Using PowerShell to request a public certificate for webconf. What type should I specify

Using the PowerShell command below to request a certificate for webconf.domain.com on the Edge. There are at least a dozen "types" I can specify. I was thinking WebServicesExternal but maybe AccessEdgeExternal? Not sure what to use or if it even makes a difference.
Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn "edgeserver.domain.com" -FriendlyName "Web Conferencing" -Organization etc......-PrivateKeyExportable $True -DomainName webconf.domain.com -output c:\webconf.txt

Type will be AccessEdgeExternal and the command will be as follows:
Request-CsCertificate -New -Type AccessEdgeExternal -Output C:\ <certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
Also, you can refer to the link below:
http://technet.microsoft.com/en-us/library/gg398409.aspx

Similar Messages

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers: one is the DC and the other is a DR. I have a requirement to implement guest access service using CWA and to get a public certificate for HTTPS to avoid certificate errors on client devices.
    How do I deploy ISE personas for HA in these two data centers?
    After reading the Cisco docs, I understood that we can have two PANs (primary in DC and secondary in DR), and likewise for MnT (monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE, and I am confused about HA for PSNs: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public certificate: The ISE domain must be registered, or part of a registered domain name, on the Internet. For that I need the domain name being used from the customer.
    Please correct me if my understanding of certificates is wrong:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install it on both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different data centers.
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • Public certificate for lync/exchange

    Hi guys,
    I need to buy a public certificate for Lync 2013. Shall I include the SAN name for my Office Web Apps (OWA) too, which is currently included in my Exchange SAN certificate?
    Does anyone have good links on configuring Lync with an existing Exchange 2013, and also a link on configuring Lync Edge for external access? Our plan is to use Windows 2012 R2.
    This is the first time for me to configure Lync and I need help. Thanks.

    Hi Developer_75,
    Agree with Thamaraw. You can include all SAN records in a single certificate.
    And there are some links for your reference.
    Integrating Microsoft Lync Server 2013 and Microsoft Outlook Web App 2013
    Configuring Microsoft Exchange Server 2013 Unified Messaging for Microsoft Lync Server 2013 voice mail
    Configuring the use of high-resolution photos in Microsoft Lync Server 2013
    Lync External Access
    Best regards,
    Eric

  • Request Sub-CA-Certificate for Ironport WSA

    How do I request a Sub-CA-Certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates to run the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.
    Thanks for your help.

    Here is the solution for this question:
    The steps to use the sample inf file are:
    run the command: certreq.exe -new certreq.inf cacert.req
    submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
    install the certificate by running the command: certreq.exe -accept newcacer.cer
    export the certificate to a PFX file including the private key
    using openssl convert the PFX file to PEM format with the following steps:
              * extract the certificate file (the signed public key) from the pfx file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
              * extract private key from a pfx file and write it to PEM file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
              * remove the password from the private key file:
                openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
    That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).
    Sample for the INF-File:
    [Version]
    Signature="$Windows NT$"
    [Strings]
    CACN = "Issuing CA"
    [NewRequest]
    Subject = "CN=%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
    KeyContainer = "%CACN%"
    [Extensions]
    2.5.29.19 = "{text}ca=1&pathlength=0"
    Critical = 2.5.29.19
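
A sanity check for the PEM pair that the conversion steps above produce, as an added example that is not part of the original post: it confirms that the private key belongs to the certificate, that the certificate carries the CA and key-usage settings the INF file requests, and that the passphrase-less key file is readable only by its owner. It assumes OpenSSL 1.1.1 or later on the PATH; the function names are hypothetical and the sample CA is a constructed, self-signed stand-in for a certificate issued by the real Root-CA.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the sample CA is constructed locally and self-signed, standing in for a
# certificate issued by the real root CA.

# check_subca CERT KEY
# returns 0 ok, 1 key unreadable or mismatched, 2 not a pathlen:0 CA,
#         3 signing key usages missing, 4 key file open to group/other
check_subca() {
    cert=$1
    key=$2

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "cannot read private key (still encrypted or malformed)"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 1; }

    text=$(openssl x509 -in "$cert" -noout -text)

    # 2. basicConstraints: CA with path length 0 (INF: ca=1&pathlength=0).
    echo "$text" | grep -q 'CA:TRUE, pathlen:0' ||
        { echo "not a CA certificate with pathlen:0"; return 2; }

    # 3. keyUsage: certificate and CRL signing (INF: KeyUsage line).
    usage=$(echo "$text" | awk '/X509v3 Key Usage/ { getline; print }')
    case $usage in
        *"Certificate Sign"*"CRL Sign"*) ;;
        *) echo "keyUsage lacks Certificate Sign / CRL Sign"; return 3 ;;
    esac

    # 4. The key has no passphrase, so group and other must have no access.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key file is accessible to group/other ($perms)"; return 4; }

    echo "ok: key matches, CA pathlen:0, signing usages present, key private"
}

# make_sample DIR: write a constructed certificate/key pair into DIR using the
# same extension values as the INF file on this page.
make_sample() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_subca
prompt = no
[dn]
CN = Issuing CA (constructed sample)
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/SubCA_PrivKey_unencrypted.pem" \
        -out "$1/SubCA_PubCert.pem" 2>/dev/null
    chmod 600 "$1/SubCA_PrivKey_unencrypted.pem"
}

# Demonstration run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_subca "$demo_dir/SubCA_PubCert.pem" "$demo_dir/SubCA_PrivKey_unencrypted.pem"
rm -rf "$demo_dir"
```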

  • Edge Public Certificate for Single Edge Pool + Reverse Proxy

    I have a public certificate that was ordered prematurely and the SN does not match the current setup of the access URL. The company that the certificate was ordered from does not allow editing of the SN, or what they call the domain name, without paying for an entirely new certificate. I do, however, have ample SANs that I can play with. I do not have a whole lot of experience with public certificates and am definitely not used to this "set in stone" deal. I've also included my reverse proxy URLs in the SAN portion, but that, last time I checked, is still "Ok": to use one cert for Edge and RP to reduce costs.
    Current Cert Example:
    SN access.domain
    SAN access1.domain
    conf1.domain
    lyncdiscover.domain
    ...etc.
    Edited Certificate
    SN access.domain
    SAN newaccess.domain
    newconf.domain
    Lyncdiscover.domain
    ..etc
    So, my question is as follows:
    Can I save my public cert and myself some heartache by either adding the new entries in the SAN area or using DNS in a way, or did I just learn a costly lesson?

    You're fine if I understand the question.  If the question is: Am I screwed if the common name doesn't match the access edge name? Then the answer is "You're fine".
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    "The subject name of the certificate is the Access Edge service external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com). Note: For Lync Server 2013, this is no longer a requirement, but it is still recommended for compatibility with Office Communications Server."
    So, recommended and considered good practice, but not required.
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Request Smartcard Logon certificates for more than 2 years from Certificate Authority

    Dear all,
    I have set up Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage http://ipofdomainserver/certsrv using the SmartCard logon custom template.
    The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years. 
    I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
    What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
    Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?

    I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
    1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
    Created the file CAPolicy.inf in %SYSTEMROOT% with the following content:
    [Version]
    Signature="$Windows NT$"
    [certsrv_server]
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    2. Renew CA root using this guide https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
    Console Root -> Certification Authority -> select domain -> Right click -> All Tasks -> Renew CA certificate
    3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
    4. I performed a reboot here
    5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
    6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod to value 10 for 10 years.
    7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to the smartcard (I was making sure there is no other certificate on the smartcard)
    8. Try to log in. At this point it should throw an error that smartcard logon is not supported for this account type. This is because we need to enroll it again for domain authentication
    9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks -> Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
    Now you should be able to log in using your smartcard and the 10-year generated certificate.
    Though I have a problem at step 3: after the CA server reboots, the *WINSC-CA certificate with lower validity is restored automatically, but the certificates are generated for 10 years.
    What am I doing wrong? How can I delete the lower validity root CA?

  • Public Certificate for ACS

    Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have for default for root CA's. Thanks

    I would say partial yes to your post. Since ACS is going to assign the certificate, if the ACS server is secure, hence the certificate.

  • What type should I use ? long Binary ??

    Hi everyone:
    I want to use MySQL as my database, but I came across a problem. MySQL has some data types like "long text, long binary, long blob, smallint". I know data type varchar is Java String only. What Java data type should I use according to MySQL? For example: what is long binary in Java? Is it Blob? Thks

    Another thing you can do is run a query with the fields in question, and then use
    // rs is the java.sql.ResultSet returned by the query, i is the 1-based column index
    Object o = rs.getObject(i);
    System.out.println(o.getClass().getName());
    to figure out what kind of class you should use.

  • How do you determine when to use a LAN or a PUBLIC IP for connections?

    I'm using CFStreamCreatePairWithSocketToHost to connect to a server.
    I have a public IP address of example.dyndns.com which points to my home office router.
    On my home office router I forward port 1234 to a specific server (192.168.2.55)
    That specific server runs a service offering data etc. to an iPhone app.
    When I am away from the office I use CFStreamCreatePairWithSocketToHost to connect to example.dyndns.com.
    No problem. Connection is made and everything runs lovely.
    When I am in the office and on the lan however - the connection fails. Basically the packet goes out to the router, or to dyndns, u turns and comes back but doesn't get forwarded to 192.168.2.55.
    If I change the code to point to 192.168.2.55 of course it runs fine, but then won't run when I am not on wifi in the office of course.
    Is there an elegant way to deal with this? The router has no configurable options that I am able to identify to allow this u-turn type of traffic.
    I could, I suppose, on startup test a connection, then in the stream event handler flip it from WAN to LAN IP on a failure. But that's very cumbersome - it doesn't easily allow an office user to drop in and out of the office wifi transparently (sure they could kill then restart the app but that's just plain ugly).
    Any feedback/sample code people can offer would be appreciated. :-)
    Dave.

    Llessur999 wrote:
    That is a reasonable approach. Without changing network configuration, I don't see an alternative. A few considerations:
    Based on your experience, will the length of time to detect unreachability (a network timeout?) cause a usability issue?
    Must you support a scenario where a user transitions LAN-to-WAN or WAN-to-LAN while using the app?
    If this is used by a wide audience, will configuring the primary/fallback be straightforward?
    I don't think there's a usability issue.
    Yes. The app is designed for a brick/mortar location that essentially wants to drive the user to the location. The user has the ability to interact with specific hardware components at the location via server/port communications - some of which they can do while they are remote. While they are on location, they need to retain that ability to interact with local equipment even more. Users could be asked to not go on the location wifi of course but that just seems silly and an overall bad user experience.
    The primary/fallback configuration should all be done within code (no user interaction). For example the WAN IP will always be X.X.X.X (be it Public IP or dyndns - makes no difference), while the LAN configuration will always know that the lan server it needs to communicate will always be at a specific LAN IP (192.168.x.x).
    It would be a godsend to have some sort of API call (or class) that can accept a call to CFStreamCreatePairWithSocketToHost to a specific IP and on seeing that it's unreachable automatically try the secondary IP before returning a failure on the stream.

  • Feature Request - CSS code generation for advanced font - type options

    Thanks to everyone for the amazing work done in Photoshop and Illustrator to enhance the ability to generate and use character and paragraph styles translated to CSS. The last two releases have brought designers something they could only dream of and talk about for the last decade, and now these tools are being delivered!
    This request is to consider being able to use advanced character styles in Illustrator, such as X/Y percentage height/width of fonts, rotation or baseline shift to generate CSS for these options. As of this post, I haven't been able to find that CSS3 even supports these options, except possibly the 'font-stretch' rule, which does not appear to be supported yet in most browsers - see CSS Fonts Module Level 3 - W3C Candidate Recommendation, October 2013.
    Sometimes, designers get very picky about wanting type to look just so, including making fonts look taller or wider in a design, although perhaps much to the horror of the original type designer
    thanks very much,
    Mark

    I'll also add this is a feature that should be carried over into Adobe Photoshop too.
    Within Adobe Photoshop if you want to size type in terms of pixels the type is, again, sized according to the Em square. Unless you're setting type at pretty large pixel sizes the rendered type really ends up looking pretty bad. That's because the edge of the baseline and the edge of the cap height line are never aligned to the pixel grid. You end up with type that's fuzzy looking on all sides. If designers were able to tell Photoshop "make this lettering 20 pixels tall according to the capital letters" the lettering would look a whole lot better. Perfectly crisp edges on the base lines and cap height lines.

  • How can I use one Add-on prior to another for specific MIME-types?

    I'm using the Shockwave Flash plugin to watch some videos on YouTube, StreamCloud, etc. It also handles .mkv and .mp4 files/streams. After installing the VLC Web plugin to handle MIME-types like mp3/4, mkv additionally and prior to the Flash plugin, Firefox keeps using Flash to handle those types instead. I cannot find options to set the desired priorities. Only disabling the Flash plugin solves my problem, but also keeps me from watching Flash contents, which is not acceptable.
    Did I miss something or is this Firefox's fault?

    If you type or paste about:plugins in the address bar and press Enter, you can see which plugins are associated with various content types.
    I do not know how to prioritize one over the other for the same content type if the plugin settings (plugins often have an interface outside of Firefox to adjust their settings) do not allow that.
    As for MP4, I don't think Flash normally would be selected. I suspect the website is specifying a Flash media player and streaming the MP4 through that. If you want to hide the Flash plugin from a particular website, you can use the Permissions tab of the Page Info dialog.
    Click the padlock or globe icon in the address bar, then More Information, then Permissions. The top section of the Permissions panel should be "Activate Plugins". Here you can select Block for Flash for the current site. After reloading the page, does the media play using a different plugin?

  • There are sites i want to use but i must have Adobe Flash  for them what can i do

    There are some sites I want to go to and use but they won't let me on because I don't have Adobe Flash and Safari won't let me download it. What can I do?

    Use a different platform that supports Flash.
    Adobe has abandoned development of Flash for iOS. It turns out there were so many problems in the rewrite for iOS that they didn't figure it was worthwhile so they quit.
    Allan
    http://www.spiderholster.com/single-camera-system.html

  • What are the best settings to use on the Sony Cybershot DSC HX1 for taking portrait type photos?

    I have used the portrait setting on the SCN selection but always end up with fuzzy edges on my photos. Are there manual settings that I can adjust that would correct this problem? I have done every other technique that I can find to "stabilize" the camera and no matter how still I stand, I still end up with fuzzy edges. Any ideas?

    Hi bethstange,
    Welcome to the Sony Community!
    May I ask if this fuzziness shows up when you're not using the Portrait mode? Portrait mode will give you an image with a blurred background while the subject is sharpened. We don't recommend this mode when taking group shots as the subject in the center of the image will be the only one in focus. For everyday shots, we recommend setting the drive mode to Intelligent Auto. This setting will automatically detect and adjust the shooting settings for you. No need to change the Scene modes for different scenarios.
    We recommend using the SCN modes when you intend to shoot a certain type of scenario without changing the type of subject. An example would be setting the camera to shoot Landscapes, this setting will give you a wider depth of field than shooting portraits of people.
    More information about the camera is available here. 
    If my post answers your question, please mark it as "Accept as Solution". Thanks
    Mitch

  • We love Apple email, but it does not play well with other vendors when you want to use your own domain (lags, disconnections, etc.). What vendor should we use to make it push and work well? We want to stay with Apple Mail.

    Help, our Apple Mail does not play well with other vendors to use our own domain. iCloud mail works great, but so far others we have tried lag, disconnect, etc., not nearly as good as iCloud mail. Should we try Exchange or Office 365 plans with Apple Mail? A lot more expensive?

    Microsoft Exchange is the best business solution, Office 365 will give a hosted version that works well, as you noted it is not the cheapest. You should also look at Zimbra, an excellent service.

  • At 625 need 640 for mortgage, what else should I pay down

    Company | Account number | Date opened | Balance | Status | Negative indicator?
    University Fcu | | 6/2010 | $520 | Paid or paying as agreed |
    Capital One | | 6/2010 | $0 | Charged off as bad debt |
    University Fcu | | 12/2011 | $2,202 | Paid or paying as agreed | No
    University Fcu | | 3/2014 | $1,302 | Paid or paying as agreed | No
    Security Finance Corpora | | 12/2014 | $380 | Paid or paying as agreed | No
    University Fcu | | 6/2012 | $0 | Paid or paying as agreed | No
    University Fcu | | 6/2011 | $0 | Paid or paying as agreed | No
    University Fcu | | 6/2011 | $0 | Paid or paying as agreed | No
    University Fcu | | 2/2014 | $12,926 | Paid or paying as agreed | No
    Santander Consumer Usa | | 6/2010 | $0 | 30 days past due |
    University Fcu | | 6/2010 | $0 | Paid or paying as agreed | No

    I can pay down my loc with my cu, and pay down my cc its at 14% I can pay down to report under 9%, that might give me a boost. I took out that SF loan for a boost, I owe 270 on it, it hasn't report since late April, so maybe it will report this month, last time it reported I got a 19pt increase, anything else I need to do, I can't apply for anything, I'm officially applying for a home loan next month, I need 15pts! The baddies I have left are that charge off, and on my EX I have 3 medical bills in collection, and one my EQ I have one med collection, was told to leave those alone. The neg on my cc was when I was 30 days late back in 2013. I can pay down the line of credit will that help?

    nate79416 wrote:
    Company | Account number | Date opened | Balance | Status | Negative indicator?
    University Fcu | | 6/2010 | $520 | Paid or paying as agreed |
    Capital One | | 6/2010 | $0 | Charged off as bad debt |
    University Fcu | | 12/2011 | $2,202 | Paid or paying as agreed | No
    University Fcu | | 3/2014 | $1,302 | Paid or paying as agreed | No
    Security Finance Corpora | | 12/2014 | $380 | Paid or paying as agreed | No
    University Fcu | | 6/2012 | $0 | Paid or paying as agreed | No
    University Fcu | | 6/2011 | $0 | Paid or paying as agreed | No
    University Fcu | | 6/2011 | $0 | Paid or paying as agreed | No
    University Fcu | | 2/2014 | $12,926 | Paid or paying as agreed | No
    Santander Consumer Usa | | 6/2010 | $0 | 30 days past due |
    University Fcu | | 6/2010 | $0 | Paid or paying as agreed | No
    I can pay down my loc with my cu, and pay down my cc its at 14% I can pay down to report under 9%, that might give me a boost. I took out that SF loan for a boost, I owe 270 on it, it hasn't report since late April, so maybe it will report this month, last time it reported I got a 19pt increase, anything else I need to do, I can't apply for anything, I'm officially applying for a home loan next month, I need 15pts! The baddies I have left are that charge off, and on my EX I have 3 medical bills in collection, and one my EQ I have one med collection, was told to leave those alone. The neg on my cc was when I was 30 days late back in 2013. I can pay down the line of credit will that help?

    I cannot tell what kind of accounts these are. For best scoring, you want all but one of your revolving accounts reporting $0 balance, and the one reporting a balance should be under 10% of its limit. You also get a bit of a boost when your installment loans go below 50%
