3rd party certificates / configure valid NPS servers

We have set up a working 802.1x/Radius wired environment with MS NPS/NAP. We added a third party certificate for the NPS server to get rid of certificate warnings for non-domain clients.
We had a certificate for our mailserver since earlier (mailserver.domain.com). I do not know much about PKI but we bought something like a “subcertificate” that still is issued to mailserver.domain.com but has the FQDNs of our NPS servers as SANs.
We have imported and configured the use of the certificate. The first thing that happened was that clients got a warning when connecting:
The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.
We corrected this error by following the KB:
http://support.microsoft.com/kb/2518158 and checking the CA in the NPS authentication configuration.
Now the part regarding “valid trust anchor” of the error message has disappeared and it now looks like this:
http://www.chicagotech.net/images/ssl34.gif (with radius server: mailhost.domain.com).
Viewing our mailserver/NPS certificate, the certificate chain appears to be perfectly in order (we have imported intermediate certificates etc.).
The last part of the error message:
The server “mailhost.domain.com” is not configured as a valid NPS server to connect to for this profile.
And that is correct, since that is our mailserver.
We have tried to register our mailserver as an NPS server (which it isn't) (netsh ras add registeredserver) and also issuing an NPS certificate to the mailserver without luck.
Any suggestions?

Hi,
You might not have a correct subject alternative name (SAN) in the certificate. See:
https://technet.microsoft.com/library/cc731363.aspx
The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the Domain Name System (DNS) name of the enrolling server.
Please check the SAN on your 3rd party certificate.
-Greg

Thanks Greg, you might definitely be onto something here.
Looking at the SAN information, it looks like this:
mailserver.domain.com
nps-server1
nps-server2
I.e. the NPS servers do not have the FQDN. I guess we have to order a new certificate?
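
The SAN check discussed above can be scripted. The following PowerShell is an added example, not part of the original thread; the function names Get-SanDnsNames and Test-SanCoverage and the nps-server*.domain.com FQDNs are assumptions made for illustration.

```powershell
# Added example, not from the original thread.
# Function names and the nps-server*.domain.com FQDNs are assumptions.

function Get-SanDnsNames {
    # Reads the DNS names of a certificate in the Local Computer\Personal store.
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # Thumbprints pasted from the certificate dialog often carry spaces or
    # invisible characters; keep hex digits only.
    $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

    # OID 2.5.29.17 is the Subject Alternative Name extension.
    if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
        Write-Warning "Certificate $clean has no SAN extension."
        return
    }
    # DnsNameList is added by the PowerShell certificate provider. Some
    # PowerShell versions also put the subject CN in it, so compare the result
    # with the SAN shown on the certificate's Details tab.
    $cert.DnsNameList | ForEach-Object { $_.Unicode }
}

function Test-SanCoverage {
    # Reports, for each name the clients validate, whether the SAN carries it.
    param(
        [Parameter(Mandatory)] [string[]] $SanDnsNames,
        [Parameter(Mandatory)] [string[]] $ExpectedFqdns
    )

    # DNS names compare case-insensitively; drop a trailing root dot.
    # Wildcard SAN entries are not expanded here.
    $san = @($SanDnsNames | ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() })

    foreach ($fqdn in $ExpectedFqdns) {
        $name  = $fqdn.Trim().TrimEnd('.').ToLowerInvariant()
        $short = $name.Split('.')[0]

        if ($san -contains $name) {
            $status = 'Present'
        }
        elseif ($san -contains $short) {
            # The situation in the thread: host label present, FQDN absent.
            $status = 'ShortNameOnly'
        }
        else {
            $status = 'Missing'
        }

        [pscustomobject]@{ ExpectedName = $fqdn; Status = $status }
    }
}

# Constructed sample: SAN entries as listed in the thread; the FQDNs are assumed.
$sanFromThread = 'mailserver.domain.com', 'nps-server1', 'nps-server2'
$expected      = 'nps-server1.domain.com', 'nps-server2.domain.com'

Test-SanCoverage -SanDnsNames $sanFromThread -ExpectedFqdns $expected |
    Format-Table -AutoSize

# Against a real server (placeholder thumbprint, replace with your own):
# Test-SanCoverage -SanDnsNames (Get-SanDnsNames -Thumbprint '<thumbprint>') -ExpectedFqdns $expected
```

A status of ShortNameOnly means the certificate has to be reissued with the fully qualified names in the SAN.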

Similar Messages

  • Replace Self-Signed FAST Search Certificate with Third Party Certificate

    We are trying to replace the Self-Signed FAST Search Certificate with Third Party Certificate in our SP 2010 environment. And are facing issues while enabling the SSL communication between the FAST servers and the corporate servers.
    Our FAST search servers are in a different farm than that of the Corporate Servers.
    The details of the certificate we received is as follows:
    Issued to : FastSearchCert
    Issued By: Issuer Name
    Valid From: 4/21/2015 to 4/20/2017
    We were able to successfully renew the certificate on the FAST Search Server by following the below steps:
    1. Log in to the Administrative and the Non-Administrative nodes of the FAST server. Go to Windows Services and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on both servers.
    Follow the below steps in the Administrative Node followed by the Non-Administrative Node
    2. Install the certificate in the following paths in the certificate store:
    “Certificates(Local Computer)\Personal”
    “Certificates(Local Computer)\Trusted Root Certification Authorities”
    3. Ensure that the user account configured for the “FAST Search Server 2010 for SharePoint” has access to the private key of the certificate.
    4. Go to the Administrative node of the FAST farm and follow the below steps:
    Go to the certificate store.
    Expand the Personal folder and then click the Certificates folder. Double-click the third party signed FAST certificate.
    Open the Details tab and then click Thumbprint. Note down this thumbprint.
    5. Next, open Microsoft FAST Search Server 2010 for SharePoint with Administrator Privileges.
    6. Navigate to the directory “D:\FASTSearch\installer\scripts” and execute the below command to replace the current certificate with the newly created third party signed FAST certificate.
    .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
    7. The FAST certificate was renewed successfully.
    Once the certificate has been renewed successfully in both the nodes, follow the below step:
    8. Start the FASTSearch for SharePoint and the FAST Search for SharePoint Monitoring services in the administrator server.
    Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the below steps:
    1. Copy the new certificate from any of the FAST servers to all the web-front end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
    2. Also, copy the script ‘SecureFASTSearchConnector.ps1’ from the location “%FASTSearchFolder%\installer\scripts” in the FAST servers to the web-front end and application servers of the corporate farm.
    3. Follow the below steps on each of the servers in the corporate farm:
    Open ‘SharePoint 2010 Management Shell’ with administrator privileges and navigate to the directory in which the ‘SecureFASTSearchConnector.ps1’ script is located.
    And then, execute the below command:
    .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" –ssaName “FASTCibtebtSSA” –username “DOMAIN\SP_Farm”
    Where,
    -certThumbprint – Thumbprint of the certificate
    -ssaName – FAST Content SSA
    -username – The account configured to run the SharePoint Search Service
    On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
    Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
    Any help is much appreciated.

    Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
    In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
    Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
    TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
    TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
    TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
    Restarted apache2.
    www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

  • Third party Certificate not showing up in SQL configuration manager drop down box

    Hi,
    I have an SQL instance that needs to use a third party SSL certificate for all communications to that SQL instance. I have installed my third party certificate via MMC and it is showing under the Personal Folder.
    However, when I go into the SQL Configuration Manager and right-click the instance name > Properties > Certificates, it is not showing in the drop-down box.
    I am currently using MS SQL Server 2008 R2, which is installed on Windows Server 2012. 

    Hi,
    If the certificate cannot be used for SQL Server, it will not be visible in SQL Configuration Manager. Check the validity of the installed certificate. It may not have the correct DNS name.
    I suggest you request a new third party certificate from the vendor with the correct DNS name. Install it on the SQL Server environment, then you should see the certificate in the Configuration Manager dropdown box.
    Thanks.
    Tracy Cai
    TechNet Community Support

  • Certificate signature validation failed

    Hi!
    I'm going nuts over how to get Active Directory to work with Java.
    I have a root certificate for the domain (supposed to work for everything according to our networking expert) but when using it I get: "Certificate signature validation failed".
    When looking in C:\ on the ADS I find another certificate but then my Java program says: "No trusted certificate found".
    So, now after much searching where I seem to find everything but what I'm looking for, I have to ask: What should I be looking for? Hopefully when looking for the right thing I will find the answers. :-)
    Thank you very much in advance
    Roland Carlsson

    Please! Anyone? How can I get a correct certificate from our ADS? The certificate server is on our Exchange server. I have a certificate that is supposed to work all over the domain and I have checked several other certificates that I found on our servers but I still haven't found anything that works.
    I would really like to get some ideas about where and how to find the working one.
    Thanks in advance
    Roland

  • Install third party certificate on MAC os X

    Hello,
    I have installed Leopard 10.5.X on my machine. I am a newbie on Mac and want to install an intermediate certificate for my domain from DigiCert. I have registered with DigiCert. Please help me with how I can install it on the machine. I also need to create a new certificate, but when I tried to add it, it shows an error message like this.
    "There are no valid root or intermediate certificate authorities available to sign certificates. Use the "create certificate Authority" option to create a certificate authority."
    Can anybody please tell me what the next step should be?
    And how can I install a third party certificate?
    Thanks in advance.

    There is a product called VolumeWorks that is supposed to do this. I looked at the demo, but I could not get it to see the extra space so I ended up backing it all up and erasing the Raid and doing a block copy with Carbon Copy Cloner.

  • Exchange Server 2010 Edge Transport Subscription Issue while moving Internal CA Certificate to 3rd Party Certificate

    My client has an Exchange 2010 organization with a single domain and single forest.
    They were using an internal CA certificate and a TLS cert.
    We are doing a POC for an Exchange 2010 Hybrid Office 365 environment.
    For this a 3rd party CA is mandatory and they have bought a GeoTrust certificate.
    Now that they have installed the cert on both HUB and EDGE servers, he was prompted to do the edge subscription again.
    HUB and CAS are combined on the server at both the Main and DR sites.
    When they try to do the edge subscription again they are getting the following error.
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

    I was looking for the solution and got this.
    1-Certificate will be imported on both EDGE and HUB servers.
    2-Edge Sync will use a self-signed certificate (but I am unable to find how to configure this)
    3-Some communication between Edge and Hub will be encrypted via the 3rd party certificate.
    Could anyone suggest which services on HUB must be based on this 3rd party cert?
    All the external communication must be encrypted via the 3rd party CA and communication between HUB and EDGE will be set on the self-signed cert. How do I do this?
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

    Hi,
    Please run Get-ExchangeCertificate | fl to check your Exchange certificate settings. Also confirm if the 5E470560626E313646730C177FCA66728E2BAFF7 certificate is your trusted 3rd party cert.
    Please use Enable-ExchangeCertificate cmdlet to assign SMTP service to your self-signed certificate in your Edge server.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Third Party Certificate, 802.1X and Intermediate Certificate

    Hi Guys,
    Quick question:
    Have 802.1x set up with a Windows Radius server. Installed a GoDaddy certificate which came with an intermediate root certificate.
    I would like clients to validate the certificate to connect to the 802.1x.
    Question: Do I need to roll out the intermediate root certificate to all Windows devices (laptops) to validate the GoDaddy certificate that's presented to the wireless clients? The trusted root on the intermediate root certificate is already installed on Windows desktops.
    Thanks

    Hi,
    1. When you deploy 802.1X authenticated wired access that uses smart cards or other digital certificates for client authentication, you must deploy a private CA on your network by using AD CS.
    2. Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
    Advantages:
    Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
    Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
    Disadvantages:
    This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
    Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
    The related KB:
    PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
    http://technet.microsoft.com/zh-cn/library/dd348500(v=ws.10).aspx
    EAP-TLS-based Authenticated Wired Access Design
    http://technet.microsoft.com/zh-cn/library/dd378869(v=ws.10).aspx
    Hope this helps.

  • WLC526 third party certificate?

    Hi!
    Is it possible to install a third party certificate on the WLC526 Controller?
    Would be great for Web Authentication for my Guest Wlan!
    Thankx
    David


  • Farm member not using 3rd party certificate

    I have a Microsoft Server 2008 R2 RDS farm using a broker and NLB farm nodes.
    On the farm member node (not the broker), I opened the “Remote Desktop Session Host Configuration” tool, selected “member of farm RD Connection Broker” and in the “general” tab under the “certificate” section I clicked “select” and picked the 3rd party certificate.
    This is a Farm member. When I use a rdp client to go to farmName.domain.com I get a pop up with a certificate error and it shows the certificate as serverName.domain.com and not the name in the “farm” certificate.
    How can I troubleshoot this issue.

    Hi,
    Initially it seems the certificate is not from a valid trusted authority. So please check the trusted authority. Apart from that, there is a mismatch between the certificate name and the server name.
    The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
    If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. 
    The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
    In addition, please check the article below for reference.
    Configuring Remote Desktop certificates
    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • 3rd party certificate on WiSM controllers

    Hi,
    On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
    The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
    So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
    We have an external DNS-record which resolves the company URL to 1.1.1.1.
    I see a possible solution, if the URL of the Internal (default) URL can be changed to https://guest.companyname.com/login.html because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
    The controllers run 7.0.230.0 software as well as the WLC.
    Hope someone has the simple answer to this???

    Putting 1.1.1.1 (VIP address) is a test to bypass the certificate. It is pretty simple, if you have done it a hundred times. But to start off from the basics, make sure that the user is being anchored to the guest WLC. You should see an entry of the client on the guest anchor and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state. If you don't, then I can see why the 3rd party certificate is not working. So you should see the client on the foreign and the anchor WLC. Make sure of this first.
    Did you not restart the anchors when you put in the FQDN in the VIP?
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Generate CSR for Third-Party Certificates

    Hi All,
    I have an issue when I try to generate a CSR for third-party certificates.
    I followed the Cisco document step by step until this step:
    3. Now that your CSR is ready, copy and paste the CSR information into any CA enrollment tool.
    In order to copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters. Cisco recommends that you use Microsoft Notepad or UNIX vi. Refer to the website of the third-party CA for more information on how to submit the CSR through the enrollment tool.
    After you submit the CSR to the third-party CA, the third-party CA digitally signs the certificate and sends back the signed certificate via e-mail.
    4. Copy the signed certificate information that you receive back from the CA into a file.
    This example names the file CA.pem.
    My issue is where I should copy and paste the CSR information into any CA enrollment tool. I have just created mykey.pem and myreq.pem in my folder OpenSSL\bin.
    Please help and Thanks you.
    Regards,
    Jasa

    You have to do more steps using openssl.
    Before you obtain the third-party certificate, you have to copy that on a notepad text, and you have to obtain an intermediate and root certificate from the company that gives you the certificate.
    Then you have to copy and paste on a notepad or gedit:
    SSL (the certificate that they give you)
    Intermediate (the certificate that you obtain from the company that gives you the certificate)
    Root (the certificate that you obtain from the company that gives you the certificate)
    Name the text file like: allcerts.pem
    Then you have to run these commands:
    C:\OpenSSL\bin>openssl pkcs12 -export -in allcerts.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassword
    C:\OpenSSL\bin>openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:yourpassword -passout pass:yourpassword
    Then you are going to have a file named finalcert.pem; that's the one you have to update to the WLC. Please note that on those lines "yourpassword" is the password you use when you create the certificate and it's going to be the same one that you have to use for upload to the WLC.
    Note that you have to use openssl version 0.9.8 because it's the only version that the WLC supports.
    If you have doubts please contact me.
    Have fun!

  • Error While importing third party certificate

    Hi,
    In my application I'm using HTTPS for secure connectivity. For that purpose I signed my midlet using a third party certificate (GoDaddy's certificate). But when I'm hitting the URL it is not working.
    I've done this by generating my own certificate with Tomcat. It is working fine there. I followed the following topic to create a certificate for Tomcat:
    http://143.129.203.3/s/sitter/sl2nap/javaSSLprogr.htm
    But when I'm hitting some live URL then it is not working!
    Please provide me proper help if possible.
    Thanks in advance


  • Third party certificate and mobility express 526

    Hi!
    I want to get rid of the certificate warning for my guest users using web authentication. With my 2100 controller I have the option to upload a trusted certificate but can't find anything on this controller.
    Is it even possible on this controller?

    Hello,
    Kindly note that the mobility express 526 controller has limited features and does not support 3rd party certificates.
    You can refer to this link for supported features on this model.
    http://www.cisco.com/en/US/docs/wireless/controller/526/1.5/configuration/guide/A3_feature_list.html
    Hope this answers your question.
    Best regards
    Talal
    ===
    Don't forget to rate answers that you find useful

  • Code signing with 3rd-party certificate fails

    Hello everybody !
    I'm about to sign an app written in Xojo on OS X 10.10 with a class-2 code object certificate issued by StartSSL. On Windows this is working fine, but signing on OS X leads to the "app from an unknown developer" message.
    For signing I'm using the codesign utility:
    codesign -s "Mario Hammer" -f -v "My App.app"
    or codesign -s "Mario Hammer" --deep -f -v "My App.app"
    It returns "signed bundle with Mach-O thin (i386) [com.mariohammer.testapp]".
    Signature checking with spctl --verbose=4 --assess --type execute "My App.app" returns 'My App.app: rejected'.
    And codesign -dv "My App.app" returns this:
    Executable=/Users/mario/Desktop/Test/My App.app/Contents/MacOS/My App
    Identifier=com.mariohammer.testapp
    Format=bundle with Mach-O thin (i386)
    CodeDirectory v=20100 size=67752 flags=0x0(none) hashes=3381+3 location=embedded
    Signature size=5893
    Signed Time=05.11.2014 15:51:59
    Info.plist entries=13
    TeamIdentifier=not set
    Sealed Resources version=2 rules=12 files=22
    Internal requirements count=1 size=100
    I have also tried to manually sign each file within "My App.app", but same result.
    I'm not sure where to look at fixing this. Any help is highly appreciated.
    Looking at my key chain, I have a key chain "Anmeldung" (not sure how this is labelled in English) that contains my private key and my certificate (as two separate entries, key is listed first). Clicking "Information" shows my cert with "Certificate is valid" and a green sign.
    Using the certificate assistant to verify my certificate, it shows "Checking state: No root certificate found" and "Certificate condition: Good".
    The root certificate however is there (the intermediate certificate "StartCom Class 2 Primary Intermediate Object CA" is in my "Anmeldung" keychain and the root certificate "StartCom Certification Authority" is on my "Anmeldung" key chain as well as on "System" pre-installed (cannot change anything there).
    Any help you can provide me with is highly appreciated.
    Sincerely,
    Marco.

    There is no special reason. But since I don't intend to sell over the AppStore and I already have that membership at StartSSL (server and e-mail certificates), I thought I can save $99 registration fee for the Apple Developer Program.
    So I appreciate any help. :-) Even if it just means that I need to buy the Apple membership, too... but I want to get rid of this annoying and trust-stealing "app not from a certified developer" message.

  • SSL with third party certificate

    Hi All,
    I followed the configuration mentioned in the white paper
    Oracle Forms Services 10g: Configuring Transport Layer Security with SSL An Oracle White Paper July 2005 (frm10gss.pdf). That is working fine.
    I have a third party certificate (file format - .der, I got .cer from that).
    With this certificate I need to configure the Application Server 10g. For this certificate I didn't create a certificate request and send it to the third party.
    In the steps mentioned in frm10gss.pdf, where do I have to make changes to include the third party certificate and not use the default Oracle OCA certificate? Or how can I configure SSL with that certificate?
    Any suggestions please…

