Generate Certificates for WLC and clients

Similar Messages

• Issuing certificates for user and clients from different forest/domain

  Hello,
  at first I would like to say that I have made some researches on this forum and in the Internet overall.
  I have AD Forest with ~10 sites all over the Europe, DFL and FFL is 2008 R2, right now we are migrating site by site from old domain (samba) to AD.
  Last time I have deployed PKI based on offline root CA and 2 Enterprise acting as 2-node Failover Cluster.
  Everything in my AD Forest is OK, I mean, autoenrollment works perfect for users and computers from my forest, 
  now I need to deploy a certificate (for test) to one web-based pbx server in samba domain, there are no trusts etc. Samba domain as well as AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity,
  What are possible way to achieve this goal? I mean to issue cert to client from different forest, so that this client is able to validate it, validate certificate chain and renew it when needed?
  I have Installed and Configured CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of different domain), I selected username/password authentication, I am able to request certificate, I can
  see all templates which I should see, but when I try to enroll I got an error:
  (translated from my language)A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
  My root CA cert is added to trusted publishers for computer and user node as well.
  What could be wrong? If you have any ideas or questions, please share or ask. 
  Thank you in advance.

  Everything is clear, I have Certificate Enrollment Web Services installed and configured,
  problem is what i get from certutil - TCAInfo
  ================================================================
  CA Name: COMPANY-HATADCS002-ISSUING-CA
  Machine Name: COMPANYClustGenSvc
  DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
  Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
  CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
   NotAfter: 2019-02-14 12:44
  Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
  Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
    Enterprise Subordinate CA
  dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_NT_AUTH
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 12:34
    NotAfter: 2019-02-14 12:44
    Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    Serial: 618f3506000000000002
    Template: SubCA
    9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 02:
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      ThisUpdate: 2014-02-14 12:16
      NextUpdate: 2024-02-15 00:36
      d7bafb666702565cae940a389eaffef9c919f07a
    Issuance[0] = 1.2.3.4.1455.67.89.5 
  CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 11:55
    NotAfter: 2024-02-14 12:05
    Subject: CN=HATADCS001-COMPANY-ROOT-CA
    Serial: 18517ac8a4695aa74ec0c61b475426a8
    b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Issuance[0] = 1.2.3.4.1455.67.89.5 
  Exclude leaf cert:
    5b309c67a8b47c50966088a4d701c8526072c9ac
  Full chain:
    413b91896ba541d252fc9801437dcfbb21d37d91
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 12:34
    NotAfter: 2019-02-14 12:44
    Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    Serial: 618f3506000000000002
    Template: SubCA
    9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
  A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
  Supported Certificate Templates:
  Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
  Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
  Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
  Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
  Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
  Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
  Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
  Validated Cert Types: 7
  ================================================================
  COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
    Enterprise Subordinate CA
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Online
  CertUtil: -TCAInfo command completed successfully.
  please put some light on it because it's driving me crazy :/
  Thanks in advance
  one remark: certutil -tcainfo performed on CA directly is 100% OK, no errors regarding 
  "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

• Certificates for Server and Client to install . Pls advice

  I am doing File --XI --- File scenario with FTPS.
  Currently consider only File -- XI part now.
  We go point by point: for this link:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
  Blog says:
  1. In the visual admin of XI make Server Public and Private keys.
  2. In the visual admin of XI make Client Public and Private keys.
  Suppose File Sender System is Server and XI is Client
  Questions:
  a. Do I need make Server Public and Private keys In the visual admin of XI ?
  b. Do I need make Client Public and Private keys In the visual admin of XI ?
  Generic Rule -- system1 sends its public key to system2 and  similarly system2 sends its public key to system1.
  c. For Export keys and Import keys as given in blog
  -- I am not able to get this part given from Page 38 - 41 of this blog.
  Pls advice me
  Regards
  Edited by: Henry A on Mar 3, 2008 1:07 PM
  Edited by: Henry A on Mar 3, 2008 1:08 PM
  Edited by: Henry A on Mar 3, 2008 1:54 PM

  Hi DecaXD,
  thank you for quick response :)
  on the client site i tried to establish the connection to the work repository with the following connection information:
  Login information*:
  Oracle Data Integrator Connection
  Login name = odi_server
  User = SUPERVISOR
  Database connection (Master Repository):
  User = odim
  URL = jdbc:oracle:thin:@<server ip>:1521:orcl
  A work repository could be found, but the connection failed! (?!)
  " ODI-26130: Connection to the repository failed.
  oracle.odi.core.config.NotWorkRepositorySchemaException: ODI-10147: Repository type mismatches.     
  Could not get JDBC Connection; nested exception is java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid SQL-Query for validating the connection (+translated from german into english+) "
  my ODI configuration on the server site (loged in as: odiw):
  topology tab*:
  Physical architecture:
  Technology:
  Definition:
  Dataserver name = oracle_db_11gr2
  User = odiw
  JDBC-URL = jdbc:oracle:thin:@10.168.178.131:1521:orcl
  Datasource:
  Agent = OracleDIAgent
  JNDI-Name = [DataSourceName]
  Agents:
  Definition:
  Name = OracleDIAgent
  Host = <IP of the server>
  Port = 8001
  Webapplicationcontext = oraclediagent
  Datasources:
  Dataserver = oracle_db_11gr2
  JNDI-Name = [DataSourceName]
  Logical architecture:
  Technology:
  Defintion:
  Name = oracle_db_11gr2
  Context = aMIS_dev
  Physical schema = oracle_db_11gr2.ODIW
  Agent:
  Name = OracleDIAgent
  Context = aMIS_dev
  Physical agent = OracleDIAgent
  when i test the connection of the data server (topology>physical architecture>technology>oracle>oracle_db_11gr2) with the OracleDIAgent i receive the
  " ODI-26039: Connection failed.
  oracle.odi.runtime.agent.invocation.InvocationException: javax.naming.NameNotFoundException: Unable to resolve '[DataSourceName]'. Resolved ''; remaining name '[DataSourceName]' "
  since testing the connection on the server site failed in first place, i couldn't test the connection on the client site.

• BSR code on TDS Certificate for Customer and vendor in india

  Hi
  We have a requirement to print BSR code on TDS Certificates for customer and Vendor in india.
  Currently the BSR code for Customer TDS certificates picked up from Bank branch ( BNKA-BRNCH ) field and
  for vendor TDS certificates picked up from Bank Key field.
  There is a 3rd party sowtware running monthly to update the BNKA table. so we are not following the standard process and we are implemented another options to picked up the BSR code for TDS certificate printing on Vendor/Customers.
  For Vendor TDS certificate, we implemented SAP notes 1299729 & 1338645
  to print the BSR code from Tax Number1 (T012-STCD1) field and it is working fine.
  For customer TDS certificate also we want program to pickup BSR code
  from Tax Number1 (T012-STCD1) field
  Please let me know is there any other SAP correction Notes avalible to print the BSR code on Customer TDS certificates from  Tax Number1 (T012-STCD1) field.
  Thanks
  Risha

  answews

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

• HT1014 I'm working with imovie 08 and converted movie originally from VHS tape to .m4v files imovie wouldn't recognize it.  I converted to .mov files and imovie generated thumbnails (for hours) and shows a New Event but there is nothing there. Any help?

  I'm working with imovie 08 on Macbook pro OS X and converted movie originally from VHS tape to .m4v files imovie wouldn't recognize it.  I converted to .mov files and imovie generated thumbnails (for hours) and shows a New Event but there is nothing there. Any help?

  markmc78 wrote:
  .. I'm really struggling with the concept of events/clips/projects.
  consider usage of a diff. editor.. iMovieHD6, you're entitled for a free downlaod at apple.com:
  http://www.apple.com/support/downloads/imovieHD6.html
  but IF you're relaxed, opened your mind, follow the bright light, ommmm.. for Events & Stuff:
  your intended workflow will add another step of quality-degradition (8mm>>avi>>mp4>>iM08) ..
  consider the free tool Mpeg Streamclip www.squared5.com for 'chopping' that 90min beast into pieces..
  rename these new chunks, follow advice given on my site:
  http://karsten.schluter.googlepages.com/im08changeeventdate
  there's the manual..
  http://manuals.info.apple.com/en/iMovie08_GettingStarted.pdf
  and the most recommended books from Mr Pogue's Missing Manual series..

• Unchained certificate for WLC management interface

  Hi all ,
  I  want to know , how to generate unchained certificate for the managemetn  interface of WLC ? . Whether Root CA will be giving this unchained  certificate ?
  Because WLC management wont support chained certificate..
  Thanks,
  Vijay.

  Hello Vijay,
  Just go through this short cisco doc regarding generating CSR for Third-Party Certificates and Download Unchained Certificates to the WLC:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

• No F4 value for system and client field for create job request

  Hi,
  While creating a job request in Solution manager system filed and client filed F4 is not working , it does not show any value.
  Do you have  any idea regarding this issue.
  Thansk & Regards,
  kaushal

  Hello  Kaushal,
  you habe to link user, key user i.e. a business partner (BP), and managed system and this work like this:
  a) User <-> BP: start transaction BP, assign role Employee to your business partner and enter the user name on tab Identification
  b) BP <-> managed system: start transaction BP, select role General and enter the External System Identifier (format: <managed system ID> <installation number> <client> <user in managed system>) on tab Identification
  Alternative: Use transaction BP_GEN to create valid business partners for managed systems
  See also the Solution Manager Implementation Guide (IMG):
  -> transaction SPRO
  .> SAP Solution Manager Implementation Guide
  -> SAP Solution Manager
  -> Cross-Scenario Settings
  then
  -> Business Partners
  and
  -> iBase
  (Note that IMG path (and labels) might vary in between support packages)
  Kind regards,
  Martin
  http://service.sap.com/jsm

• Certificate for Portal and BackendSystems. What do I have to take careAbout

  Hello,
  I would like to buy a certificate for the secured HTTP but I don't know what I have to take care about?
  Where do you buy your certificates? Can I use "wildcards"-certificates for the portal and the backend-systems.
  Is there a good shop for buying a certificate in Germany?
  Thanks, Vanessa

  Vanessa,
  You can approach both Verisign and Thawte and collect information.
  In case of Thawte, you can just go their site and there is an option for an online free chat with a Thawte associate. He/she will then guide you further.
  They will also share the details required for the certificate to get authorized.
  Plus before ordering, you can also check the correctness of ur certificate for free on their site.
  Hope this helps.
  Regards,
  Ritu

• Can't get Mail to recognize Thawte certificate for signing and encrypting

  I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

  You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CA's that sign certificates. In it you'll find various CA certificates for thawte among others.
  After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
  Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.

• New XSAN Buildout - 10.5.8 vs. 10.6 for MDC and clients

  I am planning on building out a large XSAN utilizing Promise RAIDs, and 2 Xserve MDC's, with a few Final Cut Workstations on Qlogic 5802 switches. I was planning on using Apples 10.6 latest OS, with latest XSan 2.2. I'm being told if I really want rock solid performance I should stick with all my Final Cut clients and Xserves at 10.5.8, because there are some issues that exist if we I use the latest versions of OS and client. Can someone please comment on the validity of that statement. I'm hesitant to install an operating system that is over a year out of date.

  I'm actually wondering about something similar. I have 2 brand new Xserves running 10.6.3 and a Xsan 2.2 connected via the fiber. The FCP clients that connect up are all on 10.5.8 also connected in via the fiber. I have not had any issues with the clients being on a lesser version of the OS but I am wondering if I upgrade the server to 10.6.4 will anything break??? I may upgrade one client today to 10.6.4 and see how that goes first.

• Certificate for WLC web auth - HELP

  Hi all
  I need to buy a cert for my WLC web authentication
  I have read the document below
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml              
  However, I want to fill in the details and generate the CSR via the provider im buying the cert from, thawte
  Am I ok doing all this via the provider, or do I need to use open SSL to generate the CSR?    
  Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
  The WLC has the latest version of code.
  cheers
  Carl

  Here are the instructions for a chained certificate.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  It's simple enough, copy and paste the chanin below the certificate when you generate the final.pem.
  Main thing to remember when compiling the final.pem use a version of OpenSSL < 1.0 as it won't install.
  If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
  As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
  Thanks
  Chris

• How to configure ODI for server and client correct?

  Hi forum,
  this is my first post and i hope you guys can help me out ...
  i
  am new to ODI and WLS and in my case ODI need to run on a server where a couple of clients can connect to, work on the same project with their own workspaces and accounts.
  The database will be located on the same server.
  As far as i understood, i need to install the the ODI Java EE type (not the standalone type) with a WLS ?!
  iI already nstalled
  JDK 6u41 (x64),
  ODI 11g (11.1.1.6, generic),
  Oracle DB 11g R2 enterprise and
  WebLogic 11g (10.3.6, generic)
  on the Server and now i am trying to connect to the ODI repositories from a client with an ODI standalone installation.
  I am now trying to insert a Data Source into the physical agemt (not even sure if i need to do this in my case).
  Following these instructions (http://docs.oracle.com/cd/E17904_01/integrate.1111/e12643/setup_topology.htm#CHDHJBAD) i get an ODI-26029 error.
  Below are some configuration information of the software i installed.
  h3. ODI
  Installation:
  Installationtype: full
  Oracle home directory: Oracle_ODI1
  Agent name: odi_agent
  Agent port: 1987
  Repositories/connection:
  Master repository user = odim
  Work repository user = odiw
  Work repository name = WORKREP1
  JDBC connection string = jdbc:oracle:thin:@localhost:1521:orcl
  *odim and odiw have been created manually with grant options on connect and resource
  Physical agent (with no datasource defined):
  Name = OracleDIAgent
  Host = localhost
  Webapplicationcontext = oraclediagent
  Port = 8001
  Protocol = http
  Physical data server:
  Name = oracle_db_11gr2
  User = odiw
  JDBC connection string = jdbc:oracle:thin:@localhost:1521:orcl
  Physical schema:
  Schema (schema) = ODIW
  Schema (work schema) = ODIW
  Context = aMIS_dev
  Logical schema = oracle_db_11gr2
  Logiacal schema
  Context = aMIS_dev
  Physical schema = oracle_db_11gr2.ODIW
  Context:
  Name = aMIS_dev
  Logical agent = OracleDIAgent
  Physical agent = OracleDIAgent
  Logical schema = oracle_db_11gr2
  Physical schema = oracle_db_11gr2.ODIW
  Logical schema:
  Name = oracle_db_11gr2
  Context = aMIS_dev
  Physical schema = oracle_db_11gr2.ODIW
  Logical agent
  Name = OracleDIAgent
  Context = aMIS_dev
  Physical Agent = OracleDIAgent
  h3. Oracle DB 11g R2
  Installation
  Global database name = orcl.otera.local
  SID = orcl
  h3. WebLogic 11g:
  +1. generate new basic WebLogic Server domain+
  Domainname = ODI-DOMAIN
  Admin name = weblogic
  Admin server name = AdminServer
  Listening port = 7001
  Managed server name = odi_server1
  Managed server port = 8001
  +2. extend an existing WebLogic domain+
  Choose extension source: ODI - Agent, ODI - Agent Libraries, Oracle JRF
  Window: Configure JDBC compontent schema:
  Driver = Oracle's Driver (Thin) for Instance connection; Versions: 9.0.1 and higher
  Schema owner = odim
  DBMS/Service = orcl
  Hostname = localhost
  Port = 1521
  Client name = LocalODIMachine
  Listening address of the accountmanager = localhost
  Listening port of the accountmanager = 5556
  Really hope you guys can help me quick.
  Thanks in advance

  Hi DecaXD,
  thank you for quick response :)
  on the client site i tried to establish the connection to the work repository with the following connection information:
  Login information*:
  Oracle Data Integrator Connection
  Login name = odi_server
  User = SUPERVISOR
  Database connection (Master Repository):
  User = odim
  URL = jdbc:oracle:thin:@<server ip>:1521:orcl
  A work repository could be found, but the connection failed! (?!)
  " ODI-26130: Connection to the repository failed.
  oracle.odi.core.config.NotWorkRepositorySchemaException: ODI-10147: Repository type mismatches.     
  Could not get JDBC Connection; nested exception is java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid SQL-Query for validating the connection (+translated from german into english+) "
  my ODI configuration on the server site (loged in as: odiw):
  topology tab*:
  Physical architecture:
  Technology:
  Definition:
  Dataserver name = oracle_db_11gr2
  User = odiw
  JDBC-URL = jdbc:oracle:thin:@10.168.178.131:1521:orcl
  Datasource:
  Agent = OracleDIAgent
  JNDI-Name = [DataSourceName]
  Agents:
  Definition:
  Name = OracleDIAgent
  Host = <IP of the server>
  Port = 8001
  Webapplicationcontext = oraclediagent
  Datasources:
  Dataserver = oracle_db_11gr2
  JNDI-Name = [DataSourceName]
  Logical architecture:
  Technology:
  Defintion:
  Name = oracle_db_11gr2
  Context = aMIS_dev
  Physical schema = oracle_db_11gr2.ODIW
  Agent:
  Name = OracleDIAgent
  Context = aMIS_dev
  Physical agent = OracleDIAgent
  when i test the connection of the data server (topology>physical architecture>technology>oracle>oracle_db_11gr2) with the OracleDIAgent i receive the
  " ODI-26039: Connection failed.
  oracle.odi.runtime.agent.invocation.InvocationException: javax.naming.NameNotFoundException: Unable to resolve '[DataSourceName]'. Resolved ''; remaining name '[DataSourceName]' "
  since testing the connection on the server site failed in first place, i couldn't test the connection on the client site.

• Certificates for IPSEC vpn clients in ASA 8.0

  Hello!
  I have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.
  Same configuration does not work with ASA 8.0 I get error
  CRYPTO_PKI: Checking to see if an identical cert is
  already in the database...
  CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
  b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
  CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
  CRYPTO_PKI: Cert not found in database.
  CRYPTO_PKI: Looking for suitable trustpoints...
  CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
  CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
  (40)
  CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
  revocation status if necessary
  ERROR: Certificate validation failed. Peer certificate key usage is invalid, ser
  ial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=
  xx
  CRYPTO_PKI: Certificate not validated
  Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
  The CA enrollement is terminal.
  THANKS!

  The cert needs to have the Digital Signature key usage set.
  Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.
  To make ASA 8 behave the same as ASA 7 (i.e. disable th check on the cert's key usage), configure:
  crypto ca trustpoint
  ignore-ipsec-keyusage

• Custom protocol handler for Server and Client

  Hi there,
  I have been reading about "A New Era for Java Protocol Handlers" from http://java.sun.com/developer/onlineTraining/protocolhandlers/ . I would like to redesign my existing codes to suit this architecture.
  The article mentioned about write client side application. I am wondering whether it will be possible to use the same architecture for server side as well ?
  If it is possible, it will be the very kind of you all to guide me to the right direction. Thank you in advance.

  Thanks for your input. Yeah, the article has been there for quite sometimes. That's why I am a bit sceptical about using it. The strange thing is that there has not been any updates about this topic since then (searched in google and not many web pages are mentioning this thing). I am wondering whether it is a good choice to change the code or not.