Unable to Import Internal Certificate to Lync Deployment wizard Local Store

Hi,
While installing the Edge server, I imported the internal certificate to the certificate local store. But when I tried to assign that certificate, I did not see any imported certificate. I have installed Lync and Edge server several times, but this is the first time I am facing this issue.
FYI,
It's a Lync 2010 standalone server. Also, I have installed the domain's root certificate to the Edge server's "trusted root authority".
Kindly suggest.
Thanks and Regards,
Ankit

Hi Ankkit18,
You can download the certificate chain from the CA and import it to the Edge Server using MMC (Computer Account -> Trusted Root Certification Authorities).
And in the certificate request step, make sure that you have selected the "Mark certificate private key as exportable" check box.
For more details, please refer to the following article:
Set up certificates for the internal edge interface in Lync Server 2013
Best regards,
Eric
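
A diagnostic check for the two conditions this thread keeps returning to: whether each certificate in the computer's Personal store has a private key, and whether its chain builds to a trusted root. This is an added example, not part of the original posts; `Test-StoreCertificate` is a hypothetical helper name, and only standard .NET certificate classes are used.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Edge server. Uses plain .NET types so it also works on PowerShell 2.0.
function Test-StoreCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # $true = build the chain in the machine context (Local Computer stores),
    # which is where the MMC steps in the thread place the CA chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Trust-path check only; revocation lookups are skipped so this runs offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    try {
        $trusted  = $chain.Build($Certificate)
        $problems = @($chain.ChainStatus  | ForEach-Object { $_.Status.ToString() })
        $path     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
    finally {
        $chain.Reset()
    }

    # Summarise what is wrong, if anything, in one line per certificate.
    $findings = @()
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key in this store (certificate-only import, e.g. a .crt/.cer file)'
    }
    if (-not $trusted) {
        $findings += 'Chain does not build to a trusted root: ' + ($problems -join ', ')
    }
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $findings += 'Certificate has expired'
    }
    if ($findings.Count -eq 0) {
        $findings += 'OK'
    }

    $result = New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainTrusted  = $trusted
        ChainPath     = ($path -join ' <- ')
        Findings      = ($findings -join '; ')
    }
    # Hashtable property order is not preserved, so fix the column order here.
    $result | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, ChainTrusted, ChainPath, Findings
}

# Local Computer\Personal is the store the certificates in this thread were imported into.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-StoreCertificate -Certificate $_ } |
    Format-List
```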

Similar Messages

  • Unable to import PKCS12 certificate file to ACE module

    Hi,
    I'm currently in the process of replacing my CSS-appliances with the ACE module. So far everything's been smooth, but when I'm trying to import a certificate file to the respective context using the "crypto import"-command, ACE can't recognize the filetype, it's just marked as UNKNOWN. On the CSS I had to specify PKCS12 as the fileformat, but this is apparently not an option on the ACE. Does anyone know the equivalent command on how to import a PKCS12-file to the ACE?
    Thanks
    /Ulrich
    PS! I haven't created a cert chaingroup, as I was told this would not be necessary.

    Hi Ulrich,
    Short answer is you cannot import PKCS12 format. You'll need to extract the component parts into PEM format outside of the ACE and then use crypto import.
    You will also need a chaingroup unless this is a self-signed certificate. Again any intermediate and root certificates will need to be in PEM format.
    HTH
    Cathy

  • Import a certificate into Sun/Java/Deployment/security/trusted.clientcerts

    Hi, I'm trying to make a Java applet; it has to add a certificate to the keystore Sun/Java/Deployment/security/trusted.clientcerts.
    The problem is that to store it, I have to enter a password. I enter "".toCharArray(), but when I try to view the certificates, it does not appear in the Java control panel.
    And when I try to import a certificate from the Java control panel, it throws the following error: "keystore was tampered with or password was incorrect".
    Code:
    private void guardarKeyStore(KeyStore ks) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException{
        FileOutputStream out = new FileOutputStream(System.getenv("APPDATA").replace("\\", "/")+"/Sun/Java/Deployment/security/trusted.clientcerts");
        ks.setCertificateEntry("someAlias", decodeCertificate(somebase64));
        ks.store(out, "".toCharArray());
        out.close();
    }

    Francisco26 wrote:
    I want to insert a certificate into trusted.clientcerts via a Java applet.
    This certificate has to appear in the Java control panel. (Security->Certificates->user->client authentication)
    Why that? Because I need to do an applet that downloads a certificate response from a request to a CA.

    Which to paraphrase EJP is undesirable, insecure and untrustworthy. What you are asking would allow an untrustworthy site to declare itself trustworthy.

  • Lync edge internal Certificate

    Hi guys, I have an interesting problem. I'm switching my TMG server for a Palo Alto server, and when I do an external test, it fails and it's showing my internal cert, not the SAN certificate bound to the external DMZ NIC, and yes, I've reassigned the certs multiple times to make sure.
    Anyone ever see anything like this? Works perfectly on TMG :|

    I have 1 Lync Standard Frontend and 1 Edge, the edge server has 2 NICs, 1 internal and 1 in the DMZ with three IPs and 1 to 1 NAT. It has static routes for the internal network.
    I'm aware there is no SAN requirement for internal. What I can't figure out is why external tests are seeing the internal certificate.
    Testing remote connectivity for user test@i*.com to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Elapsed Time: 16269 ms.
    Test Steps
    Attempting to resolve the host name sip.i*.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 190.********
    Elapsed Time: 186 ms.
    Testing TCP port 443 on host sip.i*.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 193 ms.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Additional Details
    Elapsed Time: 15560 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.i*.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=cerberus.*.com, Issuer: CN=ICONS-CA, DC=i*, DC=com.
    Elapsed Time: 15501 ms.
    Validating the certificate name.
    Certificate name validation failed.

  • Can't assign certificate in Lync Edge Server

    Hello, everyone
    I've installed Lync Server, internally it works fine, but while I'm deploying the Edge server, I have a certificate problem. On the request/assign certificate step, I've issued by online certificate authority; after the request I see the following error:
    The certificate has been issued by the online certification authority and is installed to the local certificate store, however it is not valid. Make sure that the Root certificate, and necessary certificate chain is installed on this server.
    I've downloaded root certificate from CA and imported to trusted root certificate of edge server. I think root certificate is valid, because non domain members which imported root certificate, sign in Lync successfully.
    I also sent an offline certificate request (http://technet.microsoft.com/en-us/library/gg412750.aspx); importing the certificate was successful. But there are no certificates in the assign certificate wizard. I checked personal certificates using MMC; the certificates I had requested were there.
    How can I solve this problem? Please help me!
    Regards and thanks for any help :)
    Enkhee

    Hi,
    You need to access http://CAserver/certsrv to download the certificate chain on the Edge server. Open MMC and install the certificate chain with the following steps (To import the CA certification chain for the internal interface):
    http://technet.microsoft.com/en-us/library/gg412750.aspx
    Check whether the certificate chain is installed successfully in the Trusted Root Certification Authorities.

  • Missing certificate in Lync Certificate Store

    Hello
    I'm trying to deploy an Edge server for our actual Lync environment.
    Internal cert installed fine. But for the external cert, I'm stuck.
    I've made the request, sent it to the certificate authority, then I received a couple of '.crt' files by email.
    I've imported all of them in the Trusted Root Certification Authority of my Edge server.
    But still I can't assign a certificate because there is only the Internal certificate available in the Certificate Store.
    Thanks for any help you will provide

    Hi,
    If your deployment includes multiple Edge Servers, make sure to export the certificate along with its private key.
    Also make sure you request the certificate correctly.
    You can check the process with the help of the link below of “Set up certificates for the external edge interface for Lync Server 2013”:
    http://technet.microsoft.com/en-us/library/gg398409.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Deployment Wizard Not Allowing Certificate Update

    Hey, everyone!
    I needed to add new SANs to our Lync Server SSL (ucupdate-r2 subdomain for Polycom CX700 with old firmware). I logged into our GoDaddy account and I requested the new SAN. I validated it through email and then downloaded the CRT file.
    I then launched the Deployment Wizard and chose to rerun the "Request, Install or Assign Certificates." In Certificate Wizard, I select Import Certificate and select the new GoDaddy SSL. It imports just fine. Next, I select the Default Certificate and then Assign. The new SSL doesn't appear in the list of available certs, though.
    I don't know if the server is just confused since they're technically the same cert but with a couple extra SANs.
    So I launched MMC and went looking for the newer version of the cert. It wasn't there, so I imported it into Personal > Certificates, which is where the previous certificate is located. It imported fine, except the new one doesn't indicate that a "private key corresponds to this certificate."
    I still relaunched the Certificate Wizard from the Deployment Wizard, but the cert is again now listed.
    I'm not sure what to try now.
    Could someone please help?
    Thanks!
    -Eric

    Hi,
    Check if you have the proper Certificate Chain for GoDaddy specially the intermediate CA.
    Last week I renewed a GoDaddy cert and the intermediate CA changed.
    David

  • Unable to enroll Computer certificates on Server 2008 R2 and older

    I've found a strange issue with our CA setup, and it didn't used to be a problem. While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers. Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble. Direct IIS "domain certificate" enrollment still works.
    I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built. I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate. I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen. If I check the box to show all templates the certificates I want are listed with:
    "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't' support this operation, or the CA is not trusted."
    I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong. The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates. I've searched the web but can't find anything like this specific issue.
    Any ideas?
    Thank you!

    Hi Amy.
    Domain Admins and Enterprise Admins have Read/Write/Enroll. Authenticated Users have Read.
    I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue. Our domain has had plenty of time to replicate the copied template.
    I don't recall making any changes that would have affected a computer's ability to enroll. There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I went to generate internal certificates back in October. All administrative work is done as the domain Administrator account.
    We didn't have issues with this CA when it was first built, so something did change. We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything. When we moved to Server 2012 on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained. It may be better just to clean everything and get one consistent root certificate again.
    Alan

  • Unable to Import objects into ID

    Hi All,
    For your support I have completed the development work and I have moved to Quality from Development. But while trying to import one scenario into the Quality System from Development in XI, I am getting the following error:
    Internal error: Unable to transfer changes for object Service | Q14CLNT120 to change list "XI 3.0 Import" (9a590f30-7245-11dc-9266-00306ee97ef1) since object still in change list "XI 3.0 Import" (3ae5e660-701d-11dc-942e-00306ee97ef1)
    I somehow managed to import another scenario last week into Quality, although now I am unable to import. But while trying to activate the imported scenario in the Quality System I am getting another error as below:
    Unable to move object. Change lists were not part of the same import
    I tried to activate the change list, but it did not work.
    Could anyone please advise?
    BR
    Soumya

    Have you checked the GUID in SLD in both the systems?
    SLD --> Software Components, to check the GUID.
    You can do one thing: first delete the imported objects which are not getting activated from QA, and also delete the SWCV from Integration Repository.
    Note: Before deleting SWCV, make sure any other working objects are not there in the same SWCV.
    Now, if SWCV & GUID in both systems are same then again:
    1. Export the objects from Dev (.tpz file)
    2. Import the same .tpz file to QA system.
    Now go to Repository of QA and
    1. Tools --> Import Design Objects
    2. Tools --> Transfer from system landscape Directory --> Update Application Components.
    Select your components and press Finish button.
    And finally try to activate your objects.
    Regards,
    Sarvesh
    *****Reward points, if found helpful.

  • How to export/import the certificates for/from 'Partner company' step-by-step in exchange 2013

    Dear  EXCHANGE EXPERTS,
    I am a newbie in "Exchange World" and I try hard to learn and figure out how Exchange messaging works.
    Sometimes the searches for information are gratified with wonderful articles and blogs, but sometimes days of searches bring you nothing but tiredness.
    I cannot find a clear information (step-by-step) how to exchange the certificates with the Partner company for TLS mutual communication in Exchange 2013.
     I would appreciate the help of experts.
    Vi

    Hello
    "You can do it in several ways. If both organizations are using publicly trusted certificate on Exchange servers, you are good to go. If that's not the case you will have to cross-import Root CA certificates on both sides. Alternatively, you can also issue certificates for SMTP for both Exchange organization from a single trusted RootCA. Anyway, the point is that each Exchange server must trust the certificate installed (and assigned to SMTP service) on another Exchange server"
    "Trusted Root Certification" --> yes /local computer/
    If your company and the partner company have a public cert assigned to the SMTP service, you do not need to do anything with the cert.
    If you do not have a public cert but both companies have a cert from their own internal CA, you need to cross-import the Root CA certificates to the Exchange servers and it is OK. You send your root CA cert to the partner company, the partner company sends its own root certificate, and you import that into the local computer "Trusted Root Certification" store on the Exchange server.
    If you do not have an internal CA, only self-signed, you need to send the self-signed cert.
    Sorry for my English.

  • Unable to import metadata using OBI 11g Admin tool

    Hello folks,
    I am new to OBI. I am trying to build a RPD. For that purpose I am trying to import some tables from database but I am unable to. I created DSN and also tried using OCI but no help. The OBI Admin tool client and database is installed under other user's account. Is that the reason I am unable to import tables?
    I am getting this error:
    Internal Error-Unable to initialize NLS during driver load - When I try to use ODBC &
    Connection failed --When I try to use OCI.
    Can someone shed some light on this issue.
    Thanks,
    Edited by: 950330 on Jan 21, 2013 11:17 AM

    Use Call Interface: Default (OCI 10g/11g)
    Data source Name->hostname:port/ServiceName or TNS name
    like
    localhost:1521/XE
    Make sure you are able to ping/connect to the database using the TNS entry or
    tnsping <tnsname>
    from the command prompt.
    Let me know if there are issues; if it helps, please mark.
    Edited by: Srini VEERAVALLI on Jan 21, 2013 1:17 PM

  • Unable to import-'Pictures' folder is missing in Destination panel?

    My 'Pictures' folder is missing in my Destination panel, as well as 'Users', etc. It shows my C-drive which shows 'My music', but not 'my pictures'.  When I click on 'create/choose' new distination folder using Explorer window, I choose the 'pictures' folder from there, but it doesn't create it.  Not having this problem on my desktop computer, only my laptop (both are pc). For this reason, I'm unable to import photos. Any help is appreciated!

    sorry
    Win7.  I have tried to import via  the computer's card reader and also direct from my D3 camera, I am trying to import them onto my computer's internal SSD drive.  It is a brand new computer and this is one of the first things I have used it for
    I hope this helps
    D

  • Cisco Network Setup Assistant Unable to install the certificate on Android KitKat

    Greetings,
    I'm having issues with deploying the CA. Although the Cisco app fails, the user cert (but no CA) appears to install and is accessible during wifi setup. I am running the latest version of Cisco Network Setup Assistant 1.2.42. The phone is running Android KitKat 4.4.4, not rooted, running stock T-Mobile rom. I'm able to authenticate with the guest side, and get as far as Installing Certificates... Reference the screen shots attached. 
    Error message cisco Network Setup Assistant: "Unable to install the certificate. Exit the application and run it again to continue to the installation."
    I have run the application several times, it keeps returning to this same message.
    After failure of the Cisco app, I noticed there is a certificate manager with CA cert and key, and then subsequently one new key continues to loop until I cancel (also in screenshots).
    I have tried decryption, removing all security, and clearing credentials, yet the problem persists. Any help is appreciated. 

  • Unable to import an item to keychain

    I am trying to import a certificate in the X509Anchor in my keychain. Under both users I get the error:
    "An error has occurred. Unable to import an item.
    100013"
    I did a disk permissions repair, and a keychain firstaid and neither helped. I am able to import a certificate to other keychains

    This is probably happening because you don't have Write access to the System/Library/Keychains folder - by default the permissions are 755 (Root has read/write, Wheel has Read and Everyone has Read). To alter the X509Anchor you actually have to allow yourself write access to this folder (this is not recommended, and if you do this make sure you put the permissions back as you found them).

  • Mixing on-premise and Office 365 Lync deployment - slightly complicated

    Hi,
    I wonder if anyone could help with a configuration/deployment issue we've got.
    The environment has some slight complications so bear with me:
    We have a small development environment say called, XYZ.com - unfortunately when it was created the domain was actually called XYZ.com rather than something like XYZ.local. That aside it's a small environment hosting an on-premise Exchange and Lync deployment.
    Exchange does not handle email for the XYZ.com domain; instead it uses a different domain, say for example, XYZtest.com. Lync works fine if I login using the XYZtest.com email address sip.
    There is also a separate Office 365 deployment which so happens to also use the XYZ.com which is used by various people dotted around the world as part of the organisation. This has both an Exchange and Lync online service.
    My question is - how can I use Lync to login to both my local, on-premise Lync service as well as the Lync Online service? I don't necessarily need the logged in simultaneously - I just need to be able to login to either service.
    What DNS config should I have? (i.e. SRV, CNAME records, etc.)
    Also the other thing to note is that there is potential for confusion as both the local domain XYZ.com is the same used for the Office 365 one and so need to ensure I can force Lync to keep them separated.
    Any help or suggestion would be much appreciated.
    Cheers
    E

    Yes. If you have the latest updates installed for Lync, you can log in to one Lync setup at a time.
    For each SIP domain, whether online or on premise, you need the following DNS records.
    For all clients except for the Lync Windows Store app: during DNS lookup, SRV records are queried and returned to the client in the following order:
    lyncdiscoverinternal.<domain>   A (host) record for the Autodiscover service on the internal Web services
    lyncdiscover.<domain>   A (host) record for the Autodiscover service on the external Web services
    _sipinternaltls._tcp.<domain>   SRV (service locator) record for internal TLS connections
    _sipinternal._tcp.<domain>   SRV (service locator) record for internal TCP connections (performed only if TCP is allowed)
    _sip._tls.<domain>   SRV (service locator) record for external TLS connections
    sipinternal.<domain>   A (host) record for the Front End pool or Director, resolvable only on the internal network
    sip.<domain>   A (host) record for the Front End pool or Director on the internal network, or the Access Edge service when the client is external
    sipexternal.<domain>   A (host) record for the Access Edge service when the client is external
    Regards,
    Edwin Anthony Joseph
