Certificate Authority Server (Digital Certificate)

Hi Everyone,
We are planning to buy a digital certificate manager, which we will be using to issue certificates to all the Cisco routers placed at ATM machines,
so that they can be authenticated and then be connected via VPN to the main branch.
I did some googling and found many certificate authority issuing servers, like RSA, DigiCert, IBM and many more; I am just confused about which one is best to implement here.
Any suggestion will be highly appreciated.

If this is internal and you only need it for devices you control, you can create your own Certificate Authority on Linux/Windows:
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx (windows)
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ (linux - fedora)
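An added example, not part of the thread above, of the Linux route the reply points at: a two-tier "be your own CA" with OpenSSL. It builds an offline root, an online issuing CA and a certificate for one router, then runs the chain check a VPN peer would run. It also shows why the CA constraints matter: a second CA created under the issuing CA signs fine, but certificates from it fail verification because the issuing CA carries pathlen:0. The names (Example Root CA, atm-router-01.example.net) and the directory layout are assumptions for the example; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread above: a two-tier "be your own CA" with
# OpenSSL on Linux. Builds an offline root, an online issuing CA and a router
# certificate, then shows the chain check a VPN peer performs.
# Assumptions: openssl is on PATH; every name (Example Root CA,
# atm-router-01.example.net) is made up.
set -eu

# Minimal req config: -subj supplies the DN, so [dn] stays empty. The
# v3_root extensions only apply to the self-signed root (openssl req -x509).
REQ_CNF='[req]
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
'

# Sign a new key under an existing CA in the same directory.
# $1=dir $2=name $3=issuer name $4=extension file $5=days $6=subject
issue() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "$6" -config "$1/req.cnf" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -days "$5" -extfile "$4" -out "$1/$2.crt" 2>/dev/null
}

build_pki() { # $1=directory to populate
  d="$1"; mkdir -p "$d"
  printf '%s' "$REQ_CNF" > "$d/req.cnf"
  # Root: self-signed, pathlen:1, so it may certify one CA tier below it. In
  # production root.key lives on a machine that stays off the network.
  openssl genrsa -out "$d/root.key" 4096 2>/dev/null
  openssl req -new -x509 -key "$d/root.key" -days 3650 -subj "/CN=Example Root CA" \
    -config "$d/req.cnf" -out "$d/root.crt"
  # Issuing CA: CA:TRUE with pathlen:0, so it can sign devices but not more CAs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ca.ext"
  issue "$d" issuing root "$d/ca.ext" 1825 "/CN=Example Issuing CA"
  # Router certificate: end entity, client+server auth, SAN carrying its DNS name.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth,serverAuth\nsubjectAltName=DNS:atm-router-01.example.net\nauthorityKeyIdentifier=keyid\n' > "$d/device.ext"
  issue "$d" atm-router-01 issuing "$d/device.ext" 365 "/CN=atm-router-01.example.net"
  # Policy violation for the negative check: a further CA under the issuing CA
  # (openssl x509 -req signs it happily; the constraint bites at verification)
  # and a router certificate issued by that illegitimate CA.
  issue "$d" subca issuing "$d/ca.ext" 1825 "/CN=Illegitimate Sub CA"
  issue "$d" atm-router-02 subca "$d/device.ext" 365 "/CN=atm-router-02.example.net"
}

# The relying party's check: trust only root.crt, supply intermediates as
# untrusted, and let OpenSSL build and validate the path. Extra intermediate
# files may follow the leaf. Returns openssl verify's exit status.
verify_chain() { # $1=dir $2=leaf cert [$3...=extra intermediate files]
  d="$1"; leaf="$2"; shift 2
  cat "$d/issuing.crt" "$@" > "$d/untrusted.pem"
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/untrusted.pem" "$leaf" >/dev/null 2>&1
}

# Returns 0 if the certificate's subjectAltName lists the given DNS name.
has_san() { # $1=cert $2=dns name
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

d=$(mktemp -d)
build_pki "$d"
verify_chain "$d" "$d/atm-router-01.crt" && echo "atm-router-01: chain OK"
verify_chain "$d" "$d/atm-router-02.crt" "$d/subca.crt" \
  || echo "atm-router-02: rejected, issuing CA has pathlen:0"
rm -rf "$d"
```

The VPN headend would be configured with root.crt (or issuing.crt) as its trusted CA and each router enrolled with its own key and certificate; the pathlen values are what stop a compromised issuing CA from minting a new CA tier that the headend would accept.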

Similar Messages

  • Licensing requirement for deploying Certificate Authority Server

    Is there any separate license that we need to purchase from Microsoft in order to use and implement Microsoft Certificate Authority Server
    in an organization, or is it a free feature which comes as part of Windows Server licensing?
    Also, do we require any separate license for clients connecting to or using the certificates?
    If there is any licensing involved, kindly share information on the same.
    Server - 2008 R2
    Clients - 7, 8, 8.1

    Hi Rahul,
    In addition, if there are any specific queries about licensing in the future, you may contact Microsoft via phone numbers listed here:
    Microsoft Volume Licensing Activation Centers Worldwide Telephone Numbers
    http://www.microsoft.com/licensing/existing-customers/activation-centers.aspx
    Best Regards,
    Amy

  • Creating Node data on Author server from outside source?

    I was wondering if it is possible to create node data on the author server from an outside source, such as the publish server, without using reverse replication?
    I.e.,
    a user accesses a form page on the publish server, enters data and submits the form, which somehow would create node data directly on the author server without storing any data on the publish server.
    Is this even possible?
    Thanks

    Thank you for all the responses.
    Yes, I do agree that not using reverse replication as the system is designed is not exactly a wise design choice. The problem I am facing is that the end-user-generated content is security sensitive and cannot be stored on the publish instance (even temporarily).
    I have managed to write a servlet on the Author server to accept the POST data and create node data in the Author repository.
    However, to do this, I have had to disable login/security on the Author server for the servlet path (i.e. /bin/posthandlerservlet) so that the author servlet can be accessed from the outside. The firewall has also been adjusted to let traffic through as well.
    Now my remaining question would be: is opening up this path to the Author server much more dangerous and less secure than creating the node data on the Publish server in a place with protected access? We are really worried that the node data created on the publish server could somehow be accessed by end users in the event of a security problem.

  • Upgrading PowerShell 2.0 to 3.0 on a Windows Server 2008 SP 2 Enterprise Certification Authority server

    Hello All:
    Are there any caveats to upgrading PowerShell 2.0 to 3.0 on a customer's Certification Authority server? The customer will also be upgrading to SCCM 2012 and employ this server as a Distribution Point.
    Any feedback would be greatly appreciated.
    Thank you.

    Hi Erik,
    I haven't tried to upgrade PowerShell on a Certification Authority server; however, Windows Management Framework 3.0 requires Microsoft .NET Framework 4.0, and you need to change the .NET version on Server 2008 SP2.
    For more detailed installation instruction, please follow this article:
    Windows Management Framework 3.0
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang

  • Publish to Staging and Production from the Authoring server

    Hi,
    Is it possible to configure CQ in such a way that, when the user activates content, it will be published to the Staging server,
    and then the user can trigger a workflow in the same authoring server and send the content to the production server?
    Or is there another way round?
    Basically the user does not want to log in to multiple CQ instances.
    Thanks

    You would have to implement several things to allow this to work:
    You need replication agents for all the production publish servers and the staging servers. To simplify your life you will probably want to set up your dispatcher agents on your publish and staging servers so you don't have to deal with them during the workflow.
    You need to decide how you want the standard activation tools (activate button, activate later, other possible workflows) to behave. You have a couple of options:
    Have the default activation behaviors publish to both environments
    Have the default activation only publish to production publish
    Have the default activation only publish to staging
    Have the default activation do nothing
    Based on that decision above you may have to check the Ignore Default option on the Triggers tab of the replication agents that shouldn't get anything on the standard publish.
    Create a workflow process that will publish only to selected publish instances. Most likely this will be a step that only publishes to your Staging server, in which case you need some configuration mechanism which identifies which replication agents are staging agents.

  • Change domain membership of enterprise certificate authority server

    Hello,
    I'm just wondering if a certificate authority can be a member of a domain in another forest. A colleague decided to deploy a new AD forest from scratch and joined all the workstations to a new domain controller; however, he didn't realize that there was an
    enterprise certificate authority still running on the old domain controller.
    They are running Windows Server 2008 R2.
    Regards,
    Alberto Reis

    If the question is "Can the clients still enroll for certificates from the CA in the other forest?":
    On principle yes, but you would need to deploy one of these solutions for cross-forest enrollment:
    Certificate Enrollment Web Services in Windows Server 2008 R2
    (AD CS roles, HTTPs based enrollment)
    AD CS: Deploying Cross-forest Certificate Enrollment
    (Powershell scripts syncing objects cross-forest)
    If the question is "Can the CA be migrated to the new forest?"
    It depends on the AIA and CDP URLs that had been used in the other forest. The CA still needs to publish current CRLs to the "old" locations that are embedded in already issued certificates. If the default URLs had been used, these point to LDAP locations in the old forest.
    In principle it can be done if there is still one old DC and clients can access the other forest... and you set up some manual publication to the other forest... but this gets kind of messy.
    It would be easier to install a new CA from scratch in the new forest with new URLs and make sure that all clients enroll for new certificates. But if you aren't 100% sure you "caught" all applications using the old certificates, you would need to keep
    at least one of the old CDP URLs active.
    The CA should also not run on a domain controller - this makes it even more complicated. I am not sure if this is supported.
    Elke

  • Certificate Authority Server- Why?

    I don't know much about CA servers.
    But we need to access our .NET-based applications through the Internet, so we have to get SSL certificates.
    In future we need many applications to be accessed from the Internet.
    Someone suggested that I install a CA server to give SSL certificates to these applications.
    Can anyone explain this?
    Thanks

    Generally internet facing services and applications will use commercially issued SSL certificates from a provider such as Verisign, GoDaddy, etc... The benefit to standing up your own CA is that there is no cost for the issuance. However, it takes additional hardware, software and technical know-how to set it up and make sure it continues to work. For many organizations with little to no expertise, there is little money to be saved by trying to do this on your own. More often than not, the installation and configuration is much more involved than anticipated and if it even gets properly installed, it is often neglected afterwards and eventually leads to outages and business impact. I would buy a commercial certificate now and if you ever get to a point where you are spending A LOT of money on these public certificates and you believe you could hire or contract the resources to install and support the CA, then you can look at doing it in-house.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Certificate authority server

    Hi,
    I am using 2 Windows 2008 servers, one for the root certificate and another for the subordinate certificate.
    I want to move the root certificate to a domain controller server and eliminate the current one.
    I know that I can back up the root CA and restore it on the new server.
    My question: what about the subordinate certificate server, do I need to point it again to the new root certificate, or anything else?
    Thanks and kind regards

    Did you read the meat of Vadim's reply?
    1) Do not install ADCS on a domain controller, ever!
    2) A root CA should be offline, not installed on any server connected to the domain
    3) The subordinate CA should be online, a domain member (and never installed on a DC).
    Your proposal is a worst-practices proposal and I would not proceed down that path.
    Look at this as a guide:
    http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
    Brian

  • Oracle Tutor 14 Author server installation and Publisher Client-Server installation

    Hi all,
    does anyone know about the installation of the Tutor Author 14 server version and how to set up the Publisher Client-Server architecture?
    Please share any document or link that can guide with this.
    thanks and regards,
    SD

    Hi,
    Are you on Itanium or x86? Your log says "inux_ia32_jrockit_160_14_R27.6.5-32_jdk.zip not found"; that means you should have Itanium.
    Regards

  • Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

    Hello,
        I'm currently dealing with the following scenario:
    1. I've inherited the current infrastructure setup and the plan is to clean things up and set up a new certificate infrastructure using Windows 2012 R2.
    2. The current setup:
        a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority. It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time. It also has an expired certificate for itself, issued by the domain's issuing CA, and attempts to renew it via MMC give "Server execution failed" and STATUS: Failed when looking in Certificate Enrollment for Domain Controller. We'll call the server DC1.
        b. Certificate Authority Server, we'll call it CERT1. When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
    EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
    EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    Note: The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point a. Attempts to renew it fail.
    (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0 however an upgrade wasn't done and it's not old versions of Windows.)
        c. There is a certificate authority machine, part of what was created for a PKI infrastructure, that was kept shut down. I've powered it up and the machine is not part of the domain.
    Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 certificate infrastructure would be appreciated.
    Thanks!

    Hi Vadims,
        Basically using certificates in the following manner:
    1. User / Computer enrollment in the AD domain.
    2. Any hardware / web services (internal) that need certificates. This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that sort of thing.
        A number of machines currently show certificate errors (i.e. certificate has expired); however, that hasn't stopped things from working, just functioning differently. I'm already going on the assumption that if I remove the entire CA infrastructure and re-install a new one and have everything point to that new CA server I should be OK, but I'm not 100% certain, hence I asked on this forum.
    Also, you're correct that there is one more CA. That CA was the server that was turned off/offline that I powered on. It is not part of the AD domain that the domain controller and the other CA belong to. (It is standalone.) I'm currently patching the standalone CA since it's been off for what looks like almost 1.5 years.

  • Windows 2012 Certificate Authority

    Hi,
    Can anyone tell me if I can set up a Windows 2012 R2 Certificate Authority server with a Windows 2008 AD domain?

    Yes. Assuming your 2008 domain is at the 2008 functional level, you would join your 2012 R2 domain controller to the domain as a 2008 functional level domain and then install the Certificate Services role.
    . : | : . : | : . tim

  • Client certificate authentication on ASA 5520

    Hi,
    We have configured certificate authentication for remote access IPsec VPN and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
    We now wish to use a different CA, which is a subordinate of the existing CA, for client certificates; we want to keep the existing identity certificate using the root CA.
    How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'Certificate Management > CA Certificates' window with a new ASDM trustpoint, or are there more steps?

    Hi Paul,
    I generate a PKCS#12 file that encloses the client certificate + the associated private key + the CA cert chain.
    I deployed it on the client host machine by just sending it by e-mail / USB key / web push.
    Depending on your client OS version, the client certificate should be present in the "login" store of the keychain repository on a Mac OS X client and in the "personal" store of the certificate repository on a Windows client.
    And that's it.
    Vincent

  • Creating a certificate for 802.1x wireless access....

    I know this is a complicated issue. We are trying to set up 802.1X access to our corporate WiFi using computer identity with certificates.
    The video provided by Apple here: http://www.apple.com/education/resources/information-technology.html#authenticat ion_on_mac at the 3:04 mark the instructors talk about importing a computer identity certificate into the keychain but don't mention how it's generated in the first place.
    This is where we are stuck.
    When we think about generating the proper certificate and click on Configure under Authentication with TLS checked we get the following:
    No Certificates Found...
    We are using a Microsoft Windows Server 2008 Certificate Authority server as our in-house certificate server.
    Any help would be greatly appreciated. Thanks in advance!
    -Paul

    Step 1a. Create Wirelesscert.mobileconfig with the following, changing the defaults to match your needs.
    The "CertTemplate" key must match the name of the cert template on the server.
    You can use the same machine cert template as the PCs use. UUIDs are done in the next step.
    The "CertServer" key uses http or https depending on your cert server config.
    Generic config file, sort of:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>CertServer</key>
                <string>https://Server.domain.name/certsrv</string>
                <key>CertTemplate</key>
                <string>Your_Computer_template_name</string>
                <key>PayloadDisplayName</key>
                <string>Enter_your_name_for_the_policy</string>
                <key>PayloadIdentifier</key>
                <string>Create_payload_ident</string>
                <key>PayloadType</key>
                <string>com.apple.ADCertificate.managed</string>
                <key>PayloadUUID</key>
                <string>Change-me-to-a-new-UUID</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>deleted</key>
                <false/>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Enter_Description_here</string>
        <key>PayloadDisplayName</key>
        <string>Enter_Display_name</string>
        <key>PayloadIdentifier</key>
        <string>Enter_payload_name</string>
        <key>PayloadOrganization</key>
        <string>Enter_payload_orgname</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>SystemConfiguration</string>
        <key>PayloadUUID</key>
        <string>Change-me-to-a-new-UUID</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
    Step 1b. Create two UUIDs in the Mac command shell and paste them into the file, replacing Change-me-to-a-new-UUID with two different UUIDs.
    The command is "uuidgen". You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobileconfig.
    This must be done for every computer you install the policy on so that they are unique to that computer.
    Do these steps in a local machine admin account, not logged into the domain.
    Step 2. In Lion 7.2 (only), turn off the cert checking to prevent an endless loop (a known bug; should be fixed in an update):
       a. Open Keychain Access
       b. Click on Keychain Access in the Apple toolbar
       c. Select Preferences
       d. Select the Certificates tab
       e. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)
    Step 3. Connect using Safari to your Microsoft AD certificate server and trust the locally self-signed cert.
    Step 4. Copy the cert in the keychain from user to system.
    Step 5. Open a shell for steps 6 and 7.
    Step 6. Type sudo kinit -k (machinenamelowercase)$   ! the dollar sign is appended to the computer name
    Step 7. Type klist -l   ! verify that a ticket in Kerberos is listed under the machine name
    Step 8. Double-click on the file Wirelesscert.mobileconfig to import the profile and create the certificate.
    Step 9. Verify in the keychain that you have a system certificate.
    In the network wireless settings, click on Join the SSID:
    Mode is EAP-TLS
    Identity: X509 Certificate (the one just created)
    Username: host/(Your_Macs_Fully_qualified_name)
    I hope this helps. I now have a cert from AD on the machine and I think when it expires the plugin will renew it.
    Read the original document this is based on at http://support.apple.com/kb/HT4784
    I just need to figure out how to set a policy that uses the cert on the machine.

  • Cisco Prime Decryption Settings - Import Certificate

    Hi there,
    I have exported a PFX from a Windows server and converted it to PEM, with an unencrypted key file in PEM format also. I have done this many times before for Linux-based appliances with no problems, so I know the format is correct.
    When I go to Decryption Settings and try to import the certificate it is giving me this error: certificate: The certificate to be used by the TLS decryption engine must be enabled as a certificate authority
    I have added the root certificate of this certificate chain and the intermediate to the root authority section in Prime (Configuration > Certificates) but it still gives me this error. I could see one post on the Internet with a similar error and he had converted it from PFX to PEM like myself.
    If anyone has any tips that'd be great.
    Thanks

    Hey,
    It's actually the root certificate that is meant to be uploaded to Prime, not a standard certificate, as it turns out (I got replies from a TAC case).
    The solution is to use the root certificate from a Windows certificate authority server in a domain environment or use the self-signed certificate that Prime can generate. The root certificate then must be installed onto any machines that are using web filtering, or else they'll get a certificate warning/error when they start web browsing. If there's a certificate authority server and all your machines are joined to the domain then the certificate will more than likely already be trusted by PCs.
    Haven't got around to trying this yet though. 
    Hope this helps. 
    Shane
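An added example, not from either thread, covering the two PKCS#12 operations discussed above: the bundle Vincent describes (client certificate + private key + CA chain in one password-protected file) and the PFX-to-PEM conversion the Prime poster did, followed by the check that explains Prime's error message (is the certificate actually a CA certificate?) and the check that explains most "format is correct but it won't load" failures (does the key really belong to the certificate?). The Windows CA's output is stood in for by self-signed certificates generated inline; all names and the password are made up, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the threads above: build a PKCS#12 bundle (key +
# cert + CA chain), convert it back to PEM, and check whether the certificate
# is a CA cert and whether the key matches it.
# Assumptions: openssl on PATH; all names and the password are made up.
set -eu

# Minimal req config; -subj supplies the DN, $2 sets the CA flag.
write_cnf() { # $1=file $2=CA:TRUE|CA:FALSE
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nbasicConstraints=critical,%s\nsubjectKeyIdentifier=hash\n' "$2" > "$1"
}

# Self-signed key + cert in one step (stand-in for what the Windows CA hands out).
selfsigned() { # $1=dir $2=name $3=CA:TRUE|CA:FALSE
  write_cnf "$1/$2.cnf" "$3"
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -subj "/CN=$2" \
    -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Vincent's step: key + cert + chain into one password-protected PKCS#12.
make_p12() { # $1=dir $2=name $3=chain file $4=password
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$3" \
    -name "$2" -passout "pass:$4" -out "$1/$2.p12"
}

# The Prime poster's step: PFX -> PEM leaf cert and PEM key (-nodes: unencrypted).
p12_to_pem() { # $1=p12 $2=password $3=out cert $4=out key
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
}

# Pull the CA chain that travelled inside the bundle (everything but the leaf).
p12_chain() { # $1=p12 $2=password $3=out file
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3"
}

# Returns 0 if the cert carries basicConstraints CA:TRUE, which is what Prime's
# "must be enabled as a certificate authority" error is asking for.
cert_is_ca() { # $1=cert
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 if the private key and the certificate share a public key.
key_matches_cert() { # $1=cert $2=key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

d=$(mktemp -d)
selfsigned "$d" vpnca CA:TRUE
selfsigned "$d" router1 CA:FALSE
make_p12 "$d" router1 "$d/vpnca.crt" Sup3rS3cret
p12_to_pem "$d/router1.p12" Sup3rS3cret "$d/router1.pem" "$d/router1.pem.key"
p12_chain "$d/router1.p12" Sup3rS3cret "$d/router1-chain.pem"
cert_is_ca "$d/router1.pem" && echo "router1: CA cert" \
  || echo "router1: end-entity cert, Prime will reject it"
cert_is_ca "$d/router1-chain.pem" && echo "chain from bundle: CA cert, this is what Prime wants"
key_matches_cert "$d/router1.pem" "$d/router1.pem.key" && echo "router1: key matches cert"
rm -rf "$d"
```

The bundle's password only protects it at rest; once it is mailed or copied to a USB key, the key inside is as exposed as the password is, so the unencrypted PEM key produced by -nodes should be deleted as soon as the appliance has imported it.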

  • User Certificate distribution with own CA via Afaria

    Hi there
    We have our own enterprise certificate authority server (Microsoft native).
    We have already been able to request user certificates, get them on the device and use them for WiFi access. Still, we have some questions concerning certificate handling.
    In the server configuration (Afaria 7 SP5) at Server -> Configuration -> Certificate Authority we found the checkbox for "Revocation".
    The Afaria documentation describes the checkbox like this:
    "Revocation: Enable to allow users to revoke the certificate".
    Who are the 'users' in this sentence? The users for whom certificates have been requested? If this checkbox is not ticked, is it not possible to revoke certificates via CRL from the server?
    Kind regards, Tobias

    Hi, Tobias.
    The "users" in this case would be the people assigned as Afaria administrators and granted proper privileges through the Afaria Administrator roles to revoke certificates for devices. The device owners cannot revoke their own certificates.
    If the "Revocation" box is not checked you won't see the "Revoke Certificates" icon appear when highlighting a device from the Device Certificates views, so you cannot revoke the certificates from within the Afaria Administrator. You could still revoke them from the CA itself, however.
    Let me know if you have further questions.
    Thanks,
    Keith Nunn
    SAP Active Global Support
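An added example, not from the Afaria thread or from the CERT1 thread above, of what "revoke them from the CA itself" means at the CA level, using OpenSSL's own CA tooling: issue a certificate, publish a CRL, revoke the certificate, and watch what a relying party that checks the CRL sees at each step. Two behaviours worth seeing in practice: a verifier that checks revocation but cannot reach any CRL fails closed (the same condition as the "revocation server was offline", 0x80092013, that stopped CERT1 from starting), and a revocation is invisible to relying parties until a new CRL is actually published. The CA name, the device name and the directory layout are assumptions for the example; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the threads above: revoke a certificate at the CA
# with OpenSSL, publish a CRL, and show how a CRL-checking verifier behaves
# with a fresh CRL, with no CRL, and with a CRL that predates the revocation.
# Assumptions: openssl on PATH; CA and device names are made up.
set -eu

# openssl ca needs a database; this config is the minimum for issuing and CRLs.
init_ca() { # $1=dir
  d="$1"; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = ca_default
[ca_default]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
x509_extensions = leaf
[any_policy]
commonName = supplied
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -subj "/CN=Example Device CA" \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}

# Issue a device certificate through openssl ca, so it is recorded in index.txt.
issue_cert() { # $1=dir $2=name
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" -config "$1/ca.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Mark the certificate revoked in the CA database (not yet visible to anyone).
revoke_cert() { # $1=dir $2=name
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" -crl_reason keyCompromise 2>/dev/null
}

# Publish: sign a new CRL from the database. Only now do relying parties learn.
publish_crl() { # $1=dir
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Relying party with CRL checking and the CRL at hand; exit status is the verdict.
verify_with_crl() { # $1=dir $2=cert
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$2" >/dev/null 2>&1
}

# Relying party with CRL checking but no CRL reachable: fails closed.
verify_without_crl() { # $1=dir $2=cert
  openssl verify -crl_check -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Number of serials listed on the published CRL.
crl_revoked_count() { # $1=dir
  openssl crl -in "$1/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}

d=$(mktemp -d)
init_ca "$d"
issue_cert "$d" atm-router-07
publish_crl "$d"
verify_with_crl "$d" "$d/atm-router-07.crt" && echo "fresh CRL, not revoked: accepted"
verify_without_crl "$d" "$d/atm-router-07.crt" || echo "no CRL reachable: rejected (fail closed)"
revoke_cert "$d" atm-router-07
verify_with_crl "$d" "$d/atm-router-07.crt" && echo "revoked but CRL not republished: still accepted"
publish_crl "$d"
verify_with_crl "$d" "$d/atm-router-07.crt" || echo "new CRL published: rejected"
echo "revoked entries on the CRL: $(crl_revoked_count "$d")"
rm -rf "$d"
```

The gap between revoke_cert and the second publish_crl is the window in which a revoked device certificate still works everywhere; with default_crl_days = 7 a relying party that caches the CRL may keep accepting it for up to a week unless the CA publishes immediately after each revocation.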
