Multiple certificates on Issuing CA server
Hi,
Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked from the Root, I see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are getting published every time, one for each. Although when I see the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIview, I see the CDP path for this CA with the new CRL.
But my question is how shall I remove the old one from the Issuing CA, as I am not getting that option. Also, in AD I see 2 certificates published for that CA. Will that cause any issue?
Thanks
Neha Garg
This is actually a normal state in PKI. When you renew a sub CA with a new key pair, it will result in multiple CRL files.
- there is no need to remove the previous subca cert
- there is no need to revoke the previous subca cert (unless there are config or security issues)
- make sure the AIA paths use %4 in the paths to keep separate versions
- make sure that the CDP paths use %9 in the paths to keep separate versions
- make sure you publish *all* versions of .crts and .crls to *all* publication points
You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated.
Brian
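As an added illustration of why the version variables in the publication paths matter (example code written for this page, not from the thread or from Microsoft): the script below expands AD CS CDP/AIA URL templates for successive CA certificate versions, using the documented variable numbers (%4 CertificateName, %8 CRLNameSuffix, %9 DeltaCRLAllowed), and flags a template whose published file would be overwritten after a renewal with a new key. Host, CA and DN values are constructed samples.

```python
"""Expand AD CS CDP/AIA publication-URL templates for successive CA
certificate versions and flag templates whose files would collide after a
CA renewal.  (Added example; not from the thread.)

Variable numbers follow the AD CS variable table: %1 ServerDNSName,
%2 ServerShortName, %3 CaName, %4 CertificateName, %6 ConfigurationContainer,
%7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10 CDPObjectClass,
%11 CAObjectClass.  Host, CA and DN values below are constructed samples.
"""
import re
from dataclasses import dataclass

# %1..%9, %10 and %11; the two-digit forms are tried first, as AD CS does.
VAR_RE = re.compile(r"%(1[01]|[1-9])")


@dataclass(frozen=True)
class CaCertVersion:
    server_dns_name: str
    ca_name: str
    config_container: str
    cert_index: int      # 0 = original CA cert, 1 = first renewal, ...
    key_cert_index: int  # index of the CA cert that first used the current key

    def variables(self, delta: bool = False) -> dict:
        # CertificateName and CRLNameSuffix are empty for the original cert
        # and "(n)" afterwards.  The CRL suffix only advances when a renewal
        # used a new key pair, because a CRL is signed by, and tied to, one key.
        cert_suffix = f"({self.cert_index})" if self.cert_index else ""
        crl_suffix = f"({self.key_cert_index})" if self.key_cert_index else ""
        return {
            "1": self.server_dns_name,
            "2": self.server_dns_name.split(".")[0],
            "3": self.ca_name,
            "4": cert_suffix,
            "6": self.config_container,
            "7": self.ca_name[:64],  # truncated CA name (sanitizing not modelled)
            "8": crl_suffix,
            "9": "+" if delta else "",
            "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
            "11": "?cACertificate?base?objectClass=certificationAuthority",
        }


def strip_flags(entry: str) -> tuple[int, str]:
    """Split a 'NN:template' registry entry into its flag bits and template."""
    flags, sep, template = entry.partition(":")
    if sep and flags.isdigit():
        return int(flags), template
    return 0, entry


def expand(template: str, version: CaCertVersion, delta: bool = False) -> str:
    """Substitute the %n variables for one CA certificate version."""
    variables = version.variables(delta)
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


def collision_risk(entry: str, kind: str) -> bool:
    """True when a CDP ('crl') or AIA ('crt') template that the CA publishes
    to would make a renewed CA overwrite the previous version's file.

    LDAP AIA entries are exempt: AD keeps every CA cert as a separate value
    of the multi-valued cACertificate attribute, so no %4 is needed there
    (which is why two certs under one CA object in AD is expected).
    """
    flags, template = strip_flags(entry)
    if not flags & 1:          # bit 1 = "publish to this location"
        return False
    if template.lower().startswith("ldap:") and kind == "crt":
        return False
    needed = "%8" if kind == "crl" else "%4"
    return needed not in template


def published_names(entries: list, versions: list, kind: str) -> list:
    """All names a set of templates produces across CA versions; CRL
    templates with the delta flag (bit 64) also yield the delta CRL name."""
    names = []
    for entry in entries:
        flags, template = strip_flags(entry)
        if not flags & 1:
            continue
        for v in versions:
            names.append(expand(template, v))
            if kind == "crl" and flags & 64:
                names.append(expand(template, v, delta=True))
    return names


if __name__ == "__main__":
    base = ("ca01.corp.example", "Example Issuing CA", "DC=corp,DC=example")
    versions = [CaCertVersion(*base, cert_index=0, key_cert_index=0),
                CaCertVersion(*base, cert_index=1, key_cert_index=1)]  # new key
    cdp = ["65:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl",
           "6:http://pki.corp.example/CertEnroll/%3%8%9.crl"]
    for name in published_names(cdp, versions, "crl"):
        print(name)
    print("collision risk:", collision_risk("1:C:\\CertEnroll\\%3.crl", "crl"))
```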
Similar Messages
-
Anyconnect XML Profile Certificate Matching - Multiple Certs different Issuer
Hi Guys
I am trying to set up an xml profile for cisco anyconnect that will look at multiple certificates that could be issued from 2 different CAs.
Currently having trouble setting this up, and it does not look like it is possible.
Is there a way around this?
Regards
Mohamed
The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching criteria are global criteria that can be set in an AnyConnect profile. The criteria are:
- Key Usage
- Extended Key Usage
- Distinguished Name
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158 -
Issuing Certificates to a DMZ server
I'm in the process of setting up a PKI infrastructure for an SCCM 2012 environment. In order to manage travelling laptops over the internet, we installed a new Windows 2012 R2 server in the DMZ. To communicate properly with the travelling
SCCM clients, we need to install 2 certificates on this DMZ server. This DMZ server is in a different forest/domain than the SCCM and CA server, with no trusts established between it and our production domain. If it makes any difference, there
is also no DNS forwarding, but I have added an entry to the hosts file on the DMZ server, and to the internal CA and SCCM servers (all Windows 2012 R2), so that they can resolve each other.
I've created the 2 certificate templates per the SCCM documentation on the internal CA server, but in the Security tab, there is no way for me to add the DMZ server for the "Read and Enroll" rights (since it's in another, untrusted forest.)
Since I can't enroll the certificates through the MMC console of the DMZ server, my next thought was that I could use the CA web enrollment method, and try to get certificates enrolled that way. However, when I type in
http://MY_CA_SERVER/certsrv, Internet Explorer spins for about 10-15 seconds, and then I get "Page cannot be displayed." I added the webpage to the Trusted Sites in IE, but that did not help. Visiting
the CA webpage from a domain-joined computer works fine; it's just not working from the DMZ server.
Does this sound like a communications/port issue? Between my internal domain and this DMZ server, I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open. Do I need anything additional for Certificate Authority communication?
If I'm not approaching this in the correct manner, I'm also open to other suggestions on how to install these 2 certificates properly.
Thanks in advance for any advice.
> I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.
Please close the RPC ports in your perimeter firewall. Instead of using the legacy web pages, I would consider setting up the new Certificate Enrollment Web Services (which first appeared in Windows Server 2008 R2):
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
If it is not possible to install the CEP/CES services, then you can use the following guide (although it requires some manual procedures):
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool. -
Multiple Certificates for the same WLS
Hi,
IHAC who asks the following:
Background
Bigshop Limited carried out a soft launch of our e-tailing website under the url fonzie.bigshop.com.au
We have a verisign certificate set up for 128 bit ssl under the known name fonzie.bigshop.com.au
All ssl connections that connect to the site with this url are able to establish an SSL session.
Current Issue
Bigshop is now in the process of carrying out the public launch of the website. The public url for the website will be www.bigshop.com.au
We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from verisign.
Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au urls to operate concurrently and enable both to establish SSL sessions with valid certificates.
Is what they want to do possible? Any suggestions appreciated,
regards,
Patrick.
Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.
In current versions of weblogic (5.1, 6.x, 7.0, 8.1), you can configure only one certificate per server.
-utpal -
Keychain Access: Adding multiple Certificates, signed by the same CA
Hello, Community.
I have recently posted my request for help in this thread:
http://discussions.apple.com/thread.jspa?messageID=10448884
Now, I am facing a new problem: I wish to add a new Certificate to the Keychain, but whenever I try, it tells me the item exists, and does not add it to the Keychain. It adds the keys perfectly fine, both public and private, but not the Certificate.
What can I do to have multiple Certificates, signed by the same CA?
I cannot add them to my Keychain, so that will be of no help. And I have tried to create every Certificate anew in the same Keychain, but this will not work, either. I created the Certificates and exported them before I went on to the next, and they are now on my desktop. This is very inconvenient, as the keychain is distributed over a network as a shared Keychain and resides in a Snow Leopard Server (Domestic version, not Snow Leopard Server). Our business is one day behind, but since it is now weekend, I hope to get this issue resolved by Monday morning, send out the e-mails we should have and update our register with sales.
Could I please have some advice?
Also, if this topic is handled in full in another thread, please post the links, so I can read up on this topic and try to find a solution.
Thank you for your time.
Kashidom Nenakh
Mantha Designs incorporated
http://www.manthadesigns.net
http://www.isi.edu/~brian/security/kerberos.html
-
SSTP VPN fails with Error 0x80092013 when certificate is issued by an Enterprise CA
I have spent several days trying to configure an SSTP VPN in an environment with a 2008R2 Enterprise CA server without much luck. I have been using the example found at http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx which
works very well as long as you configure the CA Extensions tab with an http CRL Distribution point that is included in the CRLs and CDP extension of issued certificates and is available to the client prior to VPN connection.
Basically my lab environment is as follows:
Separate 2008R2 domain controller, Single 2008R2 Enterprise CA / RRAS server with one nic. I know the instructions that I mentioned above use an RRAS server with 2 nics but I don't want my RRAS server serving as a router. I have an external hardware firewall
that port forwards port 443 to my single nic in my RRAS server and this entire configuration works fine as long as I am using a standard CA configuration. The RRAS was configured using the custom option and only VPN was chosen. Since my RRAS server is behind
a NAT router, the dns name my external client uses to connect is different than the internal name of my RRAS server.
In the example above, a Windows 2008R2 CA server is configured as a standalone non-enterprise root CA. As long as I stick with a standard CA, I have no problem and everything works.
My problem is that if I configure my Windows Server 2008R2 Enterprise server as an Enterprise Root CA, my Windows 7 client always gets an "Error 0x80092013 The revocation function was unable to check revocation because the revocation server was offline."
I'm not certain, but I think the problem is with the way that I request the certificate for my RRAS server. When I configure a standalone standard root CA and use the web enrollment page and use an Advanced Certificate Request, I get a page that I can use
to fill out the external dns name that I use to connect to SSTP, choose a Server Authentication Certificate, choose to mark keys as exportable and submit my request. Once I install this key in the Certificates (local computer) / Personal / Certificates
store, everything works and my client can connect as long as I have installed the root CA certificate on my client.
When I install my CA as an Enterprise Root CA server, everything changes. I no longer have the same options to install a custom certificate. Instead of getting the same page as I do with a standard CA, I get my choice of Certificate Templates. Prior to this,
I have duplicated the Computer template in the CA authority and configured the subject name to "supply in request" and configured my CA to issue it. I have tried issuing my RRAS SSTP certificate using the web enrollment and I have also tried using the certificates
plugins in mmc to request custom certificates and tried using an alternative subject name, filling out the DNS option with my external dns name.
When it is all said and done, I end up with an RRAS SSTP certificate that has CRL Distribution Points defined as URL=http://www.mywebsite/CertEnroll/myCA.crl and it is available to my client or anyone. I have compared the certificate issued by an Enterprise
CA vs the Standard CA and I find little difference in the two. I also know that I can reach this RRAS SSTP certificate from my client by going to https://myexternaladdress.mydomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/and
I can view the padlock in IE and view my internal RRAS certificate. The CRL Distribution point looks no different when I have a standard vs an Enterprise CA but my client always fails with the Error 0x80092013 when I have issued the RRAS SSTP certificate
with the Enterprise CA.
I have probably re-setup this lab about 20 times and am getting very familiar with getting it set up quickly and working with the standard CA but I want to use an Enterprise CA environment.
What am I missing? How can I make this work with an Enterprise CA? How can I troubleshoot this?
Thanks,
Rod
Rod Miller
Thanks for your reply. I did read the article and addressed that issue in the first part of my previous post. I don't think that the website where I am hosting my CRL has directory browsing permissions or that I have the ability to set them, but the
point of my question was everything works using that same public website when I use a standard CA to create my certificate but does NOT work when I create the certificate using an Enterprise CA.
Rod
Rod Miller -
Hi All,
After several hours and a short night of sleep I'm out of ideas and hopefully someone here can help me trying to solve this one. First of all the situation:
Exchange 2013 on a remote location with a CA-certificate.
Outlook 2010 and 2013 on different locations, locally installed and on RDS.
When I open Outlook on my laptop all is fine, no errors, good sync, no problem. But when I open Outlook on our Remote Desktop Servers with Outlook 2013 I'm getting errors like "There is a problem with the security certificate of the proxy server. The
name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (Error code 18)". Opening Outlook 2010 the message is the same, but the error code now is 38.
After this Outlook opens and is working, there's one more error though. After a while an security warning pops up with the message: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the
site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate is valid. * The name on the security
certificate is invalid or does not match the name of the site."
Strangest thing is, it is the certificate of my RDS! It isn't my valid and officially bought certificate from my mailserver. What's going on? I'm out of options; what I've tried so far (in random order):
- restarting mailserver and AD;
- restarting switches;
- restarting routers;
- restarting RDS, AD and all other servers;
- bypassed proxyserver for RDS;
- created a new profile;
- checked recently installed updates;
- checked certificate on mailserver;
- checked RDS on a different location, working fine.
Nothing helped, what can I do next? Please advice.
Regards.
Found a thread that solves half my problem (https://social.technet.microsoft.com/Forums/office/en-US/70d18244-889a-4d95-ac3f-e234672a82b2/there-is-a-problem-with-the-proxy-servers-security-certificate-error-when-starting-outlook?forum=exchangesvrclients).
The first message can be suppressed by adding this to the Exchange config:
set-outlookprovider -Identity EXCH -CertprincipalName msstd:webmail.domain.tld
set-outlookprovider -Identity EXPR -CertprincipalName msstd:webmail.domain.tld
Running the command get-outlookprovider gives me empty information regarding the CertPrincipalName. I filled this in, and after recreating the profile or deleting the ost-file I still have the second alert with the local certificate of my RDS.
Not completely where I want to be; any help regarding the second alert is greatly appreciated! -
How do I install multiple KMS keys on one server?
I currently am working at Phelps County Regional Medical Center in Rolla, MO and my question is: How do I install multiple KMS keys onto one server? This is very urgent and I have the KMS activating Windows 7 but, I also need all my Office keys, Windows
8, and Windows 8.1 to be activated via KMS. The current KMS is a Windows Server 2008 R2 server. Please help me out and thank you for your time! :)
You need to apply the following update (http://support.microsoft.com/kb/2885698) to your KMS server so you can license up to Windows 8.1. From there your key for 8.1/2012R2 will license everything downwards, and then you can also install your Office KMS key without issue. If it's Office 2013 then you need to download the files here (http://www.microsoft.com/en-us/download/details.aspx?id=35584)
Be kind and Mark as Answer if I helped. -
Multiple users logged into one server, each users printer has a different name, application needs ONE name to print to.
I'm NOT in any way a Terminal Services expert and I need help trying to get an application program working in a multi-user environment.
The issue is that the printer changes for every user that is logged in. The application needs to print NOT to the default printer, but to a "special" printer which is selected in the application... let's call it a label printer to simplify the explanation.
You have your default regular printer, easy for the application to find that one, and then you have a special printer that labels get printed onto. The application needs to know what printer is the label printer. So we allow the user to select that in the
application and the selection is stored in a config file in
C:\ProgramData\mfgr\prog\setting files
I don't have access to the application so I can't change how this works.
In the "regular" world, selecting the label printer driver to use should be per machine, NOT per user. When a new user logs into a machine, the physical printer doesn't go "poof" and a new printer suddenly appear. Same printer for all
users.
Yet in terminal services, the physical machine is "merged" with the virtual machine on the server. And there can be many users logged in at the same time. So each users real machine (and real printer) is injected into the "fake" terminal
services machine. The name of the printers is made unique for each user. So the printers DO go "poof" and change names depending on the user logged into terminal services.
So user "A" logs in and sets up the application to print to "LabelPrinterForUserA" (or whatever the name of the printer happens to be), that setting is stored in the ProgramData subfolder, and all is well. Later, user "B" logs
in, and when they print, the application tries to print to "LabelPrinterForUserA" which doesn't exist for user B or is only accessible by user A. If user B re-configures, that breaks it for user A.
SOLUTION 1: The way that /should/ work (in my mind) is that you define one "generic" printer in Terminal Services... call it "Virtual Label printer" and when the user wants to print to it, the print job gets re-directed back to whatever
physical printer is actually connected to their local workstation. There is a map of virtual printer to actual printer depending on the current user. The application is told once to print to "Virtual Label Printer" for all users.
SOLUTION 2: Or... there should be some way to make the ProgramData sub folders separate per user. E.g. when user "A" tries to access:
C:\ProgramData\mfgr\prog\setting files
they actually get
C:\UserData\UserA\AppData\mfgr\prog\setting files
and user "B" gets
C:\UserData\UserB\AppData\mfgr\prog\setting files
So the question I have is: Does either of those solutions exist hidden somewhere in the setup of terminal server? Or is there another way around this issue that I don't know?
I don't really have a "for sure" answer to this, but because people here can't seem to deal with a question that hasn't been answered I'll provide the best answer I did receive from ServerFault.com user Nathan:
I can feel your pain with using old software on terminal servers ...the solution I've come up with definitely won't scale as it requires some manual configuration, but I've gotten this method to work with our label printers (which require to be
printed to an LPT port...yep, that old).
Share your USB-connected printers to the network on each machine. Then, have the user log in on a unique session for each of them (a TS account cannot be shared among computers for this to work) and install a network printer pointing to the USB one they shared. Try to use a DNS name to account for possible DHCP movements.
After, it should work. Each user can do this since display names can be identical as long as the ports are different (which they are).
This was clarified by the following series of comments:
I think you are on to something here, and I originally advised the admin to do this. The problem he ran into is that it set up the printer names in the TS as "printer on usersworkstation" and he could not rename it except to change the "printer" to whatever. E.g. the "on userworkstation" remained. I believe there is another way of installing the printer which avoids this, but I can't find it. Ages ago, one used to do NET USE LPT2 \\computer\printer password /USER:domain\user /PERSISTENT:YES and then tell the driver to print to LPT2 – James Newton Mar 17 at 16:21
@JamesNewton That's actually the exact method we used. The way around the "network printer" part is to install it as a local printer and map it to a TCP/IP port that way. – Nathan C Mar 17 at 16:28
You mean in the case where the printers are TCP/IP connected and not local USB / LPT to the user's workstation? That makes sense. Wonder if this will work for USB connected printers... – James Newton Mar 17 at 16:35
@JamesNewton You'd share the local printer on the client's PC, then on the server connect via TCP/IP to it. You'd need static addresses or use DNS names if DHCP, though. – Nathan C Mar 17 at 16:51
Ah. Yes. I see. Looks like the LPT thing should work even with a USB connected printer: superuser.com/questions/182655/… – James Newton Mar 17 at 17:09 -
.p12 Certificate import in weblogic server 10.3.6.0
Hi,
I am facing an issue regarding certificate import in weblogic server 10.3.6.0. In my project I built a java webservice where an https url is invoked with xml input (correct format). The https url is restricted. I cannot open this url from my browser. I got a '403 : Forbidden' error in the browser as well as in the webservice log on the server. I asked my client. They gave me one .jks and one .p12 certificate file and a password. When I installed this .p12 (giving the password) on my local windows computer, I am able to open that https url in my browser. I have imported this .p12 certificate in 'cacerts' as well as 'DemoTrust.jks' on the weblogic server and restarted the server. But I am getting the same error (403 : Forbidden) on the weblogic server.
Where should I import this .p12 in weblogic server? I mean in which key store.
FYI,
This code is running fine on the 10g production server. I haven't developed this code. I have migrated this code to 11.1.1.7.0.
I am using this .jks in the java code:
System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");        // path to the key store file (must be a string)
System.setProperty("javax.net.ssl.keyStorePassword", "<password>");
Weblogic server is running in unix environment.
Read many posts... but did not find any right solution. Can anybody please help me solve this.
If I remember correctly, .p12 will have both the public and private key.
You need to convert it to a jks and configure the server to use this jks
Converting certificate formats | Middleware wonders!!
Weblogic SSL configuration
Thanks,
Faisal -
Multiple certificate stored in Browser
I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
eg. with these User DN:
=> cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
=> cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
=> cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
Requesting certificates several times from the same PC using several user accounts has resulted in multiple certificates stored in the Browser.
When visiting my secure web site using Internet Explorer 6, a window is raised that lists these:
"users"
"users"
"users"
By using Netscape Navigator 7.1, a window appears with a bit more information displayed:
"users's myOrganisation"
"users's myOrganisation"
"users's myOrganisation"
and some explanation eg
Issued to:
Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
Serial Number: 1C
Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
Issued by:
Subject: CN=MyCcertificate Authority,...
How to display the USER NAME (according to CN) in the list instead of "users"?
Or is this the expected behaviour?
TIA,
ferry
Ok. I've found the solution.
For reference to all you guys:
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
ByteArrayInputStream bais = new ByteArrayInputStream((byte[]) attr.get()); // attr: the user's certificate attribute read from LDAP
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); // cert.getSubjectX500Principal() yields the CN to display
-
Certificate problem in Proxy Server (ODSEE 11g)
I am having a problem adding a CA Certificate to the Proxy Server. I followed the steps in the documentation, however I get the error: "keytool error: java.lang.Exception: Public keys in reply and keystore don't match".
From what I have read, this error means that the alias name I am using when I add the new certificate is already being used. As per the documentation...
When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.
... and this does happen. However when I bring in the new cert to replace... I get the mentioned error.
If I use a different alias, it doesn't give me an error. However, I can't see it when I use the "dpadm list-certs" command (although it is there when I use the keytool command). More importantly, the "defaultservercert" is still the certificate being used when accessing the server.
So the big question is... How do I get the Proxy Server to use the new CA Certificate?
I've tried using the keytool command in many different ways, and it fails each time. Lesson learned: don't mess with the keystore via keytool. Any changes made are not recognized by the Proxy Server.
I don't have access to this Proxy Server via DSCC because I do not have the password for the account running the services (a restriction made by the client), so it all has to be done via CLI.
The operating system is Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC.
Here are some outputs:
$ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
Alias Valid from Expires on Self-signed? Issued by Issued to
defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
1 certificate found.
$ ./dsee7/bin/dpadm request-cert --name devB2ADIRPROXY01.domain.com --org 'COMPANY INC' --org-unit IT --city 'Eden Prairie' --state Minnesota --country US --keysize 2048 -o ./dsee7/ca-cert.csr ./instances/PROXY01 ca-cert
$ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
Alias Valid from Expires on Self-signed? Issued by Issued to
defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
ca-cert 2012/06/18 09:25 2014/06/18 09:25 y C=US, ST=Minnesota, L=Eden Prairie, O=COMPANY INC, OU=IT, CN=devB2ADIRPROXY01.domain.com Same as issuer
2 certificates found.
$ ./dsee7/bin/dpadm add-cert ./dsee7/instances/PROXY01 ca-cert ./dsee7/wpsun882.pem
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Thanks in advance!
I can elaborate it further
import javax.swing.JFrame;

class GUI extends JFrame implements Runnable {
    public void updateGUI() {
        // update the GUI
    }
    public void run() {
    }
}

class MailListener extends Thread {
    GUI reference; // Reference to the GUI class
    public MailListener(GUI g) {
        reference = g;
    }
    public void run() {
        while (true) {
            // wait for a message and call the updateGUI() method of
            // the GUI class when you get a message
        }
    }
}
-
Does a 2012 DC generate exchange certificates on Exchange 2007 server?
The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command,
I get a warning stating the following:
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not
self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
NotAfter : 12/31/2014 4:36:02 PM
NotBefore : 12/31/2013 4:36:02 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
Services : None
Status : Valid
Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
So my question is two-fold: why is this certificate here (was it generated by our 2012 DC) and will it affect anything when it expires? If so, how do I renew it?
OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
Basically, I ignored the "This certificate will not be used for external TLS connections" warning and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have stopped. So that should be that then, right?
So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
Thumbprint Services Subject
2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...WS CN=WMSvc-MAILSERVERNAME
B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX IP..S CN=MAILSERVERNAME
4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ..... CN=MAILSERVERNAME.DOMAIN.NAME -
2012 SCCM SP1 Distribution Point Certificate store error on Server 2003 R2
Has anyone had this issue on Server 2003 R2 where you are getting this error listed below? All content is being distributed ok. But, monitoring is showing errors with all my Distribution points and I want these errors to go away so I don't have to sift through
all the darn errors.
Thanks for your help. Daniel.
Report status message 0x40000952 to MP
Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
The parameter is incorrect. (Error: 80070057; Source: Windows)
Status message has been successfully sent to MP from remote DP
I have found the error message in the smsdpmon.log on a Windows Server 2003 SP2 system acting as a Distribution Point (only). The error shows up during a scheduled content validation on that server and is repeated after each package is "validated".
From the smsdpmon.log:
- Start to evaluate package share for package 'XXX0004F' version 5 ...
- Package XXX0004F is verified successfully
- Report state message 0x40000950 to MP
- Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
- Report Body: <ReportBody><StateMessage MessageTime="20140315150802.000000+000" SerialNumber="5"><Topic ID="XXX0004F" Type="901" IDType="0"/><State ID="2384" Criticality="0"/><UserParameters Flags="0" Count="2"><Param>XXX0004F</Param><Param>["Display=\\DPSERVNAME.domain.com\"]MSWNET:["SMS_SITE=XXX"]\\DPSERVNAME.domain.com\</Param></UserParameters></StateMessage></ReportBody>
- Report status message 0x40000950 to MP
- Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
- Status message has been successfully sent to MP from remote DP
- Report status message 0x80000954 to MP
- Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
- Status message has been successfully sent to MP from remote DP
I tried to pretty up the above - not sure that I was successful.
The site server is a Windows Server 2012 R2 Standard running SCCM 2012 R2. -
Error in importing multiple excel sheets to SQL Server
I have a package which imports multiple excel sheets to SQL server using a For each Container. However I am getting the following error message "Excel Source failed validation and returns validation status "VS-NEEDSNEWMETADATA".
Can you please advise me of the steps to potentially resolve this issue ?
Many thanks
Scott
Hi Scott,
Based on your scenario, you need to implement dynamic columns mapping which is not natively supported by managed source/destination adapters. To achieve dynamic columns mapping, we need to make use of Script Component to parse the input columns and dynamically
map them to the destination columns.
References:
http://munishbansal.wordpress.com/2009/06/09/dynamic-columns-mapping-%E2%80%93-script-component-as-destination-ssis/
http://blog.quasarinc.com/ssis/best-solution-to-load-dynamically-change-csv-file-in-ssis-etl-package/
http://stackoverflow.com/questions/13836874/script-task-in-dft-doesnt-get-excecuted
Regards,
Mike Yin
TechNet Community Support