[Solved] Generating User Certificate Programmatically

I have a requirement to automatically generate a user certificate when a new user is created (via a custom form). Is it possible to do this with OCA? How? Are there any alternatives?
Thanks,
Brian

Couldn't find a way to do this. Our solution was to email the new user with a hyperlink to OCA where they can request and download their certificate.

Similar Messages

  • Problem Generating a certificate request

    I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM.  I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error.  This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    I am using this command....  certreq -new request.inf request.req
    After hitting enter, it sits there for about 10 seconds and gives me this error back...
    Certificate Request Processor: Access is denied.  0x80070005 (WIN32: 5)
    [RequestAttributes]
    I have searched on this error and have not found much of anything on it.  This process seems to work fine on other servers that I have, but these two servers both generate this error.  Both servers are clean builds and only have ADAM installed on them.  I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message. 
    Anyone have any ideas?
    Thanks!

    Hello Bryan,
    First of all, please make sure that the CA certificate is added to the Trusted Root certificate store on the servers. If certificate web enrollment is enabled, please check how a certificate request works on the two servers that generate the error.
    Meanwhile, please verify the security permission on the MachineKeys directory:
    1.    Open Windows Explorer, and find the MachineKeys directory in the following location:
    Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
    2.    Right-click the directory, and click Properties.
    3.    Click the Security tab, and ensure that the full control permission for the Administrators
    How to: Change the Security Permissions for the MachineKeys Directory
    http://msdn.microsoft.com/en-us/library/bb909654.aspx
    Hope it helps.

  • CProjects approval error - Signature not possible : no user certificate ex

    When I try to approve the phase in cProjects I get an error which says
    "Signature not possible : no user certificate exist".
    Where exactly do we maintain this certificate, because I am not able to change the decision for phase approval.
    I have maintained the person responsible for the project role via Organizational mgmt. in the PPOCE and BP transactions. I have also specified the personnel number and user in the identification tab in the BP tcode.
    Please reply asap,
    Pratik.

    The issue is solved.
    1. Specify Personnel number - BP transaction
    2. Specify user name - BP transaction
    Additions made :-
    Specified external reference number - BP transaction
    Also made changes in Phase type settings related to approval where couple of statuses were changed.
    Regards;
    Pratik

  • Configure WLan for user certificate authentication

    I have windows CA and NPS (radius server).
    I want wireless clients / devices to use Active Directory user certificates (generated by the AD CA) to authenticate and encrypt to the wireless WLAN.
    I have set up the WLAN as [WPA2][Auth(802.1X)], pointing to the Radius server (Windows NPS).
    My test notebook PC has ca.cer and the username certificate installed in the trusted and personal stores, and the wireless profile is configured as "Microsoft: smart card or other certificate".
    However, when I try to connect, it fails, and Wireshark on the NPS shows no traffic on port 1812.
    Could someone please help me look for anything wrong in the WLC settings?
    Thanks.
    GPING

    Hi, Scott,
    My WLC setting: SSID-Test, WPA2 802.1x, AES, Radius server overwrite interface "ticked", Server1 - x.x.x.x port 1812,
    Local EAP auth - Enabled and profile = "Peap"
    On my NPS, I got 2 policies (enabled only one of them for test).
    NPS-Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", User group ="test users".
    On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft PEAP" with ca.cer installed and ticked . When "connect", I got connected with login user credential.
    NPS-Policy 2: Auth method = "Microsoft Smart card or other certificate" -> wireless server certificate"
    On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft Smart card or other certificate". Choose "use a certificate on this computer". (I have one user certificate installed on Personal store). Also ticked "Validate server certificate" and ticked the ca.cer which was installed. When "connect" I failed.
    I tried some other combinations, like TKIP instead of AES, but I got "The settings saved on this computer for the network do not match the requirements of the network" - really frustrated.
    Could you please point out where I went wrong?
    Thanks
    GPING

  • Creating user accounts programmatically

    Hi,
    We would like to perform few activities programmatically in Azure as follows:
    1) Like to know the approach or APIs available to create the user accounts programmatically
    2) Also would like to know how to access the pricing model of the Azure cloud component programmatically
    Please help us at the earliest to the APIs/ways we requested.
    Thanks,
    Sathish Kumar.K

    Hi
    What does the user account mean here?
    Co-admin or Storage account?
    I wrote a blog about how to manage Azure programmatically here.
    You can use those class libraries to do that.
    If you have any further questions, please let me know.
    For the second question:
    From memory, there isn't any billing API for developers; you can only get the info from the portal.

  • Anyconnect 3.1 and user certificate-based authentication

    Hi experts,
    I'm trying to test a basic full tunnel VPN connection from Anyconnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
    Steps I took:
    1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and into Cisco ASA
    2) I generated a certificate signing request on the W7 client, got that signed by W2008 CA and imported the signed certificate into W7. Both user certificate and root CA are in the personal certificate store
    3) On ASA, I've also generated a certificate signing request, got that signed by W2008 CA and imported the signed certificate back in ASA
    I then used ASDM to configure ASA to support Anyconnect on its untrust interface.
    When I use Anyconnect on the W7 client to connect to ASA, I got "No valid certificates available for authentication" and "certificate validation failure" messages as seen in the below screenshot
    I can confirm that both user and root CA certificate exist in the personal certificate store
    The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA> since I don't have a DNS setup in place.
    Can anyone suggest what could be wrong with my setup?

    Problem has been fixed by using IP address instead of hostname in the Anyconnect Client profile, since I don't have a DNS setup in my environment.
    Once that is done I was able to connect and authenticate using user certificates.
    ASA1# sh vpn-sessiondb detail anycon
    Session Type: AnyConnect Detailed
    Username     : cisco                  Index        : 2
    Assigned IP  : 10.5.1.100             Public IP    : 10.3.1.10
    Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
    License      : AnyConnect Premium
    Encryption   : AES256                 Hashing      : none SHA1
    Bytes Tx     : 0                      Bytes Rx     : 30758
    Pkts Tx      : 0                      Pkts Rx      : 195
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : GroupPolicy_VPN-CP1    Tunnel Group : VPN-CP1
    Login Time   : 06:40:49 UTC Wed Feb 19 2014
    Duration     : 0h:07m:38s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    IKEv2 Tunnels: 1
    IPsecOverNatT Tunnels: 1
    AnyConnect-Parent Tunnels: 1
    AnyConnect-Parent:
      Tunnel ID    : 2.1
      Public IP    : 10.3.1.10
      Encryption   : none                   Auth Mode    : Certificate
      Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
      Client Type  : AnyConnect
      Client Ver   : 3.1.05152
    IKEv2:
      Tunnel ID    : 2.2
      UDP Src Port : 50530                  UDP Dst Port : 4500
      Rem Auth Mode: Certificate
      Loc Auth Mode: rsaCertificate
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 85941 Seconds
      PRF          : SHA1                   D/H Group    : 5
      Filter Name  :
      Client OS    : Windows
    IPsecOverNatT:
      Tunnel ID    : 2.3
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.5.1.100/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28341 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607970 K-Bytes
      Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
      Bytes Tx     : 0                      Bytes Rx     : 31218
      Pkts Tx      : 0                      Pkts Rx      : 196
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 459 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :

  • Problem loading/storing user certificate on 6230

    I have generated a certificate using keytool and have signed my midlet using the same certificate. I then sent the certificate via IR to my Nokia 6230. The phone receives it but says unknown format. Any suggestions on how to send the certificate to the phone?
    The midlet loaded can't be started - the error message is "No Valid Certificate" - which I guess is correct since I haven't loaded the certificate to the phone.
    On the phone, under services->settings->security settings there is a User Certificates and an Authority Certificates entry. I presume that when I eventually succeed in getting the certificate loaded on the phone it will show up under User Certificates. Is this a good assumption?
    thanks in advance,
    anish

    Hi Prateek,
    Thanks for the reply. I have got my certificate signed by the CA. The problem is importing the client certificate into the Trusted CAs.
    When I try to import the client certificate into TrustedCA using the load button, after selecting the certificate a pop-up comes up and asks for the password.
    I tried with two different certificates and this happens only to the one which has a digital signature. I have asked the customer who sends the request and they are saying there is no such password.
    Any help or suggestions would be appreciated.
    Thanks,
    Srini

  • Is there a way to generate server certificates in a multi-controller environment?

    Q: Is there a way to generate server certificates in a multi-controller environment? 
    A: 1.  For PEAP, only the Radius Server needs a certificate, not the controller.  Managing a certificate for each controller for 802.1x when you can  alternatively manage a single certificate for each radius server is a mistake.
    2.  For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust.  That could either involve (1) A  different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)
    Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below:  Of course, you will have to pay for each SAN that you have added to the certificate.  If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.
    A document on certificates that is specifically geared toward ClearPass, instead of controllers is here:  Certificates 101 V1.0  It speaks to certificates on ClearPass, but the concepts are the same...
    Solution:-
    We can use the ClearPass server to generate the CSR, where the CN is named after the 1st controller and which includes all the Subject Alternate Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover). This allows the private key to be saved/exported as a file.
    After submitting the CSR for a UCC and after receiving the cert,  then proceed to chain the cert to include server, all intermediate and root CAs.  Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:
    sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
    Once this has generated a PFX cert, upload it to all controllers and use it under Configuration > Management > General for both “WebUI Management Authentication Method” as well as “Captive Portal Certificate” (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).
    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANs
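
The procedure described above (one CSR whose CN is the first controller and whose SAN lists every controller, a chained certificate, then the PFX export) as an added shell example that is not part of the original post. The controller hostnames and the passphrase are constructed, and a throwaway local CA stands in for the public CA that would sign the CSR, so the chain here has no intermediates.

```shell
#!/bin/sh
# Added example. Hostnames and the passphrase are constructed; a throwaway
# local CA stands in for the public CA that would sign the CSR.
set -eu
umask 077   # key material and the PFX are created owner-only

CONTROLLERS="wlc1.example.test wlc2.example.test wlc3.example.test wlc4.example.test master.example.test"
PFX_PASS="constructed-passphrase"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file: CN = first controller, every controller FQDN as a SAN.
write_conf() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "${CONTROLLERS%% *}"
        printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\n'
        printf '[v3_req]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for h in $CONTROLLERS; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$WORK/req.conf"
}

# CSR -> signed certificate -> chained PEM -> PFX, all inside $WORK.
build_pfx() (
    write_conf
    cd "$WORK"
    # Stand-in CA (constructed); in production the CSR goes to the real CA.
    openssl req -x509 -newkey rsa:2048 -nodes -config req.conf -extensions v3_ca \
        -subj '/CN=Constructed Test CA' -keyout ca.key -out ca.pem -days 30 2>/dev/null
    # Key and CSR for the controllers; the private key stays in privateKey.key.
    openssl req -new -newkey rsa:2048 -nodes -config req.conf \
        -keyout privateKey.key -out controller.csr 2>/dev/null
    # The CA has to carry the requested SANs into the issued certificate.
    openssl x509 -req -in controller.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile req.conf -extensions v3_req -days 30 -out certificate.crt 2>/dev/null
    # Chain order: server certificate first, then the issuing CA(s), root last.
    cat certificate.crt ca.pem > certificate.pem
    # Same export as in the post, with the passphrase supplied non-interactively.
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
        -in certificate.pem -passout "pass:$PFX_PASS"
)

# Number of DNS entries in a certificate's Subject Alternative Name.
san_count() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -c 'DNS:'
}

# Succeeds only if the certificate's public key belongs to the key file.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Number of certificates carried inside the PFX (leaf plus chain).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

build_pfx
echo "SANs in issued certificate: $(san_count "$WORK/certificate.crt")"
echo "certificates in PFX:        $(pfx_cert_count "$WORK/certificate.pfx")"
key_matches "$WORK/certificate.crt" "$WORK/privateKey.key" && echo "private key matches certificate"
```

Because every controller ends up holding the same private key, certificate.pfx and its passphrase need the same protection as privateKey.key itself.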

    Sorry I'm still confused here.  What you are describing makes no sense for properly using TestStand.
    Maybe I can help you find the right solution if I can understand your goal?
    Do you want to dynamically populate the variables (Locals and FileGlobals) with values?  Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
    Generally what happens is people want an ASCII file (in your case I'm guessing CVS) such that they can change the values of variables so that when TS is executing it will load those values and use them.  In this case NI recommends the Property Loader.  There is an example for this in <TestStand>\Examples.  Open the workspace and look for the PropertyLoader example.  Also, if you google "property loader teststand" then you will find various articles which may assist you.
    When you say "define the variables for the sequence/sequence file"  Are you actually referring to manually right clicking in the sequence file and saying Insert Local?  or are you just saying that you change the value of a variable?
    Thanks,
    jigg
    CTA, CLA
    teststandhelp.com
    ~Will work for kudos and/or BBQ~

  • How to renew the Java Keytool Digital Certificate programmatically?

    Hi,
    I created the self-signed digital certificate programmatically. My certificate has expired. I want to renew the digital certificate programmatically.
    If anyone has an idea how to renew the certificate, please share it with me.
    Thank you

    Whenever we want to renew the certificate, we have to create a new keystore file and a new certificate file.
    NO
    Absolutely not.
    I've just told you that.
    Instead of creating a new certificate/keystore file, is it possible to update the 'valid from' and 'valid to' dates alone in the old keystore file?
    I've just answered that as well. I don't know what code you executed to generate the original certificate but you have to repeat the part that signed it.

  • Unable to import the user certificate into the Oracle Wallet Manager

    Hi,
    I am configuring the External Authentication plugin using the password filters.
    I am using version 10.1.0.5.0 of Oracle Wallet Manager.
    In order to do that I am enabling the SSL mode.
    To enable the SSL mode I followed some steps in OWM and the OCA admin and user console.
    When I approved a certificate as admin and imported it into Oracle Wallet Manager, I got this error:
    User Certificate Installation failed.
    Possible errors:
    - Input was not a valid certificate
    - No matching certificate request found
    - CA certificate needed for certificate chain not found.
    Please install it first
    Can anyone help me resolve this problem?

    Hi,
    Thanks for your reply, Pramod.
    I tried to import the two certificate files (rootca.crt and server.crt), but I got the same error.
    What may be the problem?

  • E-Recruiting generated user names

    We want to change the format of generated user names (for internal candidates). By default, if they don't already have a user name in IT0105 a user name gets generated in the format of EEXXXXXXXX where XXXXXXXX is their personnel number.
    The data is coming from the HR system to the E-Recruiting system by means of ALE. Other than inserting an 0105 record with desired user name in the IDoc is there any other way of changing the format of the generated user name?
    Thanks

    Hello Rich,
    there is no easy customizing / configuration way to replace the algorithm for the user name.
    Still there are different approaches to do this other than rewriting the IDoc and adding a line. As the whole processing is a BAdI implementation you could replace it entirely by a customer implementation. This would be modification / enhancement free but as it is a quite large implementation it could be troublesome to keep track of changes / corrections SAP makes in the standard coding.
    Another way is the enhancement / modification of the coding as suggested above.
    There is also another BAdI which is called in the implementation itself (following a basic design rule there should always be one if SAP delivers an implementation - in this case it is really there :o)). You could use it to replace the standard user name assigned. Unfortunately this leaves you with this generated user which would have to be deleted so it is not the best choice from a performance and perhaps a security point of view.
    The last solution I could imagine is changing the HRP558* table. It is used as a temporary storage for the IDoc data with EhP 4.
    All of these solutions have their pros and cons. Personally I'd use the possibility of changing the IDoc directly and add a line either in the outgoing BAdI on the HR server or in the inbound processing of the e-rec. server.
    Kind Regards
    Roman

  • Problem with Generate a certificate and Key

    I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
    I require a CA to sign the certificate generated by the Cisco S370, but the CA returns an error and asks for the key to be changed to 2048. I have no option to do this in the GUI; I looked in the CLI but cannot find any option to change the HTTPS certificate key to 2048.
    You can change the certificate that was generated by the WSA S370 to 2048

    In addition to Kush's response, we had a similar thread in the past. Please refer to:
    https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
    Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of 86121.
    You can search for Bug IDs using Cisco Bug Search Tool :
    https://tools.cisco.com/bugsearch/
    From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
    Regards,
    -Valter

  • Generate User Login in "Create User" Request

    Hi Guys,
    I have one more problem. To create a user, I am using a Request (Create User Template). I managed to add the attributes that would normally be necessary, but I use an Event Handler (Post-Process) to generate the user login. So I marked the User Login in Attributes Restrictions, fixing a default user login, for example: autogenerate.
    Then I created a new request to create a user and filled out all the fields that I marked to appear. I approved this request, and the user was created with the User Login generated by my Event Handler as normal. The issue is that when I create 2 create user requests, as I use a default value in the User Login attribute, if the first request still isn't approved, the second request isn't created because the "autogenerate" user login is already being used.
    Is there some other way to resolve this issue?
    Thanks

    Hi Bikash,
    Using a prepopulate adapter on an attribute with a timestamp is a nice idea, but I use the "Create User" template CreateUserDataSet.xml and there is no form in Design Console to associate the prepopulate adapter with.
    I had thought of an event handler because I use a method that checks in Active Directory whether the user login generated by another method is already being used. And I use this event handler in HR GTC recon too.
    About XL.LDAPReservationPluginImpl, I opened oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID but I did not understand how to use this option: whether I need to add my generate-user-login method to this class, or whether I need to implement a new class similar to this one, using my methods, and associate the class name in XL.LDAPReservationPluginImpl.
    Thanks a lot

  • Unable to generate users.xml file

    Hi All,
    I have installed OCS 10.1.2.0.0 and applied the cumulative patchset, and am now on OCS 10.1.2.3.0.
    Now I am trying to migrate users and their mailboxes from Exchange 5.5 running on a Windows NT 4 server.
    I have installed the esmigration tool on a machine running Windows XP SP2 with the Outlook 2003 client installed. I ran the tool and successfully created the system profile. Once done, when I try to extract users, which should generate a users.xml file, I get an error saying "Unable to generate users.xml" file. When I look at the log file I can see the error, which says invalid domain, which is not true. The domain name is right and I have repeated the process more than 10 times, but still keep getting the same error. I tried using IMAP to IMAP as well as MBOX, but still get the same error. Has anyone seen such behavior?
    So I tried to choose plan B. As I do not have too many users I decided to export the users' mailboxes as pst files and then import them. This is not a problem, but what I do not know is what I need to do to enable coexistence mode on Exchange, meaning when an email arrives, it first goes to Exchange and then a copy is forwarded to OCS. Please note that in my research I have found some notes on how to do this on Exchange 2000 on a Windows 2000 server with AD, but I couldn't find anything for Exchange 5.5 on NT4.
    Any assistance on this would be very helpful.
    Regards,
    Dipak

    Hi Dipak,
    If you do the migration from the Windows 2000 machine with outlook 2000 installed, and connected to Exchange 5.5 via an admin profile, then you will not see this issue.
    In case, it is not possible for you to move to new machine where above said environment exists, then you can request for a patch of migration tool that has fix for this issue. Please send an email to [email protected] or [email protected], for the fixed version.
    For your co-existence query: Please make use of alternate-recipient setup that exists on exchange 5.5 user properties. So, the emails will be routed to both exchange, and ocs server mailboxes of that user.
    If you have any further queries please send an email to [email protected]
    Thanks,
    Venkat

  • How to generate a certificate request with more than one OU?

    We're using Sun Java System Web Server 6.1 SP4. The Corp. has its own CA and organizes their certificates in a hierarchical rule with more than one organization unit (OU) in a chain.
    So what we need is to generate a certificate request with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field with the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and that didn't work either.
    Thanks in advance,
    Jeff!

    Have you tried the command line "certutil"?
    #<SERVER-ROOT>/bin/https/admin/bin/certutil
