Generating a certificate
Hey All,
So I just received an email saying that my vpn.xxxx.com is expiring.
I'm trying to renew it but it wants a Certificate Signing Request.
I've done this in servers before, but not in a 2811 router.
Is there a command I use to generate it?
Assuming you already have the CA trustpoint configured in IOS, here is the command:
config t
crypto ca enroll TRUSTPOINT_NAME
Similar Messages
-
Problem with Generate a certificate and Key
I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
You can change the certificate that was generated by the WSA S370 to 2048In addtition to Kush's response, we had a similar thread in the past. Please refer to:
https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of
86121.
You can search for Bug IDs using Cisco Bug Search Tool :
https://tools.cisco.com/bugsearch/
From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
Regards,
-Valter -
Problem Generating a certificate request
I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM. I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error. This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
I am using this command.... certreq -new request.inf request.req
After hitting enter, it sits there for about 10 seconds and gives me this error back...
Certificate Request Processor: Access is denied. 0x80070005 (WIN32: 5)
[RequestAttributes]
I have searched on this error and have not found much of anything on it. This process seems to work fine on other servers that I have, but these two servers both generate this error. Both servers are clean builds and only have ADAM installed on them. I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message.
Anyone have any ideas?
Thanks!Hello Bryan,
First of all, please make sure that the CA certificate is added into the Trusted Root certificate store on the servers. If the certificate web enrollment is enabled, please check how a certificate request works on that two server generate the error.
Meanwhile, please verify the security permission on the MachineKeys directory:
1. Open Windows Explorer, and find the MachineKeys directory in the following location:
Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Right-click the directory, and click Properties.
3. Click the Security tab, and ensure that the full control permission for the Administrators
How to: Change the Security Permissions for the MachineKeys Directory
http://msdn.microsoft.com/en-us/library/bb909654.aspx
Hope it helps. -
How to generate a certificate request with more than one OU?
We're using Sun Java System Web Server 6.1 SP4. The Corp. has it's own CA and organize their certificates in a hierarchical rule with more then one organization unit (OU) in a chain.
So what we need is generate a certificate requeste with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and didn't work either.
Thank's in advance,
Jeff!Do you have tried with the command line "certutil" ?
#<SERVER-ROOT>/bin/https/admin/bin/certutil -
Generate TDS certificate for which the spool already exists
Hi,
I have a query.
Sometime back I have generated TDS certificate and the same was present in the spool.
I did not take any print and it was deleted from spool and no more available.
What can I do to generate the same certificate ?
If I go for re-printing, I get it as a duplicate certificate.
Kindly suggest
Regards
SravanHi Milind,
Thanks for your prompt response.
Though we go for a Z development the print we get will be a duplicate one which may not be acceptable.
Is there any chance of retrieving the spool and generating it.
Regards
Sravan -
Generate a Certificate Signing Request
Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with the path of the file saved in step one but once I hit enter it gives me a
Requires a Mac and your keychain.
-
How to generate CSR (certificate signing request) in PKCS#10 format
Hi,
First, I am a novice in security issues.
Problem:
I know how to generate CSR using PKCS#10 format with keytool. However I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.
Do anybody know about some API where I just pass data and it will generate CSR for me?
Many Thanks,
MisoHi again,
After a long research I am finally able to generate PKCS#10 cert. request files:
public static void generatePKCS10() throws Exception {
// generate PKCS10 certificate request
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
String sigAlg = "MD5WithRSA";
// generate private key - use java.util.SecureRandom for entropy
keyGen.initialize(1024, new SecureRandom());
KeyPair keypair = keyGen.generateKeyPair();
PublicKey publicKey = keypair.getPublic();
PrivateKey privateKey = keypair.getPrivate();
PKCS10 pkcs10 = new PKCS10(publicKey);
Signature signature = Signature.getInstance(sigAlg);
signature.initSign(privateKey);
//common, orgUnit, org, locality, state, country
X500Name x500Name = new X500Name(
"CName", // CN
"OUnit", // OU
"Organization", // O
"Bratislava", // L
"Slovakia", // S
"SK"); // C
pkcs10.encodeAndSign(new X500Signer(signature, x500Name));
// PKCS10 request generated
pkcs10.print(System.out);
Problem 1:
However, this generates only a request with X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How to do that?
Problem 2:
I'm also having trouble to find javadoc for "sun.security" package. As you can see, I'm using "sun.security.pkcs.PKCS10" class for generating CSR in PKCS10 format, but can't find any javadoc for it.
Many thanks,
Miso -
Is there a way to generate server certificates in a multi-controller environment?
Q: Is there a way to generate server certificates in a multi-controller environment?
A: 1. For PEAP, only the Radius Server needs a certificate, not the controller. Managing a certificate for each controller for 802.1x when you can alternatively manage a single certificate for each radius server is a mistake.
2. For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust. That could either involve (1) A different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)
Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below: Of course, you will have to pay for each SAN that you have added to the certificate. If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.
A document on certificates that is specifically geared toward ClearPass, instead of controllers is here: Certificates 101 V1.0 It speaks to certificates on ClearPass, but the concepts are the same...
Solution:-
We can use ClearPass server to generate the CSR, where the CN is named after the 1st controller, which included all the Subject Alternate Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover). This allows to save/export the private key as a file.
After submitting the CSR for a UCC and after receiving the cert, then proceed to chain the cert to include server, all intermediate and root CAs. Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:
sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
Once this generated a PFX cert, upload it to all controllers and used it under Configuration > Management > General for both “WebUI Management Authentication Method” as well as “Captive Portal Certificate” (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).
https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANsSorry I'm still confused here. What you are describing makes no sense for properly using TestStand.
Maybe I can help you find the right solution if I can understand your goal?
Do you want to dynamically populate the variables (Locals and FileGlobals) with values? Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
Generally what happens is people want an ASCII file (in your case I'm guessing CVS) such that they can change the values of variable so that when TS is executing it will load those values and use them. In this case NI recommends the Property Loader. There is an example for this in <TestStand>\Examples. Open the workspace and look for the PropertyLoader example. Also, if you google "proprety loader teststand" then you will find various articles which may assist you.
When you say "define the variables for the sequence/sequence file" Are you actually referring to manually right clicking in the sequence file and saying Insert Local? or are you just saying that you change the value of a variable?
Thanks,
jigg
CTA, CLA
teststandhelp.com
~Will work for kudos and/or BBQ~ -
How can we generate TDS Certificate in SAP
Dear SAP Experts,
Plz tell me how can we generate TDS Certificate in SAP. Thanks in advanceHi,
Check the building block library under http://help.sap.com/bp_bblibrary/600/BBlibrary_start.htm and filter on country india
N70: External Financial Accounting Local
Regards
K.R -
Hello,
How to re-generate Server Certificates fir WL 6.1?
ca.pem
democert.pem
demokey.pem
Our current Certificates will be expired soon.
Thanks,
Oleg. -
How do I generate a Certificate Signing Request (CSR)?
If I buy an SSL in godaddy, how do I generate the CSR? If my site is hosted in BC, who is the web server? I've had a few sites search for the name of the web server and it comes up as unknown every time.
Hi
You can not host your own SSL certificate on Business Catalyst at this stage.
When you upgrade your site with an online store and shopping cart, you don't need to worry about purchasing a SSL certificate. In fact, this system does not support SSL certificates from third-party vendors because each SSL certificate is set to a single server, and the hosting servers for the live site are built in large clusters; purchasing a certificate for every server would be cost prohibitive.
When a customer purchases items from you, the system utilizes the secure URL that is included with every site to ensure that the customer's credit card number and other personal information entered ion a live site are protected using Secure Socket Layers (SSL) technology.
More Details :
http://forums.adobe.com/thread/984496
http://kb.worldsecuresystems.com/kb/secure-urls.html
If you need an update or more depth information regarding same, please get in touch with BC support team and they will help you out.
Thanks,
Sanjit -
Does a 2012 DC generate exchange certificates on Exchange 2007 server?
The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command,
I get a warning stating the following:
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not
self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
NotAfter : 12/31/2014 4:36:02 PM
NotBefore : 12/31/2013 4:36:02 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
Services : None
Status : Valid
Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
So my question is two-fold, why is this certificate here (was it generated by our 2012 DC) and will it effect anything when it expires? If so, how do I renew it?OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
Basically, I ignored the "This certificate will not be used for external TLS connections warning" and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have
stopped. So that should be that then right?
So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
Thumbprint
Services Subject
2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...WS CN=WMSvc-MAILSERVERNAME
B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX IP..S CN=MAILSERVERNAME
4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ..... CN=MAILSERVERNAME.DOMAIN.NAME -
'Generate your certificate' page never gets past 'generate'
I've been waiting several hours now, and tried through various different paths, and on several different days.
Generally, I've created a request (two now), following instructions, selected the file, and clicked on 'Generate'.
I'm stuck with a spinning 'Loading...' message. The only thing I can think of that might otherwise break this is the fact that I have expired certificates and provisioning profiles in my account.
How do I get past this? Am I the only one with this problem?
Thanks!
- ArunasUse safari instead of chrome solve the problem for me...
-
Generate a certificate request with API (CSR, PKCS#10)
Hi everybody,
I want to request for a certificate using a PKCS10 File.
I generate this file with this code :
package test;
import sun.security.pkcs.*;
import sun.security.x509.*;
import java.security.*;
import cryptage2.RSACryptor;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import com.sun.crypto.provider.SunJCE;
import java.io.*;
public class TestPKCS10
public static void main(String argv[]){
try{
// provider
SunJCE jce = new SunJCE();
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(jce);
// generate KeyPair
KeyPair pair = RSACryptor.generateKeyPair();
// get Instance of signature with MD5 algorithm
Signature dsa = Signature.getInstance("MD5withRSA");
// get Private Key
PrivateKey priv = pair.getPrivate();
// init Signature with private Key
dsa.initSign(priv);
// sign
byte[] sig = dsa.sign();
// info for X509 are in X500Name Object
X500Name x500name = new X500Name(
"Nicolas LEFEUVRE","IN","InTech","Schifflange","Luxembourg","Luxembourg");
// signer : bind Signature and X500Name
X500Signer signer = new X500Signer(dsa,x500name);
// get public Key
PublicKey publicKey = pair.getPublic();
// create PKCS10 with public key
PKCS10 pk = new PKCS10(publicKey);
// sign and encode the PKCS10
pk.encodeAndSign(signer);
// save in file PKCS10_2
PrintStream out =
new PrintStream(new FileOutputStream("c:/temp/pkcs10_2"));
catch(Exception e){e.printStackTrace();}
The PKCS10 look like this :
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBuTCCASICAQAweTETMBEGA1UEBhMKTHV4ZW1ib3VyZzETMBEGA1UECBMKTHV4ZW1ib3VyZzEUMBIGA1UEBxMLU2NoaWZmbGFuZ2UxDzANBgNVBAoTBkluVGVjaDELMAkGA1UECxMCSU4xGTAXBgNVBAMTEE5pY29sYXMgTEVGRVVWUkUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMzTrStPIyUyygFTU5p6QjGyLfAXncUvwA/i+sK2wY1S6EFYGGd7luGXI3NekVvEEzwIZ+eQ+STB7J7XVik8REubJl6gXlZTcrOdVzg6JJtHwbDoTpZnB09hGGZUzdyKsnGVIwZ4Un54Z44BZBm5qeOqYMKLK50YCC6ACqdfu/rpAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBViesKVPfgkGSB2MYIln6yWPGmOjbLsdGdzSr/EWbtIAuT75ROZpeKKHzpfuHDC1xpbs0iZYvRACujyqeqRHIzomHu6NW7v2+B5CkoP5YsxXswr25fBMRawRckqnzMuZz79G1bi3CtQbh+MbdwvDvvs7DucPgsI7Cn8Fbg214C9Q==
-----END NEW CERTIFICATE REQUEST-----
I use Microsoft Certificate Server (a service of Microsoft NT2000 server) to generate certificate, I have this message :
�The request subject name is invalid or too long. 0x80094001 (-2146877439)C�
Any idea ?Nicolas, i'm not sure but can you try it anyway?
replace Nicolas LEFEUVRE
with Nicolas_LEFEUVRE
There is something about blanks in the Common Name
I'm not sure how or what, but just give it a try! -
How tt generate default certificate
Hi,
I'm trying to generate my own certificate but getting error while running the command on cmd
javatool -genkey -alias tomcat -keyalg RSA as i'm running this command it prompts for password immidiately after.
I'm not getting what is the default password and if there was any pre entered password then how can i remove that password?
I want to create a certificate so that i can import it with my application and make ssl level connection with tomcat server running behind.
Thanks in advanceHi,
I don't know if this can help you a little bit. It is about generate certificate for Application Server.
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
Good luck.
Maybe you are looking for
-
How to call java method from xsl
hi friends, How to call a java method from xsl, i have a xsl file which will call the java method and retrieve the value and display it to the user. but its work well when i set xalan.jar and xerces.jar and the java class files in my classpath and ru
-
Using fortran library flush() in a subroutine
Hi, Using studio 11. There is a different behavior when using flush() in main compared to when using it in a subroutine. flush() doesn't work in a subroutine. When using flush() in main the output is flushed to th i/o unit. When using flush() in a su
-
2 questions when using mobile me
got email saying that my stolen ipod was located and i could view its location for 24 hours but didn't get the email til after that time is there any way to view where it was located? and 2nd is there anyway to retrieve my serial #
-
Expanded node and children are seen only after second expansion
Hi, I am using a simple JTree control. I am populating children of nodes dynamically when the node is expanded. For this, I first add a "dummy" item for each node under the root, so that the "+" sign appears next to the node. When a node is expanded,
-
U00AB DataAccessException u00BB when calling CAF web service
Hi expert, When launching any operations through a web service created in CAF-CORE (release Portal EP 70 SPS12), I get the error message «PersistenceManager was closed » (see log). While after launching the related methods in caf test tool, it works