Certificate for applet automatically rejected

Similar Messages

• Tell me the procedure to get certificate for applet signature

  tell me the procedure to get certificate for applet signature
  tell me the procedure to get certificate for applet signature
  after certificate code will not show dialogbox.

  I suppose that you want to sign an applet?
  OK, here we go:
  'keytool' is delivered with Sun's development kit.
  keytool -genkey -keyalg rsa -alias yourkeyFollow the instructions and type in all needed information.
  Now we make the certificate:
  keytool -export -alias yourkey -file yourcert.crtNow we have to sign the applet:
  javac yourapplet.java
  jar cvf yourapplet.jar yourapplet.class
  jarsigner yourapplet.jar yourkey

• Why is my mail certificate for POP IMAP rejected?

  I am running 10.6 server with the latest updates and suddenly I noticed that my mail account stopped working. When I investigated the issue it looks like that my SSL certificate in the server admin under mail -> security is gone. there are two fields for enabling SSL, one for SMTP-SSL where my certificate still shows up and is working just fine and the other one for IMAP and POP SSL shows 'no certificate'.
  When I try to chose my certificate from the pulldown menu and click save, it takes a couple of seconds to save the status and then jump back to showing 'no certificate'.
  when disabling ssl the mail server works as intended. changing or adding certificates with the certadmin also failed. maybe someone else has an idea on how to get the server-admin to use a certificate for the imap-pop-ssl again.
  thanks.

  after googling around for quite some time was about to give up but then i stumbled onto some threads with the same problem.
  one suggested to reinstall and set the server up clean from the beginning again, which wasnt really an option but there was one comment to it that helped me to find the solution. the person suggested to point the dovecot.conf file (located at /etc/dovecot/) to the /etc/certificates folder again. that was not quite the solution for me, but maybe it helps someone else.
  what did the trick for me was actually to manually solve a bug from server-admin in the dovecot.conf file at /etc/dovecot. be sure to make a backup of the file first before you do any editing. if you change something in server-admin with your mail server and certificates, the server admin tends to append things to the dovecot.conf rather than replace the old text in there. so what you end up with is a long and messed up dovecot.conf file. in the dovecot.conf file is a section for ssl_ca_file, ssl_key_file and ssl_cert_file where only one term should stand, rather than multiple things. by deleting the unnecessary additions created by server-admin, or deleting everything the equal sign (after ssl_ca_file =) and then pointing the server-admin to the right certificate again, you may get rid of this bug.
  this is the thread that helped me find this out: https://discussions.apple.com/thread/2291114?threadID=2291114
  thanks

• Automatically renewing certificates for digital signatures

  Is it possible to setup some form of system that automatically renews the user certificate for digital signatures? If so, where can i find information on this?

  Hi - these are all reader extended through Livecycle ES Reader extensions and are signed by users in Reader. What I am asking is if anyone has an idea where this behaviour is declared, so that I can change it.

• Certificate for intranet applet

  Hi I have a self singed applet and I'm having the same security issues with the latest updates from version 7, so I want to sign my applet, but since this applet is running from an intranet site, how can I buy a certificate since it doesn't have a public domain, or can I use a certificate for any other public domain and use it in my applet?
  Can you help me with this?

  What I've done is to import the certificate into a keystore on the web server. I also have the policy file (also on the web server) pointing to this keystore. This works fine, as long as either one of the following is true:
  1) the java.security file on the client has a policy.url entry thta points to the policy file on the web server
  2) The runtime parameters for the plug-in specify the policy file on the web server (e.g. -Djava.security.manager -Djava.security.policy={location of policy file on web server})
  I'm trying to figure out a way to not have an automated procedure change the java.security file on the client (though I'll use this approach if needed). I also don't want to change the runtime parms on the plug-in (will affect other applets). If there is a way to specify this in the HTML for my applet, that would be perfect. Any ideas (will be posting this as a separate thread).
  Thanks,
  Van Williams

• Automatic rejection even if already signed?

  Hi,
  First off I should say that I am not a developer - I am a tester with limited Java knowledge :)
  We have our own Java application that is hanging and the Java console outputs errors which are mostly AccessControlExceptions (see snippet below). This hang only occurs because of JVMHook environment variables that are added by a test tool (QTP). When these are removed everything works fine. I have tried deleting all sorts of caches (including the Java security ones) and Java 1.6 versions but they don't help. Removing the variables isn't a valid workaround as they are necessary for QTP to recognise Java.
  What has pointed me to this forum is the fact that when the application is working as normal, if a user clicks 'Cancel' in the signing dialog the exact same errors below appear in the Java console. To me this intimates that the variables are having a conflict with the applet signing code, and that it causing the same outcome as if the applet is being automatically rejected.
  So my questions are:
  1) Am I sniffing in the correct area of security and signatures based on the output below?
  2) Is it possible for an applet to be automatically rejected without the dialog appearing, even if it already has a valid signed certificate?
  Thanks
  JAVA console output snippet
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet initLogging
  WARNING: Unable to read logging configuration from http://localhost:32502/xxxxxxxxx/Client/logging.properties: using default.
       Reason was java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet createAndInitChild
  INFO: Starting RelationsBrowserApplet
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet globalStartup
  INFO: xxxxxxContainerApplet: global startup
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet createAndInitChild
  INFO: Starting ResourceBrowserApplet
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet createAndInitChild
  SEVERE: Failed to load applet
  java.security.AccessControlException: access denied (java.util.PropertyPermission swing.metalTheme write)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.System.setProperty(Unknown Source)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.globalStartup(xxxxxxContainerApplet.java:185)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.createAndInitChild(xxxxxxContainerApplet.java:696)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.init(xxxxxxContainerApplet.java:598)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet globalStartup
  INFO: xxxxxxContainerApplet: global startup
  01-Jul-2010 10:38:07 com.xxxxxx.core.boot.xxxxxxContainerApplet createAndInitChild
  SEVERE: Failed to load applet
  java.security.AccessControlException: access denied (java.util.PropertyPermission swing.metalTheme write)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.System.setProperty(Unknown Source)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.globalStartup(xxxxxxContainerApplet.java:185)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.createAndInitChild(xxxxxxContainerApplet.java:696)
       at com.xxxxxx.core.boot.xxxxxxContainerApplet.init(xxxxxxContainerApplet.java:598)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)

  Alan ~ Welcome to the discussions. This old thread may help:
  _iweb asks me to sign in to mobile me when publishing site_

• EDI order to automatically reject line items that cannot be allocated( AFS)

  Hi All
  The requirement is as follows
  1. A specific type of customer EDI order enters SAP via IDOC
  2. We need to identify these specific orders in SAP and have the ability to automatically reject lines that cannot be allocated (AFS allocation)
  3. What are our options using standard functionality of SAP/AFS?  Iu2019d prefer an element other than a new doc type.  Something such as order reason, or Purchase Order Type (preferred)
  4. How is this possible?
  Appreciate your quick help and response.
  Thanks
  Yella

  Hi Roja,
    After seeing your query it can be done through user exit only,there is no option in standard.
  User exit in program MV45AFZZ - USEREXIT_MOVE_FIELD_TO_VBAP or
  MV45AFZZ - USEREXIT_SAVE_DOCUMENT
  take ABAPer help he can fix the problem
  in the program you can tell in which conditions the order should be created with automatic reason for rejection.
  Regards
  Ram

• Wildcard * SSL Certificates for TTA??

  Is there any way I can use a wildcard SSL certificate like:
  *.mycompany.com
  in my TTA server?
  I was able to run all the cert commands successfully using the
  *.mycompany.com cert:
  Generated the CSR (tarantella security certrequest)
  Installed the Cert File (tarantella security certuse)
  Installed the Chained CA cert (tarantella security customca)
  Review/validate certinfo (tarantella security certinfo)
  The TTA-installed Apache webserver was fine with the wildcard certificate
  since I was able to goto:
  https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
  But after I went to:
  https://subdomain.mycompany.com/tarantella/
  I got the following errors in my Java Console:
  Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
  server...
  Secure Global Desktop 4.10.903: Using secure connection to
  Secure Global Desktop server subdomain.mycompany.com:443
  Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
  for this Secure Global Desktop server (subdomain.mycompany.com) due to name
  mismatch.
  Secure Global Desktop 4.10.903: Client dropping connection.
  Secure Global Desktop 4.10.903: Unable to connect: Certificate
  (*.mycompany.com) not accepted for this Secure Global Desktop server
  (subdomain.mycompany.com) due to name mismatch.
  Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
  Is there a way that I can get the applet to do a regex-ish match on the name
  for wildcard certs?
  Cyrus

  Hi Cyrus
  I was loosely referring to PKI rules e.g.
  http://www.ietf.org/proceedings/98mar/98mar-edited-110.htm
  http://www.iihe.ac.be/internal-report/1997/stc-97-19.html
  Wildcarding isn't supported. I understand what you are trying to do now
  but it won't work because the software is looking for a certificate
  matching a single server.
  The certrequest command is just a wrapper script for openssl so it won't
  stop you doing anything the openssl command believes may be valid. You don't
  actually need to use this command it's just there for convenience, you
  could do everything just using openssl.
  The current documentation doesn't explictly state that you can't use
  wildcards in certificates but it does say you need a certificate for a
  SGD server. My understanding of the wildcard issue is that it is up to
  a particular application to decide what is appropriate.
  http://www.tarantella.com/support/documentation/sgd/ee/4.1/help/en-us/tsp/gettingstarted/whatare_certs.html
  Regards
  Barrie
  On 2005-08-15, Cyrus Mehta <[email protected]> wrote:
  May I inquire as to where these rules are listed regarding SSL Certs, I
  didn't see anything to the effect in the documentation. Also why weren't
  the rules enforced at certificate generation time. Even the validation
  command (tarantella security certinfo) had no problems.
  The CSR generation/signing went through flawlessly and created a wildcard
  cert that Apache could use. It's one thing if the whole cert process
  couldn't handle a wildcard, but it seems like everything would have worked
  if only the applet accepted a wildcard regex match.
  Regards,
  Cyrus
  barrie wrote:
  Hi Cyrus
  No, sorry. The rules say you can't do that. You are required to have a
  certificate for a node not a network.
  Regards
  Barrie
  On 2005-08-05, CM <[email protected]> wrote:
  Is there any way I can use a wildcard SSL certificate like:
  *.mycompany.com
  in my TTA server?
  I was able to run all the cert commands successfully using the
  *.mycompany.com cert:
  Generated the CSR (tarantella security certrequest)
  Installed the Cert File (tarantella security certuse)
  Installed the Chained CA cert (tarantella security customca)
  Review/validate certinfo (tarantella security certinfo)
  The TTA-installed Apache webserver was fine with the wildcard certificate
  since I was able to goto:
  https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
  But after I went to:
  https://subdomain.mycompany.com/tarantella/
  I got the following errors in my Java Console:
  Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
  server...
  Secure Global Desktop 4.10.903: Using secure connection to
  Secure Global Desktop server subdomain.mycompany.com:443
  Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
  for this Secure Global Desktop server (subdomain.mycompany.com) due to
  name
  mismatch.
  Secure Global Desktop 4.10.903: Client dropping connection.
  Secure Global Desktop 4.10.903: Unable to connect: Certificate
  (*.mycompany.com) not accepted for this Secure Global Desktop server
  (subdomain.mycompany.com) due to name mismatch.
  Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
  Is there a way that I can get the applet to do a regex-ish match on thename
  for wildcard certs?
  Cyrus

• Cannot install applications because the certificate for .... is not valid

  Hello,
  We have an in house enterprise app that can no longer update.  We have taken the steps outlined here.  These steps include installing a SSL certificate on the server from a trusted CA (GeoTrust) that shows as valid in Safari on OSX.  Also the http to https redirect has been setup and verified in Safari and FireFox.  Addtionally, the plist file's XML has been manually updated to point HTTPS.  New installs work on iOS 7.1 without an issue. 
  However, the program has automatic updates that fail with the message "Cannot install applications because the certificate for .... is not valid".
  The update process works like this:
  A Plist file exists on the server that contains the version number of the build on the server.   The app will download the file and parse it into a NSDictionary then the verison into an NSString.  If the version doesn't match the current version then the user is prompted to install updates.
  When the user says yes to the prompt a UIApplication is sent the Open URL message with a hard coded download URL that looks like this:
  imts-services//?action=download-manifest&url=http://www.example.com/app/Release.plist
  On iOS 7.1 the user will receive the message "Cannot install applications because the certificate for example is not valid".   This error occurs even thought the certificate is valid.  It almost looks like the URL isn't respecing the redirect from the server.
  Has anyone else seen this?  Is there a work around for it?  Or do I have to redeploy the app (with an HTTPS in the hard coded URL)?

  kkoishi, cskimble, OS 7.1 update forced all software installation services to use the HTTPS protocol instead of HTTP. Here is Apache config that adds certificate support and code for changing links in existing *.plist files automatically: http://cases.azoft.com/how-to-fix-certificate-is-not-valid-error-on-ios-7/
  More ideas on Stack: http://stackoverflow.com/questions/20276907/enterprise-app-deployment-doesnt-wor k-on-ios-7-1/22527000#22527000

• Question on "use java .... for [applet]" option in IE

  posted April 30, 2003 09:27 AM
  If a plug-in is installed, IE includes an option under the advanced tab, similar to this: "use Java 1.4.1_02 for [applet]"
  Im trying to understand exactly what this is. Sorry if what I'm saying is obvious... If your HTML has the [applet] tag rather than the [object] tag, IE will use the sun plug-in? If true, and since the [applet] tag does not automatically down load a plug-in, the client would have to have this plug-in already installed?
  Is is also true that this advanced option in IE does not have anything to do with an applet using the [OBJECT] tag. If the [object] tag is in the html, then the browser will always use the plug-in regardless of whether the IE option is checked?
  Thanks for your help! Soon I'll have this applet technology down, but still many questions...

  New versions of Internet Explorer will automatically grab the Java plugin specified to run applets that are coded on webpages using the <APPLET> tag. The plugin would have had to be pre-installed on the machine - as it will not automatically download the plugin to do this. Only the <Object> tag will do that.
  And yes...this only affects the <APPLET> tag. Any OBJECT tags you will encounter that require a specific JDK will still prompt you to download that if you don't have it and will use that version, regardless of whether that advanced option is selected.
  You can also do some configuation with newer plugins via the icon located in your Control Panel.
  Good luck with applets... just wait until you have to implement one for the Crackintosh. ;-)

• SSL + certificate (will login automatically)

  I am using SSL with certificate and installed 3 certificates for 3 different user account on one PC.
  On login, by click the Portal's Login URL, Web Browser will asking user to choose a certificate.
  All of certs choosed will automatically logged on the right user without asking pasword again. I think this is an expected behaviour.
  How could I configure to have user fill password according to certificate he/she choose?
  TIA,
  ferry sends.

  believe that this is a setting in the browser. You should set this to "ask every time".
  cu
  Andreas

• Every time I try to open a new web page a window pops up saying the certificate for the page is invalid?? It won't let me on my emails or Facebook

  Every time I try to open a new web page a window pops up saying the certificate for the page is invalid?? It won't let me on my emails or Facebook

  This could be a complicated problem to solve, as there are several possible causes for it.
  Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
  Step 1
  From the menu bar, select
             ▹ System Preferences... ▹ Date & Time
  Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.
  Check the box marked 
            Set date and time automatically
  if it's not already checked, and select one of the Apple time servers from the menu next to it.
  Step 2
  Start up in safe mode and log in to the account with the problem.
  Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.
  Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.
  The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
  If the problem is not reproducible in safe mode, then it's caused by third-party "anti-virus" or "security" software. If you know what that software is, remove it as directed by the developer after backing up all data. If you don't know what it is, ask for instructions.
  Step 3
  Triple-click anywhere in the line below on this page to select it:
  /System/Library/Keychains/SystemCACertificates.keychain
  Right-click or control-click the highlighted line and select
            Services ▹ Show Info
  from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
  Repeat with this line:
  /System/Library/Keychains/SystemRootCertificates.keychain
  If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
  Step 4
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad and start typing the name.
  In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
  In the Keychains list, there should be items named System and System Roots. If not, select
            File ▹ Add Keychain
  from the menu bar and add the following items:
  /Library/Keychains/System.keychain
  /System/Library/Keychains/SystemRootCertificates.keychain
  Open the View menu in the menu bar. If one of the items in the menu is
            Show Expired Certificates
  select it. Otherwise it will show
            Hide Expired Certificates
  which is what you want.
  From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
            Secure Sockets Layer (SSL)
  select
            no value specified
  Close the inspection window. You'll be prompted for your administrator password to update the settings.
  Now open the same inspection window again, and select
            When using this certificate: Use System Defaults
  Save the change in the same way as before.
  Revert all the certificates with non-default trust settings. Never again change any of those settings.
  Step 5
  Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
  Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
            Help ▹ Keychain Access Help
  from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
  Step 6
  From the menu bar, select
            Keychain Access ▹ Preferences... ▹ Certificates
  There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to  CRL.
  Step 7
  Triple-click anywhere in the line of text below on this page to select it:
  /var/db/crls
  Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
  A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
  Restart the computer, empty the Trash, and test.
  Step 8
  Triple-click anywhere in the line below on this page to select it:
  open -e /etc/hosts
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in the same way you launched Keychain Access.
  Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
  # Host Database
  # localhost is used to configure the loopback interface
  # when the system is booting.  Do not change this entry.
  127.0.0.1                              localhost
  255.255.255.255          broadcasthost
  ::1                                        localhost
  fe80::1%lo0                    localhost
  If that's not what you see, post the contents of the window.

• Renew Machine Certificate for multiple Servers

  Hi,
  We have Windows 2003 Enterprise CA which issues certificates to servers which are used for various purpose like Wifi Authentication, Secure RDP. We have checked that the certificates are going to expire within few weeks. We want to renew certificates before
  expiry but the number of servers is high so we cannot do it manually by logging into each server.
  We doesn't have ACRS enabled for computer certificates and even if we configure it now that will not help.
  Is there a way to renew the certificates for all the servers remotely.

  On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
  We already have auto-enrolment enabled through GPO. The settings are as follows
  Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
  Update and manage certificates that use certificate templates from Active Directory ..........Enabled
  I think that you're confusing Automatic Certificate Request Services and
  autoenrollment. In your first post in this thread you mention ACRS, however
  the above settings are for autoenrollment. ACRS is only for certificates
  that are based upon V1 certificate templates and then only for machine
  certificates. Autoenrollment on the other hand does not work for anything
  less than V2 certificates and supports both machine and user certificates.
  If you're using V1 certificate templates then you can set autoenrollment
  settings in a GPO and it will not have any impact at all.
  Paul Adare - FIM CM MVP
  Remember the signs in restaurants "We reserve the right to refuse
  service to anyone"? The spammers twist it around to say "we reserve
  the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

• CUP Automatic reject request

  Hello,
  inspired by the great blog from Frank Bannert (/people/frank.bannert/blog/2009/06/19/configure-bobj-ac-53-cup-that-workflows-only-appear-if-violations-detected) to have a workflow (triggered from IdM) that only appears if SoD-violation is detected, I want to go further:
  Can anyone tell me how to create a workflow step in CUP that automatically rejects the request?
  The idea is to have a request from IdM for a person to get a role. This request now comes to CUP. With the basic construction mentioned in the blog above, there is a obligatory SoD check. If there is no violation, the request is granted in CUP automatically and sent back to IdM. If there is a violation, I now want the request to be rejected in CUP automatically (instead of a manual step with user interaction).
  Is this possible - and how?
  Thanks in advance
  Matthias Arlt

  Hi Matthias,
  maybe I need to correct this - it is technically possible, but you need to make the distinction whether a request had SoD risks on IdM. The risk analysis service will tell you if there were risks, you can have  a "no stage" path to come back without user intervention.
  What is it that you want to mass upload - initial user/role assignments, or ongoing requests?
  You can also do a simulation in RAR before the upload, or a risk analysis immediately after that. If it's a one time thing, it probably doesn't qualify for a special implementation.
  Can you tell us in a bit more detail what it is you want to do? There surely is a solution, it's just not easy to find from the information so far.
  Frank.

• Quality Certificates for Finished Goods

  Dear Friends,
  Please guide me to map in SAP for the below Scenarios of Quality Certificates.
  There are two types of Certificates for Finished Products
  1.     Permanent Certificates
  We have certifications from some Institutes for Finished products.
  e.g.  TUV: IEC 61215 Ed.2, IEC 61730 & UL1703
  These Certificates are sent to customers only on Demand.
  I want to create all these certificates in SAP and assign materials to them. Print should come manually.
  2.     IV Testing Report (Certificates for each Product).
  Each Product is tested by a machine for its efficiency and power. A Current-Voltage relationship Graph is produced by the Machine. We call it IV TESTING REPORT. Each product has its IV Testing Report and it is sent with the product to customers.
  Print of this certificate should come automatically with each Billing Invoice in SD.
  Regards
  Prashant Atri

  These requirements can all be handled by the standard SAP COA process.  You simply have to create a couple of different SAP script forms.  One for the stand COA where you report out the values where you actually test the product via your machine, (requirement 2). 
  For the frost requirement, you need to reproduce and send copies of outside certifications.  I assume you actually have a paper copy of these and that these are for specific products.  For these, you create separate COA outputs, one for each cert type.  You create a SAPscript form for each.  These forms will be identical with but one exception.  In the form, instead setting it up for reporting characteristics and product info, you create it with one frame that is a bitmap.  (your programmers should be familiar with doing this for putting on company logos on various forms).  Instead of displaying a logo in those frame, you display the bitmap image of the cert you want to use. So the SAPcript is very easy, just a single bitmap along with anything else you decide you want to include on the form.
  All your certs can then be sent automatically at time of delivery just like any regular COA.
  FF