Question about Certificates

We have a customer that has a need to get rid of the Security Warning users see each time they log onto the Guest Wireless and go to use the internet. I believe the best way to do this is to install a 3rd party certificate. I found this link:
http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
I assume if I follow that this should work for them. Is that correct? Is there any other way or better way to do this?
The customer is running 4.2.176 WLC Software and cannot go to any version of 5 due to older APs.
Thanks in advance

According to the original bug report, the chained cert issue was "Fix in" in 4.2.159.0 and higher, although the bug report still lists that solution as "Upgrade to controller version 5.1.151.0 or higher".
I am 98% sure that I successfully set up and tested a chained SSL cert from GoDaddy for web auth on a 4.2.176.0 controller earlier this year because our cert provider stopped issuing unchained certs (I could very well be wrong!). From another reply in this thread, it looks like Geotrust still issues unchained certs, so that may be the quickest route for the OP.
The release notes for 4.2.176.0 indicate an open caveat:
CSCsq13174: Web authentication device certificates cannot contain the Certificate Authority (CA) roots chained to the device certificate. However, device certificates should be able to be downloaded as chained certificates (up to a level of two).
There is a new doc for loading chained certs on a WLC (it concurs with your 5.1.151.0 comment above, and it was updated in February of this year):
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
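
The caveat and the chained-cert question above come down to what is in the bundle and in which order. The following Python script is an added example (not part of the thread and not Cisco's code): it reads a PEM bundle as a CA portal delivers it, orders the certificates device cert, intermediate(s), root by matching each Issuer to the next Subject, reports the first issuer missing from the bundle (the condition that produces the browser warning in the first place), and writes the chain followed by the private key into one PEM file, which is the general layout the linked chained-certificate procedure starts from; follow that document for the exact openssl conversion steps and for the 4.2 restriction. It uses only the standard library, with a minimal DER walker instead of the `cryptography` package. The certificate names, `guest.example.com` and the demo key placeholder are constructed; the dummy certificates it builds are unsigned and exist only so the script runs offline.

```python
"""Order a CA-supplied certificate bundle leaf -> root and lay it out for a WLC.

Added example, not Cisco's code. Reads each certificate's Subject and Issuer with a
minimal DER walker (standard library only), orders the chain, reports a missing
issuer, and concatenates device cert, intermediates, root and key into one PEM.
The dummy certificates built at the bottom are structurally valid but unsigned.
"""
import base64
import re

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}


def _tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings (RFC 5280 TBSCertificate order)."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)                         # serialNumber
    _, _, pos = _tlv(der, pos)                         # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)
    issuer, pos = der[pos:end], end                    # issuer Name
    _, _, pos = _tlv(der, pos)                         # validity
    _, _, end = _tlv(der, pos)
    return der[pos:end], issuer                        # subject Name


def name_to_str(name_der):
    """Render a DER Name as 'CN=...,O=...' (one attribute per RDN; unknown OIDs as hex)."""
    _, pos, end = _tlv(name_der, 0)                    # Name ::= SEQUENCE OF RDN
    parts = []
    while pos < end:
        _, rdn_pos, pos = _tlv(name_der, pos)          # RDN ::= SET OF AttributeTypeAndValue
        _, atv_pos, _ = _tlv(name_der, rdn_pos)
        _, oid_pos, oid_end = _tlv(name_der, atv_pos)  # type OID
        _, val_pos, val_end = _tlv(name_der, oid_end)  # value
        oid = name_der[oid_pos:oid_end]
        parts.append(f"{_OIDS.get(oid, oid.hex())}={name_der[val_pos:val_end].decode('utf-8', 'replace')}")
    return ",".join(parts)


def order_chain(pem_bundle):
    """Return (chain, missing): DER certs ordered leaf -> root, and the DN of the first
    issuer absent from the bundle (None when the chain ends at a self-signed root)."""
    if isinstance(pem_bundle, str):
        pem_bundle = pem_bundle.encode()
    certs = [base64.b64decode(m.group(1)) for m in _PEM_RE.finditer(pem_bundle)]
    info = {c: subject_issuer(c) for c in certs}
    self_signed = {c for c, (s, i) in info.items() if s == i}
    issuers = {i for c, (s, i) in info.items() if c not in self_signed}
    leaves = [c for c, (s, _) in info.items() if s not in issuers and c not in self_signed]
    leaves = leaves or list(self_signed)               # a bundle holding only a root
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    by_subject = {s: c for c, (s, _) in info.items()}
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        subj, iss = info[cur]
        if subj == iss:                                # reached the self-signed root
            return chain, None
        cur = by_subject.get(iss)
    return chain, name_to_str(info[chain[-1]][1])      # issuer of the last cert is not in the bundle


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def build_wlc_bundle(pem_bundle, key_pem):
    """Device cert, then intermediates, then root, then the private key, in one PEM file."""
    chain, missing = order_chain(pem_bundle)
    if missing:
        raise ValueError(f"chain incomplete, missing issuer: {missing}")
    return "\n".join([to_pem(c) for c in chain] + [key_pem.strip()]) + "\n"


# --- Constructed demo input: unsigned certificates with a real TBSCertificate layout ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn, o):
    def atv(oid, v):                                   # SET { SEQUENCE { OID, UTF8String } }
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, v.encode())))
    return _der(0x30, atv(b"\x55\x04\x03", cn) + atv(b"\x55\x04\x0a", o))


def dummy_cert(subject, issuer):
    """subject/issuer are (CN, O) tuples. Signature is an empty BIT STRING: demo only."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(*issuer) + validity + _name(*subject) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


ROOT = dummy_cert(("Demo Root CA", "Demo CA"), ("Demo Root CA", "Demo CA"))
INTER = dummy_cert(("Demo Issuing CA", "Demo CA"), ("Demo Root CA", "Demo CA"))
LEAF = dummy_cert(("guest.example.com", "Example Corp"), ("Demo Issuing CA", "Demo CA"))
SHUFFLED_BUNDLE = "\n".join(to_pem(c) for c in (INTER, ROOT, LEAF))   # portals rarely order it
DEMO_KEY = "-----BEGIN PRIVATE KEY-----\nDEMO-PLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----"

if __name__ == "__main__":
    for c in order_chain(SHUFFLED_BUNDLE)[0]:
        print(name_to_str(subject_issuer(c)[0]))
    print(build_wlc_bundle(SHUFFLED_BUNDLE, DEMO_KEY))
```

Run it against the files the CA actually sent (read them into `order_chain` in place of `SHUFFLED_BUNDLE`); a non-empty `missing` value before the upload is the same fault the browser will report after it. The function stops at a self-signed root, so a bundle that ends at the intermediate because the CA only ships leaf plus intermediate will report the root as missing, which is a prompt to fetch it from the CA's repository, not an error in the certificate itself.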

Similar Messages

  • Another Question about Certificate-based Authentication

    Hello,
    I was successful in PDC-based authentication, but have the
    requirement to further improve this.
    For this, I have to use the "Match Certificate in LDAP"-feature.
    I have modified a user to include a "userCertificate"-attribute,
    and pointed the parameters to access to the directory server.
    Until now, I had no success.
    In the Logfile "amAuth"-Logfile I can see this message:
    <------------------>8-------------------->8------------------------>
    com.sun.identity.authentication.spi.AuthLoginException: Error in locating registered certificate
    <------------------>8-------------------->8------------------------>
    In the Directory Server log, I can only see a successful bind-request,
    but, interestingly, no search:
    <------------------>8-------------------->8------------------------>
    [28/Sep/2004:10:47:17 +0200] conn=3352 op=-1 msgId=-1 - fd=109 slot=109 LDAP connection from 127.0.0.1 to 127.0.0.1
    [28/Sep/2004:10:47:17 +0200] conn=3352 op=0 msgId=8782 - BIND dn="cn=Directory Manager" method=128 version=2
    [28/Sep/2004:10:47:17 +0200] conn=3352 op=0 msgId=8782 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    <------------------>8-------------------->8------------------------>
    Anyone successful with this feature?
    Regards,
    Juergen Maihoefner

    Hi there
    I got a couple of doubts about the Certificate Authentication module, maybe you can help!
    First, have you made any documentation on how you made this work? Is it at all possible to get the source code of the module you have made? I think I'll need to create a custom module as well because of very specific client requirements.
    My problem (and I'll be posting a new thread with this, but just in case you have this on your watch list) is that I need to have both user/password and cert-based authentication enabled. I'll create a chain with both modules as sufficient. My problem is: the documentation tells me that I need to have the containers (I suspect both the server and the agents) with SSL enabled and (and this is the tricky part) with Client Authentication enabled. Now my problem is: when, on the http listener, I configure it with security and enable that listener with Client Authentication, when I try to access the container on the secure listener I get an error (in Firefox) or the browser asks me to select a certificate (on IE). When I don't provide a certificate it gives me the same error as Firefox.
    Basically, what I believe is happening is that with Client Authentication, the container will always request a certificate from the browser. Which isn't exactly what I want. I need the AM protected resources on this specific realm to allow authentication of a user based on a user/password OR a certificate.
    Basically what I want to know is: do I need to have Client Authentication enabled on the http listener? Did I misread the documentation? Is there a really good how-to on how to do this? Can you give me a hand?
    Thanks loads for your help
    Rp

  • Question about certificates required for publishing a script extension!

    Hi,
    I'm in the latest steps of creating my new InDesign plugin and I was studying the ways I can publish it, and Adobe Exchange looks like a good option, but here they are saying:
    Paid Content must have a certified signature. (Content posted as Free will be accepted with a self-signed certificate.) Extension Manager should be able to verify the Producer's signature. An application should be signed by a certificate issued by one of the following certificate authorities:
    Chosen Security, Thawte, GlobalSign, VeriSign, Comodo, UserTrust, GoDaddy
    And here, they say:
    blah ... so that you know that a trusted authority certificate will no longer be required. ...
    So, I'm a bit confused, my question is:
    1. is it required really to have these certificates?!
    2. If yes, how we are supposed to do this?
    Any idea would be much appreciated,
    thx, mim

  • Another Mail question about certificates.

    Hi all
    I know there have been a lot of posts on that but I didn't find any answer working. I have an IMAP account whose certificate is said to be invalid by Mail.app. I tried ticking the always trust box, it did not change anything. Mail won't trust even without restarting it.
    The detailed message is "The certificate for this server is invalid... etc." and then in the display under it "Unable to display certificate." It also works perfectly well in thunderbird.
    Thanks if you have any answer.

  • Question about Kurt's comments discussing the separation of AIA & CDP - Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy - Kurt L Hudson MSFT

    Question about the sentence in bold. What is the meaning behind this comment?
    How would you separate the role of the AIA and CDP from a CA subordinate server? I can see where I add a CES and CEP server which has those as well, but I don't completely understand his comment. Because in this second step, (http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx)
    he shows how to implement CES and CEP.
    This is from the guide located at: http://technet.microsoft.com/library/hh831348.aspx
    Step 3: Configure APP1 to distribute certificates and CRLs
    In the extensions of the root CA, it was stated that the CRL from the root CA would be available via http://www.contoso.com/pki. Currently, there is not a PKI virtual directory on APP1, so one must be created.
    In a production environment, you would typically separate the issuing CA role from the role of hosting the AIA and CDP.
    However, this lab combines both in order to reduce the number of resources needed to complete the lab.
    Thanks,
    James

    My concern is, they have a 2-3k base of XP systems; over this year they are migrating them to Windows 7. During this time they will also be upgrading hardware for the existing Windows 7 machines. The turnover of certificates is going to be high, which, from what I've read here, worries me.
    http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx
    The application then can go to those locations to download the CRL. There are, however, some potential issues with this scenario. CRLs over time can get rather large depending on the number of certificates issued and revoked. If CRLs grow to a large size, and many clients have to download CRLs, this can have a negative impact on network performance. More importantly, by default Windows clients will timeout after 15 seconds while trying to download a CRL. Additionally, CRLs have information about every currently valid certificate that has been revoked, which is an excessive amount of data given the fact that an application may only need the revocation status for a few certificates. So, aside from downloading the CRL, the application or the OS has to parse the CRL and find a match for the serial number of the certificate that has been revoked.
    With the above limitations, which mostly revolve around scalability, it is clear that there are some drawbacks to using CRLs. Hence, the introduction of Online Certificate Status Protocol (OCSP). OCSP reduces the overhead associated with CRLs. There are server/client components to OCSP: the OCSP Responder, which is the server component, and the OCSP Client. The OCSP Responder accepts status requests from OCSP Clients. When the OCSP Responder receives the request from the client it then needs to determine the status of the certificate using the serial number presented by the client. First the OCSP Responder determines if it has any cached responses for the same request. If it does, it can then send that response to the client. If there is no cached response, the OCSP Responder then checks to see if it has the CRL issued by the CA cached locally on the OCSP. If it does, it can check the revocation status locally, and send a response to the client stating whether the certificate is valid or revoked. The response is signed by the OCSP Signing Certificate that is selected during installation. If the OCSP does not have the CRL cached locally, the OCSP Responder can retrieve the CRL from the CDP locations listed in the certificate. The OCSP Responder then can parse the CRL to determine the revocation status, and send the appropriate response to the client.

  • Question about Single Sign On

    Hi Gurus!
    I have a question about the following scenario:
    The login in EP6 is with the NT User (adriano.oliveira), but to access the SAP applications I need to use another User (aoliveira - the size of the NT User is bigger than SAP User length).
    I know this works with user mapping, but the problem is that each user will need to configure his mapping (5000 users). Then I think the option is to use the SAP Logon tickets.
    My doubt is: is it possible to validate a user id at login (in the EP6 SP10) and generate the client certificate with another user id?
    Important: In the AD (Active Directory), for each NT User id, there is a field with the SAP User id. I could use this field...
    Thanks for any help.
    Regards,
    Adriano

    Adriano,
    You can maintain reference SAP Server.
    http://help.sap.com/saphelp_nw04/helpdata/en/ed/845896b89711d5993900508b6b8b11/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0b/d82c4142aef623e10000000a155106/content.htm
    Hope this helps,
    thanks,
    Praveen

  • Question about required workshop classes for OCP

    I'm working on finishing up my OCP in a few months. Quick question about the workshop class. Is there a test at the end of the week?
    Also how do most people pay for these classes? They are pretty steep and my company doesn't pay for stuff like this for me. I'm paying totally out of my own pocket. Also why is the online class the same amount as the instructor-led class? It's not like I'm in a room at some building that Oracle has to lease for use or something.

    RedDeuce wrote:
    > I'm working on finishing up my OCP in a few months.
    What certificate exactly are you working towards?
    > Also how do most people pay for these classes? They are pretty steep and my company doesn't pay for stuff like this for me. I'm paying totally out of my own pocket.
    Then talk to your employer again or maybe look for other jobs that support your plan better.
    > Also why is the online class the same amount as the instructor-led class? It's not like I'm in a room at some building that Oracle has to lease for use or something.
    They know that you might save on expenses for travel and hotel etc.

  • Question about PHP

    I am completely new to programming and have enjoyed Linux so much, that I would like to go into PHP next. Currently I am a University student with a dead end major (Russian Studies). I am looking to get a certificate in PHP over the course of this next year and to find a little better job with it than I could get with my current degree. I would do a Google search for this, however, I have come to like Arch and the community that surrounds it and wanted to know if any you fine web programmers out there, had any suggestions for free online courses in PHP or book that could be purchased. I was also wondering what a good PHP certification exam to take would be. I have seen the Zend exam and was considering doing a test prep for this after I learn a little more about PHP and SQL. Thank you for your help and suggestions!

    Berticus wrote:
    As I said, to most people, taxonomy doesn't matter. It does matter to other people, and I don't mean people like me who have these little pet peeves.
    It matters to people who know a lot of languages who need to know when to use what language. There isn't a single programming or scripting language that can be everything, so it's important for people, mostly software engineers, to know taxonomy, so they can pick a language most optimal for what they need to get done. Most of the time, when you're dealing with very complex systems, instead of using one language for the whole system, you'll find out you'll be using COBRA to handle hardware, C++ to handle interface and C to tie everything together or something like that.
    I mean when you're differentiating between an interpreted language (script) and a program, the issue is efficiency and speed. No matter what you do, an interpreted language is inherently slower and less efficient than a programming language. Even Java that is compiled, is compiled to Java Native Language or something like that, and requires the Java Virtual Machine to interpret it (that's why Java gets its own branch). I believe it's the fastest interpreted language, but how does it compare to a natively compiled program? It's still slower.
    Even when you know you're going to use a programming language, you still have choices, because each programming language can be split into a high, middle, and low level language. Reasons for using different levels are due to how quickly you need to write the program, how portable the program needs to be, how easily other people should be able to read the program, and whether it needs to have low level abilities such as handling memory directly. Then there's also the question about how your program is going to flow. Is it functional or object oriented?
    It's not so much an opinionated matter when you think about it. It's more along the lines of: do you need this knowledge or not? For most people, and I'm willing to bet that's everybody who posts in this thread, that information is not important; they don't need to know it, because they handle very, very simple applications compared to the complex systems that do indeed require the programmer or scripter to know the difference.
    Actually, the difference between interpreted and compiled (and faux-compiled) languages is different from the difference between programming and scripting languages; interpreted languages can also be programming languages, and compiled languages can be scripting (although this happens very little and is really pointless and tedious to do).
    'Scripting' usually refers to code meant to extend upon a framework or program separate from the script itself, whereas 'programming' is creating applications that are on their own, separate applications, regardless of whether they're run through an interpreter at runtime. The difference is a bit vague, and you are right in that interpreted languages are often used for scripting, but it is not necessary; look at something like Python, this can be used both as scripting for automating tasks quickly by using its immense library, as well as for creating stand-alone applications, which would be programming. (PHP is virtually always scripting, though)
    Either way I prefer the term 'coding'

  • Question about SSLM configuration

    I have a question about our SSLM configuration, please see the following example:
    service aa-SSL
    virtual ipaddr 172.25.17.15 protocol tcp port 443 secondary
    server ipaddr 172.24.92.6 protocol tcp port 80
    certificate rsa general-purpose trustpoint www.app.aa.com
    no nat server
    inservice
    crypto pki trustpoint www.app.aa.com
    revocation-check none
    rsakeypair www.app.aa.com
    crypto ca import www.app.aa.com pkcs12 tftp:xxx
    ======================================
    Once we finish the configuration, we could find the corresponding cer in SSLM, like:
    crypto pki certificate chain www.app.aa.com
    My first question is how to remove this cert if we want to decommission aa-ssl environment? Is it only with “no crypto pki certificate chain www.app.aa.com”
    If we have another environment like www.pre.app.aa.com shared the same VIP with www.app.aa.com. My second question is could I create only one ssl entry with wildcard like the following configuration:
    service aa-SSL
    virtual ipaddr 172.25.17.15 protocol tcp port 443 secondary
    server ipaddr 172.24.92.6 protocol tcp port 80
    certificate rsa general-purpose trustpoint *.app.aa.com
    no nat server
    inservice
    Please advise! I would appreciate it!

    You can remove the certificate but you need to be in certificate chain configuration mode to delete certificates. An example configuration is provided here
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1043434

  • A question about CommonName (Subject)

    Hello
    Can someone please help me with the following question
    I understand the 'original' idea behind the DN (e.g. CN=,OU=,O=,C=) was the idea of having a central world-wide directory, centrally controlled, for all countries to use (a bit like a global AD). However, due to security and political concerns it never took off. I therefore believe the full DN is an obsolete concept?
    If the above is correct (correct me if wrong please), then is it true to say the only part of the name that matters in the DN is the CN, e.g. CN=www.MyWebSite.com,ou=IT,o=MyCorp,c=UK?
    So what I am saying is the 'Subject' is the important entity, as it is the Subject who is bound to the public key once the CA is satisfied and creates the cert.
    Therefore is the Subject the whole DN or just the CN part?
    For example, if I first issue a cert to a web server like so: CN=www.MySite.com,OU=IT,O=BigCorp,C=UK, then one year later replaced the cert with one whose DN was CN=www.MySite.com,OU=IT,O=SmallCorp,C=UK, whereby the A record for www.MySite.Com pointed to the same web server, I believe this would work the same in both instances as it's just matching the CN and not the DN. Is that correct?
    Thanks, Regards
    AAnotherUser__

    > I therefore believe the full DN is an obsolete concept?
    it is not obsolete. Where did you read that?
    > Therefore is the Subject the whole DN or just the CN part?
    Subject is the whole DN. In various scenarios, various RDNs are processed to authenticate the entity.
    > I believe this would work the same in both instances as it's just matching the CN and not the DN. Is that correct?
    in this case, programmatically only CN is bound to an entity during SSL handshake. However, they might be different entities and user may elect to stop trust any certificate if the rest of the DN is not the one expected.
    You should understand that CN only doesn't provide enough information about certificate holder. For example, "CN=John Wayne, O=VeriSign, C=US" is not the same as "CN=John Wayne, O=Maple Leaf, C=CA". The purpose of DN is to uniquely identify
    two entities over the world with matching RDNs. Therefore, you should include in CN as much information as possible.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.
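
To make the reply's point concrete, here is an added Python example (not the replier's code; `www.MySite.com`, BigCorp and SmallCorp are taken from the question as constructed demo data): hostname matching as a TLS client performs it, using the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns. The full subject DN of the BigCorp and SmallCorp certificates differs, yet both match the hostname, because only the CN is consulted; and when a subjectAltName is present only the SAN is consulted and the CN is ignored as well. Wildcard handling follows the stricter policy browsers apply ('*' only as the whole leftmost label, never across a dot).

```python
"""Hostname matching the way a browser does it, added example (not from the thread).

Takes the dict shape Python's ssl.SSLSocket.getpeercert() returns, so it also
works on a live peer; the certificates at the bottom are constructed demo data.
Rules (RFC 6125, with the stricter wildcard policy browsers apply): if the
certificate carries subjectAltName dNSName entries, only those are consulted and
the CN is ignored; otherwise the CN is used; '*' may only be the whole leftmost
label and never matches across a dot; comparison is case-insensitive.
O, OU and C never take part, which is the point raised in the thread.
"""

_SHORT = {"countryName": "C", "organizationName": "O",
          "organizationalUnitName": "OU", "commonName": "CN"}


def subject_dn(cert):
    """Render the full subject DN in the order the certificate carries it."""
    return ",".join(f"{_SHORT.get(t, t)}={v}" for rdn in cert.get("subject", ()) for t, v in rdn)


def _dns_names(cert):
    """Return (names, source): SAN dNSName values if any, else the CN(s)."""
    san = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]
    return cns, "CN"


def _pattern_matches(pattern, hostname):
    """Match one name pattern against hostname; '*' allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False          # rejects 'f*.x.com', '*.com', and 'a.b.x.com' against '*.x.com'
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, reason). Only the CN or the SAN ever decides; the rest of the DN is ignored."""
    names, source = _dns_names(cert)
    if not names:
        return False, "certificate has neither a SAN dNSName nor a CN"
    for name in names:
        if _pattern_matches(name, hostname):
            return True, f"{hostname} matched {name!r} in {source}"
    return False, f"{hostname} not found in {source} {names}"


# Constructed demo certificates in getpeercert() form, mirroring the DNs in the question.
BIGCORP_CERT = {"subject": ((("countryName", "UK"),), (("organizationName", "BigCorp"),),
                            (("organizationalUnitName", "IT"),), (("commonName", "www.MySite.com"),))}
SMALLCORP_CERT = {"subject": ((("countryName", "UK"),), (("organizationName", "SmallCorp"),),
                              (("organizationalUnitName", "IT"),), (("commonName", "www.MySite.com"),))}
SAN_CERT = {"subject": ((("commonName", "cn-is-ignored.example"),),),
            "subjectAltName": (("DNS", "www.mysite.com"), ("DNS", "*.mysite.com"))}

if __name__ == "__main__":
    for cert in (BIGCORP_CERT, SMALLCORP_CERT):
        print(subject_dn(cert), "->", match_hostname(cert, "www.mysite.com"))
    print(match_hostname(SAN_CERT, "cn-is-ignored.example"))
```

Against a real peer this is `match_hostname(sock.getpeercert(), host)` after the handshake. The CN fallback is kept to illustrate the reply's observation, not as a recommendation: Chrome has ignored the CN entirely since version 58, so a certificate without a SAN fails there even when the CN is right.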

  • Question about using a SATA drive through an Express34 card?

    I have a basic question about OSX and how it treats a SATA drive hung from an Express34 SATA card. So OSX just treats any drive as a mounted drive as far as I know, but what about when booting...
    If, at boot up, I use the 'cmd C' option to select an external SATA drive hanging off of an Express34 SATA card, will OSX see that drive as if it just were the internal drive in the MBP, or is there some inherent difference between the real internal drive and any other SATA drive?
    I guess the question is... does the cmd C option really just tell the OS to treat this drive as though it were the internal drive and boot from it (assuming the drive is bootable of course), or is it doing something else?
    If that is the case, why can't I use an external drive and install BootCamp on it, assuming that I booted from this drive?
    Is there a difference between an external SATA drive from an Express34 card and an external FireWire drive?
    TIA,
    Peter

    vedderfan94 wrote:
    why?
    From the iTunes Store terms of service:
    > To purchase from an iTunes Store in a particular country, you must have both a residential address and a billing address in that particular country. Items on any particular country's iTunes Store are available only for distribution to customers who use a credit card, debit card, iTunes Gift Certificate, or iTunes Gift Card issued in and for that country.
    JGG

  • Questions about your new HP Products? HP Expert Day: January 14th, 2015

    Thank you for coming to Expert Day! The event has now concluded.
    To find out about future events, please visit this page.
    On behalf of the Experts, I would like to thank you for coming to the Forum to connect with us.  We hope you will return to the boards to share your experiences, both good and bad.
     We will be holding more of these Expert Days on different topics in the months to come.  We hope to see you then!
     If you still have questions to ask, feel free to post them on the Forum – we always have experts online to help you out.
    So, what is HP Expert Day?
    Expert Day is an online event when HP employees join our Support Forums to answer questions about your HP products. And it’s FREE.
    Ok, how do I get started?
    It’s easy. Come out to the HP Support Forums, post your question, and wait for a response! We’ll have experts online covering our Notebook boards, Desktop boards, Tablet boards, and Printer and all-in-one boards.
    We’ll also be covering the commercial products on the HP Enterprise Business Community. We’ll have experts online covering select boards on the Printing and Digital Imaging and Desktops and Workstations categories.
    What if I need more information?
    For more information and a complete schedule of previous events, check out this post on the forums.
    Is Expert Day an English-only event?
    No. This time we’ll have experts and volunteers online across the globe, answering questions on the English, Simplified Chinese, and Korean forums. Here’s the information:
    Enterprise Business Forum: January 14th 7:00am to 12:00pm and 6:00pm to 11:00pm Pacific Time
    Korean Forum: January 15th 10am to 6pm Korea Time
    Simplified Chinese Forum: January 15th 10am to 6pm China Time
    Looking forward to seeing you on January 14th!
    I am an HP employee.

    My HP, purchased in June 2012, died on Saturday.  I was working in recently installed Photoshop, walked away from my computer to answer the phone and when I came back the screen was blank.  When I turned it on, I got a Windows Error Recovery message.  The computer was locked and wouldn't let me move the arrow keys up or down and hitting f8 didn't do anything. 
    I'm not happy with HP.  Any suggestions?

  • Have questions about your Creative Cloud or Subscription Membership?

    You can find answers to several questions regarding membership to our subscription services. Please see Membership troubleshooting | Creative Cloud - http://helpx.adobe.com/x-productkb/policy-pricing/membership-subscription-troubleshooting-creative-cloud.html for additional information. You can find information on such topics as:
    I need help completing my new purchase or upgrade.
    I want to change the credit card on my account.
    I have a question about my membership price or statement charges.
    I want to change my membership: upgrade, renew, or restart.
    I want to cancel my membership.
    How do I access my account information or change update notifications?

    Branching to new discussion.
    Christym16625842 you are welcome to utilize the process listed in Creative Cloud Help | Install, update, or uninstall apps to install and evaluate the applications included with a Creative Cloud Membership.  The software is fully supported on recent Mac computers.  You can find the system requirements for the Creative Cloud at System requirements | Creative Cloud.

  • Questions about using the Voice Memos app

    I'm currently an Android user, but will be getting an iPhone 6 soon. My most used app is the voice memos app on my Android phone. I have a couple questions about the iPhone's built-in voice memos app.
    -Am I able to transfer my voice memos from my Android phone to my iPhone, so my recordings from my Android app will show up in the iPhone's voice memos app?
    -When exporting voice memos from the iPhone to computer, are recordings in MP3 format? If not, what format are they in?
    -In your opinion, how is the recording quality of the voice memos app?

    You cannot import your Android voice memos to your iPhone's voice memo app.  You might be able to play the Android memos and have the iPhone pick up the audio and record it.
    Here is the writeup about sending voice memos from the iPhone to your computer (from the iPhone User Guide):
    App quality is excellent.

  • Re: Question about the Satellite P300-18Z

    Hello everyone,
    I have a couple of questions about the Satellite P300-18Z.
    What "video out" does this laptop have? (DVI, s-video or d-sub)
    Can I link the laptop up to a LCD-TV and watch movies on a resolution of 1080p? (full-HD)
    What is the warranty on this laptop?

    Hello
    According to the notebook specification, the Satellite P300-18Z has the following interfaces:
    DVI - No DVI port available
    HDMI - HDMI-out (HDMI out port available)
    Headphone Jack - External Headphone Jack (Stereo) available
    iLink - iLink (FireWire) port available
    Line in Jack - No Line in Jack port available
    Line out Jack - No Line Out Jack available
    Microphone Jack - External Microphone Jack
    TV-out - port available (S-Video port)
    VGA - VGA (External monitor port RGB port)
    Also you can connect it to your LCD TV using an HDMI cable.
    Warranty is country specific; clarify this with your local dealer, but I know that all Toshiba products have 1 year standard warranty and also 1 year international warranty. You can of course extend it.
