nvdxgiwrap.dll!700b6836()
  After which...
  The program '[9844] AcroRd32.exe: Native' has exited with code -1073741819 (0xc0000005).
  This is on pretty much plain-vanilla Windows 7 64-bit system.
  Any help appreciated.
  Thanks
  Dylan

  I searched for nvdxgiwrap and located this thread
  http://forums.adobe.com/thread/1178057
  Which had the answer (NVIDIA 3D graphics settings - use Integrated Graphics).

• Steps to create your own self signed certificate with java plugin working

  You need two tools that comes with your jdk which are keytool and jarsigner.
  Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
  * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
  cn = Certificate name
  o = organistation
  ou = organistation unit
  c = country (first two letters)
  If don't put the -dname, you can fill it line by line.
  The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
  On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
  file. When you update it, check for the timestamp change and you know if you at the right spot.
  You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
  The .keystore contains a list of alias so you don't have to do this process again and again.
  Another tip if you want your certificate encryption validity to be more than the default one month is simply
  add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
  Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
  Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
  * keytool -export -alias tstkey -file MyTestCert.crt
  It will read the alias information in the .keystore information picking up the rsa private/public keys info and
  create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
  If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
  If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
  * Put your classes in your jar file, my example is tst.jar.
  * jarsigner tst.jar tstkey
  Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
  * jarsigner -verify -verbose -certs tst.jar
  Check that its been verified.
  The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
  have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
  netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
  CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
  JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
  JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
  the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
  * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
  Off course point to your own cacerts file destination.
  Password to change it, is "changeit"
  Before you do this step make a copy of it in its own directory in case you do something silly.
  This example will add a CA with alias of my key called "tstkey" and store to my example destination.
  * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
  List to see if another CA is added with your alias key.
  Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
  your own self sign applet certificate should work
  Cheers
  Abraham Khalil

  I follow Signed Applet in Plugin, and it's working on
  my computer. Thanks
  But When I open my applet from another computer on
  network, why it does not work ..?
  How to make this applet working at another computer
  without change the policy file ..?
  thanks in advance,
  AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
  I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

• How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

  I have an RDG server named gw.domain.local with port 3389/tcp forwarded from
  gw.example.com.
  Using RDGM snap-in I created a self-signed SSL certigicate with FQDN gw.example.com.
  But when I connect over RDP from outside the local network I'm getting an error:
  Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
  Because certificate subject name is gw.domain.local indeed.
  So there question is: how to issue a certificate properly, or how to assign an existing one the name to match?

  Hi,
  Thanks for your post in Windows Server Forum.
  The certificate error which you are facing seems like certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway
  server. You can refer below article for more troubleshooting.
  TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
  And for creating a SSL certificate for RD gateway, you can refer beneath articles.
  1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
  2.  Obtain a Certificate for the Remote Desktop Gateway Server
  Hope it helps!
  Thanks,
  Dharmesh

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.