AD FS 3.0 and CNG Certificates

Microsoft announced that they will be deprecating publicly signed SHA1 (non-CNG) certificates on January 1st, 2017, yet are specifically requiring publicly signed non-CNG certificates for use with an AD FS 3.0 (2012 R2) configuration. Does anyone know why Microsoft is doing that? Will AD FS be updated before that date to allow for CNG certificates, or will we be up a creek when we go to try to renew an AD FS SHA1 certificate if it expires after January 1st, 2017?
Microsoft Announcement:
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
AD FS 3.0 Certificate Requirements:
http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

> I am not finding anything in my research to support that the algorithms available for use are independent of the Provider selected.

It depends on a number of factors. If the application uses the built-in hash and signature functions (so the application is not required to implement them), which are implemented in the CryptCreateHash and CryptSignHash functions, then the algorithm is provider-dependent. CryptSignHash must work in conjunction with CryptCreateHash (there is no raw hash support). Otherwise, the provider must either implement its own hashing and signature functions, or implement signature functions which would allow raw hash signing. This is a sort of design limitation, which makes freedom very complex.

When Microsoft designed the CNG architecture, they greatly reviewed the whole design and made it very convenient. They now ship the NCryptSignHash function, which takes a raw hash value as its input parameter. That is, the key provider may not support this particular hash algorithm (for example, one of the GOST algorithms) and will still be able to sign the hash (which is calculated out of band by the application, not by the provider) and use NCryptVerifySignature to verify the signature.

> In what situation could an Issuing CA issue a non-CNG certificate if the Root CA is set up using a CNG provider?

There is no relation between key providers on each CA server, because this information is not shared and is not used anywhere except private key access.

> If a request is submitted using a template that is configured to use a Legacy CSP, but there is not an Issuing CA configured to fulfill that request and available, the request will fail, will it not?

It depends. If the template uses the ECC public key algorithm, the CA server (which handles requests from that template) must support ECC because of internal processing rules and requirements.

This thread is heading off-topic, so I would summarize the initial question:
You can use a legacy CSP for ADFS certificates and it doesn't matter whether the signing CA uses CNG or not. ADFS does support SHA2 signature algorithms, therefore you can utilize SHA2 signatures in your certificates.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
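The answer above separates two things that are easy to conflate: where a certificate's private key is held (legacy CSP versus CNG key storage provider, which is what AD FS 3.0 cares about) and which hash the issuing CA used for the certificate signature (SHA1 versus SHA2, which is what the deprecation policy cares about). The following script is an added example, not code from the thread or from the answerer's PSPKI module, that reports both properties for every certificate with a private key in the local machine store, so an AD FS administrator can see at a glance which certificates are SHA1-signed and which keys are in a legacy CSP. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later and no third-party modules; the store path is a parameter rather than a value from the thread.

```powershell
# Added example (not from the original thread). Reports, per certificate with a
# private key, the key's provider kind (legacy CSP vs CNG KSP) and the signature
# hash the issuing CA used. Assumes Windows PowerShell 5.1 / .NET Framework 4.6+.

function Get-CertKeyAndSignatureInfo {
    [CmdletBinding()]
    param(
        # Store to inspect; AD FS keeps its service communication certificate here.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $providerKind = 'unknown'
        $providerName = $null
        try {
            # GetRSAPrivateKey returns RSACng for keys held by a CNG key storage
            # provider and RSACryptoServiceProvider for keys held by a legacy CSP.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $providerKind = 'CNG KSP'
                $providerName = $key.Key.Provider.Provider
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $providerKind = 'Legacy CSP'
                $providerName = $key.CspKeyContainerInfo.ProviderName
            } elseif ($null -eq $key) {
                $providerKind = 'not RSA (e.g. ECC) or key not accessible'
            }
        } catch {
            # Typical when the running account lacks read permission on the key.
            $providerKind = "error: $($_.Exception.Message)"
        }

        # The signature hash is the issuing CA's choice, independent of the key
        # provider. Note that Thumbprint is always a SHA-1 digest of the encoded
        # certificate and says nothing about the signature algorithm.
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeyProvider   = $providerKind
            ProviderName  = $providerName
            SignatureAlg  = $sigAlg
            Sha1Signature = ($sigAlg -match '^sha1')
        }
    }
}

# Usage: run in an elevated session on the AD FS server; SHA-1 signed certificates
# are listed first so the ones affected by the deprecation stand out.
Get-CertKeyAndSignatureInfo | Sort-Object Sha1Signature -Descending | Format-Table -AutoSize
```

The same two facts can be read without PowerShell from `certutil -store My`, whose output for each certificate includes the `Provider =` line for the private key and the signature algorithm of the certificate. A certificate that shows a legacy CSP provider together with `sha256RSA` is exactly the combination the answer describes as acceptable for AD FS 3.0: CSP-held key, SHA2 signature.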

Similar Messages

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and the Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2
    "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

  • Private key and digital certificate

    I have a keystore. In order to know what it contains, I opened this keystore with this command: keytool -list -keystore DemoIdentity.jks
    and I got:
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    demoidentity, Jan 4, 2007, keyEntry, // is it called private key ?
    Certificate fingerprint (MD5): 60:42:75:33:31:AA:9A:C6:9D:1A:CD:9F:22:8D:4A:6A // is it called certificate ?
    Question :
    I still don't understand what a keystore contains. Does it contain "private key" + "digital certificate"?
    If so, what are the private keys and digital certificate in the above contents?
    Message was edited by:
    Unknown_Citizen

    The content of a 'keystore' is what you, or the person who provided it, put in it. In this case it looks like all it contains is a public key certificate with an alias of 'demoidentity'.

  • How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

    Hi,
    I want to consume a Java Web service from a Dotnet based client application. The service requires one certificate ("abc.PFX") for Two Way SSL purposes and another certificate ("xyz.pfx") for WS security purposes to be passed from the client application (Dotnet console based). I tried configuring the App.config of the client application to pass both certs but am getting an error that says:
    Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
    Please suggest how to pass both certs from the client application.

    Hi,
    This problem can be due to an untrusted certificate. So you just need full permissions to the certificates.
    And for more information, you could refer to:
    http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
    Regards

  • ISE 1.2 and multiple certificates

    Hello,
    Hopefully someone can answer this question. We have ISE 1.2 set up and running, 802.1x and user and computer certificates. All is working fine except some users have two user certificates, one from our server, the other from our parent company. When these users log in they get a bubble message saying "additional information is required to connect to the network"; they click on this and they are asked to pick a certificate. If they pick the one from us, all works.
    Question: is there a way either in Windows or ISE to use our certificate by default? The PCs in question all have the Cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8.
    Thanks

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • My company loaded profiles onto my iPad for email and calendars. There is also a signing certificate and a certificate. What are these for? Additionally, are they able to monitor apps and usage, i.e. Internet usage when it is not on their wifi?

    My company loaded profiles onto my iPad for email and calendars. There is also a signing certificate and a certificate. What are these for?
    Additionally, are they able to monitor apps and usage, i.e. Internet usage when it is not on their wifi?
    I do not have any VPN enabled.

    Do you happen to have an Android? If so, and depending on what version, there is a great data usage analysis tool built in. See if you can go to Settings -> Data Usage; from there you can pick a current or previous billing cycle and then use the vertical sliders to select a date range, and it will filter the usage data per app to show you exactly what app(s) were using data during that time frame.

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on endpoint authentication.
    Here's what I do when I initially install an ISE node:
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and, more importantly, non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • WS-Security:  Fail to configure Keystore and Identity Certificates

    Hi,
    This is my first question here!
    I want to set up a secure web service. Following the guide "Web Services Security Guide", I set up the keystore and Identity Certificates with a keystore that contains two certificates created by me; I set the keys to be used for signature and encryption. I did not define any method for authentication.
    I deployed the application to the server (oc4j_extended_101350) and up to this point apparently everything went well.
    I created a web service proxy to test the web service with JDeveloper, but when I call the web service method the server responds with the error:
    java.rmi.ServerException:
    start fault message:
    Internal Server Error
    : End fault message
    at oracle.j2ee.ws.client.StreamingSender._raiseFault (StreamingSender.java: 571)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl (StreamingSender.java: 401)
    at oracle.j2ee.ws.client.StreamingSender._send (StreamingSender.java: 114)
    at clientmessageoc4jstda.proxy.runtime.MyWebService1SoapHttp_Stub.getHelloWorld (MyWebService1SoapHttp_Stub.java: 77)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.getHelloWorld (MyWebService1SoapHttpPortClient.java: 42)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.main (MyWebService1SoapHttpPortClient.java: 30)
    On the server the following error occurs:
    ERROR OWS-04005 error has occurred on port: () http://messagelevelsecurity/ MyWebService1SoapHttpPort: oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException.
    The client and server are not in the same directory.
    The class exposed by the web service is a simple Hello World (braces completed as the snippet pasted in the post lost them):
    public class HelloWorld {
        public HelloWorld() {
        }
        public String getHelloWorld() {
            return "Hello World";
        }
    }
    Thanks in advance
    I apologize for my English

    I had to add `outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");` to the client code and it started working!

  • Points System Incorrectly invalidated $50 and $5 certificate, left with $40...

    To whom it may concern,
    I received an email back on 12/24/2013 stating that My Best Buy redeemed my points for a $50 certificate.  I continued to purchase items without using the certificate.  On 12/30/2013, I received another email stating that My Best Buy redeemed additional points for a $5 certificate.  I have not made any additional purchases since the $5 certificate and yet when I attempted to use both of the certificates the other day, I was told they were not valid and had likely been used.  The only thing that I have returned was purchased on 12/30/2013 after receiving the $5 certificate.  The tablet was then returned in the following two days.  I know from previous experience that Best Buy only awards points on purchases at a minimum 30 days after the purchase has been completed to ensure that the awarded points are only given on items that have been kept.
    Given this, why is it that your system invalidated my $50 and $5 certificates, and then proceeded to give me a $40 certificate instead? What happened to the additional points that your system issued back prior to downgrading me to a $40 certificate???  I'll be honest with you - I have already had multiple displeasing experiences at Best Buy and hope this will not be another one.  I can assure you that if it is, I will be transitioning my purchases to Amazon instead of through your company.
    Please advise...

    Good morning mrod5167, and welcome to the forum,
    I can understand having questions if it appears that points are missing from your account or if certificates were cancelled for some reason.  After using the email address you registered with the forum to review your My Best Buy™ account, I believe that I can explain why those certificates were cancelled.  Whenever a return is processed, any points that were awarded for the original purchase would be removed.  The returns that you processed at the beginning of the year involved bonus points that you had been awarded from one of our private shopping events, so when removed caused your points balance to go negative and the two certificates to be cancelled.  Once the point values for the two certificates reposted to your account, you no longer had a negative balance, but only enough for a $40 certificate.
    I hope that explanation helps; however, if you do have additional questions, please feel free to send me a private message and I will see what I can do to further assist.  A private message can be sent by clicking on the blue button located within my signature.
    Thank you for reaching out to us.
    Derek | Social Media Specialist | Best Buy® Corporate

  • JDBC Thin Connections with SSL and client certificates

    Hi ,
    We are going to have a look at JDBC Thin Connections with SSL and client certificates.
    I have two questions:
    1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
    2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
    Thanks for your help
    regards
    Markus Reichert

    I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
    Steps to add the SSL Certificate:
    1. Run the form with the https mode in the IE Browser.
    2. Security Alert is raised.
    3. Click on the View Certificate button.
    4. In the Certificate Window, click on the Details tab.
    5. Click on the Copy to File button to copy the certificate.
    6. Copy the certificate and append to the certdb.txt file.

  • IPhone's and Public Certificates

    Hello,
    My question is specific to using PEAP (EAP-MSCHAP v2) with 3rd party certificates on iPhones. I have read that despite having a public certificate, iPhones will continue to prompt to accept the cert every time. Can anyone confirm if this is true, or if you can avoid the cert prompt by having a public certificate installed?
    Thanks

    Hi,
    I am not familiar with the iPhone certificate processing mechanism, but based on my experience, it must be that your iPhone does not trust the root certificate of your CA. Please confirm that your iPhone has installed the same certificate as your NPS server.
    Certificate enrollment for computers that are not domain members cannot be performed with autoenrollment. When a computer is joined to a domain, a trust is established that allows autoenrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established using one of the following methods:
    • An administrator (who is, by definition, trusted) must request a computer or user certificate using the CA Web enrollment tool.
    • An administrator must save a computer or user certificate to a floppy disk and install it on the non-domain member computer. Or, when the computer is not accessible to the administrator (for example, a home computer connecting to an organization network with an L2TP/IPsec VPN connection), a domain user whom the administrator trusts can install the certificate.
    • An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards).
    The related KB:
    Certificates and NPS
    http://social.technet.microsoft.com/Forums/en-US/3dcbc123-c7ed-479a-82fc-79670c05bed5/iphones-and-public-certificates?forum=winserverNAP
    Hope this helps.

  • Portal and BW certificate must be different

    Hi,
    We've installed BI with BI Java and Portal as an Add-In on the same system.
    We've configured the BI & Portal integration via NWA and everything is ok. But when we tested we got "The system is unable to interpret the SSO ticket received" errors during BEx Launcher.
    When we checked the configuration via the RSPOR_SETUP report on the ABAP stack, everything except the following seems ok:
    Status 10: Import Portal Certificate into BI            <b>Portal and BW certificate must be different</b>
    Status 12: Maintain User Assignment in Portal           <b>System failure during call of function module RSWR_RFC_SERVICE_TEST</b>
    I think the problem is when we imported the Portal Certificate into BI; as they reside on the same system, the error occurs at step 10.
    This is the production system. On the Development system, Portal+BI Java are on another server than BI and this problem did not occur.
    Has anyone experienced this issue?

    Hi,
    Of course I've solved the issue via SAP note "917950 SAP NetWeaver 2004s: Setting Up BEx Web".
    Here is the section you have to consider:
    Add-In Installation and importing Certificates with identical system ID (SID)
    In case of an Add-In installation, the system ID (SID) of AS-ABAP and AS-Java is identical. This causes problems during import of certificates if you are using the Template Installer, because the ABAP system does not allow importing a certificate with identical Distinguished Names (DN) (e.g. identical common names (CN), subject names, ...). Also the standard client of the J2EE must be different from the standard client of the ABAP system.
    If the common names are identical, the report RSPOR_SETUP displays the error message "Portal and BW certificate must be different" (English).
    If the client of the Portal certificate exists in the ABAP system, the error message "Add-In Installation: check logon.ticket_client (see note 994785)" is displayed.
    This issue can be solved by creating a new Portal certificate with a different Distinguished Name (DN). The steps to create a new Portal certificate are described in the report RSPOR_SETUP documentation of step "Export Portal Certificate to the Portal" (step 9):
         1. Delete the J2EE certificate (SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert) in Visual Administrator under Services > Keystorage
         2. Create a new J2EE certificate (SAPLogonTicketKeypair with another Distinguished Name) in Visual Administrator under Services > Keystorage (as described in the documentation of step 9 "Export Portal certificate in Portal", report RSPOR_SETUP)
         3. Delete the J2EE certificate in the certificate list and access control list (ACL) with transaction STRUSTSSO2
         4. Import the new J2EE certificate to the certificate list in transaction STRUSTSSO2
         5. Add the new J2EE certificate to the access control list (ACL) in transaction STRUSTSSO2
    See the report RSPOR_SETUP documentation of step "Configure User Management in Portal" (step 8) or note 994785 for how to change the standard client of the J2EE.
    Message was edited by:
            HUSEYIN BILGEN

  • Expired encryption and Trust certificates

    Suppose:
    a Mac OS X 10.8 server shut down for summer,
    linked to Active Directory Win Serv 2008 R2 x64,
    managing Macs and iDevices,
    with an encryption certificate expired early June 2013
    and a Trust certificate expired late August 2013.
    1- Do I read correctly that all Macs and iDevices (and NetBoot/Restore/Install images) need to be reimaged with the new certificates?
    2- Do I understand also that all of the Update Server's Apple Updates need to be redownloaded? (Just read that tonight.)
    3- What other things need to be done in that case, and in which order?
    4- If nothing very important was done on that OS X server besides being linked to Active Directory and a few test wikis, is it easier to reinstall from scratch?

    I'd want a correct, current and valid certificate chain (and would likely set up a private CA, as is my wont), as bad certs can block some sorts of secure network access until either corrected or overridden, and as training the end-users to always "yeah, whatever" with certificate security can potentially lead to... well, other issues.
    The software update server will certainly download new and updated changes, but shouldn't need to re-download everything. Disk images will need to be updated.
    I'd verify proper local DNS services and correct certs as part of the initial validation of the configuration, yes.
    That's entirely your call.  Won't really help with the disk images, and will require a re-download of updates.

  • Cisco Expressway C and E Certificates

    Hi
    I need some help on Expressway C and E certificates. I need to know which certificates are required on both of the systems.
    What is the complete procedure to generate the certificates from an internal Microsoft CA server and upload these certificates to Expressway C and E?
    Regards
    Rohit Mahajan

    Here is the document Jamie is referring to:
    Expressway Certificate Creation and Use Deployment Guide

  • Does Firefox reset all the root certificates and root certificate settings whenever an upgrade is installed?

    Does Firefox reset all the root certificates and root certificate settings whenever an upgrade is installed?

    Root certificates are stored in the file nssckbi.dll, and if you've disabled built-in root certificates then it is possible that they get re-enabled. There is however no reason to disable any of the built-in root certificates.
    Tools > Options > Advanced > Encryption: Certificates > View Certificates : Authorities
