Problem reading IdP Partner signing certificate from metadata

We're trying to set up SAML 2.0 based authentication on WLS 11g (10.3.5.0).
We are now stuck for the reason that we can't enable IdP Partner because there is no signing certificate visible in WLS although it is in the metadata. Everything else is being read from the metadata just fine.
We haven't been able to find anything related through Google, has anybody had similar problems?

Hi Trina,
> in the Token Signing certificate there is no option to export the private key
Please locate certificate template which you used to issue the Token Signing certificate, then expand the Request Handling tab of its properties. After that, check the Allow private key to be exported option as below:
Best Regards,
Amy

Similar Messages

  • Profile Manager Code Signing Certificate from GoDaddy .spc

    Convert the .spc to .cer for Profile Manager compatibility.
    Thought I'd share how to convert a code signing certificate acquired from go daddy as it downloads as a .spc file that Profile manager will not accept.
    When you download your code signing certificate from go daddy it will be a .spc file as stated above, and profile manager needs a .cer file.
    Take your .zip file over to a Windows 7 or better PC and double-click the .zip file.
    Then double-click the enclosed certificate.
    This will open the windows certmgr.
    Expand the certificate and locate your certificate (Should be the one with your company name )
    Right-Click the desired certificate, select all tasks, then Export
    Export the certificate as a DER .cer file.
    Now copy the exported .cer certificate to your Server App/Certificates and import it into the Pending Certificate.
    Once that's done also add the .cer certificate to your keychain.
    Remember to replace the expiring certificate if applicable
    LJS

    After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
    Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
    Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
    If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
    {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have access to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

  • Problem with placing self-signed certificate in trust store on WLS 10.3

    I have had some problems setting up two-way SSL on WLS 10.3.2.
    1. I have not been able to use the java properties listed on
    http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
    to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
    -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
    -DUseSunHttpHandler=true
    -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
    2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
    CA cert not marked with critical BasicConstraint indicating it is a CA
    Certificate chain is invalid
    which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
    by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
    Has anyone else noticed this?
    3. The error I get is
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during handshake, stack trace follows
    java.lang.NullPointerException
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
    alert with type 40?
    4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
    ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
    -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
    -storepass mypass -keypass mypass
    ** exported a DER format head certificate of mykey into mykey.cer.der
    ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
    Any comments appreciated and thanks for this forum.

    Faisal,
    Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive. The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is
    quite impressive, thank you so much for this!
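
    An added example, not code from the thread: a small Java audit of a JKS trust store for the two conditions discussed above, a validity date outside the 1970 to 2105 range and a self-issued certificate without a critical BasicConstraints CA extension. The class name and the reading of the range as whole calendar years in UTC are assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Set;
import java.util.TimeZone;

// Added example (hypothetical class name), not part of the original thread.
public class TrustStoreAudit {

    private static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    // Range quoted in the thread: notBefore 1970 and notAfter 2105, inclusive.
    // Interpreting both as whole calendar years in UTC is an assumption.
    static final Date EARLIEST = utc(1970, Calendar.JANUARY, 1, 0, 0, 0);
    static final Date LATEST = utc(2105, Calendar.DECEMBER, 31, 23, 59, 59);

    static Date utc(int year, int month, int day, int h, int m, int s) {
        GregorianCalendar c = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        c.clear();
        c.set(year, month, day, h, m, s);
        return c.getTime();
    }

    // Returns one human-readable finding per problem; empty list means clean.
    static List<String> findings(X509Certificate cert) {
        List<String> out = new ArrayList<String>();
        if (cert.getNotBefore().before(EARLIEST)) {
            out.add("notBefore " + cert.getNotBefore() + " is earlier than 1970");
        }
        if (cert.getNotAfter().after(LATEST)) {
            out.add("notAfter " + cert.getNotAfter() + " is later than 2105");
        }
        boolean selfIssued =
                cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        boolean isCa = cert.getBasicConstraints() >= 0;          // -1 means not a CA
        Set<String> critical = cert.getCriticalExtensionOIDs();  // null without extensions
        boolean bcCritical = critical != null && critical.contains(BASIC_CONSTRAINTS_OID);
        if (selfIssued && !(isCa && bcCritical)) {
            out.add("self-issued, but no critical BasicConstraints with CA=true");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive): java TrustStoreAudit <truststore.jks>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in the process list.
        char[] pass = console.readPassword("Store password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }

        boolean problems = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            for (String finding : findings((X509Certificate) c)) {
                System.out.println(alias + ": " + finding);
                problems = true;
            }
        }
        System.exit(problems ? 1 : 0);
    }
}
```

    A certificate created with `keytool -genkey -validity 35600` in 2011, as in the steps above, would be reported for both conditions.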

  • Problem with adding CA signed Certificate to DSEE Ldap Instance

    I am trying to enable SSL with the SUN DSEE LDAP server.
    DSEE version: 6.0
    Solaris version: 10.3
    I am following instructions from the SUNDSEE-ADMIN guide to generate the cert request, and got the signed certificate file. So here is my procedure:
    1. generate cert request:
    dsadm request-cert ...
    2. send the request file to CA
    3. got the signed cert back from CA with format like this:
    ----------BEGIN CERTIFICATE------------
    ----------END OF CERTIFICATE----------
    So now I got two files at hand: the cert request, and the signed cert.
    Then I am trying to add the cert to the cert store for my LDAP instance:
    $ dsadm add-cert /path/to/instance my-cert ldapcert.crt
    Unable to find private key for this certificate.
    Failed to add the certificate.
    $ dsadm add-cert -C /path/to/instance my-cert ldapcert.crt
    This command will complete. But if you list cert, you can only see the CA cert, no new server cert.
    My question is, where is this private key file stored? I searched on the forum, and someone mentioned the private key is generated when you issue request-cert command.
    So how can I add the server cert? What procedure am I missing here? If you only get one cert file which only has the public key in it from CA, how do you add the server cert apart from the CA cert?
    Let me know if I have a wrong understanding for the procedure.
    Thanks!

    I looked at this certificate under windows. It has a certificate chain issued for our LDAP server:
    CA root
    |----- LDAP server
    It looks fine. It is the signed server cert.
    I tested import-cert the self-signed cert which has both the private key and public key packed together, and it worked. A new cert is shown up for both "dsadm list-certs" and "dsadm list-certs -C".
    But when trying to import the CA-signed server cert, it complains that no private key is found.
    I am following instructions from this link:
    http://docs.sun.com/app/docs/doc/819-0995/6n3cq3aqp?a=view
    But if I do add-cert, I got this error:
    $ dsadm add-cert /path/to/instance my-cert ldapcert.crt
    Unable to find private key for this certificate.
    Failed to add the certificate.
    It works to import the CA cert though. Can someone advise about the private key missing issue?
    Thanks.

  • Removing Self-Signed Certificates from Personal Store (Lync)

    I believe a member of my team has a solution to the below but I wanted to weigh in on the PS forum area and see if there were additional thoughts.
    Short story, the Lync client self-signed cert is creating an issue with our updated PKI infrastructure.  In testing, when a user logs in with the new Infra. PKI chain the Lync client gives a certificate error.  When the *usersup*.cer is deleted
    from the personal store, everything is fine.  I've turned off the issuing of the client cert on the server side and running off AD authentication is fine.  I need to automate the removal of 6K+ user's personal certs.  Below is a PS script
    that does what I need to do but the prompt has to be elevated and elevating prompts for that many users poses an issue, if anyone has experience with this and has an alternative solution, please feel free to share.
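    # Select the Lync client certificates in the current user's personal store
    $certs = Get-ChildItem cert:\CurrentUser\My | where { $_.Issuer -like 'CN=Communications Server' }
    foreach ($cert in $certs) {
        # Open the parent store read/write, remove the certificate, then close it
        $store = Get-Item $cert.PSParentPath
        $store.Open('ReadWrite')
        $store.Remove($cert)
        $store.Close()
    }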

    Since you're trying to remove certificates from the user store, elevation shouldn't be required. I'm able to remove certs from a non-elevated prompt. What's the error you're getting?
    Also, you might be able to simplify your script to the following:
    Get-ChildItem cert:\CurrentUser\My | where { $_.Issuer -like 'CN=Communications Server' } | Remove-Item -WhatIf
    If that looks right, you can remove the -WhatIf and let it do its thing (you can also add the -Confirm switch if you want to answer Yes/No to each certificate).

  • Problems generating a self-signed certificate using SDK

    Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
    SP2 system. Also Java 2 runtime version 1.4 installed.
    When I'm trying to generate a self-signed certificate I typed
    the following in command line:
    D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA
    newcert.p12 pass123
    After a short delay an "unable to create output file" message
    appears in command console and an empty (0 byte length) newcert.p12
    created.
    What may be the problem?
    Also I would like to know if there was another way to create
    self-signed certificates or is it possible to build air packages
    without signing the source code?
    Thanks in advance and sorry for bad English!

    I haven't seen this error occur before. It could indicate a
    full drive or similar condition that might prevent writing to the
    file.
    Can you try using Java 1.5? Although 1.4 is officially
    supported, I think 1.5 receives much more testing.
    You can create self-signed certificates using other tools. If
    you do that, make sure the certificate is marked as usable for
    code-signing; otherwise, adt won't accept it.
    You cannot create air packages without signing them.

  • Getting self-signed certificates from an internal server...

    Hi!
    Thanks to the beautiful [Andreas Sterbenz's|http://blogs.sun.com/andreas/entry/no_more_unable_to_find] article I was able to download the two self generated certificates from the mail server and store them in a single file. So I expected things to work like a charm but soon I had to change my mind due to the (usual) error:
    javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
    nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:571)
    at javax.mail.Service.connect(Service.java:288)
    at javax.mail.Service.connect(Service.java:169)
    at com.agiletec.plugins.webmail.aps.system.services.webmail.WebMailManager.initInboxConnection(Unknown Source)
    at com.agiletec.plugins.webmail.aps.tags.WebmailIntroTag.doStartTag(Unknown Source)
    [etc etc]
    So here's the first question: Is it correct to store the certificates in the system properties with the following code?
    System.setProperty("javax.net.ssl.trustStore", certificateInUse); // <--- path of the file where I've stored the certificates
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // password used
    System.setProperty("javax.net.ssl.trustStoreType","JKS");
    I haven't gone in the depth of the SSL theory but it seems to me that my webapp stores the certificates and keeps on connecting in the standard (non SSL) way....
    Thanks in advance for the time spent reading!
    Matteo

    Have you tried setting the "Always trust" property? Double click the certificate in Keychain Access and allow it to have always trust for email.
    Also, make sure that bundles are enabled for mail.
    (Forget the command, google for "defaults write com.apple.mail enableBundles")
    That did it for me.
    Br,
    T

  • Problem signing certificates from external token (smart card)

    I can not sign PDF documents with an external token (smart card) through a card reader of a Cherry keyboard.
    The card drivers perfectly detect the card and certificates in it, however when trying to sign a certificate in Adobe and select the location of the certificate click in the option "A device attached to this computer" ... I get an error indicating that no device is connected to the computer appears.
    I have tried several different card readers, it seems a problem of drives because the middleware card recognizes all tested certificates readers, however it seems that Adobe is not able to find the card reader. It has happened with several teams. In one team made a clone and deploy it to another machine with the same hardware environment, the firm run properly in the pdf that clone, however on the original computer is not working.
    You have any idea what could be the problem? Thank you very much in advance.

    If the digital ID's corresponding public-key certificate is not getting added to either the Windows Certificate Store, or Mac Keychain Access when you plug the card into the card reader, then you need to load the PKCS#11 module via the Acrobat UI. The module will be a DLL on Windows or a bundle file on the Mac. The problem is there is no one file name to look for, you would need to consult the hardware's documentation to find the name of the file. Once you know the name you can add the P11 module from the Security Settings dialog and then Acrobat will then see the digital ID(s) loaded on the smart card.
    Steve

  • Antenna - problem reading in a property value from the build.xml file

    Hi
    I have declared a property in build.xml file of my project like
    <property name="debug" value="true" />
    I want to read the value of this property in my source code like
    //#if debug == "true"
    //#endif
    Above method doesn't work. I tried using method below but it didn't work as well
    //#if ${debug} == "true"
    //#endif
    Can anyone please help me how can I read this value?
    Thank you

    you can get your key bytes with byte [] keyBytes = mykey.getEncoded();
    and then write your byte array in a file.
    to get back your key :
    SecretKey myKey = new SecretKeySpec(keyBytes,"TripleDES");

  • Thawte code signing certificate problem

    Hi everyone!
    I wonder if someone here could help me out a little bit?
    I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can't find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it's too late. I have to use same browser I have used earlier.
    I send this answer to Thawte too, but I'm not sure when they answer...

    Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
    See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
    I haven't tried it, but maybe you can import the certificate into Firefox and then re-export it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

  • Signing with Code Certificate from COMODO ?

    Hi,
    does anyone have some experience with a Code Signing Certificate from COMODO ?
    I exported the certificate from Chrome or IE and tried the signing for a jar file,
    but get:
    jar signed.
    Warning:
    The signer's certificate chain is not validated.
    Can anyone help me ?
    Many thanks.

    According to tzengs suggestion I tried to export the certificate again from firefox using "backup all" instead of "backup" with no effect.
    One thing which I am still not sure of:
    Can my client give me a p12 certificate which I can use as it is to sign my application using the provided password or do I have to process this certificate first?
    Depending on the answer to this question I need to take different action:
    YES: I need to tell my client to export the certificate in a different manner in order to "create the complete chain"
    NO: The certificate from my client is fine but I still need to figure out how to change the certificate so that I don't get the error.
    Thanks for your help.

  • How to register iOS device when using self signed certificate with apple Server?

    Hi,
    I have installed the server.app by Apple and used a self signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problems (I just had to add my self signed certificate to the trusted certificates)
    Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
    Nevertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
    Does anyone have an idea how to get around the problem with the self signed certificate?
    Best regards

    Try deleting the Server.app and download it again from the App Store, restart.
    My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

  • Importing self-signed certificate

    Hi there!
    I have some problems in importing SSL certificates on my macbook.
    There are 2 certificates that need to be imported: the root CA certificate, which is self-signed naturally, and the private user certificate, which is signed by the above-mentioned CA.
    The first file is in .crt format, which consists of CA public key and sign. The second file is in .p12 format, which consists of encrypted public and private keys.
    The problem is:
    I can import neither the CA nor my personal certificate.
    The CA cert should be imported at "CA" tab in keychain, but the import button ("+") is inaccessible here:
    http://img.200133883.info/big//%D0%A1%D0%B2%D1%8F%D0%B7%D0%BA%D0%B0_%D0%BA%D0%BB %D1%8E%D1%87%D0%B5%D0%B9-20120313-143521.png
    When I tried to double-click CA.crt I got the import error # -67762 which says that attribute "key length" was invalid. The same thing with my personal certificate.
    Could somebody explain to me how I should import those two SSL certificates?

    I'm using self-signed certificate from SBS. Right now it's not the question, if something is misconfigured within my certificate (I'm aware of SBS certificate problems), the problem is that E90 WILL NOT recognize .cer or .der files as certificates.
    There must be someone, who can answer this really simple question, which certificate formats are supported on E90.
    You will find this type of question posted many times on different forums, with different suggestions, but they simply don't work.
    Again my error is "file format not supported"

  • CA-Signed certificate: Received fatal alert: bad_certificate

    Hello. I am still trying to get rmi ssl to work in the way I want (see my post http://forums.sun.com/thread.jspa?threadID=5351278&tstart=15 ).
    I read that CA signed certificates are preferred to self signed certificates due to several reasons. Due to the fact, that I want to run a lot of different services, each with an own certificate, it is out of question to let them be signed by a real CA (for now all is in a testing environment and once I have solved all the problems this might become an option).
    So for now, I create my own certificate authority and sign the certificates for my services (who interact with each other via ssl).
    If there is a flaw in my setup, please tell me. If not continue reading.
    In my scenario, a service A is querying a server S to discover a service B. S sends all the information about B back to A, including the certificate of B (so A can use ssl to talk to B). I use client authentication.
    Each component uses a keystore, which acts as a truststore at the same time.
    When I use self signed certificates and import them to the other keystores (using keytool) everything works as it should.
    My setup using ca-signed certificates fails.
    At the beginning the server has all the certificates in his keystore (A & B & S, which were signed with the servers secret key, who acts as my CA). A contains the servers certificate and his own, which has been signed with the servers private key (A &S). B contains the servers certificate and his own, which has been signed with the servers private key (B & S).
    As far as I understand ssl, if A wants to talk to B, it needs the certificate of B (and needs to trust it).
    In my scenario, A is receiving the certificate of B, when it queries the server for information about B. The certificate is imported into As keystore (works), but the method call fails with:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    Is rmi ssl creating and using selfsigned certificates from the private keys in the keystore? Maybe I made a mistake, but I don't see it.
    A has a certificate of B (and trusts it, because it was signed by an authority whose certificate is trusted from the beginning). B should trust the certificate of A (because it was signed by the same authority). So why is there a bad certificate?
    My guess is, in the ssl handshake, A is using his private key to create a self signed certificate and is sending this to B. B has no reason of trusting a self-signed certificate and the handshake fails.
    If you have any ideas, I appreciate them a lot.

    ejp wrote:
    So for now, I create my own certificate authority and sign the certificates for my services (who interact with each other via ssl).
    So all you have to do is ensure that every client trusts your CA.
    This is done by importing the CA's certificate into each trust store.
    Each component uses a keystore, which acts as a truststore at the same time.
    That's a really bad idea. They serve completely different purposes. Don't do that.
    Ok, I will change that. So the trust store is used for certificates I trust (which then can be used by ssl), the keystore is used to store secret keys or if I want to do "cryptography by hand".
    As far as I understand ssl, if A wants to talk to B, it needs the certificate of B (and needs to trust it).
    That's true if B is a server. If A is the server in this scenario it is B that needs to trust A.
    In my scenario, A is receiving the certificate of B, when it queries the server for information about B. The certificate is imported into As keystore (works)
    Should be truststore
    I will change that it's only imported into the trust store (-> will do the separation of trust/key store).
    but the method call fails with:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    So there is something wrong with the certificate that B sent.
    Yes, but I don't know why. I created a certificate signing request (csr) for B (using keytool) and then used openssl to create the certificate. When I use a private key and openssl to create a selfsigned certificate e.g. create csr for B, export private key of B, use openssl to create the certificate with the private key of B), it has the same checksum as a self signed certificate using keytool.
    The trust store of B contains the CA signed certificate of B and the CA certificate. I don't understand why it is a "bad certificate".
    Maybe separating key and trust store will solve the problem or give some new hints.
    Is rmi ssl creating and using selfsigned certificates from the private keys in the keystore?
    No. SSL doesn't generate certificates at all. You do. SSL just looks in the keystore for a certificate to send that matches what the peer will accept, and sending that.
    So maybe the CA cert is used for it, which would be fault. I'm going to check that.
    A has a certificate of B (and trusts it, because it was signed by an authority whose certificate is trusted from the beginning). B should trust the certificate of A (because it was signed by the same authority).
    > A and B don't need mutual trust unless you have needClientAuth set 'true' somewhere, which you haven't mentioned.
    I mentioned it, but it came to my mind at the end of my post, so it's kind of hidden in the text. So, I do use client authentication.
    > > My guess is, in the ssl handshake, A is using his private key to create a self signed certificate
    > No. See above.
    > > and is sending this to B. B has no reason of trusting a self-signed certificate and the handshake fails.
    > No. There is something wrong with the certificate that was received by the side that first got the bad_certificate alert.
    Thanks a lot. I see several things clearer now.
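
    An added example, not code from the thread: one way to build the SSL context for RMI with client authentication from a separate key store and trust store, as advised above, with two sanity checks on the stores. The class name and file arguments are assumptions; the key store holds the component's own private key and CA-signed chain, the trust store holds only the CA certificate.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Added example (hypothetical class name), not part of the original thread.
public class SeparateStores {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // The trust store should contain CA certificates only, never private keys.
    static void requireCertsOnly(KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isKeyEntry(alias)) {
                throw new IllegalStateException("key entry in trust store: " + alias);
            }
        }
    }

    // True if a key entry still presents a self-signed leaf, i.e. the CA reply
    // was never imported under that alias and peers will be sent that certificate.
    static boolean hasSelfSignedKeyEntry(KeyStore keys) throws Exception {
        boolean found = false;
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.isKeyEntry(alias)
                    ? keys.getCertificateChain(alias) : null;
            if (chain == null || chain.length == 0
                    || !(chain[0] instanceof X509Certificate)) {
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                System.err.println("self-signed certificate on key entry: " + alias);
                found = true;
            }
        }
        return found;
    }

    static SSLContext build(KeyStore keys, char[] keyPass, KeyStore trust)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);          // what this component presents
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                  // what this component accepts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive): java SeparateStores <keystore.jks> <truststore.jks>");
            System.exit(2);
        }
        char[] keyPass = console.readPassword("Key store password: ");
        char[] trustPass = console.readPassword("Trust store password: ");

        KeyStore keys = load(args[0], keyPass);
        KeyStore trust = load(args[1], trustPass);
        requireCertsOnly(trust);
        if (hasSelfSignedKeyEntry(keys)) {
            System.exit(1);
        }

        SSLContext ctx = build(keys, keyPass, trust);
        // SslRMIClientSocketFactory uses the default SSLSocketFactory, so install
        // the context as the default before the first SSL connection is made.
        SSLContext.setDefault(ctx);
        // needClientAuth = true: the peer must present a certificate we trust.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(ctx, null, null, true);
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // Pass csf and ssf to UnicastRemoteObject.exportObject(obj, port, csf, ssf).
        System.out.println("SSL context ready: " + ctx.getProtocol());
    }
}
```

    With this layout no per-peer certificate has to be imported at run time: A and B each trust the CA certificate, and each presents its own CA-signed chain from its key store.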

  • Can you use a self signed certificate on an external Edge Server interface?

    Hi,
    I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
    At first, when logging in from the Lync 2013 client on the external user's machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event Viewer (in the application or system logs). However, I receive the following error from the Lync client, "We're having trouble connecting to the server... blah, blah".
    Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem to.
    I can tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
    Thx

    Drago,
    Thanks for all your help. I got it working.
    My problem with the Lync client error, "We're having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
    Let me update everyone about self-signed certificates:
    YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
    I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
    Here are my notes:
    Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
    On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
    Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
    You should have already completed: Step1 and Step 2.
    Run or Run Again "Step 3: Request, Install or Assign Certificates".
    Install the "Edge internal" certificate.
    Click "Request" button to run the "Certificate Request" wizard.
    You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
    Once the certificate has been created, use "Import Certificate" to import it.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
    In the Lync deployment wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
    Install the "Edge External" certificate (public Internet).
    Click the "Request" button to run the "Certificate Request" wizard.
    Press "next"
    Select "Prepare the request now, but send it later (offline certificate request)".
    Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
    Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
    Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
    Fill in the organization info.
    Fill in the Geographical Information.
    The wizard should automatically fill in the "Subject name:" and "subject alternative name:" fields.
    Select your "Configured SIP domains"
    "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
    Verify the "certificate Request Summary". Click next.
    Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
    Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
    In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
    For the "External Edge certificate (public Internet)", click "Assign".
    The "Certificate Assignment" wizard will run.
    Click next.
    From the list, select your cert "EXTERNAL-EDGE".
    Finish the wizard to "complete".
    You are finished on the server.
    Move the "ExternalCert.p7b" file to the machine running the Lync client. Install the cert via the "Certificate Import Wizard".
    When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
    Browse
    Select "Trusted Root Certification Authorities"
    Finish the wizard.
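
A check that could follow these notes on the client machine, added here as an example and not part of the original post: it lists what ExternalCert.p7b contains, adds only the self-signed root to Trusted Root Certification Authorities, then tests whether the Edge certificate chains to it and carries the expected name. The name sip.example.com is a placeholder, and the script assumes an elevated Windows PowerShell session on an English-language system (the SAN text is matched as "DNS Name=...").

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell session.
$p7bPath      = '.\ExternalCert.p7b'   # file name used in the notes above
$expectedName = 'sip.example.com'      # placeholder: the FQDN your external clients connect to

# Load every certificate carried in the PKCS#7 bundle and show what is in it.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import((Resolve-Path $p7bPath).Path)
$bundle | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

# Self-signed entries (Subject equals Issuer) are root CAs; the rest are intermediates and the leaf.
$roots  = @($bundle | Where-Object { $_.Subject -eq $_.Issuer })
$others = @($bundle | Where-Object { $_.Subject -ne $_.Issuer })
if ($roots.Count -eq 0) { throw 'No self-signed root CA certificate found in the bundle.' }

# Add only the root(s) to Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { foreach ($r in $roots) { $store.Add($r) } } finally { $store.Close() }

# The leaf is the certificate that did not issue any other certificate in the bundle.
$leaf = $others | Where-Object {
    $subject = $_.Subject
    -not ($bundle | Where-Object { $_.Issuer -eq $subject -and $_.Subject -ne $subject })
} | Select-Object -First 1
if (-not $leaf) { throw 'No end-entity (Edge) certificate found in the bundle.' }

# Build the chain the way a Windows client would, supplying the bundle's intermediates.
# Revocation checking stays at its default, so an unreachable CRL shows up in the status list.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
foreach ($c in $others) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$chainOk = $chain.Build($leaf)
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

# Check the Subject Alternative Name extension (OID 2.5.29.17) for the expected DNS name.
$san     = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$nameOk  = $sanText -match ('DNS Name=' + [regex]::Escape($expectedName) + '(,|$)')

[pscustomobject]@{
    Leaf         = $leaf.Subject
    ChainTrusted = $chainOk
    NameInSan    = $nameOk
    San          = $sanText
}
```

If ChainTrusted is True and NameInSan is True but the client still cannot sign in, the certificate is unlikely to be the cause and the server configuration is the next place to look.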
