Renewed push certificate, do I have to re-enroll devices

Similar Messages

• Renewing Push Certificate with renamed Apple ID

  Hello everyone,
  I have a specific problem here:
  - I set up an OS X Lion Server at work to manage a bunch of iOS devices with Profile Manager
  - I created an Apple-ID for my work-email to request a Push Certificate for that server
  - I then RENAMED the Apple-ID to a functional email-address (however, my original one is still setup as alternative email address)
  - I can still see my Push Certificate when login in to the Push Certificate Portal
  - Now, I need to renew that certificate in 30 days.
  Question 1: Can I renew that certificate using the Server.app (which still knows my old email-address) or do I need to rename my Apple-ID AGAIN to the old state before doing so?
  Question 2: Will I need to re-enroll my iOS devices with either option stated above?
  Question 3: I plan to upgrade to Mountain Lion Server - in the process, I will be asked for an Apple-ID for the Push Certificate ... will it be clever enough to recognize my renamed Apple-ID, or do I need to rename it before that as well?
  Question 4: Is it possible to let Apple Support handle this mess, has anyone tried that successfully so far?
  Thanks for reading :-)
  Best regards,
  Olaf

  I'd like to share my experience how the process went.
  As initially stated, I needed to renew my Push Certificate within 30 days, but had renamed my Apple ID (from [email protected] to [email protected]).
  Renewing meant, re-enrolling all devices. Somebody suggested, I should upgrade to Mountain Lion Server first, THEN renew, it would be easier then (you know, click one button and BOOM, magic..).
  So, the idea then was
  - Perform in-place-upgrade
  - re-enroll certificate after upgrade
  short answer... that didn't work out.
  Before upgrading, I trained on a cloned system.
  In the process of the upgrade, you HAVE to enter an Apple-ID (i.e. email address) to connect to the APNS ... that means it either is exactly the one you created the Push Certificate with in the first place, or you re-enroll or your devices - Apple gives a nice warning message during the process.
  OK, gnashing teeth, I renamed the Apple-ID back to the original state and tried the in-place upgrade again, this time on the production server ... what should go wrong,  it worked out before on the clone (sans the certificate part) ... hhhm ... not this time. It seemed to be some problem with the Raid card. But hey, that's what Carbon Copy Cloner, psqldump and Timemachine are for, right?
  Wrong.
  After the restore, my production machine came up fine, everything worked - except pushing anything to my devices.
  So, technically I restored OS X Lion Server to a running state AND had 3 different means of backup, just in case (CCC, Timemachine, scripted DB dumps and OD dumps)  and still in the end, I had a bunch of devices that needed to be re-enrolled. Brilliant.
  More gnashing teeth. Now, knowing I need to re-enroll anyway, I installed ML Server from scratch, created a new Push certificate (using [email protected].), re-entered ALL mobile devices, policies and groups by hand (oops, Apple dropped psqldump support in ML Server, there is no database import from prior versions..FRAK) and re-enrolled all devices, happy users assured.
  And now the fun part: If you sign your mobile profiles (you know, that checkbox in Server App) for extra security, you need to take care of your Code Signing Certificates validity. You can renew this easily (one click, BOOM, magic).
  The Code Signing Certificate is valid for 1 year.  If you renew this certificate, re-enrollment is mandatory.
  DOUBLE-FRAK.
  So in the end, it didn't matter at all that I renamed my Apple-ID back and forth, it didn't matter that the in-place upgrade didn't work out and I had to do a clean install, there was actually no option of pulling this stunt without re-enrolling all devices, at least when the Code signing certificate were to expire.
  Please Apple, FIX this. It can not be, that I have to re-enroll all my devices EVERY YEAR. Why are your certificates only valid one year? Why can't you design a convenient mechanism to renew all certificates and push them to the devices automatically?

• Renewing Push Certificates?

  Hi,
  For newstand apps - do push certificates need to be renewed? Does anyone have information on how to do this?
  Thank you.

  1. No, Apple does not send a notification. If your dev and dist p12 cents expire, your app will be rejected at some point in the submission process--I don't recall when. It might be while building the app. If you don't update your app, expired dev and dist certs don't matter. Users can still use your app as before. You can even submit an app with expired push certs and your app will work fine--except for push, of course.
  2. The distribution app in the store and on users' devices will still work if the distribution p12 is expired, but you'll need to update the cert before you resubmit a new version of the app. That's my understanding. An expired push production cert affects only push itself. If your push cert is expired, you'll get an error message when you click Notify. Users can still subscribe, download, and view articles regardless of push, but they won't get badges or background downloads.
  3. If your dev and dist p12 certs are expired, just update them before you submit a new version. You don't need to rush to do it. For the p12 push cert, I don't believe that you need to resubmit the app. I believe that if you revoke and rebuild the push certs, the change is registered with Apple, and you can click Notify without an error. I'll be testing this soon.

• How do I Renew a Push Certificate? - when I follow instructions.

  When I go to Server and in Settings/Edit/Renew (to renew a push notification)
  I get the following:
  "The current certificate cannot be renewed. You must acquire a new certificate and reconfigure your devices."
  No further instructions on how to acquire the "new" certificate.
  Someone please lead me in the right direction?
  Thank you.

  I seem to be in a bit of a circular reference on this. The notifications part of the Server app tells me I cannot renew the certificate. When I go to "Manage my Certificates" and log into the portal, it  tells me I must use the server app to obtain a new certificate. I'm still using Mountain Lion on my server and while I can live with this, my log is being bombarded with expired certificate notices that there doesn't seem a straightforward mechanism to fix.

• SChannel error- The SSL server credential's certificate does not have a private key information property attached to it.

  We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
  to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
  fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
  not have a private key information property attached to it"  There is no software firewall set on the DC. When I run Certutil -VerifyStore MY  it shows the current certificates as well as the revoked and expired certificates
  correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
  FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
  expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
  point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
  appreciated.

  Hi,
  Have you tried this?
  How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
  http://support.microsoft.com/kb/889651
  Best Regards,
  Amy

• Error while renewing the certificate in SSLM

  Hi,
  While renewing the certificate on SSLM I am getting the following error
  % failed to parse or verify imported certificate.
  I am able to upload root certificate successfully.
  I am sure that I renewed the certificate using the correct parameters.
  Please advise
  Regards
  Jithesh

  Hi Jithesh,
  This error can occur when you install the identity certificate and do not have the correct intermediate or root CA certificate authenticated with the associated trustpoint. You must remove and reauthenticate with the correct intermediate or root CA certificate. Contact your 3rd party vendor in order to verify that you received the correct CA certificate.
  Cheers!!
  Sachin

• SSPR registration and reset started to fail after renewing the certificates

  Hi,
  On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fails on the  last
  step of the process. So for example when user browse to https://passwordreset.domain.com and fills in their domain\username and click next, FIM will send a security code (SMS OTP) to user´s mobile phone and once user then fills in code and click Next, the
  Communication error 3008 is shown to user. Same happens in the last step of the registration where user reviews that the mobile number is correct before clicking finally next. Once clicked the same error as is with Reset portal is shown to user. 
  Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.
  All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
  The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
  The error page was displayed to the user.
  Details:
  Title: Communication Error
  Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
  Source: 
  Attributes: 
  Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration.
  This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException:
  An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an
  HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
  Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
  The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
  Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
     at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
     at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims,
  Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
     at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
     at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
  Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad
  request which is ok.
  At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
  http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
  https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
  https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
  https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
  Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment. 
  -Pappa75

  Hi,
  Have you Stop-Start the FIM Service? If not then try this after performing this step. Also, there may be a possibility that the service won't be able to start if there is issue with the certificate.
  The SSPR issue is related to certificate only, which might have some missmatch in the thumbprint value or some other problem.
  If there is a problem with thumbprint of certificate, then you might see error in the Event Viewer and which can be resolved by making the certificate's thumbprint same within registry.
  Regards,
  Manuj Khurana

• Why do I keep getting "Error getting push certificate" when trying to enable Profile Manager

  I keep getting this stupid error message!  The Stupid Workgroup manager doesn't work! Won't allow me to do anything!  What is the point in that! Sorry, just having a rant as I have just purchased this server which I can't do anything with.  Can't get Profile Manager working because I keep getting error getting push certificate and cannot associate any user with a group.  I can delete groups and users from AD but just wont allow me to create anything.  The padlock is open so am authenticated.  WHAT IS GOING ON WITH APPLE!

  And do you know what is really sad, 3 hours later and I am still waiting for a confirmation email from Apple.  No wonder the UK use mostly Windows!

• Renew Machine Certificate for multiple Servers

  Hi,
  We have Windows 2003 Enterprise CA which issues certificates to servers which are used for various purpose like Wifi Authentication, Secure RDP. We have checked that the certificates are going to expire within few weeks. We want to renew certificates before
  expiry but the number of servers is high so we cannot do it manually by logging into each server.
  We doesn't have ACRS enabled for computer certificates and even if we configure it now that will not help.
  Is there a way to renew the certificates for all the servers remotely.

  On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
  We already have auto-enrolment enabled through GPO. The settings are as follows
  Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
  Update and manage certificates that use certificate templates from Active Directory ..........Enabled
  I think that you're confusing Automatic Certificate Request Services and
  autoenrollment. In your first post in this thread you mention ACRS, however
  the above settings are for autoenrollment. ACRS is only for certificates
  that are based upon V1 certificate templates and then only for machine
  certificates. Autoenrollment on the other hand does not work for anything
  less than V2 certificates and supports both machine and user certificates.
  If you're using V1 certificate templates then you can set autoenrollment
  settings in a GPO and it will not have any impact at all.
  Paul Adare - FIM CM MVP
  Remember the signs in restaurants "We reserve the right to refuse
  service to anyone"? The spammers twist it around to say "we reserve
  the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

• Wrong Pin error while renewing SAprouter certificate

  Hi,
  i tried renewing Saprouter certificate from marketplace.
  while installing the certificate using the command below, we get the following error.
  E:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert.txt -p local.pse
  import_own_cert: Couldn't open PSE "E:\usr\sap\saprouter\local.pse"
  ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
  ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE
  ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE
  Please suggest a solution for this issue. Is there any command to install the certificate by providing the PIN which we have given while generating local.PSE file.
  Thank you.

  Hi Mamta,
  Did you goted the solution as mark issue.
  If yes kindly share the solution, i am getting same issue.
  Waiting for ur reply.
  Thanks
  Santosh

• Error while uploading Push Certificates into DPS Pannel

  Hello,
  i've been trying to upload Push Certificates (they're p.12 exported via keytool) but when submitting them into dps notification panel i get the error of invalid push (dev & dist) certificate. Why can this be?

  It means your certificates are invalid. Are you sure they have a valid start and end expiration date? If you can't figure it out call enterprise support for assistance. You can find contact information by logging into http://digitalpublishing.acrobat.com/ and looking at the bottom middle of the screen for the support contact link.
  Neil

• Automatic renewal of certificates through CEP / CES.

  We currently have a PKI on Windows 2008 R2 and in this case as customers use notebooks with Windows 7 SP1.
  I have problem with the automatic renewal of computer certificate through CEP / CES.
  Services CEP / CES are installed on the same server, the CA is in another server.
  You want to automatically renew computer certificate through Internet.
  These services are configured to only computer certificate renewal and renovation to allow authentication using a certificate previously issued to PC.
  The first computer certificate is issued automatically through the settings in Group Policy in Active Directory, then the team has its certificate is configured PC Local Group Policy to configure the server URL CEP / CES.
  I have no problem when I do the renewal through the MMC, only occurs when the team wants it done automatically.
  Error events are:
  Event ID 68
  Certificate enrollment for Local system failed in authentication to policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
  (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
  Event ID 67
  Certificate enrollment for Local system failed to load policy from policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
  (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
  Event ID 6
  Automatic Certificate enrollment for Local system failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
  The documentation used to install CEP / CES is:
  http://www.microsoft.com/en-us/download/details.aspx?id=1746
  I thank anyone who can guide me with this problem.
  Greetings.

  Hi,
  I think "Auto Renewal of certificates through Internet (CEP / CES)" is a new feature in ADCS of Windows 2012. Not sure whether it can be realized in Server 2008.
  Anyway, here are two links which might be useful to you:
  Enabling CEP and CES for enrolling non-domain joined computers for certificates
  http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
  So anybody got autoenrollment working for CES on non-domain-joined computer?
  http://www.networksteve.com/forum/topic.php/So_anybody_got_autoenrollment_working_for_CES_on_non-domain-join/?TopicId=28451&Posts=2
  Niko

• Renew SAProuter Certificate

  Dear all,
  anyone has detailed steps in how to renew SAProuter certificate in AS/400 environment.
  help and advice are highly appreciated and rewarded.
  thanks.
  regards,
  Kent

  Hello Kent,
  Refer to following steps:
  Saprouter needs to be stopped before doing this activity.
  1. Logon to host with username and password of SAP router service credentials
  2. Stop the Saprouter service 3. Make a backup of the folder E:\usr\sap\saprouter
  3a. This can be deleted after a successful upgrade
  4. Delete this 4 files in E:\usr\sap\saprouter
  4a. certreq
  4b. cred_V2
  4c. localpse
  4d. srcert
  5. Generate the certificate request using the following command 5a. E:\usr\sap\saprouter>sapgenpse get_pse u2013v u2013r certreq u2013p local.pse "your distinguish name"
  Example- "CN=sap12301.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"
  5b. Enter a PIN of <xxxx>
  6. Copy the contents of certreq to the clipboard
  7. Go to http://www.service.sap.com/saprouter-sncadd
  8. Paste the contents of the clipboard into the form
  9. This will generate a new certificate, copy its contents into a file called srcert
  9a. You will have to create srcert
  10. Then import the certificated using the following command
  10a. E:\usr\sap\saprouter>sapgenpse import_own_cert u2013c srcert u2013p local.pse
  10b. Enter the PIN of <xxxx>
  11. The setup the logon using the following command
  11a. E:\usr\sap\saprouter>sapgenpse seclogin u2013p local.pse
  11b. This will create a file called cred_V2
  12. Check if the certificate has been loaded correctly by using the following command
  12a. E:\usr\sap\saprouter>sapgenpse get_my_name u2013v u2013n Issuer
  13. Start the Saprouter service
  The distinguished name must be:
  "CN= your hostname, OU 1234 ,OU=SAProuter,O=SAP,C=DE "
  Let me know of any questions
  Rohit

• Renew SSL Certificate for for two Exchange 2010 Server and the new rules.

  I find DigitCert's website always helpful with cert questions.They've got a pretty helpful page here: https://www.digicert.com/internal-names.htmIt looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htmI bet Microsoft have something on their website too that helps with this sort of question.I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  Hi there , 
  My exchange 2010 Server Certificate is about to expire and i am going to renew it but according to the new rules for SSL Certificate Issuing we can not include our Local Servers Names and Local FQDN such as myserver.contoso.local, my issue is that i have 2 exchange servers one is internet-facing Server (where the certificate is initiated and installed) and one is non-internet-facing Exchange server.
  if i am going to renew my certificate with public only name, I have to create a split Domain that reflects my external links to the internal Users, what shall i do for the non-internet-facing server? do i need to create another record in my split DNS Server and add it to my Certificate Request ? 
  This topic first appeared in the Spiceworks Community

• Connection could be validated error in production after renewing FAST Certificate

  I have renew the FAST certificate in admin and non admin servers and copied to Sharepoint Application server and ran the 
  PS C:\> .\SecureFASTSearchConnector.ps1 –certPath “C:\FASTSearchCert.pfx” –ssaName “ ” –username “DOMAIN\SP_Farm”
  It error out: Connection to contentdistributor fast.contoso.com:13391 could not be validated.
  Check your certificates and ssa configuration and make sure that instance of FAST Search Server backend is running.
  And I try to run 
  Ping-SPEnterpriseSearchContentService –HostName "FQDN"
  The ConnectionSuccess value for FASTSearchCert should show "True" if the certificate is configured
  properly.
  Connection success is always false. 
  I have done IISreset and tried to renew the certificates couple of times. But no user. 
  Can anyone please try to point me in right direction.
  Thanks

  Hello
  KPallela,
  Can you confirm the below items?
  What service pack and CU do 
  you have applied to your Fast Search for SharePoint 2010 environment?
  Are you putting the port 13991 in your Ping-SPEnterpriseSearchContentService command? 
  For example: Ping-SPEnterpriseSearchContentService domain.com:13391
  Can you confirm that your %fastsearch%\etc\Contentdistributor.cfg has the correct port number 13990
  Can you confirm that the Fast Content SSA content distributor section is configured with the correct port number 13991 in the UI?
  Can you confirm that the certificate is found in the MMC on the SharePoint crawler node is not showing expired (since you have renewed it)
  Can you confirm that the Search Service account is a member of the FastSearchAdministrators group
  Can you check if the thumbprint for the contentdistributor in %fastsearch%\etc\nodeconf.xml matches what is in %fastsearch%\etc\node.xml (note: It is not recommended
  to update these files manually)
  Can you confirm that the
  steps you followed to generate the new certificate match the TechNet article
  http://technet.microsoft.com/en-us/library/ff381244(v=office.14).aspx
  Can you verify that when you ran
  .\SecureFASTSearchConnector.ps1 –certPath “C:\FASTSearchCert.pfx” –ssaName “ ” –username “DOMAIN\SP_Farm” that the –ssaName did not contain the “ “ as the parameter, but rather
  the actual name of  your SSA (example: “Fast Content SSA”)
  Can 
  you confirm that there is not a special character in your search service account, such as a dollar sign?
  Let us know your findings, and if you have any questions on the above.
  Thanks!
  Rob Vazzana | Sr Support Escalation Engineer | US Customer Service & Support
  Customer Service   & Support                         
    Microsoft| Services