Root and Issuing Cert Enrolment

I have a 2012 2 tier PKI environment. Offline root CA and 4 Enterprise Issuing CA's. The offline root CA has been published to AD, the enterprise issuing CA's are in AD by virtue of being enterprise CA's. My question is how did the root cert and the issuing
CA's certs get into the local stores on each machine. Auto enrolment has not been configured on the computer OU's.
Is there a GPO in the default domain policy, or is there another mechanism that does this? certutil -pulse does an reenrolment for any pending certs (root and issuing included) what mechanism is this calling, ie.e what protocol is this using.
Thanks

Hi,
as soon you have published a root or intermediate ca certificate to AD the certs get distributed to all machines with the next gpupdate run. There is no actual GPO setting required for that. But there is a GPO setting so that you can distribute ca certs
from e.g. business partners to only a subset of machines.
Depending on you configuration autoenrollment triggers over API the pki client to request a new certificate over RPC/DCOM or HTTPS (not /certsrv !) (http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#How_Certificate_Enrollment_Web_Service_Differs_from_CA_Web_Enrollment)
Regards,
Lutz
it is not quite correct statement. Certificate publishing relies on autoenrollment/enrollment triggers. If there is no configured autoenrollment policy and no enrollment (manual) performed, the certificate will not be downloaded from Active Directory.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new:
SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

Similar Messages

[NameConstraintsExtension] not taking effect on Sub-CA request, nor Root-CA issued cert

I need to constrain the valid names for a child CA, and want this attribute visible in the certificate. I have placed the required entry in Policy.inf, and Capolicy.inf in both the Root and the Child CA, but I'm unable to get the .REQ file nor the
issued certificate to have the required constraint.
I have pasted in a full output of my INF files in the following Serverfault.com link
http://serverfault.com/q/576651/51457

Hi,
Will rebooting the server can make this.
And hope the below article could be useful:
Windows Server 2008 R2 CAPolicy.inf Syntax
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx
Regards,
Yan Li
Regards, Yan Li

Permissions error during Cross-Forest Cert enrollment

Hello,
When attempting to manually enroll for a Cert on a 2012 R2 server, I get the 'Certificate types are not available' msg with the 'You cannot request a cert at this time because no certificate types are available' msg. When I click the 'Show all templates'
box, all the cert types are shown with a Status: Unavailable and the msg 'The permissions on the certificate template do not allow the current user to enroll for this type of cert'.
In this instance, the CA infrastructure is in the Resource forest with the server attempting a cert enroll in the Account forest. Both Forests are 2008 R2 with a two-way Forest Trust. We followed all steps in the 'Cross-forest Certificate Enrollment
with Windows Server 2008 R2' doc published by Microsoft with no issues. The PKISync worked fine and we do see the Root and SubCA1 certs on the machine we are trying to manually enroll a cert on. We implemented all the steps to ensure this machine
receives a cert the same way machines in the Resource forest receive certs. We've validated the base Trust/Network infrastructure and all checks out. However, the Resource root forest and domain is all one and on the same domain controllers whereas
the Account forest has the classical Forest root with two separate domain controllers and then a child domain with a number of domain controllers. The child domain is where the server lives which we are trying to manually enroll a cert.
As a point of clarification, the server computer account was added to a Global Security group in the Account Forest. This group was added to a Domain Local Security group in the Resource Forest which has the Read/Enroll/AutoEnroll permissions on the
Cert Template.
Any suggestions on what could be causing the permissions errors?
Thanks for your help! SdeDot

Certificate Template permissions can never be assigned to a Domain Local group, only to Universal or Global groups.
The correct strategy in a multi-forest scenario is the following:
1) Create a universal group for the certificate template in the account forest (say
Accountdomain\pki-authcert-u)
2) Create a universal group for the certificate template in the resource forest (say Resourcedomain\pki-authcert-u)
3) Create multiple global groups in each domain in the account forest (if three domains in the forest, create three global groups - one in each domain). Then add the user accounts to the global group in the same domain)
4) Create multiple global groups in each domain in the resource forest (if three domains in the forest, create three global groups - one in each domain). Then add the user accounts to the global group in the same domain)
5) On the certificate template, assign the two universal groups Read, Enroll, (and Autoenroll) permissions. That is both Accountdomain\pki-authcert-u and Resourcedomain\pki-authcert-u
6) Run the pkisync.ps script again to replicate the new permissions
The reason you cannot use domain local groups is that the certificate template is stored in the Configuration naming context which is replicated to each domain in the forest (account or resource in your case).
A domain local group can only be used in the domain where the group exists (not good for PKI objects in the configuration NC.
Brian

CACs and DoD certs on Macs

I've got a user who's having some odd issues, and I'm told other users in our organization see similar issues, oddly, intermittently, inexplicably, etc. My user has a MacBook Pro running 10.7.5 with an SCR331 reader and she had PKard 1.2 That was working for her, and then it wasn't. She complained that she could no longer access CAC-enabled sites. There was an error about her certs being rejected as being signed by "Unknown" (I don't have the verbatim error here, she isn't available right now).
My first thought was, she needs the DoD root and intermediate certs added to her keychain. I'm used to HAVING to add them to Windows and Linux machines, but every time this comes up, the response is kind of a vague, "Oh, Macs don't need that, it'll 'just work' without them", and I just don't understand how that could be. But, she was able to use her CAC previously without the DoD certs.
Anyway, I did get them added, but that didn't help. I was able to log on to my profile and use my CAC just fine. I had someone else help me (I'm new to OS X), and he wound up uninstalling PKard and installing OpenSC 0.12, and his CAC started working in her profile. But she couldn't use hers, so I created her a new profile, and she could use her CAC again, for a few days. Now she can't any more. I was discussing this with someone else, who says, "Oh, this is a known issue, it happens all the time, we haven't been able to find a particular solution that works, etc."
I was just poking around in my keychain a little to see what I could see. One thing I notice is, DOD CA-30, for example (which is the CA that signed the certs on my CAC) has a red warning, "This certificate has an invalid issuer". The issuer is "DoD Root CA 2", and that certificate shows up with a green "This certificate is valid". So I'm a little puzzled there. My CAC works just fine on this machine (also 10.7.5, and I'm using PKard 1.2)
I'm sure my overarching question probably has several possibly mostly-unrelated parts to it. I'm not a huge PKI expert, and I'm no Mac expert. It seems very possible that there are facets of PKI in general, or as implemented by DoD, that I'm lacking, as well as details about how Apple implements PKI. So, my ears are open to any suggestions, possibilities, etc.

I suggest you contact the makers of PKard and ask them.
I am using the open-source Smart Card Service (http://smartcardservices.macosforge.org) on Mountain Lion and it was pretty much plug-and-play.

ASA7.0(2) CA Trustpoint Configuration with Root and Subordinate CA

I'm trying to replicate a configuration that was done on my Con3015 to my ASA5520. I was given 2 CA certificate's: A Root and Subordinate and was told to load both or it will not work.
The ASA's use trustpoint configuration. I couldn't load both under one trustpoint so I created two trustpoints.
After loading both CA certificates using file-based enrollment, which trustpoint do I create a PKCS#10 enrollment file against?
Also, I don't understand how both trustpoints are associated. At the end I'd have 2 trustpoints (1 RootCA and 1 SubCA) but only 1 identity will be associate with 1 of the trustpoints.
Is it necessary to add specific commands in the trustpoint configuration?
Is it even necessary to have both CA certificates (Root and Sub CA) installed??

Hello Aignacio,
I have the same problem now. Did you find an solution. If yes could you please send me the prosedure for migrate from 3015 to asa in terms of ca config
Thanks
Dogan

Does root and CA certificate both are same?

Hi All,
Can anyone help us in understanding root and ca cet are same?
keytool -genkey -alias kumar-keyalg RSA -keystore keystore.jks(created keystore)
keytool -certreq -alias "kumar" -keystore keystore.jks -file domain.csr(Created CSR)
keytool -import -trustcacerts -kumar -file Thawte.crt -keystore keystore.jks
Afte this we are facing an error "Failed to establish chain from reply"
Next i m goint to do this
keytool -import -trustcacerts -alias kumar -file mytrustedcert.crt -keystore keystore.jks
Please help me why i am getting error
Please check the alias clearly( do we need to use the only same)
Regards
vasu

Hi Vasu,
You need to use same alias while creating private key in keystore(keytool -genkey), creating a certificate request(keytool -certreq) and importing the signed certificate (sent by CA) (keytool -import) to keystore.
According to you if we create a differerent alias while importing a CA and signed cer(ex: alias a for CA cert and alias b for signed cert) then which alias will be providing at host tp..?You should use alias b (signed cert alias or private key alias)
if they has given only one cert then wat we will share with trading partnes?You should share the public cert of your corresponding private key.
we submitted csr to out cert team and they has given only one cert which includes CA, is this enough or do we need to ask for other certificate also?Your cert team should provide you one signed certificate and one (or two) CA certificates. You should first import CA certs (root and intermediate CA) and then import the signed CSR.
Regards,
Anuj

Root and Intermediate Certifcate

I have a probleme with installing a Certificate into the ASA. I have followed the following link http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml but I keep getting a error bij installing the certificate that I received from my 3rd Party CA Vendor.
I have followed the instructions 5 times and I still get the error ERROR: Failed to parse or verify imported certificate or Certificate does not contain general purpose public key. I think that reason why I am getting this error is because of my certificate needs a root and intermerdiate certificate.
The certificate I want to install is Comodo PositiveSSL. So can anyone help me how I can solve this problem?

I have checked the certiticate on my computer after I installed the root and intermediate certificate and certificate looks perfect.
I get tehe errors after I installed the root or intermediate certificate. So the questionnis how can I install a root and intermediate ceritficate.
The certificate is based on CSR.
Sent from Cisco Technical Support iPad App
heck if you can decode it with SSL before you jump to conclusions.
Are you installing identity or SA/subCA certs? Is the cert based on a CSR or pre-genrated by CA?

Default acl permissions for root and user?

after running permissions i keep getting acl permissions changed and will repair. Apparently it doesn't. Is their a manual way of resetting to defaults for both root and user.

Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
<SNIP>
Solution found athttp://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
After much head scratching it turns out to be a sACL (Service Access Control List) issue.
This thread solved the mystery!
http://discussions.apple.com/thread.jspa?threadID=1654864
To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
Open Server Admin on a computer (any), and connect with the local admin to the machine.
Select the server and authenticate.
Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
Save.
Try logging in again… should be a good one!
</SNIP>

Grid Install root.sh issues

Hi,
i try to install the Grid 11.2.0.3 on a SLES 11 Pathlevel 1.
I get the following error during the root.sh execution on node1.
./root.sh
Performing root user operation for Oracle 11g
The following environment variables are set as:
    ORACLE_OWNER= oracle
    ORACLE_HOME= /pro/app/11.2.0/grid
Enter the full pathname of the local bin directory: [/usr/local/bin]:
The contents of "dbhome" have not changed. No need to overwrite.
The contents of "oraenv" have not changed. No need to overwrite.
The contents of "coraenv" have not changed. No need to overwrite.
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root script.
Now product-specific root actions will be performed.
Using configuration parameter file: /pro/app/11.2.0/grid/crs/install/crsconfig_params
Can't use string ("") as a subroutine ref while "strict refs" in use at /pro/app/11.2.0/grid/crs/install/crsconfig_lib.pm line 12127.
/pro/app/11.2.0/grid/perl/bin/perl -I/pro/app/11.2.0/grid/perl/lib -I/pro/app/11.2.0/grid/crs/install /pro/app/11.2.0/grid/crs/install/rootcrs.pl execution failedEvery search via google and in this forum was not helpful.
So, if anyone can point me in the right direction i will be very thankfully.
Joerg
Because of the mentioned configuration file crsconfig_params i put the relevant part of it on the end of this post:
SILENT=false
ORACLE_OWNER=oracle
ORA_DBA_GROUP=oinstall
ORA_ASM_GROUP=oinstall
LANGUAGE_ID=AMERICAN_AMERICA.AL32UTF8
TZ=Europe/Berlin
ISROLLING=true
REUSEDG=false
ASM_AU_SIZE=1
USER_IGNORED_PREREQ=true
ORACLE_HOME=/pro/app/11.2.0/grid
ORACLE_BASE=/pro/app/oracle
OLD_CRS_HOME=
JREDIR=/pro/app/11.2.0/grid/jdk/jre/
JLIBDIR=/pro/app/11.2.0/grid/jlib
VNDR_CLUSTER=false
OCR_LOCATIONS=NO_VAL
CLUSTER_NAME=gebh
HOST_NAME_LIST=node1,node2
NODE_NAME_LIST=node1,node2
PRIVATE_NAME_LIST=
VOTING_DISKS=NO_VAL
#VF_DISCOVERY_STRING=%s_vfdiscoverystring%
ASM_UPGRADE=false
ASM_SPFILE=
ASM_DISK_GROUP=DG_OCR
ASM_DISCOVERY_STRING=
ASM_DISKS=ORCL:OCR1_1,ORCL:OCR1_2,ORCL:OCR1_3,ORCL:OCR2_1,ORCL:OCR2_2,ORCL:OCR2_3
ASM_REDUNDANCY=NORMAL
CRS_STORAGE_OPTION=1
CSS_LEASEDURATION=400
CRS_NODEVIPS='node1-vip/255.255.0.0/bond0,node2-vip/255.255.0.0/bond0'
NODELIST=node1,node2
NETWORKS="bond0"/10.1.0.0:public,"bond1"/192.168.177.0:cluster_interconnect
SCAN_NAME=gebh-scan.gebh-rac.de
SCAN_PORT=1521
GPNP_PA=
OCFS_CONFIG=
# GNS consts
GNS_CONF=false
GNS_ADDR_LIST=
GNS_DOMAIN_LIST=
GNS_ALLOW_NET_LIST=
GNS_DENY_NET_LIST=
GNS_DENY_ITF_LIST=
#### Required by OUI add node
NEW_HOST_NAME_LIST=
NEW_NODE_NAME_LIST=
NEW_PRIVATE_NAME_LIST=
NEW_NODEVIPS='node1-vip/255.255.0.0/bond0,node2-vip/255.255.0.0/bond0'
############### OCR constants
# GPNPCONFIGDIR is handled differently in dev (T_HAS_WORK for all)
# GPNPGCONFIGDIR in dev expands to T_HAS_WORK_GLOBAL
GPNPCONFIGDIR=$ORACLE_HOME
GPNPGCONFIGDIR=$ORACLE_HOME
OCRLOC=
OLRLOC=
OCRID=
CLUSTER_GUID=
CLSCFG_MISSCOUNT=
#### IPD/OS
CRFHOME="/pro/app/11.2.0/grid"

Hi,
I could not identify what is your problem with information wich you provided.
But I belive it's permission issue, because the error is raised when he try create some directory
2012-01-31 12:07:30: 6: crsconfig_lib   crsconfig_lib.pm     11749 File::Path::mkpathIf its a new installation try remove /etc/oracle and re-run root.sh if it's a upgrade check permission and contents of files olr.loc under /etc/oracle.
The permission of /etc/oracle must be chmod 755 and chown root:root
A root.sh script can error out and/or fail under one of the following conditions:
- Problem with the network configuration.
- Problem with the storage location for the OCR and/or voting files.
- Permission problem with/var/tmp (specifically /var/tmp/.oracle).
- Some other configuration issue.
- An Oracle bug.
Most configuration issues should be detectable by running the Cluster Verification Utility with the following syntax (input the nodelist):
cd <GRID_HOME>/bin
./cluvfy stage -pre crsinst -n <nodelist> -r 11gR2 -verboseI suggest you read the tech note below.
Troubleshooting 11.2 Grid Infastructure Installation Root.sh Issues [ID 1053970.1]
Regards,
Levi Pereira
Edited by: Levi Pereira on Feb 1, 2012 12:32 AM

Plymouth graphical boot, encrypted root, and systemd...

I'm having some difficulty getting Plymouth working with an encrypted root, and, systemd in the initramfs. I had identical issues getting Plymouth working without systemd in the initramfs, so that doesn't seem to be the issue.
I installed plymouth-git from the AUR. I similarly tried this with the non-git AUR package as well, with no different results. While trying to use the non-git package, I used the sd-plymouth mkinitcpio module from Celti's Github (He maintain's the -git AUR package), as posted in the comments. This enables support for systemd support inside the initramfs for plymouth, through using the sd-plymouth hook in place of the normal plymouth flag. When using the normal plymouth flag, and base + udev in place of systemd in my hooks, the same thing happens, so it seems unlikely to be the systemd implementation.
Anyhoo, when using plymouth and plymouth-encrypt in my hooks, I never get asked for a password to decrypt the root volume. It just presents the splash, and, that's all I ever see. After a couple of minutes, it dumps me to a black screen.
The contents of my /etc/mkinitcpio.conf file
MODULES=""
BINARIES=""
FILES=""
HOOKS="systemd sd-plymouth autodetect modconf block keyboard plymouth-encrypt filesystems fsck"
COMPRESSION="gzip"
COMPRESSION_OPTIONS=""
I use rEFInd, not grub or gummiboot, and my kernel options are as follows:
rd.luks.name=945737e7-94a0-49a0-b1ab-b51cb497ec4a=root root=/dev/mapper/root initrd=intel-ucode.img initrd=initramfs-linux.img rw nomodeset add_efi_memmap quiet splash
When booting, I'm greeted with my rEFInd GUI, it drops to a black screen for a fraction of a second, and loads Plymouth, and, sits there for about 90 seconds before dumping me to a black screen. When I type something on the keyboard, it shows up in the console, on top of the splash screen. It's almost as if plymouth isn't hooking the input. It fails to ask for a password or decrypt my root, too. I do notice when not using sd-plymouth, the splash logo appears to have an input box as if it at least knows it's attempting to decrypt it, but again, the input fails to go into the splash screen, but shows up (in cleartext) in the console at the top corner.
Suggestions would be appreciated.

Without hacking the encrypt hook, you'll only be able to unlock one volume at the same time. Afaik the device mapper asks for a password for each encrypted partition, and using one for all won't work, you have to repeat the process for each partition, whereas the encrypt hook only seems to be able to handle one partition. You can hack it, but I haven't done that (yet), it's already quite messy you have to hack the hook file to make it apply to non-root partitions.

PROBLEM: Filemaker Server is ROOT and ROOT can't see mounted shares

We have Filemaker server 8 running on our machine and have found a silly problem. Filemaker has a built in tool to backup databases. Databases can be backed path can be over the network by typing:
filemac:/[volume]/[path]
Unfortunately, the process "Filemaker" is owned by ROOT, while the server (another OSX server) is owned by the user "filemaker". In theory ROOT is god, and can do anything, but for some reason ROOT doesn't appear to be able to get to shares owned by a user on the machine. Can anyone help me with any of the following potential sollutions?
1) Mount a share on startup as ROOT
2) Allow ROOT read/write to shares that other users have mounted
3) Change "ownership" of the "Filemaker" proccess to be a user (instead of ROOT)
Worse case I could back up the files locally, and then create an applescript to PUSH the files where they're supposed to live, but that feels like one more thing that could go wrong to me, and I like to have as few moving parts as possible.
Thanks in advance

This is incorrect, Filmaker Server is not "ROOT" and you probably won't have much satisfaction pursuing your line of thinking.
ps -aux | grep -i filemaker
fmserver 457 3.0 -2.5 186340 53236 ?? Ss 19Mar06 316:56.83 /Library/FileMaker Server/Tools/fmserverd
fmserver 431 1.1 -0.4 93736 8576 ?? Ss 19Mar06 179:51.17 /Library/FileMaker Server/Tools/fmserver_helperd
I think you may be confusing the parent process with posix user/group permissions. Yes, the parent process of many running processes will show as "root", because the initial process that launches others runs as/belongs to root.
the "root" user in *nix has full permissions and can see mounted shares. You may have some other issues due to misconfiguration, sorry.
Just in case you are doing so, no matter what anyone tells you anywhere, it is not a good idea to log in as "root" via the GUI (when the server finishes booting and asks for a username and password).
One should not do this for a number of reasons.
As for your FM Server problem, I've done two migrations/updates to FM 8 server & client quite recently.
The installation creates a new system user and group, which you will not see without selecting the "show system users" in Workgroup Manager.
The user (ie: owner) is (shortname) fmserver , and the group is fmsadmin
FM Server stores the working databases in /Library/FileMaker Server
and that "FileMaker Server" directory is owned by fmserver:fmsadmin
You should not change that or FM won't run properly, if at all.
You can point to whatever directory you wish, using FM Server's built-in backup automation.
What is probably throwing you off, is that, unless you put a trailing slash at the end of the path you enter (in the dialog for the FM Server built-in backup routine), it will tell you:
"invalid path"

Report for Req Material and Issue Material for Project/WBS

Dear All,
My client need a report for a WBS element-wise material required and material issue with value.
Let me know if any standard report avialble for same??
Or Incase of devlopment which are the tables we can use to Get req qty and issue qty of materials?
Thanks and Regards,
Atul R. Rajmane

Dear Shirkant,
Thanks for your input. I am using CN52N report.
I this I have selected Req Qty, Qty Received, Qty Withdrawn, Shortfall Qty. I am getting figures in Req Qty, Qty Withdrawn, Shortfall Qty but I am not able to get Qty Received figure. Let me know how I can get it i.e. for this any Note is required or any other configuration??
If I can get this figure than I can use this report for requirement.
Thanks and Regards,
Atul R. Rajmane

In my Macbook Pro, on a few occassions, the apple menu bar blacks out. its displayed as a negative image. The desktop wallpaper get greyed out and i get a blank screen as wallpaper. No idea why this happens. I reset the system and issue gets resolved.

In my Macbook Pro, on a few occassions, the apple menu bar blacks out. its displayed as a negative image. The desktop wallpaper get greyed out and i get a blank screen as wallpaper. No idea why this happens. I reset the system and issue gets resolved.

AshwinVC wrote:
I reset the system and issue gets resolved.
How?

Material wise reciept and Issue report with Opening and Closing Stock

Hi
I need a report,Material wise Receipt and issue with Opening and Closing stock.Is there any standard report available in SAP ?
Or we have to go for Customised Report.
Please reply

Hi,
MB5B gives total receipts - if i click on the receipts i can view the multiple material documents - BUT is there any way to drill down the reciepts or view the breakup of the receipts on the same screen OR is there any other report for this.
Regards,
Laxmi

Opening closing stock receipts and issues analysis

Hi,
Is it possible to match the values in the MC.A (Total Receipts and Issues Values) to Gl Accounts,
If it is possible How?

Hi,
from within the MC.A there is a link directly to the accounting documents that are involved.
Go to the menu option Extras > accounting doc for material when you have the data for a material displayed.
By careful and make sure that you have selected the correct flag on the values window of the initial selection screen.
Steve B

Root and Issuing Cert Enrolment

Similar Messages

Maybe you are looking for