Certificate Authority root CA increased validity problem

Dear all,
I was able to create a root CA valid for 20 years in Certificate Services, issue a certificate and log in using a smartcard with the following procedure:
1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
I created the file CAPolicy.inf in %SYSTEMROOT% with the following content:
[Version]
Signature="$Windows NT$"
[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
2. Renew the CA root using this guide https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
Console Root -> Certification Authority -> select domain -> Right click -> All Tasks -> Renew CA certificate
3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from Certificates (local computer) -> Personal, the *WINSC-CA that had the lower validity
4. I performed a reboot here
5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
to value 10 for 10 years.
7. Request a new certificate from the CA webpage http://ipofdomain/certsrv and let the webpage write it to the smartcard (I was making sure there was no other certificate on the smartcard)
8. Try to log in. At this point it should throw an error that smartcard logon is not supported for this account type. This is because we need to enroll it again for domain authentication
9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks -> Request new Certificate
-> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
Now you should be able to log in using your smartcard and the generated 10-year certificate.
Though I have a problem at step 3: after the CA server reboots, the *WINSC-CA certificate with lower validity is restored automatically, but the certificates are generated for 10 years.
What am I doing wrong? How can I delete the lower validity root CA?
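As an added check for the procedure above (example code, not part of the original thread), the following PowerShell script, run in an elevated PowerShell 3.0 or later session on the CA itself, lists every certificate the machine holds for the CA name, reads the configured issuance validity (the CA stores the unit as ValidityPeriod and the count as ValidityPeriodUnits) and the CAPolicy.inf renewal settings, and flags when the configured period exceeds the newest CA certificate's remaining life, which is the ceiling ADCS enforces on anything it issues. The CA name 'WINSC-CA' is taken from the post; the final certutil call shows the CA certificates that Active Directory publishes, which is where an Enterprise CA's domain members refill their Trusted Root store from.

```powershell
<#
  Added example, not code from the original thread. Run in an elevated
  PowerShell 3.0+ session on the Enterprise CA itself. $CAName is the CA's
  common name as shown in the Certification Authority snap-in; 'WINSC-CA'
  is the name used in the post.
#>
param([string]$CAName = 'WINSC-CA')

$now = Get-Date

# 1. What the CA is configured to issue. The CA keeps the unit as a string
#    (ValidityPeriod, e.g. "Years") and the count as a DWORD (ValidityPeriodUnits).
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$reg = Get-ItemProperty -Path $regPath -ErrorAction Stop
"Configured issuance validity  : $($reg.ValidityPeriodUnits) $($reg.ValidityPeriod)"

# 2. What CAPolicy.inf asks for. These values are only read when the CA
#    certificate is renewed, so they say nothing about certificates already issued.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) {
    $renewal = Select-String -Path $policy -Pattern '^\s*RenewalValidityPeriod(Units)?\s*=' |
               ForEach-Object { $_.Line.Trim() }
    "CAPolicy.inf renewal settings : $($renewal -join '; ')"
} else {
    "CAPolicy.inf not found in $env:SystemRoot (renewal will use CA defaults)"
}

# 3. Every certificate this machine holds for the CA name. A renewed CA keeps
#    all of its certificates; the "CA Version" extension (V<cert>.<key>) tells
#    the generations apart, and the thumbprints differ.
$caVersionOid = '1.3.6.1.4.1.311.21.1'
$caCerts = foreach ($store in 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "CN=$CAName*" } |
        ForEach-Object {
            $cert = $_
            $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $caVersionOid }
            $ver  = 'n/a'
            if ($ext) { $ver = $ext.Format($false) }
            [pscustomobject]@{
                Store      = $store
                CAVersion  = $ver
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
}
$caCerts | Sort-Object Store, NotAfter | Format-Table -AutoSize | Out-Host

# 4. ADCS never issues a certificate that outlives the CA certificate that
#    signs it, so the real ceiling is the lesser of the configured period and
#    the remaining life of the newest CA certificate in the Personal store.
$newest = $caCerts | Where-Object { $_.Store -eq 'My' } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if ($newest) {
    $yearsLeft = [math]::Round(($newest.NotAfter - $now).TotalDays / 365.25, 2)
    "Newest CA certificate expires : $($newest.NotAfter) (about $yearsLeft years left)"
    if ($reg.ValidityPeriod -eq 'Years' -and $reg.ValidityPeriodUnits -gt $yearsLeft) {
        "WARNING: the configured $($reg.ValidityPeriodUnits)-year period exceeds the CA " +
        "certificate's remaining life; issued certificates will be truncated to $($newest.NotAfter)."
    }
}

# 5. An Enterprise CA publishes its CA certificates to Active Directory, and
#    domain members (the CA included) copy those back into their Trusted Root
#    store. This shows what AD currently publishes, i.e. what a local deletion
#    is being refilled from.
certutil -store -enterprise Root | Select-String -Pattern 'Subject:|NotAfter:|Cert Hash'
```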

Hi,
Thanks for your post.
Did you try to restart the CertSrv service to check the result after you create and save the CAPolicy.inf file?
Regards.

Similar Messages

  • How to import a Root Certificate Authority for signing

    How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
    I have the CA cert imported in keychain along with its associated private key (from a .p12), it's got the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog; the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
    Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
    Any info/leads on how to get this to work would be much appreciated.
    Regards,
    -david

    Hi Alex,
    From the ACE perspective, it doesn't make a difference whether you are using certificates issued by your local or a "well known" CA. Moreover, if I'm not mistaken, you have to configure an authentication group whether you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

    Hi,
    I am trying to install a CA root certificate on Windows 7, IE 9.
    I encounter the error: "Untrusted Certificate". "This certificate cannot be verified up to a trusted certificate authority."
    I have tried to install the certificate to Trusted Root Certificate Authorities -> local computer and the import was successful. BUT on IE -> Internet Options -> Certificate -> Trusted Root Certificate Authorities, I am unable to find this root CA on the list.
    On mmc -> Certificates -> Trusted Root Certificate Authorities -> certificates, I am able to view this root CA.
    I then restarted IE and viewed the SSL site again but it failed too, "Untrusted Certificate".
    Anyone, any idea?
    Regards,
    Eye Gee

    Hi,
    If you install the certificate but then cannot see it please read the following KB article:
    You cannot view certificate information in Windows Internet Explorer 7 or in Certificate Manager after you successfully import a certificate on a Windows Vista-based computer(although it applies to Windows Vista)
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156
    This is also because of this: Microsoft Security Advisory: Update for minimum certificate key length
    http://support.microsoft.com/kb/2661254
    To get rid of the error, you can install the self-signed certificate for a secured website in Internet Explorer.
    To do this, follow these steps:
    1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.
    2. In Windows Internet Explorer, click Continue to this website (not recommended).
    A red Address Bar and a certificate warning appear.
    3. Click the Certificate Error button to open the information window.
    4. Click View Certificates, and then click Install Certificate.
    5. On the warning message that appears, click Yes to install the certificate and place it in your trusted certificate authorities.
    6. Exit Explorer, then open the page again. The error should be gone.
    I also would like to suggest you refer to the link below to learn more about certificates:
    Certificate errors: FAQ
    http://windows.microsoft.com/en-HK/internet-explorer/certificate-errors-faq#ie=ie-11
    Understanding Certificate Revocation Checks
    http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support

  • Certificate Authority Problem.

    Hi Gurus.
    I have an OIM 10.1.4 installed on Windows.
    I'm trying to access the Certificate Authority but I can't.
    When I access https://localhost:6600/oca/admin and click on the Certificate Management tab, I receive an error: Page not found.
    The OCA is started (ocactl start).
    Does somebody know what's happening?
    I think that this is a local problem.
    Thanks in advance

    Anything on the Apache logs? Everything started? Check OEM

  • Request Smartcard Logon certificates for more than 2 years from Certificate Authority

    Dear all,
    I have set up Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage http://ipofdomainserver/certsrv using the SmartCard logon custom template.
    The problem is that my certificates are only valid for 2 years even though, when I created my custom Smartcard logon template, I selected a validity period of 5 years.
    I read in the documentation that issued certificates cannot have a greater validity than the root that signed them.
    What should I modify, and where, to be able to request certificates from the template for more years than the standard 2?
    PS: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA? How?

    I was able to create a root CA valid for 20 years, issue a certificate and log in using a smartcard with the following procedure:
    1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
    I created the file CAPolicy.inf in %SYSTEMROOT% with the following content:
    [Version]
    Signature="$Windows NT$"
    [certsrv_server]
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    2. Renew the CA root using this guide https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
    Console Root -> Certification Authority -> select domain -> Right click -> All Tasks -> Renew CA certificate
    3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from Certificates (local computer) -> Personal, the *WINSC-CA that had the lower validity
    4. I performed a reboot here
    5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
    6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
    to value 10 for 10 years.
    7. Request a new certificate from the CA webpage http://ipofdomain/certsrv and let the webpage write it to the smartcard (I was making sure there was no other certificate on the smartcard)
    8. Try to log in. At this point it should throw an error that smartcard logon is not supported for this account type. This is because we need to enroll it again for domain authentication
    9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks -> Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
    Now you should be able to log in using your smartcard and the generated 10-year certificate.
    Though I have a problem at step 3: after the CA server reboots, the *WINSC-CA certificate with lower validity is restored automatically, but the certificates are generated for 10 years.
    What am I doing wrong? How can I delete the lower validity root CA?

  • Certificate Authority chain issue

    Hello,
    I have a problem with using root and sub Certificates in our PKI environment. Specifically, I have a problem with the way the Java implementation of certificates is working in our environment.
    We use Entrust as our external Certification Authority. We are a predominantly Microsoft environment and have implemented PKI for user accounts and Smartcard logons across our domain. Our certificates are generated under Entrust's certification authority and we have added their DCOMROOTCA and DCOMSUBCA (Root and Subordinate) certificates to our Trusted Root Certification Authorities store for all MS clients. Entrust have recently reissued their DCOMROOTCA and DCOMSUBCA certificates and we have included those new certificates in our Trusted Root Certification Authorities store. The old Entrust certificates are still valid and don't expire for another 2 years. Our PKI environment and authentication continue to work as normal in an MS environment.
    In a Windows environment which is using Microsoft's implementation of certificates, a smart card which was issued under Entrust's old root certificate will successfully authenticate with a certificate issued under Entrust's new root certificate.
    I am having a problem with VMWare View. VMWare View is a Web interface broker server which uses Java's implementation of certificate security, i.e. it uses keytool.exe and cacerts as its trusted certificate store. I have secured the web interface with a certificate issued under Entrust's new root certificate. I am trying to authenticate with a smart card which has been issued with a certificate under Entrust's old root certificate. This has not been successful. I have imported the old DCOMROOT and DCOMSUB certificates and the new DCOMROOT and DCOMSUB certificates into the cacerts file. The client (a Wyse Terminal) also has the old and new DCOMROOT and DCOMSUB certificates in its trusted store. When I attempt to log on I get the following event in the logs on the Web interface broker server:
    16:54:18,789 DEBUG <pool-1-thread-17> PooledProcessor SSL handshake exception from /10.42.2.138:2867, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
    If I reissue the Smartcard with a new certificate which has been generated under Entrust's new root and sub certificates I am able to successfully authenticate.
    The conclusion I can draw from this is that Java certification (at least in the way I have set it up) breaks if a new issuing certificate is being used to generate a certificate to secure the Web interface and an old issuing certificate is being used on a smart card / client.
    Does this sound correct? Is this a known issue or have I not imported or set up the certificate chains correctly?
    Any advice would be most welcome.
    Many thanks,
    Ben

    Hi,
    thanks for your reply.
    Here is some more from the log. The log has some VMWare specific entries.
    Many thanks again,
    Ben

  • WINDOWS MANAGEMENT FRAMEWORK 4.0 - A required certificate is not within its validity period

    Hello, 
    I can't figure out if this is because the Root Certificates were updated in April 2014 and then apparently expired by Microsoft, or if the PowerShell installer signed this file with a bad software release signature.
    We were deploying PowerShell 4.0 (Windows6.1-KB2819745-x64-MultiPkg.msu) with ConfigMgr 2012 with a dependency on .NET Framework 4.5.1. Everything was working fine until sometime around April 24 (exact date unknown). Now any Win 7 SP1 machines I try to update will not install WMF 4.0. They installed .NET 4.5.1 without any trouble.
    The digital signature on it states it was signed Sept 27 2013 and the certificate expires 4/24/2014.
    Even if we change the system clock to April 1 2014 it still will not install, but this shouldn't matter anyway. They just can't sign new software with that certificate; surely I can install it.
    As for a log, if I run: C:\Windows\ccmcache\3>wusa.exe Windows6.1-KB2819745-x64-MultiPkg.msu /log:c:\windows\ccmcache\3\broken.txt
    In the broken.txt I see:
    Install Worker.01194: Operation Result Code of the installation: 0X4        HRESULT of the installation: 0X80240022                Operation Result Code of the update:0X4 HRESULT of the update: 0X800b0101
    Install Worker.01243: Failed install update Update for Windows (KB2819745)
    Install Worker.01287: Exit with error code 0X800b0101 (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.)
    WINDOWS MANAGEMENT FRAMEWORK 4.0 FOR MICROSOFT OPERATING SYSTEM PRODUCTS
    Windows6.1-KB2819745-x64-MultiPkg.msu
    I also see this same event information in the Setup event log.
    I don't know what to do here. Anyone else having this problem?

    Hi,
    Have you ever seen this article?
    Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server
    http://support.microsoft.com/kb/2328240/en-us
    Alex Zhao
    TechNet Community Support

  • ISE Certificate Authority Certificate

    I'm confused about the certificates:
    Some weeks ago a certificate was installed in the ISE to avoid the browser certificate error when the customer accesses the sponsor portal ...
    Now, the customer is requesting to authenticate the sponsor users through LDAPS ... I understand Active Directory or LDAP as External Identity Sources are not secure. So, in order to enable LDAPS we must check the Secure Authentication box in the LDAP configuration, but a ROOT CA must be chosen also.
    I understand the ISE should validate the customer PKI in order to validate the user certificate ... Am I right?
    Do I need to request the customer to provide me the "Certificate Authority Certificate" from its PKI?
    Is it a file completely different from the certificate already loaded in the ISE?
    With this certificate, would the ISE validate the user's computer certificate in addition to user and password?
    Would the user have to use a computer with a certificate in order to access the sponsor portal?
    Thanks in advance.
    Regards
    Daniel Escalante.

    Please follow the "Secure Authentication" row in the table below (highlighted).
    Go to > LDAP Connection Settings
    The table lists the fields in the LDAP Connection tab and their descriptions.
    Table: LDAP Connection Tab
    Option: Description
    Enable Secondary Server: Check this option to enable the secondary LDAP server to be used as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.
    Primary and Secondary Servers
    Hostname/IP: (Required) Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).
    Port: (Required) Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.
    Access: (Required) Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.
    Authenticated Access: Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.
    Admin DN: Enter the DN of the administrator. The Admin DN is the LDAP account that permits searching of all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP.
    Password: Enter the LDAP administrator account password.
    Secure Authentication: Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.
    Root CA: Choose a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate. See the "Certificate Authority Certificates" section on page 12-17 and "Adding a Certificate Authority Certificate" section on page 12-19 for information on CA certificates.
    Server Timeout: Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. The default is 10.
    Max. Admin Connections: Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.
    Test Bind to Server: Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

  • How to find/replace existing certificates before decommissioning certificate authority?

    We plan to decommission a multi-use server that also contains our internal certificate authority and replace it with new dedicated CA servers in a more secure design (offline root CA etc.).
    Before we decommission our existing CA servers, how do we find a list of all the issued certificates that are still valid?
    We would need to replace all those old certificates with new certificates from our new CA so the applications that use them don't break when the old certificates are removed/revoked, and before we remove the GPO setting that makes our current CA a trusted root CA for our domain computers.

    On the CA server you can filter issued certificates by the "Certificate Expiration Date" column. In the Certification Authority MMC snap-in, select the Issued Certificates folder, then click View -> Filter. Add a filter that selects certificates where "Certificate Expiration Date" is greater than the current date.

  • Certificate Authority - Custom Temp not showing up. W2k8R2ent

    Hi Guys,
    Couldn't see a forum for CA so I had to post it here. Hopefully it's the right place.
    (Server is a test domain, 1 single AD, no replication. Running Win 2k8 R2 Enterprise)
    So here's the issue: I am trying to create and export certificates for other users (eobo).
    It works fine. But I want to do this through certreq and in order to do that I have to create a custom cert, which I did by duplicating the User template.
    In the new template CopyOfUser I changed (or confirmed) the following settings:
    General Tab = Publish Cert in Active Directory
    Request Handling = Allow private key to be exported & Enroll subject without requiring any input
    Security: I am logging in as domain administrator and it has Read/Write/Enroll
    Issuance Req: This number of authorized signatures = 1
    & Application Policy & Client Authentication.
    Subject Name: Build from AD (Fully Distinguished name)
    Selected boxes: Include email name / Email name / UPN
    Now the problem is I cannot see the custom template under Enable Certificate Templates.
    I am very new to CA so I am sure I am missing something or doing something wrong.
    Would love some help.

    Hi,
    I'd suggest, if the steps below don't help, removing the CA. Make sure you are using the Enterprise Edition of Windows (no upgrade from 2K3 or 2K9 standard) and install it again as an Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
    Open ADUC and navigate to [Builtin > Users > Properties > Members] and make sure the following security groups are present:
     - Authenticated Users
     - Domain Users
     - Interactive
    Open ADSI Edit and navigate to [Domain Naming context > DC=<DomainName>, DC=<DomainName> > CN=Users > CN=Cert Publishers > Properties > Security] and give [Read] and [Write] permissions to the [Authenticated Users] group.
    Restart the CA.
    Check permissions on the CA:
    Open the [Certificate Authority] console, right click on [Properties > Security] and add the following permissions:
    [Authenticated Users]
    [V] Request Certificates
    [Domain Admins]
    [V] Read
    [V] Issue and Manage Certificates
    [V] Manage CA
    [V] Request Certificates
    [Enterprise Admins]
    [V] Issue and Manage Certificates
    [V] Manage CA
    [Administrators]
    [V] Issue and Manage Certificates
    [V] Manage CA
    [V] Request Certificates
    [Domain Controllers]
    [V] Read
    [V] Issue and Manage Certificates
    [V] Manage CA
    [V] Request Certificates
    [Domain Computers]
    [V] Read
    [V] Request Certificates
    I will appreciate it if you give feedback on whether this has helped you. If yes, please select "Mark as answer".
    Best Regards,
    Spas Kaloferov

  • Certificate Authority for Exchange 2013

    Dear,
    I will install Exchange 2013; do I also need to install the Certificate Authority role?
    If it is necessary to install this CA, is it simply combined with the ADDS server or the Exchange Server, or does it go on a separate server?
    Thanks

    Hi,
    As all the above says, Exchange 2013 can use the self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would not be trusted for Exchange use.
    If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate for Exchange use.
    To get a trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate for use.
    About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a Root Certification Authority, please refer to:
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand it, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN -> Certificate Management -> Local Certificate Authority -> Manage User Database) along with their email addresses, to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have a fixed IP address tied to an individual user.
    Using the legacy Cisco VPN Client, I can do it using an IPsec (IKEv1) Connection Profile, where I set a Pre-Shared Key and Client Address Pools. Each Client Address Pool has only 1 fixed IP address.
    Example: let's say my username is LLH.
    The Connection Profile for me is LLH-Connection-Profile; my profile is protected by a preshared key.
    The Client Address Pool for me is LLH-pool, and the IP is 172.16.1.11.
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have a problem. A user can use any connection profile because I cannot set a preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    The AnyConnect Connection Profile for me is LLH-Connection-Profile, without any password.
    The Client Address Pool for me is LLH-pool, IP is 172.16.1.11.
    Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc, and this user-abc can access a server which only allows my IP to access it.
    I hope the above description paints the scenario more clearly.
    Thanks in advance for all the help and comment given.

  • Certificate Authority not working when signing documents (Active Directory)

    We recently went to an Active Directory structure at my job, and we do a lot of signatures. Part of the Active Directory setup was an auto-certificate authority setup. I went to sign a document recently and the signature will not apply. I went into the trust tab and clicked to trust the certificate, and then backed out, but it still will not sign. When I click to sign the document nothing happens. There are red Xs next to everything in the trust tab.
    Any ideas? I am wondering if there is something I can do in Adobe to let it know that the certificate is trusted?
    Any help would be appreciated.

    When Acrobat builds the signature object (which is created when you sign), it tries to populate the object with as much data as possible in order to facilitate long term validation. This means that it is trying to add all of the certificates in the signature chain to the PDF along with all of the corresponding revocation information (which is either an OCSP response or a CRL). This way, after the signer's digital ID expires all of the validation collateral will still be available; otherwise you would get an Unknown signature after the signer's cert expired.
    In order for Acrobat to get the revocation information, trust has to be established. When you create the signature Acrobat tries to gather all of the certificates in the signing chain. After it has finished building the chain it walks the chain from the bottom up (the bottom being the signer's certificate) and checks to see if the cert is a designated trust anchor. Once it finds a trust anchor it will try to procure revocation info for each cert below the trust anchor, but not the trust anchor itself. After it has gathered up all of the rev info it writes it into the PDF file along with the certificates. So, when it comes to signature creation, it's good to add the certificate that is at the root (top) of the signing chain to the Manage Trusted Identities list and trust it for signing and certifying. That way when you do sign, all of the rev info will be written into the file.
    The next thing to realize is that Acrobat can only retrieve the revocation info if it knows where to get it from. Each certificate in the signing chain except for the root cert should have an extension that tells Acrobat where it can download the information. For an OCSP response the URI is in the Authority Information Access (AIA) extension and for a CRL the URI is in the CRL Distribution Point (CRLdP) extension. If there is an entry in either of these two extensions that is not valid (that is, either it doesn't exist or it exists but doesn't really provide the expected data) then Acrobat will try to download the data, but the download will fail. Thus, you end up with a signature in an Unknown state because revocation checking must succeed if there is an AIA or CRLdP extension. What you need to check is: does the certificate have one or both of these two extensions, and if so, does it lead to a successful download?
    Steve

  • Certificate authority is not installed

    Hi
    SBS 2011 std.
    In Fix My Network wizard I am getting 'certificate authority is not installed' and the wizard is unable to fix the problem. I have checked and Active Directory Certificate Services is installed under Roles.
    How can I fix this please?
    Thanks
    Regards

    Hi,
    Looks like a corrupt package, please follow
    Uninstall the CA server role
    1. On the server that is running SBS 2011 Essentials, click  Start , point to Administrative Tools , and then click Server Manager .
    2. Right-click Roles , and then select Remove Roles .
    3. On the Before You Begin page, click Next .
    4. Click to clear the Active Directory Certificate Services check box, and then click Next .
    5. On the Confirm Removal Selections page, click Remove .
    6. Click Close , and then restart the server.
    7. After the server restarts, click Close when you are prompted by a message that reads
    Removal Succeeded.
    Reinstall the CA server role
    1. On the server, click Start , point to Administrative Tools , and then click Server Manager .
    2. In the Roles Summary section, click Add Roles .
    3. On the Before You Begin page, click Next .
    4. On the Server Roles page, select Active Directory Certificate Services , and then click Next .
    5. On the Introduction to Active Directory Certificate Services page, click Next .
    6. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment , and then click Next .
    7. On the Specify Setup Type page, select Standalone , and then click Next .
    8. On the Specify CA Type page, select Root CA , and then click Next .
    9. On the Set Up Private Key page, select Use existing private key , select Select a certificate and use its associated private key option, and then click Next .
    10. On the Select Existing Certificate page, select the <Server_Name> -CA certificate, and then click Next .
    Note In this certificate name item, < Server_Name> is the name of the destination server.
    11. On the Configure Certificate Database page, accept the default locations, and then click Next .
    12. Confirm your selections, and then click Install .
    13. When the wizard is finished, click Close , and then restart the server.
    14. At an elevated command prompt, run the following commands:
    • CertUtil -setreg CA\ValidityPeriod Years
    • CertUtil -setreg CA\ValidityPeriodUnits 30
    Verify the installation
    1. Click Start , point to Administrative Tools , and then click Certification Authority .
    2. Right-click the server name, and then click Properties .
    3. Click the Extensions tab.
    4. In the list that is displayed, click http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl .
    5. Make sure that the following options are selected:
    • Include in CRLs. Clients use this to find the Delta CRL location .
    • Include in the CDP extension of issued certificates .
    6. Click OK to save your changes.
    7. When you are asked to restart Active Directory Certificate Services, click Yes .
    8. Close the Certification Authority screen.
    Add the server and the clients to the Dashboard
    1. Locate the following folder: C:\Program Files\Windows Server\Bin\ .
    2. Right-click the Wsspowershell.exe file, and then click Run As Administrator .
    Note A new window that runs PowerShell opens.
    3. In the PowerShell windows, type Add-WssLocalMachinecert .
    4. Rerun the connector installation on all client computers. For more information about how to install the client connector, see How do I connect compu
    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

  • How do I set up my own certificate authority

    I tried Google on the above question, and the most recent thing I found was 7 years old. Replacing the phrase used generates a lot of hits with a very poor signal-to-noise ratio.
    I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
    I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
    At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
    If you know of an URL where this is well explained and illustrated, great. Give that to me.
    Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
    Any assistance would be appreciated.
    Thanks,
    Ted
    ========failed attempt=====================
    # Generation of Certificate Authority(CA)
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
    # Create server request and key
    openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove the passphrase from the key
    openssl rsa -in server-key.pem -out server-key.pem
    # Sign server cert
    openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
    # Create client request and key
    openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove a passphrase from the key
    openssl rsa -in client-key.pem -out client-key.pem
    # Sign client cert
    openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

    The following works for me:
    NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
    1. Create CA key and certificate
    1.1 Create a new file called "serial" containing the value "01".
    1.2 Create an empty file "index.txt"
    1.3 Create a subdirectory "newcerts"
    1.4 Execute.... create a key for your CA
    [ben@localhost ca]$ openssl genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    .....................................+++
    ..........................................................+++
    e is 65537 (0x10001)
    1.5 Execute... create a certificate for your own CA
    [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [GB]:
    County or State (full name) []:
    City or town (eg, Hitchin) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    2. Create PK key and .csr
    2.1 Execute...
    [ben@localhost ca]$ keytool -genkey -alias PK
    Enter keystore password: password
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=, OU=, O=, L=, ST=, C=GB correct?
    [no]: yes
    Enter key password for <PK>
    (RETURN if same as keystore password):
    2.2 Create .csr
    [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
    Enter keystore password: password
    3. Sign PK with CA cert
    [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
    Using configuration from ./openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Jan 5 19:48:33 2006 GMT
    Not After : Jan 5 19:48:33 2007 GMT
    Subject:
    countryName = GB
    stateOrProvinceName =
    organizationName =
    organizationalUnitName =
    commonName =
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
    X509v3 Authority Key Identifier:
    keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
    DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
    serial:F0:D1:38:36:65:6D:71:D5
    Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    4. Convert PK certificate into DER format
    [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
    5. Import CA certificate into keystores
    [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
    Enter keystore password: password
    Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Serial number: f0d13836656d71d5
    Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
    Certificate fingerprints:
    MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
    SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    6. Import signed PK into keystore
    [ben@localhost ca]$ keytool -import -alias pk -file PK.der
    Enter keystore password: password
    Certificate reply was installed in keystore
    REF:
    http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
    http://www.openssl.org/docs/apps/ca.html#
    openssl.cnf:
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME               = .
    RANDFILE          = $ENV::HOME/.rnd
    # Extra OBJECT IDENTIFIER info:
    #oid_file          = $ENV::HOME/.oid
    oid_section          = new_oids
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions          =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    [ new_oids ]
    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    [ ca ]
    default_ca     = CA_default          # The default ca section
    [ CA_default ]
    dir          = .               # Where everything is kept
    certs          = $dir/certs          # Where the issued certs are kept
    crl_dir          = $dir/crl          # Where the issued crl are kept
    database     = $dir/index.txt     # database index file.
    #unique_subject     = no               # Set to 'no' to allow creation of
                             # several certificates with same subject.
    new_certs_dir     = $dir/newcerts          # default place for new certs.
    certificate     = $dir/cacert.pem      # The CA certificate
    serial          = $dir/serial           # The current serial number
    #crlnumber     = $dir/crlnumber     # the current crl number must be
                             # commented out to leave a V1 CRL
    crl          = $dir/crl.pem           # The current CRL
    private_key     = $dir/private/cakey.pem     # The private key
    RANDFILE     = $dir/private/.rand     # private random number file
    x509_extensions     = usr_cert          # The extensions to add to the cert
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt      = ca_default          # Subject Name options
    cert_opt      = ca_default          # Certificate field options
    # Extension copying option: use with caution.
    # copy_extensions = copy
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions     = crl_ext
    default_days     = 365               # how long to certify for
    default_crl_days= 30               # how long before next CRL
    default_md     = md5               # which md to use.
    preserve     = no               # keep passed DN ordering
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    # For the CA policy
    [ policy_match ]
    countryName          = match
    stateOrProvinceName     = match
    organizationName     = match
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName          = optional
    stateOrProvinceName     = optional
    localityName          = optional
    organizationName     = optional
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    [ req ]
    default_bits          = 1024
    default_keyfile      = privkey.pem
    distinguished_name     = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca     # The extensions to add to the self signed cert
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix      : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    # we use PrintableString+UTF8String mask so if pure ASCII texts are used
    # the resulting certificates are compatible with Netscape
    string_mask = MASK:0x2002
    # req_extensions = v3_req # The extensions to add to a certificate request
    [ req_distinguished_name ]
    countryName               = Country Name (2 letter code)
    countryName_default          = GB
    countryName_min               = 2
    countryName_max               = 2
    stateOrProvinceName          = County or State (full name)
    stateOrProvinceName_default     =
    localityName               = City or town (eg, Hitchin)
    localityName_default          =
    0.organizationName          = Organization Name (eg, company)
    0.organizationName_default     =
    # we can do this but it is not needed normally :-)
    #1.organizationName          = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd
    organizationalUnitName          = Organizational Unit Name (eg, section)
    organizationalUnitName_default     =
    commonName               = Common Name (eg, your name or your server\'s hostname)
    commonName_max               = 64
    emailAddress               = Email Address
    emailAddress_max          = 64
    # SET-ex3               = SET extension number 3
    [ req_attributes ]
    challengePassword          = A challenge password
    challengePassword_min          = 4
    challengePassword_max          = 20
    unstructuredName          = An optional company name
    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType               = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment               = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    # Some might want this also
    # nsCertType = sslCA, emailCA
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
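    The following is an added example, not code from any post on this page or from the OpenSSL project. It serves two of the threads above: Ted's question about getting `openssl ca` to sign anything at all, and Steve's point that a verifier such as Acrobat reads the AIA and CRL Distribution Point extensions to find revocation data. It builds a private CA with the same index.txt/serial/newcerts layout as the working answer, but with sha256 and 2048-bit keys instead of the md5 and 1024-bit defaults in the posted openssl.cnf (current verifiers reject both), issues one leaf certificate carrying AIA and CRLDP extensions, verifies the chain, and lists the URIs a verifier would fetch. It assumes `openssl` is on PATH; the subject names and the `.invalid` URIs are placeholders and point at no real service.

```shell
#!/bin/sh
# Added example (not from this page or the OpenSSL project): a small private CA
# driven by `openssl ca`, plus a check of the revocation pointers on an issued
# certificate. Assumes `openssl` is installed; all names/URIs are placeholders.
set -e

# Write a minimal openssl.cnf and create the CA key and self-signed CA cert.
make_ca() {
  workdir="$1"
  mkdir -p "$workdir/newcerts" "$workdir/private"
  : > "$workdir/index.txt"          # empty certificate database
  echo 01 > "$workdir/serial"       # first serial number, as in the answer above
  cat > "$workdir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $workdir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Example Test CA
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
# Placeholder revocation endpoints: where a verifier looks for OCSP/CRL data.
authorityInfoAccess    = OCSP;URI:http://ocsp.example.invalid/
crlDistributionPoints  = URI:http://crl.example.invalid/ca.crl
EOF
  openssl genrsa -out "$workdir/private/cakey.pem" 2048 2>/dev/null
  openssl req -config "$workdir/openssl.cnf" -new -x509 -days 365 \
    -key "$workdir/private/cakey.pem" -out "$workdir/cacert.pem" 2>/dev/null
}

# Issue a leaf certificate for the given common name. -batch answers the
# "Sign the certificate?" prompts shown in the transcript above.
issue_leaf() {
  workdir="$1"; cn="$2"
  openssl genrsa -out "$workdir/leaf.key" 2048 2>/dev/null
  openssl req -config "$workdir/openssl.cnf" -new -key "$workdir/leaf.key" \
    -subj "/CN=$cn" -out "$workdir/leaf.csr" 2>/dev/null
  openssl ca -config "$workdir/openssl.cnf" -batch -notext \
    -in "$workdir/leaf.csr" -out "$workdir/leaf.pem" 2>/dev/null
}

# Exit 0 if the leaf chains to the CA certificate.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Print the OCSP (AIA) and CRL (CRLDP) URIs a verifier would try to fetch.
revocation_uris() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\(http[^[:space:]]*\).*/\1/p'
}

demo="$(mktemp -d)"
make_ca "$demo"
issue_leaf "$demo" www.example.test
verify_chain "$demo" && echo "chain OK"
revocation_uris "$demo/leaf.pem"
```

    Run as-is it prints "chain OK" followed by the two placeholder URIs. Pointing `revocation_uris` at a certificate from a real issuing CA shows exactly which endpoints Acrobat will contact; if one of them does not answer, the signature ends up in the Unknown state Steve describes.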
