Intermediate CA certificate and the Root CA certificate

Hi,
What are the Intermediate CA certificate and the Root CA certificate?
What is the difference between these two types of certificates?
What are all the other alternative names that are used with these names?
Thanks,
kumar

Hi,
An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
Refer
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
The advantages of using intermediate certificates - sometimes referred to as 'chaining'
http://www.whichssl.com/intermediate_certificates2.html
Root certificate
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers.
A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
http://support.microsoft.com/kb/887413
Thanks
swarup
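
The difference between the two certificate types, and the extra installation step the answer mentions, as an added example that is not part of the original posts. It assumes the openssl command-line tool is installed; every subject name, file name and the host www.example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: builds a throwaway root -> intermediate -> server chain with
# the openssl CLI. Subjects, file names and www.example.test are constructed.

make_chain() {   # $1 = empty working directory
    cdir=$1
    cat > "$cdir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF
    # Root CA: self-signed, so issuer and subject are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cdir/pki.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$cdir/root.key" -out "$cdir/root.crt" 2>/dev/null || return 1
    # Intermediate CA: its CSR is signed with the root's private key.
    openssl req -new -newkey rsa:2048 -nodes -config "$cdir/pki.cnf" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$cdir/int.key" -out "$cdir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$cdir/int.csr" -days 30 -CA "$cdir/root.crt" \
        -CAkey "$cdir/root.key" -CAcreateserial -extfile "$cdir/pki.cnf" \
        -extensions v3_ca -out "$cdir/int.crt" 2>/dev/null || return 1
    # Server certificate: signed by the intermediate, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$cdir/pki.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$cdir/server.key" -out "$cdir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$cdir/server.csr" -days 30 -CA "$cdir/int.crt" \
        -CAkey "$cdir/int.key" -CAcreateserial -extfile "$cdir/pki.cnf" \
        -extensions v3_leaf -out "$cdir/server.crt" 2>/dev/null || return 1
}

# Classify one PEM certificate as root, intermediate or server.
cert_role() {
    subj=$(openssl x509 -noout -subject_hash -in "$1") || return 1
    issr=$(openssl x509 -noout -issuer_hash -in "$1") || return 1
    if ! openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then
        echo server          # not allowed to sign other certificates
    elif [ "$subj" = "$issr" ]; then
        echo root            # CA certificate that names itself as issuer
    else
        echo intermediate    # CA certificate issued by another CA
    fi
}

# The client trusts only the root; the server sent only its own certificate.
verify_server_only() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied as an untrusted helper,
# which is what installing the "chain" or "CA bundle" file on the server does.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
if make_chain "$demo"; then
    for c in root int server; do
        echo "$c.crt: $(cert_role "$demo/$c.crt")"
    done
    verify_server_only "$demo" && echo "server only: OK" \
        || echo "server only: FAILED (issuer not found)"
    verify_with_intermediate "$demo" && echo "with intermediate: OK" \
        || echo "with intermediate: FAILED"
fi
rm -rf "$demo"
```

The intermediate is passed with `-untrusted` because it does not need to be trusted on its own: it is accepted only when its signature chains to the root in the trust store.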

Similar Messages

  • Message: Subscription subscription already contains 100 subscription certificates and the maximum allowed is 100.

    I've started getting this error in CD  builds on visual studio online:
    An attempted http request against URI https://management.core.windows.net/{subscription guid}/certificates returned an error: (400) Bad Request.
    Additional Exception Information:
    Error Code: BadRequest
    Message: Subscription {subscription guid} already contains 100 subscription certificates and the maximum allowed is 100.

    Hi
    beastrabbit,
    Since this thread is more related to Azure management portal, I will move it to the right forum for a professional response. Thanks for your understanding.
    Best regards,

  • The name and the root of the hard drive change, how can i reset it?

    the name and the root of the hard drive change, how can i reset it?

    That sort of thing doesn't happen automatically,. Someone had to change it. Just rename it anything you like. Right click on it and select Get Info then in the Name and Extension are name what you like.

  • Xerces Sockets and The root element is required

    Hi,
    I have a problem with Xerces 1.4.3 saying "The root element is required in a well-formed document.". The story is as follows:
    When I read the XML from a file, it works OK.
    But when I send the file over a socket stream, and try to parse it in the client side, it gives this silly message.
    I am sure that there is no space before <?xml ... ?> and also the xml file is well formed.
    I guess someone can say Xerces 2 solves this problem but I am using JBuilder 7 and I could not install the new xerces over old one. If someone knows how to do this please let me know. (Copying the jars into jbuilder7/lib does not seems to work as the file names are different and it wont overwrite the old xerces parser)
    Any solution?
    Thanks,

    saving and parsing is working fine. hehe :)
    seems that the parser is somewhat going crazy.
    btw. I had written a class extending InputStream, so that it reads more than one file from a socket stream. But I have used it in this save and parse test and it worked so I dont think I have problems with that.
    In one forum here, I saw someone saying that changing the version solved his problems about this silly thing. I think I wil try this.
    Tankut

  • Certificates from CA's and the keystore

    Hello all,
    I have tracked through a series of forum topics that seem to ask similar questions and receive similar answers regarding both signing jars and using the certificates for communications.
    Forgive the overlap, but I have a slightly related question.
    Is the only way to use the keystore (and keytool to manage the keystore) when signing jars by generating a key pair at the start? Is that why all the examples always start with that option, and none of them start from a scenario that is different?
    Is it possible to come in with an existing CA signed certificate, and the CA's root certificate and sign the jars? Would that setup work for communication at all?
    I have tried this for signing, and both certificates end up as trustedCertEntries within the keystore, but this does not allow the signing of jars since there is no keyEntry. The error message is:
    "jarsigner: Certificate chain not found for: and. and must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."
    I have not tried it for communication.
    Is there some other alternative to generating the key-pair directly in the keystore, exporting the csr, and getting the CA to sign and reply to that csr?
    My question stems from a customer wanting to only provide the certificate they want to use, and maybe the CA root cert if necessary.
    Thanks much in advance!
    Edited by: gennadius on Dec 19, 2007 3:52 PM

    > Is it possible to come in with an existing CA signed certificate
    But this isn't the beginning of the process.
    A signed certificate results from a Certificate Signing Request (CSR) being submitted to a CA.
    A CSR is generated from a private key/public key pair. But it only contains the public key. So you have to get it signed and then re-import it to the same keystore which originally contained the private key, to complete the association between the signed cert and the private key.
    The signed certificate is a public authentication that the owner of this certificate uniquely owns this public key, which corresponds to a private key. Without the private key the entire exercise can't get started.
    So unless you can find a way to get the private key from wherever it was when the CSR process was started, just importing the signed certificate doesn't give you a private key. Without a private key, you can't sign things, decrypt, be an SSL authenticated endpoint, etc.
    And if you could cart private keys around like that, they wouldn't be private, so the entire point of PKI is lost.
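
The CSR round trip described in the reply above, as an added example that is not part of the original thread. It assumes the openssl command-line tool with its default configuration file; the CA, subjects, file names and the `changeit` password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example using the openssl CLI; subjects and file names are constructed.

# Public key (PEM SubjectPublicKeyInfo) carried by a private key, CSR or cert.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True when certificate $1 certifies the public half of private key $2.
cert_matches_key() {
    cpub=$(pub_of_cert "$1")
    [ -n "$cpub" ] && [ "$cpub" = "$(pub_of_key "$2")" ]
}

# Bundle certificate $1 and private key $2 into PKCS#12 file $3.
# openssl refuses to build the bundle when the two do not belong together.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name signer \
        -passout pass:changeit >/dev/null 2>&1
}

issue_signer() {   # $1 = empty working directory
    wdir=$1
    # Throwaway CA standing in for the commercial CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example CA" \
        -keyout "$wdir/ca.key" -out "$wdir/ca.crt" 2>/dev/null || return 1
    # 1. Key pair and CSR are created together; only the CSR is sent to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Signer" \
        -keyout "$wdir/signer.key" -out "$wdir/signer.csr" 2>/dev/null || return 1
    # 2. The CA signs the CSR and returns a certificate (the "CA reply").
    openssl x509 -req -in "$wdir/signer.csr" -days 30 -CA "$wdir/ca.crt" \
        -CAkey "$wdir/ca.key" -CAcreateserial \
        -out "$wdir/signer.crt" 2>/dev/null || return 1
    # An unrelated private key, standing in for "some other key pair".
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$wdir/other.key" 2>/dev/null || return 1
}

demo=$(mktemp -d)
if issue_signer "$demo"; then
    # The CSR carries the public key only.
    [ "$(pub_of_csr "$demo/signer.csr")" = "$(pub_of_key "$demo/signer.key")" ] \
        && echo "CSR public key == public half of signer.key"
    grep -q 'PRIVATE KEY' "$demo/signer.csr" || echo "CSR contains no private key"
    # 3. The signed certificate is only usable with the key that made the CSR.
    cert_matches_key "$demo/signer.crt" "$demo/signer.key" \
        && echo "signer.crt matches signer.key"
    cert_matches_key "$demo/signer.crt" "$demo/other.key" \
        || echo "signer.crt does NOT match other.key"
    make_p12 "$demo/signer.crt" "$demo/signer.key" "$demo/ok.p12" \
        && echo "PKCS#12 with original key: created"
    make_p12 "$demo/signer.crt" "$demo/other.key" "$demo/bad.p12" \
        || echo "PKCS#12 with unrelated key: refused"
fi
rm -rf "$demo"
```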

  • By changing CDP do i need to reissue the CA certificate and all previously certificates?

    Hi all,
    Given a Windows 2003 based CA what would be the impact of changing the CRL Distribution Point?
    I mean if i change the CDP by adding or removing entries in the Extensions tab of the CA properties, do i need to reissue a CA certificate and all  previously issued certificates?
    Many thanks,

    Well, that depends. When you change the extension for a new CDP location, that setting is used for certificates issued or renewed from that moment going forward. Do you have to renew the old certificates? That's the part that depends on your objective. If you want ALL certificates to use the new location and not the old one, then yes, all the existing certificates would need to be renewed. The extension property is permanently affixed to the certificate.
    If the CDP point in question is an HTTP location it may be possible to use DNS to "move it". One of the things I often advocate is the use of a DNS name alias that is resolvable internally and externally. With this defined as the CDP/AIA location, you can move the location around as future needs dictate without reissuing anything.
    If you were not fortunate enough to have an alias, one other option is to retire the host name that the current CDP is located on (some random server) and use that as an alias in DNS (A Record or C Name) and point to a new location.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • I need to create public and private keys for security certificate and I can't find the certificate. Where is it?

    I purchased a security certificate, and the site tells me that it was successfully installed. I need to export the certificate so that I can create the public and private keys, but I cannot find the certificate to do so.

    Thank you.

  • 10.10.1.2:8090 uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. The certificate is only valid for a id="cert_domain_link" please help me how to fix such type of problems?

    sir, each time when i open my browser i'm facing such type of error certificate and closing browser at the same instant. i don't know how to fix it please help me

    Hi,
    If you click on the certificate Details it would show the root Certificate Authority (the topmost one) and any intermediate CAs that signed/issued this security certificate. You would need at least the root CA certificate to be installed (Import) and trusted in the Firefox certificate database (Tools (Alt + T) > Options > Advanced > Encryption > View Certificates > Authorities), though sometimes depending on the server configuration you may need all the certificates in the hierarchy to be installed.
    Options > Advanced: https://support.mozilla.org/en-US/kb/Options%20window%20-%20Advanced%20panel?as=u
    Options: https://support.mozilla.org/en-US/kb/Options%20window

  • I need help with the Web Application Certificate

    Greets,
    The title says it all really. I need help with the Web Application Certificate.
    I've followed the instructions from here:
    https://www.novell.com/documentation....html#b13qz9rn
    I can get as far as item 3.c
    3. Getting Your Certificate Officially Signed
    C. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.
    I can get the certificate in to the Filr appliance but from there I'm stuck.
    Any help much appreciated.

    Originally Posted by bentinker
    Greets,
    The title says it all really. I need help with the Web Application Certificate.
    I've followed the instructions from here:
    https://www.novell.com/documentation....html#b13qz9rn
    I can get as far as item 3.c
    OK, when you have your self-signed certificate and you requested an official certificate with the corresponding CSR, then you just need to go back to the digital certificates console. To import the official certificate, select the self-signed certificate, then click File > Certification Request > Import CA Reply. Then a new window pops out to select the certificate from your trusted authority from your local hard disk. Find the file (.cer worked for me) and click OK. As soon as you do this in the digital certificates console, the self-signed certificate will change the information that now it is officially signed. Look at the second column and you should see the name of your trusted authority under "issue from".
    I personally had a lot of issues across all platforms. Especially Firefox and Chrome for android. Needed to pack all the root cert, intermediate cert and signed cert into one file and import as CA reply. Not even sure if this is correct now. But at least it works.

  • HOW TO INSTALL ROOT (Authority) CERTIFICATES ON S4...

    Recently i bought a 6500 Classic and stupidly deleted my Authority Certificates.
    After trawling the net for info on how to re-install certificates i couldn't find an answer apart from NO YOU CANT DO THIS.
    Well to that i say NUTS!!! because you can and i will show you how by simply following these steps.
    1. Create a New Folder on your desktop and call it whatever you like.
    2. Open notepad on your computer.
    3. Copy the text below into the Notepad file. (I got this from some website as they were using it for something else but it does work so thanks to them or thanks to you if this is yours)
     <?xml version="1.0"?>
    <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Install root CA</title>
    </head>
    <body>
    <p>
    <a href="der1.cer">Download a CA Cert1</a>
    <a href="der2.cer">Download a CA Cert2</a>
    <a href="der3.cer">Download a CA Cert3</a>
    <a href="der4.cer">Download a CA Cert4</a>
    <a href="der5.cer">Download a CA Cert5</a>
    <a href="der6.cer">Download a CA Cert6</a>
    <a href="der7.cer">Download a CA Cert7</a>
    <a href="der8.cer">Download a CA Cert8</a>
    <a href="der9.cer">Download a CA Cert9</a>
    <a href="der10.cer">Download a CA Cert10</a>
    <a href="der11.cer">Download a CA Cert11</a>
    </p>
    </body>
    </html>
    4. Save the Notepad file as type ALL FILES but when naming it just call it cert.html and save it to the folder you created on your desktop earlier.
    5. Now download the Root Certificates you need to the same folder on your Desktop.
    6. When saving the first Certificate to the folder call it der1 ((make sure not to take out the file extension eg .cer)) then the second der2, third der3 and so on and so on till you get to der11. (Don't worry this will not rename the certificate when it installs on your phone.)
    Example of what the files in your Desktop folder should be called der1.cer, der2.cer etc etc.
    7. Now transfer the whole folder from your Desktop to your Mobile phone. (I did this by using Nokia PC Suite.)
    8. When the folder with the certificates and html we made have been transferred to your phone navigate using your phone to that folder.
    9. Go into the folder and open the cert.html file. (Your browser will now open a page with 11 download links available)
    10. Now all you have to do is click on each link and accept each certificate remembering to save and they will install on your phone. (On my 6500 Classic i can check this by Navigating through my phone to Menu>Settings>Security>Authority Certificates)
    Notes:- Some errors you may receive when trying to download the certificates through your phone browser may be Already Exists, Expired Certificate and the most annoying is Corrupted Certificate.
    Already Exists - Shouldn't allow you to save (DO NOT SAVE IF IT ALLOWS YOU)
    Expired Certificate - (DO NOT SAVE)
    Corrupted Certificate - Install the certificate on your computer first, then go to Tools>Internet Options>Content>Certificates.
    (save the certificate to other people tab) Browse for the certificate you installed then export it in DER format to the Desktop Folder you created then start process over again to get it onto your phone.
    Remember to delete any certificates as you go that you have already installed so you don't get mixed up.
    Any issues reply and i will do what i can to help and if anyone has Hutchinson 3G Root Certificates please let me know.
    Thanks.
    Message Edited by andyhardie on 15-Jul-2009 04:05 PM

    I have nokia 6300 s40v3 and when I tried to open cert.html it showed format unknown.
    What should I do. Can you tell me the format of bookmark so that can rename it to cer.(format)
    sir please give some guidense its very urgent
    reply at *******
    MODERATOR'S NOTE:
    Personal details removed by a moderator. We kindly ask you not to share your personal e-mail address or any other personal information publicly on this forum. This is for your personal safety and privacy.
    Message edited by Aikin19

  • Error -2147415740 from Keychain when importing a root CA certificate

    I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".
    Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (8192 bit)
    Modulus (8192 bit):
    I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?
    Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.
    For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.

    sigh
    Result 1, this thread
    Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.
    Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.
    Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification.

  • How to renew the issuing CA certificate

    Hi,
    We have one root CA and two issuing CAs setup in our environment in Windows server 2003 platform. The CA certificate of one of the issuing CA has expired and the other will expire in two weeks. The root CA certificate is valid through 2018. The MS PKI infrastructure is primarily used for issuing workstation certificates via GPO to client machines for VPN two factor authentication.
    Any help you can provide will greatly be appreciated.
    Thanks in advance,
    V

    The ship has sailed on the issuing CA that expired. You need to uninstall certificate services and reinstall ADCS (I would consider setting up a new CA (new name, newer OS)
    The second issuing CA can be renewed anytime within the next two weeks. After the certificate expires, renewal is not possible.
    There is no risk in setting up the new CA. All of the certificates are expired as well on the first issuing CA, so there will be no loss of functionality.
    That being said, this is a horribly managed PKI. A CA should be renewed when half of its lifetime has expired. To leave a CA to the point of two weeks left or worse yet, letting the CA certificate expired is terrible. Who is managing the service - they really need to step it up
    Brian

  • Site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

    I am working with Firefox 35.0 I get the security certificate error message of site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer).
    This happens on each page that I go to. I can pull the page up with no problem with Explorer. Please Help. I don't have any security software that would be stopping or scanning SSL.

    Check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
    Check out why the site is untrusted and click "Technical Details" to expand this section.
    If the certificate is not trusted because no issuer chain was provided (sec_error_unknown_issuer) then see if you can install this intermediate certificate from another source.
    You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
    *Click the link at the bottom of the error page: "I Understand the Risks"
    Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
    *Click the "View..." button and inspect the certificate and check who is the issuer of the certificate.
    You can see more Details like intermediate certificates that are used in the Details pane.
    If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
    *Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate.
    *Note that it is not recommended to add a permanent exception in cases like this, so only use it to inspect the certificate.

  • Root CA certificate marked as non-exportable

    Hello All.
    I've found myself with an odd issue. A few months ago I migrated from an old 2008R2 Enterprise CA to a new 2012R2 Core Enterprise CA. I exported the Root CA cert from the old server using the following:
    certutil.exe backupkey C:\Temp\Migration
    That made a P12 file with the private key. I then imported the Root CA on the new server (after decommissioning the old server, installing ADCS, etc) using this command:
    certutil.exe importpfx "blah.p12"
    I continued the rest of the CA Migration steps per TechNet articles (http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_PrepDest
    http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx).
    Things have been fine for months but I wanted to do a scheduled backup of our CA cert and got an error:
    C:\Scripts>Certutil.exe -p Blah -backupkey
    CABackupCertUtil: -backupKey command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
    CertUtil: Key not valid for use in specified state.
    This error appears to be because my Root CA cert is marked as non-exportable. I verified this by using the Certificates MMC and the option is greyed out.
    My understanding is that importing a PFX with no options marks the private key as exportable but for some reason mine didn't. I'm not sure why but the issue at hand is to fix this for the future.
    I can see 2 possible options. To re-import the P12 file (I still have the original file) or to possibly renew the Root CA certificate although I'm not sure if that will allow it to be exportable.
    We have a lot of certificates issued by this new CA so I'm looking for suggestions or caveats since I can't find anyone else with similar issues.
    Thanks!

    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    you can delete existing key from the store and re-import from PFX file.
    > My understand was that it imports by default with the private key being exportable
    Not sure about certutil (haven't used this parameter for a while). You can try to run it again and check whether it will allow key export.
    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    no, you will still see the same certificate list as before, because this list is maintained by renewals and internal CA database information.
    > Or do you think it would be as easy as re-importing?
    Re-import will solve the issue. If certutil won't help, then use MMC.

  • Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

    Hi,
    I am trying to install CA root certificate on Windows 7, IE 9.
    Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
    I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on the list.
    On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
    I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
    Anyone, any idea ?
    Regards,
    Eye Gee

    Hi,
    If you install the certificate but then cannot see it please read the following KB article:
    You cannot view certificate information in Windows Internet Explorer 7 or in Certificate Manager after you successfully import a certificate on a Windows Vista-based computer (although it applies to Windows Vista)
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156
    This is also because of this: Microsoft Security Advisory: Update for minimum certificate key length
    http://support.microsoft.com/kb/2661254
    To get rid of the error, you can self-signed certificate for a secured website in Internet Explorer.
    To do this, follow these steps:
    1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.
    2. In Windows Internet Explorer, click Continue to this website (not recommended).
     A red Address Bar and a certificate warning appear.
    3. Click the Certificate Error button to open the information window.
    4. Click View Certificates, and then click Install Certificate.
    5. On the warning message that appears, click Yes to install the certificate and place it in your trusted certificates authority.
    6. Exit Explorer then open the page again. Error should be gone.
    I also would like to suggest you refer to the link below to learn more about certificates:
    Certificate errors: FAQ
    http://windows.microsoft.com/en-HK/internet-explorer/certificate-errors-faq#ie=ie-11
    Understanding Certificate Revocation Checks
    http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support
