Renew SAProuter Certificate

Dear all,
Does anyone have detailed steps on how to renew the SAProuter certificate in an AS/400 environment?
Help and advice are highly appreciated and rewarded.
Thanks.
Regards,
Kent

Hello Kent,
Refer to the following steps:
Saprouter needs to be stopped before doing this activity.
1. Log on to the host with the username and password of the SAP router service credentials
2. Stop the Saprouter service
3. Make a backup of the folder E:\usr\sap\saprouter
3a. This can be deleted after a successful upgrade
4. Delete these 4 files in E:\usr\sap\saprouter
4a. certreq
4b. cred_V2
4c. localpse
4d. srcert
5. Generate the certificate request using the following command
5a. E:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq -p local.pse "your distinguished name"
Example- "CN=sap12301.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"
5b. Enter a PIN of <xxxx>
6. Copy the contents of certreq to the clipboard
7. Go to http://www.service.sap.com/saprouter-sncadd
8. Paste the contents of the clipboard into the form
9. This will generate a new certificate, copy its contents into a file called srcert
9a. You will have to create srcert
10. Then import the certificate using the following command
10a. E:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
10b. Enter the PIN of <xxxx>
11. Then set up the logon using the following command
11a. E:\usr\sap\saprouter>sapgenpse seclogin -p local.pse
11b. This will create a file called cred_V2
12. Check if the certificate has been loaded correctly by using the following command
12a. E:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
13. Start the Saprouter service
The distinguished name must be:
"CN= your hostname, OU 1234 ,OU=SAProuter,O=SAP,C=DE "
Let me know of any questions
Rohit

Similar Messages

  • Wrong Pin error while renewing SAprouter certificate

    Hi,
    I tried renewing the Saprouter certificate from the marketplace.
    While installing the certificate using the command below, we get the following error.
    E:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert.txt -p local.pse
    import_own_cert: Couldn't open PSE "E:\usr\sap\saprouter\local.pse"
    ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
    ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE
    ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE
    Please suggest a solution for this issue. Is there any command to install the certificate by providing the PIN which we gave while generating the local.PSE file?
    Thank you.

    Hi Mamta,
    Did you get a solution for this issue?
    If yes, kindly share the solution; I am getting the same issue.
    Waiting for your reply.
    Thanks
    Santosh

  • SAProuter certificate is going to expire, can I renew it before

    Dear all
    I need to know: my SAProuter certificate is going to expire on the 30th of this month. Can I renew it before then, or do I have to apply and renew after it expires?
    Regards,
    Kumar

    Hi,
    Thanks for your suggestion. I have some queries; I followed the link you suggested.
    1     I can't find the file "getcert.cer" on my system
    2
    G:\usr\sap\saprouter>sapgenpse.exe import_own_cert -c srcert -p local.pse*
    import_own_cert: Couldn't open PSE "G:\usr\sap\saprouter\local.pse*.pse"
    ERROR in af_open: (4129/0x1021) The PSE does not exist
    ERROR in secsw_open: (4129/0x1021) The PSE does not exist
    ERROR in sec_open: (4129/0x1021) The PSE does not exist
    ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "G:\usr\sap\saprouter\local.pse*.pse"
    Remove the * and then it is OK:
    G:\usr\sap\saprouter>sapgenpse.exe import_own_cert -c srcert -p local.pse
    CA-Response successfully imported into PSE "G:\usr\sap\saprouter\local.pse"
    3  K:\usr\sap\saprouter>sapgenpse seclogin -p local.pse -O sncadm
    running seclogin with USER="soladm"
    ERROR in lookup_sid_by_username: (10/0x000a) LastError=1332: No mapping between
    account names and security IDs was done.
    With this command it is OK: sapgenpse seclogin -p local.pse
    Regards,
    Kumar

  • Saprouter Certificate Expired

    It appears that the certificate that our saprouter.exe uses has expired.  I am not able to create connections to our saprouter from the Service Marketplace.  I get the following in the dev_rout file in E:\usr\sap\saprouter
    Mon Dec 10 15:18:39 2007
    ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
    [sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]
          GSS-API(maj): The referenced credentials have expired
          GSS-API(min): Validity date of certificate is invalid
        Unable to establish the security context
        target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
    ERROR => ErrISetSys: error info too large [err.c        931]
    Mon Dec 10 15:18:39 2007
    LOCATION    SAProuter 38.0 on 'sapslm01'
    ERROR       GSS-API(maj): The referenced credentials have expired
    GSS-API(min): Validity date of certificate is invalid
    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
    TIME        Mon Dec 10 15:18:39 2007
    RELEASE     700
    COMPONENT   SNC (Secure Network Communication)
    VERSION     5
    RC          -4
    MODULE      sncxxall.c
    LINE        3340
    DETAIL      SncPEstablishContext
    SYSTEM CALL gss_init_sec_context
    ERRNO      
    ERRNO TEXT 
    DESCR MSG NO
    DESCR VARGS GSS-API(maj): The referenced credentials have expired;;;;
    ;;;;GSS-API(min): Validity date of certificate is invalid;;;;
    ;;;;target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
    DETAIL MSG N
    DETAIL VARGS
    COUNTER     72
    <<- ERROR: SncProcessOutput()==SNCERR_GSSAPI
    ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c      1098]
    ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp   2811]
    ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'sapslm01.OII.DOM' failed (rc=-17) [nirout.cpp   2238]
    How do I renew this certificate?  I did not setup the saprouter and the person who did is no longer here.  Please advise.

    Hello Drew,
    For configuring the SAP router follow the steps below.
    Step 1:
    Download the SAP Router and SAP Cryptographic software from market place and place this under the folder usr\sap\saprouter. This folder is called as saprouter’s home folder. Extract these files with sapcar.
    Step 2:
    Apply for the certificate with the distinguished name of your company. This distinguished name can be found in service market place under the link
    http://service.sap.com/saprouter-sncadd and the certificate for saprouter should be applied in the same link.
    Step 3:
    With this distinguished name generate the PSE file with sapgenpse program located in saprouter folder.
    Step 4:
    After generating certreq file in saprouter folder edit the file and copy the content of the file under the link http://service.sap.com/saprouter-sncadd
    Step 5:
    After copying, click “Request Certificate” in the rightmost corner, which generates the required certificate. Copy the content of the generated file and paste it into a text file in the saprouter folder. Rename the file to “srcert” and install the certificate using the sapgenpse command. The PIN which we gave in the previous step must be entered correctly to install the certificate.
    Step 6:
    After installing the certificate successfully, credentials are to be added to the certificate. Only the added credentials will be allowed to start the saprouter program.
    Step 7:
    After adding credentials we can check the installation of certificate with sapgenpse command.
    Step 8:
    After verifying the certificate the SAPRouter program will be started in port number 3299.
    Note:
    SAP Router table should be correctly defined for accessing the systems through SAP router.
    regards,
    Anandha Krishnan R
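
The dev_rout excerpt in the question above shows what an expired SAProuter certificate looks like in the log. As an added example (not part of the original posts and not an SAP tool), the following Python script scans dev_rout text for SNC failures and flags those caused by an expired certificate; the class and function names are assumptions, and the sample input is trimmed from the lines quoted in the question.

```python
"""Scan SAProuter dev_rout text for SNC failures caused by an expired certificate."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample input: trimmed from the dev_rout lines quoted in the question above.
SAMPLE_DEV_ROUT = """\
Mon Dec 10 15:18:39 2007
ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]
      GSS-API(maj): The referenced credentials have expired
      GSS-API(min): Validity date of certificate is invalid
    Unable to establish the security context
    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
Mon Dec 10 15:18:39 2007
LOCATION    SAProuter 38.0 on 'sapslm01'
ERROR       GSS-API(maj): The referenced credentials have expired
GSS-API(min): Validity date of certificate is invalid
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
COMPONENT   SNC (Secure Network Communication)
ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp   2811]
"""

GSS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")
TARGET_RE = re.compile(r"target=['\"]p:([^'\"]+)['\"]")
PEER_RE = re.compile(r"NiSnc2Connect\b.*?(\d{1,3}(?:\.\d{1,3}){3}) \(rc=-?\d+\)")

# Message fragments that appear in the quoted log when the certificate has expired.
EXPIRY_MARKERS = (
    "credentials have expired",
    "Validity date of certificate is invalid",
)


@dataclass
class SncFailure:
    when: Optional[datetime]
    target: str = ""
    major: str = ""
    minor: str = ""
    peer: str = ""

    @property
    def cause(self) -> str:
        text = self.major + " " + self.minor
        if any(marker in text for marker in EXPIRY_MARKERS):
            return "certificate_expired"
        return "snc_other"


def _parse_timestamp(line: str) -> Optional[datetime]:
    """dev_rout writes a bare 'Mon Dec 10 15:18:39 2007' line before each entry."""
    try:
        return datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def scan_dev_rout(text: str) -> List[SncFailure]:
    """Return one SncFailure per timestamp that carries GSS-API error lines.

    The log repeats the same error in several blocks under one timestamp,
    so entries are merged by timestamp instead of being reported twice.
    """
    events = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        when = _parse_timestamp(line)
        if when is not None:
            current = events.setdefault(when, SncFailure(when))
            continue
        if current is None:  # lines that precede the first timestamp
            current = events.setdefault(None, SncFailure(None))
        gss = GSS_RE.search(line)
        if gss:
            value = gss.group(2).rstrip("; ")
            if gss.group(1) == "maj":
                current.major = value
            else:
                current.minor = value
            continue
        target = TARGET_RE.search(line)
        if target:
            current.target = target.group(1)
        peer = PEER_RE.search(line)
        if peer:
            current.peer = peer.group(1)
    return [e for e in events.values() if e.major or e.minor]


if __name__ == "__main__":
    for failure in scan_dev_rout(SAMPLE_DEV_ROUT):
        print(failure.when, failure.cause, failure.target, failure.peer)
```

Running the same scan on a schedule against the live dev_rout file gives an alert on the first failed SNC connection instead of waiting for a support connection to be refused.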

  • SAProuter certificate

    Dear Expert,
    I would like to ask regarding the SAProuter certificate.
    Our SAProuter certificate will expire soon, in June 2009.
    However, this year we have already discontinued the Enterprise Support maintenance contract.
    Therefore we will no longer be able to send OSS messages and also ask SAP support to connect remotely to our SAP Systems through SAProuter and SNC.
    Now, since we have other branches and mobile users we were using the SAProuter for them to connect to our SAP System remotely and where they have Internet connection. We use the SAProuter String in the SAP Logon settings to do this.
    After June 2009, can we still use the SAProuter for our external users without renewing the certificate?
    Thank you and we will appreciate your prompt reply on this matter.
    Best regards,
    Josephine

    Thank you for your reply but when I tried to go into SAP Market Place to apply for a new certificate there was a selection to make in the first part where there is the Target (on SAP-side).
    So I realized that I do not need a certificate if we will not use SNC to connect to SAP for support, because since we have already discontinued the service we no longer need to connect to SAP for OSS messages or remote connection to and from SAP Support.
    Just to make sure I'm on the right track,
    The message below is the message we received from SAP when our certificate was about to expire in June 2008.
    "Your certificate will expire on 22. June 2008.
    IF YOU USE THIS SAPROUTER WITH SECURE NETWORK COMMUNICATION (NOT VPN) THIS WILL MEAN THAT YOU CAN NO LONGER USE THIS SAPROUTER TO ESTABLISH A CONNECTION TO THE SAP SUPPORT."
    Does this mean that we only need the certificate for connecting to SAP through SNC for Support?
    Now that we do not need to connect to SAP for support then does this mean we can still use the SAProuter program for the purpose of providing a connection to external users (from branch and home users) to our Company's SAP System?
    The SAProuter service can be started with different switches and parameters. So if the certificate is only needed with the -K switch for (-K [myname]  : activate SNC; if given, use 'myname' as own sec-id) does this mean that I just don't use this -K switch which needs a certificate for the SNC connection to and from SAP then the SAProuter will still run normally?
    I'll just start the SAProuter service with the needed switches like the following:
    start router : saprouter -r
    -R routtab   : name of route-permission-file  (default ./saprouttab)
    and no need for the -K switch anymore since we will no longer need the SNC connection to SAP for support.
    To conclude my question, is the saprouter certificate only needed for the -K [myname] switch in the saprouter command?
    Please advise.
    Thank you.
    Josephine

  • Error while renewing the certificate in SSLM

    Hi,
    While renewing the certificate on SSLM I am getting the following error
    % failed to parse or verify imported certificate.
    I am able to upload root certificate successfully.
    I am sure that I renewed the certificate using the correct parameters.
    Please advise
    Regards
    Jithesh

    Hi Jithesh,
    This error can occur when you install the identity certificate and do not have the correct intermediate or root CA certificate authenticated with the associated trustpoint. You must remove and reauthenticate with the correct intermediate or root CA certificate. Contact your 3rd party vendor in order to verify that you received the correct CA certificate.
    Cheers!!
    Sachin

  • [solved] dovecot errors after renewing SSL certificate

    System:
    OS X Server (Mountain Lion) 2.2
    Using a single SSL Certificate for all services.
    Symptom:
    Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
    Diagnostics:
    Give you an indication whether it's this problem. Some or all may apply:
    Log shows all kinds of dovecot errors. e.g.
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
    ssl_cert
    ssl_key
    ssl_ca
    Solution:
    Go to the Certificates pane of the Server App  and choose Secure Services Using: Custom
    Set IMAP and POP server certificates to None
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
    Now set Secure Services Using: <My single SSL Certificate for all services>
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate  in /etc/certificates
    Hope this works for you too!

    I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are setup for https are listed.
    Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple host set and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
    Hope this helps.

  • SSPR registration and reset started to fail after renewing the certificates

    Hi,
    On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fail on the last step of the process. So for example when a user browses to https://passwordreset.domain.com and fills in their domain\username and clicks Next, FIM will send a security code (SMS OTP) to the user's mobile phone, and once the user then fills in the code and clicks Next, the Communication error 3008 is shown to the user. The same happens in the last step of the registration, where the user reviews that the mobile number is correct before finally clicking Next. Once clicked, the same error as with the Reset portal is shown to the user.
    Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.
    All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
    The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
    The error page was displayed to the user.
    Details:
    Title: Communication Error
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    Source: 
    Attributes: 
    Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration.
    This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException:
    An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an
    HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
    Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
    The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
    Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims,
    Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
    Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad request which is ok.
    At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
    http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
    https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
    https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
    https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
    Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment. 
    -Pappa75

    Hi,
    Have you stopped and started the FIM Service? If not, then try that. Also, there may be a possibility that the service won't be able to start if there is an issue with the certificate.
    The SSPR issue is related to the certificate only, which might have some mismatch in the thumbprint value or some other problem.
    If there is a problem with the thumbprint of the certificate, then you might see an error in the Event Viewer, which can be resolved by making the certificate's thumbprint the same within the registry.
    Regards,
    Manuj Khurana

  • Renew Machine Certificate for multiple Servers

    Hi,
    We have a Windows 2003 Enterprise CA which issues certificates to servers which are used for various purposes like Wifi Authentication and Secure RDP. We have checked that the certificates are going to expire within a few weeks. We want to renew the certificates before expiry, but the number of servers is high so we cannot do it manually by logging into each server.
    We don't have ACRS enabled for computer certificates and even if we configure it now that will not help.
    Is there a way to renew the certificates for all the servers remotely?

    On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
    We already have auto-enrolment enabled through GPO. The settings are as follows
    Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
    Update and manage certificates that use certificate templates from Active Directory ..........Enabled
    I think that you're confusing Automatic Certificate Request Services and
    autoenrollment. In your first post in this thread you mention ACRS, however
    the above settings are for autoenrollment. ACRS is only for certificates
    that are based upon V1 certificate templates and then only for machine
    certificates. Autoenrollment on the other hand does not work for anything
    less than V2 certificates and supports both machine and user certificates.
    If you're using V1 certificate templates then you can set autoenrollment
    settings in a GPO and it will not have any impact at all.
    Paul Adare - FIM CM MVP
    Remember the signs in restaurants "We reserve the right to refuse
    service to anyone"? The spammers twist it around to say "we reserve
    the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

  • Renewing Push Certificate with renamed Apple ID

    Hello everyone,
    I have a specific problem here:
    - I set up an OS X Lion Server at work to manage a bunch of iOS devices with Profile Manager
    - I created an Apple-ID for my work-email to request a Push Certificate for that server
    - I then RENAMED the Apple-ID to a functional email-address (however, my original one is still setup as alternative email address)
    - I can still see my Push Certificate when login in to the Push Certificate Portal
    - Now, I need to renew that certificate in 30 days.
    Question 1: Can I renew that certificate using the Server.app (which still knows my old email-address) or do I need to rename my Apple-ID AGAIN to the old state before doing so?
    Question 2: Will I need to re-enroll my iOS devices with either option stated above?
    Question 3: I plan to upgrade to Mountain Lion Server - in the process, I will be asked for an Apple-ID for the Push Certificate ... will it be clever enough to recognize my renamed Apple-ID, or do I need to rename it before that as well?
    Question 4: Is it possible to let Apple Support handle this mess, has anyone tried that successfully so far?
    Thanks for reading :-)
    Best regards,
    Olaf

    I'd like to share my experience how the process went.
    As initially stated, I needed to renew my Push Certificate within 30 days, but had renamed my Apple ID (from [email protected] to [email protected]).
    Renewing meant, re-enrolling all devices. Somebody suggested, I should upgrade to Mountain Lion Server first, THEN renew, it would be easier then (you know, click one button and BOOM, magic..).
    So, the idea then was
    - Perform in-place-upgrade
    - re-enroll certificate after upgrade
    short answer... that didn't work out.
    Before upgrading, I trained on a cloned system.
    In the process of the upgrade, you HAVE to enter an Apple-ID (i.e. email address) to connect to the APNS ... that means it either is exactly the one you created the Push Certificate with in the first place, or you re-enroll your devices - Apple gives a nice warning message during the process.
    OK, gnashing teeth, I renamed the Apple-ID back to the original state and tried the in-place upgrade again, this time on the production server ... what should go wrong,  it worked out before on the clone (sans the certificate part) ... hhhm ... not this time. It seemed to be some problem with the Raid card. But hey, that's what Carbon Copy Cloner, psqldump and Timemachine are for, right?
    Wrong.
    After the restore, my production machine came up fine, everything worked - except pushing anything to my devices.
    So, technically I restored OS X Lion Server to a running state AND had 3 different means of backup, just in case (CCC, Timemachine, scripted DB dumps and OD dumps)  and still in the end, I had a bunch of devices that needed to be re-enrolled. Brilliant.
    More gnashing teeth. Now, knowing I need to re-enroll anyway, I installed ML Server from scratch, created a new Push certificate (using [email protected].), re-entered ALL mobile devices, policies and groups by hand (oops, Apple dropped psqldump support in ML Server, there is no database import from prior versions..FRAK) and re-enrolled all devices, happy users assured.
    And now the fun part: If you sign your mobile profiles (you know, that checkbox in Server App) for extra security, you need to take care of your Code Signing Certificates validity. You can renew this easily (one click, BOOM, magic).
    The Code Signing Certificate is valid for 1 year.  If you renew this certificate, re-enrollment is mandatory.
    DOUBLE-FRAK.
    So in the end, it didn't matter at all that I renamed my Apple-ID back and forth, it didn't matter that the in-place upgrade didn't work out and I had to do a clean install, there was actually no option of pulling this stunt without re-enrolling all devices, at least when the Code signing certificate were to expire.
    Please Apple, FIX this. It can not be, that I have to re-enroll all my devices EVERY YEAR. Why are your certificates only valid one year? Why can't you design a convenient mechanism to renew all certificates and push them to the devices automatically?

  • Automatic renewal of certificates through CEP / CES.

    We currently have a PKI on Windows 2008 R2 and in this case as customers use notebooks with Windows 7 SP1.
    I have problem with the automatic renewal of computer certificate through CEP / CES.
    Services CEP / CES are installed on the same server, the CA is in another server.
    You want to automatically renew computer certificate through Internet.
    These services are configured to only computer certificate renewal and renovation to allow authentication using a certificate previously issued to PC.
    The first computer certificate is issued automatically through the settings in Group Policy in Active Directory, then the team has its certificate is configured PC Local Group Policy to configure the server URL CEP / CES.
    I have no problem when I do the renewal through the MMC, only occurs when the team wants it done automatically.
    Error events are:
    Event ID 68
    Certificate enrollment for Local system failed in authentication to policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
    (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
    Event ID 67
    Certificate enrollment for Local system failed to load policy from policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
    (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
    Event ID 6
    Automatic Certificate enrollment for Local system failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The documentation used to install CEP / CES is:
    http://www.microsoft.com/en-us/download/details.aspx?id=1746
    I thank anyone who can guide me with this problem.
    Greetings.

    Hi,
    I think "Auto Renewal of certificates through Internet (CEP / CES)" is a new feature in ADCS of Windows 2012. Not sure whether it can be realized in Server 2008.
    Anyway, here are two links which might be useful to you:
    Enabling CEP and CES for enrolling non-domain joined computers for certificates
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    So anybody got autoenrollment working for CES on non-domain-joined computer?
    http://www.networksteve.com/forum/topic.php/So_anybody_got_autoenrollment_working_for_CES_on_non-domain-join/?TopicId=28451&Posts=2
    Niko

  • Renew SSL Certificate for two Exchange 2010 Server and the new rules.

    I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm I bet Microsoft have something on their website too that helps with this sort of question. I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

    Hi there , 
    My Exchange 2010 Server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we cannot include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is an internet-facing server (where the certificate is initiated and installed) and one is a non-internet-facing Exchange server.
    If I am going to renew my certificate with public-only names, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
    This topic first appeared in the Spiceworks Community

  • Connection could be validated error in production after renewing FAST Certificate

    I have renewed the FAST certificate on the admin and non-admin servers, copied it to the SharePoint Application server, and ran the
    PS C:\> .\SecureFASTSearchConnector.ps1 –certPath “C:\FASTSearchCert.pfx” –ssaName “ ” –username “DOMAIN\SP_Farm”
    It errors out: Connection to contentdistributor fast.contoso.com:13391 could not be validated.
    Check your certificates and ssa configuration and make sure that instance of FAST Search Server backend is running.
    And I tried to run
    Ping-SPEnterpriseSearchContentService –HostName "FQDN"
    The ConnectionSuccess value for FASTSearchCert should show "True" if the certificate is configured
    properly.
    Connection success is always false. 
    I have done IISreset and tried to renew the certificates a couple of times. But no use.
    Can anyone please try to point me in the right direction?
    Thanks

    Hello KPallela,
    Can you confirm the below items?
    What service pack and CU do you have applied to your Fast Search for SharePoint 2010 environment?
    Are you putting the port 13991 in your Ping-SPEnterpriseSearchContentService command? 
    For example: Ping-SPEnterpriseSearchContentService domain.com:13391
    Can you confirm that your %fastsearch%\etc\Contentdistributor.cfg has the correct port number 13990
    Can you confirm that the Fast Content SSA content distributor section is configured with the correct port number 13991 in the UI?
    Can you confirm that the certificate found in the MMC on the SharePoint crawler node is not showing as expired (since you have renewed it)
    Can you confirm that the Search Service account is a member of the FastSearchAdministrators group
    Can you check if the thumbprint for the contentdistributor in %fastsearch%\etc\nodeconf.xml matches what is in %fastsearch%\etc\node.xml (note: It is not recommended to update these files manually)
    Can you confirm that the steps you followed to generate the new certificate match the TechNet article
    http://technet.microsoft.com/en-us/library/ff381244(v=office.14).aspx
    Can you verify that when you ran
    .\SecureFASTSearchConnector.ps1 –certPath “C:\FASTSearchCert.pfx” –ssaName “ ” –username “DOMAIN\SP_Farm” that the –ssaName did not contain the “ “ as the parameter, but rather the actual name of your SSA (example: “Fast Content SSA”)
    Can you confirm that there is not a special character in your search service account, such as a dollar sign?
    Let us know your findings, and if you have any questions on the above.
    Thanks!
    Rob Vazzana | Sr Support Escalation Engineer | US Customer Service & Support
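
    Three of the checks from the reply above (certificate expiry, and the thumbprints referenced in nodeconf.xml and node.xml) can be run read-only on the FAST Search server. This is an added PowerShell example, not part of the original posts or of Microsoft's scripts; it assumes the FASTSEARCH environment variable is set and that the certificate subject contains "FASTSearchCert".

    ```powershell
    # Added example, read-only. Assumptions: the FASTSEARCH environment variable
    # is set (the %fastsearch% used above) and the certificate subject contains
    # "FASTSearchCert"; adjust the filter if yours differs.
    $now = Get-Date

    # 1. Expiry of the certificate in the machine store (what the MMC shows).
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*FASTSearchCert*' })
    if ($certs.Count -eq 0) { Write-Warning 'No certificate matches the assumed subject filter.' }
    $certs | Select-Object Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } }

    # 2. Thumbprints referenced by the two files. The XML layout is not assumed:
    #    every 40-hex-digit string is treated as a candidate thumbprint.
    function Get-ThumbprintsInFile([string]$Path) {
        if (-not (Test-Path $Path)) { Write-Warning "Missing: $Path"; return }
        $text = [IO.File]::ReadAllText($Path)
        [regex]::Matches($text, '\b[0-9A-Fa-f]{40}\b') |
            ForEach-Object { $_.Value.ToUpper() } | Sort-Object -Unique
    }

    if (-not $env:FASTSEARCH) { throw 'FASTSEARCH is not set; run this on the FAST Search node.' }
    $etc      = Join-Path $env:FASTSEARCH 'etc'
    $nodeconf = @(Get-ThumbprintsInFile (Join-Path $etc 'nodeconf.xml'))
    $node     = @(Get-ThumbprintsInFile (Join-Path $etc 'node.xml'))

    if ($nodeconf.Count -eq 0 -or $node.Count -eq 0) {
        Write-Warning 'No thumbprint found in at least one file; compare them by hand.'
    } else {
        $diff = Compare-Object $nodeconf $node
        if ($diff) { $diff } else { 'nodeconf.xml and node.xml reference the same thumbprints.' }
    }

    # 3. Every thumbprint the files reference should belong to an unexpired
    #    certificate in the machine store; report the ones that do not.
    $valid = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -gt $now } | ForEach-Object { $_.Thumbprint })
    foreach ($t in @($nodeconf + $node | Sort-Object -Unique)) {
        if ($valid -notcontains $t) { Write-Warning "No unexpired certificate in LocalMachine\My for $t" }
    }
    ```

    Any output from step 2's comparison, or any warning from step 3, points at a thumbprint left over from the certificate that was replaced.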

  • Renew root certificate

    Hi all,
    My self-signed root cert is expiring. I would like to ask: if I renew this certificate at my CA server, will it affect my Exchange 2007, especially mail flow? If so, how do I renew it without affecting it?
    I will most likely be renewing it without generating a new key.
    I appreciate any suggestions.

    Hi,
    Based on my experience, a new self-signed certificate should be trusted by all clients. Thus, there will be a security alert when clients try to use the new certificate. To deploy the certificate for all clients, we can depend on group policy:
    http://unixwiz.net/techtips/deploy-webcert-gp.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    However, I recommend you confirm it on our Windows server forum as the above suggestion.
    To renew a self-signed certificate, you can refer to the following article:
    http://www.ncol.net/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/
    If you have any questions, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

    Thank you, Angela, for the reply. I have renewed my Exchange certificate. It is the root certificate that I need to do. If I were to renew the existing root cert, extending the expiry date, will all my clients connecting to the CA automatically be updated, or do I need to create a cert and install it on every PC connecting on my office LAN?
    Thanks again for the reply. Please do not stop the other suggestions from coming. I am grateful for all helpful advice I could get.

  • LDAP stopped / renew & expired certificate

    I replaced expiring certificates with new ones, and removed the old ones a couple of weeks ago.
    However, on the date of the old expiring certificates, email accounts are not responding and I am unable to authenticate in my Workgroup Manager, apparently because the LDAP server is stopped. I surmise that the LDAP server is stopped because of the change of certificate.
    I have deselected and reselected the new certificate in the Open Directory server with reboots to no avail.
    Can anyone point me to how to get the system (or LDAP/Open Directory) to honor the new certificates correctly?
    The old certificates are expired, and were removed. The new certificates (self-signed) appear good.
    TIA!
    -jason

    I was able to get everything working again by following this thread:
    http://discussions.info.apple.com/message.jspa?messageID=12566235
    It is frustrating that documentation around the use & renewal of certificates in OS X Server is lacking.
