Bug Webplayer - no https certificat and connexion impossible

Similar Messages

• Install https certificate and Connect to an alias URL

  Hello,
    I have IDM 7.1 installed on Windows and MS SQL and its working fine.
  My requirement is to access IDM with easyURL (instead of having port no: 500000/idm...).
     an alias name has been created. Now i want to install https certificate and then want to connect to the alias URL.
  I have got the https port number also.
  would you please help me as to exactly how to install th https certificate to the alias URL.
  Regards,
  Mahesh

  Hello,
    I was able to install the certificate.
  If anyone wants help, let me know
  Regards,
  Mahesh

• Cisco ISE NDES EAP and HTTP certificates from different CA

  Hi guys, hope this is something you can help with…
  2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
  AD integration with customerdomain.local
  Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
  Corporate authentication is using EAP-TLS which is working fine
  BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>
  I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.
  As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.
  This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.
  Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.
  Thanks
  Andy

  I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine.  I am wondering if this is a certificate tier length issue.  My working example has a RootCA->IssuingCA->Cert.  It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.
  Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?
  Thanks

• Config certificate and log issues

  I config certificate and use it to connect ipsec vpn ， I just config    
  jinan-neusoft(config)#ip domain-name neusoft.com
  jinan-neusoft(config)#crypto key generate rsa general-keys
  The name for the keys will be: jinan-neusoft.neusoft.com
  Choose the size of the key modulus in the range of 360 to 4096 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.
  How many bits in the modulus [512]:
  % Generating 512 bit RSA keys, keys will be non-exportable...
  [OK] (elapsed time was 0 seconds)
  jinan-neusoft(config)#
  Nov 16 01:05:44.435:  RSA key size needs to be atleast 768 bits for ssh version 2
  jinan-neusoft(config)#
  Nov 16 01:05:44.435: %SSH-5-ENABLED: SSH 1.5 has been enabled
  jinan-neusoft(config)#crypto pki trustpoint CA1
  jinan-neusoft(ca-trustpoint)# enrollment url http://59.44.43.217:80
  jinan-neusoft(ca-trustpoint)# revocation-check crl
  jinan-neusoft(ca-trustpoint)# rsakeypair DMVPN-SY-KEY
  jinan-neusoft(ca-trustpoint)# auto-enrol
  jinan-neusoft(config)#crypto pki authenticate CA1
  Certificate has the following attributes:
         Fingerprint MD5: D5F9D56B 4D9A4260 43F21D39 811D7AD5
        Fingerprint SHA1: 1E49B228 DD57F4DB 43DD2C2F 03870C18 840DA12A
  % Do you accept this certificate? [yes/no]: y
  Trustpoint CA certificate accepted.
  then I have log issues like below ，even I config auto-enroll , I don t get  certificate pending information  from my certificate server ，
  my device is C3925 and ios is c3900-universalk9-mz.SPA.151-4.M4.bin ，how to deal with it ，top players ， THX~~~~
  Nov 16 01:07:54.871: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
  Nov 16 01:07:54.951: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
  Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
  Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
  Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6
  jinan-neusoft(config)#D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  Nov 16 01:07:55.119: %SYS-2-MALLOCFAIL: Memory allocation of 40 bytes failed from 0x6D05DEC, alignment 0
  Pool: Processor  Free: 731143916  Cause: Interrupt level allocation
  Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
  -Process= "<interrupt level>", ipl= 3
  -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z
  Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  jinan-neusoft(config)#
  Nov 16 01:08:09.719: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
  Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
  Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
  jinan-neusoft(config)#
  Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  jinan-neusoft(config)# Nov 16 01:07:54.871: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
  Nov 16 01:07:54.951: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
  Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
  Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
  Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6
  jinan-neusoft(config)#D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  Nov 16 01:07:55.119: %SYS-2-MALLOCFAIL: Memory allocation of 40 bytes failed from 0x6D05DEC, alignment 0
  Pool: Processor  Free: 731143916  Cause: Interrupt level allocation
  Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
  -Process= "<interrupt level>", ipl= 3
  -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z
  Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  jinan-neusoft(config)#
  Nov 16 01:08:09.719: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
  Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
  Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
  jinan-neusoft(config)#
  Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
  jinan-neusoft(config)#

  I do not have the answer but have exactly the same issue, looks as if it is a bug of some kind :
  Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 980992K/67584K bytes of memory.
  Processor board ID FCZ163371P3
  6 FastEthernet interfaces
  3 Gigabit Ethernet interfaces
  1 terminal line
  1 Virtual Private Network (VPN) Module
  DRAM configuration is 72 bits wide with parity enabled.
  255K bytes of non-volatile configuration memory.
  250880K bytes of ATA System CompactFlash 0 (Read/Write)
  System image file is "flash0:c3900-universalk9-mz.SPA.151-4.M4.bin"
  Nov 16 07:37:16.611: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 358FF778 7C2E66AE 895BF088 BF022442
  .Nov 16 07:37:16.615: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 5F7A4300 20B62132 83D08C6E 2D315DF4 51EFE94D
  .Nov 16 07:37:16.623: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 412
  7784z
  .Nov 16 07:37:16.623: %SYS-2-MALLOCFAIL: Memory allocation of 72 bytes failed from 0x6D05DEC, alignment 0
  Pool: Processor  Free: 704933204  Cause: Interrupt level allocation
  Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
  -Process= "", ipl= 3
  -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4AC
  B9F4z Nov 16 07:37:16.611: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 358FF778 7C2E66AE 895BF088 BF022442
  .Nov 16 07:37:16.615: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 5F7A4300 20B62132 83D08C6E 2D315DF4 51EFE94D
  .Nov 16 07:37:16.623: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
  -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 412
  7784z
  .Nov 16 07:37:16.623: %SYS-2-MALLOCFAIL: Memory allocation of 72 bytes failed from 0x6D05DEC, alignment 0
  Pool: Processor  Free: 704933204  Cause: Interrupt level allocation
  Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
  -Process= "", ipl= 3
  -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4AC
  B9F4z

• Problem with Generate a certificate and Key

  I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
  I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
  You can change the certificate that was generated by the WSA S370 to 2048

  In addtition to Kush's response, we had a similar thread in the past. Please refer to:
  https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
  Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of
  86121.
  You can search for Bug IDs using Cisco Bug Search Tool :
  https://tools.cisco.com/bugsearch/
  From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
  Regards,
  -Valter

• Connexion impossible à CC

  Bonjour, depuis ce matin je n'arrive pas à me connecter à CC par Adobe Creative Cloud Desktop.
  J'ai essayé d'ouvrir également Photoshop et lors de l'identification j'ai eu ce message d'erreur :
  C'est normal ?
  Merci pour vos aides

  Merci pour votre réponse, mais j'ai trouvé la solution en cherchant sur
  Google. En fait c'est votre solution 2 qui est la bonne. ( supprimer le
  fichier oobe )
  Merci beaucoup !
  Cordialement
  N Verri
  De :  Rajshree <[email protected]>
  Répondre à :  <[email protected]>
  Date :  lundi, 14 octobre 2013 17:40
  À :  nello verri <[email protected]>
  Objet :  Connexion impossible à CC
  Re: Connexion impossible à CC
  created by Rajshree <http://forums.adobe.com/people/Rajshree>  in Adobe
  Creative Cloud - View the full discussion
  <http://forums.adobe.com/message/5758519#5758519>
  Hi antoneelo,  Salut ,  Vous pouvez essayer ceci:La licence de l'équipe
  elle-même ne devrait pas être un problème, mais si la demande a été installé
  et enregistré avec un compte différent du vôtre (et ensuite changé au fil de
  votre compte AdobeID ) qui pourraient causer un problème. Pouvez-vous
  essayer quiting Ps , puis naviguer dans le répertoire de configuration.
  Déplacer le dossier complet à votre bureau, puis relancer Ps ? OSX :
  Utilisateurs / / Library / Preferences / Adobe
  Photoshop Settings CCVictoires: Users / / AppData /
  Roaming / Adobe / Adobe Photoshop Photoshop Settings CC / CC Adobe  2 . Vous
  pouvez essayer cela aussi :pouvez-vous essayer de recréer le fichier opm.db
  et laissez-moi savoir si cela fonctionne ? Sinon, je tiens à capturer
  certains de vos fichiers journaux si commode. S'il vous plaît suffit de
  placer le fichier opm.db originale sur le bureau Sortie Connection Creative
  Cloud .Sur Windows, supprimez le fichier opm.db situé ici: C: \ Users \
  \Library\Application Support\Adobe\OOBERestart Creative
  Cloud Connection and sign in. Regards, Rajshree
  Please note that the Adobe Forums do not accept email attachments. If you
  want to embed a screen image in your message please visit the thread in the
  forum to embed the image at http://forums.adobe.com/message/5758519#5758519
  Replies to this message go to everyone subscribed to this thread, not
  directly to the person who posted the message. To post a reply, either reply
  to this email or visit the message page:
  http://forums.adobe.com/message/5758519#5758519 To unsubscribe from this
  thread, please visit the message page at
  http://forums.adobe.com/message/5758519#5758519. In the Actions box on the
  right, click the Stop Email Notifications link.  Start a new discussion in
  Adobe Creative Cloud at Adobe Community
  <http://forums.adobe.com/choose-container!input.jspa?contentType=1&container
  Type=14&container=4670>  For more information about maintaining your forum
  email notifications please go to
  http://forums.adobe.com/message/2936746#2936746.

• SSL certificate and use?

  Hi,
  some time ago I've become aware of the presence of an SSL certificate for for the Arch homepage.
  Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.
  Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
  And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?
  I ask mainly because of paranoia and secondly out of curiosity.

  cactus wrote:The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
  It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).
  It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
  As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.
  As you're not using officially signed certs any longer, you could also do the following:
  You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.
  I've found a really well-written howto here, and I've already tested it within my local network.
  Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience how to get signed by an official institution.
  Or you could also ship your root cert with the installation iso, similar to Ubuntu shipping the public pgp-keys of their package-managers with there installation isos.
  This is of course only a suggestion, but as I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.
  I'm pretty interested in everyone's feedback. Maybe there's even one who has experience about other distros and how they've handled that problem.

• Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

  I've read this article of technet, but I couldn't undarstand requied values of SubjectAltname.
  https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
  For example, if I build following servers, what SAN needs ?
  It is happy to also tell me why.
  [ServerNames]
   AD DS Server:DS01
   AD FS Server:FS01
   Web Application Proxy Server:PRX01
   SharePoint Server(WFE):WFE01
   SharePoint Server(APL):APL01
   SQL Server:DB01
  [AD DS Domain Name]
   contoso.local
   (Please be assumed that above all servers join this domain)
  [Site collection strategy]
   using a host-named site collection
  [Primary web application URL]
   https://sps.contoso.com
  Thanks.

  Hi,
  From your description, my understanding is that you have some doubts about SAN.
  If you have a SAN, you can leverage it to make SharePoint
  a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. What you could refer to this blog:
  http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what SAN needs from part “Some
  SAN Basics” in this blog.
  These articles may help you understand SAN:
  https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
  http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
  http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
  Best Regard
  Vincent Han
  TechNet Community Support

• Multiple additional SIP domains - certificate and DNS requirements

  We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
  This is working successfully internally, externally and through Lync Mobile.
  However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
  In other words, user A has a primary SMTP and SIP address of
  UserA@aaaaa_group.com
  However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
  There must be in excess of 40 to 50
  of these other domains in use as primary SMTP addresses.
  (Nearly all
  these users have secondary SMTP addresses of aaaaa_group.com).
  I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
  I know from reading that wilcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them. 
  Wilcard certificates aside, what are the names that will I need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
  The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter
  what it is.
  Any thoughts/comments would be very welcome. :-)

  Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards,
  but do plenty of research on how to approach this.  Here are some articles to get started:
  http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
  http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
  That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
  For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
  sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
  The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal
  FQDNs, and the Reverse Proxy certificate will require the lyncdiscover
  FQDNs.
  For Exchange Server you'll need to an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary
  SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed-in to Lync.  Unless you need users to all user their own domain names for the SimpleURLs (which it doesn't not sound like in your scenario) then you'd
  have to add all those as well.
  So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50
  sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURls, etc.  Just make sure that the certificates Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary
  domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
  For example:
  Edge Server external certificate
  Common Name: sip.domain1.com
  Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com,
  etc...
  Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

• Since the most recent Firefox update 3.6.8 by banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you g

  Since the most recent Firefox update 3.6.8 my banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you give me some idea why it is doing this?
  == This happened ==
  Every time Firefox opened
  == Right after the new Firefox update

  Hello Anne.
  Can you please try it in a new (temporary) Firefox profile and see if the issue is still present? See [http://support.mozilla.com/en-US/kb/Managing+profiles this article] to know how to create a new Firefox profile. Please report back the results.

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us

• Trying to set up encrypted mails but I'm confused about certificates and keys

  Hello all,
  My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
  He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
  I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
  As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
  Thanks in advance.
  Stuart.

  Stuart8, good find, that article.
  I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
  Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
  Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
  Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
  I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
  Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
  In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(

• Step Through a List of .p12 Certificates and Their Passwords to Extract Property Data

  This is a follow-up question to my previous thread:
  http://social.technet.microsoft.com/Forums/en-US/58ca3098-e06d-419a-9465-1ae7973e1c04/extract-p12-property-information-via-powershell?forum=ITCG
  I understand how to extract the information for a certificate one-by-one, but I am wanting to write a powershell script that will step through a list of certificates and a list of their corresponding network passwords in order to extract their property
  data (i.e. expiration date, etc). Any suggestions?
  jrv helped me with the first part of my question by providing this script:
  PS C:\> $filename='c:\temp2\certs\jpd.cer'
  PS C:\> $cert=[System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($filename)
  PS C:\scripts> $cert|fl
  Happy Hunting!

  HINT:
  dir *.cer | %{ [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($_)}
  ¯\_(ツ)_/¯

• HTTPS certificate problem on MPLS

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tableau Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi everyone,
  We are currently migrating our network from IP to MPLS and we encounter an issue with a only one application using security certificat through HTTPS. All other services are OK such as HTTP, FTP, Mailing, etc.
  Network description :
  The network architecture is composed by 4 core routers (which play the role of P and PE at the same time) and 2 borders routers (B1 and B2) linked to Internet via STM1 - POS interfaces.
  Each borders are both connected to two core routers (C1 and C2) by GigabitEthernet links.
  Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core.
  Core routers C1,C2, C3 and C4 are connected to each other by GigabitEthernet links.
  B1 and B2 are linked to Internet by STM1 (POS) using eBGP.
  OSPF is used as the infrastructures routing protocol between all equipments.
  (cf the network diagram attached)
  Configuration :
  When migrating to MPLS, we fixed interfaces MTU at 9216 and the MPLS MTU at 1512 on all concerned interfaces from Core to Border routers.
  Below is a sample configuration.
  mpls ip
  mpls label protocol ldp
  mpls ldp router-id loopback0
  interface GigabitEthernet1/1
  mtu 9216
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 XXXXXXXXXXX
  ip ospf network point-to-point
  ip ospf cost 1
  ip ospf hello-interval 1
  mpls mtu 1512
  mpls ip
  Problem :
  The service application uses a server on the local network (linked via CE router) which send https requests and files to a server located in the Internet.
  When MPLS is activated only on the Core-To-Core interfaces (C1, C2, C3 and C4) the application is working properly.
  But when the MPLS is expanded on Core-To-Border / Border-To-Core interfaces, this specific application fails as it appears that the certificate server sees a corrupted frame, some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
  Below are major differences between Border and Core routers connection schemes:
      A DPI equipment between Core and Border,
  GibabitEthernet are used for links Border-To-Core and Core-To-Core, STM1(POS) is used for links Border-To-Internet (IP)
  ­    The MTU size on STM1 interface is fixed at 4470, MTU size of 9216 is assigned to GE interfaces (Border-To-Core, Core-To-Core)
  Regards.

  Hi,
  Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?
  MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).
  Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
  Thanks,
  Luc

• RFC to HTTP Synchronous and SSL encryption

  I have the a Scnario RFC --> XI ---> HTTP with responce coming back from HTTP to xi and then in turn will go back to SAP.
  so it is like :  RFC  to XI and then To HTTP application at BANK partner
  but my case more complex because before i send the message to the web application over HTTP i need to encrypt the message and communicate with the web application of the bank, so i wonder how can we implement SSL to handshake with the bank successfully and how to encrypt the xml before i send the message to the bank ????
  also one more interesting question is : when i send the data to the bank over HTTP they asked me to pass it as an arugment...so what does that mean and how can i send data as an argument inside the HTTP request ??
  so in this case do i have to use HTTP adapter or SOAP adapter ????
  please help me out guys and thanks in advance

  Hi,
  use the HTTP adapter.
  You have to install the SAP crypto lib to enable the HTTPS service in PI.
  Afterwards you have to store the SSL certificates and the certificate chain in PI (TX STRUST).
  Argument/parameter:  eg.  www.xyz.com/script.asp?user=peter
  Cheers,
  André