Installing a certificate from a Certificate Authority

I don't understand the process of installing a certificate.
I have got to the step where I have a signing request.
Now I want to import the certificate. I am using Tomcat.
The instructions that I have say that I need to import a certificate from a signing authority. They give me the following command.
keytool -import -alias root -keystore <your_keystore_filename> \
-trustcacerts -file <filename_of_the_chain_certificate>
I found a link to VeriSign for installing the intermediate CA certificate that says you need to copy and paste some text that basically says "begin certificate", a block of text, "end of certificate".
Where do I copy this block of text? Do I save it to a text file and then use it as the "filename_of_the_chain_certificate" in the example mentioned above? I don't see any examples that show all the details of the steps.
Thanks.

Hi Simon,
It looks like you're trying to do PEAP authentication on a specific SSID, is that correct?
Once you have the certificate generated, you'll upload it at the following location:
Topline Menu -> Commands
Then you'll choose "download file" and choose the certificate type to install it.
PEAP usually calls for a server-side certificate (on your authentication server) to be installed on that server. Then you have to configure the controller for 802.1x authentication on the SSID itself, pointing to one of the authentication servers listed on the "WLAN" menu under security "AAA Servers". The servers themselves are entered in the "Security" menu under either the RADIUS or TACACS+ tab.
I can point you in the proper direction if you need more assistance, as I've done this many times. I just need more clarification on what you're trying to accomplish.
Regards,
Jerry

Similar Messages

  • Request a digital certificate from a certification authority

    How do I request a digital certificate from a certification authority?

    You will generate and submit a certificate-signing request to a vendor.  Here's the general sequence for obtaining a certificate for OS X Server 10.8.

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
    2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request,
    but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate
    authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I
    can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured
    to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well-known issue that issuing a certificate within the renewal period will cause
    problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer
    will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • How to differentiate user certificate from computer certificate?

    Hi,
    As titled, what is best and accurate way to do this?
    Thanks!
    Ah_Chao|| MCSE,VCP,EMCSAe

    This is not exposed in the UI anywhere for the templates. However, you can run the command below to dump the properties of a template to see all the details.
    certutil -template -v "your-template-name"
    The value you are looking for is:
      TemplatePropDescription = Computer
    or
      TemplatePropDescription = User
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • If I've installed an app from the app store and the author's distribution certificate expires, my app will still run or not? Thanks a lot.

    If I've installed an app from the app store and the author's distribution certificate expires, my app will still run in my device or not?
    For example, in the case that the author won't renew the certificate itself, I guess his app will be removed from the app store; but what happens to the apps installed in the devices?
    Thanks a lot.

    The author's certificate is only used to authenticate the author when the app is uploaded to the app store.
    The app is then signed by Apple before being added to the app store.
    Nothing will happen to your app except you won't get any updates.
    Eventually, iOS upgrades could stop the app from working if you upgrade iOS beyond what the app supports.

  • New install of SQL 2014 Std MSDN. Get "The SQL Server product key is not valid. To proceed, re-enter the product key values from the Certificate of Authenticity (COA) or SQL Server packaging."

    Trying to install a new version of SQL 2014 Std 64 or x86. Installing on Windows 8.1Pro 64bit machine.
    I get:
    "TITLE: SQL Server Setup failure.
    SQL Server Setup has encountered the following error:
    The SQL Server product key is not valid. To proceed, re-enter the product key values from the Certificate of Authenticity (COA) or SQL Server packaging.
    Error code 0x858C0017."
    I looked at the summary log and that is the only error.
    I made sure there were no other instances of SQL on this machine. Uninstalled all VS2013 and SQL instances just in case. If there is somewhere to check if a previous version or license is causing the issue, I would be glad to check.
    Any help would be appreciated.

    Hi,
    Please read this thread with similar issue
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/bdd94577-515c-49fa-be44-008eacece057/installing-sql-server-2012-on-a-new-vm-error-code-0x858c0017?forum=sqlsetupandupgrade
    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
    My Technet Articles

  • Requesting certificate from certificate authority

    I am in the last step of migrating from a personal account to a business account. I need to remove my old certificate, request a new one from the Certificate Authority in my keychain access. I attempt to get the new certificate, but it says the Certificate Authority email address is required. Does anybody know it or know how to bypass this step? Thanks

    I am actually working on getting this setup for user Certs. and I am having some trouble. Can you tell me how you got this working?

  • How do i remove the authorized signature from a certificate widget on captivate 8?

    Does anyone know how to remove the authorized signature from a certificate widget on captivate 8?
    or
    How to build my own widget to include quiz results/score and print widget?

    Strange workaround, but just checked it and it works (even for responsive project): you can drag the Signature, I dragged it as far out as possible (to the bottom) and when previewing the Certificate it was gone.
    Do you need a widget? It is not that easy if you need it both for SWF and HTML output because I'm aware at this moment of only very few widgets available on the market. You can create a slide with all you need, using the quizzing system variables and a button with a JS to print?
    Maybe some inspiration here: Intermediate Score Slides - Captivate blog

  • Installing Certificate from Microsoft CA (.pfx) in Cisco Prime Infrastructure 1.2

    Hello,
    we are trying to install certificates from our CA on our Cisco Prime Infrastructure 1.2
    What we get from our colleagues is a file in .pfx format, containing an exportable key and the whole certificate chain.
    On the prime server, using openssl 0.9.8, we exported the key and converted the file to .pem.
    When trying to install the certificate, we get the following error code:
    prime# ncs key importkey key-nopw.pem newcert.pem repository certificate
    INFO: no staging url defined, using local space.        rval:2
    ERROR: dowload of key-nopw.pem failed.  rval:-200
    Does anyone have an idea what formats can be used for prime ssl certificates and how to install them?
    The official guide has only little information on how to make a csr and install the certificate.
    Best regards,
    Joerg

    I solved the same problem 5 min ago!
    Select the device and press sync... that helped me...

  • How install SSL certificate from Thawte?

    Hi,
    Given:
    PEM-certificate issued by the company (a lot of different services), the private-key to it.
    What is needed:
    Push it into the ABAP and JAVA, so that when an appeal was heard as a certificate from a trusted source. 
    question:
    How to do it?

    Hi Evgeniy,
    Can you please read through the following guide which should help with your configuration:
    http://scn.sap.com/docs/DOC-26144
    Regards,
    James

  • How do I install this self-signed SSL certificate?

    I haven't been able to connect to the jabber server I've been using (phcn.de) for quite some time now, so I filed a bug report with mcabber. The friendly people there told me to install phcn.de's self-signed certificate, but I can't figure out for the life of me how to do that.
    I know I can download something resembling a certificate using
    $ gnutls-cli --print-cert -p 5223 phcn.de
    Which does give me something to work with:
    Resolving 'phcn.de'...
    Connecting to '88.198.14.54:5223'...
    - Ephemeral Diffie-Hellman parameters
    - Using prime: 768 bits
    - Secret key: 767 bits
    - Peer's public key: 767 bits
    - PKCS#3 format:
    -----BEGIN DH PARAMETERS-----
    MIHFAmEA6eZCWZ01XzfJf/01ZxILjiXJzUPpJ7OpZw++xdiQFBki0sOzrSSACTeZ
    hp0ehGqrSfqwrSbSzmoiIZ1HC859d31KIfvpwnC1f2BwAvPO+Dk2lM9F7jaIwRqM
    VqsSej2vAmAwRwrVoAX7FM4tnc2H44vH0bHF+suuy+lfGQqnox0jxNu8vgYXRURA
    GlssAgll2MK9IXHTZoRFdx90ughNICnYPBwVhUfzqfGicVviPVGuTT5aH2pwZPMW
    kzo0bT9SklI=
    -----END DH PARAMETERS-----
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
    - subject `CN=phcn.de', issuer `CN=phcn.de', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-04 08:26:21 UTC', expires `2014-04-08 08:26:21 UTC', SHA-1 fingerprint `d01bf1980777823ee7db14f8eac1c353dedb8fb7'
    -----BEGIN CERTIFICATE-----
    MIIBxzCCATCgAwIBAgIINN98WCZuMLswDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE
    AwwHcGhjbi5kZTAeFw0wOTA1MDQwODI2MjFaFw0xNDA0MDgwODI2MjFaMBIxEDAO
    BgNVBAMMB3BoY24uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALqS+tnB
    tNruBGdcjw0o+BWSdfkKH4T3VpS7bkrsS0q7RD5iUIao7jH2lJqTk1TrLbQe28+R
    H0X9Ya+w22iYFea2l3wkrTnBfgdSZbRhpSxgVvC2QEBMoSrEQoRpo5lzXadRlob/
    RQ+rhu/cWCNeiRJzfkmNirPVEciGKQHrwKxxAgMBAAGjJjAkMCIGA1UdEQQbMBmg
    FwYIKwYBBQUHCAWgCwwJKi5waGNuLmRlMA0GCSqGSIb3DQEBBQUAA4GBALFBalfI
    oESZY+UyVwOilQIF8mmYhGSFtreEcUsIQvG1+cgD16glKehx+OcWvJNwf8P6cFvH
    7yiq/fhMVsjnxrfW5Hwagth04/IsuOtIQQZ1B2hnzNezlnntyvaXBMecTIkU7hgl
    zYK97m28p07SrLX5r2A2ODfmYGbp4RD0XkAC
    -----END CERTIFICATE-----
    - The hostname in the certificate matches 'phcn.de'.
    - Peer's certificate issuer is unknown
    - Peer's certificate is NOT trusted
    - Version: TLS1.0
    - Key Exchange: DHE-RSA
    - Cipher: AES-128-CBC
    - MAC: SHA1
    - Compression: NULL
    - Handshake was completed
    - Simple Client Mode:
    Unfortunately, the above command spits out more than a certificate. Do I need the additional information? If so, what do I need it for? Where do I need to put the certificate file?

    Hi,
    I recently found out a way how to install test or self-signed certificates and use it with S1SE.
    See:
    http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
    Follow the instructions there
    1. Create CA
    2. Create root ca certificate
    Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
    Paste the contents of the file: cacert.pem into the message-text box.
    Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
    The next step is to send a certificate-request from S1SE to your e-mail-address.
    The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
    Now just sign the Request:
    CA.pl -sign
    The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
    Then you have to reboot the server/instance again and it should work with your certificate.
    Regards,
    Dominic
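
Both the first question on this page (saving the pasted "begin certificate" block to a file for keytool's -file argument) and the gnutls-cli question above come down to isolating the CERTIFICATE block from the text around it. The following is an added example, not part of any of the posts: it keeps only CERTIFICATE blocks, skips DH PARAMETERS and status lines, and returns a clean PEM only when the SHA-1 fingerprint matches a value obtained separately from the server operator. The function names and the sample text are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def extract_certificates(text):
    """Return the decoded bytes of every CERTIFICATE block found in text.

    Other PEM blocks (for example DH PARAMETERS) and all surrounding
    status lines are ignored.
    """
    ders = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            continue
        # Drop line breaks and indentation picked up by copy and paste.
        b64 = "".join(body.split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def sha1_fingerprint(der):
    """Lowercase hex SHA-1 of the DER bytes, the form gnutls-cli prints."""
    return hashlib.sha1(der).hexdigest()


def to_pem(der):
    """Re-encode DER as a clean PEM file body with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])


def certificate_for_fingerprint(text, expected_hex):
    """Return PEM for the block whose SHA-1 matches expected_hex, else None.

    expected_hex is assumed to come from the server operator, not from
    the same connection that delivered the certificate.
    """
    wanted = expected_hex.replace(":", "").lower()
    for der in extract_certificates(text):
        if sha1_fingerprint(der) == wanted:
            return to_pem(der)
    return None


# Constructed sample: same layout as the output quoted above, with short
# placeholder base64 bodies instead of real key material.
SAMPLE_OUTPUT = """\
- PKCS#3 format:
-----BEGIN DH PARAMETERS-----
QUJDREVGR0hJSktMTU5PUA==
-----END DH PARAMETERS-----
- Certificate[0] info:
    -----BEGIN CERTIFICATE-----
    Y29uc3RydWN0ZWQtc2FtcGxl
    LWNlcnRpZmljYXRl
    -----END CERTIFICATE-----
- Peer's certificate is NOT trusted
"""
```

Write the returned PEM to a text file and pass that file to the tool that needs it, such as the -file argument of the keytool command at the top of the page.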

  • How do i install a self signed server certificate

    After using the admin tool to generate a request CSR, how do I sign this myself for testing purposes so I can install it and therefore run using https?
    I have keytool and certutil both available on the system.
    My most recent solution was to cut and paste the request to www.thawte.com/cgi/server/test.exe and it would return a certificate that was good for 21 days. This however is not the solution I am looking for.
    Thanks

    Hi,
    I recently found out a way how to install test or self-signed certificates and use it with S1SE.
    See:
    http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
    Follow the instructions there
    1. Create CA
    2. Create root ca certificate
    Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
    Paste the contents of the file: cacert.pem into the message-text box.
    Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
    The next step is to send a certificate-request from S1SE to your e-mail-address.
    The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
    Now just sign the Request:
    CA.pl -sign
    The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
    Then you have to reboot the server/instance again and it should work with your certificate.
    Regards,
    Dominic

  • How to Install a trusted self signed certificate in iPhone?

    Hi,
    I'm trying to install a self-signed CA certificate on an iPhone 4S (iOS 5.1) but the certificate is always shown as "Not Trusted".
    I have an iPhone 4 (same iOS 5.1) and when I install the same certificate it appears as Trusted. I have the same behavior on some iPads.
    I think this is the reason why my VPN is not working. When I try to use a Cisco VPN with a certificate I always receive the "Could not validate the server certificate." error on the devices that can't trust my CA.
    Anyone have a clue about how to resolve this?

    You need to use a profile updater like iPhone configuration utility.
    1. Create a configuration profilecredential.
    2. In the profile go in credential and add/import the root certificate from the authority you want to have.
    3. Install the profile on the device.
    It should work.
    HTH,
    ../Bruno

  • How to request certificate from a non-domain computer

    We are using a Windows Server 2008 R2 Enterprise CA to issue webserver certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers like Windows Server 2008 R2 or Linux servers which aren't members of the domain.
    How can we request certificates automatically with a script, remotely from these Windows servers, for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?
    Is it possible to use certreq in this scenario?
    Thanks for your help.

    Now I have found a solution. I want to briefly describe the way:
    Prerequisites:
    1. ADCS Enterprise Certification Authority is installed
    2. ADCS Certificate Enrollment Web Service is installed on a server
    3. ADCS Certificate Enrollment Policy Web Service is installed on another server
    Steps to do:
    1. Prepare a request file for a certificate
    2. On a computer which is not a member of the domain/forest of the CA service: submit the request to the CA and receive the issued certificate. The following command has to be written on one line without line breaks.
      certreq -submit
        -Username {domain}\{username}
        -p {password}
        -PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
        -config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
        -attrib "CertificateTemplate:{TemplateName}"
        {Enter Path and Name of the Request-File}
        {Choose Path and Filename for certificate}
       Sample:
       certreq -submit
            -Username contoso\Serviceaccount
            -p P@ssw0rd
            -PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
            -config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
            -attrib "CertificateTemplate:MyOwnSSLTemplate"
            request.req
            sslcert.cer
    3. Now you can find a file with your requested certificate locally in the path you have chosen for the certificate file.
    I hope this will be helpful for other people enrolling certificates on non-domain member computers.

  • While logon to lync it gives error " there was a problem verifying the certificate from the server "

    I have already gone through all threads related to my question, but not even one thread answers it. OK, my problem is again the same: it gives me the error I mentioned in the title. The client OS is XP. Can somebody tell me which certificate
    I should import into which certificate group?
    And why has the error occurred? Help me.
    Thanks in advance
    jayesh rohit

    You'll want the CS root certificate in the trusted root certificate authorities area of the machine store (vs the user store).  If there are any subordinate CAs with intermediate certificates, put them in the intermediate certification authorities area. 
    Verify that the certificate has the correct SANs for your server.  Did you generate the certificate from the deployment wizard, did you check the box for the sip domains as you went through the wizard?  Is the certificate internally signed by your
    certificate authority?  Are you attempting to connect internally or externally when you see the issue? 
    Can you confirm that your SRV records for _sipinternaltls._tcp.domain.com have the correct port and hostname and that the hostname is also resolvable?  Can you do the same for _sip._tls.domain.com?
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
