J2EE Certificate Renewal in PI 7.0

Hi
We are executing a project to renew the certificates installed in our XI server. The certificate which is currently installed in our XI server is signed by Verisign. All partners communicating to the XI server use the certificate to digitally sign the message. In XI server we have configured communication channels to receive and process the signed message and also to deliver digitally signed messages to partners. The validity of the current certificate installed in our system is going to end by the end of Feb. We are looking at renewing the certificate before the expiry date so that there will not be any interruption in partner communication. In this regard, please provide your inputs on the following items:
1. Should the existing CSR be sent to the CA for validity extension, or should a new CSR be generated?
2. During certificate renewal, can the existing private/public key be retained for the renewed certificate?
3. Can we have the old certificate installed in the XI server along with the newly renewed certificate, so that the partners can be gradually migrated?
4. Is an XI server restart required after certificate installation/upgrade?
We have referred to SAP Note 694290 for Verisign certificate renewal.
Thanks
Srinivas

No cross posting
Read the "Rules of Engagement"
Regards
Juan

Similar Messages

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • Exchange 2007 Webmail certificate Renewal

    Hi,
    If anyone knows more details about how to renew the webmail certificate in Exchange 2007, the webmail certificate is going to expire soon ... EventID 12018

    You can use the PowerShell cmdlet Import-ExchangeCertificate to renew the certificate.
    To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
    For more info, visit
    https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

  • Customizing Certificate Renewal

    We are developing a system that makes use of Certificate Server. But only our system is visible from the Internet,
    CS is hidden behind the firewall.
    We've developed a solution, that makes it possible to request for certificate from our system, then forwards the request to CS, and vice versa, we fetch the page which installs the certificate and forwards it to end-user.
    But, when talking about renewal, we have a problem.
    CS interface for certificate renewal expects, that user legitimates with its expiring (or expired) certificate and then
    CS regenerates new certificate (with validity customized via console) and installs it on client browser.
    We expected similar functionality as with requesting for certificate. User fills out the request, sends it to CS, and admin after checking issues the certificate. More, the admin is responsible for renewing the certificate, not the user, as in previous scenario.
    Also, authenticating with client certificate makes it impossible to forward the request and response by us (we cannot fetch the certificate from the user browser to use it for communication with CS)...
    Maybe some of You have solution that satisfies our needs?
    Maybe CS has another interface, which we didn't explore, allowing certificate renewal without presenting user certificate.
    Or you developed your own, custom solution, that can be suitable for us...
    Thanks for help!
    Michal Szklanowski
    Java Architecte
    empolis Poland

    You have to create certificate request(CSR) from the same instance on which you are trying to install the certificate.
    You need to copy the production server's *.dbs in <ws-install-dir>/https-<instance>/config and run a pull-config --force command to pull the changes into Admin Server.
    If you use WS7.0 Admin Server for certificate renewal, AFAIK a new set of private and public key is generated.

  • Regarding Certificate Renewal

    Hi all,
    i am using sun java communication suite 5 + portal server 7.1.
    My Webmail and Application Server is using the same certificate which will expire soon. If I can get any information about the certificate renewal.
    regards
    Adeel

    Hi,
    Try it with the new license page:
    http://service.sap.com/sap/bc/bsp/spn/minisap/minisap.htm
    For the old-style license key (license string) choose NSP - SAP NetWeaver 04.
    For the new license key (license file) choose NSP - SAP NetWeaver 2004s.
    Hope this helps.
    Kind regards,
    Klaus

  • EAP-TLS - 802.1x - Certificate renewal

    Hello
    I want to implement EAP-TLS as realised in the document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything works fine.
    Though our customer wants to FW the Data WLAN/VLAN and allow only data traffic between the WLAN client and the terminal server within his secure LAN.
    By blocking all other traffic (except Terminal Server sessions) we experienced that the MS WinXP client cannot renew its EAP-TLS certificate (in this case both user and machine) when its time expires.
    Could somebody give me a hint if there are other Cisco solutions for this issue?
    I have also read something about Cisco Virtual Office. Does this deployment cope up to solve this issue?

    The purpose of the Cisco ACS agent is that the ACS 4.x appliance (non-Windows 2003 server) is capable of doing Windows user authentication. I guess that won't help your issue.
    What I don't get is the following:
    Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
    The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).

  • Certificate Services: CA-Xchg certificate renewal ignoring configuration settings

    Hi
    I'm seeing a problem with CA-Xchg renewal and I'm hoping someone can help. This is on w2k3 r2 SP2 CA machine that's attached to an HSM.
    The first time the CA issues itself the CA-Xchg certificate, it used all the correct settings (key length=2048, EncryptionCSP=<HSM vendor>, etc). The CA-Xchg certificate & keys are in the HSM so everything is fine.
    However, all other CA-xchg certificates since the very first one, now completely ignore the configured registry settings on the CA. These renewed CA-Xchg certificates keep the public/private keys locally on the OS and use a smaller key length (1024).
    This behavior was not seen in previous testing.
    The CRLFlag CRLF_USE_XCHG_CERT_TEMPLATE is not configured. As a precaution the CA exchange template has the same key length and CSP settings as the CA's registry (even though these settings are ignored if using the CA exchange template).
    The strangest thing is that the CA is still happily using/accessing its CA keys in the HSM when signing certificates, publishing CRLs, etc., so it's not an "access to the HSM" problem. That and the very first CA-Xchg certificate used the HSM fine.
    The CA is being used to issue certs for CLM so the CLM policy and exit modules are installed. I don't think this is doing anything as the policy module is configured to pass all non-CLM cert requests to the Windows default policy module.
    Is there some sort of "hard wired" default setting that this CA is reverting back to (for whatever reason) instead of what is configured in the registry?
    Setting the KRAFlag KRAF_DISABLEUSEDEFAULTPROVIDER isn't an option as that flag was added with 2008. It's not available in 2003.
    Any help, ideas, etc., is much appreciated.
    cheers
    Todd

    Hi,
    Thank you for your question.
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.
    Regards, Yan Li

  • Code-signing Certificate Renew issue

    We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
    Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
    It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
    If there is an arcane trick we are missing I would be most appreciative to know what it is. This should not be this difficult.
    Thanks
    Kevin

    Hi Kevin,
    I've asked around and learned that the process as you describe is "as designed". However, there are strategies for minimizing the downsides.
    For more information, please see the following documents:
    AIR 2.6 Extended Migration Signature Grace Periods
    Update Strategies for Changing Certificates
    Update Your Applications Regularly
    Code Signing in Adobe AIR
    Hope this helps,
    Chris

  • Portal certificate renew

    Hi All,
    Need your help urgently. I need to know how to renew the system PSE certificate. Can we generate a new certificate in the portal itself?

    Hi,
    First of all: what certificate are you talking about? From the replies you got you could see that we went in different directions. Are you talking about the SSL certificate (used for a secure connection to the portal) or the verify.der (used for SSO to backend systems)?
    You won't get a warning message for either. In the SSL case you will simply get a security pop-up when accessing the portal saying that the certificate is no longer valid.
    In the SSO case SSO will simply stop working.
    I hope with the replies mentioned above you are able to create new certificates. If not, please come back and explain your situation in more detail.
    Regards,
    Holger.

  • Automatic Smart Card Certificate Renewal

    We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
    There are two errors in the event log -
    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
    Thanks in advance.

    This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.

  • Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

    Hello
    We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
    The clients are non-managed and from all variety (OS, wifi-software, ...).
    The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
    What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
    Thanks
    Patrick

    Hello Patrick,
    As per your query i can suggest you the following steps-
    Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
    The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
    For more information you can refer to the link-
    http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
    Hope this will help you.

  • Subordinate Certificate renewal

    Hi All,
    The scenario here is: we have a policy of issuing the server certificates with a validity of 4 years (due to some internal restrictions). Currently the Subordinate CA certs are expiring soon, by Sep 2017, i.e. in less than 3 years.
    The challenge here is: if we renew the existing Subordinate CA certs, then we need to reissue all certificates issued so far, which we don't want to do and is not an option right now. Or are there any alternatives? Just renewing the existing certs by retaining the existing private keys, will it work?
    Another option: having a 3rd Subordinate cert with a min validity of 4 years and using it till the other 2 certs' expiry date?
    Please Suggest
    Thanks in advance
    Prasad

    You don't have to re-issue existing certificates if you renew a CA - certificates issued before renewal are still valid as long as the CA certificate is available on AIA URLs and the CA keeps publishing CRLs signed by the old key ... which is the default.
    This would only fail if you had made weird changes to AIA and CDP URLs in the CA's configuration.
    Generally, the validity period of the CA should be chosen in such a way that you renew it X years before expiry, with X being the maximum validity period of any end-entity certificate. So if you want to issue server certificates with a lifetime of 4 years, your CA's lifetime could e.g. be
    8 years, to be renewed every 4 years
    or 6 years, to be renewed every 2 years
    Elke

  • Computer Certificate Renewal - Failing

    Greetings,
    System setup:  Server 2008 R2 with "Network Policy and Access Services" role configured to hand out wireless machine certificates to Windows 7 workstations.
    This has been set up for a year and has been working well. We have a group policy which allows for auto-enrollment, and all our workstations which are in the correct OU receive a certificate when they connect to the network.
    The machine certs are good for a year.
    We are now approaching the end of the first year since we implemented this system and we are starting to see some of our workstations failing to connect to the wireless network. When we look at the certificates on the workstation we see 2 certificates now (as opposed to the one that was there previously). One of these is expired and one is current with an expiration date a year from now. When we manually delete the expired certificate, we are able to connect to the wireless.
    Apparently when the certificate is renewed, a new certificate is dropped down, but the old certificate is not removed. When the machine tries to connect the old cert is found and the connection fails.
    What I think should be happening is that the certs should be renewed not replaced, but I can't see any way to enforce this.
    I know that when I manually renew the certificate on the workstation I have 4 choices:
    Request Certificate with new key.
    Request NEW Certificate with the same key
    Renew certificate with new key
    Renew this certificate with the same key
    What appears to be happening is that the workstations are doing a request, not a renew.
    I have been through my Radius config and the GPO and can't find anything that should affect this.  I know that the GPO is being applied to the machines, and I'm about 99% sure that the GPO is correct.
    Any ideas where I should be looking?
    Thanks,
    John Morgan

    Hi,
    Check your configuration, confirm that the following option is checked.
    Renew expired certificates, update pending certificates, and remove revoked certificates
    Configure Certificate Autoenrollment
    http://technet.microsoft.com/en-us/library/cc731522.aspx
    You can also manually revoke the expired certificate in CA.
    Hope this helps.

  • 802.1x Certificate Renewal

    Hi,
    I have a customer planning to deploy 802.1x in their wired network.
    1. They are using certificate, username and password to authenticate.
    2. Unauthorized users will be assigned to the Guest VLAN with limited access to the network.
    3. The problem is, when the certificate is expired, the user won't be able to authenticate to the network.
    4. How to allow the user to renew the certificate when they don't have access to their network? Is there any workaround?
    Thanks

    Users who fail 802.1X are not assigned to the Guest VLAN. They are denied access or, if the auth-fail VLAN is configured on the switch, they will go to the auth-fail VLAN. You can configure the auth-fail VLAN with enough access to get to the CA to renew the cert.
    Shelly

  • Urgent - Updates no longer working after certificate renewal (production app)

    Hi,
    Updates pushed for our production AIR application are failing after a renewal of our expired code signing certificate, and performing the certificate migration procedure as outlined here:
    http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS13ACB483-1711-43c0-9049-0A7251630A7D.html
    The error message appears as: "This application cannot be installed because this installer has been mis-configured. "
    The AIR app installer log indicates the source of the problem:
    "The certificate of the installed app fails to match either the signature or migration signature of the AIR file"
    However, the migration procedure has been executed exactly as described, using the correct certificates. The Adobe AIR 2.0.2 runtime (and adt) has been used.
    We need to push an important update asap, and advising our end users to reinstall is not feasible.
    I am willing to provide anything necessary to resolve this as quickly as possible. Please advise.

    Happy to report that we found the source of the issue ourselves:
    There is apparently a problem with ADT (at least in the AIR 2.0 SDK) where it will appear to perform a certificate migration successfully, but in actual fact will silently fail and not update the .AIR file at all. This happens when the output filename is equal to the input filename, so this problem arises if you follow the example in the documentation:
    http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS13ACB483-1711-43c0-9049-0A7251630A7D.html
    A simple workaround is to choose a different output filename. In any case, be wary that ADT does not provide feedback whether a migration actually was performed. Check the file timestamp and size to be sure.
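
The check recommended in the answer above, as an added shell example that is not part of the original post or of the AIR SDK: fingerprint the package (size plus SHA-256) before the migration step, then confirm the output file really differs. The function names and file names are hypothetical, and the adt invocation itself is left out.

```shell
#!/bin/sh
# Added example: detect a signing/migration step that silently left the
# package untouched. Run fingerprint before the step, check_migration after.

# fingerprint FILE -> prints "<size-in-bytes> <sha256>"; returns 2 if missing
fingerprint() {
    [ -f "$1" ] || return 2
    fp_size=$(wc -c < "$1" | tr -d ' ')
    if command -v sha256sum >/dev/null 2>&1; then
        fp_sum=$(sha256sum < "$1" | cut -d' ' -f1)
    else
        fp_sum=$(shasum -a 256 < "$1" | cut -d' ' -f1)
    fi
    printf '%s %s\n' "$fp_size" "$fp_sum"
}

# check_migration BEFORE_FINGERPRINT SRC DST
# returns 0 = DST differs from the pre-migration package
#         1 = DST is byte-identical (the step did nothing)
#         2 = DST does not exist
#         3 = SRC and DST are the same path (the case that fails silently)
check_migration() {
    cm_before=$1
    cm_src=$2
    cm_dst=$3
    if [ "$cm_src" = "$cm_dst" ]; then
        echo "refusing: output path equals input path ($cm_src)" >&2
        return 3
    fi
    cm_after=$(fingerprint "$cm_dst") || {
        echo "missing: $cm_dst was not written" >&2
        return 2
    }
    if [ "$cm_after" = "$cm_before" ]; then
        echo "UNCHANGED: $cm_dst is identical to the pre-migration file" >&2
        return 1
    fi
    echo "changed: [$cm_before] -> [$cm_after]"
    return 0
}

# Typical use (hypothetical file names):
#   before=$(fingerprint app.air)
#   ... run the migration step, writing app-migrated.air ...
#   check_migration "$before" app.air app-migrated.air || exit 1
```

A non-zero return in a build script stops the release before an unmigrated package is pushed to the update channel.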
