VPN Design using CA (certificate authority)

Similar Messages

• UCS Manager and using Microsoft Certificate Authority

  Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

  First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.
  Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.
  Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.
  I hope that helps.
  Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

• Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

  Hello,
  I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
  Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
  Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
  * Note. No back ups to work with aside from whats mentioned below.
  DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up. 
  The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
  "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
  Powershell on a computer that only has the Management Tools role installed."
  Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc  per instructions only to discover I couldnt relaunch it because there was
  no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
  Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
  it is using the Certificate Authority Service.
  I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
  "The Trust Relationship between this workstation and primary domain failed."
  I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
  I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
  I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
  and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
  Marty

  I recommend that you open a ticket with Microsoft Support before you break things more.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

                     Dear All,
  i have the folloing case :
  i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
  i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
  so what the setting of the mail and smtp server should be ,
  was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
  i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
  Best regards,

  Thanks Jennifer.
  I did manage to configure LDAP attribute map to the specific group policy.
  Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
  Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
  Example: let say my username is LLH.
  Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
  Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
  Only me know the preshared key and only me can login with my Connection Profile.
  Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
  Example:
  AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
  Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
  Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
  I hope above description can paint the scenario clearer.
  Thanks in advance for all the help and comment given.

• How to find/replace existing certificates before decommissioning certificate authority?

  We plan to decommission a multi-use server that also contains our internal certificate authority and replace it with new dedicated CA servers in a more secure design (offline root CA etc.).
  Before we decommission our existing CA servers, how do we find a list of all the issued certificates that are still valid?
  We would need replace all those old certificates with new certificates from our new CA so the applications that use them don't break when the old certificates are removed/revoked and before we remove the GPO setting that makes our current CA a trusted root
  CA for our domain computers. 

  on CA server you can filter issued certificates by "Certificate Expiration Date" column. In the Certification Authority MMC snap-in, select Issued Certificates folder, then click View -> Filter. Add a filter that would filter certificates
  where "Certificate Expiration Date" is greater than current date.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Certificate Authority - Custom Temp not showing up. W2k8R2ent

  Hi Guys,
  Couldn't see a forum for CA so I had to post it here. Hopefully its the right place.
  (Server is test domain 1 single ad no replication. Running Win 2k8 r2 enterprise)
  So here's the issue I am trying to create and export certificate for other users (eobo).
  It works fine. But I want to do this throught certreq and in order to do that i have to creat custom cert which i did by duplicating User template.
  The new template CopyOfUser i changed(of confirmed) following settings:-
  General Tab = Publish Cert in Active Directory
  Request Handling = Allow private key to be exported & Enroll subject without req any input
  Security : I am logging as domain administrator and it has  Read/Write/Enroll
  Issurance Req: This number of authorized signature = 1
  & Application Policy & Client Authentication.
  Subject Name : Build from AD (Fully Distinguished name)
  Selected boxes : Include email name / Email name / UPN
  Now problem is i cannot see the custom template on Enable Certificate Templates.
  I am very new to CA so I am sure i am missing something or doing something wrong.
  Would love some help.

  Hi,
  I’d suggest if the steps below doesn’t help to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 standart) of windows
  and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
  Open ADUC and check navigate to [Buildin > users > properties > members] and make sure the fallowing security groups are present.
    - Authenticated users
   - Domain Users
   - Interactive
  Open ADSI Edit and navigate to
  [Domain Naming context > DC=<DomainNAme>, DC=<DomainNAme> > CN=Users > CN=Cert Publishers > properties > security ]
   and give [Read] and [write]
  permissions to [Authenticated users] group
  Restart the CA.
  Check permissions on the CA:
  Open the [Certificate Authority] console and right click on [properties > Security] and add the fallowing permissions:
  [Authenticated Users]
  [V] Request Certificates
  [Domain Admins]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Enterprise Admins]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [Administrators]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Controllers]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Computers]
  [V] Read
  [V] Request Certificates
  Will appreciate if you give feedback if this has helped you. If yes please select “Mark
  as answer”.
  Best Regards,
  Spas Kaloferov
  MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14 
  NetShell Services & Solutions | “Design the future with simplicity and elegance”
  Visit me at:
  www.spaskaloferov.com
  |
  www: www.netshell-solutions.com

• The affects of removing a certficate template from a Certificate Authority

  I have inherited what I am beginning to believe is a poorly designed PKI Infrastructure. I have 1 root CA and 2 Issuing CAs all 2008 R2. My root certificate authority is expiring in about 2 months so I am planning to renew it and the Subordinate CAs soon.
  I see that the root CA has issued a lot of certificates and that many templates are available. The root is not offline. (I know not best practice).
  I would like to remove these templates from the Root CA and allow the subordinates to do all the issuing. If I do this before I renew the Root CA then all the certs currently issued will expire in 2 months and not be renewed on the Root CA.
  My questions are:
  In the scenario above will the certificates originally issued by the Root CA be renewed on the Subordinate CAs?
  Most of these certs seem to be auto enrolled. Will Auto Enrollment know to go to the Subordinate CA from now on?
  Are there any other concerns with taking this action that I should be aware of?
  Most of the certificate templates on the Root CA are default templates and I believe are Auto Enrolled. (I haven’t manually issued certs for these templates)
  Basic EFS
  Computer (I know this one is auto enroll)
  Domain Controller

  First, you have to renew all CA certificates starting with root (down to hierarchy) before you proceed.
  > In the scenario above will the certificates originally issued by the Root CA be renewed on the Subordinate CAs?
  yes. Clients will use any enterprise CA that supports specified template.
  > Most of these certs seem to be auto enrolled. Will Auto Enrollment know to go to the Subordinate CA from now on?
  again, yes, see above.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Check out new:
  PowerShell FCIV tool.

• Certificate Authority w/ NDES-SCEP

  Hello,
  I am embarking on a project that I would like to get some feedback on.
  We are in the process of implementing iPhones into our network. The iPhone is going to run a VPN. Most likely, we will run the Anyconnect VPN client. I have this
  and it is working fine.
  However, we have to manually connect to the VPN, put in the domain password, and connect before we can check our email. This is cumbersome. So, I am trying to use
  certificate based authentication and the iPhones “connect on demand” feature.
  I have read about a number of people using a Windows Server and running Certificate Services & Network Device Enrollment Service. This uses a protocol called
  SCEP – Simple Certificate Enrollment Protocol. The idea is that the iPhone would be issued a certificate by the windows server. Then, when it went to connect to the VPN, it would present the certificate as credentials to the ASA. The ASA would send the
  certificate to the windows server and the windows server would tell the ASA if it’s good. If the windows server said it was good, the ASA would then allow the VPN to connect.
  I have the Certificate Authority (windows server 2008 R2) installed and running. However, I am encountering some trouble getting the iPhone to get the certificate
  from it.
  I have read a number of white papers and forum postings from Microsoft, Cisco, and Apple. Some indications are that it’s feasible, but I am crossing a lot of
  technologies that are new to me and I am not sure if I am working uphill or what.
  My questions are…
  1). Is this is known configuration? Have you seen this configuration before? Was it successful?
  2). Does this sound feasible? Is there a more feasible way to provide VPN connectivity? The goal is to open the VPN from the phone when they open the email application,
  without having any user interaction.
  3). Within the Microsoft Certificate Services server, am I going to be able to manage the certificates individually and identify jim’s certificate separate
  from sally’s certificate? Or, sally’s iphone certificate separately from sally’s ipad certificate? Also, what is made to prevent anyone from enrolling a device with the server?
  4). Do you know of any good documentation on this? I have read a number of articles and white papers. But, for some reason, there still seems to be something lacking.
  Seems like all the established documentation only addresses one aspect of this.
  At any rate, any comments or suggestions in regards to the above would be much appreciated. I appreciate that this is a Microsoft forum. So, I don't expect much commentary
  in regards to the Cisco / Apple side of this. But, whatever you can conribute from the windows server perspective would be great.

  Hello,
  it will be better to ask in Security Forums: http://social.technet.microsoft.com/Forums/fr-FR/winserversecurity/threads
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft
  Student Partner 2010 / 2011
  Microsoft Certified
  Professional
  Microsoft Certified
  Systems Administrator: Security
  Microsoft Certified
  Systems Engineer: Security
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Active Directory, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft Certified
  Technology Specialist: Windows 7, Configuring
  Microsoft Certified
  IT Professional: Enterprise Administrator

• Certificate authority Server (Digitial Certificate)

  Hi Everyone ,
  We are planing to to buy a digital Certificate Manager, which we will be using to issue certificates to our all the cisco routers placed at ATM machines.
  so that they can be authenticated and then to be connected via VPN to main branch.
  I did some google and found many certificate authority issuing server , like , RSA , Digi-Cert , IBM and many more, i am just confused which one is best to implement here.
  Any suggestion will be highly appriciated.

  If this is internal and you only need it for devices you controll you can create your own Certificate Authority on Linux/Windows
  http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx (windows)
  http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ (linux - fedora)

• How do I use the Certificate Assistant to set up secure email for clients

  I was at first thrilled to find the Certificate Assistant, and now I'm frustrated. I need to have secure, encrypted email for my psychotherapy clients. I thought that if I created my own certificate authority and then issued certificates to my clients, I would be fine. But I can't get this to work. I set up my own authority, but when I try to get a certificate (using a different email account) I can't get it to work. For example, I go to the website created on mac.com and click the "download an invitation" button and then click the download, which opens the Assistant. I fill out the form, but I get an error saying I haven't configured an email account. How do I "configure" an email account? I mean, I use this account all the time; what more configuration does it need?
  Second question. Will anybody with a Windows machine be able to use that webpage? Seems like it's a mac only program, so what good is it in the real world?
  I know I could try to do this with Thawte or whatever, but asking my clients to get trusted so I can use encryption is unreasonable. If not having my own authority (if I could get THAT to work) is there any other way? Are there any good things to read about this? With the federal HIPAA privacy requirements, there are lots of doctors wrestling with this question.

  If you are referring to your "iCloud account", then simply tap "settings / iCloud" - delete the account you are currently logged in with, and add the correct one.
  iCloud Set up - http://www.apple.com/ca/icloud/setup/.

• How do I set up my own certificate authority

  I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.
  I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
  I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
  At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
  If you know of an URL where this is well explained and illustrated, great. Give that to me.
  Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
  Any assistance would be appreciated.
  Thanks,
  Ted
  ========failed attempt=====================
  # Generation of Certificate Authority(CA)
  openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
  # Create server request and key
  openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove the passphrase from the key
  openssl rsa -in server-key.pem -out server-key.pem
  # Sign server cert
  openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
  # Create client request and key
  openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove a passphrase from the key
  openssl rsa -in client-key.pem -out client-key.pem
  # Sign client cert
  openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

  The following works for me:
  NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
  1. Create CA key and certificate
  1.1 Create a new file called "serial" containing the value "01".
  1.2 Create an empty file "index.txt"
  1.3 Create a subdirectory "newcerts"
  1.4 Execute.... create a key for your CA
  [ben@localhost ca]$ openssl genrsa -out ca.key 2048
  Generating RSA private key, 2048 bit long modulus
  .....................................+++
  ..........................................................+++
  e is 65537 (0x10001)
  1.5 Execute... create a certificate for your own CA
  [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  Country Name (2 letter code) [GB]:
  County or State (full name) []:
  City or town (eg, Hitchin) []:
  Organization Name (eg, company) []:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:
  Email Address []:
  2. Create PK key and .csr
  2.1 Execute...
  [ben@localhost ca]$ keytool -genkey -alias PK
  Enter keystore password: password
  What is your first and last name?
  [Unknown]:
  What is the name of your organizational unit?
  [Unknown]:
  What is the name of your organization?
  [Unknown]:
  What is the name of your City or Locality?
  [Unknown]:
  What is the name of your State or Province?
  [Unknown]:
  What is the two-letter country code for this unit?
  [Unknown]:
  Is CN=, OU=, O=, L=, ST=, C=GB correct?
  [no]: yes
  Enter key password for <PK>
  (RETURN if same as keystore password):
  2.2 Create .csr
  [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
  Enter keystore password: password
  3. Sign PK with CA cert
  [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
  Using configuration from ./openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  Serial Number: 0 (0x0)
  Validity
  Not Before: Jan 5 19:48:33 2006 GMT
  Not After : Jan 5 19:48:33 2007 GMT
  Subject:
  countryName = GB
  stateOrProvinceName =
  organizationName =
  organizationalUnitName =
  commonName =
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
  X509v3 Authority Key Identifier:
  keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
  DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
  serial:F0:D1:38:36:65:6D:71:D5
  Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  4. Convert PK certificate into DER format
  [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
  5. Import CA certificate into keystores
  [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
  Enter keystore password: password
  Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Serial number: f0d13836656d71d5
  Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
  Certificate fingerprints:
  MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
  SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  6. Import signed PK into keystore
  [ben@localhost ca]$ keytool -import -alias pk -file PK.der
  Enter keystore password: password
  Certificate reply was installed in keystore
  REF:
  http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
  http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
  http://www.openssl.org/docs/apps/ca.html#
  openssl.cnf:#
  # OpenSSL example configuration file.
  # This is mostly being used for generation of certificate requests.
  # This definition stops the following lines choking if HOME isn't
  # defined.
  HOME               = .
  RANDFILE          = $ENV::HOME/.rnd
  # Extra OBJECT IDENTIFIER info:
  #oid_file          = $ENV::HOME/.oid
  oid_section          = new_oids
  # To use this configuration file with the "-extfile" option of the
  # "openssl x509" utility, name here the section containing the
  # X.509v3 extensions to use:
  # extensions          =
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  [ new_oids ]
  # We can add new OIDs in here for use by 'ca' and 'req'.
  # Add a simple OID like this:
  # testoid1=1.2.3.4
  # Or use config file substitution like this:
  # testoid2=${testoid1}.5.6
  [ ca ]
  default_ca     = CA_default          # The default ca section
  [ CA_default ]
  dir          = .               # Where everything is kept
  certs          = $dir/certs          # Where the issued certs are kept
  crl_dir          = $dir/crl          # Where the issued crl are kept
  database     = $dir/index.txt     # database index file.
  #unique_subject     = no               # Set to 'no' to allow creation of
                           # several ctificates with same subject.
  new_certs_dir     = $dir/newcerts          # default place for new certs.
  certificate     = $dir/cacert.pem      # The CA certificate
  serial          = $dir/serial           # The current serial number
  #crlnumber     = $dir/crlnumber     # the current crl number must be
                           # commented out to leave a V1 CRL
  crl          = $dir/crl.pem           # The current CRL
  private_key     = $dir/private/cakey.pem# The private key
  RANDFILE     = $dir/private/.rand     # private random number file
  x509_extensions     = usr_cert          # The extentions to add to the cert
  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
  name_opt      = ca_default          # Subject Name options
  cert_opt      = ca_default          # Certificate field options
  # Extension copying option: use with caution.
  # copy_extensions = copy
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  # so this is commented out by default to leave a V1 CRL.
  # crlnumber must also be commented out to leave a V1 CRL.
  # crl_extensions     = crl_ext
  default_days     = 365               # how long to certify for
  default_crl_days= 30               # how long before next CRL
  default_md     = md5               # which md to use.
  preserve     = no               # keep passed DN ordering
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
  policy          = policy_match
  # For the CA policy
  [ policy_match ]
  countryName          = match
  stateOrProvinceName     = match
  organizationName     = match
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  # For the 'anything' policy
  # At this point in time, you must list all acceptable 'object'
  # types.
  [ policy_anything ]
  countryName          = optional
  stateOrProvinceName     = optional
  localityName          = optional
  organizationName     = optional
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  [ req ]
  default_bits          = 1024
  default_keyfile      = privkey.pem
  distinguished_name     = req_distinguished_name
  attributes          = req_attributes
  x509_extensions     = v3_ca     # The extentions to add to the self signed cert
  # Passwords for private keys if not present they will be prompted for
  # input_password = secret
  # output_password = secret
  # This sets a mask for permitted string types. There are several options.
  # default: PrintableString, T61String, BMPString.
  # pkix      : PrintableString, BMPString.
  # utf8only: only UTF8Strings.
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  # MASK:XXXX a literal mask value.
  # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  # so use this option with caution!
  # we use PrintableString+UTF8String mask so if pure ASCII texts are used
  # the resulting certificates are compatible with Netscape
  string_mask = MASK:0x2002
  # req_extensions = v3_req # The extensions to add to a certificate request
  [ req_distinguished_name ]
  countryName               = Country Name (2 letter code)
  countryName_default          = GB
  countryName_min               = 2
  countryName_max               = 2
  stateOrProvinceName          = County or State (full name)
  stateOrProvinceName_default     =
  localityName               = City or town (eg, Hitchin)
  localityName_default          =
  0.organizationName          = Organization Name (eg, company)
  0.organizationName_default     =
  # we can do this but it is not needed normally :-)
  #1.organizationName          = Second Organization Name (eg, company)
  #1.organizationName_default     = World Wide Web Pty Ltd
  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default     =
  commonName               = Common Name (eg, your name or your server\'s hostname)
  commonName_max               = 64
  emailAddress               = Email Address
  emailAddress_max          = 64
  # SET-ex3               = SET extension number 3
  [ req_attributes ]
  challengePassword          = A challenge password
  challengePassword_min          = 4
  challengePassword_max          = 20
  unstructuredName          = An optional company name
  [ usr_cert ]
  # These extensions are added when 'ca' signs a request.
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  basicConstraints=CA:FALSE
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
  # This is OK for an SSL server.
  # nsCertType               = server
  # For an object signing certificate this would be used.
  # nsCertType = objsign
  # For normal client use this is typical
  # nsCertType = client, email
  # and for everything including object signing:
  # nsCertType = client, email, objsign
  # This is typical in keyUsage for a client certificate.
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  # This will be displayed in Netscape's comment listbox.
  nsComment               = "OpenSSL Generated Certificate"
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
  # subjectAltName=email:copy
  # An alternative to produce certificates that aren't
  # deprecated according to PKIX.
  # subjectAltName=email:move
  # Copy subject details
  # issuerAltName=issuer:copy
  #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
  #nsBaseUrl
  #nsRevocationUrl
  #nsRenewalUrl
  #nsCaPolicyUrl
  #nsSslServerName
  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  [ v3_ca ]
  # Extensions for a typical CA
  # PKIX recommendation.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
  #basicConstraints = critical,CA:true
  # So we do this instead.
  basicConstraints = CA:true
  # Key usage: this is typical for a CA certificate. However since it will
  # prevent it being used as an test self-signed certificate it is best
  # left out by default.
  # keyUsage = cRLSign, keyCertSign
  # Some might want this also
  # nsCertType = sslCA, emailCA
  # Include email address in subject alt name: another PKIX recommendation
  # subjectAltName=email:copy
  # Copy issuer details
  # issuerAltName=issuer:copy
  # DER hex encoding of an extension: beware experts only!
  # obj=DER:02:03
  # Where 'obj' is a standard or added object
  # You can even override a supported extension:
  # basicConstraints= critical, DER:30:03:01:01:FF
  [ crl_ext ]
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  # issuerAltName=issuer:copy
  authorityKeyIdentifier=keyid:always,issuer:always

• Certificate Authority is not being seen by windows server 2003 machines

  Good Afternoon,
  We recently installed a certificate authority using windows server 2008 r2. There was an old certificate authority that had went bad and the role could not be uninstalled on the bad server. The new certificate authority works with windows 2008 machines but
  does not work with server 2003 machines. Mainly trying to get the domain controller certificate. At first it was stating that the rpc was unavailable for the CA. I tried to delete the remnants under the sites and services role of the old server. The error
  now it states that it can not find a certificate authority. As stated above the newer machines (Server 2008)  can see the certificate authority and request certificates but older machines cant. Any assistance on what to do next will be greatly appreciated.
  Attached is the error I receive when trying to request a certificate through the CA mmc.
  dmg

  It is possible to change the hash algorithm a CA uses  to support XP and 2003 "out of the box" without the hotfix.
  But it would be better to have two CAs in parallel - one using a more modern algorithm and a CA supporting a "legacy" algorithm - and the latter should only be used as long as there are clients that aren't able to validate the other algorithms.
  On the CA, start regedit and locate the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA>\CSP
  I am assuming that the Software CNG provider is used with SHA256 or higher (not with SHA1).
  Change CNGHashAlgorithm to SHA1 and restart the CA service.
  The setting can be reverted by changing the value back. All certificates and all CRLs signed by this CA will use the new hash algorithm after the restart.

• Untrusted server cert chain & does not recognize the certificate authority

  I have java code that makes an ssl connection to an HTTPS server.
  The code workes fine when I connect to a server that has a
  certificate that was issued by a recognizable authority.
  But when I try to connect to our test HTTPS server which has a
  certificate that was created by ourselves for debug, I get this
  java exception: "untrusted server cert chain".
  When I connect to our test HTTPS server with a browser, I get
  this message from the browser in a popup window:
  "www.xyz.com is a web site that uses a security certifcate to
  identify itself. However netscape 6 does not recognize the
  certificate authority that issued this certificate."
  At this point I am able to accept the certificate in the popup
  window and continue.
  Question: In my java code how can I accept a certificate
  that was signed by an unrecognizable authority just like the
  browser can. Or during debug, how can I set an override
  to accept ALL certs no matter what.
  Thanks.....Paul

  You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
  keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
  The keystore password is 'changeit' by default, keytool comes with the JDK.
  The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
  Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
  Ronny.

• SSL certificates and/ or Oracle Certificate Authority

  Our Oracle infrastructure is as follows:
  1.Database server
  (a)Oracle 9i R2 database
  (b) Oracle ApEx 2.2
  2. Infrastructure server
  (a) Oracle 10g (9.0.4.x.x) Infrastructure
  (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
  (c) SSO - configured as Windows Native authentication
  3. Application server
  (a)Oracle 10g (9.0.4.x.x) Forms and reports server
  Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
  I was reading through Oracle Certificate Authority and Secure Sockets Layer.
  1. Is there a difference between the two products?
  2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
  Thanks,
  Mayura

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• How to filter certificate templates in Certificate Authority snap-in with the correct values

  How to filter certificate templates in Certificate Authority snap-in with the correct values
  I have a 2012 R2 server running Microsoft Certificate Authority snap-in.
  I want to do a filter on a specific Certificate Template which i know exists in the 'Issued Certificates' folder.
  All the documentation i can find seems to suggest i copy the certificate name and use this in the View Filter.
  1). I add the 'Certificate Template' option into the Field drop-down.
  2). I leave the Operation as the '=' symbol
  3). I paste in just the name of the template in question. for example: 'my computers'
  The search results always come back blank 'There are no items to show in this view.' even when i know there are many instances of this template. I've tried on a win 2008 server and same issue.
  Is there a correct value to enter for the Certificate Template name?
  Can this be done easier using certutil commands?
  When i run the certutil tool i can confirm i have several issued templates. Certutil -catemplates -v > c:\mytemplate_log.csv
  Anybody know what i'm doing wrong?
  I seem to be getting nowhere with this one.

  > But its important you are using the template name, not the display name
  this is incorrect. OIDs are mapped to *display name*, not common name (it is true for all templates except Machine template). That is, in order to translate template name to a corresponding OID, you need to use certificate template's display name. And, IIRC,
  template name in the filter can be used only for V1 templates. For V2 and higher, OID must be used.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.