ISE Identity Certificate.

Hi there,
Does anyone have any experience with publicly signed ID certificates for ISE?
We are going to be deploying Guest Services via CWA. When a user connects to the portal they get a certificate error, as the current ID certificates are only signed by our internal CA and nobody but internal users will have that CA installed.
I went to an external provider (Geotrust) and wanted to get a public CA-signed certificate with CN = guestportal.company.com and SAN fields of internalserver.company.local.lcl, the private IP of the box and the external IP of the box. I get this error from Geotrust:
Certificates that expire after November 1st, 2015 may not contain an internal server IP address or server name. Please modify SAN entry to continue.
Researching further into this, it seems that all certificates being issued by public CAs need to abide by the following new rules.
“What is an Internal Name?
An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:
    Any server name with a non-public domain name suffix. For example, www.contoso.local or server1.contoso.internal.
    NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.
    Any IPv4 address in the RFC 1918 range.
    Any IPv6 address in the RFC 4193 range.”
Has anyone got around this? Or will the guests just have to put up with the certificate error? Also, I'll have to change the PSN's hostname to the CN, which has implications for it joining our internal Active Directory, so I'm not keen on that.
I've read that LDAP might be my only solution, which I am not really keen on; see below.
https://supportforums.cisco.com/docs/DOC-37562

I have run into the same situation with public CAs. I need two separate certs, a public HTTPS one and an internal EAP one, each on a different domain. Is this possible? If so, how do you generate the certs for two different domains? The public one is straightforward, as it will have the correct domain configured on the ISE node. However, for the EAP cert, how will an internal PKI react to a CSR generated by a box on a different domain?
Recently I had a conversation with a TAC engineer, and the outcome seemed positive. The outcome from that conversation was the following:
- HTTPS wildcard certificate from a public issuer with example.org.au
- CLI change on the ISE nodes to change their domain to org.au
- The company DNS must be able to resolve the ISE node FQDNs with example.org.au, for example ISE01.example.org.au.
- The EAP certificate can be issued from the legacy corporate PKI with a domain of example.local
However, in response to the same question, the account team have said:
In response to checking if ISE can be deployed with multiple domain certificates, such as for HTTP management on example.org and EAP on example.internal.org:
The reason why this is not possible is because to install a certificate in ISE you need to pass a few conditions:
"Cisco ISE checks for a matching subject name as follows:
1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
3. If no match is found, the certificate is rejected."
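Putting the two rules in this thread together (the public-CA internal-name rule quoted in the first post and the three ISE subject-matching rules quoted just above), as an added example that is not code from any of the posters or from Cisco: it flags which SAN entries a public CA would refuse, drops them, and then applies the ISE rules to what is left for a given node FQDN. PUBLIC_TLDS is an assumed stand-in for a real public-suffix list, and the IP addresses in the sample are constructed.

```python
import ipaddress

# RFC 1918 and RFC 4193 ranges, the ones named in the internal-name definition
# quoted at the top of the thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumption: the caller supplies the set of public suffixes it trusts; a real
# tool would load the IANA TLD list or the Public Suffix List instead.
PUBLIC_TLDS = {"com", "net", "org", "au"}


def _as_ip(entry):
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        return None


def is_internal_name(entry, public_tlds=PUBLIC_TLDS):
    """True if a public CA would refuse `entry` as an internal name."""
    ip = _as_ip(entry)
    if ip is not None:
        return any(ip in net for net in INTERNAL_NETS)
    labels = entry.lower().rstrip(".").split(".")
    if len(labels) < 2:                      # NetBIOS / short hostname, e.g. "Web1"
        return True
    return labels[-1] not in public_tlds     # non-public suffix, e.g. ".local" or ".lcl"


def _name_matches(pattern, fqdn):
    """Exact match, or a wildcard whose domain equals the domain part of the node FQDN."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, node_domain = fqdn.partition(".")
        return node_domain == pattern[2:]
    return pattern == fqdn


def ise_accepts(node_fqdn, subject_cn, san_entries):
    """The three matching rules quoted from the Cisco docs; returns (accepted, reason)."""
    san_dns = [s for s in san_entries if _as_ip(s) is None]   # IP SANs are not DNS names
    if san_dns:                                               # rule 1
        if any(_name_matches(n, node_fqdn) for n in san_dns):
            return True, "a SAN DNS name matches the node FQDN"
        return False, "SAN has DNS names but none matches the node FQDN"
    if subject_cn and _name_matches(subject_cn, node_fqdn):   # rule 2
        return True, "no SAN DNS names; subject CN matches the node FQDN"
    return False, "neither SAN nor CN matches the node FQDN"  # rule 3


def vet_request(node_fqdn, subject_cn, san_entries, public_tlds=PUBLIC_TLDS):
    """Strip what a public CA will refuse, then check whether ISE would still install the result."""
    internal = [s for s in san_entries if is_internal_name(s, public_tlds)]
    issuable = [s for s in san_entries if s not in internal]
    accepted, reason = ise_accepts(node_fqdn, subject_cn, issuable)
    return {"rejected_by_public_ca": internal, "issuable_sans": issuable,
            "ise_accepts": accepted, "reason": reason}


if __name__ == "__main__":
    # Constructed values mirroring the first post: public CN, internal hostname,
    # a private IP and a (documentation-range) public IP in the SAN.
    print(vet_request("internalserver.company.local.lcl", "guestportal.company.com",
                      ["internalserver.company.local.lcl", "10.1.2.3", "203.0.113.10"]))
    # The layout the TAC engineer described: node renamed into the public
    # domain and a wildcard certificate for that domain.
    print(vet_request("ise01.example.org.au", "*.example.org.au", ["*.example.org.au"]))
```

The first call shows the original poster's dilemma: once the internal SAN entries are gone, nothing in the certificate names the node, so ISE falls through to rule 3.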

Similar Messages

  • Reference identity certificate in EAP-TLS setting

    How do I reference an identity certificate that was provisioned through SCEP in the final configuration profile sent to the device? The device signs the final request with the identity certificate, but it doesn't send the UUID so that we can insert it into the EAP-TLS Wi-Fi payload as "PayloadCertificateUUID". Appreciate any help/pointers on this matter.
    Thanks.

    Refresh your Cisco ISE trusted certificate.
    This issue can also arise if the Cisco ISE FQDN changes and/or the name of the certificate imported on the client machine has changed.
    The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine may be configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

  • The enrollment server did not provision a valid identity certificate

    I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).
    The device doesn't appear to even make an attempt at connecting to my server, and thanks to server-side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre-trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).
    I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.
    A side note - using a preexisting MDM vendor is not an option here.
    Below is the profile I'm using:
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
            <dict>
              <key>PayloadContent</key>
              <array>
                <dict>
                  <key>PayloadContent</key>
                  <dict>
                    <key>Challenge</key>
                    <string>this is a challenge</string>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>5</integer>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Name</key>
                    <string>mycompany</string>
                    <key>Retries</key>
                    <integer>3</integer>
                    <key>RetryDelay</key>
                    <integer>0</integer>
                    <key>Subject</key>
                    <array><array><array>
                      <string>CN</string>
                      <string>mycompany</string>
                    </array></array></array>
                    <key>URL</key>
                    <string>https://mysite.com/scep.aspx</string>
                  </dict>
                  <key>PayloadDescription</key>
                  <string>Configures SCEP</string>
                  <key>PayloadDisplayName</key>
                  <string>SCEP (mycompany)</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.scep1</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.security.scep</string>
                  <key>PayloadUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                </dict>
                <dict>
                  <key>AccessRights</key>
                  <integer>3</integer>
                  <key>CheckInURL</key>
                  <string>mysite.com/checkin.aspx</string>
                  <key>CheckOutWhenRemoved</key>
                  <false/>
                  <key>IdentityCertificateUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadDescription</key>
                  <string>Configures MobileDeviceManagement.</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.mdm2</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.mdm</string>
                  <key>PayloadUUID</key>
                  <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>ServerURL</key>
                  <string>https://mysite.com/checkin.aspx</string>
                  <key>SignMessage</key>
                  <false/>
                  <key>Topic</key>
                  <string>com.apple.mgmt.mypushsubject</string>
                  <key>UseDevelopmentAPNS</key>
                  <true/>
                </dict>
              </array>
              <key>PayloadDescription</key>
              <string>Profile description.</string>
              <key>PayloadDisplayName</key>
              <string>Test Profile</string>
              <key>PayloadIdentifier</key>
              <string>com.mycompany.mdm</string>
              <key>PayloadOrganization</key>
              <string>mycompany</string>
              <key>PayloadRemovalDisallowed</key>
              <false/>
              <key>PayloadType</key>
              <string>Configuration</string>
              <key>PayloadUUID</key>
              <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
              <key>PayloadVersion</key>
              <integer>1</integer>
            </dict>
          </plist>

    I got in touch with Apple about this.
    Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment.  According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.

  • 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Hi guys,
    I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
    I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
    12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Refer to the following troubleshooting document; the issue is covered on page 22: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

  • ISE, BYOD: win clients reject ISE local-certificate

    Hello!
    We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.
    Windows clients cannot connect to 802.1x SSID with the following error on ISE:
         Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    The client doesn't have preconfigured wifi profile or root certificate installed.
    The concept of BYOD supposes that you can connect your device without any installed certificates or preconfigured Wi-Fi profiles.
    The problem is that the Windows 7 supplicant does not show the TLS alert in a pop-up window when connecting to the 802.1x SSID.
    If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc.
    So, the question is: how do I make the Windows supplicant show the pop-up window with the TLS alert?
    p.s. the attached file shows an example of the pop-up TLS-alert window

    Are there any recommendations from Cisco about the issue with Windows?
    I believe there's a new version of smart solution design guide coming up.
    The current one does not mention anything to do with certs in "User Experience" chapter.
    You can check one of the possible approaches in Nico's document:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    (It can be easily extended.)
    I think regarding PEAP we will always say that the cert or the root/sub CA cert should already be trusted on the device when performing enrollment.
    Will try to dig in, can't say I promise to get something concrete though. 

  • Java.io.IOException: Invalid identity certificate signature

    Hi,
    My WebLogic 11g is running on a Windows Server 2008 64 bit server. I have obtained a certificate with private key for this Windows server. Now I would like to use this certificate and private key for my WebLogic server.
    What I have done:
    1. Exported server certificate using mmc.exe to my_domain.pfx
    2. Extracted my certificates and key with OpenSSL:
    openssl pkcs12 -in my_domain.pfx -out tempcertfile.crt -nodes
    3. Cut and pasted the section
    -----BEGIN RSA PRIVATE KEY-----
    (Block of Encrypted Text)
    -----END RSA PRIVATE KEY-----
    of the generated tempcertfile.crt to file my_domain.key
    4. Copied the second set of -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- from tempcertfile.crt to file TrustedRoot.crt
    5. Used keytool to create a new trust certificate keystore:
    keytool -import -trustcacerts -file TrustedRoot.crt -alias server -keystore new_trust_keystore.jks -storepass NEWPASSWORD
    where NEWPASSWORD is the new password of the keystore
    6. Used utils.ImportPrivateKey to create a new identity certificate keystore:
    java utils.ImportPrivateKey -keystore new_identity_keystore.jks -storepass NEWPASSWORD -storetype JKS -keypass NEWPASSWORD -alias server -certfile tempcertfile.crt -keyfile my_domain.key -keyfilepass PFXPASSWORD
    7. Configured WebLogic to use the new trust and identity certificate keystores
    When I try to start the WebLogic server it shuts down again with the following log:
    ####<22-03-2012 07:10:42 CET> <Critical> <WebLogicServer> <HID-1041559> <AdminServer> <main> <<WLS Kernel>> <> <> <1332396642889> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    java.io.IOException: Invalid identity certificate signature: [***]
         at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:64)
         at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:296)
         at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
         at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: weblogic.management.configuration.ConfigurationException: Invalid identity certificate signature: [***]
    Does anybody know what I'm doing wrong?
    Thanks in advance, Steffen

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt, since there must be a header that shows the identity information, such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards Steffen
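As an added example (not Steffen's or Oracle's code) of the ordering fix above: a stdlib-only script that reads a PEM bundle such as tempcertfile.crt and emits its certificate blocks as identity, intermediate(s), root by following issuer/subject links in the DER; the private key and Bag Attributes lines are not carried over. The sample bundle at the bottom is constructed from unsigned stand-in certificates, so it runs offline; point order_chain at a real tempcertfile.crt to rebuild the -certfile input.

```python
import base64
import re
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
_OID_COMMON_NAME = b"\x55\x04\x03"                    # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Every TLV inside a constructed value (the contents of a SEQUENCE or SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):
    """Raw DER contents of the issuer and subject Name fields of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def common_name(name_der):
    """The CN attribute of a DER Name, or None if it has none."""
    for _, rdn in _children(name_der):                 # RelativeDistinguishedName ::= SET
        for _, atv in _children(rdn):                  # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (_, val) = _children(atv)
            if oid == _OID_COMMON_NAME:
                return val.decode("utf-8", "replace")
    return None

def pem_certificates(text):
    """(pem_block, der_bytes) per CERTIFICATE block; keys and Bag Attributes are skipped."""
    certs = []
    for m in _PEM_CERT.finditer(text):
        pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % m.group(1).strip()
        certs.append((pem, base64.b64decode("".join(m.group(1).split()))))
    return certs

def order_chain(text):
    """PEM blocks reordered identity -> intermediate(s) -> root by following issuer links."""
    entries = [(pem,) + issuer_and_subject(der) for pem, der in pem_certificates(text)]
    by_subject = {subj: (pem, iss) for pem, iss, subj in entries}
    issuers = {iss for _, iss, subj in entries if iss != subj}
    leaves = [subj for _, _, subj in entries if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one identity certificate, found %d" % len(leaves))
    ordered, cur, seen = [], leaves[0], set()
    while cur not in seen:
        seen.add(cur)
        pem, iss = by_subject[cur]
        ordered.append(pem)
        if iss == cur or iss not in by_subject:        # self-signed root, or chain ends here
            break
        cur = iss
    return ordered

def chain_summary(text):
    """[(subject CN, issuer CN), ...] of the reordered chain, for a quick eyeball check."""
    ders = [pem_certificates(pem)[0][1] for pem in order_chain(text)]
    return [tuple(common_name(n) for n in reversed(issuer_and_subject(d))) for d in ders]

# --- constructed sample input: unsigned stand-ins carrying only the fields read above ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    atv = _der(0x30, _der(0x06, _OID_COMMON_NAME) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    """Not a real certificate: empty algorithm/validity/key fields and a dummy signature."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()

# The shuffled order a pkcs12 export can produce: root, identity, intermediate.
SAMPLE_BUNDLE = ("Bag Attributes\n    friendlyName: root\n"
                 + fake_cert_pem("Example Root CA", "Example Root CA")
                 + fake_cert_pem("my_domain.example.com", "Example Issuing CA")
                 + fake_cert_pem("Example Issuing CA", "Example Root CA"))
if __name__ == "__main__":
    for subject, issuer in chain_summary(SAMPLE_BUNDLE):
        print("%-25s issued by %s" % (subject, issuer))
```

Write "".join(order_chain(open("tempcertfile.crt").read())) to a new file and pass that as -certfile; the issuer/subject comparison is on raw DER, which is how a CA normally encodes its own name in the certificates it issues.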

  • WS-Security:  Fail to configure Keystore and Identity Certificates

    Hi,
    This is my first question here!
    I want to set up a secure web service. Following the guide "Web Services Security Guide", I set up the keystore and identity certificates with a keystore that contains two certificates created by me, and I set the keys to be used for signature and encryption. I did not define any method for authentication.
    I deployed the application to the server (oc4j_extended_101350) and up to this point apparently everything went well.
    I created a web service proxy to test the web service with JDeveloper, but when I call the web service method the server responds with the error:
    java.rmi.ServerException:
    start fault message:
    Internal Server Error
    : End fault message
    at oracle.j2ee.ws.client.StreamingSender._raiseFault (StreamingSender.java: 571)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl (StreamingSender.java: 401)
    at oracle.j2ee.ws.client.StreamingSender._send (StreamingSender.java: 114)
    at clientmessageoc4jstda.proxy.runtime.MyWebService1SoapHttp_Stub.getHelloWorld (MyWebService1SoapHttp_Stub.java: 77)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.getHelloWorld (MyWebService1SoapHttpPortClient.java: 42)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.main (MyWebService1SoapHttpPortClient.java: 30)
    On the server the following error occurs:
    ERROR OWS-04005 error has occurred on port: () http://messagelevelsecurity/ MyWebService1SoapHttpPort: oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException.
    The client and server are not in the same directory.
    The class exposed by the web service is a simple Hello World.
    public class HelloWorld {
        public HelloWorld() {
        }
        public String getHelloWorld() {
            return "Hello World";
        }
    }
    Thanks in advance
    I apologize for my English

    I had to add : " outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");" to the client code and it started working !

  • Windows 8.1 Device Identity Certificate

    I am implementing Windows 8.1 MDM and seems to be stuck on Certificate Enrollment web service step.
    I am sending the below response and Windows client seems to be proceeding further by sending DM Initialization and responding to SyncML requests from the server. 
    I also can see the certificate using certmgr under Certificate->Personal->Certificates, where the certificate is marked as "Valid" and notes that the device has a private key that corresponds to the certificate.
    The CA is self-signed and the CA certificate is placed under Root/System in the wap-provisioning response (see below).
    However, I expected to see the client identity certificate be part of all SyncML requests coming from the client.
    Should the client send the identity certificate with SyncML messages? If yes, what could be wrong in the way I set the certificate?
    If not, what is the right way to get the device certificate?
    <wap-provisioningdoc version="1.1">
    <!-- This contains information about issued and trusted certificates. -->
    <characteristic type="CertificateStore">
    <!-- This contains trust certificates. -->
    <characteristic type="Root">
    <characteristic type="System">
    <!--The thumbprint of the certificate to be added to the trusted root store -->
    <characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
    <!-- Base64 encoding of the trust root certificate -->
    <parm name="EncodedCertificate" value="MIIDbzCCAlegAwIBAgIJAKZI3oplYTv2MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNQXBwZGlnaW8gVGVzdDEaMBgGA1UEAwwRQXBwZGlnaW8gVGVzdCBNRE0wHhcNMTQwODE0MDU1NDE5WhcNMjUwNzI3MDU1NDE5WjBOMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUFwcGRpZ2lvIFRlc3QxGjAYBgNVBAMMEUFwcGRpZ2lvIFRlc3QgTURNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyOxdnl8PEtvfyhPzj9ANeLKF3YR6nFvOuIKHW/HDXAMIodtcRSf2qyPEZ3+l5f2/TZojjX401AnQeBdSKijdkKWqLboxp6237ZVdlezT1Xw7c6dmxJUwDKekUhEHJd6Ru8Rsu7c0Bzn79F7LOEGkNkGGy+LG12xzwDwg+tx3GZwVRfoMZcjtJNM9vwZCxrkgjYvJPDUl2yIca7MTl61w1wSZaOpnd2xJNbsIC3myD6oXIJoeVTEQE+XXlZcKGYs1Puv0ekdZt4P2+XUj3grHD7+XTqu0oPLFQRw0mbjyFbw4c6/8HDOrHYXr1SkHL5rm21eaN84ssFzXdf0aF2RY3wIDAQABo1AwTjAdBgNVHQ4EFgQUJRCDC1HaVsVZF8uMeakHmBrDwEIwHwYDVR0jBBgwFoAUJRCDC1HaVsVZF8uMeakHmBrDwEIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAncr1ZHB6wuwGaQXGvdVXF22VVLU41ojkw4EcU6/5H+LiRwBGpgDSwPnssqia+/zNukEI8s1zxbo3UHOS29hGFwEPKlsYVzbCaAnXDtfmMrxG8FmoSCEmcoYbCg0nEGsQXPbdgbwsF7V2equclxouvAHs36j0qNoIqu2Mwmkf6XBaLKEFiJ4nX89AFqNLDq5TjrJ9lSG6WnM3l8Gn4c28FPsPnrvtuoNNX4nBTJOXe57h48raawvN3UAstSGsofgQV1rbHj+qZ9EnIdiaaUVZk54CVY8Ic+4Z/8v18Z06s/2bMwHEgd+tICHdCPL9cs4SJNZ2vTick93rtYtMNYE8cA==" />
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- This contains intermediate certificates. -->
    <!-- NOTE: WE DO NOT USE INTERMEDIATE CERTIFICATE
    <characteristic type="CA">
    <characteristic type="System">
    <characteristic type="{thumbprint}">
    <parm name="EncodedCertificate" value="{encoded intermediate cert inserted here}" />
    </characteristic>
    </characteristic>
    </characteristic>
    -->
    <characteristic type="My" >
    <characteristic type="User">
    <!-- Client certificate thumbprint. -->
    <characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
    <!-- Base64 encoding of the client certificate -->
    <parm name="EncodedCertificate" value="MIID1jCCAr6gAwIBAgIGDOsyplYiMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNQXBwZGlnaW8gVGVzdDEaMBgGA1UEAwwRQXBwZGlnaW8gVGVzdCBNRE0wHhcNMTUwMTA1MDQwNDIwWhcNMzAwMTAxMDQwNDIwWjAvMS0wKwYDVQQDEyQ4NjRlNjk5NC04NzJlLTQzOGMtYWJjNy1kYmM2N2ZmZTI1NzYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoFYRQG+OnkHm+Zv9wNeTICnSSrkWVf50rRWb1OVSuMTHEgNfDMpdbjb3tZZucmo1WWcJHiMpMiFmSF1KfNVttIPZK0+pX3eqAwnTlt7YcdV3OhQShE9mh7caalUxQLBZNBeKjXzj0erQgzt1CleIDWGikg11iuGHSlwRyb7aRMvYsXOppfdH9vIebNznKavaRG0IPi4joOR161bmwQ4bPmMiYuQ49MEvSx92F/g+F2dI7bPeo6is7AqQO7iA1woVyGgeI0M0IpQDLftO0EwSXlLNFjDTBsqWH2PZrCkQNXPyuP1/vPiHuiYyBugdCpK1quc4HnMrXEuYBz+xqUV+1AgMBAAGjgdgwgdUwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0OBBYEFOySgxF+y4dZX5ilGJi0yi7n1NjCMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMH4GA1UdIwR3MHWAFCUQgwtR2lbFWRfLjHmpB5gaw8BCoVKkUDBOMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUFwcGRpZ2lvIFRlc3QxGjAYBgNVBAMMEUFwcGRpZ2lvIFRlc3QgTURNggkApkjeimVhO/YwDQYJKoZIhvcNAQEFBQADggEBAD6ee4/RfIFddNmaY+Bw5KShe42mvDOoYeOxKbzA6S4qcMJxzfRMkXqtPxAqni7BdxxhIuVpBdfL3dEFWMyA6fRxX/mGo4cp4ZxdFhs5ADvTu51stRECVKo9LKoT2Y8NzQxc5th0GwXcCMKBm6iR1UV6DKhjFaLDNv8F2B+cOeSVaBrJdDBcokBkX/kPOWEzQHtMEMD3OBgLrJAW1Xv/OvBjE2KlhAfDWNImXT7DkUbaDmqbg25GO/qTkSCUspe978OTHrVkOy8n/sJLSkVn9VQe1HRVTZOo1XSZRFcz50OUI3lgetcDyQl/WWDJL6PLDDhNP+URq4mn/dGByN58NOk=" />
    <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2"/>
    <parm name="ContainerName" value="ConfigMgrEnrollment"/>
    <parm name="ProviderType" value="1"/>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- Contains information about the management service and configuration
    for the management agent -->
    <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <!-- Management Service Name. -->
    <parm name="PROVIDER-ID" value="TestMDM"/>
    <parm name="NAME" value="TestMDM"/>
    <!-- Link to an application that the management service may provide
    eg a Windows Store application link.
    The Enrollment Client may show this link in its UX.-->
    <!--
    <parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
    -->
    <parm name="SSPHyperlink" value="https://192.168.1.121:8080" />
    <!-- Management Service URL. -->
    <parm name="ADDR" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ServerList" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ROLE" value="4294967295"/>
    <!-- Discriminator to set whether the client should do Certificate Revocation List
    checking. -->
    <parm name="CRLCheck" value="0"/>
    <parm name="CONNRETRYFREQ" value="6" />
    <parm name="INITIALBACKOFFTIME" value="30000" />
    <parm name="MAXBACKOFFTIME" value="120000" />
    <parm name="BACKCOMPATRETRYDISABLED" />
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    <!-- Search criteria for client to find the client certificate using subject name of the
    certificate -->
    <!-- <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d%s&amp;Stores=My%5CUser" /> -->
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser" />
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    </characteristic>
    <!-- Extra Information to seed the management agent's behavior . -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Security\MachineEnrollment">
    <parm name="RenewalPeriod" value="90" datatype="integer" />
    </characteristic>
    <characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
    <!-- Number of retries if client fails to connect to the management service. -->
    <parm name="NumRetries" value="8" datatype="integer" />
    <!--Interval in minutes between retries. -->
    <parm name="RetryInterval" value="15" datatype="integer" />
    <parm name="AuxNumRetries" value="5" datatype="integer" />
    <parm name="AuxRetryInterval" value="3" datatype="integer" />
    <parm name="Aux2NumRetries" value="0" datatype="integer" />
    <parm name="Aux2RetryInterval" value="480" datatype="integer" />
    </characteristic>
    </characteristic>
    <!-- Extra Information about where to find device identity information. This is redundant
    in that it is duplicative to what is here, but it is required in the current version of the
    protocol. -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
    <parm name="DeviceName" value="" datatype="string" />
    </characteristic>
    </characteristic>
    <characteristic type="Registry">
    <characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
    <!--Thumbprint of root certificate. -->
    <parm name="SslServerRootCertHash" value="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2" datatype="string" />
    <!-- Store for device certificate. -->
    <parm name="SslClientCertStore" value="My%5CSystem" datatype="string" />
    <!-- Common name of issued certificate. -->
    <parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string" />
    <!--Thumbprint of issued certificate. -->
    <parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    <nocharacteristic type="HKLM\Security\Provisioning\OMADM\Accounts" />
    <characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
    <parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    </characteristic>
    </wap-provisioningdoc>

    Eric,
    I do have the APPAUTH portion in the wap-provisioningdoc:
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    My Windows 8.1 (tablet, not a phone) does not send SyncML DM Auth Request. I.e. it sends session initialization, then I send a <get> command to which client responds appropriately. But no <Cred> is sent.
    I also do not see any connection attempts to the server name (https://192.168.1.121:8080/test)
    Oleg

  • Device Identity Certificate - what will happen when it expires?

    Hi everybody,
    when enrolling an iPad with the OS X Server device manager (..\mydevices), a payload is sent to the device; if inspected under General preferences / Remote Management / More details it reveals itself as composed of
    1) Mobile Device Management - that's the endpoint of management, the OS X server in short
    2) A Device Identity Certificate, expiring one year from the enrollment
    Basically my question is: what's going to happen after one year?
    Will the certificate be auto-renewed, or will the whole remote management profile have to be removed and the device re-enrolled from scratch?
    It may seem an easy question, but I haven't been able to find a definitive answer to it, and with 1.000 iPads already enrolled I'm starting to be a bit worried.
    Thank you for any help!

    It is now known that iWeb and iDVD have been discontinued by Apple. This is evidenced by the fact that new Macs are shipping with iLife 11 installed but without iWeb and iDVD.
    On June 30, 2012 MobileMe will be shut down. However, iWeb will still continue to work, but without the following:
    Features No Longer Available Once MobileMe is Discontinued:
    ◼ Password protection
    ◼ Blog and photo comments
    ◼ Blog search
    ◼ Hit counter
    ◼ MobileMe Gallery
    All of these features can be replaced with 3rd party options.
    I found that if I published my site to a folder on my hard drive and then uploaded with a 3rd party FTP client, subscriptions to slideshows and the RSS feed were broken. If I published directly from iWeb to the FTP server those two features continued to work correctly.
    There's another problem and that's with iWeb's popup slideshows.  Once the MMe servers are no longer online the popup slideshow buttons will not display their images.
    However, Roddy McKay and I have figured out a way to modify existing sites with those slideshows and iWeb itself so that those images will display as expected once MobileMe servers are gone.  How to is described in this tutorial: #26 - How to Modify iWeb So Popup Slideshows Will Work After MobileMe is Discontinued.
    It now appears that the iLife suite of applications offered on disc is a discontinued product and the remaining supported iApps will only be available through the App Store from now on. However, the iLife 11 boxed version that is still available at the online Apple Store (Store button at the top of the page) and those still on the shelves of retailers will include iWeb and iDVD. Those two apps were listed in small, gray text on the iLife 11 box that I bought.
    Personally, if I didn't already have a copy I would purchase one to have it for reinstallation purposes if ever needed.
    This may be of some interest to you: Life After MobileMe.
    OT

  • Use wildcard identity certificate for SSLVPN

    I have a wildcard identity certificate *.example.com that I would like to use for SSLVPN connections, but haven't been able to get it installed. Has anyone been able to do this?

    I found the issue. We were attempting to import the PEM version and not the PKCS12 version that contained the private key. I was able to get it to work.

  • Using iPCU, how to select an identity certificate

    When using iPCU, the option to select an identity certificate within the VPN configuration payload is greyed out (even though certificates have been defined in the Credentials section). Is there a different underlying requirement to be able to specify which certificate should be used for the VPN connection? (Windows 7 running iPCU version 3.6.2.300).
    Thanks.

    Umer, thanks for your response.
    It seems like other applications are locking the card/reader for a few seconds.
    For listening to card insertion, I am using terminals.waitForChange(); inside a while (true) loop.
    If I execute my code communicating with the card immediately after terminals.waitForChange(); returns, then my code fails (select applet still works but other card communication fails with ResponseAPDU: 2 bytes, SW=6d00).
    But if I add a sleep of 7 seconds or so before communicating with the card, then my code is able to communicate with the card.
        import javax.smartcardio.*;

        static class EventWaitThread extends Thread {
            // The post referenced `factory` without showing it; the platform default factory is assumed here
            private static final TerminalFactory factory = TerminalFactory.getDefault();

            public void run() {
                while (true) {
                    CardTerminals terminals = factory.terminals();
                    try {
                        // Handle every terminal in which a card has been inserted since the last change
                        for (CardTerminal terminal : terminals.list(CardTerminals.State.CARD_INSERTION)) {
                            Card card = terminal.connect("*");
                            CardChannel channel = card.getBasicChannel();
                            selectApplet(channel);     // poster's helper, not shown in the post
                            printCardStatus(channel);  // poster's helper, not shown in the post
                        }
                        // Block until a card is inserted or removed, then wait out the reader lock described above
                        terminals.waitForChange();
                        sleep(7000);
                    } catch (CardException e) {
                        e.printStackTrace();
                    } catch (InterruptedException e) {
                        return;  // thread was asked to stop
                    }
                }
            }
        }

  • ASA5505 is using wrong identity certificate

    I recently updated our ASA firmware from 8.4.(7)3 to 9.0.(4)24 and noticed afterwards that my web-facing interface (for SSL remote access vpn) was suddenly using a self-signed certificate. When I look at the identity certificates using ASDM, the only certificate listed is the one I installed from GoDaddy (and the one that it should be using - see screenshot). Anyone know what I can do to switch back to my GoDaddy cert?

    Thanks, I ran that command and that appears to have fixed it. Strange, I don't have that line in any of my previous configs and it always worked fine.

  • BEA-090156 Invalid identity certificate signature:

    I have a pfx format certificate and private key for my weblogic 9.2 server. I followed all necessary steps of importing the private key and certificates into the correct keystores. But I got a "Invalid identity certificate signature" error when my weblogic server starts. I am able to import this pfx file into my Internet Explorer 6 and view its details. So how would I go about resolving this issue? Thanks.

    If you want to use keytool to self sign the certificate then use the below command:
    command to generate certificate:
    keytool -genkey -alias pidcbox1 -keyalg RSA -keysize 1024 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass
    command to check the certificate:
    keytool -list -v -keystore pidcbox1identity.jks -storepass mystorepass
    command to self sign the certificate:
    keytool -selfcert -v -alias pidcbox1 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass -storetype jks
    Thanks
    Rahul Gupta

  • BEA-090156 Invalid identity certificate signature with custom stores

    How does one go about resolving BEA-090156 <Invalid identity certificate signature> when using custom keystores? As I have DoD certificates with a root that isn't in the standard JDK keystore, how does one go about resolving this issue? I created the keystores with the DoD certs, but get this message when trying to use them. Please advise.
    Thanks.

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity information, such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards Steffen
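    Steffen's fix above is purely a question of the order of the PEM blocks in tempcertfile.crt (identity, then intermediate, then root). As an added example that is not from this thread or from WebLogic, the following Python checks a bundle's order from each certificate's subject and issuer and reorders a shuffled bundle; the `describe_with_openssl` helper assumes an `openssl` binary on PATH, and the sample names and PEM text are constructed.

```python
import re
import subprocess
from typing import Dict, List, Optional

Cert = Dict[str, str]  # keys: "subject", "issuer" and optionally "pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> List[str]:
    """Return the certificate PEM blocks of a bundle file, in file order."""
    return PEM_BLOCK.findall(text)


def describe_with_openssl(pem: str) -> Cert:
    """Read subject and issuer of one PEM block via the openssl CLI.

    Assumption: an `openssl` binary is on PATH (this helper is not used by
    the offline sample data below).
    """
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer"],
        input=pem.encode(), capture_output=True, check=True,
    ).stdout.decode()
    fields = {}
    for line in out.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return {"subject": fields["subject"], "issuer": fields["issuer"], "pem": pem}


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the certificates ordered leaf -> intermediate(s) -> root.

    Raises ValueError when the bundle is not exactly one unbroken chain
    (missing issuer, more than one leaf, duplicate subjects, or a loop).
    """
    by_subject = {c["subject"]: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("bundle contains two certificates with the same subject")
    # Names that appear as the issuer of some *other* certificate; a
    # self-signed root names itself, which must not count here.
    issuer_names = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuer_names]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    chain = [leaves[0]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None:
            raise ValueError(f"issuer missing from bundle: {chain[-1]['issuer']}")
        if parent in chain:
            raise ValueError("issuer loop in bundle")
        chain.append(parent)
    if len(chain) != len(certs):
        raise ValueError("bundle contains certificates that are not on the chain")
    return chain


def chain_problem(certs: List[Cert]) -> Optional[str]:
    """None if the bundle forms one well-formed chain, else the reason it does not."""
    try:
        order_chain(certs)
        return None
    except ValueError as e:
        return str(e)


def is_correct_order(certs: List[Cert]) -> bool:
    """True if the bundle is already in the order leaf, intermediate(s), root."""
    return chain_problem(certs) is None and order_chain(certs) == certs


# Constructed sample: the three blocks of a bundle, with the root (wrongly) first.
LEAF = {"subject": "CN=guestportal.example.com", "issuer": "CN=Example Intermediate CA"}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
SHUFFLED_BUNDLE = [ROOT, LEAF, INTERMEDIATE]

# Constructed PEM text with two placeholder blocks, used only to exercise the splitter.
SAMPLE_PEM_TEXT = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("already in order:", is_correct_order(SHUFFLED_BUNDLE))
    for c in order_chain(SHUFFLED_BUNDLE):
        print(c["subject"], "issued by", c["issuer"])
```

    To check a real file, map `describe_with_openssl` over `split_pem_bundle(open("tempcertfile.crt").read())` and pass the result to `chain_problem`; a bundle that is only mis-ordered gets `None` back and `order_chain` gives the blocks in the order the server expects, while a bundle with a missing intermediate is reported as such rather than silently accepted.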

  • How to globally set WiFi to use device management identity certificate for all users?

    I'm using Apple's Profile Management service in Mountain Lion, and discovered through serendipity that an enrolled device can authenticate on EAP-TLS to our WPA2-Enterprise Wifi using the Device Management Identity Certificate instead of an individually-generated-for-user x509 cert. This is extremely convenient, because then we can effectively revoke a device's cert by unenrolling the device.
    However, I haven't been able to figure out how to make WiFi always designate EAP-TLS and select the Device Management Identity Certificate globally (whether through /usr/bin/networksetup or through the Profile Manager).
    Does anybody have any pointers on how to do this? My goal is to have an OS X >= 10.7 machine at a network login prompt capable of logging into the machine, authenticated against the Open Directory server the machine is already bound to. At present a wireless user cannot do this, as the machine's Wifi preferences haven't yet been set to use the aforementioned device management cert.
    Thanks!

    Making customisations from the default profile is generally considered poor practice and quite often doesn't work out as planned. (If you're interested in some more information on this, see here: http://mockbox.net/windows-7/227-customise-windows-7-default-profile.html)
    This article should help you with developing and deploying your customised Firefox 4 installation (without touching the Windows 7 default user profile):
    http://mockbox.net/configmgr-sccm/174-install-and-configure-firefox-silently.html
