Renew CA Certificate with Different CSP (or KSP)

Folks, is there a way to specify a different CSP (or KSP) when performing a renewal of a CA certificate? The requirement I have is to move from an older 32-bit CSP to a KSP. Whilst there may be some trick approach to doing this using utilities provided by the HSM people, we'd be quite happy to use the renewal process to "manage out" the old CSP.
There doesn't appear to be any opportunity when running the "wizard" to renew the CA certificate... neither is there anything in the CAPolicy.inf.
I was thinking about using certreq, but then I don't know what "magic" that would omit compared to running the renewal with the wizard.
Any ideas? Cheers

Using the GUI you can select to renew or request new cert, but you must opt to use a new key in order to specify the CSP.
Likewise, you could do so using certreq and specify the ProviderName & ProviderType values in the request.inf file.  You can get the appropriate values from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\CSP_NAME
When the CSP is selected look for the DWORD "Type" for the numerical value to put in for the ProviderType value.
I haven't tested it and am not sure if it would actually work using certreq, but you might be able to do a renewal with the same key: RenewalCert = CertId, UseExistingKeySet = TRUE. The key strength would need to be the same (since you would be using the existing key of whatever strength it is). Certreq handles a few things a little bit more out-of-band, so it's a little tougher to track things, but because of that you can sometimes bend the rules that the GUI inflicts.
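An added PowerShell illustration of the certreq route the reply describes (this is not code from the thread or from Microsoft): it reads the provider's "Type" DWORD from the registry key named above and writes a request.inf that pins ProviderName/ProviderType, RenewalCert and UseExistingKeySet, refusing a KeyLength that differs from the current key when the existing key set is reused. The function name, the use of the CA certificate's thumbprint as the RenewalCert value, and the omission of ProviderType for a KSP (which has no entry under the legacy CSP registry path) are assumptions.

```powershell
# Added example, not from the thread. Assumes the CA certificate being renewed sits in
# Cert:\LocalMachine\My, that RenewalCert accepts its thumbprint, and that a KSP (CNG
# provider) is pinned with ProviderName alone because it has no "Type" DWORD under the
# legacy CSP registry path the reply points at.
function New-CaRenewalRequestInf {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProviderName,      # e.g. "Microsoft Software Key Storage Provider"
        [Parameter(Mandatory)][string]$RenewalThumbprint, # thumbprint of the current CA certificate
        [switch]$UseExistingKey,                          # emit UseExistingKeySet = TRUE
        [int]$KeyLength = 2048,
        [string]$Path = ".\request.inf"
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$RenewalThumbprint" -ErrorAction Stop
    $currentBits = $cert.PublicKey.Key.KeySize   # RSA key size of the current CA key

    # The reply's caveat: reusing the existing key set means the key strength cannot change.
    if ($UseExistingKey -and $KeyLength -ne $currentBits) {
        throw "UseExistingKeySet=TRUE reuses the current $currentBits-bit key; KeyLength $KeyLength does not match."
    }

    # Legacy CSPs are registered here with a "Type" DWORD that becomes ProviderType in the INF.
    $cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$ProviderName"
    $providerType = $null
    if (Test-Path -Path $cspKey) {
        $providerType = [int](Get-ItemProperty -Path $cspKey -Name Type).Type
    }

    $lines = @(
        "[NewRequest]"
        "Subject = `"$($cert.Subject)`""      # keep the CA's existing subject name
        "ProviderName = `"$ProviderName`""
    )
    # A KSP gets ProviderName only (assumption); a CSP also gets its numeric ProviderType.
    if ($null -ne $providerType) { $lines += "ProviderType = $providerType" }
    $lines += @(
        "KeyLength = $KeyLength"
        "MachineKeySet = TRUE"
        "RequestType = PKCS10"
        "RenewalCert = $RenewalThumbprint"
        "UseExistingKeySet = $(if ($UseExistingKey) { 'TRUE' } else { 'FALSE' })"
    )

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    Write-Verbose "Wrote $Path; the request is then built with: certreq -new $Path request.req"
    return $Path
}

# Usage (hypothetical values): move to the Microsoft Software Key Storage Provider with a new 4096-bit key.
# New-CaRenewalRequestInf -ProviderName "Microsoft Software Key Storage Provider" `
#     -RenewalThumbprint "<THUMBPRINT-OF-CURRENT-CA-CERT>" -KeyLength 4096 -Path .\ca-renew.inf -Verbose
```

The generated INF covers only the provider and renewal keys the reply names; whatever CA-specific settings the wizard adds beyond these is exactly the open question in the thread and is not answered by this example.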

Similar Messages

  • Renewing Push Certificate with renamed Apple ID

    Hello everyone,
    I have a specific problem here:
    - I set up an OS X Lion Server at work to manage a bunch of iOS devices with Profile Manager
    - I created an Apple-ID for my work-email to request a Push Certificate for that server
    - I then RENAMED the Apple-ID to a functional email-address (however, my original one is still setup as alternative email address)
    - I can still see my Push Certificate when logging in to the Push Certificate Portal
    - Now, I need to renew that certificate in 30 days.
    Question 1: Can I renew that certificate using the Server.app (which still knows my old email-address) or do I need to rename my Apple-ID AGAIN to the old state before doing so?
    Question 2: Will I need to re-enroll my iOS devices with either option stated above?
    Question 3: I plan to upgrade to Mountain Lion Server - in the process, I will be asked for an Apple-ID for the Push Certificate ... will it be clever enough to recognize my renamed Apple-ID, or do I need to rename it before that as well?
    Question 4: Is it possible to let Apple Support handle this mess, has anyone tried that successfully so far?
    Thanks for reading :-)
    Best regards,
    Olaf

    I'd like to share my experience how the process went.
    As initially stated, I needed to renew my Push Certificate within 30 days, but had renamed my Apple ID (from [email protected] to [email protected]).
    Renewing meant re-enrolling all devices. Somebody suggested I should upgrade to Mountain Lion Server first, THEN renew; it would be easier then (you know, click one button and BOOM, magic..).
    So, the idea then was
    - Perform in-place-upgrade
    - re-enroll certificate after upgrade
    short answer... that didn't work out.
    Before upgrading, I trained on a cloned system.
    In the process of the upgrade, you HAVE to enter an Apple-ID (i.e. email address) to connect to the APNS ... that means it either is exactly the one you created the Push Certificate with in the first place, or you re-enroll all your devices - Apple gives a nice warning message during the process.
    OK, gnashing teeth, I renamed the Apple-ID back to the original state and tried the in-place upgrade again, this time on the production server ... what should go wrong, it worked out before on the clone (sans the certificate part) ... hhhm ... not this time. It seemed to be some problem with the Raid card. But hey, that's what Carbon Copy Cloner, psqldump and Timemachine are for, right?
    Wrong.
    After the restore, my production machine came up fine, everything worked - except pushing anything to my devices.
    So, technically I restored OS X Lion Server to a running state AND had 3 different means of backup, just in case (CCC, Timemachine, scripted DB dumps and OD dumps)  and still in the end, I had a bunch of devices that needed to be re-enrolled. Brilliant.
    More gnashing teeth. Now, knowing I need to re-enroll anyway, I installed ML Server from scratch, created a new Push certificate (using [email protected].), re-entered ALL mobile devices, policies and groups by hand (oops, Apple dropped psqldump support in ML Server, there is no database import from prior versions..FRAK) and re-enrolled all devices, happy users assured.
    And now the fun part: If you sign your mobile profiles (you know, that checkbox in Server App) for extra security, you need to take care of your Code Signing Certificate's validity. You can renew this easily (one click, BOOM, magic).
    The Code Signing Certificate is valid for 1 year.  If you renew this certificate, re-enrollment is mandatory.
    DOUBLE-FRAK.
    So in the end, it didn't matter at all that I renamed my Apple-ID back and forth, it didn't matter that the in-place upgrade didn't work out and I had to do a clean install, there was actually no option of pulling this stunt without re-enrolling all devices, at least when the Code signing certificate were to expire.
    Please Apple, FIX this. It can not be, that I have to re-enroll all my devices EVERY YEAR. Why are your certificates only valid one year? Why can't you design a convenient mechanism to renew all certificates and push them to the devices automatically?

  • Problems in using a certificate with different versions of JVM

    Hi friends,
    I am facing a typical problem:
    I have to use a certificate which uses the sha1DSA signing algorithm to contact a web service (I am coding a client). I was using J2SDK_1.4.1_02 before. I added the certificate to the keystore and it was working fine. But after I upgraded my JRE to 1.4.2_13 the same code doesn't work. I got the following exception:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:570)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA12275)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.post(HttpSOAPConnection.java:263)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(HttpSOAPConnection.java:151)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:121)
         at TestRequest.getCustomerInfo(TestRequest.java:60)
         at TestRequest.main(TestRequest.java:122)
    After some investigation I found that this JRE accepts only certificates with the sha1RSA signature algorithm. Please help me if anybody knows why this occurs, or whether this is an issue to be addressed on the server side.

    Hi Michal,
    Keeping in mind the recommendations of the Production Checklist...
    All other things being equal, homogenous deployments are usually less prone to surprises.
    But JDK 1.6 is noticeably faster than JDK 1.4, and features much better JMX support as well, so it's probably the better option.
    Jon Purdy
    Oracle

  • Renew Subordinate CA with new key

    We have one Enterprise Root CA and one Subordinate CA server in our environment. The Subordinate CA issues certificates to many DCs and web servers.
    Now the certificate of the Subordinate CA is getting expired and we have to renew it. I would like to know what will happen if I renew the Subordinate certificate with a new key pair. Will all the existing certificates issued by the Subordinate CA become invalid, or will they continue to function until their expiry date?
    Mahi

    Thanks Mark for the information.
    My Sub CA certificate is going to expire on 30th May. The Sub CA has issued certificates to applications like TestApp1, TestApp2, TestApp3. The existing certificates issued by the Sub CA installed on these applications are expiring on 30th May.
    I am planning to renew the Sub CA certificate with a different key this weekend, i.e. on 26th April, and also increase the certificate key length to 2048 bits.
    When I renew the Sub CA certificate with a different key, will the existing certificates installed on TestApp1, TestApp2, TestApp3 still continue to function until their expiry, i.e. 30th May? I hope renewing the Sub CA certificate with a different key will not disturb the existing certificates installed on TestApp1, TestApp2, TestApp3, because I am planning to renew the certificates installed on TestApp1, TestApp2, TestApp3 in the first week of May, as I cannot have downtime on 26th April.
    Apologies, I am asking this question repeatedly.
    Mahi

  • Renew SSL Certificate for two Exchange 2010 Servers and the new rules.

    I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm
    It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm
    I bet Microsoft have something on their website too that helps with this sort of question.
    I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com, and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

    Hi there,
    My Exchange 2010 Server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we cannot include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is the internet-facing server (where the certificate is initiated and installed) and one is the non-internet-facing Exchange server.
    If I am going to renew my certificate with public names only, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
    This topic first appeared in the Spiceworks Community

  • Jars can't be signed with different certificates---even by Sun?

    I am deploying an application which uses the following jar files:
    com.example.application.jar
    com.example.support.jar
    javax.activation.jar
    javax.mail.jar
    The latter two are jars signed by Sun, yet JWS complains that the jars have been signed with different certificates. I'm forced to unpack the Sun jars and repackage them, signing them with my own certificate.
    Isn't this a little restrictive? Shouldn't jars signed by Sun be exceptions to the "all jars signed by the same certificate" requirement?
    Garret

    Thanks! The JNLP 1.5 MR specification is a bit opaque about exactly how to do this, but the following site has an example that helped:
    http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/faq.html
    The example didn't mention whether I can request all permissions for the component extension, but I suppose I can. Nothing seems to indicate whether I can have component extensions reference other component extensions (JavaMail requires JAF, for example), but it seems to work.
    By requesting full permissions for the component extensions, though, I now get two dialogs presented to the user, the first asking if my application should be trusted, and the second asking if Sun Microsystems should be trusted.
    If I remove all-permissions from the JavaMail component extension, yet request it for the main application (thereby only presenting the user with one confirmation dialog), will I still be able to perform restricted functionality using JavaMail, such as connecting to remote servers?
    Here's what I'm now using, in hopes that it benefits someone else. The main JNLP:
         <resources>
              <jar href="com.example.jar"/>
              <extension name="JavaMail" href="javax.mail.jnlp"/>
         </resources>
    ...javax.mail.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.mail.jnlp">
         <information>
              <title>JavaMail</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaMail API.</description>
              <homepage href="http://java.sun.com/products/javamail/"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="javax.mail.jar"/>
              <extension name="JAF" href="javax.activation.jnlp"/>
         </resources>
         <component-desc/>
    </jnlp>
    ...javax.activation.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.activation.jnlp">
         <information>
              <title>JAF</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaBeans Activation Framework extension.</description>
              <homepage href="http://java.sun.com/products/javabeans/glasgow/jaf.html"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="lib/javax.activation.jar"/>
         </resources>
         <component-desc/>
    </jnlp>
    Garret

  • SHA256 certificate with Signature Algorithm as RSASSA-PSS not supported in FireFox but it is the only option available

    I have just built a new PKI infrastructure for issuing SHA2 certificates. When I duplicate a template and set it up to use a KSP instead of a CSP to enable SHA2 signing, the only provider I have available is the Microsoft Software Key Storage Provider, which translates into RSASSA-PSS. I am also allowing the private key to be exported due to the fact that the cert and key need to be placed on multiple servers, such as in a cluster.
    I am finding that Firefox does not support certificates which use RSASSA-PSS and have tracked it to a few Bugzilla reports. IE and Chrome appear not to have any problem with this.
    I want to change the provider to something that Firefox supports while still being able to issue SHA2 certs. I am finding that if I unmark "Allow Key to be Exported" on the template when I build it, other options for providers appear.
    I need to be able to support the big 3 browsers, IE, Firefox, and Chrome, while still allowing the key to be exported. I used AlternateSignatureAlgorithms=1 in the capolicy.inf file on both the offline root and intermediate CAs. I read a post somewhere that changing the root to AlternateSignatureAlgorithms=0 and renewing the intermediate CA certificate could solve the problem, but I do not understand how I can obtain a SHA2 certificate for the intermediate if that is not enabled.
    I could use some assistance with this if someone knows how to make this work. Many thanks.
    Brian B.

    Brian,
    There is no correlation at all between the AlternateSignatureAlgorithms=1 or 0 line and the use of SHA256. In my book, it is recommended when you get into the weirder combinations (Elliptical curve versions, etc.)
    If you do as you plan (using AlternateSignatureAlgorithms=0),
    then the CA certificates will show Sha256RSA as the signature algorithm, and be universally accepted.
    As you stated... 
    1) Change the capolicy.inf on the root CA and renew the root CA certificate.
    2) Change the CAPolicy.inf on the issuing CA and renew the issuing CA certificate
    Now start issuing the KSP certificates, they will be usable on Firefox
    Brian 

  • Replace Self-Signed FAST Search Certificate with Third Party Certificate

    We are trying to replace the self-signed FAST Search certificate with a third-party certificate in our SP 2010 environment, and are facing issues while enabling SSL communication between the FAST servers and the corporate servers.
    Our FAST Search servers are in a different farm than that of the corporate servers.
    The details of the certificate we received are as follows:
    Issued to : FastSearchCert
    Issued By: Issuer Name
    Valid From: 4/21/2015 to 4/20/2017
    We were able to successfully renew the certificate on the FAST Search Server by following the steps below:
    1. Log in to the Administrative and the Non-Administrative nodes of the FAST server. Go to Windows Services and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on both servers.
    Follow the steps below on the Administrative Node followed by the Non-Administrative Node:
    2. Install the certificate in the following paths in the certificate store:
    "Certificates(Local Computer)\Personal"
    "Certificates(Local Computer)\Trusted Root Certification Authorities"
    3. Ensure that the user account configured for the "FAST Search Server 2010 for SharePoint" service has access to the private key of the certificate.
    4. Go to the Administrative node of the FAST farm and follow the steps below:
    Go to the certificate store.
    Expand the Personal folder and then click the Certificates folder. Double-click the third-party signed FAST certificate.
    Open the Details tab and then click Thumbprint. Note down this thumbprint.
    5. Next, open Microsoft FAST Search Server 2010 for SharePoint with Administrator privileges.
    6. Navigate to the directory "D:\FASTSearch\installer\scripts" and execute the command below to replace the current certificate with the newly created third-party signed FAST certificate:
    .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
    7. The FAST certificate was renewed successfully.
    Once the certificate has been renewed successfully on both nodes, follow the step below:
    8. Start the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on the administrator server.
    Next, while enabling SSL communication between the FAST servers and the other corporate servers, we follow the steps below:
    1. Copy the new certificate from any of the FAST servers to all the web front-end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
    2. Also, copy the script 'SecureFASTSearchConnector.ps1' from the location "%FASTSearchFolder%\installer\scripts" on the FAST servers to the web front-end and application servers of the corporate farm.
    3. Follow the steps below on each of the servers in the corporate farm:
    Open 'SharePoint 2010 Management Shell' with administrator privileges and navigate to the directory in which the 'SecureFASTSearchConnector.ps1' script is located.
    Then execute the command below:
    .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "FASTCibtebtSSA" -username "DOMAIN\SP_Farm"
    Where:
    -certThumbprint - Thumbprint of the certificate
    -ssaName - FAST Content SSA
    -username - The account configured to run the SharePoint Search Service
    On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
    Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
    Any help is much appreciated.

    Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
    In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
    Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
    TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
    TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
    TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
    Restarted apache2.
    www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

  • Error while renewing the certificate in SSLM

    Hi,
    While renewing the certificate on SSLM I am getting the following error
    % failed to parse or verify imported certificate.
    I am able to upload root certificate successfully.
    I am sure that I renewed the certificate using the correct parameters.
    Please advise
    Regards
    Jithesh

    Hi Jithesh,
    This error can occur when you install the identity certificate and do not have the correct intermediate or root CA certificate authenticated with the associated trustpoint. You must remove and reauthenticate with the correct intermediate or root CA certificate. Contact your 3rd party vendor in order to verify that you received the correct CA certificate.
    Cheers!!
    Sachin

  • Secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) PLEASE HELP ME!!

    I have gone to this website almost everyday for years and I have not changed anything in my internet settings, but now I'm getting this message: secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) The only thing I KNOW I did differently, was I installed a CAC reader to my computer, since then, this has been happening. Is there a setting I can change?? E-mail is: [email protected] Thanks! Megan

    There were recently several users getting this error code who use AVAST 2015. If you recently got that program, please see:
    * [https://support.mozilla.org/questions/1029578 Can NOT access https://www.google.com for google voice, mail etc.]
    * [https://support.mozilla.org/questions/1028985 Avast Forum connection failed - works in Chrome etc.]
    * [https://support.mozilla.org/questions/1028190 Since last FF update I can't sign out of Yahoo and when I close FF it tells me it has crashed.]

  • [solved] dovecot errors after renewing SSL certificate

    System:
    OS X Server (Mountain Lion) 2.2
    Using a single SSL Certificate for all services.
    Symptom:
    Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
    Diagnostics:
    These give you an indication whether it's this problem. Some or all may apply:
    Log shows all kinds of dovecot errors. e.g.
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
    ssl_cert
    ssl_key
    ssl_ca
    Solution:
    Go to the Certificates pane of the Server App  and choose Secure Services Using: Custom
    Set IMAP and POP server certificates to None
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
    Now set Secure Services Using: <My single SSL Certificate for all services>
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate in /etc/certificates
    Hope this works for you too!

    I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are set up for https are listed.
    Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple hosts set up and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
    Hope this helps.

  • Wildcard SSL Certificates with MFE?

    Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
    We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
    Before doing anything I figured I'd try a website that used a wildcard certificate.
    When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
    My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
    If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
    Thanks.

    This is an interesting question. I look forward to testing this myself.
    What kind of cert & website did you use in your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com? AFAIK a wildcard doesn't match addresses consisting of the domain part only, so the latter one might not work.
    Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!

  • SSPR registration and reset started to fail after renewing the certificates

    Hi,
    On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on the FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fail on the last step of the process. So for example when a user browses to https://passwordreset.domain.com, fills in their domain\username and clicks Next, FIM will send a security code (SMS OTP) to the user's mobile phone, and once the user fills in the code and clicks Next, the Communication Error 3008 is shown to the user. The same happens in the last step of the registration, where the user reviews that the mobile number is correct before finally clicking Next. Once clicked, the same error as with the Reset portal is shown to the user.
    Other changes than renewing the certificates have not been made to the environment since it was last working two days ago. Synchronization of users/groups created in the FIM Portal works normally towards AD.
    All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
    The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
    The error page was displayed to the user.
    Details:
    Title: Communication Error
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    Source: 
    Attributes: 
    Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration.
    This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException:
    An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an
    HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
    Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
    The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
    Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims,
    Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
    Both http://fimservice.domain.com:5726 and http://fimservice.domain.com:5725 can be accessed OK using a web browser from the SSPR servers. The URL http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives HTTP 400 Bad Request, which is OK.
    At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
    http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
    https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
    https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
    https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
    Can anyone help us with this and provide some tips on what to check next in the environment? The strangest thing here is that everything was working just fine before the certificates were renewed on all servers, and no other changes were made to the environment.
    -Pappa75

    Hi,
    Have you stopped and started the FIM Service? If not, try this after performing that step. Also, there is a possibility that the service won't be able to start if there is an issue with the certificate.
    The SSPR issue is related to the certificate only, which might have some mismatch in the thumbprint value or some other problem.
    If there is a problem with the certificate's thumbprint, you might see an error in the Event Viewer, which can be resolved by making the certificate's thumbprint the same within the registry.
    Regards,
    Manuj Khurana

  • Client side certificates with OpenScript

    Hello there,
    Is there any information on using client side certificates with OpenScript?
    What types of certificates can it handle? .P12-files?
    Regards

    I run a servlet using jsdk1.2 on a system.
    Some of the clients who are accessing this site are able to go through,
    but some people who are in our LAN but at different places couldn't connect to the servlet,
    and they get the following error.
    Can you help me in solving the problem? (mail me at vijai_tata @ yahoo.com)
    java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at sun.servlet.http.HttpOutputStream.writeOut(HttpOutputStream.java:483)
    at sun.servlet.http.HttpOutputStream.flushBytes(HttpOutputStream.java:357)
    at sun.servlet.http.HttpOutputStream.flush(HttpOutputStream.java:343)
    at sun.servlet.http.HttpOutputStream.finish(HttpOutputStream.java:181)
    at sun.servlet.http.HttpOutputStream.close(HttpOutputStream.java:421)
    at sun.servlet.http.HttpResponse.finish(HttpResponse.java:338)
    at sun.servlet.http.HttpServerHandler.handleConnection(HttpServerHandler.java:133)
    at sun.servlet.http.HttpServerHandler.run(HttpServerHandler.java:90)
    at java.lang.Thread.run(Thread.java:534)

  • CSS 11501 - wildcard certificate with subject alternative names

    Hi,
    I generated a wildcard certificate for my company of type *.mycompany.com on a CSS 11501.
    For the site sub-domain1.mycompany.com it worked fine; for the site sub-domain2.sub-domain1.mycompany.com it didn't work.
    I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible on the CSS? How can I do it?
    Thank you very much,
    Cláudio Soares

    Hi,
    The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
    so using a wildcard certificate would be no different than using a standard certificate.
    If using the CSS to generate the Certificate Signing Request, just enter the Common
    Name with the leading asterisk for the subdomain portion of the hostname. Example:
    Common Name (your domain name) [www.mycompany.com]*.domain.com
    The only difference in configuring SSL termination would be that you could
    reuse the SSL certificate (in the ssl-proxy-list) for all the different VIPs that the
    subdomains resolve to without having to worry about pop-up warnings in clients' browsers
    (example attached). Or, if your subdomains resolve to the same VIP, the CSS configuration
    wouldn't be any different.
    Regards,
    Siva
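As an added illustration (not part of the thread, and not CSS code), the browser-side hostname check that explains what Cláudio saw: a wildcard stands for exactly one DNS label, so *.mycompany.com covers sub-domain1.mycompany.com but not sub-domain2.sub-domain1.mycompany.com, and it is a second SAN entry (*.sub-domain1.mycompany.com) that covers the deeper name. The host names and SAN lists below are constructed from the question.

```python
from typing import Iterable

# Added example: wildcard name matching as browsers apply it (RFC 6125 s.6.4.3).
# Not code from the thread; names are constructed from the question.


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a CN or dNSName SAN entry `pattern` covers `hostname`.

    Rules: case-insensitive comparison; a '*' is honoured only as the whole
    left-most label; it matches exactly one label, never 'a.b'; and the
    wildcard must have at least two labels to its right (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Partial wildcards such as 'sub-*.mycompany.com' are rejected outright.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # One label per '*': the label counts must be identical.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry in `names` covers `hostname`."""
    return any(wildcard_matches(n, hostname) for n in names)


# Constructed: the single-wildcard cert from the question vs. one with SANs.
SINGLE_WILDCARD = ["*.mycompany.com"]
WITH_SANS = ["*.mycompany.com", "*.sub-domain1.mycompany.com"]

if __name__ == "__main__":
    for host in ("sub-domain1.mycompany.com",
                 "sub-domain2.sub-domain1.mycompany.com"):
        print(host, cert_covers(SINGLE_WILDCARD, host), cert_covers(WITH_SANS, host))
```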
