SSL Certificate & Local Access

Hi everyone,
I'm currently in the process of re-keying Exchange with a new certificate.
Currently, Outlook clients have the following configuration:
Mail Server: server01.domain.local
HTTP Proxy: exchange.domain.com.au
Therefore the current SSL is keyed for:
Primary: exchange.domain.com.au
Alternate: server01.internal.local, autodiscover.domain.com.au, autodiscover.internal.local
With the old certificate, this is fine - however from November the 1st 2015 SSL authorities are allowing only external fully qualified domain names.
Therefore the SSL can ONLY be keyed for:
Primary: exchange.domain.com.au
Alternate: autodiscover.domain.com.au
This means that when connecting to exchange server01.domain.local I receive an error stating that the name on the certificate does not match the name of the host (because it's connecting locally).
Is there any way of adjusting configuration in Exchange for users to connect to the external exchange.domain.com.au even though they are local? I would obviously need to update autodiscover etc. also.
Cheers,
Anthony

There are two possible solutions using SSL certificates from public and private CAs:
1. Use an SSL cert from a public CA for the public domain name (exchange.domain.com.au) on reverse proxy servers like ISA or TMG for external access, and use an internal CA for internal names on the Exchange server (server01.internal.local).
or
2. You can create another site using a separate NIC card on the Exchange server. Use an internal CA certificate on the Default site and a public CA certificate on the new site.
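The question asked whether Exchange itself can be configured so that internal clients use the public name. The script below is an added example, not code from either poster: it takes the split-DNS route instead of a reverse proxy or second NIC, so that every URL Outlook discovers carries a name that is on the public certificate. It assumes Exchange 2013 (the Outlook Anywhere line uses -InternalHostname, which Exchange 2010 does not have; the virtual directory and Autodiscover lines work on 2010 too), an AD-integrated DNS server on Windows Server 2012 with the DnsServer module, the server name SERVER01, and 10.0.0.10 as a placeholder for the server's LAN address.

```powershell
# Added example (not from the thread): make internal Outlook clients use the
# public name so the public certificate (exchange.domain.com.au) matches every
# URL they touch. Assumes Exchange 2013 Management Shell, an AD-integrated DNS
# server on Windows Server 2012 (DnsServer module), server SERVER01, and a
# placeholder internal address of 10.0.0.10.

$Server     = 'SERVER01'
$PublicName = 'exchange.domain.com.au'
$AutodName  = 'autodiscover.domain.com.au'
$InternalIP = '10.0.0.10'   # placeholder: LAN address of the Exchange server

# 1. Split DNS: an internal copy of the public zone so exchange.domain.com.au
#    resolves to the LAN address inside the network and to the public IP outside.
if (-not (Get-DnsServerZone -Name 'domain.com.au' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'domain.com.au' -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName 'domain.com.au' -Name 'exchange'     -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName 'domain.com.au' -Name 'autodiscover' -IPv4Address $InternalIP

# 2. Point every internal URL at the public name, so the certificate name check
#    passes whether the client is on the LAN or on the Internet.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx" -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync" -ExternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa" -ExternalUrl "https://$PublicName/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$PublicName/ecp" -ExternalUrl "https://$PublicName/ecp"

# Autodiscover SCP: domain-joined Outlook reads this from AD before trying DNS,
# so it must not hand out a server01.domain.local URL.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutodName/Autodiscover/Autodiscover.xml"

# Outlook Anywhere (Exchange 2013): same host name inside and outside.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -ExternalHostname $PublicName -InternalHostname $PublicName `
    -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic -InternalClientAuthenticationMethod Ntlm

# 3. Verify: every name handed to clients must be on the certificate bound to IIS.
$cert    = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
$needed  = @($PublicName, $AutodName)
$missing = $needed | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names not on the IIS certificate: $($missing -join ', ')" }
else          { Write-Output  "All client-facing names are covered by $($cert.Thumbprint)" }
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
```

Run it in the Exchange Management Shell on the server, then restart Outlook on a test client and use "Test E-mail AutoConfiguration" (Ctrl+right-click the Outlook tray icon) to confirm that the returned EWS and OAB URLs carry the public name. The internal names (server01.domain.local, autodiscover.internal.local) no longer need to be on the certificate, which is exactly the constraint the question describes.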

Similar Messages

  • Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access, does the Remote Desktop Connection use the self-signed certificate for RDP instead of the SSL certificate I installed when I set up Anywhere Access?

    Scenario:
    Windows Server 2012 R2 Essentials
    I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere Access to use that new SSL Cert. I rebooted the server and I am able to log in to Anywhere Access via https (using the SSL certificate) from PC, Mac and iOS.
    So far so good.
    The problem I am having is that when I click to launch a remote desktop connection to the server, the RDP connection wants to use the self-signed SSL certificate of the server rather than the SSL certificate I installed into Anywhere Access. As a result, I get a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
    The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local instead of the SSL certificate I installed, which is remote.acmedomain.com.
    If I click to accept, RDP does work fine; it's just using a self-signed certificate. I want it to use the trusted certificate that I purchased and installed.
    My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
    So, something like, server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP

  • When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows gives an error of "improperly formatted DER-encoded message"

    When accessing Intranet sites that have SSL Certificates issued by our internal PKI, FF for Windows gives an error message - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
    Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

    Hi Guigs2,
    From the other post you link to, I can confirm that both the Root and Subordinate CA have been commissioned with the:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
    registry key set. As can be seen above, the signature algorithm on an issued certificate is RSASSA-PSS. This has been the Microsoft-suggested deployment IF you do not wish to support XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008; however, there were of course a lot more XP machines back then.
    The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added to Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla::pkix?

  • Jabber Guest server Local SSL certificate

    Hi, trying to download a local SSL certificate from the Jabber Guest server and issued a 'generate a new self signed certificate' request. The system shows 'a certificate signing request is being created, please wait'. Unfortunately it's been like that for 2 days now - even after rebooting the server it still reports the same. (version is 10.5.3.115)....any advice appreciated.....TIA, Jeff

    Jeff,
    I had a look at my Jabber Guest server this morning and oddly enough I found the same thing as you did. I'm not sure when the server got into this state however I can say it has been fully functional. Anyway, there are two options that you generally should have.
    1) "Generate a New Self-Signed Certificate"
    2) "Create a New Certificate Signing Request"
    To restore these options I had to run the certificate scripts through the root of the system.
    1) cd /opt/cisco/webcommon/scripts/
    2) ./createcsr.sh   (This is for the Cert Signing Request)
    3) ./selfsigned.sh  (This is for the Self Sign)
    After running each script you'll need to run through the general certificate questions.
    I hope this helps.
    -P

  • Can't access Exchange ActiveSync server - SSL certificates not being used

    When I try to set up my email via Exchange ActiveSync to a corporate server, I am unable to connect. I am using the same exact settings as on an iPhone, where I am able to successfully connect.
    Reading the console log in the iPhone configuration utility, the problem appears to be that the iPad is not using the corporate certificates I have installed to enable SSL access to the Exchange server. These certificates are installed in the exact same way they are on my iPhone, where they work correctly.
    Has anyone else had a similar problem accessing Exchange mail using SSL certificates? Any ideas on how to fix this? Or is this a bug in the iPad software?

    I'm having the same problem. iPhone works fine on Exchange at work but iPad with same settings says cannot connect to Exchange server. Have you figured anything out yet?
    Tom

  • Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway

    Hi, we have just migrated our SSL certificate from our Outlook Exchange server. Outlook Web Access works perfectly, but two of our users who have BlackBerry devices set up to get their email via OWA now fail.
    Everything worked fine before the migration.
    The new SSL gateway is an Apache box running mod_proxy, mod_ssl and mod_sec, protecting the box running OWA and IIS6.
    I can provide the httpd.conf etc., but I can see the traffic passed by Apache and I am getting a 401 message on the way back through to the device.
    Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
    Thanks in advance
    Mike

    Hello there!
    You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
    Try this article.
    And this one.
    And this one.
    And this one.
    You also can search the public KBs for more relevant articles:
    http://www.blackberry.com/btsc/microsites/microsite.do
    Good luck and let us know!

  • Install GoDaddy SSL Certificate to Windows Server 2012 - Access Anywhere

    I would like to activate Access Anywhere on my Windows Server 2012 Essentials. I went through the guided steps and purchased an SSL certificate from GoDaddy. GoDaddy doesn't offer support regarding the correct installation process of their certificates using IIS 8 (Server 2012 Essentials). I noticed that Access Anywhere requires a PFX certificate and GoDaddy only provided a PKCS #7 and a .cer file. Please let me know if GoDaddy's certificates are compatible with Windows Server 2012 Essentials. Without Access Anywhere functioning on my server, the usefulness of the server greatly decreases. Your assistance is greatly appreciated. Thanks.

    All you need is the standard, lowest level, single domain, no email, no bells, no whistles, no UCC. Just a simple SSL cert. Even SBS Standard, which adds email to the RWA feature, only requires that, thanks to the magic of the dev. team.
    Larry Struckmeyer [SBS-MVP]

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is set up as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • SSL Certificate Exception everytime a connection is established

    Hello guys!
    I am trying to authenticate a website running SharePoint 2010. But every time a connection is established, an SSL/TLS exception is thrown. The following is the code I am using. Any idea??
    The exception is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Runtime.InteropServices.WindowsRuntime;
    using Windows.Foundation;
    using Windows.Foundation.Collections;
    using Windows.UI.Xaml;
    using Windows.UI.Xaml.Controls;
    using Windows.UI.Xaml.Controls.Primitives;
    using Windows.UI.Xaml.Data;
    using Windows.UI.Xaml.Input;
    using Windows.UI.Xaml.Media;
    using Windows.UI.Xaml.Navigation;
    using System.Net;
    using System.Net.NetworkInformation;
    using Windows.Networking.Connectivity;
    using System.Net.Http;
    using System.Xml.Linq;
    using System.Text;
    using Windows.Web.Http.Filters;
    using Windows.Security.Cryptography.Certificates;
    // The Blank Page item template is documented at http://go.microsoft.com/fwlink/?LinkId=234238
    namespace TestApp
    {
        /// <summary>
        /// An empty page that can be used on its own or navigated to within a Frame.
        /// </summary>
        public sealed partial class MainPage : Page
        {
            public MainPage()
            {
                this.InitializeComponent();
            }

            // Build the SOAP POST against the SharePoint Webs web service.
            private static HttpWebRequest CreateWebRequest(string url, NetworkCredential credentials)
            {
                string action = "http://schemas.microsoft.com/sharepoint/soap/GetWebCollection";
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.Credentials = credentials;
                req.Headers["SOAPAction"] = action;
                req.ContentType = "text/xml;charset=\"utf-8\"";
                req.Accept = "text/xml";
                req.Method = "POST";
                return req;
            }

            // Empty envelope; the method body is inserted before </soap:Body>.
            static string soapEnvelope = @"<soap:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body></soap:Body></soap:Envelope>";
            //static string soapEnvelope =
            //    @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
            //    xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""> <soap:Body> <Login xmlns=""http://schemas.microsoft.com/sharepoint/soap/""> <username>{0}</username> <password>{1}</password>
            //    </Login> </soap:Body> </soap:Envelope>";

            private static XDocument CreateSoapEnvelope(string content)
            {
                StringBuilder sb = new StringBuilder(soapEnvelope);
                sb.Insert(sb.ToString().IndexOf("</soap:Body>"), content);
                XDocument soapEnvelopeXml = XDocument.Parse(sb.ToString());
                return soapEnvelopeXml;
            }

            // Write the envelope to the request stream, then start the response callback.
            private static void InsertSoapEnvelopeIntoWebRequest(XDocument soapEnvelopeXml, HttpWebRequest webRequest)
            {
                webRequest.BeginGetRequestStream((IAsyncResult asynchronousResult) =>
                {
                    HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
                    Stream postStream = request.EndGetRequestStream(asynchronousResult);
                    soapEnvelopeXml.Save(postStream);
                    //postStream.Close();
                    request.BeginGetResponse(new AsyncCallback(GetResponseCallback), request);
                }, webRequest);
            }

            // EndGetResponse is where the SSL/TLS trust exception is raised.
            private static void GetResponseCallback(IAsyncResult asynchronousResult)
            {
                HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
                HttpWebResponse response = (HttpWebResponse)request.EndGetResponse(asynchronousResult);
                Stream streamResponse = response.GetResponseStream();
                StreamReader streamRead = new StreamReader(streamResponse);
                string responseString = streamRead.ReadToEnd();
                //do whatever with the response
                //streamResponse.Close();
                //streamRead.Close();
                //response.Close();
            }

            private void Button_Click(object sender, RoutedEventArgs e)
            {
                NetworkCredential credentials = new NetworkCredential("<user>", "<password>", "<domain>");
                HttpWebRequest request = CreateWebRequest("https://the_website_I_am_trying_to_connect_to", credentials);
                XDocument soapEnvelope = CreateSoapEnvelope("<GetWebCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />");
                InsertSoapEnvelopeIntoWebRequest(soapEnvelope, request);
            }
        }
    }

    Hi,
    According to your description, my understanding is that when you access an https web service, the “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel” error occurs.
    To overcome this error, you need to install the certificate that is used by the web service provider in the server that will be calling the web service.
    1. Open Microsoft Management Console (Start --> Run --> mmc.exe);
    2. Choose File --> Add/Remove Snap-in;
    3. In the Standalone tab, choose Add;
    4. Choose the Certificates snap-in, and click Add;
    5. In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;
    6. Close the Add/Remove Snap-in dialog;
    7. Navigate to Certificates (Local Computer);
    8. Choose a store to import:
       - If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;
       - If you have the certificate for the server itself, choose Other People;
    9. Right-click the store and choose All Tasks --> Import;
    10. Follow the wizard and provide the certificate file you have.
    Here are some detailed articles for your reference:
    http://www.c-sharpcorner.com/uploadfile/anavijai/could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
    http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap
    Thanks
    Best Regards
    Jerry Guo
    TechNet Community Support

    Hello Jerry,
    Thank you very much for your reply.
    But what about Windows Phone? I am running the same code on WP 8.1 as a store app, and it returns an exception at the same place: the GetResponseCallback.
    Any workaround? Can I run a code from the app that uses the certificate or at least installs it?
    Thanks a lot. 

  • Can't find SSL certificate in SQL server configuration manager?

    Hi 
    It's been 2 days and I need help. I have visited a number of sites and I still can't make it work.
    Two servers I have: Windows 2012 Standard with SQL 2008 R2 and SQL 2012.
    I am trying to set it up on SQL 2008 R2 right now. 
    I have a certificate from a CA and did the following.
    1. Open MMC
    2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
    3. Right-click on Personal folder and All Tasks and Import
    4. Installed the certificate with Certificate import Wizard
    5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
    I did this with a local administrator account as well as MSSQL account(SQL Server service account I created). Even though the server is part of domain, SQL server is set up with local accounts. 
    This is a simple summary. I tried everything in the article such as 'Create Custom Request'.
    I am not sure what I am missing. Why can't I see the certificate in SQL Server configuration manager? 
    I even made MSSQL (service account) as administrator. Not working.  
    As I am not using the domain service account, I believe the below is not relevant.
    Missing detail on "Install a certificate in the Windows certificate store..."
    When following recommended security procedures and running SQL Server under a domain service account, the service will fail to start after assigning a certificate to the protocols. This is because the service account does not have permissions to read the private key. Fix this in the Certificates MMC snap-in (preferably right after installing the certificate). Select the certificate you just imported, then in the Action menu select "Manage private keys." Grant the domain service account read access to the private key of the server certificate.
    Below are a few of the references I looked at..
    https://support.microsoft.com/en-us/kb/316898/
    https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
    https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
    http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
    http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx

    Hi Dinesh 
    Thanks for the reply. 
    I did look into both sites as well, but it did not work.
    Below are the steps to install the SQL Server certificate, and I was stuck at Step 9. When I click 'next' in the wizard, I am not getting to a place to select 'Computer' as the certificate type.
    Do you know what is wrong please? 
    Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
    On the File menu, click Add/Remove Snap-in...
    Select Certificates, click Add.
    You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
    Select Local computer, and then click Finish.
    Click OK in the Add/Remove Snap-in dialog box.
    Click to select the Personal folder in the left-hand pane.
    Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
    Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
    You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
    Now you should see the certificate in the folder with the fully qualified computer domain name
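Both posts above describe importing the certificate and granting the service account access to the private key, but neither shows how to confirm that a certificate in Local Machine\Personal actually meets the properties SQL Server Configuration Manager filters on before listing it (valid dates, subject name equal to the host's FQDN, Server Authentication EKU, a private key created as an exchange key, and read access for the service account). The script below is an added diagnostic, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the SQL Server host, and $ServiceAccount is a placeholder you must change to the account SQL Server runs as.

```powershell
# Added diagnostic (not from the thread): report, for every certificate in
# Local Machine\Personal, which of the properties SQL Server Configuration Manager
# requires are missing. Assumes an elevated session on the SQL Server host;
# $ServiceAccount is a placeholder for the account SQL Server runs as.

$ServiceAccount = 'NT Service\MSSQLSERVER'   # placeholder, change to your service account
$Fqdn           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid  = '1.3.6.1.5.5.7.3.1'        # Enhanced Key Usage: Server Authentication

function Test-SqlServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # 1. The validity period must cover "now".
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems.Add('expired or not yet valid') }

    # 2. Subject CN (or a DNS SAN entry) must be the host's fully qualified name.
    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($cn -ne $Fqdn -and $sanText -notmatch [regex]::Escape($Fqdn)) {
        $problems.Add("name '$cn' does not match host FQDN '$Fqdn'")
    }

    # 3. Enhanced Key Usage must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems.Add('no Server Authentication EKU')
    }

    # 4. A private key must be present, created as an exchange (AT_KEYEXCHANGE) key,
    #    and readable by the service account. Only legacy CSP (RSA) keys are inspected here.
    if (-not $Cert.HasPrivateKey) {
        $problems.Add('no private key in the store (imported a .cer instead of a .pfx?)')
    } else {
        $csp = $null
        try { $csp = $Cert.PrivateKey.CspKeyContainerInfo } catch { }
        if ($csp) {
            if ($csp.KeySpec -ne 'Exchange') { $problems.Add("KeySpec is $($csp.KeySpec); SQL Server needs Exchange") }
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.UniqueKeyContainerName
            if (Test-Path $keyFile) {
                $acl = Get-Acl $keyFile
                $canRead = $acl.Access | Where-Object {
                    $_.IdentityReference.Value -eq $ServiceAccount -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
                }
                if (-not $canRead) { $problems.Add("$ServiceAccount has no Read right on the private key") }
            }
        } else {
            $problems.Add('private key is not a legacy CSP key; check KeySpec with certutil -store My')
        }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $cn
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-SqlServerCertificate $_ } |
    Format-Table Thumbprint, Subject, Usable, Problems -AutoSize
```

A certificate that shows Usable = True here but still does not appear in Configuration Manager is worth re-checking with certutil -store My, since CNG-backed keys are reported only as "not a legacy CSP key" by this script. The most common findings in practice are the first two in the post above: a .cer imported without its private key, and a subject name that is the short host name rather than the FQDN.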

  • Installing certificate for access to exchange 2003 server

    My exchange server requires that a certificate be installed to enable remote access. Since the iPhone does not support disk mode like the iPod there appears to be no way to install the certificate. Are there any workarounds?
    iPhone Windows XP

    The whole migration from the Exchange 2003 server to the Exchange 2010 server has been done, and a 3rd-party SSL certificate has also been applied on the Exchange 2010 servers.
    Hi,
    According to your description, everything about exchange 2010 is ready.
    Why don't you follow the mail flow as below?
    Internet Emails > Ironport > Exchange 2010 (smart host) > Exchange 2003 servers
    Please refer to the following article:
    Move Internet Mail Flow from Exchange 2003 to Exchange 2010
    Configure mail flow by using one of the methods listed below depending on the needs of your organization. This will enable Internet message flow through your Exchange 2010 Hub Transport servers.
    Configure Internet Mail Flow Through Exchange Hosted Services or an External SMTP Gateway
    Configure Internet Mail Flow Directly Through a Hub Transport Server
    Remove the SMTP connector in Exchange 2003 that is used to handle Internet mail. Your account needs to be a member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.
    In Exchange System Manager, expand the Organization node, expand Administrative Groups, expand <AdministrativeGroupName>, expand Routing Groups, expand <RoutingGroupName>, and then select Connector.
    In the right-hand pane, right-click the connector you want to delete and select Delete.
    Click OK to confirm the deletion.
    Hope this helps!
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Generating CSRs for SSL Certificates

    Hi all,
    I am trying to generate CSRs for SSL Certificates, in order to set up a secure (https) dynamic dns connection to my router.
    I am supposed to access the following directory through the Terminal:
    cd /usr/local/ssl/private
    But all I can access is /usr, I cannot go any further. I always get the message "/local: No such file or directory." Even if I am logged in as root.
    I might be making some mistakes, but I do not understand what is going on.
    Thanks
    Enrique

    The error message you posted says there is no "/local" which is true.
    There is a "/usr/local"
    If you are cd'ing one directory at a time, don't lead them with a /
    For example:
    cd /usr
    cd /local
    Will give you the error you describe
    cd /usr
    cd local
    Will put you into /usr/local
    If this doesn't solve your issue, please post the exact steps you are taking.
    Jeff

  • SSL certificate renewal

    I need to update the SSL certificates on two domains hosted on my OS X 10.5.8 server. It appears that renewal cannot happen in Server Admin.
    After extensive web reading, I find that under 10.4 you had to use both Server Admin and Keychain Access to accomplish the renewal. Here are the official Apple instructions:
    http://support.apple.com/kb/TA24487?viewlocale=en_US
    Is this the same in 10.5?
    My problem is that I have only access via SSH to my server and thus cannot run Keychain Access as a GUI. I found that the terminal command 'security' can do much of this, but its man page is highly cryptic and I fear for my certs as I try this. Any help with usage of 'security' to achieve export of a domain's certs, deletion, and importation as per the above instructions?
    What if, using 'Server Admin', I delete the domain certificate before I request and reinstall the new one? This would leave a small hole of uncovered access, but I can live with that. But I don't want to do this only to find out that the Keychain Access app is going to throw a fit.
    Any help from someone who has done this successfully would be appreciated. Thanks.

    To renew your SSL certificate, you can do one of two things:
    1) Use your existing CSR to acquire your new certificate.
    2) Generate a new CSR to acquire your new certificate.
    If you choose to use your existing CSR, you will need to know which keystore file you are currently using and the password you assigned to that keystore file.
    Here are the steps to find out which keystore file you are currently using:
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Configuration tab.
    3) Navigate to Web Servers and Proxies > Web Server Config > Connection Listeners > HTTPS (SSL) Connection Listener.
    4) You should see a keystore file field. This will display the path to the keystore file you are currently using.
    If you do not remember the password to your current keystore file, we strongly suggest that you create a new CSR.
    To generate a new Certificate Request (CSR):
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Keys and Certificates tab
    3) Click on SSL Setup and select Get Certificate Request
    4) Fill out the form and hit submit. Your new CSR will be generated in a text box on the page.
    5) Copy and paste the CSR onto a local text file which you can then send to your CA of choice.
    For more information on the SSL certificate process as well as importing the certificate please refer to our Knowledge Base article 845 at http://tinyurl.com/2n6qru.

  • SSL/Certificate creation/distribution questions

    I'm extremely new to SSL and using certificates and have been having some trouble figuring out exactly how to create and implement them.
    Environment background:
    Currently, my entire network is closed off from the outside world. It's a mac-only network, basically sandboxed from a PC-only network via a router (to provide access to the internet, that's provided from the PC network). No port forwarding is set up and I don't have any external IP addresses pointing to my router, so currently there's no way for an outside source to see my network. With not really any need for secure traffic, SSL and certificates aren't really needed (basically, it's a video dept at a university with ~150 users). However, once I get external access (the main IT dept's been "working" on this with our ISP for, um, about a year <coughcough>), I'm wanting to do some stuff with VPN as well as wikis and chat (chat could theoretically be useful internally now). Even though we don't really have much worth hacking, once I get a window to the outside world, I'd like to button up my server/network as much as possible.
    Since all my services will be set up and provided by me, I'm comfortable using certificates I create instead of purchasing any--if I knew how to do this, which brings me to my questions. I've tried creating a certificate within Server Admin, but it says it's not trusted (and clients don't seem to see it, anyway). I've also tried the instructions here: www.eclectica.ca/howto/ssl-cert-howto.php, but got an error when actually running the openssl command (OpenSSL is installed and appears to be functional). How do I get a trusted certificate(s) and then, how do I distribute them to the clients so they see and use them? Exactly what path are these created to, or should be placed, etc?
    I'd initially like to use SSL for increasing the security of my logins (all network users), but like mentioned, I'd also like to secure other services (is a cert needed/useable for VPN?). In that regard, do I only need one certificate, or would I need certificates for each separate service?
    Sorry for the long post, but thanks for any help.

    Hi There,
    If you create a "self signed" certificate you will get warning messages in your browser but can configure your browser to accept these warnings. This is ok if it is just a local access machine and you are the only one accessing it.
    If outside people are going to be accessing it, you will want to use a 3rd party SSL certificate from a trusted authority such as Verisign, GeoTrust etc.
    Here is a good article on how to create the CSR on 10.6
    http://support.apple.com/kb/HT3976
    Hope this Helps,
    Eric Holtzman
    Hosting 4 Less

  • SSL Certificate question (minor issue)

    I have a Windows 2012 server setup with RDS.  I have about 10 virtual machines already setup - my whole VDI infrastructure.  Everything is working fine - accessing the vm's internally and externally, however, I have issues w/the certificate.
    I am using a self-signed certificate (until I can get my client to pay for a real SSL cert).
    I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address), the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012) and the user will see the RDWeb page and can log in from there.  The cert is pointed to remote.mycompany.com too.  However, my server is called vdi-remote2.mycompany.com.  Naturally, when using IE to access the RDWeb page, their address bar in IE will be red with the cert error/warning.
    First they are greeted with the "There is a problem with this website's security certificate" and will click on continue to this website.  Upon inspection of the certificate, it will say "This CA Root certificate is not trusted.  To enable trust, install this certificate in the Trusted Root Certification Authorities store."  Ok, I can install it (and have), but I still get the red address bar in my IE.
    Needless to say, I'd like to clean this all up.  The users are non-technical people and when they see this stuff, they freak out.  We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and secure: green or no address bar when using https in the address bar.
    How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb?  I don't recall the possibility to have two certs for one website (the RDWeb).  So, I'm a bit confused on all this cert stuff.  I could keep everything as is and just train the users, but I'd rather not.
    Thank you in advance for your reply.

    Hi Steve,
    Thanks for your comment.
    Yeah, your understanding is correct as you have commented that “Things are working, but ONLY after I install the cert in the trusted root certification authorities store.”
    A trusted certificate is required for the RDS server.
    I would like to suggest that, first of all, the certificate must be placed in the (Local Computer)/Personal store, and the certificate must be signed by a trusted authority. Please check the link below, which states that “If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server.”
    RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
    You may export your certificate (and its private key) to a .pfx file using the Certificates MMC snap-in.  That way you can use the .pfx file for the RDS Role Services.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    For your comment “One user was having issues.  Once I installed the cert on her computer, she has no more issues logging in and launching a remote session.”, I can say that if the issue is mostly due to the certificate, then if you purchase a certificate from a trusted authority, as per my knowledge all your problems regarding login and certificates will be solved.
    More information:
    1. Configuring RDS 2012 Certificates and SSO
    2. RD Web Access Web site to use a trusted certificate
    (The thread might be helpful to understand.)
    Hope it helps!
    Thanks,
    Dharmesh
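    The name-mismatch error that runs through these threads (a certificate keyed only for the public names while clients connect by an internal name such as server01.domain.local or vdi-remote2) comes down to the hostname-matching rule clients apply. Below is an added example, not code from any of the posts above, that implements that rule and reports which client-facing names a certificate does not cover; the certificate dict is a constructed sample in the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
"""Added example (not from any post in this thread): why a certificate keyed
only for public names fails when clients connect by an internal hostname.
Implements the RFC 6125 style check browsers and Outlook apply: if the
certificate has subjectAltName DNS entries only those count (the Common Name
is ignored), and a wildcard stands for exactly one left-most label.
The certificate dict is a constructed sample in the shape returned by
Python's ssl.SSLSocket.getpeercert()."""
from typing import Iterable

def _dns_names(cert: dict) -> list:
    """SAN DNS entries if present, else the subject Common Name (legacy)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn[:1]

def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive; '*' may only replace the whole left-most label, so
    '*.domain.com.au' covers remote.domain.com.au but not domain.com.au."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the name the client typed is covered by the certificate."""
    return any(_label_match(n, hostname) for n in _dns_names(cert))

def unmatched_hostnames(cert: dict, hostnames: Iterable[str]) -> list:
    """Client-facing names that this certificate does NOT cover."""
    return [h for h in hostnames if not hostname_matches(cert, h)]

# Constructed sample: the public-CA certificate from the opening post, which
# after 1 November 2015 can no longer include the .local names.
PUBLIC_ONLY_CERT = {
    "subject": ((("commonName", "exchange.domain.com.au"),),),
    "subjectAltName": (("DNS", "exchange.domain.com.au"),
                       ("DNS", "autodiscover.domain.com.au")),
}

if __name__ == "__main__":
    # Outlook's internal server name and the RDS short name both fail the check.
    print(unmatched_hostnames(PUBLIC_ONLY_CERT, [
        "exchange.domain.com.au", "server01.domain.local", "vdi-remote2"]))
```

    The practical fix the threads converge on follows from the output: either every name clients type must appear as a SAN entry on the certificate, or clients must be pointed at a name the certificate does carry.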
