PKI setup using 3rd party certificates

Similar Messages

• Cisco IOS CA using 3rd Party Certificate

  Hi,
  Can I use 3rd Party certificate such as verisign, on Cisco IOS CA ? All i can see on cisco.com is self-signed certificate from router.
  Thanks
  -santo-

  Santo,
  That's fair enough. A key information to make sure customers understand that a private PKI infrustructure is (for the purpose of deployment such as GETVPN) as secure as provided by third part party.
  Private PKI is not based on self signed certificates - only the root CA might need something like it :-)
  That being said, for reliability and flexability I really suggest storing CA (ser, CRL, OCSP, backup of public/private keys) files on storage external to the router.
  Key takeway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN others is as secure as external 3rd party services (and often time order of magnitude cheaper).
  M.

• Farm member not using 3rd party certificate

  I have a Microsoft server 2008 R2 RDS farm using a broker and NLB farm nodes.
  In the farm member node ( not the broker ), I open  “Remote Desktop Session Host Configuration” tool I selected “member of farm RD Connection Broker” and in the “general” tab under the “certificate” section I clicked “select” and picked the 3rd party
  Certificate.
  This is a Farm member. When I use a rdp client to go to farmName.domain.com I get a pop up with a certificate error and it shows the certificate as serverName.domain.com and not the name in the “farm” certificate.
  How can I troubleshoot this issue.

  Hi,
  Iniitally seems the certificate is not from valid trusted authority. So please check the trusted authority. Apart there is mismatch in certificate name with server name. 
  The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
  If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. 
  The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
  In addition, please check beneath article for reference.
  Configuring Remote Desktop certificates
  http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Exchange Server 2010 Edge Transport Subscription Issue while moving Internal CA Certificate to 3rd Party Certificate

  My Client have a Exchange 2010 Organization with Single Domain Single Forest.
  They were using Internal CA Certificate and a TLS Cert.
  As a POC we are doing a POC for Exchange 2010 Hybrid Office 365 Environment.
  For this 3rd Party CA is Mandatory and they have bought a Geo Trust Certificate.
  Now when they have installed cert on both HUB as well as EDGE servers, he was prompted to do edge subscription again.
  HUB and CAS are combined on the server at both Main and DR Site.
  When they try to do edge subscription again they are getting the following error.
  SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

  I was finding out the solution and got this.
  1-Certificate will import on both EDGE and HUB Servers.
  2-Edge Sync will use Self-Sign Certificate (but I an unable to find how do I configure this)
  3-some communication between Edge and Hub will be encrypted via 3rd party Certificate.
  Could anyone suggest, which services on HUB must based in this 3rd party cert.
  All the external communication must be encrypted via 3rd party CA and communication between HUB-EDGE will set on self-sign Cert. How do I do this.
  SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.
  Hi,
  Please run Get-ExchangeCertificate | fl to check your Exchange certificate settings. Also confirm if the 5E470560626E313646730C177FCA66728E2BAFF7 certificate is your trusted 3rd party cert.
  Please use Enable-ExchangeCertificate cmdlet to assign SMTP service to your self-signed certificate in your Edge server.
  Regards,
  Winnie Liang
  TechNet Community Support

• WLC5760 - CSR request for 3rd party certificate

  I need to generate a CSR request to obtain a 3rd party certificate for my WLC.
  i am not sure how i can do that. all document availble are for wlc 4400.
  let me know if the same process will apply to wlc5760 as well.

  Thanks Matteo,
  I managed to get it done, Yes I used OpenSSL to generate CSR.
  Here what I have learnt about it, including WebAuth Cert installation on 5760. This may be useful to someone else.
  http://mrncciew.com/2014/07/30/5760-webauth-certificates/
  HTH
  Rasika
  **** Pls rate all useful responses ****

• 3rd party certificate on WiSM controllers

  Hi,
  On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
  The controllers in the acnhor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
  So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
  We have an external DNS-record which resolves the company URL to 1.1.1.1.
  I see a possible solution, if the URL of the Internal (default) URL can be changed to https://guest.companyname.com/login.html because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
  The controllers run 7.0.230.0 software as well as the WLC.
  Hope someone has the simple answer to this???

  Putting 1.1.1.1 (VIP address) is a test to bypass the certificate.  It is pretty simple, if you have done it a hundred times.  But to start of from the basic, make sure that the user is being anchored to the guest wlc.  You should see an entry of the client on the guest anchor and the client should be in the WEBAUTH_REQD state until they go through the login proccess in which they will be in the RUN state.  If you don't , then I can see why the 3rd party certificate is not working.  SO you should see the client on the foreign and the anchor wlc.  Make sure of this first.
  Did you not restart the anchors when you put in the FQDN in the VIP?
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Is it safe to use 3rd party chargers

  is it safe to use 3rd party chargers on the ipod touch 4g or can it mess up the touchscreen or should i get the official apple ones because i have heard some of them blowing up :O and catching fire so do they get hot while they are charging (uk 3 pin) thanks

  I sometimes charge mine from my iPad 1 charger or my Griffen charger I purchased from my 3G Nano.
  s.salmanhussain10 wrote:
  bob please tell me so its safe to charge from ipad original charger? n from any iphone(original/3rdparty) charger ?
  thanx

• Getting chapters from PPro 2.0 into Encore 2.0 while using 3rd party encoder

  Placing chapters in Premiere is a HUGE time saver. However, I also like to use 3rd party software to encode my videos to MPEG (Canopus ProCoder2.0). This process loses the Chapter information that the .avi file carries. Is there any way to get the chapter information into Encore while still using ProCoder?

  Ok, thanks. I really wish Adobe would allow users to import and export chapter information. That would greatly increase my workflow. The thing that kills me is that in Encore 1.0, the chapters were connected to the timeline, not the video. So I could drop the AVI file into a timeline in Encore to create the chapter points, then delete it and place my MPEG video in its place. But Adobe got rid of this capability in 1.5.

• What is the difference between Outlook features using exchage server and using 3rd party mail server ?

  Hi~ I'd like to know what the difference is between Outlook features using exchage server and using 3rd party mail server.
  If I use 3rd party mail server with Outlook, Outlook features are the same as Exchange Server ?
  I want to use all Outlook features..

  The basic features (and many advanced features) are identical in all accounts. With pop3, your mail, calendar, contacts, tasks, notes are stored in a pst and are only on the computer. IMAP accounts only sync email back to the server, not calendar,
  contacts, and tasks. Outlook.com EAS accounts (aka Hotmail) syncs calendar and contacts back to the server. Exchange mailboxes stores everything on the server - mail, calendar, contacts, custom views, rules - and if you open the mailbox in outlook on
  any other computer, the mailbox is identical. Because everything is on the server, you'll have much better syncing with smartphones and tablets with Exchange mailboxes.
  Calendar sharing, open other users folder, and retention policies are Exchange-only. Mail Tips and apps (linked under the reading pane header in Outlook 2013) are Exchange-only.
  Diane Poremsky [MVP - Outlook]
  Outlook & Exchange Solutions Center
  Outlook Tips
  Subscribe to Exchange Messaging Outlook weekly newsletter

• Can I use 3rd party instruments/plug-ins/loops with Garageband '11 running OS X 10.6.8? and how do I install?

  Can I use 3rd party instruments/plug-ins/loops with Garageband '11 running OS X 10.6.8? and how do I install?

  10.6.8 won't run on a PowerPC Mac. 
  10.6.8 also won't run the latest Java.  Here's what version of Java you can run:
  https://discussions.apple.com/docs/DOC-5532

• Does any one used 3rd party components like ICEFaces ?

  Hi
  Thank you for reading my post.
  does any one used 3rd party components like ICEFaces components with Creator Studio?
  What are other components pack that we can use in Creator?
  thanks

  OK, thanks to Peter Hanusiak, and Oracle Consulting consultant in Slovakia, I have resolved my issue and I'm hoping that the same solution may apply for you. See below for the instructions from Peter that helped me out. Note that since our applications are different, the specific libraries and locations that you need to confirm compatibility for may be different.
  Hope this helps,
  Dave
  I had similar problem. And in my case it was caused by different ADF from JDev and SOA Suite and SOA order booking demo.
  Because I can't test it now, I'll tell just what I remember.
  In SOADEMO is somewhere folder SOADEMO-CLIENT\UserInterface\public_html\WEB-INF\lib
  where you can find
  adf-faces-impl.jar
  jsf-impl.jar
  Try to find exactly the same libs in Jdev and copy&paste from Jdev to SOADEMO folder. then find the libs in SOASuite, and copy&paste from Jdev to SOA Suite those libs. Restart SOA Suite. Deploy Soademo-Client. And hopefully it will work.

• Cannot enter 3rd-party certificate into SCUP 2011 on Server 2012

  Hello all,
  I am trying to deploy SCUP 2011 on Server 2012 with a SCCM 2012R2 primary site w/WSUS onboard.
  Client is using a 3rd-party Digisign cert from a CA that is trusted through the enterprise. This cert has been imported into the private store and exported as a .pfx to be loaded into SCUP 2011. The Digisign cert is in the TrustedPublishers and Trusted Root
  stores.
  Administrator registry hack applied for Server 2012
  Options of SCUP 2011: Successfully connect to SCCM local site server and local WSUS server. However, when I browse and select the exported .pfx, I am not prompted for a password for the cert, and no certificate information is displayed. Also, there are no
  entries in the Trusted Publishers tab.
  I am stumped at this point. Any suggestions? SCUP just isn't looking at the cert (which was ordered according to the requirements in the SCUP blog.
  Thanks,
  -P

  A couple of questions...
  1. How, and where exactly, did you import the PFX to the WSUS Server (SUP)? Most notably.. the fully-signed cert needs to be in a cert store named *WSUS*, which has been notably difficult to create except when using the WSUS API to create it.
  2. You don't need to export the PFX for SCUP, only the CER (provided that the PFX is properly held on the WSUS server); but even so, if you already have the original cert from Digisign, why bother exporting from the store to import... you already *had* the
  full cert that could be imported to SCUP?
  3. If you're not prompted for the password of the PFX, that suggests that it wasn't exported with a password, or, since no cert information is available, maybe the export failed completely?
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Going from a self signed certificate to a 3rd party certificate....

  Hello all...
  I have an Apache webserver running both the GroupWise WebAccess and the
  Netware FTP server. Up until now, I have used self signed SSL certificates
  on each of them to provide security. Now, we are going to a 3rd party issued
  certificate for both of them.
  Any idea how I set up the apache server so it will use the 3rd party cert
  instead of the self signed one...?
  Also, if you know how to set it up with the FTP server as well, it would
  help.
  (And, yes I know this is not the right forum, but in the interest of not
  repeating my work, I was hoping to bend the rules some.....)
  Thanks in advance....
  Delon E. Weuve
  Senior Network Engineer
  Office of Auditor of State
  State of Iowa
  USA

  As far as the FTP goes, can you be more specific? Where is this ini file
  that I need to modify? And how do I modify it?
  Thanks.
  Delon E. Weuve
  Senior Network Engineer
  Office of Auditor of State
  State of Iowa
  USA
  >>> On 6/25/2008 at 2:34 PM, in message
  <[email protected]>, Richard Beels
  [SysOp]<[email protected]> wrote:
  > close enough on the group... :-)
  >
  > for apache, it's easy peasy, find the bit in your httpd.conf and where
  > it says:
  >>>>
  > SecureListen 443 "SSL CertificateDNS"
  >>>>
  >
  > change it to whatever you've neamed the new cert, such as:
  >>>>
  > SecureListen 443 "DigiCert"
  >>>>
  >
  > which should give you a clue as to what I recc. for 3rd party certs.
  > :-)
  >
  >
  > As to ftp, it should be the same, i.e. ini file fiddly bit...
  >
  >
  > --
  > Cheers!
  > Richard Beels
  > ~ Network Consultant
  > ~ Sysop, Novell Support Connection
  > ~ MCNE, CNE*, CNA*, CNS*, N*LS

• 3rd party Certificate and AAA Authentication

  I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
  In the connection profile i have set up that users should authenticate using both certificate and AAA.
  Due to a high security requirement, the user certificate is issued from a 3rd party.
  This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
  I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
  Problem:
  If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
  I got an idea that i could put the Serial Number of the users certificate on the user object in AD (on the users department field or something like that) and check if this value match during authentication.
  So, to sum things up, i want to compare the Serial Number (SER) field of the users certificate with a field on the user object in AD during authentication. As far as i can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field match the value on the user object in AD.
  I am happy for any help that could point me in the right direction on how to accomplish this.
  Best regards,
  Kenneth

  I actually got a better idea, and i think this will work great!
  One of the guys at work pointed out that the sAMAAccountName is still used in many areas even though it is called pre-windows 2000.
  After some trying and failing i got the idea that should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
  So i change the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that i tried to log in, and voila:
  [123] LDAP Search:
          Base DN = [dc=Testlab,dc=local]
          Filter  = [department=xxxx-xxxx-xxxxxxxxx]
          Scope   = [SUBTREE]
  [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
  The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
  I wasnt quite happy about using the "department" field and i took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificat to the "serialNumber" attribute on the user object:
  [138] LDAP Search:
          Base DN = [dc=Testlab,dc=local]
          Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
          Scope   = [SUBTREE]
  [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
  Worked like a charm!
  I will settle for this solution, i cant see any issues regarding security, and it will be a breeze to admin. I will make a tool now so i can search for users in AD and update/view this attribute on the user objects.
  Thank you for the input Marcin

• Using 3rd party binary in script that is run as job

  Hi all,
  I have several scripts to do various tasks with IIS logs we receive from all our various web servers.  One script unzips logs, another logparses to grab a few fields then sftp to a 3rd party for analysis, another will encrypt the original zip files
  in prep for ftp to 3rd party, another will ftp to that 3rd party, and yet another will analyse the logs with our in house analytiscs application.
  I want to have a master script that will run these other scripts as jobs so that it will control when to start certain scripts based on the state of the jobs.  It all seemed to work great as I was setting up test jobs, until I added '3rd' party executables
  like 7-zip, ftp.exe, winscp, etc...  The jobs would just go to failed state when they hit the executables.
  That's not my current problem though as I found out that if I used the
  -windowstyle hidden option for start-process then everything ran as expected, that is until I wanted to log output from the 3rd party app.  FTP for example.
  I tried this:
  $ftpexe = "C:\windows\System32\ftp.exe"
  $ftpscr="d:\scripts\ftpscrtmp.txt"
  "open 111.1.1.1`r`nSomeFTPuser`r`nSomepassword <..bunch of other ftp commands>" | Out-File -FilePath $ftpscr -Append -Encoding "ASCII"
  start-process -wait -filepath $ftpexe -argumentlist $ftparglist  -RedirectStandardOutput $ftplog -windowstyle hidden
  However, asking powershell to redirect output of a hidden window was probably like asking someone to cover their eyes and read a book and it let me know it.
  I have tried without using -windowstyle hidden and not having any luck.  I want to capture the output of the ftp commands so that I can make sure the file was transferred successfully.  If I run the script without -windowstyle hidden and not as
  a job it works, and I can test the output.  I really want to be able to run this script as a job AND get the output of the ftp to a file... advice?
  Thanks in advance!

  This works with no problem for me.
  Start-Process -wait -filepath ftp.exe -argumentlist  '-s:c:\scripts\ftpcmd.txt' -RedirectStandardOutput c:\scripts\ftp.log
  I get no window and the file gets written.
  This is my ftp command file:
  open ftp.microsoft.com
  anonymous
  [email protected]
  ls
  bye
  ¯\_(ツ)_/¯