CDP and AIA after CA Renewal w/ new key

Similar Messages

• PKI - Add LDAP path to CDP and AIA extensions?

  Another question for our new PKI design.
  Most of the issued certificates will be used by domain clients and users. However, we will also use certificates for DirectAccess, which means CRL and AIA checking must also work for internet clients.
  As far I understand the documentation, the URL's defined for CDP and AIA checking are checked in order. Let's say a I configure the following CDP's paths, and enable the option "Include in CDP extension of issued certificates":
  1. HTTP
  2. LDAP
  Is it true that all clients (internal and external) will use option 1 first, and do a fallback to option 2? Basically this means that domain clients will never check LDAP (well at least as URL 1 is accessible)?
  When I change the order to LDAP first, so:
  1. LDAP
  2. HTTP
  Will this mean the CRL and AIA checking for internet clients will take a lot of extra time? First it tries to access the LDAP path, and after some time it falls back to HTTP? Or are internet clients smart enough to skip the LDAP path?
  Another thing I don't like of publish in the AD, is that your AD configuration comes back in every issued certificate.

  On Fri, 24 Oct 2014 07:52:52 +0000, MD_1977 wrote:
  Most of the issued certificates will be used by domain clients and users. However, we will also use certificates for DirectAccess, which means CRL and AIA checking must also work for internet clients.
  As far I understand the documentation, the URL's defined for CDP and AIA checking are checked in order. Let's say a I configure the following CDP's paths, and enable the option "Include in CDP extension of issued certificates":
  1. HTTP
  2. LDAP
  Is it true that all clients (internal and external) will use option 1 first, and do a fallback to option 2? Basically this means that domain clients will never check LDAP (well at least as URL 1 is accessible)?
  Correct.
  When I change the order to LDAP first, so:
  1. LDAP
  2. HTTP
  Will this mean the CRL and AIA checking for internet clients will take a lot of extra time? First it tries to access the LDAP path, and after some time it falls back to HTTP? Or are internet clients smart enough to skip the LDAP path?
  I wouldn't say a lot of extra time. For details check out this whitepaper
  and search for "timeout" -
  http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx
  Another thing I don't like of publish in the AD, is that your AD configuration comes back in every issued certificate.
  There isn't a lot that a bad guy can really do with that information. The
  current recommendation and best practice calls for only using HTTP URLs in
  any event. This works much better in a number of scenarios including CRL
  checking over the Internet, non-domain joined devices and clients,
  non-Windows clients, etc. Just make sure that the HTTP CDP/AIA location is
  highly available and is accessible both internally and externally.
  Paul Adare - FIM CM MVP
  MCSE: Microsoft Certified Shutdown Engineer -- Tomi Sarvela

• PKI - CDP and AIA paths, why must the URL be so complex?

  I'm currently desiging a new PKI infrastructure and thinking about the CPD and AIA extensions of the root and issuing CAs.
  There is more than enough documention to find, but (almost) everyone is using the same kind of syntaxes to build the CDP and AIA urls. An AIA extension URL for example:
  http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
  This means that every issued certificate gets the following AIA URL in its extension:
  http://pki.fabrikam.com/CertEnroll/myrootca_Fabrikam%20Ltd.%20Root%20Certification%20Authority.crt
  I don't like this URL at all. First of all you expose the name of your CA server, second of all it contains illegal URL characters (.) and third of all, with the %20 in it (spaces) it looks ugly.
  Is there any reason, why I just shouldn't skip all this variables and use the following name in the AIA/CDP extensions URL, e.g.:
  http://pki.fabrikam.com/certenroll/contoso-rca.crt

  On Fri, 24 Oct 2014 07:11:49 +0000, MD_1977 wrote:
  I'm currently desiging a new PKI infrastructure and thinking about the CPD and AIA extensions of the root and issuing CAs.
  There is more than enough documention to find, but (almost) everyone is using the same kind of syntaxes to build the CDP and AIA urls. An AIA extension URL for example:
  http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
  This means that every issued certificate gets the following AIA URL in its extension:
  http://pki.fabrikam.com/CertEnroll/myrootca_Fabrikam%20Ltd.%20Root%20Certification%20Authority.crt
  I don't like this URL at all. First of all you expose the name of your CA server, second of all it contains illegal URL characters (.) and third of all, with the %20 in it (spaces) it looks ugly.
  Exposing the host name and CN of your CA is not a risk, and if you don't
  want a "." in the URL, then don't use one when you create the CN for the CA
  in the first place.
  Is there any reason, why I just shouldn't skip all this variables and use the following name in the AIA/CDP extensions URL, e.g.:
  http://pki.fabrikam.com/certenroll/contoso-rca.crt
  There are a few reasons not to do this. First of all, the CA certificate
  file name is always going to be
  <ServerDNSName>_<CaName><CertificateName>.crt. Secondly, if you hard code
  the CA certificate name in your URLs, you're going to run into problems
  after renewals as there are index numbers added to the CA certificate file
  name that you won't be able account for by hard coding the certificate
  name.
  Paul Adare - FIM CM MVP
  void russian_roulette(void) { char *target; strcpy(target, "bullet"); }
  -- Simon Cozens or Thorfinn

• Changing CDP and AIA on internal CA

  Good morning, I have a quick question:
  I have an environment with 1 Root CA and 1 issuing CA, both are domain-joined and online. If I make changes to CDP and AIA, do I have to renew the CA-cert for both CA's? And if I have to do that, does it have any consequences for the certificates already
  issued or will they keep on working as today? (we have quite a few issued manually so re-issue all certs is not done quickly)
  Thank you in advance
  Regards Per-Torben Sørensen http://pertorben.wordpress.com/

  Deepdive for CA certificate renewal internal.
  http://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• Lost my apps and music after updating to the new OS

  I lost my apps and music on my 3GS after updating to the new 5.0.1 OS.  I can see all my apps and music on my laptop iTunes, but can't get the phone to sync.  Any ideas??

  What happens when you try to sync?

• Profiles corrupt in firefox and thunderbird after restart win 7 new profiles created

  After restarting computer (Win 7 64 bit) new profiles in firefox and thunderbird created. Old profiles still there. May have been a Windows update (don't recall) at shut-down. Perhaps a clue Win 7 desktop ini file changed and this occurred: http://support.microsoft.com/kb/330132
  New computer install in use 2-3 days.
  == This happened ==
  Every time Firefox opened
  == After restart

  Solution:
  The profiles.ini file had changed for both Thunderbird and Firefox.
  I manually edited both profiles.ini files and changed the profile path back to the correct profile. For example I changed :
  Path=Profiles/bbwyygfp.default
  to:
  Path=Profiles/k5adm39.default
  Would mark this as solved if I knew how.....

• Why did i lose my apps and data after syncing to another new computer? i clicked transfer but only transfered part of the apps?

  Okay basically i had 166 apps in my ipod...
  After i bought new laptop and wanted to sync into it, it said to transfer apps from ipod touch to laptop, i did, but it only transferred part of it and said the remaining was not able to be transfered...
  i had encountered this problem when i transfered the apps in my old pc to my old laptop, now that i wan to transfer apps from my old laptop to my new one, i thought i knew what to do..
  i knew the problem was with the fact that the other apps was bought with another apple id thus not able to transfer as it is not yet authorised... while it was syncing, i authorised the older apple id that the apps was not synced yet... after i did, i realised i was left with the apps bought with my new apple id only...
  then i realised i lost all my data on my older apps, like the privacy photo app which had memories of my photos stored in it.. tap tap 4 all my songs in it... and 70 other apps..
  What happened? this did not happen in my previous attempt during my transfer of apps from old pc to old laptop... so why?
  its really really sad... all my data was lost, i got back the apps though.. but data in it all LOST...
  what to do? can i still retrieve it back?

  - Try redownling the apps by:
  Downloading past purchases from the App Store, iBookstore, and iTunes Store
  The computer has to be authorized and signed into the account that originaly purchased them.
  - When all the apps are ih the iTunes library, try restoring from backup if you have the backup that would contain all the app date. I would turn off autosyncing (go to iTunes>Prefernces>Device and check the box titled Prevent iPods...automatically" to prevent overwritting the previous backup.

• Missing hard drive space and files after Genius Bar installed new Hardware

  I took my computer to genius bar.  They installed a new CD/DVD drive.  My computer wouldn't load when I got it home, so I reinstalled OSX and now I am missing tons of hard drive space and all my old files (which have been backed up).  How do I fix this?

  "DURING WARRANTY SERVICE IT IS POSSIBLE THAT THE CONTENTS OF THE APPLE
  PRODUCT’S STORAGE MEDIA WILL BE LOST, REPLACED OR REFORMATTED. IN
  SUCH AN EVENT APPLE AND ITS AGENTS ARE NOT RESPONSIBLE FOR ANY LOSS
  OF SOFTWARE PROGRAMS, DATA OR OTHER INFORMATION CONTAINED ON THE
  STORAGE MEDIA OR ANY OTHER PART OF THE APPLE PRODUCT SERVICED.
  Following warranty service your Apple Product or a replacement product will be returned to you
  as your Apple Product was configured when originally purchased, subject to applicable updates.
  You will be responsible for reinstalling all other software programs, data and information.
  Recovery and reinstallation of other software programs, data and information are not covered
  under this warranty."
  http://images.apple.com/legal/warranty/docs/cpuwarranty.pdf

• Problem sync ical ipad and iphone4 after no-renew mobileme

  Until last week i had an mobileme account, and everything worked very well, i syncronised contacts calendar on line everytime i did a change.
  I decided to not renew the account for the moment. And starting from that moment i cannot sync my iphone my ipad with ical.
  i tryed to re sync with itunes manually, but nothing happens,  i arrive to sync contacts but i cannot sync calendar with mac.
  do you know how i have to do to sync again everything?
  i would not spend 79€ only to sync calendars events
  Thanks for the help!
  gabriele

  Go into the control panel. Add/remove programs. Uninstall iTunes, Apple mobile device service, apple application support. Then redownload and reinstall iTunes. See if that fixes it. If not there are more indepth things you can do.

• How can I get my favorites files and folders after upgrading to a new version?

  Hi.
  I recently rebooted my computer back to factory condition an upgraded to the newest version of fire fox.
  I lost all my favorites, bookmarks and important folders. Is there a way I can restore that information back to fire fox?

  Not if you didn't backup your personal data in the Firefox program folder or were using Firefox Sync.
  You should always backup your personal data before reformatting the computer.
  *http://kb.mozillazine.org/Profile_backup
  *https://support.mozilla.org/kb/Backing+up+your+information

• DW 6 fails to upload and download after site moved to new server.

  Cyberduck has same permissions and works fine, so it's not a permissions issue.
  We're using the same hosting site, just a dedicated server.
  Downloading DW says the file doesn't exist, but it does.
  Uploading DW says it can't create the folder the file is to go into, except the folder already exists.
  Here'a sample of the error messages:
  DOWNLOAD:
  Started: 4/17/14 9:59 AM
  Path was: /u_Eng
  /u_Eng/news2014-01.txt - error occurred - Get operation failed since news2014-01.txt does not exist on the remote site.
  Path was: /u_Eng/_notes
  File activity incomplete. 1 file(s) or folder(s) were not completed.
  Files with errors: 1
  /u_Eng/news2014-01.txt
  Finished: 4/17/14 9:59 AM
  Problems:
  (1) Why does it want to use _notes folder to find the file?
  (2) I disabled notes option for the server, and it still does it anyway. Why?
  (3) I created a _notes folder, and put the file into it, and it still fails to find the file. Why?
  = = = = = = = = = = = = =
  UPLOAD:
  Started: 4/17/14 10:08 AM
  Path was: /MM_CASETEST4291
  Path was: /MM_CASETEST4291
  Connected to appzooz1.
  Path was: /_mm
  Path was: /_mm
  Path was: /u_Eng
  Path was: /u_Eng
  Path was: /u_Eng
  /u_Eng/ - error occurred - Unable to create server folder /u_Eng/.  An error occurred. Please contact your administrator.
  u_Eng:news2014-01.txt - user cancelled
  File activity incomplete. 1 file(s) or folder(s) were not completed.
  Files with errors: 1
  /u_Eng/
  Finished: 4/17/14 10:08 AM
  Problems:
  (1) The u_Eng folder already exists, so why can't it find it and use it?
  (2) SFTP account settings are the same as used in Cyberduck, and it has no problem with putting and getting files AND in creating folders. So, why is DW failing here as well?
  THOUGHTS ANYONE?
  --- Robert

  If Cyberduck can connect but DW can't, you might need to toggle settings under More Options.  See screenshot.
  Nancy O.

• Hello, my name is Karan Taneja and i have been a loyal Apple customer. I have been using Apple since it introduced iphone 4 and have been upgrading/buying every new phone Apple introduces after that. I was always happy and surprized to see Apple doing so

  Hello, my name is Karan Taneja and i have been a loyal Apple customer.
  I have been using Apple since it introduced iphone 4 and have been upgrading/buying every new phone Apple introduces after that.
  I was always happy and surprized to see Apple doing so good to its customers.
  Unfortunately, i experienced some thing really unprofessional and different this time.
  It begun suddenly one day when i tried to charge my phone, the phone was on silent mode and as usual the phone vibrated when i kept it for charge.
  After a few seconds the phone vibrated twice or thrice again when i re-inserted the cable thinking it might be loose.
  It continued to charge well when i left the room for 2 hours and finally when i returned i could see a damaged i phone 5
  lying on the floor and the phone vibrating continuously and i figured out there was a fault with the cable and the
  current wasnt flowing continuously due to which the phone continued to vibrate and fell off the shelf.
  Next day i took the iphone to Apple service centre at Saket which was closed.
  Thinking its August 15 and so the store might be closed i went back to home and waited for the next day but unfortunately could not turn up since
  i had to go to work on odd timings.
  I again went to the same service centre on 17th August 2013 and saw the service centre closed again when i tried to contact
  the other service centre and was informed about Saket's service centre already been shut down.
  There was no hoarding/ banner any kind of intimation for the customers.
  Since 18th August was Sunday and i was occupied on 19th August i went to service centre at Ansal Plaza Khel Gaon Marg on
  20th August 2013 to complaint about the Faulty Cable and the damaged caused to my iphone 5 due to the same.
  I very well explained the same to one of the person at the receiving desk at the service centre who accepted the cable
  but explained me that he doesnt have the authority to accept my iphone without permission from the technical support people
  who will be able to help me in that case and gave me the toll free number.
  i Tried to reach the toll free number and finally managed to get online with a technical support executives who too all my details and
  summary of the problem i experienced and finally kept me on hold for almost 10 minutes ormore after which he said he said that my
  case cannot be considered and while the discussion was on, the call was disconnected and i was left frustrated as i still was at the service centre
  but finally i left with no hope from Apple .
  I tried to reach again at the toll free number, and finally managed to talk to a well behaved person who assured me of considering my case and suggested
  me to go back to the service centre and advice the the person at the recieving end there to get me connected to the technical support team when i reach so that i could
  submit my phone but, since, it was already around 4:30 and the service centre was about to shut and due to traffic
  conditions all around i thought of visiting the service centre next day.
  On 21st August 2013, i went back to the service centre and spoke to the one of the store person who adviced the case to the manager Mr. Alok ( as i remember )
  who was really rude to tell me that i will have to call the technical support team on my own and then he will connect and that its not his work and all that .
  I finally connected to one of the senior technical support executives Mr.Mohamed Azharuddin K who understood my concern and spoke to the manager of the store to accept
  my iphone.
  My iphone was finally collected and i was assured i would get a call back next day from the service centre about the update.
  It was now 22nd August 2013, no update was given,no call was received, i tried to call the service centre at 12:30, they were unaware about my case and knew only about the cable and said will call me
  back very shortly.
  I called back at 2:30, still no update, at 4:30 i called back again when i was told that my case cannot be considered and i can collect my phone.
  Similar discussion was held with Mr.Mohamed Azharuddin K.
  I knew by the time i will reach the service centre would again close.
  He told me that my case cannot be considered since the cable was recieved in the dead condition and wasnt working at all unlike what i told him about the cable.
  On 23th August 2013, i went back to the service centre and collected my phone. When i asked about my old cable and told them that it was working and i wanted the technician
  to check it properly when i handed it over, they had no answer but to say its already shipped. I spoke to the manager who said that he never told any body that the cable
  was received in dead condition and he only conveyed to other authorities that the cable had fault .
  I finally dont know what to do and came back with the new cable.
  I just visited my time, petrol and parking charges in getting the cable replaced.
  If i calculated i have spent around 16 hours and 2000 worth of money in just getting the cable replaced and have a broken phone in hand.
  More than a weeks torture.
  Is that the way apple compensates for its fault ????????????????
  I will make sure that i never buy any thing from Apple and advice all the people i know to not trust Apple blindly.

  Wow, Karan Taneja, you've just embarrassed yourself on a worldwide support forum.  Not only is your post ridiculous and completely inappropriate for a technical support forum, but it also shows your ignorance as to whom you think the audience is.  Apple is not here.  It's users, like you. 
  If you would have spent half the time actually reading the Terms of Use of this forum that YOU agreed to by signing up to post, as you did composing that usesless, inappropriate post, you (and the rest of us on this forum) would have been much better off.

• How do you access updates to apps from the App store after changing to a new ID because the password on the old ID was changed and you don't know what it is now?

  How do you access updates to apps from the App store after changing to a new ID because the password on the old ID was changed by the former husband and you don't know what it is now?  And you set up your own new ID and account but can NOT access the updates, from the App store for the many apps that you already have, because they require that you sign in with that former now inaccessible ID and account and password?  Call it a problem of modern times and changing relationships, if you want to be charitable.

  So I guess it will only be new apps that I download that are allowed to give me their updates while 13 updates wait for me on an ID I can no longer access.
  Yes...  sorry.
  In the future, if need be, you can re download your purchases for free  >  Downloading past purchases from the App Store, iBookstore, and iTunes Store
  Good rule of thumb is to back up your purchases regardless  >  Mac App Store: Backing up your app purchases

• I have used Firefox on my computer for several years. Today, after upgrading to the new version, I was not able to open Firefox. I have tried several times uninstalling and re-downloading Firefox. It still will not open! What is wrong?

  I have used Firefox on my computer for several years. Today, after upgrading to the new version, I was not able to open Firefox. I have tried several times uninstalling and re-downloading Firefox. It still will not open! Is the new version not compatible with Windows Vista?

  I hope that link points to mozilla.com or mozilla.org
  You will have to close firefox.exe with the Windows Task Manager from the "Processes" tab of the WTM since you don't have a widow to close.
  The best way to close Firefox is through File > Exit, for those who stuck with the "Firefox" button click on the Firefox button then Exit. It is not perfect but it is a lot better than just closing the window with the "X" in the upper right corner

• I recently got a new computer because my old one wouldn't let me open creative suite 3 after it generated a error and now I can't deactivate the key to activate it onto my new account.

  I recently got a new computer because my old one wouldn't let me open creative suite 3 after it generated a error and now I can't deactivate the key to activate it onto my new computer. Any help would be appreciated. Thank you.

  You are allowed to have two activted installations, so if the first machine is the only machine with an activated installation there is nothing prohibiting you from installing and activating on the new machine.
  You can contact Adobe Support thru chat to have the old installation deactivation.
  Serial number and activation support (non-CC)
  http://helpx.adobe.com/x-productkb/global/service1.html ( http://adobe.ly/1aYjbSC )