Creating non-exportable certificates

I am looking for a way to prevent a certificate from being exported by users.
Once a certificate is imported into the keychain, the user shouldn't be allowed to export it.

In 10.5.8 and 10.6, you can import private keys and mark them as non-exportable with the security tool. From security(1):
-x      Specify that private keys are non-extractable after being imported.
This won't stop the user from copying the whole keychain off, however.

Similar Messages

  • Root CA certificate marked as non-exportable

    Hello All.
    I've found myself with an odd issue. A few months ago I migrated from an old 2008R2 Enterprise CA to a new 2012R2 Core Enterprise CA. I exported the Root CA cert from the old server using the following:
    certutil.exe backupkey C:\Temp\Migration
    That made a P12 file with the private key. I then imported the Root CA on the new server (after decommissioning the old server, installing ADCS, etc) using this command:
    certutil.exe importpfx "blah.p12"
    I continued the rest of the CA Migration steps per TechNet articles (http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_PrepDest
    http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx).
    Things have been fine for months but I wanted to do a scheduled backup of our CA cert and got an error:
    C:\Scripts>Certutil.exe -p Blah -backupkey
    CABackupCertUtil: -backupKey command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
    CertUtil: Key not valid for use in specified state.
    This error appears to be because my Root CA cert is marked as non-exportable. I verified this by using the Certificates MMC and the option is greyed out.
    My understanding is that importing a PFX with no options marks the private key as exportable but for some reason mine didn't. I'm not sure why but the issue at hand is to fix this for the future.
    I can see 2 possible options. To re-import the P12 file (I still have the original file) or to possibly renew the Root CA certificate although I'm not sure if that will allow it to be exportable.
    We have a lot of certificates issued by this new CA so I'm looking for suggestions or caveats since I can't find anyone else with similar issues.
    Thanks!

    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    You can delete the existing key from the store and re-import it from the PFX file.
    > My understanding was that it imports by default with the private key being exportable
    Not sure about certutil (haven't used this parameter for a while). You can try to run it again and check whether it will allow key export.
    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    No, you will still see the same certificate list as before, because this list is maintained by renewals and internal CA database information.
    > Or do you think it would be as easy as re-importing?
    Re-import will solve the issue. If certutil won't help, then use MMC.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new:
    SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • [AS][INDCC] How to set Color Conversion field to No Color Conversion when creating PDF Export preset

    How can I set the Color Conversion field in the Export to PDF dialog to No Color Conversion when creating a PDF Export preset? I have done a bit of searching and have found where it has been recommended to set the effective PDF destination profile to use no profile, but it doesn't seem to be producing the expected results.

    Yes, it seems that I had to make the change after creation, not while creating the preset. Thank you.
    tell application "Adobe InDesign CC"
         set newPreset to make new PDF export preset with properties ¬
              {name:"preset name", standards compliance:none, acrobat compatibility:acrobat 7}
         tell newPreset to set PDF color space to unchanged color space
    end tell

  • Create a Distribution Certificate as a p.12 file in Keychain Access not working?

    I need to create a Distribution Certificate as a p.12 file. I downloaded my ios_distribution.cer file from iOS Provisioning Portal/Certificates/Distribution/Download but this file will not install on my Keychain Access Certificates. Once installed I need to export as .p12. Why can't I install this .cer file to my keychain access? Thanks

    Hi EDUR142, did you find a way round this? If so, please let me know.
    I currently can see that these certificates are there in Keychain Access under System'Certificates'.
    However, in System'Keys' the relevant keys are not there. And in Login'Keys' there are 4 keys that might be the correct ones: 2 public keys, 2 private keys. BUT they do not have an arrow on the left, so I cannot see if the correct certificate is associated with them (as described in the Adobe step-by-step guide to DPS, pg 19).
    If this is similar to your issue last year, and you found a solution, please reply. Thank you.

  • Unable to Export certificates as Personal Information Exchange - PKCS #12 (.PFX) file format.

    We are using Windows 2003 Certificate Authorities, and we are unable to export certificates as .PFX; our only options are DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B). The .PFX option is grayed out in the Certificate Export Wizard on the CA.
    This poses a problem because our Windows 2008 server running IIS 7 wants us to import a certificate as .PFX.
    Can someone explain what is happening and how to fix it, please?

    Greg --
    The private key doesn't exist on the CA, but it does exist on the computer on whic you created the request. Here's what happens when you request a certificate.
    If you're generating a request with a new key pair -- which you will in the vast majority of cases -- Windows first generates the public and private key pair. The private key is written to a key store. Where the key store is located will depend on which
    Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) is specified in the template. KSPs were introduced in Windows Server 2008/Vista, and are only available in v3 templates. In the case of most of the default Microsoft CSP/KSPs (with the exception
    of those used with Smart Cards), the key store is located in either the user's profile, or in the case of computer certificates, the All Users profile. It is at this point, by the way, that the properties of that private key are also written to the key store.
    One property of interest to you immediately is whether or not Windows should allow the private key to be exported.
    Once the key pair is generated, the request is then created. The request contains the information that should be in the certificate. This information is generally specified by the template with the exception of the Subject field, which contains the Common
    Name or Distinguished name of whoever is requesting the certificate. In the case of IIS, the Subject will be your site name. The public key is included in the request. Windows then signs the request with the newly created private key.
    Windows also creates a dummy certificate object in the Certificate Enrollment Requests store so that it knows that there is an outstanding request.
    At this point, the request is saved to a file or sent to an online CA depending on how you generated the request. Note that the private key is
    not sent to the CA in most cases. The exception to this rule occurs when you have Key Archival enabled on the CA, and the template specifies that the private key should be archived in the CA database. If this is the case, Windows retrieves
    the CA Exchange certificate from the CA and uses the public key in that certificate to encrypt the newly created private key. This encrypted private key is included in the request.
    Once the CA receives the request, it processes that request to determine if it should issue the certificate or not. In the case of the Enterprise CA, this decision is based on the permissions on the template. One can also specify that certain templates
    require CA manager approval before they can be issued. Assuming that everything is correct in the request, and that the necessary information can be retrieved from Active Directory (perhaps the user's email address, or the computer's DNS host name -- it depends
    on the settings in the template), and that any CA Manager approvals specified in the template have been performed, the CA builds the certificate and signs it with its current private key. The certificate has been created.
    This certificate is stored in the CA database, which is why you can export it in the Certificate Authority snap-in. If the encrypted private key for that certificate has been included in the request to be archived, the CA decrypts it first with its CA Exchange
    private key, and then re-encrypts it using the public key(s) for any Key Recovery Agents configured on the CA. The newly encrypted private key is also stored in the CA database. Note that this encrypted private key can only be retrieved and decrypted
    by a valid KRA.
    The CA then returns the certificate to principal who requested it. If the request was first saved as a file and then submitted to the CA you have to retrieve the certificate manually. It is only returned automatically if you submitted the request via the
    Certificiates MMC, or if the application you use to submit the request retrieves it for you. IIS does this, when you use the certificate request wizard to request a Web Server certificate.
    When the client has received the certificate, it locates the dummy certificate object in the Certificate Enrollment Requests store. From this object, Windows copies the location of the key store for the private key (among other things). This dummy certificate
    object is then deleted, and the new certificate is imported into the Personal store. The private key information is then written to an internal property of the certificate in the store. This is how Windows locates the private key of that certificate in order
    to use it when you invoke the associated certificate.
    When you go to export the certificate and private key, Windows reads the private key locate information from the certificate properties in order to find the key store wherein it is located. Assuming export is allowed, the certificate and private key are written
    to a password protected PFX file.
    That's how a certificate request gets turned into a certificate, and explains why the private key doesn't exist on the CA. If you need to generate a PFX file, then you'll have to export the certificate from the computer on which you generated the request.
    Hope this helps.
    Jonathan Stephens
    Jonathan Stephens
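    As an added example (not code from this thread), the following PowerShell shows the export property Jonathan describes being fixed at key-generation time and enforced at export: one throw-away self-signed certificate is created with an exportable key and one with a non-exportable key, the policy the Key Storage Provider recorded is read back, and a PFX export of each is attempted. It assumes Windows 10 / Server 2016 or later with the built-in PKI module; the subjects, password and file names are made up for the demo.

```powershell
# Added example, not from the thread. Assumes the built-in PKI module
# (New-SelfSignedCertificate, Export-PfxCertificate) on Windows 10 / Server 2016+.
# Subjects, password and file names below are constructed for the demo.

function New-DemoCert {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][ValidateSet('Exportable', 'NonExportable')][string]$Policy
    )
    # The export policy is recorded by the Key Storage Provider when the key pair is
    # generated, next to the key itself; it is not something the certificate carries.
    New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyExportPolicy $Policy `
        -NotAfter (Get-Date).AddDays(1)
}

function Get-KeyExportPolicy {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Windows follows the private-key location stored in the certificate's properties to
    # find the key; for a KSP key that is an RSACng whose CngKey carries the policy flags.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.ExportPolicy }
    # Legacy CSP key: the same property is exposed through CspKeyContainerInfo.
    if ($Cert.PrivateKey) { return $Cert.PrivateKey.CspKeyContainerInfo.Exportable }
    return $null
}

function Test-PfxExport {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Path
    )
    # Export-PfxCertificate honours the stored policy: a NonExportable key is refused
    # instead of being written into the password-protected PFX.
    $pw = ConvertTo-SecureString 'DemoPassword!' -AsPlainText -Force   # constructed
    try {
        Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $pw -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "Export of $($Cert.Subject) refused: $($_.Exception.Message)"
        return $false
    }
}

$exportable    = New-DemoCert -Subject 'CN=demo-exportable'    -Policy Exportable
$nonExportable = New-DemoCert -Subject 'CN=demo-nonexportable' -Policy NonExportable

foreach ($c in $exportable, $nonExportable) {
    '{0}: export policy = {1}' -f $c.Subject, (Get-KeyExportPolicy -Cert $c)
}

$dir = Join-Path $env:TEMP 'pfx-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Test-PfxExport -Cert $exportable    -Path (Join-Path $dir 'exportable.pfx')
Test-PfxExport -Cert $nonExportable -Path (Join-Path $dir 'nonexportable.pfx')

# Remove the demo certificates together with their private keys.
foreach ($c in $exportable, $nonExportable) {
    Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey
}
```

    Run it in an elevated or normal user session; everything it creates lives in the current user's Personal store and is removed at the end.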

  • Server 2012 CDP PKI Setup on Subordinate CA - Active Directory Certificate Services could not create an encryption certificate

    Hi,
    When I check pkiview.msc on my 2012 Subordinate CA I get the error shown in the first picture below. I'm also getting errors similar to below in the event log:
    "Active Directory Certificate Services could not create an encryption certificate.  Requested by contoso\admin1.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)."
    I'm assisting in setting up a 2 tier PKI infrastructure using Windows 2012. The root CA looks good, but we're getting errors on the subordinate. The server was working, but we discovered that the server would only issue certificates with a maximum of a 1 year expiry date - obviously no good, so we decided to run through the following commands on the root CA (as recommended by http://www.techieshelp.com/subordinate-ca-increase-certificate-validity/)
    certutil -setreg ca\ValidityPeriodunits "Years"
    certutil -setreg ca\ValidityPeriod "5"
    restarted AD certificate services on the root and subordinate CA. Then did the following on the subordinate CA:
    1. On the Subordinate CA create a new CA request by right clicking the server in ADCS and select New Request.
    2. Supplied the original request file from the subordinate CA (I couldn't find a way of generating a new request file)
    3. Issued the certificate using the Root CA.
    4. On the Subordinate CA ADCS installed new CA cert.
    However, I keep on getting CDP or AIA errors on my subordinate CA. Also I'm missing a CDP field value when I look at the certificate listed in the personal and trusted certification authority store on my subordinate CA.
    In addition, when I look at my CDP locations in Certificate Authority, I see a lot of CDPs, but I'm not sure if I need them all - I suspect I could just get away with LDAP, the C:\windows path and a single http:// path.
    I've tried renewing the existing certificate and CRL on my subordinate CA, but that didn't work either.
    Please advise.
    Thanks

    Ok, the process to renew the subordinate CA is incorrect. Once the registry setting to change the validity period was made on the root CA, the root CA ADCS service needs to be restarted. That is the only time those keys are read. Then:
    1) On the subordinate CA, open the CA tool, right click the CA and select Renew CA Certificate. You can use the same key, no need to create a new one. It will create a NEW certificate request file
    2) Copy that to the Root CA and submit like you would have done during the initial install
    3) Approve the request and export the issued certificate
    4) On the subordinate CA, in the CA tool, right click the CA and choose Install CA Certificate.
    You cannot reuse request files.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • How do I Create an Android Certificates for Phone Gap?

    I wanted to know how to create an Android Certificate that I can use in PhoneGap. I tried to use the certificate that I created in Flash but apparently PhoneGap is no longer accepting these kinds of certificates.
    If anyone knows of a straightforward, designer-friendly article or resource that explains how to do this, it would be much appreciated. Flash makes it super simple to create an Android Certificate.

    Thanks, Nancy. This is helpful.
    However, Flash Professional has a built-in panel that allows you to create an Android certificate in under 30 seconds.
    The information from Android and PhoneGap is helpful but seems to be unnecessarily clunky. Since this is my first time creating an Android certificate (outside of Flash) it looks like this process will take a few hours (or more) assuming trial and error and reading through the documentation.
    I was just wondering if there is a simpler solution available, something similar to the process in Flash Professional.

  • Getting error while exporting certificate to OIF Certificate Validation

    Hi All,
    Currently I am working with Oracle identity federation 10.1.4.0.1. I am facing one problem while exporting certificate to Certificate Validation, the error I am getting after importing certificate at console is:
    ERROR - oracle.security.crypto.asn1.ASN1FormatException: Got tag 0 instead of 16.
    Write failed: Broken pipe
    But it doesn't display any error in the webpage after exporting the certificate.
    Any help in this regard really appreciated.
    Thanks,
    Iceman
    Edited by: OIF version included

    If the certificate is in text PEM format, please ensure that the actual certificate content is enclosed within:
    -----BEGIN CERTIFICATE-----
    MII................
    -----END CERTIFICATE-----
    That's all. It should also not have the certificate in text. Just the content within those lines.
    Hope this helps.
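    As an added example (not code from this thread), the following PowerShell check enforces the framing the reply asks for and ties it to the "Got tag 0 instead of 16" message: the text must contain exactly the Base64 body between the BEGIN/END markers, and the decoded bytes must start with the DER SEQUENCE identifier (tag number 16). The sample inputs are constructed; the Base64 in them is a minimal DER SEQUENCE standing in for a real certificate body, since the check only looks at the outer tag.

```powershell
# Added example, not from the thread. Validates that text holds one PEM-framed
# certificate in the form described above: nothing but the Base64 body between the
# BEGIN/END markers. The decoded bytes must start with 0x30, the DER identifier for
# SEQUENCE (tag number 16); "Got tag 0 instead of 16" means the parser found some
# other byte where that outer SEQUENCE should begin.

function Test-PemCertificate {
    param([Parameter(Mandatory)][string]$Text)
    $result = [ordered]@{ Ok = $false; Reason = '' }
    $lines = @($Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    $begin = [array]::IndexOf($lines, '-----BEGIN CERTIFICATE-----')
    $end   = [array]::IndexOf($lines, '-----END CERTIFICATE-----')
    if ($begin -lt 0 -or $end -lt 0 -or $end -le $begin) {
        $result.Reason = 'BEGIN/END CERTIFICATE markers missing or out of order'
        return [pscustomobject]$result
    }
    if ($begin -ne 0 -or $end -ne $lines.Count - 1) {
        # Typically the human-readable "openssl x509 -text" dump pasted in front of the block.
        $result.Reason = 'text outside the markers'
        return [pscustomobject]$result
    }
    if ($end - $begin -lt 2) {
        $result.Reason = 'empty body'
        return [pscustomobject]$result
    }
    $body = ($lines[($begin + 1)..($end - 1)]) -join ''
    if ($body -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
        $result.Reason = 'body is not Base64'
        return [pscustomobject]$result
    }
    try   { $der = [Convert]::FromBase64String($body) }
    catch { $result.Reason = "Base64 decode failed: $($_.Exception.Message)"; return [pscustomobject]$result }
    # DER identifier octet: class universal (00), constructed (1), tag number 16 -> 0x30.
    $tag = $der[0] -band 0x1F
    if ($der[0] -ne 0x30) {
        $result.Reason = 'Got tag {0} instead of 16 (first byte 0x{1:X2})' -f $tag, $der[0]
        return [pscustomobject]$result
    }
    $result.Ok = $true
    $result.Reason = "outer SEQUENCE, $($der.Length) DER bytes"
    return [pscustomobject]$result
}

# Constructed inputs. "MAMCAQE=" is the minimal DER SEQUENCE 30 03 02 01 01, a stand-in
# for a real certificate body (this check only inspects the outer tag).
$good = @"
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"@
$withTextDump = "Certificate:`n    Data:`n        Version: 3 (0x2)`n" + $good
$zeroBytes    = $good -replace 'MAMCAQE=', 'AAAA'     # decodes to 00 00 00 -> tag 0

$samples = [ordered]@{ good = $good; textDump = $withTextDump; zeroBytes = $zeroBytes }
foreach ($sample in $samples.GetEnumerator()) {
    $r = Test-PemCertificate -Text $sample.Value
    '{0,-10} Ok={1,-5} {2}' -f $sample.Key, $r.Ok, $r.Reason
}
```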

  • Getting error while trying to create the push certificate...

    I am getting the following error while trying to create a push certificate for the MDM from the Apple site.
    Certificate Signature Verification failed because the signature is invalid.
    I am the MDM vendor as well as the customer. I did the following steps.
    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
    openssl req -inform pem -outform der -in customer.csr -out customer.der
    created the plist_encoded file using a java program which uses the "SHA1WthRSA"
    When I tried to upload the plist_encoded file to the apple site (https://identity.apple.com/pushcert/), it creates a file with the following error
    {"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the <a href=\"http://www.apple.com/business/mdm\" target=\"_blank\">signature<\/a> is invalid."}
    Any help would be greatly appreciated....

    Please see the solution in (The Descriptive Flexfield With Application Name Receivables (AR) and Name Party Site Information (HZ_PARTY_SITES) Is Not Frozen [ID 743262.1]).
    Thanks,
    Hussein

  • Apex 3.1.2.00.02 creates invalid export file (that gives ORA-20001 error)

    Hi
    I want to let you know, that sometimes APEX 3.1.2.00.0 creates invalid export file.
    Older apex 3.0 created correct file.
    For example: our application has page button, where "Optional URL Redirect" is:
    Page: &APP_PAGE_ID.
    Request: FLOW_XMLP_OUTPUT_R11531800061044170_et
    If we export application into file f110.sql and try to import it to the same workspace on the same server, we get error:
    ORA-20001: GET_BLOCK Error. ORA-20001: Execution of the statement was unsuccessful. ORA-06550: line 28, column 111: PLS-00103: Encountered the symbol "_" when expecting one of the following: ) , * & | = - + < / > at in is mod remainder not rem => .. <an exponent (**)> <> or != or ~= >= <= <> and or like LIKE2_ LIKE4_ LIKEC_ as between from using || multiset member SUBMULTISET_ The symbol &a
    In the exported f110.sql file the invalid section is:
    wwv_flow_api.create_page_branch(
    p_id=>11762805016890347 + wwv_flow_api.g_id_offset,
    p_flow_id=> wwv_flow.g_flow_id,
    p_flow_step_id=> 4,
    p_branch_action=> 'f?p=&APP_ID.:&APP_PAGE_ID.:&SESSION.:FLOW_XMLP_OUTPUT_R'||to_char(10255206661122183_et+wwv_flow_api.g_id_offset)||':&DEBUG.:::',
    p_branch_point=> 'AFTER_PROCESSING',
    p_branch_type=> 'REDIRECT_URL',
    p_branch_when_button_id=>11761415275883875+ wwv_flow_api.g_id_offset,
    p_branch_sequence=> 10,
    p_branch_comment=> 'Created 20-JUUNI-2008 12:05 by XXXX');
    If we exported the same application in apex 3.0, this section was correct:
    wwv_flow_api.create_page_branch(
    p_id=>11762805016890347 + wwv_flow_api.g_id_offset,
    p_flow_id=> wwv_flow.g_flow_id,
    p_flow_step_id=> 4,
    p_branch_action=> 'f?p=&APP_ID.:&APP_PAGE_ID.:&SESSION.:FLOW_XMLP_OUTPUT_R10255206661122183_et:&DEBUG.:::',
    p_branch_point=> 'AFTER_PROCESSING',
    p_branch_type=> 'REDIRECT_URL',
    p_branch_when_button_id=>11761415275883875+ wwv_flow_api.g_id_offset,
    p_branch_sequence=> 10,
    p_branch_comment=> 'Created 20-JUUNI-2008 12:05 by XXXX');
    Best Regards,
    Tõnu

    Thanks for pointing that out. We'll fix it. It does appear though, that in 3.0, the offset would not be added to the number part of the request value, so if you installed the application as a different application ID or into a different workspace, the request would have failed.
    Scott

  • How to create the Export Data and Import Data using flat file interface

    Hi,
    Request to let me know based on the requirement below on how to export and import data using flat file interface.....
    Please provide the steps involved for the same.......
    BW/BI - Recovery Process for SNP data. 
    For each SNP InfoProvider,
    create:
    1) Export Data:
    1.a)  Create an export data source, InfoPackage, comm structure, etc. necessary to create an ASCII fixed length flat file on the XI
    ctnhsappdata\iface\SCPI063\Out folder for each SNP InfoProvider. 
    1.b)  All fields in each InfoProvider should be exported and included in the flat file. 
    1.c)  A process chain should be created for each InfoProvider with a start event. 
    1.d)  If the file exists on the target drive it should be overwritten. 
    1.e)  The exported data file name should include the InfoProvider technical name.
    1.f)  Include APO Planning Version, Date of Planning Run, APO Location, Calendar Year/Month, Material and BW Plant as selection criteria.
    2) Import Data:
    2.a) Create a flat file source system InfoPackage, comm structure, etc. necessary to import ASCII fixed length flat files from the XI
    ctnhsappdata\iface\SCPI063\Out folder for each SNP InfoProvider.
    2.b)  All fields for each InfoProvider should be mapped and imported from the flat file.
    2.c)  A process chain should be created for each InfoProvider with a start event. 
    2.d)  The file should be archived in the
    ctnhsappdata\iface\SCPI063\Archive directory.  Each file name should have the date appended in YYYYMMDD format.  Each file should be deleted from the \Out directory after it is archived. 
    Thanks in advance.
    Tyson

    Here's some info on working with plists:
    http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter1_section1.html
    They can be edited with any text editor. Xcode provides a graphical editor for them - make sure to use the .plist extension so Xcode will recognize it.

  • Which CZ-Schema tables get affected when we create Non BOM items in OCD?

    Hi,
    Please LIST ALL the CZ tables which get affected when we create a Non BOM structure.
    Or else at least suggest a means by which I can find out which tables are getting affected (i.e., in which CZ tables rows are being inserted).
    Thanks.
    Edited by: 1008308 on May 28, 2013 2:03 AM

    I cannot speak for Murali, but from my experience... this information is not available in a particular manual or documentation. These table names are known over the course of working with the product over a period of time, seeing SQL statements inside working code, working on bugs alongside Oracle Support and Development, etc. However, there is some information available in the following locations to help you out:
    * CZ Implementation Guide - Section D - CZ Subschemas (http://docs.oracle.com/cd/E18727_01/doc.121/e14322/T440679CHDJBBFB.htm). This part of the manual lists the key tables used for various activities (product structure, publishing, UI, etc.)
    * ETRM (http://etrm.oracle.com) also has some useful information. Not every table is described, but many of them are. As an example, here is what you might find as a description of the CZ_PS_NODES table:
    "The CZ_PS_NODES table contains the entire structure of a product model. Data can be imported from Oracle Bill of Materials. Each project has a root (product) node. When the project structure is imported, project structure nodes mirror the imported BOM structure. Nodes of type REFERENCE are used to include a separate project ("model") into another psnode project tree."
    Thanks,
    Jason

  • How to create non cumulative Key Figure.

    Friends, let me know the steps for creating a Non Cumulative Key Figure; can anyone tell me where I can get documents for this? Points will be rewarded.

    Hi,
    check these help links
    http://help.sap.com/saphelp_nw04/helpdata/en/8f/da1640dc88e769e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/95/1ae03b591a9c7ce10000000a11402f/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6305e07211d2acb80000e829fbfe/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6312e07211d2acb80000e829fbfe/content.htm
    It's a big topic so it's not possible to write everything here.
    You can search the forums also.
    Thanks

  • Creating non binary trees in Java

    Hi everybody, actually I am used to creating binary trees in Java; can you please tell me how we create non-binary trees in Java?

    Hi,
    Can you let us know the application area for a non-binary tree?
    S Rudra

  • Service sucks, I can't create editing exporting PDFs

    I can't create editing exporting PDFs

    Hi flossiem94432250,
    Please specify more on the same.
    What exactly do you wish for? Do you want to export PDFs to other formats?
    Let me know.
    Regards,
    Anubha
