Issuing Certificates to a DMZ server

I'm in the process of setting up a PKI infrastructure for an SCCM 2012 environment. In order to manage travelling laptops over the internet, we installed a new Windows 2012 R2 server in the DMZ. To communicate properly with the travelling
SCCM clients, we need to install 2 certificates on this DMZ server. This DMZ server is in a different forest/domain than the SCCM and CA server, with no trusts established between it and our production domain. If it makes any difference, there
is also no DNS forwarding, but I have added an entry to the hosts file on the DMZ server, and to the internal CA and SCCM servers (all Windows 2012 R2), so that they can resolve each other.
I've created the 2 certificate templates per the SCCM documentation on the internal CA server, but in the Security tab, there is no way for me to add the DMZ server for the "Read and Enroll" rights (since it's in another, untrusted forest.)
Since I can't enroll the certificates through the MMC console of the DMZ server, my next thought was that I could use the CA web enrollment method, and try to get certificates enrolled that way. However, when I type in
http://MY_CA_SERVER/certsrv, Internet Explorer spins for about 10-15 seconds, and then I get "Page cannot be displayed." I added the webpage to the Trusted Sites in IE, but that did not help. Visiting
the CA webpage from a domain-joined computer works fine; it's just not working from the DMZ server.
Does this sound like a communications/port issue? Between my internal domain and this DMZ server, I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open. Do I need anything additional for Certificate Authority communication?
If I'm not approaching this in the correct manner, I'm also open to other suggestions on how to install these 2 certificates properly.
Thanks in advance for any advice.

> I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.
please, close RPC ports in your perimeter firewall. Instead of using legace web pages, I would consider to set up a new Certificate Enrollment Web Servcies (which first appeared in Windows Server 2008 R2):
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
if it is not possible to install CEP/CES services, then you can use the following guide (although it requires some manual procedures):
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

Similar Messages

Configure Windows Server Essentials (2012R2) "Identified problem": "Certificate Issuer is installed on this server" stops the configuration

On a server 2012R2 Essentials when trying to install the essentials experience the first install works ok but the configuration allways stops with the message "Certificate Issuer is installed on this server" and no way to continue the configuration.
Windows/Logs/CBS/
2014-07-24 21:10:04, Info CBS TI: --- Initializing Trusted Installer ---
2014-07-24 21:10:04, Info CBS TI: Last boot time: 2014-07-24 18:36:03.489
2014-07-24 21:10:04, Info CBS Starting TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Ending TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Starting the TrustedInstaller main loop.
2014-07-24 21:10:04, Info CBS TrustedInstaller service starts successfully.
2014-07-24 21:10:04, Info CBS No startup processing required, TrustedInstaller service was not set as autostart
2014-07-24 21:10:04, Info CBS Startup processing thread terminated normally
2014-07-24 21:10:04, Info CBS Starting TiWorker initialization.
2014-07-24 21:10:04, Info CBS Ending TiWorker initialization.
2014-07-24 21:10:04, Info CBS Starting the TiWorker main loop.
2014-07-24 21:10:04, Info CBS TiWorker starts successfully.
2014-07-24 21:10:04, Info CBS Universal Time is: 2014-07-24 19:10:04.379
2014-07-24 21:10:04, Info CBS Loaded Servicing Stack v6.3.9600.17200 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17200_none_fa7026dd9b04586e\cbscore.dll
2014-07-24 21:10:04, Info CSI 00000001@2014/7/24:19:10:04.379 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7ffd2cb360e5 @0x7ffd2de92e53 @0x7ffd2de924ac @0x7ff60b37d2df @0x7ff60b37d9e4
@0x7ffd588d2385)
2014-07-24 21:10:04, Info CBS Could not load SrClient DLL from path: SrClient.dll. Continuing without system restore points.
2014-07-24 21:10:04, Info CBS SQM: Initializing online with Windows opt-in: True
2014-07-24 21:10:04, Info CBS SQM: Cleaning up report files older than 10 days.
2014-07-24 21:10:04, Info CBS SQM: Requesting upload of all unsent reports.
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2014-07-24 21:10:04, Info CBS NonStart: Set pending store consistency check.
2014-07-24 21:10:04, Info CBS Session: 30386034_3758808251 initialized by client WinMgmt.
2014-07-24 21:10:04, Info CBS Enumerating Foundation package: Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, this could be slow
2014-07-24 21:10:05, Info CSI 00000002 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x172dbed940
2014-07-24 21:10:05, Info CSI 00000003 Creating NT transaction (seq 1), objectname [6]"(null)"
2014-07-24 21:10:05, Info CSI 00000004 Created NT transaction (seq 1) result 0x00000000, handle @0x25c
2014-07-24 21:10:08, Info CSI 00000005 Poqexec successfully registered in [ml:26{13},l:24{12}]"SetupExecute"
2014-07-24 21:10:08, Info CSI 00000006@2014/7/24:19:10:08.151 Beginning NT transaction commit...
2014-07-24 21:10:08, Info CSI 00000007@2014/7/24:19:10:08.182 CSI perf trace:
CSIPERF:TXCOMMIT;32854
2014-07-24 21:10:08, Info CSI 00000008 CSI Store 99552754976 (0x000000172dce7d20) initialized
2014-07-24 21:10:08, Info CSI 00000009@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002
and client id [26]"TI5.30386034_3758808251:1/"
2014-07-24 21:10:08, Info CSI 0000000a@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 destroyed
2014-07-24 21:10:19, Info CBS Session: 30386012_3156824848 initialized by client DISM Package Manager Provider.
2014-07-24 21:12:19, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-24 21:12:19, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-24 21:12:19, Info CBS Ending the TiWorker main loop.
2014-07-24 21:12:19, Info CBS Starting TiWorker finalization.
2014-07-24 21:12:19, Info CBS Ending the TrustedInstaller main loop.
2014-07-24 21:12:19, Info CBS Starting TrustedInstaller finalization.
2014-07-24 21:12:19, Info CBS Ending TrustedInstaller finalization.
2014-07-24 21:12:20, Info CBS Ending TiWorker finalization.
Any ideas?
//Christer

Hi Justin!
nltest /server:"servername" /sc_reset:"domaninname" returns: "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"
Dcdiag /q returns : An error occurred. EventID: 0xC0001B77
The text log was not small enough to post here..
Regards.
Christer
Can not find anything directly related in windows-logs but here is the latest log from CBS folder..
2014-07-28 11:04:25, Info CSI 00000888 [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\041D" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"sv-se", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:25, Info CSI 00000889 [DIRSD OWNER WARNING] Directory [ml:128{64},l:126{63}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Non_msil.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088a [DIRSD OWNER WARNING] Directory [ml:134{67},l:132{66}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Scripts.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088b [DIRSD OWNER WARNING] Directory [ml:520{260},l:134{67}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088c [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\0000" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088d [DIRSD OWNER WARNING] Directory [ml:520{260},l:114{57}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft" is not owned but specifies SDDL
in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088e [DIRSD OWNER WARNING] Directory [ml:520{260},l:144{72}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0" is not owned
but specifies SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088f [DIRSD OWNER WARNING] Directory [ml:520{260},l:94{47}]"\??\C:\Program Files (x86)\Reference Assemblies" is not owned but specifies SDDL in component
Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:30, Info CSI 00000890 Ignoring duplicate ownership for directory [l:72{36}]"\??\C:\Windows\microsoft.net\authman" in component Microsoft.Interop.Security.AzRoles, Version
= 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:31, Info CSI 00000891 [SR] Verify complete
2014-07-28 11:04:31, Info CSI 00000892 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:31, Info CSI 00000893 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:36, Info CSI 00000894 [SR] Verify complete
2014-07-28 11:04:36, Info CSI 00000895 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:36, Info CSI 00000896 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:40, Info CSI 00000897 [DIRSD OWNER WARNING] Directory [ml:520{260},l:120{60}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList" is not owned but specifies
SDDL in component NetFx-ASSEMBLYLIST_XML, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:42, Info CSI 00000898 [SR] Verify complete
2014-07-28 11:04:42, Info CSI 00000899 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:42, Info CSI 0000089a [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:46, Info CSI 0000089b [SR] Verify complete
2014-07-28 11:04:46, Info CSI 0000089c [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:46, Info CSI 0000089d [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:52, Info CSI 0000089e [SR] Verify complete
2014-07-28 11:04:52, Info CSI 0000089f [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:52, Info CSI 000008a0 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:58, Info CSI 000008a1 [SR] Verify complete
2014-07-28 11:04:58, Info CSI 000008a2 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:58, Info CSI 000008a3 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:02, Info CSI 000008a4 [SR] Verify complete
2014-07-28 11:05:02, Info CSI 000008a5 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:05:02, Info CSI 000008a6 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:08, Info CSI 000008a7 [SR] Verify complete
2014-07-28 11:05:08, Info CSI 000008a8 [SR] Verifying 52 (0x0000000000000034) components
2014-07-28 11:05:08, Info CSI 000008a9 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008aa [DIRSD OWNER WARNING] Directory [ml:520{260},l:56{28}]"\??\C:\Windows\system\Speech" is not owned but specifies SDDL in component Windows-Media-SpeechSynthesis-WinRT,
pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ab Ignoring duplicate ownership for directory [l:56{28}]"\??\C:\Windows\system\Speech" in component Windows-Media-SpeechSynthesis-WinRT, Version =
6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ac [SR] Verify complete
2014-07-28 11:05:09, Info CSI 000008ad [SR] Repairing 1 components
2014-07-28 11:05:09, Info CSI 000008ae [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008af Hashes for file member \??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess\Web.config do not match actual file [l:20{10}]"Web.config"
Found: {l:32 b:jiP+IRWGZxsG0nX6il5MCZofFThiSfytb8Ih27r5EPk=} Expected: {l:32 b:KR7DbPqdCKMwdiZI2XDSr42o4ujtpZlzfX9ud+ODKRM=}
2014-07-28 11:05:09, Info CSI 000008b0 [SR] Repairing corrupted file [ml:520{260},l:120{60}]"\??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess"\[l:20{10}]"Web.config" from
store
2014-07-28 11:05:09, Info CSI 000008b1 [SR] Repair complete
2014-07-28 11:05:09, Info CSI 000008b2 [SR] Committing transaction
2014-07-28 11:05:09, Info CSI 000008b3 Creating NT transaction (seq 2), objectname [6]"(null)"
2014-07-28 11:05:09, Info CSI 000008b4 Created NT transaction (seq 2) result 0x00000000, handle @0xba4
2014-07-28 11:05:11, Info CSI 000008b5@2014/7/28:09:05:11.308 Beginning NT transaction commit...
2014-07-28 11:05:11, Info CSI 000008b6@2014/7/28:09:05:11.470 CSI perf trace:
CSIPERF:TXCOMMIT;163479
2014-07-28 11:05:11, Info CSI 000008b7 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
2014-07-28 11:07:13, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-28 11:07:13, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-28 11:07:13, Info CBS Ending the TiWorker main loop.
2014-07-28 11:07:13, Info CBS Starting TiWorker finalization.
2014-07-28 11:07:13, Info CBS Ending the TrustedInstaller main loop.
2014-07-28 11:07:13, Info CBS Starting TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TiWorker finalization.
Regards. Christer

Could not establish TLS connection on port 7001 - "unable to get local issuer certificate"

tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.0.7.168" Src-port="29127" Dst-ip="<Public IP>" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="ewe.<domainname>.com" Level="1" UTCTime="2014-11-12 12:48:20,071" 2014-11-12T15:48:05+03:00
Getting above error on Expressway-C server while establishing TLS connection with Expressway-E in DMZ. I have enabled static NAT on Expressway-E and give the Public IP on peer address of Expressway-C. At that time, i was getting DNS resolution error on Expressway-C so we added a host record on local DNS for Public IP. Later, I created CSR from both Expressway C & E server and ask local microsoft team to issue Local CA certificates. After uploading, i was getting above error (Failed to establish TLS). Also i have uploaded company (wilcard) Public certificates (issued from Geotrust) and we are getting the samer error and Expressway server could not establish TLS connection on port 7001. Firewall connections are done and i double checked it.
Expressway ver 8.2

Yes, Exp-C > Peer Address (FQDN of Exp-E)
Certificate of Exp-E -> When generating CSR from Exp-E, automatically FQDN (Exp-E(hostname).domainname.com) will be shown. Then this CSR will be send to local CA or Public CA to generate a certificate. OR you meant to say in Exp-E CSR we need to add FQDN of Exp-C server also in alternative name and vice versa too.
Yes, root certificates & intermediate certificates are uploaded to trusted CA.

How to Read file from Application in DMZ Server (page on DMZ)

Hi All,
i am trying open a file from application server from OAF page on DMZ server .
i am getting the error 'either not supported file type or file is damaged '.
i am taking the path of production server to read the file from DMZ server .
Please let me know what is the issue .
Thanks
Raju

Please post the details of the application release, database version and OS.
i am trying open a file from application server from OAF page on DMZ server .Is the issue with all OAF pages or with specific ones only?
i am getting the error 'either not supported file type or file is damaged '.Please check Apache log files for details about the error (error_log* and access_log*).
i am taking the path of production server to read the file from DMZ server .What type of DMZ configuration you have?
Thanks,
Hussein

There is a problem with the security certificate of the proxy server. Error code 18 and 38.

Hi All,
After several hours and a short night of sleep I'm out of ideas and hopefully someone here can help me trying to solve this one. First of all the situation:
Exchange 2013 on a remote location with a CA-certificate.
Outlook 2010 and 2013 on different locations, locally installed and on RDS.
When I open Outlook on my laptop all is fine, no errors, good sync, no problem. But when I open Outlook on our Remote Desktop Servers with Outlook 2013 I'm getting errors like "There is a problem with the security certificate of the proxy server. The
name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (Error code 18)". Opening Outlook 2010 the message is the same, but the error code now is 38.
After this Outlook opens and is working, there's one more error though. After a while an security warning pops up with the message: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the
site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate is valid. * The name on the security
certificate is invalid or does not match the name of the site."
Strangest thing is, it is the certificate of my RDS! It isn't my valid en officially bought certificate from my mailserver. What's going on? I'm out of options, what I've tried so far (in random order):
- restarting mailserver and AD;
- restarting switches;
- restarting routers;
- restarting RDS, AD and all other servers;
- bypassed proxyserver for RDS;
- created a new profile;
- checked recently installed updates;
- checked certificate on mailserver;
- checked RDS on a different location, working fine.
Nothing helped, what can I do next? Please advice.
Regards.

Found a thread that solves half my problem (https://social.technet.microsoft.com/Forums/office/en-US/70d18244-889a-4d95-ac3f-e234672a82b2/there-is-a-problem-with-the-proxy-servers-security-certificate-error-when-starting-outlook?forum=exchangesvrclients).
The first message can be suppressed by adding this to the Exchange config:
set-outlookprovider -Identity EXCH -CertprincipalName msstd:webmail.domain.tld
set-outlookprovider -Identity EXPR -CertprincipalName msstd:webmail.domain.tld
Giving the command get-outlookprovider, gives me empty information regarding the certprinipalname. Filled
this and after recreating the profile or deleting the ost-file I still have the second alert with the local certificate of my RDS.
Not completely where I want to be, any help regarding the second alert is greatly appreciated!

Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

Hello,
I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
* Note. No back ups to work with aside from whats mentioned below.
DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up.
The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
"No Exchange servers are available in any Active Directory sites. You can’t connect to remote
Powershell on a computer that only has the Management Tools role installed."
Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc per instructions only to discover I couldnt relaunch it because there was
no way how. So I copied another msc file that happened to be on the DC Server 1 back to Exchange Server 2 and got it to launch again.
Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
it is using the Certificate Authority Service.
I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
"The Trust Relationship between this workstation and primary domain failed."
I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started.
I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
Marty

I recommend that you open a ticket with Microsoft Support before you break things more.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

.p12 Certificate import in weblogic server 10.3.6.0

Hi,
I am facing a issue regarding certificate import in weblogic server 10.3.6.0. In my project I built a java webservice where a https url is invoked with xml input(correct format).Https url is restricted. I can not open this url from my browser. I got '403 : Forbidden' error in browser as well as webservice log in server. I asked my client. They gave me one .jks and one .p12 certificated file and password. When I installed this .p12 (giving password) in my local windows computer, I am able to open that https in my browser.I have imported this .p12 certificate in 'cacerts' as well as 'DemoTrust.jks' in weblogic server and restarted the server. But i am getting the same error(403 : Forbidden) in weblogic server.
Where should I import this .p12 in weblogic server? I mean in which key store.
FYI,
This code is running fine in 10g production server.I haven't developed this code. I have migrated this code to 11.1.1.7.0.
I am using this .jks() in the java code.
        System.setProperty("javax.net.ssl.keyStore", keyStore.jks);
        System.setProperty("javax.net.ssl.keyStorePassword", "<password>");
Weblogic server is running in unix environment.
Read many posts... But did not any find right solution. Can anybody please help me solve this.

If i remember correctly, .p12 will have both the public and private key.
You need to convert it to a jks and configure the server to use this jks
Converting certificate formats | Middleware wonders!!
Weblogic SSL configuration
Thanks,
Faisal

Certificate problem in Proxy Server (ODSEE 11g)

I am having a problem adding a CA Certificate to the Proxy Server. I followed the steps in the documentation, however I get the error: "keytool error: java.lang.Exception: Public keys in reply and keystore don't match".
From what I have read, this error means that the alias name I am using when I add the new certificate is already being used. As per the documentation...
When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.
... and this does happen. However when I bring in the new cert to replace... I get the mentioned error.
If I use a different alias, it doesn't give me an error. However, I can't see it when I use the "dpadm list-certs" command (although it is there when I use the keytool command). More importantly, the "defaultservercert" is still the certificate being used when accessing the server.
So the big question is... How do I get the Proxy Server to use the new CA Certificate?
I've tried using the keytool command in many different ways, and it fails each time. Lesson learned: don't mess with the keystore via keytool. Any changes made are not recognized by the Proxy Server.
I don't have access to this Proxy Server via DSCC because I do not have the password for the account running the services (a restriction made by the client), so it all to be done via CLI.
The operating system is Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC.
Here are some outputs:
$ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
Alias Valid from Expires on Self-signed? Issued by Issued to
defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
1 certificate found.
$ ./dsee7/bin/dpadm request-cert name devB2ADIRPROXY01.domain.com org 'COMPANY INC' org-unit IT city 'Eden Prairie' state Minnesota country US --keysize 2048 -o ./dsee7/ca-cert.csr ./instances/PROXY01 ca-cert
$ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
Alias Valid from Expires on Self-signed? Issued by Issued to
defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
ca-cert 2012/06/18 09:25 2014/06/18 09:25 y C=US, ST=Minnesota, L=Eden Prairie, O=COMPANY INC, OU=IT, CN=devB2ADIRPROXY01.domain.com Same as issuer
2 certificates found.
$ ./dsee7/bin/dpadm add-cert ./dsee7/instances/PROXY01 ca-cert ./dsee7/wpsun882.pem
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Thanks in advance!

I can elaborate it further
class GUI extends JFrame implements Runnable
public void updateGUI()
//update the GUI
class MailListener extends Thread
GUI refernce; // Reference to the GUI class
public MailListener(GUI g)
reference = g;
public void run
while(true)
//wait for a message and call the updateGUI() method of
GUI class when u get a message
}

Does a 2012 DC generate exchange certificates on Exchange 2007 server?

The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command,
I get a warning stating the following:
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not
self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
NotAfter : 12/31/2014 4:36:02 PM
NotBefore : 12/31/2013 4:36:02 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
Services : None
Status : Valid
Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
So my question is two-fold, why is this certificate here (was it generated by our 2012 DC) and will it effect anything when it expires? If so, how do I renew it?

OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
Basically, I ignored the "This certificate will not be used for external TLS connections warning" and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have
stopped. So that should be that then right?
So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
Thumbprint
Services Subject
2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...WS CN=WMSvc-MAILSERVERNAME
B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX IP..S CN=MAILSERVERNAME
4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ..... CN=MAILSERVERNAME.DOMAIN.NAME

Setup SSL on ABAP : the issuer certificate is unknown

Hello,
I've been asked to set up the SSL on SAP 6.20 web applications servers (4.7).
I've carefully followed the instructions given in sap note 510007 : sapcryptolib installed, parametres configured, SSL server PSE configured, etc ..
Now, we have to create a certificate request and send it to our CA.
But, before to do that I wanted to test SSL server.
I found in the sapmarketplace that you can request a SSL Test Server Certificates, apparently it works exactly like the "real" SSL Server Certificates exept that it is temporary ( 8 weeks).
Therefore, I've generated the certificate request, sent it to sap trust certificate center, and imported the certificate response into the PSE, exactly as described in sap documentation.
Then I've established the trust relashionship necessary when using the SSL server PSE, I mean that I've imported the CA root certificate that the server should trust : TC TrustCenter Class 2 CA
Then I have inserted it into the server PSE's certificate list. In the end, I've restarted the ICM.
I wanted to test the SSL feature by sending https requests to the WAS but I got the following error (firefox):
******************************:1443 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
Unknown identity, certificate is not trusted because it hasn't been verified by a recognized authority
As you can imagine, I checked the certificate authorities in the browser, and TC TrustCenter Class 2 CA exists ... so I really do not underdtand where does the error come from ? Maybe from the TEST server certificate ?
I encounter the same behaviour with IE7.
Thank you in advance for your help.
Best regards.
Raoul.
Edited by: Raoul Shiro on Mar 30, 2009 8:58 PM

Hi Raoul,
the SSL Test Server Certificates are issued from the SAP Server CA. You need to install the root certificate of the SAP Server CA in your browser. You can download this root certificate from [http://service.sap.com/tcs] -> Download Area -> Root Certificates.
Best regards,
Klaus

SSL Strust : Issuer certificate missing in database

Hi,
I am apply ssl in Abap stack STRUST. When i apply the certificate respond from the CA , it showing error
Issuer certificate missing in database:CN=DigiCert High Assurance CA-3, OU=www.digicert.c
Any idea??
Thanks

In Strust, goto Certificate->Database, create a new "ROOT CA" entry ex;Z_NETCA.
Select any PSE(System PSE) ->Certificate->Import and Import the "Issuer Certificate".
Certificate->Export->Database>Select Z_NETCA, CA, Some description ->OK
Now you will be able to import your certificate response without any issues.
To Get the "Issuer Certificate" open your certificate response(certificate) , goto Certification Path TAB and select the next level higher to your Server CA and ->View Certificate->Goto Details tab and Copy to File->Export in base64 or DER format.

Issuing certificates for user and clients from different forest/domain

Hello,
at first I would like to say that I have made some researches on this forum and in the Internet overall.
I have AD Forest with ~10 sites all over the Europe, DFL and FFL is 2008 R2, right now we are migrating site by site from old domain (samba) to AD.
Last time I have deployed PKI based on offline root CA and 2 Enterprise acting as 2-node Failover Cluster.
Everything in my AD Forest is OK, I mean, autoenrollment works perfect for users and computers from my forest,
now I need to deploy a certificate (for test) to one web-based pbx server in samba domain, there are no trusts etc. Samba domain as well as AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity,
What are possible way to achieve this goal? I mean to issue cert to client from different forest, so that this client is able to validate it, validate certificate chain and renew it when needed?
I have Installed and Configured CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of different domain), I selected username/password authentication, I am able to request certificate, I can
see all templates which I should see, but when I try to enroll I got an error:
(translated from my language)A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
My root CA cert is added to trusted publishers for computer and user node as well.
What could be wrong? If you have any ideas or questions, please share or ask.
Thank you in advance.

Everything is clear, I have Certificate Enrollment Web Services installed and configured,
problem is what i get from certutil - TCAInfo
================================================================
CA Name: COMPANY-HATADCS002-ISSUING-CA
Machine Name: COMPANYClustGenSvc
DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
NotAfter: 2019-02-14 12:44
Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
Enterprise Subordinate CA
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 12:34
NotAfter: 2019-02-14 12:44
Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
Serial: 618f3506000000000002
Template: SubCA
9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 02:
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
ThisUpdate: 2014-02-14 12:16
NextUpdate: 2024-02-15 00:36
d7bafb666702565cae940a389eaffef9c919f07a
Issuance[0] = 1.2.3.4.1455.67.89.5
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 11:55
NotAfter: 2024-02-14 12:05
Subject: CN=HATADCS001-COMPANY-ROOT-CA
Serial: 18517ac8a4695aa74ec0c61b475426a8
b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Issuance[0] = 1.2.3.4.1455.67.89.5
Exclude leaf cert:
5b309c67a8b47c50966088a4d701c8526072c9ac
Full chain:
413b91896ba541d252fc9801437dcfbb21d37d91
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 12:34
NotAfter: 2019-02-14 12:44
Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
Serial: 618f3506000000000002
Template: SubCA
9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Supported Certificate Templates:
Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
Validated Cert Types: 7
================================================================
COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
Enterprise Subordinate CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Online
CertUtil: -TCAInfo command completed successfully.
please put some light on it because it's driving me crazy :/
Thanks in advance
one remark: certutil -tcainfo performed on CA directly is 100% OK, no errors regarding
"A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

Certificate Authority - How to issue Certificates without extensions?

We are operating a Windows 2012 Server PKI with an Enterprise Subordinate Certificate Authority that is issuing Certificates through an AD Certificate Template, however there are certain certificate extensions that need
to be excluded.
We are following the procedure defined in ;
http: //blogs.technet.com/b/pki/archive/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued.aspx
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc
This does not have any effect as issued certificates continue to have the extensions in them after the change.

Can you confirm that this command contains EDITF_DISABLEEXTENSIONLIST flag enabled:
certutil -getreg policy\editflags
if not, then you should enable it:
certutil -setreg policy\editflags +EDITF_DISABLEEXTENSIONLIST
and restart CA service.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

How can i access dmz server via public ip from inside?

hi all !
As shown in Figure，how can i access the server in dmz zone via public？
i can access it via private ip 192.168.1.1 now,but i can't access it via 101.100.1.2.
who can help me ?
thank you !

Hi,
You would have to configure Static NAT from DMZ to INSIDE for the server in the same way you have done for DMZ to OUTSIDE.
Basically in the following way for example
object network DMZ-WEB
host 192.168.1.1
nat (dmz,inside) static 101.100.1.2
This would enable your users on the "inside" to access the "dmz" server with the public IP address. And naturally only with the public IP address after this NAT.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni

Issuer certificate invalid - firefox 36.0.4 - internal website

I have a few internal web servers that are used to manage networking equipment. These web sites get this error.
"Secure Connection Failed
An error occurred during a connection to XXX. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)"
I have added exceptions. did not change the symptom.
If I revert to an older version of FF I have no problems.
Obviously I would like to continue using FF but more and more of the things i do on my internal network are no longer working wth FF. It seems every update breaks something else i used to be able to do.
Getting VERY old and Ive about had it. Please fix this.

''guigs2 [[#answer-711204|said]]''
<blockquote>
Hi tgood69,
It is quite possible that the network machines are running into this issue because of the new CA guidelines mentioned below:
*[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/]
</blockquote>
yay.. a policy... intended to break things...
Pretty much done with FF then. I have a JOB to do and when one of my tools makes my job MUCH more difficult. Then that tool needs to be thrown away.

Issuing Certificates to a DMZ server

Similar Messages

Maybe you are looking for