SJSWS 7.0 CSRs and CERTs

Similar Messages

• CSR to Cert Authority not including SAN info.

  Hello,
  We have a Windows 2012 CA that we have enabled SAN certs on.  This has always work up to a few weeks ago.  Users would create a CSR and use the CA to generate the cert successfully but they would always be missing the SAN info.  Strange!
  How do I troubleshoot what is going on here?
  Thanks!
  Shawn

  Hi,
  Did you follow the below article to request a certificate with a SAN?
  How to Request a Certificate With a Custom Subject Alternative Name
  http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx
  For how to create SAN CSR for IIS web server, we may follow the below link
  http://techontip.wordpress.com/2011/06/06/how-to-create-a-san-certificate-signing-request-for-iis-web-server/
  Hope this helps.
  Regards,
  Yan Li
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  Regards, Yan Li

• How do we permit a trainee to sit together with a CSR and silent monitor?

  We are using a Cisco 7940 series phone.  I have two new hire CSR's coming soon.  I want them to be able to sit with an experienced CSR and silent monitor calls as they are taken, without using a speaker.  I can't find the solution to this anywhere.  Surely I'm not the first manager to want to do this!  Help!!!!!

  UPDATE:
  Our headsets are Plantronics, Model CS55.  They will  not sync up to one base station.  A "headset training adaptor" can be purchased, part# 03929-63, for $39.95, from several sources.  The adaptor is nothing more than the  "Y" adaptor I just purchased from Radio Shack.  However, it does have a mute button for each user.  Our headsets have mute buttons but, they beep every 15 seconds when on mute.
  I don't think the cost will put us out of business and sounds like the better answer.  I'm the newbie at this organization and am a little amazed they've trained using open speakers all this time.
  Thank you everyone for the ideas!

• I'm Having trouble with OWA and Certs after the Rollup 7 for SP3 installation. any idea? update 2961522-

  Hi, everyone.
  I'm Having trouble with OWA and Certs after the Rollup 7 for SP3 installation. any idea? update 2961522-
  after running get-OWAVirtualDirectory or test-OWAConnectivity i'm getting a message that says "OWA it's Orphan, No Metadata information can be found."
  I only have the OWA users impacted.- anywhere users, and ActiveSync are working well.-
  Thanks,
  Fabian Alberto Campo
  MCT-MCSA 2012-MCITP365-MCTS
  Fabián A. Campo H. Consultor tecnico @ IXO Ltda. MCT MCP MCTS MCSA HP-APS Cra. 67 No. 167 – 61 of 303 Bogotá, Colombia

  Hi Fabian,
  Is there any error code when user access their mailbox on OWA. Please confirm if there is no results returned in EMS when you run Get-OWAVirtualDirectory cmdlet. Also check whether there is any Event Logs related to OWA in Exchange.
  In IIS manager, make sure the OWA virtual directory is listed in the Default Web Site. In EMC, we can navigate to Server Configuration > Client Access, select server and turn to Outlook Web App tab. Then we can click Reset Virtual Directory in the right
  Actions pane to reset OWA virtual directory.
  Additionally, please restart IIS service by running iisreset /noforce from a Command Prompt window.
  Regards,
  Winnie Liang
  TechNet Community Support

• Redirect and cert

  I am working on setting up Lync 2013 in an environment that has multitenant Exchange running.  We have a HLB to handle the load balancing and certs.  Right now all exchange users no matter what domain they are in they are redirected to a single
  connection point on the HLB that uses a cert with only one domain name on it.
  I can not seem to get the Lync system to do the same.  any suggestions would be greatly appreciated.  Thanks in advance!!

  Hi,
  As I know, it is supported if your users want to sign in with one sip domain. You may need to get further information from your certificate provider.
  You can refer to the link of “Microsoft Lync Server 2013 Multitenant Hosting Pack Deployment Guide”:
  http://www.microsoft.com/en-in/download/details.aspx?id=39101
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Datasheets and certs of conformance

  Hi,
  I was wondering if anybody knows how I can get my hands on datasheets and certificates of conformance for spare parts? I've been searching online but to no avail, I've contacted HP helplines and customer services but again, to no avail. I'm looking for IEC, UL, CSA, RoHS and REACH certs of conformance, as well as a data sheet for the part 5066-1122. Its a universal external power adapter for multiple HP applications. It is a genuine HP spare part but when I request and look for this items, I just get passed from one customer services rep to the next.
  If anyone knows where I can get these, I'd really appreciate being informed.
  Thanks in advance folks.

  You should consider to use a certificate enrollment web services (which are intended for such scenarios):
  http://technet.microsoft.com/en-us/library/dd759209.aspx
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Wallet and Cert location with OHS in front of B2B

  Hi,
  I am trying to figure out how many and what types of Certs are needed as well as where the wallet should reside in the following scenario. We have a stand alone OHS in a public DMZ which is forwarding our inbound trading partner messages to the MidTier server which contains B2B. We have also configured B2B to use the public DMZ OHS as a proxy when sending outbound messages to the trading partners. The RosettaNet PIPs that we will be implementing require signing (non-repudiation), encryption and SSL.
  I assume that SSL must be enabled on the public DMZ OHS, but does it have to be enabled on the MidTier server as well? I believe that if we had to enable it on both servers, then different certs would be required for the different servers, but I am not sure.
  Also, we have to configure the outbound messages from our B2B with all of this (signing, encryption and SSL). Does this require a cert and wallet on the B2B server or on the OHS or both? I know that when configuring the trading partner within B2B, the cert must be accessed, but I am completely confused on if this is the cert that we use on OHS or something different.
  Thanks so much for any help you can provide!
  Darrin

  Hi Darrin,
  Certificates will be used at both OHS and Midtier. At OHS you are receiving incoming traffic so your server certificate should be there (in PKCS 12 format). From midtier, you are sending messages to your TP's (your Outbound), so your client certificate should be at Midtier at following location-
  Oracle_Home/Apache/Apache/conf/ssl.wlt/default
  At above location three files should be there-
  1. cwallet.sso
  2. ewallet.p12 (Your Client cert with all trading partners server cert public key in base 64 format including CA's cert as well)
  3 ewallet.txt (export of whole ewallet.p12 in ".txt" format)
  Give path of ewallet.txt in your tip.properties file.
  SSL would be enabled at both midtier and OHS, but if OHS is sending messages to midtier at HTTP port then do not enable transport security in your host tp's delivery channel.
  You have to upload certificates which will be used for siging and encryption at resepective tp's delivery channel.
  Wallets are used for client and server authentication and signing and encryption in outbound where as certs uploaded at tp's delivery channel are used for decrypting the incoming message as well as verifying the tp's signature in message.
  Regards,
  Anuj
  Edited by: Anuj Dwivedi on Feb 11, 2009 12:28 PM

• New Firefox ESR and certs

  Hi all: I downloaded and installed the newest Firefox ESR (31) this AM. I know that ZCM may not support this new version but I wanted to test it anyway. Right off Firefox refuses to load the ZCC website stating that the CA in untrusted. Gone in this new version of Firefox is the ability to bypass and load the CA anyhow. We use the internal ZCM CA rather than our external eDirectory CA. Should I change ZCM to use a new certificate minted by our eDir CA? If so, do I need to touch all the workstations in our zone?
  Thanks, Chris.

  What makes you think there is an issue about the ZCM Cert?
  It's more of a Firefox Bug Really, which fails to trust certs you have
  trueted that are self-signed vs using someone such as Verisign.
  This really impacts AD Certs, ZCM Certs, , eDir Certs, etc.. etc...
  In Short, There was a goof at Mozilla.....
  On 8/7/2014 8:26 AM, darryl82 wrote:
  >
  > I think that option will be disabled as of Firefox 33. is there a way to
  > fix the zenworks certs?
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Anyone else misled by Verizon CSRs and even insulted by one?

  @I tried to update to the lollipop OS.  It bricked my phone.  It powers up to an image of the dead android with a red triangle with a black exclamation point in the center, then it will turn itself off and back on to the dead android again.  I cannot find a direct line to speak to a customer service rep with Verizon.  I do not understand why a contact number is not given on the website.  I had to do an internet search for that information.  A refurbished phone is being sent as a replacement. 
  My father has Alzheimer's and if I am not with him, I have to be able to be contacted by the person caring for him.  This phone is useless.  I don't see this as an issue with Verizon, I see it as an issue with the phone and the phone manufacturer.  However, I have been given the runaround by customer service and they do not make it easy for their customers to contact them.
  I was told the replacement phone would be sent to me via overnight delivery.  It did not arrive and I checked the tracking number and it was actually sent via 2-day delivery service.  I was told that I might be able to get a loaner phone, based on my situation, from a local Verizon store while waiting for the replacement.  I was later told that no Verizon store in my area has a loaner phone available. 
  The representative on the chat-support line told me that Verizon no longer offered  loaner phones.  This contradicted what I had been told by multiple people, all day.  He then said that I should ask a friend if they have a spare phone that could be used.  He said that would be the best option for a temporary solution, but only if I had friends that liked me well enough to loan me their spare phone.
  This is the second time I have had to have a replacement phone sent to me.  I have a special needs family member and I cannot be without a phone.  His joke, though I see it as a joke and no personal malice was intended, was completely unprofessional and inappropriate.  I submitted the request for the chat transcript to be emailed to me, though the Verizon website.  I have not received the email of that transcript, either.  I remarked, in the closing survey, that I did not appreciate his remark and that it was in very poor taste.  I have not received any kind of reaction to my information given in that customer service survey.
  I switched from Sprint to Verizon for the coverage and what I thought was quality customer service.  Whether intentional or unintentional, I have been misled and insulted by the company with whom I had chosen to do business.  I can and will make the choice to take my business to its competitor, now.
  Does anyone know of an email address or link that I can use to get the details of my experience to someone at Verizon that can, at the very least, say the actions of their representative were not typical of their company?  I'm not trying to yell and scream until I get something for nothing.  My mind is made up.  I will take my business elsewhere.  I just do not feel that I should be insulted and treated in this manner because I am merely one of millions of customers and my business is not important to them.
  Can anyone point me in the right direction?

  nuno2112 wrote:
  I was told the replacement phone would be sent to me via overnight delivery.  It did not arrive and I checked the tracking number and it was actually sent via 2-day delivery service.  I was told that I might be able to get a loaner phone, based on my situation, from a local Verizon store while waiting for the replacement.  I was later told that no Verizon store in my area has a loaner phone available.
  The representative on the chat-support line told me that Verizon no longer offered  loaner phones.  This contradicted what I had been told by multiple people, all day.
  I don't see this as a contradiction. You were told you MIGHT be able to get a loaner phone, not that you WOULD be able to get a loaner phone. This made no mention of Verizon's policy one way or the other. Possibly some locations have local programs to provide loaners where others don't necessarily have them. If it was Verizon policy to give loaners, ALL locations would have them. It is possible Verizon leaves it up to the local manager/store for that decision to provide such a program. You very well may be able to get a loaner phone from a Verizon location.
  nuno2112 wrote:
  He then said that I should ask a friend if they have a spare phone that could be used.  He said that would be the best option for a temporary solution, but only if I had friends that liked me well enough to loan me their spare phone.
  This is the second time I have had to have a replacement phone sent to me.  I have a special needs family member and I cannot be without a phone.  His joke, though I see it as a joke and no personal malice was intended, was completely unprofessional and inappropriate.
  I don't see this as a joke, either, simply an attempt to help you out. I have loaned/given my old phones out to friends/relative MANY times in the past. I wouldn't necessarily give them out to just anyone, though, as I may actually need it in the future. What some see as a slight, other might not necessarily agree.

• Keystores and Certs etc

  Hi, we've got a webapp running in Tomcat. It makes a call (using HttpUrlConnection) to an external site using HTTP. We're getting this in the logs:
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetFrom what I've read, this is usually because the external site's public key isnt in the keystore. So, I've (hopefully) found the correct keystore and imported the public keys. But I still get the same error.
  So, I wrote some basic test programs, using HttpUrlConnection like this:
  URL url = new URL(address);
  HttpURLConnection conn = (HttpURLConnection)url.openConnection();
  conn.connect();and also for good measure using SSLSockets
  SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(host, port);I was expecting to see the same problem on my own PC here, but both connection methods work fine... I thought my code would fail until I manually imported the site's certificates into my keystore (I've been testing with HTTPS sites that my PC never seen before)
  Any ideas what could be causing the original exception if it's not a missing public key as I originally thought?
  Thanks

  Hi sdf_iain, and a warm welcome to the forums!
  I'm on Leopard at the moment, but in fact, the etc folder is an Alias here, and identical in content to the private/etc folder!

• Sign in authentication and cert questions!

  Hi guys,
  I have read this Lync 2010 article: http://blogs.technet.com/b/nexthop/archive/2012/11/28/lync-2010-client-authentication.aspx
  It states that for internal users one use kerberos v5, tls-dsk and ntlm v2, and for extenral users on use tls-dsk and ntlm v2.
  Once one have authenticated one will retrieve a certificate that is valid for 180 days.
  Now... is this valid for Lync client/server 2013 as well? or is there something new? I cannot find this information on technet...
  For the serverpart one use OAuth i guess?

  Hi,
  Yes, client-server authentication is the same with mechanism for Lync 2010.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• ISE 1.2 and WildCard Cert

  hello,
  i"ve found a great post from Aaron Woland about how to make/install/use Wildcard certificate.
  http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
  but there is something that was not answered by his post.
  Can i use WildCard cert to register node to an ISE deployement? Aka adding a Monitor only node to a admin only node
  create CSR, receiving Cert from CA, adding CA root, binding cert to CA root then exporting key, then importin on Mon node then try to register mon node? my first test didnt go well.
  Any input would be appreciated

  Basant,
  I agree with what you are saying but it seems that your statement contradicts the write up on the Cisco user guide for 1.2, there are no limitations and one of the benefits stated by the doc is that you can use wildcard certs as a cost saving measure which will allow you to install the cert on all ISE nodes.
  I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
  Also the true benefit of a wildcard cert is where the CN is *.domain.com, you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com, I do not think that is a cost effective wildcard cert since the CN has the fqdn of the ISE node.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
  Tarik Admani
  *Please rate helpful posts*

• Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)

  Hi,
  I would like to use corporate ssl certs for webview and reskill to avoid the user having to install the self signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforseen problems?
  My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
  For reskilling, I will assume I will have to do some command line stuff here ...
  eg: keytool -genkey -keyalg RSA -keystore hostname.key
  to create the key,
  keytool -certreq -keyalg RSA -keystore hostname.key -file hostname.csr
  to create the csr, and
  keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
  to import the new cert
  Suggestions or comments for anyone who has tried this before would be appreciated.
  Regards,
  Brian

  I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
  david

• Problem with Logic 8 and Ik Multimedia's CSR

  I am having a strange problem with Ik Multimedia's CSR and Logic 8. I installed CSR on my computer. It is listed in the Audio Units manager. For some reason, however, CSR is only showing up in one saved Logic project --- when I open up any other project or start a new project, CSR no longer shows up. I have trashed preferences, reloaded all AUs, etc... I am stumped. Any suggestions?

  Aside from having the proper version, make sure you are trying to open CSR onto a STEREO channel strip. Otherwise, it won't be available from the AU pull down menu.

• Using keytool to generate self signed cert. for Microsft Certificate Mrg.

  Hi All,
  I want to be able to generate a self signed certificate that I can Import into
  Microsoft's Certificate Manager, to enable an HTTPS Listener for
  Microsoft's WinRM and WinRS.
  The certificate would only be for internal use, not used externally.
  Here's the problem. I can create a certificate using this (path obscured):
  "C:\Program Files\.....\jre\bin\keytool" -genkey -al
  ias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c57803
  53" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files
  \......\jre\lib\keystore\.keystore" -storepass changeit
  "C:\Program Files\......\jre\bin\keytool" -export -alias dMob
  X -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -stor
  etype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.
  keystore" -storepass changeit -v
  Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
  Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
  The WS-Management service cannot find the certificate that was requested.
  If I use another tool, like selfssl, I can generate a self signed certificate using:
  selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
  This will populate a certificate in Trusted Root Certification Authorities,
  and when I run the command to create the HTTPS Listener, it succeeds with
  no problem.
  So my question is, am I doing something wrong with keytool, or are there
  extra steps that I need to take, or is it even capable of generating a "self signed
  certificate" that will work in the above case?
  There are some concepts involved, certificate wise, that I'm not sure about.
  Do I need to create a CSR and use a tool like openssl, as a CA, and
  use the resulting certificate?
  I just want to be able to programmatically create the needed certificate using keytool, or
  using an API.
  Thanks,

  Download the latest JDK on http://download.java.net/jdk7/binaries/.
  Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).