Root and Intermediate Certificate

I have a problem with installing a certificate into the ASA. I have followed the following link http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml but I keep getting an error when installing the certificate that I received from my 3rd-party CA vendor.
I have followed the instructions 5 times and I still get the error ERROR: Failed to parse or verify imported certificate or Certificate does not contain general purpose public key. I think the reason why I am getting this error is that my certificate needs a root and intermediate certificate.
The certificate I want to install is Comodo PositiveSSL. So can anyone help me with how I can solve this problem?

I have checked the certificate on my computer after I installed the root and intermediate certificate, and the certificate looks perfect.
I get the errors after I installed the root or intermediate certificate. So the question is how can I install a root and intermediate certificate.
The certificate is based on CSR.
Check if you can decode it with SSL before you jump to conclusions.
Are you installing identity or SA/subCA certs? Is the cert based on a CSR or pre-generated by the CA?
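
The questions raised in this thread (does the certificate decode, does it chain through the intermediate to the root, and was it issued for the CSR in hand) can be answered off-box before any import. The script below is an added example, not part of the thread: it assumes the OpenSSL command line (the thread does not name a tool) and runs against a constructed throwaway root, intermediate and identity certificate; every file name and subject name in it is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: off-box checks for a CSR-based identity certificate.
# All files under $LAB are a constructed throwaway PKI, not data from the thread.
set -eu

mkreq() { openssl req -newkey rsa:2048 -nodes "$@" 2>/dev/null; }

sign() {  # sign CSR CA_CERT CA_KEY SERIAL EXT_SECTION OUT
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 2 \
    -extfile "$OPENSSL_CONF" -extensions "$5" -out "$6" 2>/dev/null
}

build_lab() {  # $1 = directory to fill with root, intermediate and identity files
  local d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_id]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  export OPENSSL_CONF="$d/lab.cnf"   # keep the lab independent of the system config
  mkreq -x509 -extensions v3_ca -days 2 -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt"
  mkreq -new -subj "/CN=Lab Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr"
  sign "$d/int.csr" "$d/root.crt" "$d/root.key" 2 v3_ca "$d/int.crt"
  mkreq -new -subj "/CN=vpn.example.test" -keyout "$d/id.key" -out "$d/id.csr"
  sign "$d/id.csr" "$d/int.crt" "$d/int.key" 3 v3_id "$d/id.crt"
  # Second CSR from a different key pair: models a reply issued for another request.
  mkreq -new -subj "/CN=vpn.example.test" -keyout "$d/other.key" -out "$d/other.csr"
}

decodes() {  # 0 if FILE parses as a PEM X.509 certificate
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

chain_ok() {  # chain_ok ROOT LEAF [INTERMEDIATE]: 0 if LEAF verifies up to ROOT
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

matches_csr() {  # matches_csr CERT CSR: 0 if both carry the same public key
  local c r
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$r" ]
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
build_lab "$LAB"
report decodes "$LAB/id.crt"
report chain_ok "$LAB/root.crt" "$LAB/id.crt"                 # fails: intermediate missing
report chain_ok "$LAB/root.crt" "$LAB/id.crt" "$LAB/int.crt"  # passes with the full chain
report matches_csr "$LAB/id.crt" "$LAB/id.csr"                # passes: same key pair
report matches_csr "$LAB/id.crt" "$LAB/other.csr"             # fails: different request
```

With real files, pass the CA's root and intermediate, the issued certificate and the CSR generated on the device in place of the lab paths.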

Similar Messages

  • Are root and CA certificates the same?

    Hi All,
    Can anyone help us understand whether the root and CA cert are the same?
    keytool -genkey -alias kumar -keyalg RSA -keystore keystore.jks (created keystore)
    keytool -certreq -alias "kumar" -keystore keystore.jks -file domain.csr (created CSR)
    keytool -import -trustcacerts -alias kumar -file Thawte.crt -keystore keystore.jks
    After this we are facing an error "Failed to establish chain from reply"
    Next I am going to do this
    keytool -import -trustcacerts -alias kumar -file mytrustedcert.crt -keystore keystore.jks
    Please help me understand why I am getting the error
    Please check the alias clearly (do we need to use only the same one?)
    Regards
    vasu

    Hi Vasu,
    You need to use the same alias while creating the private key in the keystore (keytool -genkey), creating a certificate request (keytool -certreq) and importing the signed certificate (sent by the CA) (keytool -import) to the keystore.
    According to you if we create a different alias while importing a CA and signed cer (ex: alias a for CA cert and alias b for signed cert) then which alias will be providing at host tp..? You should use alias b (signed cert alias or private key alias).
    if they have given only one cert then what will we share with trading partners? You should share the public cert of your corresponding private key.
    we submitted csr to our cert team and they have given only one cert which includes CA, is this enough or do we need to ask for other certificate also? Your cert team should provide you one signed certificate and one (or two) CA certificates. You should first import the CA certs (root and intermediate CA) and then import the signed CSR.
    Regards,
    Anuj

  • Root and Issuing Cert Enrolment

    I have a 2012 2-tier PKI environment: an offline root CA and 4 enterprise issuing CAs. The offline root CA has been published to AD; the enterprise issuing CAs are in AD by virtue of being enterprise CAs. My question is how did the root cert and the issuing CAs' certs get into the local stores on each machine. Auto-enrolment has not been configured on the computer OUs.
    Is there a GPO in the default domain policy, or is there another mechanism that does this? certutil -pulse does a re-enrolment for any pending certs (root and issuing included). What mechanism is this calling, i.e. what protocol is this using?
    Thanks

    Hi,
    As soon as you have published a root or intermediate CA certificate to AD, the certs get distributed to all machines with the next gpupdate run. There is no actual GPO setting required for that. But there is a GPO setting so that you can distribute CA certs from e.g. business partners to only a subset of machines.
    Depending on your configuration, autoenrollment triggers the PKI client over API to request a new certificate over RPC/DCOM or HTTPS (not /certsrv !) (http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#How_Certificate_Enrollment_Web_Service_Differs_from_CA_Web_Enrollment)
    Regards,
    Lutz
    It is not quite a correct statement. Certificate publishing relies on autoenrollment/enrollment triggers. If there is no configured autoenrollment policy and no (manual) enrollment performed, the certificate will not be downloaded from Active Directory.

  • Assigning default values to root and subnode attributes

    Hello,
    I created a BO with a root node. In order to assign some default values after a root instance is created, I've implemented a determination. Everything is working as expected. When the instance is created (and only then) the init method is processed and the default values get assigned.
    As a next step, I added a subnode. I need to assign some default values to a new instance as well. So, I've created a determination for this subnode, in the same way as I did it for the root node.
    Now, when a new instance is created, the init method of the root is processed, but not the init method of the subnode. Only when I change a value of a subnode attribute and do a save, the init method of the subnode is processed and the init method of the root node as well (overwriting any changes with the default values, which is wrong).
    How can I achieve that after instance creation (and only at this point), the init method of the root and then the init method of the subnode are processed?
    Thanks for any advice.
    regards,
    Ulli

    Hi Ulli,
    It should work if you have configured as rightly mentioned by Tilmann.
    But if you want to debug the framework to understand the behaviour, you have to go to class /BOBF/CL_FRW.
    Put a break-point in any of these methods: CHECK_AND_DETERMINE / DO_DETERMINATIONS / DO_DETERMINATIONS_RETRIEVE / DO_DETVAL
    Thanks,
    Bharath.

  • Flex mobile project: web root and root path for a remote web service?

    Hi all,
    I'm trying to set up the testdrive tutorial for a Flex mobile project, with Flash Builder 4.5 and PHP data.
    I've uploaded the files on my remote web space (e.g. http://mywebsite.org, and the test file is http://mywebsite.org/TestDrive/test/test.php... and it works correctly)... But when I'm setting the properties of the project, I don't know what to write into the web root and root path fields... I think root path is simply http://mywebsite.org... and whatever I write in the other fields (output folder too) I have errors when I click on "validate configuration"...
    What should I put into those fields? Is Zend Framework (and gateway.php) strictly necessary?
    As you can see... I'm a bit confused....
    Many thanks for any help
    Bye
    Alex

    I thought it was a simple question...
    No advice?

  • Where is the cron for root and how to edit at start-up?

    I was using Cronnix (as I am not very familiar with cron, Unix etc.) to create a root system task to reboot my server every night.
    As I hit save I noted I made a mistake and have it run every minute, so I do not get in any more.
    So there are two solutions I can see. One is to remove the file that holds the information. In order to do this I need to know where it is, and I do not.
    Or to get in over Command-S at startup and change it there.
    Or?
    FYI I can get to the computer in T mode via another one.
    As you might imagine, any help is more than welcome.

    I'd go for the single-user mode startup and edit the crontab from there.
    Hold Cmd-S during power up. Once the system finishes booting follow the instructions on screen to mount the root filesystem, then log in as root and run:
    crontab -e
    use the arrow keys to move to the offending cron entry then type:
    dd
    <esc>
    :wq!
    The 'dd' deletes the current line. <esc> (the Escape key) switches to command mode and ':wq!' tells vi to quit and save the file.
    From there you should be able to exit to resume normal startup.

  • System with encrypted root and random passphrase

    Hello, everybody.
    I've got some questions regarding some kind of secure systems. After a short period of time, I had the idea of a system with some security constructions regarding some special situations. This is most of the time not really important for me, but sometimes I like to think about some very paranoid situations just for fun. So every criticism is enjoyed and nice to hear.
    I know that everything is only as secure as the weakest link; this is especially the case with the higher applications which provide services, increased with a network and based on the underlying system and the physical access to the hardware. So it will for sure have flaws, but I try to concentrate at this time on the basics, and maybe someone has the knowledge of what is possible with an increasing effort known at this time and the possibilities of technology today.
    Let's say I have a system providing some services. It is headless so no physical keylogger could be implemented. It has a BIOS protection and can only boot from USB. I've got 2 USB sticks. One with an encrypted system which autologins as root, and the other USB stick provides the keyfiles needed for the system to boot at all. The system boots into tmpfs and then uses /dev/random to generate a new long passphrase which becomes the new root password. The new password will be written to the second USB stick with a date and maybe other unique indicators (separated from the original keyfile). So the new password is different from the original booting one. This password is only valid for, let's say, 12 hours; after that the system has to be rebooted. Maybe at this point the tmpfs rest storage has to be overwritten with /dev/zero to delete every entry of the old one. (Does the system crash here? I don't know.) After that the USB sticks are ejected and kept safe by the maintainer. The system also has to be kept physically safe -- like in a safe.
    So what is the main point here? The system gets a new and automatically generated password every working day. The maintainer has the possibility to access the running machine with the saved new password. The enemy can't really insert a permanent access to the system because of the every-day changing password. The maintainer can leave the system alone in the safe, and is the only one who has the sticks. Two sticks are more secure than one unencrypted.
    I think this can also be expanded with a diskless system for more network systems, waiting with sshd for the passphrase procedure, keeping everything "live" and every service passphrased by the user, like file access to another system.
    I don't think that nobody has had the same idea, so there have to be flaws.
    Oh, and by the way:
    How can I prevent the user from using Ctrl+Alt+Del to reboot?
    How can I see when the network cable has been unplugged, maybe with an optical indicator connected as a serial input to the lights of the switch, or maybe in a more electrical way examined with a serial input connected to the main system?
    When I load the / system into a tmpfs I know exactly how big it is (there is no logging; I don't know the size of a running /tmp) and I will give it only the exact size and mount the user tmpfs separately. So when the enemy gains user privileges he can only expand the user filesystem space for his use, but if he wants to expand the root filesystem, the system will crash and maybe reboot, which could maybe be recognized? OK, if he has root he could hardlink to the userspace. Hmm, I don't know.
    Maybe I should not post this thread, but I want to know more.
    There are many questions remaining, but I am no coder and I will try not to go too far beyond my knowledge. So ....
    Thanks for your answers
    and
    greetings

    Without hacking the encrypt hook, you'll only be able to unlock one volume at the same time. Afaik the device mapper asks for a password for each encrypted partition, and using one for all won't work, you have to repeat the process for each partition, whereas the encrypt hook only seems to be able to handle one partition. You can hack it, but I haven't done that (yet), it's already quite messy you have to hack the hook file to make it apply to non-root partitions.

  • Best way to increase root and home part sizes

    Just want to check what means to increase size of root and home. Here's the drive with them now:
    Device     Boot  Start  End    Blocks      Id  System
    /dev/sdc1  *     1      7649   61440561    7   HPFS/NTFS (xp)
    /dev/sdc2        7650   8865   9767520     83  Linux (root)
    /dev/sdc3        8866   12512  29294527+   83  Linux (home)
    /dev/sdc4        12513  60801  387881392+  5   Extended
    /dev/sdc5        12513  12998  3903763+    83  Linux (swap)
    /dev/sdc6        12999  60801  383977566   83  Linux (stuff)
    Everything is backed up and I have other drives to move the /dev/sdc6 over onto temporarily. I have burned GParted LiveCD but I have never used it, would I boot into it and basically see GParted and be able to delete/edit/etc. my partitions?
    Now here's where I get a bit confused: Will I have to delete root and/or home to increase their sizes? If so, what is the right way to copy root back over when I am done the partitioning? I have never copied a root back over onto the system. If I use something as simple as cp -pr, then from where would I do it? Would it be some console I can get into from the Arch LiveCD or something?
    Thanks for your help!

    jbromley wrote:
    If you move the sdc6 partition off of this drive to make space available, then gparted should be able to move and resize the remaining partitions to take advantage of the remaining space. This means that you shouldn't have to copy over your root and home partitions after the resize. Of course, you'll want backups of these partitions just in case.
    Your second question is good just for general knowledge. As mentioned above, you shouldn't have to do this. If you do need to copy over root/home the best way is to use some LiveCD to boot your machine. System Rescue CD and grml are two good rescue/admin type CDs, but I'll bet you can get to a console using the gparted live CD. Once your system is booted with some live CD, mount your root/home partitions and your backup copy and copy over the root/home partitions from your backup. Something as simple as cp -pr should work here. Once you're done copying, unmount the drives and reboot. When you reboot after resizing a partition you'll probably have to run fsck, but it shouldn't be a problem.
    It's all pretty straightforward. Note that resizing big partitions might take a long time. Oh yeah, be sure to back up your partitions before doing any of this.
    jbromley, you give quality answers. Furthermore, you could use your Arch install cd as the "rescue" disk. It has all the tools you need to mount your partitions and copy files. But you shouldn't have to do that if gparted works.

  • Arbitration mailboxes exist in root and child domains, which to delete?

    Hi,
    I discovered a problem with my Arbitration Mailboxes when setting up a Moderated Distribution group. The moderator wasn't receiving an email from Exchange advising that there was a message that needed to be approved or declined. A bit of digging in Message Tracking and the Event log (IDs 9214 & 9217) revealed that the email address for the MS Exchange Approval Assistant exists twice, in both our root and child domains.
    The question is which to delete, the account in root or child? All of the users are in the child domain so presumably it's the account in root which I should delete, but I'm not 100% sure.
    Any pointers very welcome.
    Cheers.

    Hi,
    Agree with Andy. The arbitration accounts are in the root domain by default. You should delete the account in child domain. Then you can use the Get-Mailbox -Arbitration | fl displayname command to check if you can get this system mailbox in child domain.
    If you can't get this system mailbox in the child domain, you need to run the following command, so that the scope of the search is changed to the forest level.
    Set-ADServerSettings –ViewEntireForest $true
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • What's def of field group and intermediate data set

    what's def of field group and intermediate data set

    The drawing panel cannot draw the figures, what's wrong?
    You can't have written this much code and then suddenly detected it doesn't work at all. You must now restart from the point where you had a working program. Then you add code in small increments and see to it that it works in each step and you understand why it works. This method is called stepwise refinement and it does wonders.

  • ASA7.0(2) CA Trustpoint Configuration with Root and Subordinate CA

    I'm trying to replicate a configuration that was done on my Con3015 to my ASA5520. I was given 2 CA certificates, a Root and a Subordinate, and was told to load both or it will not work.
    The ASA's use trustpoint configuration. I couldn't load both under one trustpoint so I created two trustpoints.
    After loading both CA certificates using file-based enrollment, which trustpoint do I create a PKCS#10 enrollment file against?
    Also, I don't understand how both trustpoints are associated. At the end I'd have 2 trustpoints (1 RootCA and 1 SubCA) but only 1 identity will be associate with 1 of the trustpoints.
    Is it necessary to add specific commands in the trustpoint configuration?
    Is it even necessary to have both CA certificates (Root and Sub CA) installed??

    Hello Aignacio,
    I have the same problem now. Did you find a solution? If yes, could you please send me the procedure to migrate from 3015 to ASA in terms of CA config?
    Thanks
    Dogan

  • Network Design - Root and Non root bridges

    Hi,
    We have a network set up as in the image below, where the switches have STP enabled to handle the multiple paths for the data to flow.
    What I would like to know is should the 2 bridges plugged into the same switch e.g Switch A (Bridge A and Bridge B) both be root bridges and (Bridge C and Bridge D) both be non root.
    Or should for example, Bridge A be a root and Bridge C a non root and Bridge B a non root and Bridge D the root?
    Similarly with the rest of the other bridges E, F, G and H
    Thanks

    Ah, I think I understand.  So the wireless bridges are "transparent" to the rest of the network.  They just convert wired to wireless and back again.
    If I have that right, we can ignore them and just consider your switches.
    In that case, it appears you have two L2 loops, those formed by the dual paths between switches A and B and between switches C and D.  From a topology standpoint, it doesn't seem to matter what switch you select as root and secondary root.  However, as switches B and C are the interior switches, I would suggest those as your root and secondary root switches.

  • Uploading of signed certificate Server certificate and Intermediate certifi

    Hello,
    We are implementing SSL for the first time on NW AS JAVA 7.0. I have received signed certificate from the CA.
    It contains Web server certificate and Intermediate certificate.
    I guess we import the web server CSR response. I am not sure what the intermediate certificate is, and they say it is mandatory.
    Can you please guide.
    Thanks.
    Siddhartha

    Sorry Here,
    Hope I understand this correctly.
    The Comodo Positive SSL is a Web certificate. Although I ask OD to use it, it didn't.
    Then Profile Manager expects a "code signing" certificate which is why all it saw was Open Directory's one.
    Francois

  • Fan running.. "kernel root" and "WindowServer"

    pllleeeeaassee help!!!
    my fan won't stop running, and when i go to activity monitor, the processes "kernel root" and "WindowServer" are both taking up almost 60% of my CPU each... i've already tried resetting the PMU and PRAM... but when i dont think the PMU is successfully resetting, because i always have the correct time and date when i boot up again..?
    what do i do???

    my bad.. the file name is "kernel_task", not kernel root... "root" is the user though
    i've repaired the permissions... also, i'm not running my computer from the adaptor alone, no battery... so the fan has quit running (since no battery) yet these two operations are still sucking the CPU like mad outta me.... what are they working so hard on? and how can i get them to stop?

  • 1242 as Root and Non Root

    Hi Everyone,
    I am setting up pair of 1242 APs as Root and Non-Root bridge, i am not able to find the Install Mode on the 1242 AP while setting the Non Root for Best signal.
    any help will be appreciated.
    HM

    Hi HM,
    AFAIK, we do not have the INSTALL mode on the 1242 AP if we are using it as ROOT and NONROOT.. this is available only on 1310 bridge or 1410 bridges.. not on 1242AP..
    lemme know if this answered your question..
    Regards
    Surendra
