Client Certificate Expiration

Right now, I see that ColdFusion offers the following CGI
variables for Client Certificates:
CERT_COOKIE
CERT_ISSUER
CERT_SERIALNUMBER
CERT_SUBJECT
CLIENT_CERT_ENCODED
It would be nice to warn people that their certificates are
about to expire so they can reapply.
I would like to see it like this site can:
https://infosec.navy.mil/cgi-bin/testmypki.cgi
Maybe it's somehow encoded in CLIENT_CERT_ENCODED or
CERT_COOKIE (and there's an easy way to decode it)
Or, worst case scenario, I could have an ASP page pass it if
I had to.
Thanks!

OK, I've made some progress...
I found one thing that ASP can do that CF can't: Read when a
Certificate Expires.
In ASP, I can do this:

Similar Messages

  • From time to time, I can't verify the expiration of my client certificate on IIS.

    I have a IIS web server and a CA(AD CS) server built on a 2008R2 virtual machine.
    I require a client certificate in order to access the web server.
    It works very well but FROM TIME TO TIME, a 403 error code is returned.
    According to the trace log(FailedReqLogFiles), a 0x80092013 error occurs.
    Once this 403 error occurs, it lasts for about an hour and then everything goes back to normal.
    In order to find out what is the problem, I have done setup:
    - CRL has a publication time of 1 hour
    - (Delta CRL) has a publication time of 30minutes.
    also:
    - Both web server and CA server are not on a domain but a workgroup
    - The CA certificate is registered on the web server & client on the root & intermediate certificate registrar.
    - Both setups are patched to the latest windows update
    As far as I've checked the log:
    - on the web server log(source: CAPI2), there is an event id 53 at almost every hour for both the CRL & delta CRL
    but before the problem occurs the event id 53 is only reported on the delta CRL and nothing on the CRL.
    - By the way, System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects, the .crl file for the problematic update is only present on the delta CRL.
    - On the CA server's IIS access log, there is just the delta CRL access that is registered.
    - Below is the log on the CA server IIS's access log (XXX-CA is for anonymous sake):
    2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
    2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
    2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
    2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
    2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
    - I think that the 403 error is due to the fact this CRL is not getting reached but why would this happen?
    - Is there an other way than to restart the OS in order to clear this problem in a shorter time than 1 hour?
    side note:
    - this problem happens on the client setup too.
    - the log is shortened, but if there is any filter to apply to get better information, please tell me.
    I would appreciate any helps on this matter!
    nb:
    this is a translation from a Japanese text.

    Hi,
    The error message will occur if IIS cannot download the CRLs of the client certificate, in other words, if the CA is shut down or there are network connectivity issues between the web server and the CA when Internet Information Services tries to download the client certificate's CRL.
    Therefore, please make sure that there is no network connectivity issue between the web server and the CA; you can find the IP address of the problem CDP server and then add an entry to the HOSTS file on the IIS computer.
    Here are some related KB articles below I suggest you refer to:
    IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked
    http://support.microsoft.com/kb/294305/en-us
    You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0
    http://support.microsoft.com/kb/884115/en-us
    Best Regards,
    Amy
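Both the ColdFusion question at the top of this page and the CRL problem in this thread come down to reading a validity period out of DER. The following is an added example, not code from either thread: a minimal DER walker in Python that pulls notBefore/notAfter out of a certificate and thisUpdate/nextUpdate out of a CRL. It assumes CLIENT_CERT_ENCODED carries the client certificate as base64-encoded DER (in ASP the same value is exposed directly as Request.ClientCertificate("ValidUntil")). 0x80092013 is CRYPT_E_REVOCATION_OFFLINE: the chain engine could not obtain usable revocation data, which is what it reports both when the CDP cannot be reached and when the CRL it already holds is past its nextUpdate and a fresh one cannot be fetched. The sample certificate and CRL are constructed in the code (unsigned, placeholder name and key), so it runs offline.

```python
# Added example (see lead-in): read validity periods from DER certificates and CRLs, stdlib only.
import base64
from datetime import datetime, timezone

def der(tag, body):
    """Encode one DER TLV; only used to build the sample inputs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x80|k, then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

def utctime(dt):                            # UTCTime, tag 0x17: YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def b64(der_bytes):
    return base64.b64encode(der_bytes).decode("ascii")

SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # AlgorithmIdentifier
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"client1"))))  # CN=client1

def sample_cert(not_before, not_after):
    """Constructed Certificate with the tbsCertificate layout of RFC 5280 s4.1."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                   # [0] version (v3)
              + der(0x02, b"\x01") + SHA256_RSA + NAME               # serial, signature, issuer
              + der(0x30, utctime(not_before) + utctime(not_after)) # validity
              + NAME + der(0x30, SHA256_RSA + der(0x03, b"\x00")))  # subject, subjectPublicKeyInfo
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00"))        # + signatureAlgorithm, signature

def sample_crl(this_update, next_update):
    """Constructed CertificateList with the tbsCertList layout of RFC 5280 s5.1."""
    tbs = der(0x30, der(0x02, b"\x01") + SHA256_RSA + NAME           # version, signature, issuer
              + utctime(this_update) + utctime(next_update))        # thisUpdate, nextUpdate
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00"))

def children(body):
    """Split the content of a constructed value into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                        # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime: YY 50-99 -> 19YY, 00-49 -> 20YY (RFC 5280)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                       # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("not an X.509 Time, tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(cert_der):
    """(notBefore, notAfter) of a DER Certificate."""
    [(_, cert)] = children(cert_der)
    fields = children(children(cert)[0][1])            # tbsCertificate
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    validity = children(fields[3][1])                   # serial, signature, issuer, validity
    return parse_time(*validity[0]), parse_time(*validity[1])

def crl_window(crl_der):
    """(thisUpdate, nextUpdate or None) of a DER CertificateList."""
    [(_, crl)] = children(crl_der)
    fields = children(children(crl)[0][1])             # tbsCertList
    if fields[0][0] == 0x02:                            # skip optional version
        fields = fields[1:]
    this_update = parse_time(*fields[2])                # signature, issuer, thisUpdate
    nxt = fields[3] if len(fields) > 3 and fields[3][0] in (0x17, 0x18) else None
    return this_update, (parse_time(*nxt) if nxt else None)

def expiry_status(cert_b64, now, warn_days=30):
    """Base64 DER (what CLIENT_CERT_ENCODED is assumed to hold) in, user-facing status out."""
    not_before, not_after = cert_validity(base64.b64decode(cert_b64))
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    left = (not_after - now).days
    return "expires in %d days%s" % (left, " - renew now" if left <= warn_days else "")

def crl_is_stale(crl_der, now):
    """True once nextUpdate has passed; a validator then has no usable revocation data."""
    _, next_update = crl_window(crl_der)
    return next_update is not None and now > next_update

if __name__ == "__main__":
    cert = sample_cert(utc(2013, 4, 16), utc(2014, 5, 1))
    print(expiry_status(b64(cert), utc(2014, 4, 16)))
    delta = sample_crl(utc(2014, 4, 16, 10, 51), utc(2014, 4, 16, 11, 21))
    print("delta CRL stale at 12:00:", crl_is_stale(delta, utc(2014, 4, 16, 12)))
```

To use it on real input, feed cert_validity() the bytes from base64-decoding CLIENT_CERT_ENCODED, and feed crl_is_stale() the base and delta CRL files the IIS log above shows being fetched from /CertEnroll/. Comparing each file's nextUpdate with the time it was downloaded is the quickest way to see whether the server was handing out a CRL that was already stale when the web server picked it up.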

  • ISE - What happens when the on-boarded certificate expires?

    I'm trying to design a good BYOD deployment model but have a few questions that need direct answers.  I have down how to go about on-boarding and getting a certificate on a device, the ISE provides great flow for this to happen in many ways.  My questions come from a design perspective before and after the BYOD deployment is completed.
    1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.
         (I don't want to install a certificate on just any device, or perhaps I do but I need to give permissions to all resources if it's a Corporate Device, and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
         a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)
         b. Build a Group for provisioning admins, if user PEAP-MSCHAPv2 account is from this group install a certificate. (issue here is that the end user loses administration of the device in the My Devices portal as the device is now registered to the provisioning admin)
         c. Pre-populate MAC into ISE as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)
         d. Certs on any IOS or Android device, provide access based on user group and do not worry if device is Company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)
         e. Other options I have not thought about, would love input from the crowd
    2. What happens to the device once the Certificate expires?
         (I don't know the answer to this, my thought would be the user or device will fail during the authentication policy and this creates a mess)
         a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
         b. Use MDM for Cert management (may not have one)
         c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)
    Would appreciate some feed back and would like to know if anyone has run into these issues.                   

    Neno,
    Sorry but I don't have any other info on using a public CA, Cisco says to use internal CAs for PKI.  I think the best practice when 1.2 comes out will be to use one interface for Web Management and a different interface for Radius, profiling, posture, and on-boarding.  This way you can use your private CA for EAP and a public CA for web traffic.  Have you tried a public CA bound to management and a private CA for EAP yet?
    I did do a session on EAP-TEAP, they explained how it will work and also discussed EAP-FASTv2.  EAP-FASTv2 is available now but you must use AnyConnect as your supplicant.  Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned as it will be the new gold standard for EAP.  It will support TLS, MD5, and CHAPv2.  If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work.  This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.
    I currently do machine and user auth, I just don't require them.  If Machine auth then allow machine on vlan-x with access to AD, DNS, and blah blah.  Then a separate rule to say user auth gets more access, although I require EAP-TLS for both and if you think about it you are accomplishing the same thing if your PKI is set up correctly.  Make it so users and machines can only auto-enroll, that way you know the only way they got their cert was from GPO policy.  I won't go into any more detail, but there is lots you can do.

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
    2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request,
    but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate
    authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I
    can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured
    to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well-known issue that issuing a certificate within the renewal period will cause
    problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer
    will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • What happens if the certificate expire on a ISE PSN

    What happens if a PSN certificate expires? Do all other nodes in the cluster lose the communication channel to that PSN node?
    What is the procedure to install a new certificate on a PSN node with the expired certificate?
    Does the PSN node still handle client RADIUS requests that do not depend on the PSN certificate?
    Thanks!

    You definitely want to renew the certs before they expire. Otherwise the effects can be very devastating to your ISE environment depending on what the certificates are used for :) Below are a couple of links that you can use to obtain more info on both of your questions:
    ISE version 1.2:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html
    ISE Version 1.3:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_D7826198A3304303AD046DB981DA4FE6
    Thank you for rating helpful posts!

  • ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

    Dears,
    I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that requires the ACE to pass expired client certificates currently deployed on some clients.
    which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.
    - authentication-failure ignore [Only]
    OR
    - authentication-failure redirect cert-expired
    OR
    - authentication-failure ignore with authentication-failure redirect cert-expired
    Appreciate your help

    Dear Kanwalsi
    To pass only cert-expired, what do you think about applying the following?
    parameter-map type ssl TEST
    authentication-failure ignore
    authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
    authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302

  • Update Client Certificates on Oracle Identity Federation (SP)

    I need to update the certs on OIF (we are Service Provider's) as my client certificates are expiring soon.
    I am planning on doing the steps below to upload the new certificates. Please let me know if this is the right way or if I am missing anything here. Please let me know asap. Thanks!
    In the EM console, under OIF server-> security and trust -> under trusted CAs and CRLs, find and delete the existing certificate (deleting existing certificate is not mandatory) for this partner and upload the new certificates.
    Then Generate Metadata a new and upload it again under the partners side.

    Can you guys help?
    801072, user12038686, OIDM,

  • [solved] weechat client certificates broken?

    Is anybody successfully using weechat to authenticate to OFTC by sending a cert? I'm seeing nonsense behavior when I try.
    I'm following the weechat instructions here: http://www.weechat.org/files/doc/stable … rtificates and also looking at OFTC's doc here: http://www.oftc.net/oftc/NickServ/CertFP
    Verification via CA works fine (observe the 3rd line down):
    20:12:26 oftc | irc: connecting to server irc.oftc.net/6697 (SSL)...
    20:12:26 oftc | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
    20:12:26 oftc | gnutls: peer's certificate is trusted
    20:12:26 oftc | gnutls: receiving 4 certificates
    20:12:26 oftc | - certificate[1] info:
    20:12:26 oftc | - subject `CN=oxygen.oftc.net', issuer `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,[email protected]', RSA key 2048 bits, signed using RSA-SHA, activated
    | `2009-08-07 14:31:48 UTC', expires `2010-08-07 14:31:48 UTC', SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
    20:12:26 oftc | - certificate[2] info:
    20:12:26 oftc | - subject `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,[email protected]', issuer `O=Open and Free Technology Community,OU=Certification
    | Authority,CN=ca.oftc.net,[email protected]', RSA key 2048 bits, signed using RSA-SHA, activated `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
    | `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
    20:12:26 oftc | - certificate[3] info:
    20:12:26 oftc | - subject `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,[email protected]', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
    | Interest,OU=hostmaster,CN=Certificate Authority,[email protected]', RSA key 2048 bits, signed using RSA-SHA, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25 UTC', SHA-1 fingerprint
    | `27361360dd639f5ee74b07468345516fc0f052f1'
    20:12:26 oftc | - certificate[4] info:
    20:12:26 oftc | - subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,[email protected]', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
    | Interest,OU=hostmaster,CN=Certificate Authority,[email protected]', RSA key 4096 bits, signed using RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint
    | `af70884383820215cd61c6bcecfd3724a990431c'
    But then, when weechat tries to use my cert and key to do mutual auth, it fails. Notice that it claims to find a cert with the same subject as OFTC's CA in my client.pem file, which is nonsense:
    20:12:26 oftc | gnutls: sending one certificate
    20:12:26 oftc | - client certificate info (/home/ataraxia/.weechat/ssl/client.pem):
    20:12:26 oftc | - subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,[email protected]', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
    | Interest,OU=hostmaster,CN=Certificate Authority,[email protected]', RSA key 4096 bits, signed using RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint
    | `af70884383820215cd61c6bcecfd3724a990431c'
    20:12:26 oftc =!= | irc: TLS handshake failed
    20:12:26 oftc =!= | irc: error: Insufficient credentials for that request.
    I've double- and triple-checked that the contents of client.pem (MY cert and key, and nothing to do with OFTC or SPI) are correct.
    What is going on here? Is weechat really using the wrong creds to authenticate me? (If that's so, at least it explains the "Insufficient credentials" error, as of course I don't have the key for SPI's CA.) Does this work for other people? Google finds no complaints of such a bug.
    I'm quite experienced with X509, so you don't need to explain things in baby terms here.
    Last edited by ataraxia (2010-08-12 14:18:55)

    gour wrote: I've tried on #weechat, but no response...it's quite dead there.
    Weechat dev returned from vacation and tried to reproduce the problem without success yesterday.
    Then I found out what's wrong...weechat uses openssl-1.0.0.a on Archlinux which, somehow, produces an incompatible cert which weechat cannot read properly.
    After creating cert with openssl-0.9.80, everything is fine now.
    Sincerely,
    Gour

  • Certificate expired

    Hello,
    I have a problem on a linux ZLM server.
    My certificate seems to be expired. Through the web interface I cannot log in to the zlm server.
    The error I receive in my browser :
    Error: The LDAP server ("ldap://zlm01.roj.just.fgov.be:10636") appears to be down. Make sure ndsd is running on the server.
    everything is running.
    In the logs I see something of certificate expired .
    To test I changed the date of my server and after this I could login without any problems.
    Any Ideas ??
    Thanks
    Erik Vandenputte.

    On Tue, 14 Sep 2010 09:06:03 +0000, vdpuerik wrote:
    > Is there no commandline way to do this on the linuxserver itself ?
    If you are not familiar with eDirectory administration it is better
    to use ConsoleOne. There is a command that might fix it, but that also
    changes a few things in the eDirectory configuration, and then it must be
    configured back so that further ZLM updates will not have problems with it.
    Therefore use ConsoleOne, it's not that complicated.
    I guide you through:
    1. start consoleone, if no login window appears, click on the tree symbol
    user name: admin
    password: <the password of the ZLM Administrator>
    tree: the full dns name of the zlm server or the ip address of it
    context: system
    -> then login; if that doesn't work you can also try to just enter
    "\\<zlm server ip address>" in Start / Run. Then the Novell client would
    open a login box and you can use the same data as above
    2. on the left side expand the TREE entry
    3. select the system below and notice that you see on the right side
    certificates called:
    SSL CertificateIP
    SSL CertificateDNS
    IP AG <xx.xx.xx.xx>
    DNS AG <full dns name>
    Those certificates were created during the ZLM server installation and
    were valid for two years. You do not need to touch them, you can create
    another one beside them. That step is described in the cool solution article I
    posted before. Create a new certificate which is valid for 5 years, assign
    it to the zlm server and restart the zlm services and everything should
    be back.
    Rainer

  • Safari client certificate problem w/ Canada Post website

    I am using OSX 10.8.5 and Safari 6.1.1
    I'm trying to use the Canada Post website for online shipping (ship-in-a-click) via the site:
    http://www.canadapost.ca/personal/tools/cst/intro-e.asp
    When I choose my option (in this case INTERNATIONAL) a pop-up opens asking to select a client certificate. A list of five certificates, which are all apparently valid and not expired, is given. No matter which certificate I select I cannot get past this pop up window. It just pops back up again.
    The certificates are all in the form:
    com.apple.idms.appleid.prd. then a very lengthy alpha numeric string
    From what I have read with certificate problems you can just delete them and next time you visit the site will ask you to select a new one. However, in this case, with all the certificates seemingly being valid, I don't think that will be the solution. Although, I am a complete novice when it comes to these issues.
    Can anybody suggest something other than using Firefox/Chrome etc. although if that is the ONLY choice then so be it. But surely this can be solved within Safari, no? The rest of the Canada Post site seems to behave OK with Safari.
    Thank you.

    Neither.  I am on Mavericks and it shows the exact same issue, so it neither fixes the problem nor introduces new ones, at least with my site.
    I also noticed that it is somewhat based on the location (IP) of the server, because on my local laptop (during development) and on our QA server it would try to send a certificate that it should not send.  HOWEVER once we implemented the SSL client certificate on our production server it would no longer send the certificate.  I have no idea why and speculate that it is because our production server has a public IP.
    If you want you can use my site and see if the problem persists for you there (http://whf.to); however given the seemingly random way Safari decides to send certificates you may or may not see the issue.  If Safari does indeed send a certificate you should get an error page that details what happened (in somewhat lay terms).
    Sorry that Mavericks doesn't fix the issue for you.

  • Client Certificate Rejected, repeatedly +with great vigor

    Hi all --
    Perhaps you can give me a hand. I recently got a new Macbook Pro -- my first new CPU since the ole' clamshell back in 2001. Very happy with it as a whole but also finding that I am a bit behind the times in terms of my understanding of the software. Here is the problem: Yesterday I tried to access a page using Safari (2.0.3) from my history. I do not believe that it was a secure page as it was part of the dartmouth.edu website but it may have been. Anyway, a dialogue box popped up asking me to use the FileVaultMaster keychain. I did not know that I had such a thing but I typed in my master password. The page still did not open, but Safari displayed a text box saying that there was an error -- this particular error, in fact:
    <begin quote>
    The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message
    <end of quote>
    Now, when I try to access the basic Dartmouth homepage of http://www.dartmouth.edu, Safari converts it automatically to https://www.dartmouth.edu and asks for the keychain and then displays the error. I tried emptying the cache and resetting Safari (and even restarting the computer, although I understand that that is no longer necessary with OS X) but to no avail. Can anyone clue me in as to what is happening, and why?
    Thanks much in advance,
    -Sparco03
    MacBook Pro   Mac OS X (10.4.5)  

    I emailed [email protected] about this problem and here is the response. The solution of getting a valid Dartmouth certificate doesn't apply to non Dartmouth users, so I'm not sure what to do in that case.
    "You need to check your Keychain. The reason you are getting that error is because Safari is sending a Client Certificate back to the web server (which asked for it), but the web server can't verify that it's a good certificate. This usually happens when you have an expired certificate, or you have a non-Dartmouth certificate that Safari is likely sending because it can't find a Dartmouth one."
    "Whichever of these is the case, the solution is to get a valid Dartmouth certificate, which you can generate by going to https://collegeca.dartmouth.edu/ and following the directions on the web page. If you have an expired Dartmouth cert, you will need to delete that before you import your new, valid certificate."
    "The reason all of this is happening is specific to Intel Macs. The mechanism that Dartmouth has used, better than 7+ years, to authenticate browser users to web site (Kerberos) uses the SideCar helper application. This application doesn't run on Intel Macs, and it most likely never will. Fortunately, Dartmouth installed client certificates as an additional/alternate solution for web site authentication a few years ago. Since client certs work great on Intel Macs, we had to force Intel Macs to always use HTTPS when connecting to any site on www.dartmouth.edu. That way we can always be able to ask for your client cert, so that we don't break your ability to access protected sites that live on the www.dartmouth.edu server."

  • OHS not passing the client certificate in headers to WebLogic 11g

    I'm struggling with the ssl configuration on Oracle HTTP Server. I have it configured so that it requests the correct client certificate, I select it, but when it performs the http redirects between itself and WebLogic none of the headers I configured in the httpd.conf are passed to WebLogic.
    ssl.conf
    # OHS Listen Port
    # Listen 4443
    Listen 443
    <IfModule ossl_module>
    ## SSL Global Context
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    # Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin
    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    <IfModule mpm_winnt_module>
    SSLMutex "none"
    </IfModule>
    <IfModule !mpm_winnt_module>
    SSLMutex pthread
    </IfModule>
    ## SSL Virtual Host Context
    <VirtualHost *:443>
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional and require.
    SSLVerifyClient optional
    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
    # SSL Certificate Revocation List Check
    # Valid values are On and Off
    SSLCRLCheck Off
    #Path to the wallet
    SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SimulateHttps On
    </VirtualHost>
    </IfModule>
    I added the following to the httpd.conf
    LoadModule certheaders_module "${ORACLE_HOME}/ohs/modules/mod_certheaders.so"
    AddCertHeader HTTPS
    AddCertHeader SSL_CLIENT_CERT
    AddCertHeader SSL_CLIENT_S_DN
    AddCertHeader SSL_CLIENT_S_DN_CN
    AddCertHeader SSL_SERVER_CERT
    The only errors I see in the logs are:
    [ERROR:32] [OHS-9999] [core.c] [host_id: angkor.englink.bah.com] [host_addr: 127.0.0.1] [tid: 1335089472] [user: root] [ecid: 004bXaue_EwFw000jzwkno0006kT00000K] [rid: 0] [VirtualHost: main] File does not exist: /u01/app/oracle/Middleware/WT/Runtime/config/OHS/englink/htdocs/favicon.ico
    Other things to mention:
    I do have a certificate error but I don't see anything in the logs as to why and to be honest I'm not sure where to look.
    And I did not originally configure this server but I'm concerned that the above thinks the host_addr is 127.0.0.1 instead of the actual ip of the server (should I change this?)
    Any help is appreciated.
    Edited by: 843394 on Mar 10, 2011 6:28 AM

    Were you able to resolve this issue? I am currently having the same issue. I thought that it was likely that my ssl.conf didn't have SSLOptions +ExportCertData ... but I still have the issue after modifying ssl.conf.

  • Asa5505 client certificate renewal

    folks
    i have an asa 5505 as an ssl vpn termination point
    users are authenticated by certificate and username/password
    the asa is using a self generated certificate and issuing client certificates to users
    my problem:
    one of my user certs has expired and i can't find how to renew it
    i have found how to enable the enrollment threshold to notify users in advance of an expiry
    can anyone point me in the right direction or do i have to force a new enrollment?
    thanks to anyone taking the time to reply

    Deleting the profile will just make the device appear as a brand new BYOD device which needs BYOD on-boarding. The process/experience should not be any different than when the device was first on-boarded. Thus, the user can delete the profile at anytime. Obviously there will be no access until the re-on-boarding happens but again that is not any different than when the device was setup originally. To answer your last question: It really depends on how you setup your policies but just because the device is registered it does not mean that it won't go through the on-boarding process. In addition, if your rules are setup in such way that the device must NOT be registered for on-boarding to succeed then the BYOD user(s) can use the My Devices portal to manually delete the iOS device from ISE without the need of admin intervention. 

  • Lync Internal and external certificate expiration alerts.

    Hello Everyone,
    We are supporting Lync environment for one of our clients.
    We have a fear of encountering certificate expiration if we somehow might not remember.
    Is there any possible way that we can monitor the Lync certificate(Internal or Public) expiration via SCOM.
    If yes, what could be the standard procedure for achieving and testing this.
    Thank you!!!
    BR,
    Ammi.

    Hi,
    Please also refer to the link below of “Monitoring Expiring Certificates using SCOM”:
    http://blogs.technet.com/b/sgopi/archive/2012/05/18/monitoring-expiring-certificates-using-scom.aspx
    If you don’t deploy SCOM, CertExpAlerter offers an easy and free solution to monitor your certificates.
    You can refer to the link below:
    http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
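An added example, not part of this thread and not SCOM or CertExpAlerter code: the check those tools perform, written in Python against what the standard library's ssl.getpeercert() returns. Host names, thresholds and the sample dicts are constructed for the demo. The one caveat worth building in is that a default-verifying client refuses to complete the handshake with an expired certificate, so the live probe gets no certificate back at all; the monitor has to treat that as the alert rather than as "nothing to report".

```python
# Added example (see lead-in): expiry alerting from ssl.getpeercert() output, stdlib only.
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS, CRIT_DAYS = 30, 7            # assumed thresholds; pick your own

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def days_until_expiry(peercert, now):
    """Whole days from `now` to notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(peercert["notAfter"]), timezone.utc)
    return (expires - now).days

def common_name(peercert):
    """CN from getpeercert()'s subject: a tuple of RDNs, each a tuple of (type, value) pairs."""
    return dict(rdn[0] for rdn in peercert.get("subject", ())).get("commonName", "?")

def check(name, peercert, now):
    """One monitor result: (name, level, days_left, message)."""
    if peercert is None:                    # handshake failed: no data, and that IS the alert
        return name, "CRITICAL", None, "%s: TLS handshake failed (expired or untrusted cert?)" % name
    left, cn = days_until_expiry(peercert, now), common_name(peercert)
    if left < 0:
        return name, "CRITICAL", left, "%s: %s expired %d days ago" % (name, cn, -left)
    if left <= CRIT_DAYS:
        return name, "CRITICAL", left, "%s: %s expires in %d days" % (name, cn, left)
    if left <= WARN_DAYS:
        return name, "WARNING", left, "%s: %s expires in %d days" % (name, cn, left)
    return name, "OK", left, "%s: %s valid for %d more days" % (name, cn, left)

def fetch_peercert(host, port=443, timeout=5.0):
    """Live probe (network; not used by the sample run). Returns None when the default
    context rejects the chain, which is exactly what happens once the cert has expired."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except OSError:                         # ssl.SSLError is a subclass of OSError
        return None

# Constructed to look like getpeercert() output; the host names are made up.
SAMPLE = {
    "lync-edge.example.com": {"subject": ((("commonName", "sip.example.com"),),),
                              "notBefore": "Jun 15 00:00:00 2013 GMT",
                              "notAfter": "Jun 15 00:00:00 2014 GMT"},
    "mail.example.com": {"subject": ((("commonName", "mail.example.com"),),),
                         "notBefore": "Apr 30 00:00:00 2013 GMT",
                         "notAfter": "Apr 30 00:00:00 2014 GMT"},
    "www.example.com": {"subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
                        "notBefore": "Jan 01 00:00:00 2014 GMT",
                        "notAfter": "Dec 31 23:59:59 2014 GMT"},
    "old-edge.example.com": None,           # what fetch_peercert() returns on a failed handshake
}

def run(now, probes=SAMPLE):
    """Results sorted worst-first, the way an alert digest should read."""
    order = {"CRITICAL": 0, "WARNING": 1, "OK": 2}
    return sorted((check(n, c, now) for n, c in probes.items()), key=lambda r: order[r[1]])

if __name__ == "__main__":
    today = utc(2014, 5, 20)                # assumed "today" for the sample data
    for _, level, _, msg in run(today):
        print("%-8s %s" % (level, msg))
```

For a real run, replace the SAMPLE dicts with fetch_peercert(host) for each Lync edge, front end and reverse proxy name, and schedule it; internal names that only resolve inside the network need the probe to run from inside as well.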

  • Exchange Mail Certificate Expired

    Since our certificate expired this past weekend no one outside the firewall can connect to the Exchange server via Outlook or OWA.
    Our IT Director created a new certificate on the Exchange Server, but users trying to get mail on mobile phones or from home computers cannot connect to the exchange server.  What could be the cause?  Does the new certificate have to be installed
    on each client computer? Reason I ask is that we have people all over the country.

    Hi,
    Before we go further, I'd like to confirm whether the certificate is a self-signed certificate or an internal CA certificate.
    If yes, to make sure users trust the certificate, we need to install the certificate on every client.
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support
