STARTTLS issue, related to "Invalid" certificate

Hi,
We have an issue on one of our CAS servers that is not allowing STARTTLS. We have tracked this down to an invalid certificate. In fact I believe it is the certificate that is created when you install Exchange.
On each server we have two certificates, the second of which is the one that we use for Exchange web services etc. This one is working fine and mail flow and webmail etc. are not affected.
However when one of our Linux boxes lands on this server it does not offer TLS. The other two services do.
A screenshot from a working server
And one from the non-working server.
The receive connectors are configured with the server's "internal" DNS name, i.e. WSR-EXCAS-101.mrc-cbsu.local, and therefore do not find a valid certificate.
So the questions for me are:
1. Why would this certificate, that has not expired, become invalid?
2. How do I create a new self signed certificate for only SMTP while leaving the other certificate in place for all other services such as webmail?
My apologies if these seem like easy questions but I always feel a certain amount of unease when dealing with certificate questions! :-)
Howard Gyton

Hi,
Yes, I spoke to my colleague and he said he installed no certificates on that web server. He would have had to have installed 3 as well as you would need each of the self signed certs on each CAS server. He distinctly remembers not doing that.
Ordinarily they would use the FQDN of the CAS array. However for now we are pointing it at one of the individual hosts instead as it will sometimes land on the server with the issue.
So whether they connect to the CAS array DNS name or the individual servers host name it still works for 2 of the three, even without a cert installed on the web server.
As a quick test to prove this hypothesis I created a new Receive Connector on the server with the issue. Configured the same way as the other one that it would be using but I configured its remote server settings to only be the IP address of my desktop and I also altered its FQDN from what it would ordinarily be, wsr-excas-101.mrc-cbsu.local to cas.mrc-cbu.cam.ac.uk, which is the FQDN of the CAS array and has a matching cert on the server. I then connected via PuTTY to port 25 on that server. It announces itself as cas.mrc-cbu.cam.ac.uk and when I type EHLO I get the following:
250-cas.mrc-cbu.cam.ac.uk Hello [172.31.x.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
Hey presto, STARTTLS is now available, simply because it has a matching cert and since I am using PuTTY to connect it wouldn't matter if I had the cert installed on my desktop or not because PuTTY would not be aware of it.
EDIT: Just a quick update. I found another article regarding the creation of self-signed certificates for Exchange and it was easier than I suspected it would be. I had originally looked to go down the route of creating a CSR and having one of our Linux boxes create it but it was easier than that.
I opened a PowerShell session on the Exchange server and ran the command:
New-ExchangeCertificate
It then asks me if I want to overwrite the existing certificate, the OWA one that we use, and I say no. It then creates a new certificate, with exactly the right name which is only assigned to SMTP.
When I now telnet to that box I get the following:
250-WSR-EXCAS-101.mrc-cbsu.local Hello [172.31.x.x]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
TLS is now available once more. I still have no explanation as to why it became invalid in the first place but this also shows that you don't need to have the certificate installed anywhere else either. We have yet to test this in anger on our Linux server as we need to wait for a maintenance window but I am reasonably confident that this will have fixed the issue.
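
The check done by hand with PuTTY and telnet in the post above, as an added example that is not part of the original thread: it parses the EHLO reply from each server, flags the ones that do not advertise STARTTLS, and compares the name each server announces with certificate names you supply (for instance from Get-ExchangeCertificate). All host names, addresses and certificate names in the sample are constructed, and `fetch_ehlo` is a helper for live use that the sample data does not exercise.

```python
import smtplib

# Constructed sample data (not taken from the thread): two servers of one array.
SAMPLE_REPLIES = {
    "cas-a.example.test": (
        "250-cas-a.example.test Hello [192.0.2.10]\r\n"
        "250-SIZE 10485760\r\n"
        "250-PIPELINING\r\n"
        "250-STARTTLS\r\n"
        "250-AUTH NTLM\r\n"
        "250 CHUNKING\r\n"
    ),
    "cas-b.example.test": (
        "250-cas-b.example.test Hello [192.0.2.10]\r\n"
        "250-SIZE 10485760\r\n"
        "250-PIPELINING\r\n"
        "250-AUTH NTLM\r\n"
        "250 CHUNKING\r\n"
    ),
}
# Constructed: DNS names carried by the SMTP-enabled certificate on each server.
SAMPLE_CERT_NAMES = {
    "cas-a.example.test": ["cas-a.example.test", "mail.example.test"],
    "cas-b.example.test": ["mail.example.test"],
}


def parse_ehlo(reply):
    """Parse a raw multi-line 250 reply into (announced_name, {KEYWORD: params})."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    announced, keywords = None, {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line.
        if (line[3] == " ") != (i == len(lines) - 1):
            raise ValueError("continuation markers are inconsistent")
        text = line[4:].strip()
        if i == 0:
            announced = text.split(" ", 1)[0].lower()
        elif text:
            word, _, params = text.partition(" ")
            keywords[word.upper()] = params
    return announced, keywords


def name_matches(fqdn, cert_names):
    """True if fqdn equals a certificate name or matches a left-most wildcard."""
    fqdn = fqdn.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


def audit(replies, cert_names_by_host=None):
    """Return one finding per server whose EHLO reply lacks STARTTLS."""
    findings = []
    for host, reply in sorted(replies.items()):
        announced, keywords = parse_ehlo(reply)
        if "STARTTLS" in keywords:
            continue
        names = (cert_names_by_host or {}).get(host)
        findings.append({
            "host": host,
            "announced": announced,
            # None means no certificate names were supplied for this host.
            "cert_matches": None if names is None else name_matches(announced, names),
        })
    return findings


def fetch_ehlo(host, port=25, timeout=10):
    """Live helper: connect, send EHLO and rebuild the raw 250 reply text."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO refused by {host}: {code}")
        lines = msg.decode("ascii", "replace").splitlines()
    last = len(lines) - 1
    return "\r\n".join(("250 " if i == last else "250-") + ln
                       for i, ln in enumerate(lines))


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPLIES, SAMPLE_CERT_NAMES):
        print(finding)
```

A finding with `cert_matches` set to False is the situation described in the thread: the name the connector announces is not among the names on any SMTP-enabled certificate.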

Similar Messages

  • Issue generating a subordinate certificate - The certification authority's certificate contains invalid data

    Hi Guys,
    I have a root CA and a sub CA both windows 2008 R2 ent. I want to generate another Sub CA certificate from my current sub CA however when I try to do so either via web or csr file I get the below error:
    The certification authority's certificate contains invalid data. 0x80094005 (-2146877435). Denied by policy module.
    I have confirmed that the basic constraint attribute for my current subca is none so I should be able to generate a certificate for a new subca.
    Any assistance is greatly appreciated.
    Thanks.

    Hi,
    According to your description, you want to build a new CA which is under an existing sub CA (one of your two working sub CAs) to issue certificates to other devices, am I right?
    Based on my research, to achieve this, we need to install another Subordinate Certification Authority. During the installation process, this new sub CA will generate a certificate request to its parent CA.
    “The subordinate CA cannot be used until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA”, I quoted this sentence from the article I posted in my last reply.
    Therefore, in your case, the process flow should be like:
    Install a new sub CA.
    Generate a certificate request to its parent CA during installation.
    The parent CA approves this request.
    Installation of the subordinate CA has completed.
    The new sub CA issues new certificates to other devices.
    Please feel free to let me know if this method is not working.
    Best Regards,
    Amy Wang

  • Issue with Client Authentication Certificates within Bootable Media

    Hi All,
    I am in the process of deploying SCCM 2012 R2 in our environment parallel to our existing SCCM 2007 R3 environment. So far everything is working well. I have hit, however my first issue. This seems to be related to Client Authentication certificate validation.
    The problem occurs when booting from SCCM 2012 Task Sequence Bootable media and attempting to contact a local Management Point. I am using a USB Boot key at this point as I do not want to overlap with our existing PXE environment.
    The SMSTS.LOG shows the error 0x80072f8f. Specifically the error that I need to get past is:
    [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]                : dwStatusInformationLength is 4
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]                : *lpvStatusInformation is 0x10
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]            :
    WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    I have followed all of the recommended steps that I can think of so far. I have:
    Ensured that the Server Authentication and client authentication certificate on all Site systems is correct (I.e. all certificates are based on Certificate Templates as per the TechNet documentation)
    Ensured the Root and Issuing CA's are registered within the SCCM 2012 Site
    The Distribution Point role and Bootable Media are using a dedicated Client Authentication certificate that has been imported via a .PFX
    Ensured this certificate is in a "Not blocked" state
    Ensured the Date and Time of each Site System and of WinPE during the boot process is in sync.
    Checked the MPControl.LOG on each of our 2 Management Points looking for errors. These logs are all clear.
    Checked the IIS Web Logs on the Management Points. These logs are also all clear.
    The SMSTS.LOG is successfully importing the Root CA certificates ....
    Root CA Public Certs=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)Importing certificates to root store TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    I have noticed that there are plenty of issues related to an invalid CA due to root CA import issues or CRL checking. We currently have CRL checking disabled and based on the "INVALID_CN" reference I don't believe CRL check is part of the equation.
    With regards to the Common Name I can confirm the following:
    The "ConfigMgr Client Certificate" Template used to auto enroll all domain joined systems is based upon the "Workstation Authentication" template. The Subject Field is set, as by default to "None". The SAN is set to DNS name.
    The "ConfigMgr OSD Certificate" Template used to create the client authentication certificate used on the DPs and Bootable Media is set to "Supplied at Request". I set a CN of "Configmgr OSD Certificate" for this certificate.
    I have tried using another client authentication certificate for the DPs and Bootable media that had no Subject Name defined.
    Can anyone offer any suggestions as to where I might be going wrong?
    Thanks,
    Nathan Sutton
    NSutton

    Hi Jason,
    Here is the log as requested. I will post it up in separate messages.
    NSutton

  • Invalid Certificate Microsoft Outlook cannot sign or encrypt this message because you have no certificates which can be used to send from your e-mail address.

    Hi,
    I have a problem when trying to sign emails with an X.509 certificate in Outlook 2010. I constantly get the error message. The certificate is Verified for the email address I'm sending from.
    "Invalid Certificate
    Microsoft Outlook cannot sign or encrypt this message because you have no certificates which can be used to send from your e-mail address."
    I have no problem with signing documents in Word 2010 with the same certificate, only when trying to send email.
    Every check I can perform confirms that there's nothing wrong with the certificate. Yet, Outlook still says it is invalid.
    I have even tried installing a second X.509 for the same email address just to check. Outlook doesn't seem to like either certificate.
    I know this has been posted before, but I'm completely stuck here.
    Thanks,
    ~Dan

    Hi,
    You may have checked the option "Encrypt contents and attachments for outgoing messages" in Outlook, please uncheck this to test if the problem persists.
    File -> Options -> Trust Center -> Trust Center Settings -> E-mail Security -> Clear the checkbox "Encrypt contents and attachments for outgoing messages" -> OK.
    Regards,
    Melon Chen
    TechNet Community Support

  • Error on Invalid certificate serial number while configuring mutual SSL

    Hi Guys,
    I encounter this error (refer below) while running the EAI Outbound Body proxy. I'm currently trying to do an outbound web service with a third party who uses SSL.
    Based on Oracle support I have followed how to import the CA certs and I have also added these two parameters in my outbound body proxy.
    siebel_transport_param:HTTPCertAuthority  = "CN=Siebel Test,OU=Oracle"
    siebel_transport_param:HTTPCertSerialNo =11223344
    I hit error:SBL-EAI-04116: HTTP Internet Exception during 'Data Send': 'The connection with the server was reset', code: '12031'
    When I check log file it says,
    Switched transport service direction to: 'Outbound'
    Error     Error     1     0000069e4f9a4e03:0     2012-04-27 19:55:30     Invalid certificate serial number ?11223344
    EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Could not load the client certificate
    EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     *** HTTP Transport Parameters:
    EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Request URL = https://Uknown/Uknown.asmx
    EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Request Method = POST
    EAITransport     EAITransportGeneric     3     0000069e4f9a4e03:0     2012-04-27 19:55:30     Dropped old connection and creating new connection for 'Request'
    Error     Error     1     0000069e4f9a4e03:0     2012-04-27 19:55:30     Invalid certificate serial number ?11223344
    EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Could not load the client certificate
    I try verify again the cert I imported and it says
    Serial Number : 11 22 33 44
    Issuer : CN=Siebel Test,OU=Oracle
    Guys, do you know what I'm missing?
    1) I have already checked that my inbound parameter does not have white spaces like this => 11223344
    2) I have added the double quotation marks in my HTTPCertAuthority because I suspected they are required for an Issuer with a space in the value.
    3) When I try to import from Siebel it puts the cert into the intermediate certification tab but when I import to IE it went to the other people tab. Is this expected?
    The cert is working when I try to import it to IE and went to this URL: https://Uknown/Uknown.asmx
    Thanks for reading,
    I hope some guys put some light
    Regards,
    Joey , MY

    See here:
    Audition 3 and the activation service
    and here:
    Error: Activation Server Unavailable | CS2, Acrobat 7, Audition 3

  • I get an Invalid Certificate notice when I try to access my https site for my printer. The serial number is the same as used by another certificate. In IE I was able to proceed to this address, but Firefox won't give me that option

    I get an Invalid Certificate notice when I try to access my https site for my printer. The serial number is the same as used by another certificate. In IE I was able to proceed to this address, but Firefox won't give me that option

    Hello,
    Thanks for contacting Mozilla Support!
    Many site issues can be caused by corrupt cookies or cache. In order to try to fix these problems, the first step is to clear both cookies and the cache.
    Note: This will temporarily log you out of all sites you're logged in to.
    To clear cache and cookies do the following:
    1. Go to Firefox > History > Clear recent history or (if no Firefox button is shown) go to Tools > Clear recent history.
    2. Under "Time range to clear", select "Everything".
    3. Now, click the arrow next to Details to toggle the Details list active.
    4. From the details list, check Cache and Cookies and uncheck everything else.
    5. Now click the Clear now button.
    Further information can be found in the "Clear your cache, history and other personal information in Firefox" article.
    Did this fix your problems? Please report back to us!
    Thank you.

  • Deploy infobus applet--"Invalidating certificate principals"

    Hi, lots of questions about deploying infobus applets have been posted previously, but none of them is my case.
    After finishing generating "package1.jar", I copy every *.jar and *.zip file into my deploy directory "c:\temp", as well as the package1.applet1.html. But when I open this html file in Netscape 4.7, no applet appears. In the java console, the following error message appears:
    Invalidating certificate principals in [file:/C|/temp/try/,]
    Can the applet be invoked without a webserver?
    I have tried to transfer the whole directory to the website (sun webserver), and the same error message appears (the only change is that the path is now [155.69.60.117:88]).
    Can anyone tell me why?
    thx

    This is hardly an Advanced Language Topic, nor is it Java-related. And who uses Netscape? I'm just playing with you. No but seriously, nobody is gonna answer that here. This is a JAVA forum.

  • Why do BT use an invalid certificate for signing e...

    Hello BT mods,
    In your online guides on setting up email, the instructions advise specifying the outgoing mail server as mail.btinternet.com, with SSL enabled. However, the certificate used to sign the connection is invalid! (This is because of a host name mismatch due to using a yahoo certificate) 
    This is pretty bad practise and doesn't help non-technical people understand online security! Is this mismatch going to get rectified, or do BT simply plan to tell customers to trust an invalid certificate?
    Cheers,
    --jenger

    See point 12 right at the end, the screenshot shows SSL ticked.
    http://bt.custhelp.com/app/answers/detail/a_id/9960/kw/mail%20setup%20os%20x/related/1
    Looking at it again, point 11 shows to leave outgoing SSL unticked, which is not how I remember it from earlier in the week - not sure if this has been updated since I reported it by phone or not, I remember the previous point as including a tick for SSL enabled as well though.
    Incidentally, it would appear to work with outgoing SSL both enabled and disabled - I'd been running with SSL enabled for years, TBH this only came to light after I had problems sending email at the beginning of the week.
    I did call the helpdesk, which was A Bad Idea, as I not only got conflicting info from two different reps, but the first one managed to delete all the historical mail in my inbox, thanks for that! My own fault really, I should have known better than to let someone onto my computer with GotoAssist!  (And to be fair, the second guy I spoke to was actually really good, knew what he was talking about and everything. Just a shame my mail had already been deleted by then!)
    These forums are a MUCH better resource!

  • Cannot connect to gmail - "invalid certificate" [SOLVED]

    Hi!
    When I try to connect to gmail I get a "Secure Connection Failed" error:
    An error occurred during a connection to www.google.com.
    You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:
    Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
    (Error code: sec_error_reused_issuer_and_serial)
    I have no idea what caused this and can't find anything about it. It's pretty annoying as my check-new-mail script says I got 6 new mails :S
    Anyone got a clue?
    Edit: I'm using Firefox 3.5, or "Shiretoko". Seems like it came with the upgrade somehow, but it works on other machines running the same version.
    Last edited by spektre (2009-07-22 08:29:17)

    I had already deleted the google certificate without getting further, but now I deleted cert8.db and key3.db under ~/.mozilla/<my profile folder>/ because I was getting a bit frustrated.
    Now it works! It must've used a certificate with another name that got blasted when I did a full purge.
    Thanks anyway, I don't think I would've tried it if you hadn't posted!

  • WRT300N Invalid Certificate Error

    I'm trying to connect to my router on a new computer. I type in the IP address and I get an error that says:
    "You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:
    Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number."
    I have connected to this router before on my old computer before it died. The only thing I have done is install the LinkSys software on this new computer, could that cause this error?
    Thank you for any help.

    It's not the router. It's more of the settings of your browser. You need to lower down the security settings to avoid this problem. Try to go to tools->internet options->content. Clear the SSL, and delete the existing certificates there.

  • Invalidating certificate

    How to correct this error message in Netscape:
    "Invalidating certificate principals in (Netscape)"
    My program is a small Applet of a few lines.

    This is hardly an Advanced Language Topic, nor is it Java-related. And who uses Netscape? I'm just playing with you. No but seriously, nobody is gonna answer that here. This is a JAVA forum.

  • Treo 800w / Exchange / invalid certificate

    Cannot get e-mail nor sync contacts, etc. using ActiveSync. Get "security certificate on this server is not valid" Support code 80072f06.
    There are two issues:
    1. The certificate is my SBS2003 self-issued certificate & works fine with Outlook Web Access, etc.
    2. Six weeks ago, the local Sprint store somehow configured this so it worked without any problem and without installing the certificate.
    I install the certificate using the native Windows Mobile 6.1 cert installer, but it does not work. I have tried editing the phone's registry using a variety of registry-editing tools to bypass cert-checking, but each attempt to edit the reg is met with "Access denied".
    Already deleted Exchange account & ActiveSync partnership & recreated - to no avail.
    Stuck.
    Post relates to: Treo 800w (Sprint)
    This question was solved.

    Actually, you nailed it a couple of posts back. I finally deleted & recreated the cert, and it worked. Here was the problem: the SBS cert-creation wizard suggests this format for the server name:
    ServerName.Subdomain.Domain.com (FQDN of the server)
    However, from outside, the path is just Subdomain.Domain.com (no server name - the server name is relevant only inside the LAN).
    There were two red herrings here.
    1. The cert worked just fine with the server name in there for OWA.
    2. Someone at the Sprint store had gotten this working without the cert for a period of about three weeks. They did something six weeks ago that got it working without even having the cert installed; when that quit working, even they could not remember what they had done. I know there is a registry hack that can tell the Treo to bypass cert-checking, but neither of the mobile registry-editing tools I tried to do that would work - both gave me Access denied errors.
    All's well that ends well, though, I guess. Now I know to not take the SBS wizard's word for it on the path.
    Thank you very much. We appreciate the help.
    Post relates to: Treo 800w (Sprint)
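
The name mismatch described in this thread (a certificate issued for the server's internal FQDN while clients connect to the shorter external name), shown as an added example that is not part of the original posts: a simplified host-name check in the style of RFC 6125. The host names and certificate contents are constructed placeholders, and refusing two-label wildcards such as "*.com" is a conservative choice made here.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, host):
    """True if a single certificate DNS name covers the requested host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Conservative choice: need three or more labels, so "*.com" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def matching_name(cert, host):
    """Return the certificate name that covers host, or None.

    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate carries no SAN DNS entries (legacy fallback).
    """
    candidates = cert["san"] or [cert["cn"]]
    for name in candidates:
        if dns_name_matches(name, host):
            return name
    return None


# Constructed certificates; the names are placeholders, not from the thread.
WIZARD_CERT = {"cn": "server01.mail.example.com", "san": []}
REISSUED_CERT = {"cn": "mail.example.com",
                 "san": ["mail.example.com", "server01.mail.example.com"]}
WILDCARD_CERT = {"cn": "*.example.com", "san": ["*.example.com"]}

if __name__ == "__main__":
    certs = [("wizard", WIZARD_CERT), ("reissued", REISSUED_CERT),
             ("wildcard", WILDCARD_CERT)]
    for label, cert in certs:
        for host in ("mail.example.com", "server01.mail.example.com"):
            print(f"{label:9} {host:27} -> {matching_name(cert, host)}")
```

A wildcard certificate covers the external name but not the four-label internal FQDN, so listing both names as SAN entries is what lets one certificate serve internal and external clients.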

  • Since I uninstalled avast! antivirus and installed Bitdefender Internet Security 2015 Thunderbird asks whether to accept an invalid certificate.

    Since I uninstalled avast! antivirus and installed Bitdefender Internet Security 2015 Thunderbird asks whether to accept an invalid certificate when trying to receive new messages.
    Please have a look at the two attachments (there seems to be a problem with uploading jpg files).
    Obviously Bitdefender manipulates the certificate (probably to be able to scan the mails via SSL connection). But I'm not sure.
    Would you recommend to confirm an exception for this certificate (permanently)?
    Thanks in advance.
    Greetings
    Marco

    Thank you, christ1.
    I found out that after disabling SSL Scanning in Bitdefender, this issue no longer exists.
    Maybe this can be considered as confirmation that this certificate really belongs to Bitdefender. Because that's actually what I'm concerned about, i.e. how to validate this certificate to make sure that Bitdefender is the issuer.

  • Recent rash of invalid certificates

    Running Safari 6.02 w/OSX 10.8.2
    Recently I've been getting a lot of invalid certificate errors trying to go to "common websites".
    Example - Safari can't identify the website www.google.com  The certificate for this website is invalid.
    This is something that has recently started occurring.  Is this a settings issue, some "malware", or potentially a network issue?
    What's changed is I recently got a new Linksys wifi router.  Something I need to tweak there?
    I've deleted history including cookies, no difference.

    First, the process by which OS X checks the validity of root SSL certificates doesn't currently work behind an authenticating proxy, such as those used on some enterprise networks. If you're in that situation, contact your network administrator.
    If you're running a third-party firewall such as “LittleSnitch” or “Hands Off,” disable it and test.
    Are the current date (including the year) and time shown on your system clock? If not, correct them and test.
    Otherwise, launch the Activity Monitor application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Activity Monitor in the icon grid.
    Select All Processes from the menu in the toolbar of the Activity Monitor window, if not already selected. Enter "ocspd" (without the quotes) in the "Filter" text field. Is a process with that name listed?
    If not, select Go ▹ Go to Folder from the Finder menu bar. Into the text box that opens, copy the following line of text:
    /var/db/crls
    From the folder that opens, move these two files to the Trash:
    crlcache.db
    ocspcache.db
    You’ll be prompted for your administrator password when you do this. Then reboot, empty the Trash, and try again.

  • How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

    I have an RDG server named gw.domain.local with port 3389/tcp forwarded from
    gw.example.com.
    Using RDGM snap-in I created a self-signed SSL certificate with FQDN gw.example.com.
    But when I connect over RDP from outside the local network I'm getting an error:
    Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
    Because certificate subject name is gw.domain.local indeed.
    So the question is: how to issue a certificate properly, or how to assign an existing one the name to match?

    Hi,
    Thanks for your post in Windows Server Forum.
    The certificate error which you are facing seems like a certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway server. You can refer to the article below for more troubleshooting.
    TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
    And for creating a SSL certificate for RD gateway, you can refer beneath articles.
    1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
    2.  Obtain a Certificate for the Remote Desktop Gateway Server
    Hope it helps!
    Thanks,
    Dharmesh
