Certificate type in cert profile

Similar Messages

• LSMW to Load Cert Profiles (QC01) & handling Blank Fields

  I have been trying to create an LSMW to Create New Certificate Profiles (Transaction QC01).  As their doesn't seem to be any other way of doing it I have been creating the LSMW with Standard Batch Input Recording. 
  The first problem I had was that each Cert Profile (master record) may contain many Characteristic Detail Records.  There is however no way of indicating next record when doing the recording.  To fix this problem someone suggested determining the max # of Char Detail records I have and do one long recording with all 9 char's filled in.  Using this method I only have one source structure and a very long list of source fields for that structure.  Therefore everything pertaining to each cert is one long record.  e.g.,
  Cert Type:      Cert
  Cert Profile:   Profile_A
  Cert Version:   00001
  Tdname:         My_Logo
  Search Field:   My Search Text
  Short Text:     My short text
  Sortnr_1:       My 1st Char #
  Kategorie_1:    My 1st Category
    and so on for all fields for the 1st character and then
    we go onto the 2nd char
  Sortnr_2:       My 2nd Char
  Kateforie_2:    My 2nd Category
    and so on for all fields for the 2nd character and then
    we go onto the 3rd char.  This keeps going for 9
    characters
  My LSM runs fine until it gets to the 1st of the 9 char's that does not exist.  Meaning that my Recording and source files all have 9 characters, but the data file may only have 2.  When it gets to the 3rd one (i.e., sortnr_3 for the 3rd characteristic it complains and says to enter a value between 1 and 9999.  For the Maintain Mappings I do have each of the fields set with the IS NOT INITIAL FLAG so it puts a / in. 
  if not CERTPROFILESCHAR_STR-SORTNR_3 is initial.
    QC01_CERTPROF-SORTNR_3 = CERTPROFILESCHAR_STR-SORTNR_3.
  endif.
  How can I get this LSMW to work when the recording is based on 9 character details, but the data file may be based on anywhere between 1 to 9?  Or is there another way to do this?
  HELP Please and thank-you.

  Hi,
  Let me know whether it is required field or optional field.if it is required it should not accept you this kind of records.if it is optional then then in flat file you give a TAB space like bellow.
  vendor details in flat file
  1)  100000      USA          HDFC           1054621450
  2)   100004      USA                                   3040000578
  From above example vendor 1 has bank name HDFC,but 2 doesn't has any bank name.so pace the cursor atend letter of USA and enter tab twice and save the flat file.
  by doing this the system doen't fill any data into that field,if you dont maintain this tab, the account specifyied as 3040000578
  will be fetched for the field bank name.
  Try this and let me know.
  Thank you.

• QM Certs of Analysis - Cert Profile Short Text

  Hi,
  I have a number of certificate profiles that define the output parameters for certificates of analysis that are printed from the QM batches. The practical use of this functionality is to generate a certificate of analysis for approved stock to be delivered to customers. The certificate profile typically contains
  1. A layout set (that will govern certificate layout)
  2. Material Assignment (the materials that the certificate can be used for)
  3. Inspection characteristic assignments (e.g. the test results you wish to appear on the cert)
  For each characteristic you can also choose to output short text as the characteristic specification. Unfortunately this short text field is limited in size. What I require is a way to display lengthy characteristic specifications on a certificate of analysis, for example
  Test name 1           Test Specification not limited to e.g. 30 chars              test result
  Thanks in advance for any advice or tips.
  Regards,
  Gary
  Edited by: Gary McSherry on Oct 7, 2009 9:53 AM

  David,
           First of all you need to be sure that the characteristics you assigned in a profile are in the Inspection plan(If using Inspection plan)
           Second you need to assign this profile to the material (QC15) and the certificate type.
            These are two main things you have to consider when creating a certificate.Please reward if this helps.Also if you having problems please met me know.thanks
  Naik

• ISE Cert profile - SAN vs Common Name

  Hi 
  I have got the following problem:
  - Wireless Workstation authenticate using certificates and cert profile matches SAN
  - recently added BYOD devices that wont work unless I use cert profile matching Common Name
  Is there any way to split Wireless 802.1X rule in 2 halves so I can match:
  - Wireless 802.1X and Workstations  -> Cert Profile would be using SAN
  - Wireless 802.1X and Apple Devices -> Cert Profile would be using Common Name
  So far I failed in my attempt to split Wireless 802.1X and ended up having to CONTINUE on Failed Authentication on Cert Profile matching Common Name + securing access on Authorization rules which is not ideal.
  With this solution iPADs go through full authentication but Workstations hit that CONTINUE option as Common Name attribute is not found in Cert for them.
  based on that link http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1382708
  i should be able to use SAN for Windows workstations and Common Name seems only option for iPADs so should be able to split Authentication Rule somehow?

  I have had a similar issue before and got around it by creating a new store rule under authentication. The biggest sticking point is finding an attribute to use for differentiation purposes. If you are using the same SSID it makes it hard but the easiest differentiator I have found is WLAN ID or Radius Called-station ID. Basically make a rule for CN cert profile that matches on WLAN ID 1 and then make a rule for SAN cert profile that matches on WLAN ID 2. You maybe able to find other differentiators in your deployment but the options are limited in authentication versus authorisation.

• Type of cert needed for anyconnect ikeV2

  Hi Everyone,
  I have created CSR for anyconnect IkeV2.
  When i ask the cert vendor what should i ask them that which type of cert i needed for IkeV2?
  We do not want users to use ssl like https://xyz.com and connect and download the client.
  We want users machine pre installed with anyconnect and profile and connect using IkeV2.
  Regards
  Mahesh

  Hi Marvin,
  I got cert from Entrust.
  it has 3 options server cert,root cert and chain cert.
  i installed the server cert on the ASA and now  status of cert has changed from pending.
  When i connect to anyconnect ikev2 it still gives me cert warning line non trusted cert.Do i need to do any config change in anyconnect ikev2?
  Regards
  Mahesh

• Cisco Webex Meeting Server v2.5 Certificate Type

  Dear Team,
  We have installed Cisco Webex Meeting Server v2.5 and we need to but a public CA.
  i have created the CSR file (Using SAN) and i sent to the CA vendor but they asked my about the certificate type.
  Cisco or Tomcat or what?
  i have searched in Admin and Planning guide but i didn't find the answer.
  Apprentice your answer.
  BR,
  HS

  Hi HS,
  Apache/Tomcat cert is what you need.
  Kind regards,
  -Dejan

• Yosemite Server Signed Certificate vs OD and Profile Manager

  Hello Again,
  For more info on my setup follow the thread exchange Yosemite Server forward zone vs SSL types
  I've purchased a Comodo Positive SSL that covers www.example.com and example.com
  I asked OS X Server to use it and it went on to set up this Comodo signed Certificates up for Calendar, Mail (Pop and iMAP), Mail (SMTP), Messages and Websites.....
  ... But not for Open Directory which uses the xyz.example.com OD Intermediate CA.
  In Profile Manager, Configuration Profile Sections, I have checked "Sign Configuration Profile" and the only choice if I click the "edit" button is the "xyz.example.com OD Intermediate CA".
  1- Should OD use the Comodo Certificate like all other services?
  2- Will the Comodo certificate appear in the Profile Manager If I tell OD to use it?
  Francois

  Sorry Here,
  Hope I understand this correctly.
  The Comodo Positive SSL is a Web certificate. Although I ask OD to use it, it didn't.
  Then Profile Manager expects a "code signing" certificate which is why all it saw was Open Directory's one.
  Francois

• WLC Web GUI Certificate type displayed

  Hi,
  We Converted some APs from IOS to LWAPP and had them successfully Join a WLC.
  We have, to date, never bought owned or otherwise possessed an AP which talks LWAPP out of the box.
  However the WLC Web GUI says, under the Wireless heading, that AP Certificate Type is "Manufacture Installed" .
  Shouldn't it say "Self-Signed" ?
  regards, MH

  Thankyou for your reply.
  Looking at Cisco document,
  "Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode"
  I can see where it confirms what you said about MIC,
  "Factory installed certificates are referenced by the term MIC, which is an acronym for Manufacturing
  Installed Certificate. Cisco Aironet access points shipped before July 18, 2005, do not have MIC, so
  these access points create a self-signed certificate when upgraded to operate in lightweight mode."
  Most of this document talks about SSC not MIC and is indisciminate about the age of the AP.
  So if I'm converting 1131AG APs bought in 2006 from Autononous to LWAPP am I dealing with MIC not SSC?
  Regards, MH

• QM Certificate Type at GR

  Hi Experts,
  Certificate type configured with "Control without certif. with E Without Lot: Blocked Stock, with lot: Status.
  Is there a way to avoid the stock being moved to blocked stock if the material is not Inspection Type activated for '01' for a particular plant ?
  The other option was using Error message. Can we change the error message ?
  Regds
  Joe

  Hi
  Either use c: without lot :Error & with lot:status
  or use UserExit:
  QBCK0003 Extended QM check for goods receipt

• Anyconnect XML Profile Certificate Matching - Multiple Certs different Issuer

  Hi Guys
  I am trying to setup an xml profile for cisco anyconnect that will look at multiple certificates that could be issued from 2 different CA's.....
  Currently having trouble setting this up and it does not look like it is possible..
  Is there a way around this?
  Regards
  Mohamed

  The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching are global criteria that can be set in an AnyConnect profile. The criteria are:
  •Key Usage
  •Extended Key Usage
  •Distinguished Name
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158

• I've picked certificates from my cert card which Thunderbird can see but it can't actually decrypt or sign with them. (Encrypt works)

  Thunderbird 31.3.0
  Win7 Enterprise, SP1 (all patches, corporate maintained)
  ActivClient x64 - 7.0.2.403
  I just got a new machine from corporate. The old one had ActivClient 6.2.0.133 and I had it working there. With my cert card inserted, TB can see the certs on the card. It lists them in the "Your Certificates" tab in the cert manager. And in the account settings, security section it lets me pick certs for digital signing and encryption. But when I try to use them to sign or decrypt an email it doesn't work. It does let me encrypt an email which others can read. I've checked about:config and it matches what I picked in account settings.
  When I try to decrypt it gives me the boilerplate:
  " Thunderbird cannot decrypt this message
  The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.
  Possible solutions:
  If you have a smartcard, please insert it now.
  If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12"."
  If I try to sign it says "Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail." TB only lets me pick the cert named "Digital Signature" for use in the first place! And the cert's properties according to TB are "This certificate has been verified for the following uses: SSL Client Certificate, Email Signer Certificate". So TB knows it is good for signing. I'm out of things to try at this point.
  Thanks for the help.

  I've found a bit more information. When I'm trying to sign an email and check the cert info from the compose message window->security->view the cert that TB is trying to use, it is using the wrong cert and not the one I selected! No wonder it doesn't work! It is using a cert only specified for "Email Recipient Certificate" instead of the one I selected in account settings that is for "Signing, Non-repudiation" according to account settings and "SSL Client Certificate" + "Email Signer Certificate" according to the certificate manager.
  This pretty clearly seems like a bug. I've never submitted a bug to TB before. Can I get some help doing that? I'm not a SW developer of any kind. This is completely breaking my ability to use TB. Half of my email traffic is encrypted.

• Types of certs required for OAM infrastructure

  We are building out an OAM 10.1.4.3 system and are going to use cert mode. My question is will these need to be server certs, or can we use client certificates on the machine, also will we require separate certificates for each component, including webgates?
  Thanks,
  Andy

  are you using MS CA? if yes then with standard CA use the default template type I think it is named as "Administrator" or "end user" can not remember. If its an enterprise CA then you should have a "web server" type template available, you can use this if you want but as I said the extended key useage bit (EKU) for server authentication and/or client authentication is not required.
  Just ensure to get a reply in base 64.
  Thanks,

• SPA122 1.3.2(014) HTTPS ssl cert profile problem

  Hello,
  I have a problem since upgrading SPA122 from 1.3.1(003) to 1.3.2(014). The profile rule is using https to get the config files every 1 hour or so
  this was never a problem: the rule is a FQDN, the SPA does DNS lookup gets the IP and asks the web server for the config file. both 1.3.1 and 1.3.2 do ask the file with the resolved IP address rather then the FQDN.
  now the web server has a valid certificate for that FQDN, but as the SPA122 is asking the file with the IP address the cert is not valid (CN Incorrect: CN is wildcard *.domain.com and IP address is not the FQDN)
  in 1.3.1 the SPA didn't seem to care too much , got the file and provisioned, the 1.3.2 nos gives error and sais cert err!
  I changed the FQDN for security reasons: here is what the log of the SPA says: prule is https://FQDN:9192
  Nov 15 14:37:13 Y.Y.Y.Y SCAPC_init(): provision_enable=1 prule=https://ruxxx1.axxxxxxxxxxs.com:9192/xm-$MA.ipr tftp=192.168.1.3
  but here is what the SPA asks then:
  Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Requesting profile
  Nov 15 14:40:43 Y.Y.Y.Y ssl cert err 20
  Nov 15 14:40:43 Y.Y.Y.Y create ssl connection failed
  Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed
  Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed
  Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Failed profile
  while in 1.3.1 it got it fine:
  Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:36:42 Y.Y.Y.Y FMM >>>> Requesting profile
  Nov 15 14:36:44 Y.Y.Y.Y ok=20
  Nov 15 14:36:44 Y.Y.Y.Y content len (hdr) =21056"
  Nov 15 14:36:44 Y.Y.Y.Y content len (pld) =21056
  Nov 15 14:36:44 Y.Y.Y.Y response code =200
  Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared
  Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared
  Nov 15 14:36:44 Y.Y.Y.Y Firmware downgrade limit()
  Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
  Nov 15 14:36:44 Y.Y.Y.Y FMM >>>> Successful profile
  IS this a BUG??:
  - Shouldn't the SPA do the https GET with the FQDN rather then the IP address?
  - Is this because the certificate is a wildcard?
  - the cert is from GEOTrust (RapidSSL), should be trusted
  Thanks
  Sven

  - the cert is from GEOTrust (RapidSSL), should be trusted
  Definitely no. Why you think RapidSSL certificate should be trusted ?
  If you are going to configure device in factory default state, then you need to have certificate issued by CA trusted by your device. Or you can add certificate of your preferred CA to device by hand, then you can use certificate issued by such CA as well (but not after reset to factory default).

• Minimum ssl certificate type

  We run webaccess and currently self-sign. This of course
  results in a warning for our users (employees). I am
  looking at getting an ssl certificate but don't know which
  type is needed. Seems like most certificate authorities
  have a quickie ssl which requires very little verification
  and a standard ssl which requires more information. I don't
  need an EV certificate.
  So, can I get by with the cheapest certificate to avoid the
  warning message??
  Chris

  It really depends on what Windows and/or the browser recognizes as a trusted CA. We use Trustwave certs for our WA SSL. Windows and IE trusts them, though Firefox doesn't seem to. However, at least Firefox can always trust it, unlike Win/IE.
  We used Verisign initially, and they were around $2k for a 3-year cert. Trustwave was about $200 for the same. So we switched and haven't looked back. We also have several other webapps that use Trustwave certs.
  HTH,
  Aaron

• Log forwarding from a non-domain server certificate types

  I'm trying to set up a source initiated subscription (Log forwarding) where the event source server is not in the same domain as the event collector server. I'm following these steps:
  https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
  It states that for this to work I need the following:
  The collector computer should have a server authentication certificate (certificate with a server authentication purpose) in a
  local computer certificate store.
  And 
  The source machine should have a client authentication certificate (certificate with a client authentication purpose) in a
  local computer certificate store.
  I'm looking to use a third party certificate authority to get the 2 above client and server certs. My question is what type of certificates will I need  for this to work? As there seem to be a lot of types and I am new to certs.

  Hi Chard,
  You can just request certificates from Computer Certificate Template. Certificate issued from Computer Certificate Template can be used for both Client and Server authentication.
  Here is a related article below for you:
  Certificate Templates Overview
  https://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
  In addition, if you have further query regarding certificates or CA, please refer to security forum below:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]