Cannot enter 3rd-party certificate into SCUP 2011 on Server 2012

Hello all,
I am trying to deploy SCUP 2011 on Server 2012 with a SCCM 2012R2 primary site w/WSUS onboard.
Client is using a 3rd-party Digisign cert from a CA that is trusted throughout the enterprise. This cert has been imported into the private store and exported as a .pfx to be loaded into SCUP 2011. The Digisign cert is in the TrustedPublishers and Trusted Root stores.
Administrator registry hack applied for Server 2012.
Options of SCUP 2011: successfully connects to the SCCM local site server and local WSUS server. However, when I browse and select the exported .pfx, I am not prompted for a password for the cert, and no certificate information is displayed. Also, there are no entries in the Trusted Publishers tab.
I am stumped at this point. Any suggestions? SCUP just isn't looking at the cert (which was ordered according to the requirements in the SCUP blog).
Thanks,
-P

A couple of questions...
1. How, and where exactly, did you import the PFX to the WSUS Server (SUP)? Most notably, the fully-signed cert needs to be in a cert store named *WSUS*, which has been notably difficult to create except when using the WSUS API to create it.
2. You don't need to export the PFX for SCUP, only the CER (provided that the PFX is properly held on the WSUS server); but even so, if you already have the original cert from Digisign, why bother exporting from the store to import... you already *had* the full cert that could be imported to SCUP?
3. If you're not prompted for the password of the PFX, that suggests that it wasn't exported with a password, or, since no cert information is available, maybe the export failed completely?
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
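An added example, not code from the thread, that turns the checks Lawrence lists into a script: it asks WSUS (through its API rather than the certificate MMC) which signing certificate it holds, then verifies the WSUS and Trusted Publishers stores, the private key, the Code Signing EKU and the chain. It assumes it runs as an administrator on the Server 2012 WSUS (SUP) server with the UpdateServices module, and takes the expected thumbprint as its only parameter.

```powershell
# Added example, not from the thread. Run on the WSUS (SUP) server as an
# administrator; assumes the Server 2012 WSUS role (UpdateServices module).
# Only input: the thumbprint of the signing certificate WSUS is expected to use.
param([Parameter(Mandatory)][string]$ExpectedThumbprint)
$ErrorActionPreference = 'Stop'
$thumb = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$problems = @()

# 1. Ask WSUS itself which signing certificate it holds. This is what
#    SetSigningCertificate() installed, whatever the MMC shows.
$config  = (Get-WsusServer).GetConfiguration()
$signing = $config.SigningCertificate
if (-not $signing) {
    $problems += 'WSUS has no signing certificate configured.'
} elseif ($signing.Thumbprint -ne $thumb) {
    $problems += "WSUS signing certificate is $($signing.Thumbprint), expected $thumb."
}

# 2. The WSUS store must hold the certificate with its private key (for signing);
#    Trusted Publishers must hold it too (clients and SCUP validate against it).
function Find-CertInStore {
    param([string]$Store)
    $path = "Cert:\LocalMachine\$Store"
    if (-not (Test-Path $path)) { return $null }
    Get-ChildItem $path | Where-Object { $_.Thumbprint -eq $thumb }
}
$inWsus = Find-CertInStore 'WSUS'
if (-not $inWsus) {
    $problems += 'Certificate not in the WSUS store (create it with the WSUS API, not by hand).'
} elseif (-not $inWsus.HasPrivateKey) {
    $problems += 'Certificate in the WSUS store has no private key; WSUS cannot sign with it.'
}
if (-not (Find-CertInStore 'TrustedPublisher')) {
    $problems += 'Certificate not in Trusted Publishers; clients will reject signed updates.'
}

# 3. A third-party cert must chain to a trusted root and carry the Code Signing EKU.
$leaf = $inWsus
if (-not $leaf) { $leaf = Find-CertInStore 'TrustedPublisher' }
if ($leaf) {
    if ($leaf.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($leaf.NotAfter)." }
    if (-not ($leaf.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')) {
        $problems += 'Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3).'
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; revocation is a separate check
    if (-not $chain.Build($leaf)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Certificate does not chain to a trusted root on this server: $status"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Signing certificate $thumb is configured in WSUS and trusted on this server."
```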

Similar Messages

  • SCUP 2011 On Server 2012 WSUS

I've been having some issues publishing updates to WSUS from SCUP 2011 on Server 2012 (I guess this is WSUS 4.0 or whatever comes on Server 2012). Is SCUP 2011 not compatible with this version of WSUS?
    2012-09-25 13:15:19.262 UTC Error Scup2011.4 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

    This is now supported:
    http://blogs.technet.com/b/configmgrteam/archive/2013/05/14/support-announcements-for-may-2013.aspx
    Justin Chalfant | My Blog |
    LinkedIn | Please mark as helpful/answer if this resolved your post

  • Adding PKI signing certificate to SCUP 2011

    I get the error below when trying to add a PKI signing certificate into SCUP. I followed the link below up to step 4, which is where I get the error.
    http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx 
    My setup:
    Windows Server 2008 R2 hosting WSUS 3.0 SP2, with the latest hotfixes applied, SCCM 2012 SP1, and SCUP 2011. I saw in another post that someone was able to get this working by installing SCUP on a separate machine. I'm not sure how they set everything up on that machine, but I have tried with no success.

    I'm experiencing the same issue at a customer site. We have Server 2012 with CM 2012 R2; when pressing Create to get the self-signed cert, the process fails. When creating a self-signed certificate, it seems to be okay, but we get a cert error when publishing the update, and then going back into the options it appears the configuration disappeared. Seems like SCUP needs to be updated to support Server 2012.

  • PKI setup using 3rd party certificates

    I want to configure SCCM in our environment using our existing certificate creation infrastructure. I do not want to use Microsoft Certificate Services. Instead I'd rather use our OpenSSL solution. However, I cannot find good documentation on working with 3rd party certificates. Everything is related to Microsoft's Certificate Services.
    Has anyone had any luck implementing SCCM in this manner? Is documentation available to aid?

    So we are planning to set up HTTPS across the board, and going through the blogs and TechNet articles I see that internal PKI is a requirement and you just cannot do away with 3rd party/external certificates, correct?
    I am working on a scenario where the customer does not want to implement internal PKI but use external certificates, either from GoDaddy or Thawte or VeriSign, where possible at all times, but it looks like you can't use the external certificate to act as the ConfigMgr web certificate or ConfigMgr DP cert?
    Given the following scenario
    https://social.technet.microsoft.com/Forums/en-US/ac34ebdf-c932-4075-b4a3-ebe572ffab0e/scenario-multi-tenant-configmgr-2012-r2-and-same-ip-address-range-for-multiple-customer?forum=configmanagerdeployment#868600a8-e8eb-471a-b767-761305636041
    for clients to communicate with DPs/secondary sites configured in HTTPS, we still need internal PKI?
    I guess the answer is yes to all... but just confirming :)

  • Exchange Server 2010 Edge Transport Subscription Issue while moving Internal CA Certificate to 3rd Party Certificate

    My client has an Exchange 2010 organization with a single domain, single forest.
    They were using an internal CA certificate and a TLS cert.
    As a POC we are doing a POC for an Exchange 2010 Hybrid Office 365 environment.
    For this a 3rd party CA is mandatory and they have bought a GeoTrust certificate.
    Now that they have installed the cert on both HUB as well as EDGE servers, they were prompted to do the edge subscription again.
    HUB and CAS are combined on the server at both the main and DR site.
    When they try to do the edge subscription again they are getting the following error.
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

    I was looking for the solution and found this:
    1. The certificate will be imported on both EDGE and HUB servers.
    2. Edge Sync will use a self-signed certificate (but I am unable to find how to configure this).
    3. Some communication between Edge and Hub will be encrypted via the 3rd party certificate.
    Could anyone suggest which services on HUB must be based on this 3rd party cert?
    All external communication must be encrypted via the 3rd party CA and communication between HUB and EDGE will be set on the self-signed cert. How do I do this?
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.
    Hi,
    Please run Get-ExchangeCertificate | fl to check your Exchange certificate settings. Also confirm whether the 5E470560626E313646730C177FCA66728E2BAFF7 certificate is your trusted 3rd party cert.
    Please use the Enable-ExchangeCertificate cmdlet to assign the SMTP service to your self-signed certificate on your Edge server.
    Regards,
    Winnie Liang
    TechNet Community Support

  • WLC5760 - CSR request for 3rd party certificate

    I need to generate a CSR to obtain a 3rd party certificate for my WLC.
    I am not sure how I can do that. All the documents available are for the WLC 4400.
    Let me know if the same process will apply to the WLC 5760 as well.

    Thanks Matteo,
    I managed to get it done. Yes, I used OpenSSL to generate the CSR.
    Here is what I have learned about it, including WebAuth cert installation on the 5760. This may be useful to someone else.
    http://mrncciew.com/2014/07/30/5760-webauth-certificates/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco IOS CA using 3rd Party Certificate

    Hi,
    Can I use a 3rd party certificate, such as VeriSign, on Cisco IOS CA? All I can see on cisco.com is a self-signed certificate from the router.
    Thanks
    -santo-

    Santo,
    That's fair enough. Key information to make sure customers understand is that a private PKI infrastructure is (for the purpose of deployments such as GETVPN) as secure as that provided by a third party.
    Private PKI is not based on self-signed certificates; only the root CA might need something like it :-)
    That being said, for reliability and flexibility I really suggest storing CA files (ser, CRL, OCSP, backup of public/private keys) on storage external to the router.
    The key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd party services (and often an order of magnitude cheaper).
    M.

  • Farm member not using 3rd party certificate

    I have a Microsoft Server 2008 R2 RDS farm using a broker and NLB farm nodes.
    On the farm member node (not the broker), I opened the “Remote Desktop Session Host Configuration” tool, selected “member of farm RD Connection Broker”, and in the “general” tab under the “certificate” section I clicked “select” and picked the 3rd party certificate.
    This is a farm member. When I use an RDP client to go to farmName.domain.com I get a pop-up with a certificate error, and it shows the certificate as serverName.domain.com and not the name in the “farm” certificate.
    How can I troubleshoot this issue?

    Hi,
    Initially it seems the certificate is not from a valid trusted authority, so please check the trusted authority. Apart from that, there is a mismatch between the certificate name and the server name.
    The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
    If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. 
    The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
    In addition, please check the article below for reference.
    Configuring Remote Desktop certificates
    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • 3rd party certificate on WiSM controllers

    Hi,
    On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
    The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
    So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
    We have an external DNS record which resolves the company URL to 1.1.1.1.
    I see a possible solution if the internal (default) URL can be changed to https://guest.companyname.com/login.html, because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
    The controllers run 7.0.230.0 software as well as the WLC.
    Hope someone has the simple answer to this?

    Putting 1.1.1.1 (VIP address) is a test to bypass the certificate. It is pretty simple, if you have done it a hundred times. But to start off from the basics, make sure that the user is being anchored to the guest WLC. You should see an entry for the client on the guest anchor, and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state. If you don't, then I can see why the 3rd party certificate is not working. So you should see the client on both the foreign and the anchor WLC. Make sure of this first.
    Did you not restart the anchors when you put the FQDN in the VIP?
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Search or Report on the CVE ID using SCUP 2011 and SCCM 2012.

    I am in the process of deploying SCCM 2012 on a single server since we have a small environment, as a Primary Site Server.  The SQL databases are located on a separate SQL 2008 cluster.  I also have SCUP 2011 installed on the SCCM 2012 server.
    I am starting to use SCUP as the facilitator to publish 3rd party patches into SCCM and I would like to be able to report on the CVE number that an update has. I know that not all updates have a CVE and that Microsoft updates usually publish this in the MSID article.
    My question is whether there is any way to report on this CVE code from within System Center Configuration Manager. If the data is in the XML file in SCUP and I can read it there, does that information get discarded when published to SCCM, or does it remain with the update but hidden in the SQL DB? If it is hidden, I'm sure we can report on it, but I would like to know if anyone else is pursuing this or had any other ideas for reporting on the CVE or searching for the CVE in SCCM 2012.
    Thanks in advance.
    Jason Apt, Microsoft Certified Master | Exchange 2010
    My Blog

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    To my knowledge nothing was added to R2 that would give you the CVE. I think this can be done as a custom solution but it would take a while to do the R&D and write the solution.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • RDS 2012 R2 cannot add 3rd party (parent domain) licensing server

    Hi,
    I have an RDS 2012 R2 farm and I cannot add a 3rd party licensing server that is in a parent domain (forest root domain, hosted by our corp HQ). I edit deployment properties for the deployment on the first CB server to add a licensing server in per-user mode. It seems to work; however, no licenses are given to SH servers. I have made a GPO as well to explicitly specify licensing server and mode; however, I think this should not be necessary.
    Any ideas?
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for posting in Windows Server Forum.
    1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
    2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed. If you have more than one server with the RDSH Role Service in your deployment, make sure that all of them are listed. If they are not, you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
    3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
    Add-WindowsFeature RDS-Licensing-UI
    4. After the above PowerShell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to. Please note that it is more important to have the licensing configured properly in deployment properties and your RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers.
    (The above is quoted from the thread below.)
    Source:
    RDS 2012 Can't add a licensing server
    In addition, check the article below.
    RD Licensing Configuration on Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Falsely accused of installing 3rd party RAM into my macbook pro while just a month away from my warranty expiring

    Hey, this is my first "post" here on Apple discussions.
    Since I bought my MacBook Pro in October 2011, my MacBook has been given for servicing many times. We've always used the Authorised Service Centre here in Singapore (QCD Technologies), and I can swear I have never taken my laptop to a third party. However, when I gave my laptop in for servicing yesterday because it wasn't booting up and instead beeped 3 times every time I tried to switch it on (suggesting faulty RAM), they told me that they can't work on the laptop until we talk to Apple because they claim that the RAM installed is not original (suggesting that we used a 3rd party for my MacBook's repair). Needless to say we were extremely appalled because we have never consulted a 3rd party, and this makes it extremely clear to us that either QCD or Apple slipped up in their servicing/production without accounting for changing the RAM, or are simply lying. If they don't have a log for it, then we know they made a mistake; however, the problem is they can easily use this as an excuse to evade costs on their part.
    Has anyone else experienced this? What should I do from here on? I need my laptop for college quite urgently and it's very convenient that Apple is doing this just 1 month before my warranty, after extending it, finally expires.

    Have you taken the computer to the same repair place every time it was repaired? If so, suggest to them that they must have installed third party RAM. And, another fact to consider: Apple does not manufacture RAM - it always uses third party RAM. They do change suppliers, so different machines may have different brands of RAM. And, as mentioned: installing RAM does not void your warranty - you may want to point that out to the repair place as well. Although, to be fair, a senior Applecare rep once told me to reinstall the original RAM before sending in the machine for repair so no one could possibly blame the problems on third party RAM.
    You can easily install RAM yourself; use one/both of the links provided by leroydouglas to purchase the correct RAM as three beeps at startup usually mean there is a problem with the RAM.

  • How to package 3rd party libs into EAR

    Netweaver 7.0, WEBAS 640:
    I have an EAR I am deploying containing an EJB and a webapp. I have third party jars that I need to use from both the EJB and webapp, and so want to just package in as part of the EAR. I do not want to fuss with deploying the third party jars separately, nor do I want to duplicate them into the EJB and WAR separately...
    I have the jars in the root of my EAR project, and have the build path set up in NWDS for the EJB and WAR so that the jars are referenced, so I'm ok at build time...
    ...but I'm getting NoClassDefFound exceptions for the classes in the 3rd party apps when I go to run them.
    What do I have to do in my EJB and WAR projects to be able to see the third party jars in the EAR at runtime?

    Hi,
    <module>
      <java>abc.jar</java>
    </module>
    Try putting this in application.xml (the java module element holds the jar URI directly, and the opening and closing tags must match).
    The best option for such a type of problem is creating an APP-INF folder under the root.
    Sample structure:
    ear
        APP-INF
            classes   -- put all class files and properties files here
            lib       -- put all jar files here
        war
        ejb-jar
    Try with this structure. Put all the jar files under the APP-INF/lib folder, and the application class loader will pull all the classes and properties from the classes and lib folders.
    NOTE: I am not sure this folder is recognised in EP server. WebLogic recognises this folder.
    Try this once.
    In EP server the recommendation is to create J2EE library projects and refer to them in the project descriptor files. By specifying them this way, the server will load them in the application class loader.
    Rama Murthy

  • Going from a self signed certificate to a 3rd party certificate....

    Hello all...
    I have an Apache webserver running both the GroupWise WebAccess and the NetWare FTP server. Up until now, I have used self-signed SSL certificates on each of them to provide security. Now, we are going to a 3rd party issued certificate for both of them.
    Any idea how I set up the Apache server so it will use the 3rd party cert instead of the self-signed one?
    Also, if you know how to set it up with the FTP server as well, it would help.
    (And, yes, I know this is not the right forum, but in the interest of not repeating my work, I was hoping to bend the rules some.)
    Thanks in advance.
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA

    As far as the FTP goes, can you be more specific? Where is this ini file that I need to modify? And how do I modify it?
    Thanks.
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA
    >>> On 6/25/2008 at 2:34 PM, in message <[email protected]>, Richard Beels [SysOp]<[email protected]> wrote:
    > close enough on the group... :-)
    >
    > for apache, it's easy peasy, find the bit in your httpd.conf and where
    > it says:
    >>>>
    > SecureListen 443 "SSL CertificateDNS"
    >>>>
    >
    > change it to whatever you've named the new cert, such as:
    >>>>
    > SecureListen 443 "DigiCert"
    >>>>
    >
    > which should give you a clue as to what I recc. for 3rd party certs.
    > :-)
    >
    >
    > As to ftp, it should be the same, i.e. ini file fiddly bit...
    >
    >
    > --
    > Cheers!
    > Richard Beels
    > ~ Network Consultant
    > ~ Sysop, Novell Support Connection
    > ~ MCNE, CNE*, CNA*, CNS*, N*LS

  • 3rd party Certificate and AAA Authentication

    I am using a Cisco ASA 5520 and I have set up remote access VPN with an AnyConnect connection profile.
    In the connection profile I have set up that users should authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued by a 3rd party.
    This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as an associated trustpoint on the ASA box to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joe's certificate and Jane's username/password. Both are valid (in isolation), but I only want Jane to be able to authenticate with her username/password and her personal certificate.
    I got an idea that I could put the serial number of the user's certificate on the user object in AD (in the user's department field or something like that) and check if this value matches during authentication.
    So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see, the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and I think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-Windows 2000.
    After some trying and failing I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (LDAP) server under "AAA server groups".
    So I changed the naming attribute to "department" and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that I tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The LDAP debug is clear: the LDAP query during authentication is now searching for the user using the department field, looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field, so I took a look at the user object looking for a more suitable attribute. To my surprise the user has a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution; I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input Marcin
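An added example for the AD side of the scheme above (not Kenneth's tool, nor Cisco or Microsoft code): it escapes the certificate serial before placing it in an LDAP filter, refuses to bind a serial that another account already holds, and reports duplicates, because a serial that resolves to two objects makes the ASA lookup ambiguous. The ActiveDirectory module, the account names and file paths, and the hex serial format are assumptions; the stored value must match whatever the ASA sends as the username.

```powershell
# Added example, not from the thread. Manages the serialNumber attribute that
# the ASA uses as the LDAP naming attribute. Requires the ActiveDirectory
# module; account names, paths and the serial format are assumptions.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

# Escape a value for use inside an LDAP filter (RFC 4515), so a serial taken
# from a certificate can never change the meaning of the search filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Read the serial from the user's certificate file (.cer). Assumes the ASA
# sends the X509Certificate2 hex form (upper case, no separators).
function Get-CertSerial {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $cert.SerialNumber.ToUpper()
}

# Which user object(s) does a serial resolve to? More than one means the
# ASA's naming-attribute lookup is ambiguous and the binding is broken.
function Find-UserByCertSerial {
    param([Parameter(Mandatory)][string]$Serial)
    $filter = "(serialNumber=$(ConvertTo-LdapFilterValue $Serial))"
    @(Get-ADUser -LDAPFilter $filter -Properties serialNumber)
}

# Bind a certificate serial to exactly one user, refusing duplicates.
# serialNumber is multi-valued, so -Add keeps any serial already present.
function Add-CertSerialToUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Serial
    )
    $holders = Find-UserByCertSerial -Serial $Serial
    if ($holders.Count -gt 0) {
        throw "Serial $Serial is already bound to: $($holders.DistinguishedName -join '; ')"
    }
    Set-ADUser -Identity $SamAccountName -Add @{ serialNumber = $Serial }
    Get-ADUser -Identity $SamAccountName -Properties serialNumber |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'serialNumber'; e = { $_.serialNumber -join ', ' } }
}

# Report serials held by more than one account (worth running on a schedule).
function Find-DuplicateCertSerials {
    Get-ADUser -LDAPFilter '(serialNumber=*)' -Properties serialNumber |
        ForEach-Object {
            $u = $_
            $u.serialNumber | ForEach-Object { [pscustomobject]@{ Serial = $_; User = $u.SamAccountName } }
        } |
        Group-Object Serial | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Serial = $_.Name; Users = ($_.Group.User -join ', ') } }
}

# Usage (assumed account and path):
# Add-CertSerialToUser -SamAccountName 'jane' -Serial (Get-CertSerial 'C:\certs\jane.cer')
# Find-UserByCertSerial -Serial '1A2B3C4D' | Select-Object DistinguishedName
# Find-DuplicateCertSerials
```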
