Multiple certificates on Issuing CA server

Hi,
Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked from the Root, I see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are getting published every time, one for each. Although
when I look at the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIView, I see the CDP path for this CA with the new CRL.
But my question is: how shall I remove the old one from the Issuing CA, as I am not getting that option? Also, in AD I see 2 certificates published for that CA. Will that cause any issue?
Thanks
Neha Garg

This is actually a normal state in PKI. When you renew a sub CA with a new key pair, it will result in multiple CRL files.
- there is no need to remove the previous subca cert
- there is no need to revoke the previous subca cert (unless there are config or security issues)
- make sure the AIA paths use %4 in the paths to keep separate versions
- make sure that the CDP paths use %9 in the paths to keep separate versions
- make sure you publish *all* versions of .crts and .crls to *all* publication points
You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated.
Brian
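As an added worked example (this is not code from the thread above or from Microsoft): the settings Brian lists, written out for PowerShell on the Issuing CA, followed by the checks that answer Neha's two questions. The CA name (Contoso Issuing CA), the HTTP host (pki.example.com) and the leaf file C:\Temp\webserver.cer are assumptions; the %-tokens and the numeric flag prefixes are AD CS's own. The CRL file-name template the CA uses by default ends in %8%9 (CRLNameSuffix plus DeltaCRLAllowed), which is what keeps the CRL signed by the old key and the CRL signed by the new key apart; %4 does the same for the CA certificate files.

```powershell
# Added example, not code from the thread. Assumptions: Issuing CA "Contoso Issuing CA"
# (sanitized name identical), publication host pki.example.com, elevated PowerShell on the
# CA itself. certutil ships with Windows; the ActiveDirectory module is needed for step 3.
$caName   = 'Contoso Issuing CA'                 # assumed
$httpBase = 'http://pki.example.com/CertEnroll'  # assumed
$localDir = 'C:\Windows\System32\CertSrv\CertEnroll'

# AD CS replacement tokens used below:
#   %1 ServerDNSName  %2 ServerShortName  %3 CaName  %4 CertificateName (renewal index: "", "(1)", ...)
#   %6 ConfigDN       %7 CATruncatedName
#   %8 CRLNameSuffix  (renewal index of the signing key, so each CA key gets its own CRL file)
#   %9 DeltaCRLAllowed (becomes "+" in the name of a delta CRL)
#   %10 CDPObjectClass  %11 CAObjectClass
# Flag prefixes: CRL 1=publish here, 2=put in issued certs' CDP, 4=put in CRLs' FreshestCRL,
#                    8=put in CRLs' CDP, 64=publish delta here  (65 = 1+64, 6 = 2+4, 79 = 1+2+4+8+64)
#                AIA 1=publish here, 2=put in issued certs' AIA (3 = both)

# Step 1: CDP. File and HTTP names end in %8%9, the LDAP object name in %8, so
# "Contoso Issuing CA.crl" and "Contoso Issuing CA(1).crl" coexist after a key renewal.
certutil -setreg 'CA\CRLPublicationURLs' ("65:$localDir\%3%8%9.crl" +
    "\n6:$httpBase/%3%8%9.crl" +
    "\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# Step 2: AIA. %4 keeps "<server>_Contoso Issuing CA.crt" and "...(1).crt" apart.
certutil -setreg 'CA\CACertPublicationURLs' ("1:$localDir\%1_%3%4.crt" +
    "\n2:$httpBase/%1_%3%4.crt" +
    "\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

Restart-Service certsvc
certutil -CRL       # publishes a CRL for every CA key that still has unexpired certs
certutil -CAInfo    # one entry per CA cert index, with cert state and CRL state

# Step 3: what AD holds. Every generation of the CA cert is one cACertificate value on the
# AIA object; the old value must stay so certs issued under the old key still chain.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$aiaObj = Get-ADObject -Identity "CN=$caName,CN=AIA,CN=Public Key Services,CN=Services,$configNC" `
    -Properties cACertificate
foreach ($der in $aiaObj.cACertificate) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    $ski = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
    '{0}  SKI={1}  {2:yyyy-MM-dd} .. {3:yyyy-MM-dd}' -f $c.Thumbprint, $ski, $c.NotBefore, $c.NotAfter
}

# Step 4: each CRL names the key that signed it (Authority Key Identifier), and a leaf chains
# to whichever CA cert has the matching SKI. certutil -verify -urlfetch follows the CDP/AIA
# URLs in the leaf and reports which CA cert it used and whether revocation checking succeeded.
Get-ChildItem "$localDir\*.crl" | ForEach-Object {
    "$($_.Name):"
    certutil -dump $_.FullName | Select-String 'KeyID='
}
certutil -verify -urlfetch C:\Temp\webserver.cer
```

Running step 3 shows the "2 certificates in AD" as two cACertificate values with different SKIs; step 4 shows the two CRLs carrying those same two KeyIDs, which is why removing either CA cert or either CRL would break validation for whichever certificates were issued under that key.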

Similar Messages

  • Anyconnect XML Profile Certificate Matching - Multiple Certs different Issuer

    Hi Guys
    I am trying to set up an XML profile for Cisco AnyConnect that will look at multiple certificates that could be issued from two different CAs.
    Currently I am having trouble setting this up and it does not look like it is possible.
    Is there a way around this?
    Regards
    Mohamed

    The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching criteria are global and can be set in an AnyConnect profile. The criteria are:
    • Key Usage
    • Extended Key Usage
    • Distinguished Name
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158

  • Issuing Certificates to a DMZ server

    I'm in the process of setting up a PKI infrastructure for an SCCM 2012 environment. In order to manage travelling laptops over the internet, we installed a new Windows 2012 R2 server in the DMZ.  To communicate properly with the travelling
    SCCM clients, we need to install 2 certificates on this DMZ server.  This DMZ server is in a different forest/domain than the SCCM and CA server, with no trusts established between it and our production domain.  If it makes any difference, there
    is also no DNS forwarding, but I have added an entry to the hosts file on the DMZ server, and to the internal CA and SCCM servers (all Windows 2012 R2), so that they can resolve each other.
    I've created the 2 certificate templates per the SCCM documentation on the internal CA server, but in the Security tab, there is no way for me to add the DMZ server for the "Read and Enroll" rights (since it's in another, untrusted forest.) 
    Since I can't enroll the certificates through the MMC console of the DMZ server, my next thought was that I could use the CA web enrollment method, and try to get certificates enrolled that way.   However, when I type in
    http://MY_CA_SERVER/certsrv, Internet Explorer spins for about 10-15 seconds, and then I get "Page cannot be displayed."  I added the webpage to the Trusted Sites in IE, but that did not help.  Visiting
    the CA webpage from a domain-joined computer works fine; it's just not working from the DMZ server.
    Does this sound like a communications/port issue?  Between my internal domain and this DMZ server, I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.  Do I need anything additional for Certificate Authority communication? 
    If I'm not approaching this in the correct manner, I'm also open to other suggestions on how to install these 2 certificates properly.
    Thanks in advance for any advice.

    > I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.
    please, close RPC ports in your perimeter firewall. Instead of using legacy web pages, I would consider setting up the new Certificate Enrollment Web Services (which first appeared in Windows Server 2008 R2):
    http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
    if it is not possible to install CEP/CES services, then you can use the following guide (although it requires some manual procedures):
    http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.
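    An added example of the manual route the second link refers to (this is not code from the reply or from sysadmins.lv): generate the key and the request on the non-domain DMZ server with certreq, submit the request from a domain member over the internal network so no RPC port has to be opened through the perimeter, then install the result back on the DMZ host. The host name dmz01.example.com, the CA config string "ca01.corp.example.com\Corp Issuing CA", the template name SCCMWebServer and the C:\Temp paths are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: DMZ host dmz01.example.com, CA config
# string "ca01.corp.example.com\Corp Issuing CA", and a template "SCCMWebServer" whose subject
# is "Supply in the request" and on which the submitting account has Enroll permission.

# Step 1 (on the DMZ server): build the request from an INF. The key pair is generated on
# this machine and stays in its machine store; only the PKCS#10 request leaves the box.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dmz01.example.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xA0            ; Digital Signature (0x80) + Key Encipherment (0x20)

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"       ; Subject Alternative Name
_continue_ = "dns=dmz01.example.com&"
'@
Set-Content -Path C:\Temp\dmz01.inf -Value $inf -Encoding ASCII
certreq -new C:\Temp\dmz01.inf C:\Temp\dmz01.req

# Step 2 (on a domain member, as an account with Enroll on the template): copy dmz01.req
# inside and submit it to the CA over DCOM on the internal network. The template is named
# as a request attribute because a PKCS#10 from a non-domain host carries no template OID.
certreq -submit -config "ca01.corp.example.com\Corp Issuing CA" `
    -attrib "CertificateTemplate:SCCMWebServer" C:\Temp\dmz01.req C:\Temp\dmz01.cer

# Step 3 (back on the DMZ server): trust the internal chain, bind the issued cert to the
# pending key, and confirm the private key is attached.
certutil -addstore -f Root C:\Temp\corp-root.cer        # offline root CA cert, copied over
certutil -addstore -f CA   C:\Temp\corp-issuing.cer     # issuing CA cert, copied over
certreq -accept C:\Temp\dmz01.cer
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=dmz01.example.com' } |
    Select-Object Thumbprint, HasPrivateKey, NotAfter
```

    The same three steps serve the second SCCM certificate: only the Subject, SAN and template name change. HasPrivateKey must come back True; if it is False the .cer was imported with certutil -addstore instead of certreq -accept and is not bound to the key that signed the request.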

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the URL fonzie.bigshop.com.au. We have a VeriSign certificate set up for 128-bit SSL under the known name fonzie.bigshop.com.au. All SSL connections that connect to the site with this URL are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public URL for the website will be www.bigshop.com.au. We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from VeriSign.
    Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au URLs to operate concurrently and enable both to establish SSL sessions with valid certificates.
    Is what they want to do possible? Any suggestions appreciated,
    regards,
         Patrick.

    Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.
    In current versions of WebLogic (5.1, 6.x, 7.0, 8.1), you can configure only one certificate per server.
    -utpal

  • Keychain Access: Adding multiple Certificates, signed by the same CA

    Hello, Community.
    I have recently posted my request for help in this thread:
    http://discussions.apple.com/thread.jspa?messageID=10448884
    Now I am facing a new problem: I wish to add a new certificate to the keychain, but whenever I try, it tells me the item exists and does not add it to the keychain. It adds the keys perfectly fine, both public and private, but not the certificate.
    What can I do to have multiple certificates signed by the same CA?
    I cannot add them to my keychain, so that will be of no help. And I have tried to create every certificate anew in the same keychain, but this will not work either. I created the certificates and exported them before I went on to the next, and they are now on my desktop. This is very inconvenient, as the keychain is distributed over a network as a shared keychain and resides on a Snow Leopard Server (Domestic version, not Snow Leopard Server). Our business is one day behind, but since it is now the weekend, I hope to get this issue resolved by Monday morning, send out the e-mails we should have and update our register with sales.
    Could I please have some advice?
    Also, if this topic is handled in full in another thread, please post the links, so I can read up on this topic and try to find a solution.
    Thank you for your time.
    Kashidom Nenakh
    Mantha Designs incorporated
    http://www.manthadesigns.net

    http://www.isi.edu/~brian/security/kerberos.html

  • SSTP VPN fails with Error 0x80092013 when certificate is issued by an Enterprise CA

    I have spent several days trying to configure an SSTP VPN in an environment with a 2008R2 Enterprise CA server without much luck. I have been using the example found at   http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx which
    works very well as long as you configure the CA Extensions tab with an http CRL Distribution point that is included in the CRLs and CDP extension of issued certificates and is available to the client prior to VPN connection.
    Basically my lab environment is as follows:
    Separate 2008R2 domain controller, Single 2008R2 Enterprise CA / RRAS server with one nic. I know the instructions that I mentioned above use an RRAS server with 2 nics but I don't want my RRAS server serving as a router. I have an external hardware firewall
    that port forwards port 443 to my single nic in my RRAS server and this entire configuration works fine as long as I am using a standard CA configuration. The RRAS was configured using the custom option and only VPN was chosen. Since my RRAS server is behind
    a NAT router, the dns name my external client uses to connect is different than the internal name of my RRAS server.
    In the example above, a Windows 2008R2 CA server is configured as a standalone non-enterprise root CA. As long as I stick with a standard CA, I have no problem and everything works.
    My problem is that if I configure my Windows Server 2008R2 Enterprise server as an Enterprise Root CA, My Windows 7 client always gets an "Error 0x80092013 The revocation function was unable to check revocation because the revocation server was offline."
    I'm not certain, but I think the problem is with the way that I request the certificate for my RRAS server. When I configure a standalone standard root CA and use the web enrollment page and use an Advanced Certificate Request, I get a page that I can use
    to fill out the external dns name that I use to connect to SSTP, choose a Server Authentication Certificate,  choose to mark keys as exportable and submit my request. Once I install this key in the Certificates (local computer) / Personal / Certificates
    store, everything works and my client can connect as long as I have installed the root CA certificate on my client.
    When I install my CA as an Enterprise Root CA server, everything changes. I no longer have the same options to install a custom certificate. Instead of getting the same page as I do with a standard CA, I get my choice of Certificate Templates. Prior to this,
    I have duplicated the Computer template in the CA authority and configured the subject name to "supply in request" and configured my CA to issue it. I have tried issuing my RRAS SSTP certificate using the web enrollment and I have also tried using the certificates
    plugins in mmc to request custom certificates and tried using an alternative subject name, filling out the DNS option with my external dns name.
    When it is all said and done, I end up with an RRAS SSTP certificate that has CRL Distribution Points defined as URL=http://www.mywebsite/CertEnroll/myCA.crl and it is available to my client or anyone. I have compared the certificate issued by an Enterprise
    CA vs the Standard CA and I find little difference in the two. I also know that I can reach this RRAS SSTP certificate from my client by going to  https://myexternaladdress.mydomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/and
    I can view the padlock in IE and view my internal RRAS certificate. The CRL Distribution point looks no different when I have a standard vs an Enterprise CA but my client always fails with the Error 0x80092013 when I have issued the RRAS SSTP certificate
    with the Enterprise CA.
    I have probably re-setup this lab about 20 times and am getting very familiar with getting it set up quickly and working with the standard CA but I want to use an Enterprise CA environment.
    What am I missing? How can I make this work with an Enterprise CA? How can I troubleshoot this?
    Thanks,
    Rod
    Rod Miller

    Thanks for  your reply. I did read the article and addressed that issue in the first part of my previous post. I don't think that the website where I am hosting my CRL has directory browsing permissions or that I have the ability to set them but the
    point of my question was everything works using that same public website when I use a standard CA to create my certificate but does NOT work when I create the certificate using an Enterprise CA.
    Rod
    Rod Miller

  • There is a problem with the security certificate of the proxy server. Error code 18 and 38.

    Hi All,
    After several hours and a short night of sleep I'm out of ideas and hopefully someone here can help me trying to solve this one. First of all the situation:
    Exchange 2013 on a remote location with a CA-certificate.
    Outlook 2010 and 2013 on different locations, locally installed and on RDS.
    When I open Outlook on my laptop all is fine, no errors, good sync, no problem. But when I open Outlook on our Remote Desktop Servers with Outlook 2013 I'm getting errors like "There is a problem with the security certificate of the proxy server. The
    name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (Error code 18)". Opening Outlook 2010 the message is the same, but the error code now is 38.
    After this, Outlook opens and is working; there's one more error though. After a while a security warning pops up with the message: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the
    site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate is valid. * The name on the security
    certificate is invalid or does not match the name of the site."
    Strangest thing is, it is the certificate of my RDS! It isn't my valid and officially bought certificate from my mail server. What's going on? I'm out of options; what I've tried so far (in random order):
    - restarting mailserver and AD;
    - restarting switches;
    - restarting routers;
    - restarting RDS, AD and all other servers;
    - bypassed proxyserver for RDS;
    - created a new profile;
    - checked recently installed updates;
    - checked certificate on mailserver;
    - checked RDS on a different location, working fine.
    Nothing helped, what can I do next? Please advise.
    Regards.

    Found a thread that solves half my problem (https://social.technet.microsoft.com/Forums/office/en-US/70d18244-889a-4d95-ac3f-e234672a82b2/there-is-a-problem-with-the-proxy-servers-security-certificate-error-when-starting-outlook?forum=exchangesvrclients).
    The first message can be suppressed by adding this to the Exchange config:
    set-outlookprovider -Identity EXCH -CertprincipalName msstd:webmail.domain.tld
    set-outlookprovider -Identity EXPR -CertprincipalName msstd:webmail.domain.tld
    Running get-outlookprovider gave me empty information for the CertPrincipalName. I filled
    this in, and after recreating the profile or deleting the OST file I still have the second alert with the local certificate of my RDS.
    Not completely where I want to be, any help regarding the second alert is greatly appreciated!

  • How do I install multiple KMS keys on one server?

    I currently am working at Phelps County Regional Medical Center in Rolla, MO and my question is: How do I install multiple KMS keys onto one server? This is very urgent and I have the KMS activating Windows 7 but, I also need all my Office keys, Windows
    8, and Windows 8.1  to be activated via KMS. the current KMS is a Windows Server 2008 R2 server. Please help me out and thank you for your time! :)

    you need to apply the following update (http://support.microsoft.com/kb/2885698) to your KMS server so you can license up to Windows 8.1. From there your key for 8.1/2012 R2 will license everything
    downwards, and then you can also install your Office KMS key without issue. If it's Office 2013 then you need to download the files here (http://www.microsoft.com/en-us/download/details.aspx?id=35584)
    Be kind and Mark as Answer if I helped.

  • Multiple users logged into one server, each users printer has a different name, application needs ONE name to print to.

    I'm NOT in any way a Terminal Services expert and I need help trying to get an application program working in a multi-user environment.
    The issue is that the printer changes for every user that is logged in. The application needs to print NOT to the default printer, but to a "special" printer which is selected in the application... let's call it a label printer to simplify the explanation.
    You have your default regular printer, easy for the application to find that one, and then you have a special printer that labels get printed onto. The application needs to know what printer is the label printer. So we allow the user to select that in the
    application and the selection is stored in a config file in 
    C:\ProgramData\mfgr\prog\setting files
    I don't have access to the application so I can't change how this works.  
    In the "regular" world, selecting the label printer driver to use should be per machine, NOT per user. When a new user logs into a machine, the physical printer doesn't go "poof" and a new printer suddenly appear. Same printer for all
    users.
    Yet in terminal services, the physical machine is "merged" with the virtual machine on the server. And there can be many users logged in at the same time. So each user's real machine (and real printer) is injected into the "fake" terminal
    services machine. The name of the printers is made unique for each user. So the printers DO go "poof" and change names depending on the user logged into terminal services.
    So user "A" logs in and sets up the application to print to "LabelPrinterForUserA" (or whatever the name of the printer happens to be), that setting is stored in the ProgramData subfolder, and all is well. Later, user "B" logs
    in, and when they print, the application tries to print to "LabelPrinterForUserA" which doesn't exist for user B or is only accessible by user A. If user B re-configures, that breaks it for user A. 
    SOLUTION 1: The way that /should/ work (in my mind) is that you define one "generic" printer in Terminal Services... call it "Virtual Label printer" and when the user wants to print to it, the print job gets re-directed back to whatever
    physical printer is actually connected to their local workstation. There is a map of virtual printer to actual printer depending on the current user. The application is told once to print to "Virtual Label Printer" for all users.
    SOLUTION 2: Or... there should be some way to make the ProgramData sub folders separate per user. E.g. when user "A" tries to access:
    C:\ProgramData\mfgr\prog\setting files
    they actually get 
    C:\UserData\UserA\AppData\mfgr\prog\setting files
    and user "B" gets
    C:\UserData\UserB\AppData\mfgr\prog\setting files
    So the question I have is: Does either of those solutions exist hidden somewhere in the setup of terminal server? Or is there another way around this issue that I don't know?

    I don't really have a "for sure" answer to this, but because people here can't seem to deal with a question that hasn't been answered I'll provide the best answer I did receive from ServerFault.com user Nathan:
    I can feel your pain with using old software on terminal servers ...the solution I've come up with definitely won't scale as it requires some manual configuration, but I've gotten this method to work with our label printers (which require to be
    printed to an LPT port...yep, that old).
    Share your USB-connected printers to the network on each machine. Then, have the user log in on a unique session for each of them
    (a TS account cannot be shared among computers for this to work) and install a network printer pointing to the USB one they shared. Try to use a DNS name to account for possible DHCP movements.
    After, it should work. Each user can do this since display names can be identical as long as the ports are different (which they are).
    This was clarified by the following series of comments:
    I think you are on to something here, and I originally advised the admin to do this. The problem he ran into is that it set up the printer names in the TS as "printer on usersworkstation" and he could not rename it except to change the "printer" to whatever. E.g. the "on userworkstation" remained. I believe there is another way of installing the printer which avoids this, but I can't find it. Ages ago, one used to do NET USE LPT2 \\computer\printer password /USER:domain\user /PERSISTENT:YES and then tell the driver to print to LPT2 – James Newton, Mar 17 at 16:21
    @JamesNewton That's actually the exact method we used. The way around the "network printer" part is to install it as a local printer and map it to a TCP/IP port that way. – Nathan C, Mar 17 at 16:28
    You mean in the case where the printers are TCP/IP connected and not local USB / LPT to the user's workstation? That makes sense. Wonder if this will work for USB connected printers... – James Newton, Mar 17 at 16:35
    @JamesNewton You'd share the local printer on the client's PC then on the server connect via TCP/IP to it. You'd need static addresses or use DNS names if DHCP, though. – Nathan C, Mar 17 at 16:51
    Ah. Yes. I see. Looks like the LPT thing should work even with a USB connected printer: superuser.com/questions/182655/… – James Newton, Mar 17 at 17:09

  • .p12 Certificate import in weblogic server 10.3.6.0

    Hi,
    I am facing an issue regarding certificate import in WebLogic server 10.3.6.0. In my project I built a Java web service where an https URL is invoked with XML input (correct format). The https URL is restricted. I cannot open this URL from my browser. I got a '403 : Forbidden' error in the browser as well as in the web service log on the server. I asked my client. They gave me one .jks and one .p12 certificate file and a password. When I installed this .p12 (giving the password) on my local Windows computer, I am able to open that https URL in my browser. I have imported this .p12 certificate into 'cacerts' as well as 'DemoTrust.jks' on the WebLogic server and restarted the server. But I am getting the same error (403 : Forbidden) on the WebLogic server.
    Where should I import this .p12 in weblogic server? I mean in which key store.
    FYI,
    This code is running fine in 10g production server.I haven't developed this code. I have migrated this code to 11.1.1.7.0.
    I am using this .jks in the Java code:
            // path to the client key store holding the private key and certificate
            System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "<password>");
    Weblogic server is running in unix environment.
    Read many posts... But did not any find right solution. Can anybody please help me solve this.

    If I remember correctly, a .p12 will have both the public and private key.
    You need to convert it to a .jks and configure the server to use this .jks
    Converting certificate formats | Middleware wonders!!
    Weblogic SSL configuration
    Thanks,
    Faisal

  • Multiple certificate stored in Browser

    I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
    eg. with these User DN:
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    By requesting certificates several times from the same PC using several user accounts, I have ended up with multiple certificates stored in the browser.
    When I visit my secure web site using Internet Explorer 6, a window comes up and lists these
    "users"
    "users"
    "users"
    By using Netscape Navigator 7.1: a window appear with a bit more information display
    "users's myOrganisation"
    "users's myOrganisation"
    "users's myOrganisation"
    and some explanation eg
    Issued to:
    Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
    Serial Number: 1C
    Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
    Issued by:
    Subject: CN=MyCcertificate Authority,...
    How to display USER NAME (according to CN) in the list instead of "users" ?
    or this is the expected behaviour?
    TIA,
    ferry

    Ok. I've found the solution.
    For reference to all you guys:
    import java.io.ByteArrayInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    ByteArrayInputStream bais = new ByteArrayInputStream((byte[]) attr.get()); // DER bytes of the userCertificate attribute
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);   // cert.getSubjectX500Principal() gives the CN to display

  • Certificate problem in Proxy Server (ODSEE 11g)

    I am having a problem adding a CA Certificate to the Proxy Server. I followed the steps in the documentation, however I get the error: "keytool error: java.lang.Exception: Public keys in reply and keystore don't match".
    From what I have read, this error means that the alias name I am using when I add the new certificate is already being used. As per the documentation...
    When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.
    ... and this does happen. However when I bring in the new cert to replace... I get the mentioned error.
    If I use a different alias, it doesn't give me an error. However, I can't see it when I use the "dpadm list-certs" command (although it is there when I use the keytool command). More importantly, the "defaultservercert" is still the certificate being used when accessing the server.
    So the big question is... How do I get the Proxy Server to use the new CA Certificate?
    I've tried using the keytool command in many different ways, and it fails each time. Lesson learned: don't mess with the keystore via keytool. Any changes made are not recognized by the Proxy Server.
    I don't have access to this Proxy Server via DSCC because I do not have the password for the account running the services (a restriction made by the client), so it all has to be done via CLI.
    The operating system is Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC.
    Here are some outputs:
    $ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
    Alias Valid from Expires on Self-signed? Issued by Issued to
    defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
    1 certificate found.
    $ ./dsee7/bin/dpadm request-cert name devB2ADIRPROXY01.domain.com org 'COMPANY INC' org-unit IT city 'Eden Prairie' state Minnesota country US --keysize 2048 -o ./dsee7/ca-cert.csr ./instances/PROXY01 ca-cert
    $ ./dsee7/bin/dpadm list-certs ./dsee7/instances/PROXY01
    Alias Valid from Expires on Self-signed? Issued by Issued to
    defaultservercert 2012/06/18 09:23 2014/06/18 09:23 y CN=wpsun882:25389 Same as issuer
    ca-cert 2012/06/18 09:25 2014/06/18 09:25 y C=US, ST=Minnesota, L=Eden Prairie, O=COMPANY INC, OU=IT, CN=devB2ADIRPROXY01.domain.com Same as issuer
    2 certificates found.
    $ ./dsee7/bin/dpadm add-cert ./dsee7/instances/PROXY01 ca-cert ./dsee7/wpsun882.pem
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    Thanks in advance!

    I can elaborate it further
    class GUI extends JFrame implements Runnable {
        public void updateGUI() {
            // update the GUI
        }
    }
    class MailListener extends Thread {
        GUI reference; // Reference to the GUI class
        public MailListener(GUI g) {
            reference = g;
        }
        public void run() {
            while (true) {
                // wait for a message and call the updateGUI() method of
                // the GUI class when you get a message
            }
        }
    }

  • Does a 2012 DC generate exchange certificates on Exchange 2007 server?

    The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command,
    I get a warning stating the following: 
    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
    On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not
    self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
    NotAfter : 12/31/2014 4:36:02 PM
    NotBefore : 12/31/2013 4:36:02 PM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
    Services : None
    Status : Valid
    Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
    Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
    So my question is two-fold: why is this certificate here (was it generated by our 2012 DC), and will it affect anything when it expires? If so, how do I renew it?

    OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
    So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
    I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
    Basically, I ignored the "This certificate will not be used for external TLS connections warning" and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have
    stopped. So that should be that then right?
    So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
    Thumbprint                                  Services   Subject
    2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX      ...WS      CN=WMSvc-MAILSERVERNAME
    B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX      IP..S      CN=MAILSERVERNAME
    4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX      .....      CN=MAILSERVERNAME.DOMAIN.NAME

  • 2012 SCCM SP1 Distribution Point Certificate store error on Server 2003 R2

    Has anyone had this issue on Server 2003 R2 where you are getting this error listed below? All content is being distributed ok. But, monitoring is showing errors with all my Distribution points and I want these errors to go away so I don't have to sift through
    all the darn errors.
    Thanks for your help. Daniel.
    Report status message 0x40000952 to MP
    Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
    The parameter is incorrect. (Error: 80070057; Source: Windows)
    Status message has been successfully sent to MP from remote DP

    I have found the error message in the smsdpmon.log on a Windows Server 2003 SP2 system acting as a Distribution Point (only).  The error shows up when / during a scheduled content validation on that server and is repeated after each package is "validated".
    From the smsdpmon.log:
    - Start to evaluate package share for package 'XXX0004F' version 5 ...
    - Package XXX0004F is verified successfully
    - Report state message 0x40000950 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Report Body: <ReportBody><StateMessage MessageTime="20140315150802.000000+000" SerialNumber="5"><Topic ID="XXX0004F" Type="901" IDType="0"/><State ID="2384" Criticality="0"/><UserParameters Flags="0" Count="2"><Param>XXX0004F</Param><Param>["Display=\\DPSERVNAME.domain.com\"]MSWNET:["SMS_SITE=XXX"]\\DPSERVNAME.domain.com\</Param></UserParameters></StateMessage></ReportBody>
    - Report status message 0x40000950 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Status message has been successfully sent to MP from remote DP
    - Report status message 0x80000954 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Status message has been successfully sent to MP from remote DP
    I tried to pretty up the above - not sure that I was successful.
    The site server is a Windows Server 2012 R2 Standard running SCCM 2012 R2.

  • Error in importing multiple excel sheets to SQL Server

    I have a package which imports multiple excel sheets to SQL server using a For each Container. However I am getting the following error message "Excel Source failed validation and returns validation status "VS-NEEDSNEWMETADATA".
    Can you please advise me of the steps to potentially resolve this issue ?
    Many thanks
    Scott

    Hi Scott,
    Based on your scenario, you need to implement dynamic columns mapping which is not natively supported by managed source/destination adapters. To achieve dynamic columns mapping, we need to make use of Script Component to parse the input columns and dynamically
    map them to the destination columns.
    References:
    http://munishbansal.wordpress.com/2009/06/09/dynamic-columns-mapping-%E2%80%93-script-component-as-destination-ssis/ 
    http://blog.quasarinc.com/ssis/best-solution-to-load-dynamically-change-csv-file-in-ssis-etl-package/ 
    http://stackoverflow.com/questions/13836874/script-task-in-dft-doesnt-get-excecuted 
    Regards,
    Mike Yin
    TechNet Community Support
