ACE multi domain SSL certificate

Similar Messages

• REDUNDANT ACE 20 WITH SSL CERTIFICATE

  Hi
  I have an ACE 20 redundant infrastructure (Active-Standby),and  it´s needed to implement a secure aplication with SSL certificate.
  The question I have is, for this solution is neccesary to generate a digital certificate and key  for each ACE module? and, It´s is possible to use the same certificate and key in both ACE modules?
  Thanks for your help.
  Regards

  Ricardo,
  You can just the same certificates for both devices.
  Jorge

• Java and multi-domain certificates

  Hi, I tried using a so called MDC or multi-domain certificate with my Java application but when connecting with a webbrowser I get the following error in Firefox (Internet Explorer gives a similar error but provides less info) :
  "The certificate is only valid for www.somedomain.com%2Csub1.somedomain.com%2Csub2.somedomain.com%2C"
  I assume the %2C should be commas or at least have been interpreted as commas.
  My question, was this certificated created wrong or does Java not support this type of certificate?

  I doubt it is a Java issue. If your SSL handshake is reaching the stage where the server sends its certificate to your browser, then the server is already satisfied with its own certificate. I doubt the server pays much attention to the subject name or any of the subject alternative names of its own certificate. And the server cannot change any of the fields of this certificate, so what it is sending the browser is exactly what you got back from the CA.
  You say you did not create the certificate, but you almost certainly created almost all the fields of the certificate by creating something called a certificate signing request. This is what you give to the CA. The CA uses this to populate the fields of a certificate that it signs and gives back to you.

• How to install SSL certificate on the second ACE in the HA pair

  Hi,
  I'm struggling to figure out how to install a certificate (.p7b and .crf) on my second ACE in a HA pair.
  On ACE01 i generated a CSR and gave the details to our SSL provider, they provided the certificates and i imported them. All good there.
  How can i install the same SSL on ACE02 if i haven't generated a CSR on my backup devicde, or do i generate a CSR and import the same certificate?
  Since bringing the ACE's into HA all contexts have sync'd and the backup ACE is in 'hot standby' state. But one context fails the sync and i think this is because the SSL certificate is not installed correctly on the second ACE02.
  Anybody got any ideas, suggestions?
  Cheers

  Hi,
  If you already have the cert and key on the Active ACE, then you just need to export them using "crypto export ..." command from Active ACE and then import to the standby ACE using "crypto import ..."
  Regards,
  Siva

• SSL Certificates Update Error in ACE 4710

  Hi,
  I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
  I tried importing the certificate to the repository and change the SSL proxy likewise to use the new certificate. but still the new certificate with new CN is not recognised by the clients. they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to policy map.
  but still the new certificate is not used even after a reboot,
  Attaching screenshots and running config. Any help will be appreciated.
  BR//Rajiv

  Ravi,
        Here are the procedures for updating your certificate on the ACE. 
  1) Create New RSA Key
  2) Create CSR
  3) Send CSR to CA authority for a new certificate
  4) Import Certificate into the ACE
  5) Change the ssl-proxy to use the new Certificate and Key
  6) Remove the SSL-Proxy from the policy map and reapply
  Now if you created the CSR on a different box, you will need to import both the RSA key are the certificate.  Another thing you should be aware of is a possible change in the Root and intermediate certicates that are used by the CA.  In your configuration, you have
  crypto chaingroup iotms-chain-gr-1
    cert inter-root-new
  Is the the correct certificates for your cert?  If so, it seems odd that there is only on certificate in the Chaingroup.  Most CAs use an intermediate and and a root certificate. 
  Verify that you have the correct chaingroup (with the correct root and intermediate certificates). 

• SSL Certificates issues on ACE module

  Hi,
  SSL certificate and keys are not been transfered from active to standby automaticaaly, could anyone tell me why is this happening and what needs to be done.
  Thanks
  Neha

  Hi Neha,
  Yes - unless you are running the 2.2 version of ACE software - which is intended for really large configurations then there is no bulk certificate/key import process.
  Whatever you did to import the certificates/keys on your active configs you'll need to do on the standby configs.
  Note, by having missing files, replication will have been stopped.
  Cathy

• Is it possible to use single ssl certificate for multiple server farm with different FQDN?

  Hi
  We generated the CSR request for versign secure site pro certificate
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  SSL Certificate for cn=abc.com   considering abc.com as our major domain. now we have servers in this domain like    www.abc.com,   a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
  And the same message when trying to access https://www.abc.com from Google Chrome.
  "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
  so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
  Now my question is
  1. Is is possible to  remove above errors doing some ssl configuration on ACE?
  2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate  for CSR generated uisng cn =abc.com to be installed on ACE  and will be used  for all servers like  www.abc.com , a.abc.com etc..
  Thanks
  Waliullah

  If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't beause your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
  Hope this helps,
  Sean

• What's the difference with SSL Certificates?

  Hi,
  I need to get an SSL Certificate for my client's online
  store. There are so
  many choices out there ranging from stupidly expensive, down
  to suspiciously
  cheap.
  Can anyone help me sort through the mob and recommend
  something that is
  trustworthy, secure and cheap.
  I'm happy to buy globally, but I'd prefer either a true
  multi-national, or
  an Australian company.
  Thanks,
  B

  Which certificate you choose depends on your intended use for
  the cert. The cheap ones (US $20/year and up) simply assure that
  you control the domain in question. The certificate agency sends an
  email to the administrative contact specified in the domain's Whois
  listing. If they get the appropriate response, the certificate is
  issued. If all you are out to do is establish SSL connections to a
  web site to prevent eavesdropping, this type of certificate is
  fine. There is no difference in the level of security between these
  certificates and fancier offerings as long as both the cert and
  your web server support 256 bit encryption. You can also get a
  certificate that is valid for up to 10 years, so you won't have to
  worry about SSL for a long time. The cheap certificates are not
  recommended for online commerce, as there is no assurance you are
  an actual company. If you go this route, getting a certificate from
  an outfit that supports single root verification greatly eases
  installation on your server. (Translation from geek: A single root
  certificate is inherently trusted by all major browsers. Companies
  such as RapidSSL (cheap), Geotrust and Thawte (not so cheap), and
  Verisign (expensive) all own their root certificates. Many other
  certificate agencies require installing a chain of certificates on
  your server that point back to the trusted root certificate. Use
  Firefox to test your SSL site, as it has the most comprehensive
  certificate validation routines.)
  The next step up are the high assurance certificates. These
  require you to prove that you own or represent the company whose
  domain you are getting a certificate for. The price for these
  certificates ranges from US$100/year to ~$400. The certificate
  company will perform a search on your business or organization, and
  you may be required to submit supporting documentation to prove you
  are who you claim to be. The more expensive flavors of these certs
  usually offer larger guarantees against credit card fraud resulting
  from certificate misuse. These certificates are valid for up to 3
  years.
  Finally, there are the new extended validation certificates.
  These require an in-depth evaluation of your business, including an
  investigation into the overall legitimacy of your corporation.
  Government agencies also qualify. Sole proprietorships and and
  general partnerships are not eligible, although the CA/B says they
  may be in the future. Get one of these and IE users can see the
  navigation bar turn a trustworthy green color. There is also a
  large amount of green involved in purchasing one of these
  certificates, ranging from US$500/year from the cheapie outfits to
  $900/year from Thawte to $1500 per year from Verisign.
  No matter which option you pursue, there are a couple of
  points to be aware of. First, choose a vendor that offers free
  certificate replacement. This protects you in case a change in
  hosting provider or web server invalidates your existing
  certificate. Also, a normal certificate is very specific in terms
  of which domain it supports. For example, a certificate for
  www.domain.com does not work for mail.domain.com, ftp.domain.com,
  or even domain.com. If this is important to you, you can either
  purchase multiple certificates or a wildcard certificate that
  supports any number of subdomains. Wildcard cert prices are
  typically 4-5x higher than for a single cert. Finally, many cert
  companies offer verification seals that you can add to your SSL web
  pages. These allow your clients to click or hover over the seal to
  get a quick verification that your site certificate comes from a
  recognizable brand. Useful, perhaps, if you want to brag that "I
  care enough to purchase certs from Thawte, Network Solutions,
  Geotrust, et. al." or "I'm a penny-pincher and use GoDaddy!"

• Cisco ASA 5505 and comodo SSL certificate

  Hey All,
  I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
  Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
  On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
  What am I missing here? I can post config if anyone needs it.
  (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

  It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
  ASA Version 9.0(2)
  hostname MyDomain-firewall-1
  domain-name MyDomain.com
  enable password omitted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd omitted
  names
  name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
  name 10.200.0.0 MyDomain_New_IP description MyDomain_New
  name 10.100.0.0 MyDomain-Old description Inside_Old
  name XXX.XXX.XX.XX Provider description Provider_Wireless
  name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
  name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
  ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
  ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address Cisco_ASA_5505 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address Provider 255.255.255.252
  boot system disk0:/asa902-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.0.3.21
  domain-name MyDomain.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network MyDomain-Employee
  subnet 192.168.208.0 255.255.255.0
  description MyDomain-Employee
  object-group network Inside-all
  description All Networks
  network-object MyDomain-Old 255.255.254.0
  network-object MyDomain_New_IP 255.255.192.0
  network-object host MyDomain-Inside
  access-list inside_access_in extended permit ip any4 any4
  access-list split-tunnel standard permit host 10.0.13.1
  pager lines 24
  logging enable
  logging buffered errors
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-712.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
  route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
  route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
  route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  action terminate
  dynamic-access-policy-record "Network Access Policy Allow VPN"
  description "Must have the Network Access Policy Enabled to get VPN access"
  aaa-server LDAP_Group protocol ldap
  aaa-server LDAP_Group (inside) host 10.0.3.21
  ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
  server-type microsoft
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http MyDomain_New_IP 255.255.192.0 inside
  http redirect outside 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  no validation-usage
  no accept-subordinates
  no id-cert-issuer
  crl configure
  crypto ca trustpoint VPN
  enrollment terminal
  fqdn vpn.mydomain.com
  subject-name CN=vpn.mydomain.com,OU=IT
  keypair vpn.mydomain.com
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpool policy
  crypto ca server
  shutdown
  crypto ca certificate chain LOCAL-CA-SERVER
  certificate ca 01
      omitted
    quit
  crypto ca certificate chain VPN
  certificate
      omitted
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate ca
      omitted
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint VPN
  telnet timeout 5
  ssh MyDomain_New_IP 255.255.192.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  dynamic-filter updater-client enable
  dynamic-filter use-database
  dynamic-filter enable
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
  ssl trust-point VPN outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
  anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
  anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
  anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value MyDomain.com
  group-policy MyDomain-Employee internal
  group-policy MyDomain-Employee attributes
  wins-server none
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value MyDomain.com
  webvpn
    anyconnect profiles value MyDomain-employee type user
  username MyDomainadmin password omitted encrypted privilege 15
  tunnel-group MyDomain-Employee type remote-access
  tunnel-group MyDomain-Employee general-attributes
  address-pool MyDomain-Employee-Pool
  authentication-server-group LDAP_Group LOCAL
  default-group-policy MyDomain-Employee
  tunnel-group MyDomain-Employee webvpn-attributes
  group-alias MyDomain-Employee enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
  : end
  asdm image disk0:/asdm-712.bin
  asdm location MyDomain_New_IP 255.255.192.0 inside
  asdm location MyDomain-Inside 255.255.255.255 inside
  asdm location MyDomain-Old 255.255.254.0 inside
  no asdm history enable

• Is there a way to change the CSR for install SSL Certificate for CCMADMIN

  HI there,
  Our customer want a solution for the https failure on CCMAdmin and CCMUser sites.
  For that, I have exported a csr to buy a ssl certificate from verisign.
  The problem is the csr includes fqdn an not just the servername
  But the users just have to type in the servername to reach the server.
  Is there a way to export a csr which include as common name only the server name without changing the domain settings in the cucm?
  thanks
  Marco

  Hi
  You can go to the server via SSH, and enter the 'set web-security' command with the alternate-host-name parameter:
  Command Syntax
  set web-security orgunit orgname locality state country alternate-host-name
  Parameters
  • orgunit represents the organizational unit.
  • orgname represents the organizational name.
  • locality represents the organization location.
  • state represents the organization state.
  • country represents the organization country.
  • alternate-host-name (optional) specifies an alternate name for the host when you generate a
  web-server (Tomcat) certificate.
  Note When you set an alternate-host-name parameter with the set web-security command,
  self-signed certificates for tomcat will contain the Subject Alternate Name extension with
  the alternate-host-name specified. CSR for Cisco Unified Communications Manager will
  contain Subject Alternate Name Extension with the alternate host name included in the CSR.
  Typically you would still use an FQDN, but a less specific one (e.g. ccm.company.com)...
  Regards
  Aaron
  Please rate helpful posts...

• How to install SSL certificate on Mac OS X 10.8.3 Server 2.2

  Hi,
  In eairler versions of !0.8 / OS X Server 2.2 your where able to install a purchased SSl certificate in the
  Hardware >> Profile Manager Server >> Settings >> SSL Certificate Edit
  I've just done a clean install of 10.8.3 and OS X Server 2.2 but there is no  "SSL Certificate Edit" available.
  How do I install my purchased certificate?
  Thanks,
  John

  sorry for hijacking but I have a related question to do with certificates.
  I had to set up virtual domains manually instead of through the GUI and the server ssl site is now locked to a certificate that is about to expire and no longer needed, I can't change the certificate in the web gui because it was created manually, I can't delete the certificate because it is assigned to the server ssl website and I can't manually edit the conf files to point to a different certificate becasue it breaks it, any ideas?

• Cannot display images after updating SSL certificate

  Hello All,
  With the changes in SSL certificates (no support for .local domains in public certificates), I had to update the SSL certificate used for our Exchange 2010 Server.  We are a small organization with a single server running Exchange Server 2010. 
  There were some articles about how to change the URL's within Exchange to use the public (not .local) domain names.  We followed these instructions and now, when a user using Outlook sends an e-mail with an image embedded to other users in the domain,
  they see a placeholder for the graphic with the text "The linked image cannot be displayed.  The file may have been moved, renamed, or deleted.  Verify that the link points to the correct file and location." .  This is causing a great
  deal of concern to the users and I cannot find anything on how to fix or even troubleshoot this issue.  Any assistance will be greatly appreciated.
  Thanks in advance,
  Allen
  Long time IT professional always learning the new stuff! Thank you for your assistance.

  Hi,
  According to your post, I understand that client face an problem “The linked image cannot be displayed.  The file may have been moved, renamed, or deleted.  Verify that the link points to the correct file and location” after change SSL certificate.
  If I misunderstand your concern, please do not hesitate to let me know.
  Do you see the "page cannot be displayed" error only from your DC server or also from a Windows 7 client machine? What browser do you use and what version?
  Please run “certutil –store” command from a command to verify that the certificate is correctly installed in the certificate store. Also run “certutil -store my” to check the certificate from CA.
  If the certificate is already installed, please refer to below link to check the value of Cache in registry:
  https://support.microsoft.com/en-us/kb/2753594
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Allen Wang
  TechNet Community Support

• Multi-Domain LDAP UME configuration

  Hello
  We have EP 7.0 installed and want to connect the UME to our Corporate
  LDAP (MSADS) as data source.
  Our ADS is as follows:
  domain.pt u2013 This is our top level domain. Here we have our main users.
  Gs.domain.pt u2013 This is a child domain of ren.pt. Here are some special
  users that cannot be moved to domain.pt level (because of this we have to
  use multi-domain configuration)
  According to some documents Step 2 of Note 762419 - Multi-Domain Logon
  Using Microsoft Active Directory this configuration as to be done
  according to a Multiple-Domain UME LDAP Configuration.
  Following is is my configuration of LDAP access:
  I have set the u201CUME LDAP Datau201D in Config Tool to point to
  the u201CdataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xmlu201D configuration file that has been previously change by me following previous documents. The xml is is the end of the message
  Also in the u201CUME LDAP Datau201D (Directory Server) I have defined the following settings:
  Server Name: dc01.domain.pt (This is the DC of domain.pt)
  Server port: 389
  User: j2ee-pp3 @domain.pt
  Pass: ******* (ok on all configuration tests and authentication)
  SSL: NO.
  User Path: DC=domain,DC=pt
  Group Path: DC=domain,DC=pt
  Checked the u201CFlat User Group Hierarchyu201D.
  Checked the u201CUse UME Unique id with unique LDAP Attributeu201D.
  At u201CAdditional LDAP Propertiesu201D I have set the properties of
  ume.ldap.unique_user_attribute(global) and
  ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
  done according to the Multi-Domain configuration.
  Also ume.ldap.access.multidomain.enabled=true was set the property
  sheet of the UME service. After this all checks are ok including in
  User Administration in Portal.
  Conclusion: We have no problem with SSO and search capabilities
  at u201Cdomain.ptu201D level. All users of this domain are able to access the
  portal with SSO.
  Nevertheless no user from u201Cgs.domain.ptu201D is able to logon. Additionally,
  using User Admninistration in Portal with option u201CAll Data Sourcesu201D
  returns no results when searching for users from this child domain. It
  seems the the configuration file does not recognize gs.domain.pt.
  Is it possible that our xml file is incorrectly adapted? Is there any
  missing or wrong configuration for multi-domain LDAP access? Please
  advice.
  Thanks in advance
  dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
  <!DOCTYPE dataSources SYSTEM  "dataSourceConfiguration.dtd">
  <dataSources>
      <dataSource id="PRIVATE_DATASOURCE"
                  className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                  isReadonly="false"
                  isPrimary="true">
          <homeFor>
              <principals>
                   <principal type="group"/>
                   <principal type="user"/>
                   <principal type="account"/>
                  <principal type="team"/>
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </homeFor>
          <notHomeFor/>
          <responsibleFor>
              <principals>
                   <principal type="group"/>
                   <principal type="user"/>
                   <principal type="account"/>
                  <principal type="team"/>
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </responsibleFor>
          <privateSection>
          </privateSection>
      </dataSource>
       <dataSource id="CORP_LDAP"
                 className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                 isReadonly="true"
                 isPrimary="true">
            <homeFor/>
            <responsibleFor>
                      <principal type="account">
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                          <attribute name="j_user"/>
                                          <attribute name="j_password"/>
                                          <attribute name="userid"/>
                                          <attribute name="logonalias"/>
                                     </attributes>
                                </nameSpace>
                      </principal>
                      <principal type="user">
                           <nameSpaces>
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                          <attribute name="firstname" populateInitially="true"/>
                                          <attribute name="displayname" populateInitially="true"/>
                                          <attribute name="lastname" populateInitially="true"/>
                                          <attribute name="fax"/>
                                          <attribute name="email" populateInitially="true"/>
                                          <attribute name="email"/>
                                          <attribute name="title"/>
                                          <attribute name="department"/>
                                          <attribute name="description"/>
                                          <attribute name="mobile"/>
                                          <attribute name="telephone"/>
                                          <attribute name="streetaddress"/>
                                          <attribute name="uniquename" populateInitially="true"/>
                                          <attribute name="krb5principalname"/>
                                          <attribute name="kpnprefix"/>
                                          <attribute name="dn"/>
                                     </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.usermanagement.relation">
                                     <attributes>
                                          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                     </attributes>
                                </nameSpace>
                                <nameSpace name="$usermapping$">
                                        <attributes>
                                             <attribute name="REFERENCE_SYSTEM_USER"/>
                                        </attributes>
                                   </nameSpace>
                           </nameSpaces>
                      </principal>
                      <principal type="group">
                           <nameSpaces>
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                           <attribute name="displayname" populateInitially="true"/>
                                           <attribute name="description" populateInitially="true"/>
                                           <attribute name="uniquename"/>
                                      </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.usermanagement.relation">
                                     <attributes>
                                           <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
                                           <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                     </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.bridge">
                                     <attributes>
                                          <attribute name="dn"/>
                                     </attributes>
                                </nameSpace>
                           </nameSpaces>
                      </principal>
            </responsibleFor>
            <attributeMapping>
                 <principals>
                      <principal type="account">
                           <nameSpaces>
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                          <attribute name="domain_j_user">
                                               <physicalAttribute name="samaccountname"/>
                                          </attribute>
                                          <attribute name="j_user">
                                               <physicalAttribute name="userprincipalname"/>
                                          <attribute name="logonalias">
                                               <physicalAttribute name="userprincipalname"/>
                                          </attribute>
                                          <attribute name="j_password">
                                               <physicalAttribute name="unicodepwd"/>
                                          </attribute>
                                          <attribute name="userid">
                                               <physicalAttribute name="null"/>
                                          </attribute>
                                     </attributes>
                                </nameSpace>
                           </nameSpaces>
                      </principal>
                      <principal type="user">
                           <nameSpaces>
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                          <attribute name="firstname">
                                               <physicalAttribute name="givenname"/>
                                          </attribute>
                                          <attribute name="displayname">
                                               <physicalAttribute name="displayname"/>
                                          </attribute>
                                          <attribute name="lastname">
                                               <physicalAttribute name="sn"/>
                                          </attribute>
                                          <attribute name="fax">
                                               <physicalAttribute name="facsimiletelephonenumber"/>
                                          </attribute>
                                          <attribute name="uniquename">
                                               <physicalAttribute name="userprincipalname"/>
                                          </attribute>
                                          <attribute name="loginid">
                                               <physicalAttribute name="null"/>
                                          </attribute>
                                          <attribute name="email">
                                               <physicalAttribute name="mail"/>
                                          </attribute>
                                          <attribute name="mobile">
                                               <physicalAttribute name="mobile"/>
                                          </attribute>
                                          <attribute name="telephone">
                                               <physicalAttribute name="telephonenumber"/>
                                          </attribute>
                                          <attribute name="department">
                                               <physicalAttribute name="ou"/>
                                          </attribute>
                                          <attribute name="description">
                                               <physicalAttribute name="description"/>
                                          </attribute>
                                          <attribute name="streetaddress">
                                               <physicalAttribute name="postaladdress"/>
                                          </attribute>
                                          <attribute name="pobox">
                                               <physicalAttribute name="postofficebox"/>
                                          </attribute>
                                    <attribute name="krb5principalname">
                                      <physicalAttribute name="userprincipalname"/>
                                  </attribute>
                                    <attribute name="kpnprefix">
                                      <physicalAttribute name="samaccountname"/>
                                  </attribute>
                                          <attribute name="dn">
                                               <physicalAttribute name="distinguishedname"/>
                                          </attribute>
                                       </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.usermanagement.relation">
                                     <attributes>
                                          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                               <physicalAttribute name="null"/>
                                          </attribute>
                                     </attributes>
                                </nameSpace>
                                <nameSpace name="$usermapping$">
                                        <attributes>
                                             <attribute name="REFERENCE_SYSTEM_USER">
                                                  <physicalAttribute name="sapusername"/>
                                             </attribute>
                                        </attributes>
                                   </nameSpace>
                           </nameSpaces>
                      </principal>
                      <principal type="group">
                           <nameSpaces>
                                <nameSpace name="com.sap.security.core.usermanagement">
                                     <attributes>
                                           <attribute name="displayname">
                                                <physicalAttribute name="displayname"/>
                                           </attribute>
                                           <attribute name="description">
                                                <physicalAttribute name="description"/>
                                           </attribute>
                                           <attribute name="uniquename" populateInitially="true">
                                                <physicalAttribute name="ou"/>
                                           </attribute>
                                      </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.usermanagement.relation">
                                     <attributes>
                                           <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
                                                <physicalAttribute name="null"/>
                                           </attribute>
                                           <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                                <physicalAttribute name="null"/>
                                           </attribute>
                                      </attributes>
                                </nameSpace>
                                <nameSpace name="com.sap.security.core.bridge">
                                     <attributes>
                                          <attribute name="dn">
                                               <physicalAttribute name="null"/>
                                          </attribute>
                                     </attributes>
                                </nameSpace>
                           </nameSpaces>
                      </principal>
                 </principals>
            </attributeMapping>
            <privateSection>
                 <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
                 <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
                 <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                 <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
                 <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
                 <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
                 <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                 <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
                 <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
                 <ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
                 <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                 <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
                 <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                 <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
                 <ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
                 <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
                 <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
                 <ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
                 <ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
                      <ume.ldap.access.domain_mapping>
                      [DOMAIN_PT;DC=domain,DC=pt]
                      [GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
                      [gs;DC=DC=gs,DC=domain,DC=pt]
                      [domain;DC=pt]
                      </ume.ldap.access.domain_mapping>
            </privateSection>
       </dataSource>
      </dataSources>
  Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM

  Hi Gaetano
  I tried to set back the "uniqueid" in the XML to samaccountname.
  Also, i changed the spnego to go only to domain.pt (gs.domain.pt is a child domain).
  In the 1st tests this worked perfectly, but we still to do some testings with this config.
  When i get confirmation, ill reply here.
  Thank you.
  PS:. we thought on defining the abap user for each user, but there are a lot of users...
  we'll try this config, and if it doesn't work, probably, thats what we'll do.
  Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
  Everything seams to be working now. setting back the uniqueid to samaccountname and configuring spnego to go to only 1 domain solved the issue.
  I just need to test which change did the trick.
  Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM

• Exchange 2010: How to renew an SSL certificate?

  Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
  from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
  This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
  I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
  has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
  Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  Thank you. 

  -->Can you do a renewal for a certificate before the old one expires? 
  Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
  -->It is actually a renewal, or are you adding a 2nd certificate? 
  You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
  -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  You will have to do it from MMC or EMS. No need to do anything from IIS.
  Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
  1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
  folder
  Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
  2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
  3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
  4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
  5.Delete the old one certificate from MMC.
  From EMS use this command 
  Remove-ExchangeCertificate -Thumbprint <old cert thumprint>
  You can see the the certificate thumprints using Get-ExchangeCertificate command
  MAS. Please dont forget to mark as answer if it helped.

• Error after SSL Certificat update

  I updated the SSL certificate on a Win2003 SP2 server with IIS6.0
  The initial certificat was a single URL certificate and is replaced by a wildcard one.
  After installing the certificate (and it's CA chain) using the mmc I changed the certificate in IIS and configured the SSLBinding using "cscript.exe
  adsutil.vbs".
  The result is an SSL ERROR.
  The CA chain and the certificate are two CRT files.
  Here is the result of the "certutil.exe -store my"
  command :
  C:\Documents and Settings\Administrateur.W2K79>certutil -store my
  ================ Certificat 0 ================
  Numéro de série : 4899717f3b1ba89dedb7c472d575cb01
  Émetteur: CN=Thawte SSL CA, O=Thawte, Inc., C=US
  Objet: CN=*.bourgenbresse.fr, OU=Collectivite, O=COMMUNE DE BOURG EN BRESSE, L=B
  OURG EN BRESSE, S=Ain, C=FR
  Il ne s'agit pas d'un certificat racine
  Hach. cert. (sha1): eb 03 df 43 a8 03 e5 5f b1 52 fc e7 5b a9 0b 0c 19 2a 15 8a
  Aucune information sur le fournisseur de clé
  Pas de propriétés pour le jeu de clé dans le magasin
  ================ Certificat 1 ================
  Numéro de série : 023fcc
  Émetteur: CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US
  Objet: CN=www.portailenfance.bourgenbresse.fr, OU=Domain Control Validated - Qui
  ckSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)11, OU=GT68088061, O=
  www.portailenfance.bourgenbresse.fr, C=FR, SERIALNUMBER=R2RJ3sRPOrW0Q3XZYvvpcP05
  TqodNAru
  Il ne s'agit pas d'un certificat racine
  Hach. cert. (sha1): 12 49 a6 95 9a 67 05 86 d9 a3 64 cb a7 a7 78 ee 6c eb 94 52
    Conteneur de clé = cecd6bee4621365b6e763b9bfcd773cf_b3f7eefb-5c14-4333-a5bb-29
  d40b271698
    Fournisseur = Microsoft RSA SChannel Cryptographic Provider
  Succès du test de cryptage
  CertUtil: -store La commande s'est terminée correctement.
  Please help !

  It seems that the key for the wild card certificate has not been found. The output shows a valid key for the other cert. ("1") but no key information for the wild card cert ("0"). I assume, that when you double-click the certificate in
  the computer's Personal store you don't see the message You have a Private Key...
  (on the bottom of the General tab), right?
  Windows 2003 sometimes needed some extra effort to "connect" key and certificate, in addition to just importing it (I am assuming that you imported it to the machine where you had created the key).
  Check if the command line tool certutil is available. If not, install the W2K3 admin pack (download e.g.
  here).
  Double-click the new server certificate, go to Details...
  Scroll down the list of attributes and locate the Serial Number. Copy the serial number value.
  At the command shell run as a local admin:
  certutil -repairstore my "<Serial Number>"
  If this has been successful you should now see the message You have a Private Key... when double-clicking the certificate.
  Elke