Extension signing certificate issues

I'm having problems with my current certificate issuer (Globalsign), as they decided not to support developers any more and I have to change to another company; this means my certificate can't be renewed.
My knowledge about certificates is very limited, please can you help me?
Can extensions released with the old certificate still be installed after it expires? If yes, will the user get a warning or something else?
Some users reported (before the related certificate issue) that they got "invalid signature" warnings (mainly with CC) and they had to disable internet access in the extension manager to get it installed; this makes me think about the whole system.
Is a certificate really needed? Why not just allow us to input our contact details and let the user decide to trust or not?
Just paying a yearly fee only to guarantee that our names appear at the installation seems not to be very reliable. Maybe Adobe can allow extension builder developers an easier way to sign our extensions.
Btw, I assume I'm not the only one signing the extensions, right?
Thanks for any help.

I was kind of stuck on this one. We need to dispatch the extension to the customers for feedback. I have been searching online for a clue but no luck.
Any help will be much appreciated.
Does Adobe give out extension signing certificate? If not, any preferences?

Similar Messages

  • Get Adobe Extension Signing Certificate

    Hello,
    I am a Creative Cloud member and have been working on developing an Extension for InDesign and InCopy versions CS 5.x and above. We are intending to extend the support for other Adobe products also at a later date. Until now, I have been signing the zxp file with a certificate that I created via ExtensionBuilder, but now, we are getting ready to ship the extension to some of our prospective customers as a beta version for some feedback. And for that I need to get the extension signed with a certificate by a recognized authority, so that user does not get an error looking message while installing the extension.
    I did look around a little on Adobe forums and google but could not get a concrete list or steps to do so. What I need to know is:
    1. what all kinds of certificates are available,
    2. how to choose which one I should go for,
    3. how to get the certificate,
    4. certificate's validity (number of uses / time period) and
    5. the cost involved.
    I believe the process of signing the extension will be the same (I am using ant script to build and sign the zxp); please correct me if I am wrong.
    Any help is much appreciated.
    - Swati.

  • Problem setting up OCSP in LAB "Bad signing certificate on Array Controller" Signing Certificate: not found

    Hello
    Can someone please help me with the following question.
    In my LAB I have setup the following (MSDB subscription)
    Windows 2003 R2 Active Directory (Forest and Domain at "Windows Server 2003" level)
    2012 R2 offline Root CA (published the ROOT CA certificate to member server "LocalMachine/Trusted Root Certification Authorities" store via GPO as could not recall the certutil command to publish to directory services)
    2012 R2 online enterprise issuing CA (works fine)
    Setup OCSP on a separate server following a number of articles
    Templates To Issue > OCSP Response Signing
    Gave the OCSP Server "Read", "Enrol" (some confusion in various articles about also assigning Auto Enrol permission but I did not)
    Gave Network Service account same permissions as above
    Configured AIA extension on issuing CA for http://OCSPServer1/ocsp
    opened the OCSP MMC and configured Revocation Configuration called MyConfig, choose the issuing CA cert by browsing AD The wizard picked up the CA and the Template no problem and the wizard automatically selected the check box to Auto Enrol
    etc..
    However I get the following message at the end of the wizard "Bad signing certificate on array controller" and under array controller section certificate status says "Signing Certificate: Not Found"
    Check MMC > Certificates > Services > OCSPSvc\_MyConfig_  no certificate present
    At issuing CA > Certificate Authority > Issued Certificates   no OCSP signing certificate issued.
    Do I need to publish the ROOT CA Cert to AD too rather than pushing to LocalMachine\Trusted Root Certification Authorities via GPO?
    I have also tried giving the OCSP Server and Network Service "Auto Enrol" rights on the template but no difference.
    What I would like to also know please is, what triggers the "enrolment" for the OCSP cert, is this when you complete the OCSP Revocation Configuration wizard? and does the OCSPSvc then re-enrol for another cert in two weeks, even without auto enrol configuration on the template?
    Thanks very much in advance
    AAnotherUser__

    OK A little more information (should have thought about checking the Windows event logs first)
    On the OCSP Server, when completing the "Revocation Configuration" Wizard I get two Error events in the Windows Application Log as follows
    Event ID 34
    The Online Responder Service encountered an error while submitting the enrollment request for configuration Config9 to certification authority SubCA01.LAB.local\LAB-SUBCA01-CA. The request ID is -1.(The permissions on this certification authority do not allow the current user to enroll for certificates. 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED))
    Followed by Event ID 23
    The Online Responder Service could not locate a signing certificate for configuration Config9.(Cannot find the original signer. 0x8009100e (-2146889714 CRYPT_E_SIGNER_NOT_FOUND))
    So much clearer as to where the issue lies, will do some further digging
    Thanks
    AAnotherUser__

  • Export extension to ZXP with self-signed certificate

    Hello,
    I am having this issue with Extension Manager not allowing the install of an extension exported from Extension Builder with a self-signed certificate. It always says that the signature is invalid, even with the sample projects exported packages. I am on Mac OS Snow Leopard. Anyone else experiencing this?
    Regards.

  • Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

    I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
    The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
    1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
    2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
    About the Code Signing Certificate problem:
    When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
    I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
    The Google Groups Adobe AIR page is here:
    http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
    Any ideas about these issues?
    Thanks!
    Oscar

  • Need HELP getting my signed certificate to be recognized by Extension Builder in Eclipse! Getting Error in Windows!

    When I use Extension Builder 3 in Eclipse to package my files into a .zxp ... I get an 'invalid certificate' error.  Working in Windows, with Photoshop CC 2014.
    This .p12 certificate does currently work fine in Configurator 4 for my CS6 panels.
    Please help me get this working! Thank you!

    Hi hdbrew,
    "extension doesn't contain a valid signature" is a warning message that I've got in the past when Adobe Extension Manager (AEM) wasn't up to date - so you might check whether you've the latest version here: https://creative.adobe.com/en/products/extension-manager.
    Paid vs. Free (self signed) certificates: I had a paid one in the past (no AEM warnings) but there are a couple of shortcomings IMHO:
    1. With Adobe Add-ons, AEM and its warning alerts are bypassed altogether (files are deployed via the CC app) - so from the user point of view there's no difference between self-signed and paid certificates.
    2. An extension signed with a paid certificate stops working when the certificate expires. Self signed ones keep working even past the expiration date.
    And three, I find it "peculiar" to pay a third party authority to certify to Adobe that I am who I am in order to be allowed to develop for... Adobe itself (lot of words to say: free is cheaper).
    Extension Builder for bundling: as I wrote, personally I don't use EB - it's not been updated in a while (it's been acknowledged by the EB team too - who has kept releasing updates as CEP libraries) and I prefer a simple code editor + command line for signing and packaging, so others can be more helpful than me.
    Yet, if you don't need to package a hybrid extension, it's a matter of a simple line, such as:
    ./ZXPSignCmd -sign yourSourceFolder yourDestFolder/yourExtensionName.zxp yourCertFile.p12 yourCertPassword -tsa https://timestamp.geotrust.com/tsa
    Conversely, if you need to go hybrid (i.e. to deploy extra stuff alongside with your extension, e.g. a plugin) it's a matter of compiling an MXI file and the whole process is slightly more complex. Anyway, you can find information in the blogpost I mentioned earlier (the full series of 16 Tips so far is here).
    Regards,
    Davide Barranca
    www.davidebarranca.com
    www.cs-extensions.com

  • Code-signing Certificate Renew issue

    We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
    Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
    It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
    If there is an arcane trick we are missing I would be most appreciative to know what it is. This should not be this difficult.
    Thanks
    Kevin

    Hi Kevin,
    I've asked around and learned that the process as you describe is "as designed". However, there are strategies for minimizing the downsides.
    For more information, please see the following documents:
    AIR 2.6 Extended Migration Signature Grace Periods
    Update Strategies for Changing Certificates
    Update Your Applications Regularly
    Code Signing in Adobe AIR
    Hope this helps,
    Chris

  • Certificates issues [self-signed + enrollment]

    Hi everyone,
    I would like to ask you to go through my issues with certificates. First, I have a problem with self-signed certificates on a Debian box. I tried to import them (certificate chain - do you have experience with it? what about p12 format? should pem/der format be used?) to the system store placed in /usr/share/ca-certificates/XY/ + /etc/ca-certificates.conf + dpkg-reconfigure ca-certificates. Nothing changed, I'm still getting warnings related to my certificates. I tried to google it without success http://blog.bstpierre.org/fixing-certificate-errors-with-cisco-anyconnect - including comments related to another ca directory destination below. So, in short... where should my certificates be stored and what format should be used?
    Second thing... what does the message in the Connection Banner mean: Certificate Enrollment: Please enter the username and one-time password provided by your administrator? Is this the system password (on my Debian box)?
    OS + Client versions
    Description:    Debian GNU/Linux 7.2 (wheezy)
    Release:    7.2
    Codename:    wheezy
    Cisco AnyConnect VPN Client version 2.3.2016
    Thanks for any advice.

    Personally I have used the self signed certificate and used the AD Group policy to distribute the certificate. I think it would be possible to import a certificate from your PKI into SCUP. Have you tried this?
    Louis

  • How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

    I have an RDG server named gw.domain.local with port 3389/tcp forwarded from
    gw.example.com.
    Using RDGM snap-in I created a self-signed SSL certificate with FQDN gw.example.com.
    But when I connect over RDP from outside the local network I'm getting an error:
    Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
    Because certificate subject name is gw.domain.local indeed.
    So the question is: how to issue a certificate properly, or how to assign an existing one the name to match?

    Hi,
    Thanks for your post in Windows Server Forum.
    The certificate error which you are facing seems like a certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway server. You can refer to the article below for more troubleshooting.
    TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
    And for creating an SSL certificate for RD gateway, you can refer to the articles below.
    1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
    2.  Obtain a Certificate for the Remote Desktop Gateway Server
    Hope it helps!
    Thanks,
    Dharmesh

  • Issue with Self Signed Certificate Web Sites

    I tried searching, but wasn't really getting the answer or help I needed so I figured I would just start a new topic. At my work we have a test server that we use for development and we have a couple of Web Services on there that use Self Signed Certificates. At work, I have a PC (Windows 7) and a Mac Mini (OS X) both of which can connect to the Web Services just fine. But at home, I can't access any of the Web Services at all, my browsers and Xcode keep timing out. I know the Web Service is public, I've accessed it before from other machines outside of work it's just at home I can't. I have an iMac at home, with a linksys router and I don't know if it's a setting on my home computer or network that could be causing it but I don't even get the message in Safari, Chrome or Firefox that the site has a self signed or bad certificate so I know something isn't letting me communicate. Any help would be great (all of the answers I have found suggested to purchase a certificate, which in this case isn't appropriate since they are used for Development until we feel they are ready for production in which case we purchase the certificate). Thanks.

    new information:
    I tried another lumia800, and the https page worked.
    The only difference between the two phones was the language.
    My phone language was English (US), the other was Hungarian.
    After that, I switched my phone language settings to Hungarian, and tada... the self signed https page worked.
    I switched back to English (US) and it stopped working.
    Then I tried English (GB) and it worked again.
    I did not try other languages, but it looks like, if I use the English-US language, I cannot see any page with an invalid certificate.
    In other language settings, there is no problem.

  • How to replace an expiring self-signed certificate?

    Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
    First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
    It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
    The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
    It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
    I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
    I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certificate to see what they were.
    Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.)
    http://screencast.com/t/zlVyR2Hsc
    Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and its usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and its purpose is Server Authentication.
    Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
    http://screencast.com/t/54c2BUJuXO2
    Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
    Be aware that creating certificates starts to populate your server Keychain.
    http://screencast.com/t/JjLb4YkAM
    It appears that when you start to delete certificates, it leaves behind private keys.
    http://screencast.com/t/XD9zO3n16z
    If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
    OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
    In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
    Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
    Bypass "Introduction".
    In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
    The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
    You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
    In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
    The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean or how to select what to choose.
    (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's as clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
    Pant, pant...
    The next window asks for an email address and location information - this appears to be optional.
    Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
    Key Usage Extension window
    Here's where it gets interesting...
    I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
    Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
    Extended Key Usage Extension...
    Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
    Sorry, folks, I just HAVE to show you the help for this window...
    The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid.
    KILL ME NOW!!!
    OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
    Basic Constraints Extension...
    Well, there is no mention of that on the original certificate, so leave it unchecked.
    Subject Alternate Name Extension...
    Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
    DONE!!!! Let's see what the heck we got!
    http://screencast.com/t/QgU86suCiQH
    Well, I don't know about you but that looks pretty close for Jazz?
    I got some extra crap in there but the stuff from the original cert is all there.
    Think we're OK??
    Out with the old certificate (delete).
    Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
    http://screencast.com/t/bydMfhXcBFDH
    Oh yeah...one more thing in KeyChain Access...
    See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
    http://screencast.com/t/GdZfxBkHrea
    Select "Always Trust".
    I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
    I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
    Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
    If you want to see my rant on Apple's worthless documentation, it's here.
    http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

    to add to countryschool and john orban's experiences:
    using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
    in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
    when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
    supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
    you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
    now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
    after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
    lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
    maybe that's hopeful to somebody. but i stopped there since things seem to be working.
    last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
    now, we'll see how everything works once people start really using it...

  • Checklist for Exchange Certificate issues

    Checklist for Exchange Certificate issues
    1. 
    Why certificate is important for Exchange and What are Certificates used for
    Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
    securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
    Certificates are used for several things on Exchange Server. Most customers also use certificates
    on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
    IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
    POP/IMAP
    SMTP
     2. 
    Common symptoms for
    certificate issue
    Here we can see three different types of the certificate warning, mainly from the Outlook
    side.
    a.
    Certificate mismatch issue
    b.
    Certificate trust issue
    c.
    Certificate expiration issue
    3. 
    Checklists
    In this section, checklists will be provided according to the three different scenarios:
    Certificate Mismatch Issue
    [Analysis]:
    This issue mainly occurs because the URL of the web services Outlook tries
    to connect does not match the host name in the certificate.
    [Checklist]:
    Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
    Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
    In this scenario, you need to check the host name for the following services:
    Autodiscover
    EWS
    OAB
    ECP
    UM
    If any of the urls above does not match the one in the certificate, refer to the following article to change
    it via EMS:
    http://support.microsoft.com/kb/940726
     1.
    Do not forget to restart the IIS service after applying the changes above.
     2. Make sure a valid certificate is enabled on the IIS service.
    Certificate Trust Issue
    [Analysis]:
    Self-signed and PKI-based (Enterprise) certificates are not automatically trusted by the client computer or mobile device; you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment.
    [Checklist]:
    If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder.
    If it is a third-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
    Certificate Expiration Issue
    [Checklist]:
    When a certificate is about to expire, we just need to renew it by referring to the following article:
    Renew an Exchange Certificate
    http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
    To avoid any conflicts, it’s recommended to remove the expired certificate from the certificate store.
    [How to set a reminder to alert the administrator when a certificate is about to expire]:
    It’s easy to fix the certificate expiration issue. But it is more important to set a reminder before the certificate expires. Otherwise there can be a large user impact.
    Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
    If it’s not quite visible, we can refer to the following solution:
    http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
    OWA certificate revoked issue
    [Analysis]:
    IE includes support for server certificate revocation which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
    [Solution or workaround]:
    1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
    2. If not, check whether the certificate has a private key.
    3. Remove the old certificate and import the new one.
    Workaround:
    IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
    checkbox.
    4. More References
    Digital Certificates and SSL
    http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
    More on Exchange 2007 and certificates - with real world scenario
    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
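
The mismatch check from the checklist above, as an added example that is not part of the original post: it compares the host name of each service URL with the names on the certificate, including wildcard names. The function name `Test-CertNameCoverage` and the sample names and URLs are constructed for illustration.

```powershell
# Added example (not from the original post). Reports whether each service
# URL's host name is covered by one of the names on the certificate.
function Test-CertNameCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]]     $CertificateDomains,
        [Parameter(Mandatory = $true)] [System.Uri[]] $ServiceUrls
    )
    foreach ($url in $ServiceUrls) {
        $hostName = $url.Host.ToLowerInvariant()
        $matched  = $null
        foreach ($name in $CertificateDomains) {
            $n = $name.ToLowerInvariant()
            if ($n -eq $hostName) { $matched = $name; break }
            # A wildcard name such as *.contoso.example covers exactly one
            # extra label: mail.contoso.example yes, a.b.contoso.example no.
            if ($n.StartsWith('*.')) {
                $suffix = $n.Substring(1)
                if ($hostName.EndsWith($suffix)) {
                    $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                    if ($label -and -not $label.Contains('.')) { $matched = $name; break }
                }
            }
        }
        New-Object PSObject -Property @{
            Url = $url.AbsoluteUri; Host = $hostName
            MatchedName = $matched; Covered = [bool]$matched
        }
    }
}

# Constructed sample input. In the Exchange Management Shell the names would
# come from (Get-ExchangeCertificate).CertificateDomains, and the URLs from
# the services listed in the checklist (Autodiscover, EWS, OAB, ECP, UM).
$names = 'mail.contoso.example', 'autodiscover.contoso.example'
$urls  = 'https://autodiscover.contoso.example/Autodiscover/Autodiscover.xml',
         'https://mail.contoso.example/EWS/Exchange.asmx',
         'https://cas01.contoso.local/OAB'

# List only the URLs that would produce a name-mismatch warning.
Test-CertNameCoverage -CertificateDomains $names -ServiceUrls $urls |
    Where-Object { -not $_.Covered } |
    Select-Object Host, Url
```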

    (Reported previous post with link to SIS package to moderator)
    This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
    Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
    But there is no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
    At this point, try 2.7.0 which is out now:
    http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
    Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
    I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this by using Wifi (if possible).
    Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

  • Can you use a self signed certificate on an external Edge Server interface?

    Hi,
    I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
    interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
    cert is valid (root and intermediate have been checked for validity).
    At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
    Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
    Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem to.
    I can tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
    Thx

    Drago,
    Thanks for all your help. I got it working.
    My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
    Let me update everyone about self-signed certificates:
    YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
    I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
    intermediate have been checked for validity).
    Here are my notes:
    Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
    On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
    Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
    You should have already completed: Step1 and Step 2.
    Run or Run Again "Step 3: Request, Install or Assign Certificates".
    Install the "Edge internal" certificate.
    Click "Request" button to run the "Certificate Request" wizard.
    You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
    Once the certificate has been created, use "Import Certificate" to import it.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
    In the Lync deployment wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
    Install the "Edge External" certificate (public Internet).
    Click the "Request" button to run the "Certificate Request" wizard.
    Press "next"
    Select "Prepare the request now, but send it later (offline certificate request)".
    Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
    Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
    Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
    Fill in the organization info.
    Fill in the Geographical Information.
    The wizard should automatically fill in the "Subject name:" and "subject alternative name:" fields.
    Select your "Configured SIP domains"
    "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
    Verify the "certificate Request Summary". Click next.
    Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
    Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
    In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
    For the "External Edge certificate (public Internet), click "Assign".
    The "Certificate Assignment" wizard will run.
    Click next.
    From the list, select your cert "EXTERNAL-EDGE".
    Finish the wizard to "complete".
    You are finished on the server.
    Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
    When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
    Browse
    Select "Trusted Root Certification Authorities"
    Finish the wizard.

  • How to fetch certificates issued in past

    Hi,
    I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export the "Issued Certificates" list from the CA, it hangs.
    I want to know how many certificates and the last certificate issued from a specific template for fine-tuning and segregation purposes. Please let me know how we can check that status.
    Thanks
    Neha Garg

    Hi Paul,
    I am getting the output like this :
    C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.
    311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
    Schema:
      Column Name                   Localized Name                Type    MaxLength
      Request.RequestID             Request ID                    Long    4 -- Index
    ed
      Request.RawRequest            Binary Request                Binary  65536
      Request.RawArchivedKey        Archived Key                  Binary  65536
      Request.KeyRecoveryHashes     Key Recovery Agent Hashes     String  8192
      Request.RawOldCertificate     Old Certificate               Binary  16384
      Request.RequestAttributes     Request Attributes            String  32768
      Request.RequestType           Request Type                  Long    4
      Request.RequestFlags          Request Flags                 Long    4
      Request.StatusCode            Request Status Code           Long    4
      Request.Disposition           Request Disposition           Long    4 -- Index
    ed
      Request.DispositionMessage    Request Disposition Message   String  8192
      Request.SubmittedWhen         Request Submission Date       Date    8 -- Index
    ed
      Request.ResolvedWhen          Request Resolution Date       Date    8 -- Index
    ed
      Request.RevokedWhen           Revocation Date               Date    8
      Request.RevokedEffectiveWhen  Effective Revocation Date     Date    8 -- Index
    ed
      Request.RevokedReason         Revocation Reason             Long    4
      Request.RequesterName         Requester Name                String  2048 -- In
    dexed
      Request.CallerName            Caller Name                   String  2048 -- In
    dexed
      Request.SignerPolicies        Signer Policies               String  8192
      Request.SignerApplicationPolicies  Signer Application Policies   String  8192
      Request.Officer               Officer                       Long   
    4
      Request.DistinguishedName     Request Distinguished Name    String  8192
      Request.RawName               Request Binary Name           Binary  4096
      Request.Country               Request Country/Region        String  8192
      Request.Organization          Request Organization          String  8192
      Request.OrgUnit               Request Organization Unit     String  8192
      Request.CommonName            Request Common Name           String  8192
      Request.Locality              Request City                  String  8192
      Request.State                 Request State                 String  8192
      Request.Title                 Request Title                 String  8192
      Request.GivenName             Request First Name            String  8192
      Request.Initials              Request Initials              String  8192
      Request.SurName               Request Last Name             String  8192
      Request.DomainComponent       Request Domain Component      String  8192
      Request.EMail                 Request Email Address         String  8192
      Request.StreetAddress         Request Street Address        String  8192
      Request.UnstructuredName      Request Unstructured Name     String  8192
      Request.UnstructuredAddress   Request Unstructured Address  String  8192
      Request.DeviceSerialNumber    Request Device Serial Number  String  8192
      RequestID                     Issued Request ID             Long    4 -- Index
    ed
      RawCertificate                Binary Certificate            Binary  16384
      CertificateHash               Certificate Hash              String  128 -- Ind
    exed
      CertificateTemplate           Certificate Template          String  254 -- Ind
    exed
      EnrollmentFlags               Template Enrollment Flags     Long    4
      GeneralFlags                  Template General Flags        Long    4
      PrivatekeyFlags               Template Private Key Flags    Long    4
      SerialNumber                  Serial Number                 String  128 -- Ind
    exed
      IssuerNameID                  Issuer Name ID                Long    4
      NotBefore                     Certificate Effective Date    Date    8
      NotAfter                      Certificate Expiration Date   Date    8 -- Index
    ed
      SubjectKeyIdentifier          Issued Subject Key Identifier  String  128 -- In
    dexed
      RawPublicKey                  Binary Public Key             Binary  4096
      PublicKeyLength               Public Key Length             Long    4
      PublicKeyAlgorithm            Public Key Algorithm          String  254
      RawPublicKeyAlgorithmParameters  Public Key Algorithm Parameters  Binary  4096
      PublishExpiredCertInCRL       Publish Expired Certificate in CRL  Long    4
      UPN                           User Principal Name           String 
    2048 -- In
    dexed
      DistinguishedName             Issued Distinguished Name     String  8192
      RawName                       Issued Binary Name            Binary  4096
      Country                       Issued Country/Region         String  8192
      Organization                  Issued Organization           String  8192
      OrgUnit                       Issued Organization Unit      String  8192
      CommonName                    Issued Common Name            String  8192 -- In
    dexed
      Locality                      Issued City                  
    String  8192
      State                         Issued State                 
    String  8192
      Title                         Issued Title                 
    String  8192
      GivenName                     Issued First Name             String  8192
      Initials                      Issued Initials               String  8192
      SurName                       Issued Last Name              String  8192
      DomainComponent               Issued Domain Component       String  8192
      EMail                         Issued Email Address          String  8192
      StreetAddress                 Issued Street Address         String  8192
      UnstructuredName              Issued Unstructured Name      String  8192
      UnstructuredAddress           Issued Unstructured Address   String  8192
      DeviceSerialNumber            Issued Device Serial Number   String  8192
    Maximum Row Index: 0
    0 Rows
       0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
    CertUtil: -view command completed successfully.
    but it doesn't give me the output that I am looking for. I want to know details of the last certificate issued by a given template and its validity status.
    Please let me know if I need to make any changes in command.
    Thanks
    Neha Garg
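
A query of the kind asked for in the post above, as an added example that is not part of the original thread: the restriction takes the bare template OID (no angle brackets), keeps only issued certificates (Disposition 20), and `-out` selects a few columns as CSV instead of whole rows. The function name `Get-TemplateIssuanceSummary` and the sample rows are constructed for illustration; the column headers are the localized names shown in the schema output above.

```powershell
# Added example (not from the original thread). Summarises the CSV that
# "certutil -view ... csv" prints for one certificate template.
function Get-TemplateIssuanceSummary {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLines,
        [datetime] $Now = (Get-Date)
    )
    # Drop blank lines and any certutil status line before parsing.
    $rows = @($CsvLines |
              Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
              ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return $null }   # nothing issued from the template

    # Request IDs increase with every request, so the highest is the latest.
    $last = $rows |
            Sort-Object { [int]$_.'Issued Request ID' } -Descending |
            Select-Object -First 1
    $notAfter = [datetime]::Parse($last.'Certificate Expiration Date',
                    [System.Globalization.CultureInfo]::InvariantCulture)

    New-Object PSObject -Property @{
        IssuedCount  = $rows.Count
        LastRequest  = [int]$last.'Issued Request ID'
        LastSubject  = $last.'Issued Common Name'
        LastNotAfter = $notAfter
        LastExpired  = ($notAfter -lt $Now)
    }
}

# Live query, run on the CA. The OID is the one from the post, written bare.
# Dates in live output follow the CA server's locale, so adjust the parse
# culture in the function if that locale is not en-US.
# $oid = '1.3.6.1.4.1.311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204'
# $csv = certutil -view -restrict "Certificate Template=$oid,Disposition=20" `
#            -out "RequestID,CommonName,NotBefore,NotAfter" csv

# Constructed sample of that CSV output, so the function can be tried offline.
$csv = @(
    '"Issued Request ID","Issued Common Name","Certificate Effective Date","Certificate Expiration Date"'
    '"41","web01.contoso.example","1/15/2023 9:02 AM","1/15/2024 9:02 AM"'
    '"57","web02.contoso.example","3/2/2024 4:40 PM","3/2/2026 4:40 PM"'
)
Get-TemplateIssuanceSummary -CsvLines $csv
```

Revoked certificates carry Disposition 21, so they are excluded by the restriction and need a separate query if they should be counted.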

  • How to update revoked certificate issue with CS5 suite?

    I have a security issue found with a Nessus scan that states:
    Synopsis: An application installed on the remote Windows host is signed by a revoked certificate.
    Description: The remote host is using Adobe software that has been digitally signed by a revoked certificate. An Adobe build server was compromised, which has caused at least two malicious utilities to be signed with Adobe's code signing certificate. Any software signed by this revoked certificate (including legitimate Adobe software) is no longer trusted.
    I have followed everything I found on how to correct this, but most information is regarding CS6.  I have updated the certificate through Acrobat (version 9), but that has not fixed my issue. 
    The programs it says that are affected are:
    Bridge.exe
    Extension Manager
    Illustrator
    Photoshop
    I see no way to update any type of certificate in these programs.
    Is it just that CS5 is no longer supported, or have I missed an update?
    Thanks,
    Dan

    Rahul,
    You can do this in the doDMl method of your Entity Object.
    See this white paper:
    http://www.oracle.com/technology/products/jdev/collateral/papers/10131/businessrulesinadfbctechnicalwp.pdf
    If you have follow-up questions, please use the JDeveloper forum, since your question is not related to JHeadstart.
    Steven Davelaar,
    JHeadstart Team.
