Creating certificates for a subdomain

Similar Messages

• Question about creating Certificates for Out of Band management

  I would like to use out of band management for supporting clients in remote offices.  I am following the instructions at http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012 in the "Deploying Certificates
  for AMT" section.  It says:
  If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified
  certificate templates unless you are using the Enterprise Edition of Windows Server 2008.
  My Certificate Authority server is Server 2008R2 Standard.  When I right click on Certificate Templates -> New -> Certificate Template to Issue, I do not see the ConfigMgr AMT Provisioning and ConfigMgr AMT Web Server Certificates.  I know
  the box says 2008 Standard isn't supported, but I am using 2008R2 Standard, not 2008.  Why am I not able to see either certificate.  If it is because I am using the Standard Edition, than how can I create the certificates needed?  Upgrading
  to Enterprise is not an available solution (cost reasons).  Does this mean that OOB management certificate creation is not supported on Server 2008R2 Standard, and so I will not be able to use ConfigMgr 2012 SP1 for out of band management because I am
  unable to generate the required certificates?

  Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
  In order to use the cert template, you must use an Enterprise version of Windows. Only the Enterprise (or datacenter) version have the right version of the Certificate server.
  Garth Jones | My blogs: Enhansoft and
  Old Blog site | Twitter:
  @GarthMJ

• Using internally created certificate for IP-HTTPS lisenter temporarily during testing. Any issues?

  We are planning our Direct Access environment now and plan to also use SSTP VPN on the same box.
  I understand that the best practice is to use a certificate published by a public CA for the outward facing IP-HTTPS listener and we plan to do this however during testing we would like to use a certificate created from our internal CA. If our testing phase
  is successful and we plan to go ahead we would then buy a public CA certificate and replace the internally created one.
  I would just like to know how much of an issue/hassle it would be to do this. I believe that during the DA setup wizard it automatically inserts the certificates you provide. Is it a problem to change it afterward? Do you have uninstall DA and run through the
  wizard again? Thanks.

  Or you can use a Public 30-day trial SSL that is supported on all Clients.
  The hassle of changing it, will be the same as when you are renewing a public SSL certificate in the future. And yes, you have to re-run the wizard again, after you have imported the new SSL certificate on the DA server.

• Can't create Certificate for AIR file

  I am using Fireworks CS4 on mac OSX 10.5.7. I have created a prototype interface and am trying to create an AIR file of it to test. I cannot get Fireworks to create a self-signed digital certificate. Before I applied the FW update to take it to 10.0.3 FW just did nothing but popped up a message saying the certificate file could not be found. After updating to 10.0.3 I get an error message saying certificate creation failed. All posts on the net for windows computers with this problem point to the Java Run-time environment, but the update of this is handled by Apples software updates.
  Anyone have any ideas, its getting very frustrating.

  I am assuming that you have installed the updates for the mac including the version available automatically from Mac software updates. You can create a certificate manually from the AIR panel from within Fireworks itself.

• Creating certificate in ms-word for training and event management  sap hr

  hi, everybody, i used ole programming,to create certificate for attendee but i need to save in perticular directory,but all files are opening ,could anybody tell how to save in a perticular directory instead opening every file.

  upgraded SAP Frontend from 4.6c to 4.6d.

• Creating Certificates

  I am creating certificates for my program and they need to be able to use a mail merge to insert the names onto the certificates.  I am trying to create the certificates in Word but it never works right for me.  Is it possible to an InDesign file or PDF with mail merge to add the certificate names?

  Absolutely. Look up Data Merge in the help files.

• New SSL certificate for M670 process?

  Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?
  Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.
  Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 
  Jason

  Jason -
  You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.
  Had previous saved notes for similar questions in the past --- see if this helps:
  For full create and install:
  http://tools.cisco.com/squish/39054
  Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.
  On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates
  Detailed description how to generate a certificate can be found within the knowledge base article 1634.
  It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
  Use GUI: Network > Certificates > Export Certificates to export certificate.
  Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
  To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:
  openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
  Windows version of OpenSSL can be downloaded from:http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first before the OpenSSL Win32.
  Versions for Mac, Linux, and other operation systems can be downloaded from http://www.openssl.org/source/
  After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.
  To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates >select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
  The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.
  Let me know!
  -Robert

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Creating an Azure VM from an existing snapshot, does not automalically create a certificate for remoting

  Hi,
  As the title says, I have problems with an Azure VM created from an image I captured of an Azure VM.
  For easier deployment of my server I created one, running everything on localhost, such that I could take an image of it and re-deploy this image, by which I will speed up the process of creating a server substantially. However, this process requires me to
  be able to remotely control the azure VM, such that I can reconfigure the server to use the new name.
  My problem is that the certificate which is usually created automatically for me (under the cloud service on which the VM is created), is not created when I deploy a server on a new cloud service from this snapshot I have made. 
  Can anybody help me? 
  Thanks in advance!
  Regards
  Magnus

  Hi Susie,
  Sorry for the late answer, I've had a busy last week. Thank you for answering.
  You're quite right. The scenario you describe is exactly what I've done. The reason for doing this is because I am creating a script for installing my company's product on an Azure VM. I am using powershel for this purpose and therefore I need to be able
  to remote control it from powershell.
  So far I manually transfered everything, but as it is ~70GB of files it takes alot of time. So I tried installing everything on localhost (which works perfect) and taking a snapshot of the machine, but when I spin a new Azure VM up from this image I need
  to change a few database references and IIS settings in order to make it work. To do this I was hoping to be able to remotely control the machine with powershell, but since it does not create a certfificate I cannot do this.
  Furthermore creating and uploading a certificate will, from my understanding, require me to install it on the server, which in turn will need me to manually do some work anyways, where as the whole idea of automating the process is lost.

• How to create a SHA256 SAN Certificate for Exchange

  Dear.
  When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
  It seems that it's not possible to do this through the New-exchangecertificate.
  Do you know the alternative command when using certreq for the following Exchange command:
  New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com')
  -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048' 
  Thanks for the feedback.
  Regards.
  Peter
  Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

  Hi Peter,
  There is no parameter in New-ExchangeCertificate to select the Algorithm type (Secure Hash Algorithm (SHA)) to generate request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request
  as follows:
  1. Open MMC.exe. Click File >
  Add/Remove snap in…
  2. In the Available snap-ins tab, select Certificates >
  Add > Computer account > Local computer >
  Finish.
  3. Expand Certificates (Local Computer) > Personal > Certificates.
  4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
  5. click Next > Proceed without enrollment policy > Next > Next.
  6. In Certificate Information page, click Details > Properties.
  7. Then you can fill in the needed information for your request.
  8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to
  sha256.
  9. Click OK > Next. Fill in File Name and select the request location.
  10. Finish it and send this request to the certificate authority.
  Regards,
  Winnie Liang
  TechNet Community Support

• Create a certificate for non domain-joined PCs

  We have a standard AD domain wit a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
  PCs look to the CA to get their trusted certificate from.
  This is the issue I am encountering:
  Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
  However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
  "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
  When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
  "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
  How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

  It sounds like the question you are really asking is :
  How do I designate the internal root CA as a trusted root CA
  Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
  This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
  Run Certutil -addstore CA IssuingCA.crt 
  Brian

• Want to create new certificate for the SYSTEM PSE

  when i got o tcode 'STRUSTSSO2" In my system i am seeing a wrong certificate for the system PSE.
  i want to delete and and create a new certificate.
  Can some one tell me detail steps how i can remove the existing  certificate and create a new one.
  I am going to use the new certificate for SSO from portal to this server.
  Thanks
  Andy

  Hi Andy,
  To remove the System PSE, follow the procedure described in [SAP Help|http://help.sap.com/saphelp_nw70/helpdata/EN/b6/23273aafa35d46e10000000a11402f/frameset.htm].
  To create a new one, see the procedure [here|http://help.sap.com/saphelp_nw70/helpdata/EN/07/03473cbff75b01e10000000a114084/frameset.htm].
  Regards,
  Henk.

• Iplanet 6.0 creating a development SSL certificate for internal use

  With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
  Is there a tool to create my own SSL certificate for development work with iplanet 6.0?

  With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
  Is there a tool to create my own SSL certificate for development work with iplanet 6.0?

• How tto create exp certificate for an employe?

  Hi All
  my requirement is to create the experiance certificate for the employee...
  can any body give brief idea regarding this...
  Thanks in Advance
  Sandeep

  You can use the READ_TEXT function module to retrive the std texts created in SO10.
  ~Suresh

• Standard or UUC/SAN certificate for RDS

  I successfully deployed RemoteApp using self-assigned certificate.
  Now is the time to replace it with Trusted one.
  From what I found UUC/SAN certificate will allow to secure subdomains, unique domains and websites.
  My RDS deployment is limited to one domain only.
  Does wildcard certificate means that during certificate creation on Trusted site (ex GoDaddy) I will have an option to enter:
  *.my_domain.com for a subject and then use it for any RDS server?
  So it will be just a standard certificate with wildcard.
  &quot;When you hit a wrong note it's the next note that makes it good or bad&quot;. Miles Davis

  Hi,
  If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the
  same server you can purchase a single-name certificate, which is much cheaper than a wildcard. 
  If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
  For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request.  Fill out the information, select 2048 bits, etc., save
  as a file.  Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authorities web site.
  The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response.  You can usually follow those if you are unsure.
  Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to Personal store, right-click on the certificate and export it and its Private key as a .pfx file.  This is what you will use to apply the certificate in Server
  Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab.  You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
  -TP