Question Certificat

Similar Messages

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• How do i deal with 'security certificate' issues on my iPad2? I'm unable to answer the security questions that pop up when Im trying to download an app because the pop up does not load properly...

  Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??

  Well, I maged to delete some stuff, download the update...
  My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
  All a bit strange to say the least any suggestons on how to resolve this.
  I now have a second issue in all my emails at the very top of each it describes in detail the full information of
            Delivered-To:  
            Received:  
            Received:  
            Received:  
            Received:  
            X-Received:  
            Return-Path:  
            Received-Spf:
            Authentication-Results:
            Content-Type:  
            Mime-Version:  
            X-Mailer:  
            X-Cloudmark-Analysis:  
  Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend

• How to exctract/backup a client certificate from Firefox for Android similar to question #1000240 but for the latest Firefox Beta for Android?

  As in #1000240 and in #1032181, I've installed a StartSSL login certificate in my Firefox for Android and having a problem with extracting/backuping it to use with another device/browser.
  I'm using the latest Firefox Beta for Android (35.0) at present; the Android version is 4.1.2, my phone model is Sony LT26i (Xperia S), so neither of the aforementioned questions asked at the Mozilla Support website do not contain any solution to the given problem.
  Any chance to recover the certificate?
  P. S. I haven't rooted my device; if getting a root is the only possible way to recover the certificate, I may consider doing so.

  You can try https://addons.mozilla.org/en-US/android/addon/copy-profile/ If that does not retrieve the file then see below.
  If you know the name and path of the file you can get it using run-as function of adb. See http://stackoverflow.com/questions/18471780/android-adb-retrieve-database-using-run-as
  If you end up down here you'll need root to be able to navigate the file system. I don't know the file name, though it is likely in your profile folder which can be determined by visiting about:cache in the Firefox address bar. It will be similar to /data/data/org.mozilla.firefox_beta/files/mozilla/$RANDOM.default/

• MAIL certificate question

  Lately I get a question box when I open MAIL.   I have Snow Leopard, and opted to keep Mobile Me at the switch this summer.   It has been working just fine,
  same as always with no change.  Now I get this:    note:  {   }   is a description from me for something I can not create here
  Verify Certificate.    
  The certificate for this server is invalid.  You might be connecting to a server that is pretending to be "mail.me.com" which could put your confidential infirmation at reks.  Do you want to connect to the server anyway?
  ☐   Always trust "mail.mac.com"  when connecting to "mail.me.com"
  {then there is a box enclosure}
  ☐     {this one is bwown}   Verification Class 3 Public Primary Certification Authority - G5
  {below, indented}    {an arrow like this one  ↵  pointing to the right to this bluish box,}  ☐     VeriSign Class 3 Extended Validation SSL SGC CA
  {then a larger bluish box:     "Mail.mac.com"
  Issued  by: VeriSign Class 3 Extended Validation SSLSGC CA Expires:  Friday, April 18, 2014.
  {then  a red circle with an X inside, statement in red}   This certificate is not valid (host name mismatch)
       Trust
       Details
  {my choices}     Hide Certificate          Cancel     Connect {in blue}
  --------------------------------end of warning--------
  Thank you in advance.    What should I do?   Is anyone else getting this?   The emails still coming in are directed to my email address.
  Tom

  I have iCloud eMail running in 10.4.11 & 10.5.8...
  Do not delete the old account yet. sign up for an iCloud account if you haven't.
  I understand .mac mail will still come through. Do not delete the old account yet.
  You cannot use .mac or MobileMe as type of Account, you have to choose IMAP when setting up, otherwise Mail is hard coded to change imap.mail.me.com to mail.me.com & smtp.mail.me.com to smtp.me.com, no matter what you try to enter.
  iCloud Mail setup, do not choose .mac or MobileMe as type, but choose IMAP...
  On second step where it asks "Description", it has to be a unique name, but you can still use your email address.
  IMAP (Incoming Mail Server) information:
            •          Server name: imap.mail.me.com
            •          SSL Required: Yes
            •          Port: 993
            •          Username: [email protected] (use your @me.com address from your iCloud account)
            •          Password: Your iCloud password
  SMTP (outgoing mail server) information:
            •          Server name: smtp.mail.me.com
            •          SSL Required: Yes
            •          Port: 587
            •          SMTP Authentication Required: Yes
            •          Username: [email protected] (use your @me.com address from your iCloud account)
            •          Password: Your iCloud password
  Also, you must upgrade your password to meet the new criteria:  8 characters, including upper and lower case and numbers.  If you have an older password that does not meet these criteria, when you try to setup mail on your mac, using all of the IMAP criteria listed above, it will still give a server error message.  Go to   http://appleid.apple.com         then follow directions to change your password, then go back to setting up your mail using the IMAP instructions above.
  Thanks to dpepper...
  https://discussions.apple.com/thread/3867171?tstart=0

• Windows Root Certificate authority questions.

  hello,
  I have 2 questions with regards to Offline ROOT CA in a 2 TIER Hierarchy :
  (1) Is it necessary to to ” map the Namespace of Active Directory to an Offline CA’s Registry Configuration” ? I didn’t do this step in my lab env and find this in some but
  but not all the online posts as well. what happens if we don't run this command on offline CA ?
  For instance:  certutil.exe –setreg ca\DSConfigDN CN=Configuration,DC=lab,DC=com 
  (2) What happens if i do not publish the ROOT CA certificate via "certutil -dspublish -f xxx.cer ROOTCA " command but instead just  push the root certificate  using Default Domain Group Policy Object to "Trusted Root Auth" store
  on all the domain machines ?  What are the pros/cons of using the certutil method vs the GPO method ?  
  Thanks
  Neeraj

  > Is it necessary to to ” map the Namespace of Active Directory to an Offline CA’s Registry Configuration” ?
  it is necessary only if you configure LDAP URLs for CRL Dsitribution Points and Authority Information Access extensions on Root CA (not recommended).
  > What are the pros/cons of using the certutil method vs the GPO method ?  
  different scopes. When publishing in Active Directory, it is downloaded to all
  *forest* members, while GPO covers only limited scope (domain, site or OU).
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.

• Java Digital Signature - certificate validation question

  I am not sure if this is possible but here is my problem/question:
  I need to publish a web based program in Citrix. My question is, everytime a user logs into Citrix and executes this application they are prompted to trust the Java certificate. Usually a user would choose "always trust" and they would not be prompted again. However, the Citrix environment is setup so that when a user logs out of Citrix all their user configuration is deleted. So the next time they log in, they are prompted once again to trust the Java cert.
  Is there a way to automatically sign this certificate before it prompts a user or a way to script something that wouldn't ask the user again to validate this? Sorry if this sounds like I have no idea what I am talking about but I don't :)
  The Citrix admin said he could launch this command or script (if possible) before the application is launched so it would sign the cert or place the needed cert in the users profile. Hope this makes sense.
  Any suggestions would be greatly appreciated.
  Thanks in advance,
  Scott

  Try the PDFBox mailing-list.

• Pre-order pickup, reward certificat​e, and payment option questions

  I pre-ordered an item on bestbuy.com for pickup at a local store. When I got there, I asked if I can use my reward certificate and the customer rep said that I couldn't. Is that true? 
  Another person next to her said she could back out the charges and re-enter the item, but when I told her I got it at a special pre-order price (gamers club unlocked price) she said she wouldn't be able to honor it.
  Also, if I bought an item online and picked it up at the store. Can I change my payment method at the register? I asked someone a couple weeks ago and they said they couldn't change payment methods.
  Solved!
  Go to Solution.

  Hi there Mcbutters-
  We appreciate that you choose Best Buy to place your pre-order!  I’m sorry to hear about the confusion you’ve had with this order and some others around how to get that reward certificate added to an order.  Hopefully I can help clear some things up for you.
  To answer your first paragraph, that it technically true.  When you place an order for in-store pickup, you are charged for the order when the store indicates it is ready for pickup.  At that point, the payment method cannot be changed.  However, once the transaction is complete, the store may be able to perform a return and then re-ring the purchase for you.  Keep in mind however, that any funds used from gift cards, reward certificates and your credit card would not be immediately available as in general it takes a few business days for those funds to go back on the cards or accounts.
  This leads me to my next point, which is generally we are unable to modify the payment method beyond changing a credit card on your order beyond 30 minutes after the order has been placed.  While your credit card is not charged until the item ships or the store indicates that it is ready for pickup, the card is generally authorized right away for 3-5 business days.  This is the same time frame we offer for changing shipping or pickup options as well, you can find more information on that here.  Another option would be to do as Batman1982 suggested and cancel your order to then place a new one.  Again, it may take a few business days for funds to return to gift cards, your My Best Buy account, etc.
  However, there should be no reason why they would not have been able to apply the 20% off new games software benefit that you get from being a Gamers Club Unlocked member.
  I hope that this helps, but if you have any further questions, please let me know.
  Bill|Senior Social Media Specialist | Best Buy® Corporate
   Private Message

• Certificate Based Authentication - Questions and Authentication Modules

  Hi Everyone
  I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
  The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
  What I now need to achieve is authentication base on one of these two way :
  - user and password authentication (which is working)
  - Certificate based authentication ( working on it )
  To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is refering to the Http Listener configuration of that container.
  When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
  Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
  From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
  So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
  2- I'll probably need to code a costum module for this scenario I'm working in because of client requisits, but if possible I would like to use the provided module. Still, in case I need to make on, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
  3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
  All for now,
  Thank you all for your help
  Rp

  Hi Rp,
  We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both method at the same time i.e. Use certificate first and then fallback to LDAP.
  First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
  Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
  Thirdly, if you are using an non ocsp based certificate then change the ocsp checking in AMConfig.properties to false.
  Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
  HTH,
  Vivek

• EAP-TLS User Certificate Question

  I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
  I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
  Thanks
  -Raun

  If you are using the MS Supplicant, you need the following registry settings:
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
  This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
  As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
  Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

• Client certificate question

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tabla normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hello,
  I am novice with certs and I have a question. I want to implement EAP-TLS in a WPA deployment and I have a question about the client-side certificate.
  When I install a client certificate in a machine for a specific user, is this certificate only valid for this machine and this user? Or can I export this certificate and use it in another machine but the same user?
  Thanks in advance,

  From my experience, you can copy the certificate to another computer (assuming a modern OS).  There are two problems with this, though:
  1 - You must be able to export the entire certificate, including the private key, to be able to use the certificate on another machine.  Most PKI implementations prohibit/disable this.
  2 - If you can export the certificate, including the private key, then you are risking the loss of integrity of your PKI.  Someone else can get that cert with the private key and impersonate the user.

• Certificates with a Question Mark

  There are certificates on my BB with a question mark next to them instead of a check mark.  What does this mean, and how do I change it to a check mark?

  Might be a easy fix,
  Reboot the machine and hold the option key down on a wired or built in keyboard, a selection of bootable drives appears (hopefully) and you choose OS X and click the arrow to boot from it.
  Once in OS X, head to System Preferences and change the Startup disk, then back to OS X and reboot normally, what you did was remind the firmware what it's supposed to boot from.
  If you still have issues, then run through this
  ..Step by Step to fix your Mac
  Create a data recovery/undelete external boot drive
  BTW your data is not lost unless the boot drive itself is dead (then platter recovery services, expensive) or encrypted (good luck there)
  My computer is not working, is my personal data lost?
  Later when things are working again, review your backup options here
  Most commonly used backup methods

• A PKI Code Signing Certificate question.

  Hello,
  Can someone please help me with the following question.
  I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
  what I did.
  1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
  2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
  3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive
  a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the
  way I sorted this at the time was to take the whole certificate as above and import to this store.
  The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its
  private key' into the trusted publishers store?
  Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example),
  is that correct i.e. is that what it mean to sign code?
  if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
  Is this correct?
  My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would
  have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
  Basically I need to understand the above, in order to understand more about Crypto.
  I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored
  in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
  I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
  Thanks very much
  AAnotherUser__
  AAnotherUser__

  > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
  yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
  >  is that correct i.e. is that what it mean to sign code
  exactly. Encryption with private key and decrypting with public key is called "digital signature".
  > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same
  value. Is this correct?
  yes. Client uses only public part of the certificate to validate the signature.
  > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
  > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
  this is wrong assumption. A user is responsible to protect signing private key from unauthorized use.
  > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
  wouldn't, because if something happens -- you will never know who compromised the key.
  as a general practice, we recommend to purchase at least few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who the only has access to a smart card
  (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with unique signing certificate to each developer. However this will add a complexity in signing certificate trust management.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Exchange OWA Certificate Question

  Hello All
  I just have a question regarding exchange owa certificate which is about to expire. (owa.domain.com, autodiscover.domain.com, mail.domain.com )
  I have 
  Site one 
    Mailbox 2013 Server1
    CAS 2013 Server1
    Edge 2013
  Site 2
     Mailbox 2013 Server2
     Cas 2013 Server2
     Edge 2007
  Exchange high availability configured. On ECP I am seeing my OWA certificate about to expire on both CAS on the same day(same cert)
  I would like to create a new certificate, not renew as I have some old domains to remove from the cert.
  My question is, when I create the the new request from ECP - Cas Server1, send to the CA and then install the, how will this reflect for the certificate that is expired on CAS server2? 
  Thanks

  Hi nricki,
  Agree with Hinte, you can export the new certificate which was created in CAS1 server and then import it to CAS2 server.
  The following article for your reference:
  How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers
  Best regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Niko Cheng
  TechNet Community Support

• Build dataguard two more questions. password prompt and certificate error

  The fiirt two data guard instances are built. One is running fine the second I'm getting this error in the primarys alert log. it looks like it is a certificate error but I'm having a hard time nailing it down.
  BTW: Instance is 11.2.0.1
  Thread 1 advanced to log sequence 318 (LGWR switch)
  Current log# 6 seq# 318 mem# 0: +DATA/sfs01/onlinelog/group_6.4762.769266689
  SSL Client: Server DN doesn't contain expected SID name
  Archived Log entry 706 added for thread 1 sequence 317 ID 0x799622d4 dest 1:
  Thu Mar 22 12:46:48 2012
  SSL Client: Server DN doesn't contain expected SID name
  The third and final data guard instance I'm building is 3T and taking forever to restore. Two questions:
  1) Can I suspend rman and restart it.
  2) when I restart rman how do I keep it from prompting me for the password. I would prefer to put a nohup on a shell script.
  Here is the script. Right now I'm running it manually but would relly to run with nohup so I can go get lunch.
  rman target SYS@sor01_primary auxiliary / << EOF
  run {
  allocate channel C1 device type disk;
  allocate auxiliary channel C2 device type disk;
  allocate auxiliary channel C3 device type disk;
  allocate auxiliary channel C4 device type disk;
  allocate auxiliary channel C5 device type disk;
  duplicate target database for standby nofilenamecheck;
  release channel C1;
  release channel C2;
  release channel C3;
  release channel C4;
  release channel C5;
  EOF

  Hello (certificate error is vague. By that I mean whoever wrote that error message)
  Can I suspend rman and restart it? I believe no, stop and restart should work.
  Something like this, I use an env file can post if it helps :
  #!/bin/bash
  . /u01/app/oracle/dba_tool/env/DATABASE.env
  echo "Starting RMAN..."
  $ORACLE_HOME/bin/rman target SYS@sor01_primary auxiliary << EOF
  run {
  allocate channel C1 device type disk;
  allocate auxiliary channel C2 device type disk;
  allocate auxiliary channel C3 device type disk;
  allocate auxiliary channel C4 device type disk;
  allocate auxiliary channel C5 device type disk;
  duplicate target database for standby nofilenamecheck;
  release channel C1;
  release channel C2;
  release channel C3;
  release channel C4;
  release channel C5;
  }My env file ( yours will be different ) use env to check you compare to your profile
  export ORACLE_BASE=/u01/app/oracle
  export ORACLE_HOME=/u01/app/oracle/product/11.2.0.2
  export ORACLE_SID=STANDBY
  export ULIMIT=unlimited
  export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
  export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/network/lib
  export LIBPATH=$LD_LIBRARY_PATH:/usr/lib
  export TNS_ADMIN=$ORACLE_HOME/network/admin
  PATH=$ORACLE_HOME/bin:$ORACLE_BASE/dba_tool/bin:/bin:/usr/bin:/etc:/etc/X11/xserver/C:.
  export PATHI run from the cron which is similar to nohup as far as env goes.
  Best Regards
  mseberg
  Edited by: mseberg on Mar 22, 2012 2:32 PM
  Edited by: mseberg on Mar 22, 2012 2:41 PM