Import an SSL Private Key
Hello. Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key? They both have the same host name.
I guess its possible. Please correct me if i am wrong.
Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
Step 1: import the key pair into a PSE
Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
Step 2: import the PSE resulting from Step 1) into the system's database All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
You'll need to go through a procedure similar to the one described in note 1178155, step 3.
- Copy the PSE from step 1) to your workstation/PC
- Start transaction STRUST
- Doubleclick the "FILE" icon in the navigation area (left hand side)
- Select the PSE on your workstation/PC
- Execute the menu item "PSE --> save as..." and choose the SSL Server
PSE as target. This will save the PSE from step 1 as SSL Server
standard PSE.
- The following step is a modification from note 1178155 which is
only applicable in your special situation: right mouse button click
on the SSL Server PSE entry in the navigation area. From the context
menu appearing, select "Change".
- Remove the distinguished names from all application server specific
PSEs in the list. Pressing the green tick mark ('save') will remove
all application server specific SSL Server PSEs, so the system is
forced to use the SS Server standard PSE instead.
Don't forget to restart the ICM in order to make your changes become effective.
Regards,
Jazz
Similar Messages
-
NAC and SSL - fails to import password protected private key
I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on an Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
Is there a command line option for importing a private key that may work for me?
Thanks
ShermThe best Possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you dont have problems with private keys.
Regards
sathappan -
In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?I believe you have to run Keychain Access as root to export the private key.
sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access -
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
SSL certificate. By defaul the private key is not encrypted with password
(SSL.KeyEncrypted = false by default, according to the documentations) in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key from file
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is the same
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
MakotoThanks Tony - it worked!!
"Tony" <TonyV> wrote in message news:[email protected]...
It may be because the private key is both unprotected and in DER format.
There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try
that:
a) Follow the for converting an unprotected private key at:
http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
b) Look at the resulting PEM file, it should look something like
this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(Be sure there is no extra lines or whitespace after thefooter)
>
c) Change your configuration to point at the PEM file
If that doesn work, then you can try protecting the key with apassword
using
the wlkeytool utility (It should be in the server/bin directory). The
tool should prompt
for a password to use to protect it:
wlkeytool inputkey.pem outputkey.pem
Then change your configuration to use the protected private key, andset
the passwod to use.
Tony
"Makoto Suzuki" <[email protected]> wrote in message
news:[email protected]...
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
same
SSL certificate. By defaul the private key is not encrypted withpassword
(SSL.KeyEncrypted = false by default, according to the documentations)in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key fromfile
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword
is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true
and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is thesame
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto -
Reconver SSL private key?
I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
2) Sent the CSR away and got the signed certificate back.
3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
Questions:
1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
2) Is there a way to get at this from the command line?
3) Is there some other procedure that can magically fix this problem?
Thanks,
MilesThanks,
This is the part that I was looking for:
Launch Keychain Access as root:
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
Thanks again,
Miles -
WBL 7.0 and SSL private key problem
Having generated certificate request, and associated private key, I obtained
the corresponding server level certificate. I am having problems starting the
server with the cert. I have configured my server appropriately, here is the SSL
configuration from the domain config.xml
<SSL Enabled="true" HostnameVerificationIgnored="true"
ListenPort="8090" Name="SampleServer"
ServerCertificateChainFileName="nasaca.pem"
ServerCertificateFileName="mydomain-cert.pem"
ServerKeyFileName="mydomain-key.pem"/>
and I am using -Dweblogic.management.pkpassword=mypassword
in the startup script, however I get :
java.lang.Exception: Cannot read private key from file /usr/user_projects/Sample/mydomain-key.pem.
Make sure password specified in environment property weblogic.management.pkpassword
is valid.
I have given the right password. So the question is why am I seeing the error
I am running this server on Sun Solaris. The password contains the usual ascii
characters, including shell special characters.
Any way checking the private key file ?
Also as we have seen problems with the particular certificate we get from the
CA, I wanted to use "utils.ValidateCertChain", alas this documented utility is
conveniently missing from weblogic.jar. Oh big blue, why didn't we go with you
Seriously, please help
TarangDarkit,
I have the same problem. Let me know if you find a solution to this problem.
Thanks,
Bharathi -
Importing a PKCS12 private key into java Keystore
Hi,
We have an existing private key, stored in a ".p12" file.
Currently, our existing program will access this file directly to retrieve the private key, however, we need to import this private key into a keystore so it can be retrieved by our new code.
Does anyone know whether it is possible to do this, and if so, is there any criteria that need to be met.
If it is possible, then how do we do it?
Assistance is appreciated!
Regards
Steve WilliamsSorry to cross-post, but I have a similar problem.
I have an existing certificate (public/private keypair) that I'm using in Microsoft IIS. Using Cert Manager in Windows2000 I export the certificate preserving the private key into a pfx file. I need to import the public/private keypair into the keystore. I also have the original certificate request and reply from Verisign if that helps any. I've looked everywhere and have been unable to find any information about doing this. Please Help!
If there is a way to do this using keytool that would be great. If someone knows how to programmatically do this that would also be great.
Thanks in advance,
Trey Caldwell
Software Engineer
Intrannuity, LLC
[email protected] -
Hi,
I would like to export my Portal private key, so that it can be used for network traffic capture (Wire shark).
Can anyone point me in the direction as to where this file can be exported.
Thanks
Kai
PS. Points will be awarded.....The Path to export the certificate is:
On the Portal
System administration -> system configuration -> Keystore administration -> download verify.der file
Regards,
Chengappa -
How to install PEM-format SSL private key from weblogic to NES
I have unexpired PEM-format certificates in my weblogic 8.1sp4 domain. Since the architecture requires us to use Iplanet 6.0sp2 as the http/https server, we have to move the certificates to iplanet side. Is that possible ? Especially the private key ? Iplanet has key8.db format files. How do I install a PEM key in iplanet and store it in key3.db file ? Thanks !
Hi
I've already found code to answer my second question, but my first question still remains, is there a way that I can change a Encrypted Private Key Info for PEM to DER format??? I tried to delete the header and footer of some key in PEM format and Base64 decode the body, but It launches a Exception when I'm trying to create the EncryptedPrivateKeyInfo object.
Thank you -
Two-way SSL: Private key is incorrectly read if the charset is set to UTF8
Looks like PEMInputStream and other related classes assumes the application charset
"iso81", but if the charset is something else, then "java.security.KeyManagementException"
is thrown.
We have everything setup and two-way ssl works when the encoding is not set. but
brakes if the encoding is UTF8.
WLS 7.0
OS - HP-UX
Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
app).
ThanksI would suggest posting this to the security newsgroup.
-- Rob
Govinda Raj wrote:
Looks like PEMInputStream and other related classes assumes the application charset
"iso81", but if the charset is something else, then "java.security.KeyManagementException"
is thrown.
We have everything setup and two-way ssl works when the encoding is not set. but
brakes if the encoding is UTF8.
WLS 7.0
OS - HP-UX
Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
app).
Thanks -
SSL CertGen & Private key import errors - 7.0
I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Created Private Key files - testkey.der and testkey.pem
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
I went ahead and ran the same CertGen on unix and got the certificate file and
the key file
to my box to check to see if i can install it. I created a new keystore with keytool,
loaded the private key with the alias and the password phrase, made this key store
the default keystore, supplied the management password, changed the files to read
the new cert file and key file.
Attached is the log for the SSL debug.
Do i need to import the private key stored in the JDK for weblogic ? I tried doing
that by running.
X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
X:\>
Attached log is SSL debug enabled and it cant see the private key.
Any help is appreciated.
thanks,
mallik
[ssldebuglog.txt]"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
>
I am trying to install weblogic generated ssl certificate and because theprivate
key needs to be encrypted with a password, i am loading this in a new JDKkeystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames. -
Private key import via ImportPrivateKey
I used the Certificate web app included with WLS 7.0 SP1 to generate my private
key and my CSR. I then used the CSR to request a certificate from my Dept. of
Defense Certificate Authority. I received my certificate. I then tried to use
the WLS ImportPrivateKey utility to import my key with the following steps as
shown in the ImportPrivateKey reference example.
1) I used keytool -printcert to verify the contents of my servercert.pem file
and my CAcert.pem file.
2) I combined the certificate returned for my server with the CA's root certificate
cat servercert.pem CAcert.pem > combined.pem
3) I converted my private key file produced by the Certificate web app to pem
format using the WLS der2pem utility
4) I ran the Import utility
java utils.ImportPrivateKey serverkey.jks store_pwd key_alias key_pwd combined.pem
server_private_key.pem.
I received the following error.
ImportPrivateKey will create serverkey.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
Does anyone have an idea where I went wrong? Can anyone offer an explanation?
Thanks"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
>
I am trying to install weblogic generated ssl certificate and because theprivate
key needs to be encrypted with a password, i am loading this in a new JDKkeystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames. -
I generated a CSR with the certificate servlet. I modified
config.xml in order to set the right files :
<SSL Enabled="true" ListenPort="7002" Name="test2" ServerCertificateChainFileName="config/mydomain/cacrt.pem"
ServerCertificateFileName="config/mydomain/servercert.pem"
ServerKeyFileName="config/mydomain/serverkey.der"/>
The serverkey.der is a copy of the file generated by the
certificate servlet.
At startup the following error occurs :
<30 juil. 01 20:23:26 CEST> <Alert> <WebLogicServer> <Security configuration problem
with certificate file config/mydomain/serverkey.der, java.io.EOFException>
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:133)
at weblogic.security.ASN1.ASN1Header.inputTag ASN1Header.java:125)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1028)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
at weblogic.Server.main(Server.java:35)
More over the conversion of the serverkey.der in serverkey.pem
with openssl gives the following error :
openssl rsa -in serverkey.der -outform PEM -out serverkey.pem
read RSA key
unable to load key
1276:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
.c:662:Expecting: ANY PRIVATE KEY
and reading the file by the default W2K reader gives an error too.
Need help !Agree with S Guna, the ISP/Certificate Authority won't generate the private key, the request from your Lync server does. So the private key is already sitting on your Lync 2010 Server. Once you import the certificate generated by the certificate
authority, the private key and certificate should be paired and can be assigned to Lync.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
SSL: how to use Multiple Private key/Certificate pair for authentication.
Hi all,
i am implementing SSL in java using X509 Certificate/private key combination.
i have two set of private key/certificate pair.
one is factory default and another is generated at run time.
my problem is to try ssl connection with both pairs on same tcp/ip connection.
e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
Thanks In Advance
Saurabh AhujaClient code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
It's like this. The idea of PKI with SSL is as follows:
- the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
- the client has a truststore that trusts the server, one way or the other, see above.
- the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
- the server sends its cert to the client along with a digital signature signed by its private key.
- the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time. -
We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
not have a private key information property attached to it" There is no software firewall set on the DC. When I run Certutil -VerifyStore MY it shows the current certificates as well as the revoked and expired certificates
correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
appreciated.Hi,
Have you tried this?
How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
http://support.microsoft.com/kb/889651
Best Regards,
Amy
Maybe you are looking for
-
How to restore edited messages after Thunderbird crash?
I work with several messages opened usually to check details of a conversation or for preparing the answer. When Thunderbird crashes all these open messages are lost. Some I edited are in the Drafts, the ones I just viewed are lost. Is there a way to
-
Creating PDFs from Word using Acrobat 9
I am trying to create a PDF using the 'convert to acrobat PDF' button from Word 2003. My PDF settings are set to embed the fonts. The resulting PDF has gaps in the text (bits where there is no text and should be). I have also tried going to File, Pri
-
PC crashed. iTunes was on it and now all files are gone. All music both purchased and copied from CDs is on iPad. How do I get the music back onto the PC without using the cloud. Afraid if sync will wipe all music from iPad.
-
What's the reason for high PING ms ?
My ping Is normally between 32 ms and 50 ms....what makes it change? I Unlugged router and modem...came down some to like 72 ms where before the unplug it was getting up to 107 ms
-
I updated my software and now I get the message blocked plug-in whenever I try to watch video in Safari. I installed the new Flash player but it still doesn't work. I've checked my plug-ins and uninstalled/reinstalled but nothing works. What can I do