WINRM HTTPS listener and Certificate renewal

Hello,
I am planning to set up WinRM over HTTPS only on multiple 2008 R2 systems.
All computers are joined to the same domain and are configured to request/renew a computer certificate from the local CA (via GPO).
When setting up the WinRM listener over HTTPS, it creates OK with the current certificate thumbprint.
My question is, what happens to the WinRM listener when the computer certificate gets renewed (I assume it will have a new thumbprint)? Would I need to recreate listeners every time that happens? Can't imagine managing this in large environments where different computers renew certs at different times.... What's your approach in this situation?
Thanks in advance for all answers!

Hi,
The purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the wire.
WinRM HTTPS requires a local computer "Server Authentication" certificate with a CN matching the hostname, that is not expired, revoked, or self-signed, to be installed. So I think after the certificate gets renewed, the WinRM listener will have a new certificate too.
Regards,
Yan Li

Similar Messages

  • SSL and Java and Certificate Renew

    I was making a connection to AD through LDAP and SSL (LDAPS://server:636) and everything was working well.
    So, the server certificate will expire 11/1/2006. We used the Certificates add-in in the MMC of the server to obtain a new certificate and imported it into cacerts (the truststore). We've deleted the old certificate from cacerts.
    Now, the connection cannot be made.
    Why? How do I renew a certificate? If the certificate expires, can the connection no longer be made?
    Thanks
    Patrick

    Hi,
    Refer the below link ...
    http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/content.htm
    Thanks
    Anil

  • Custom PL/SQL servlet for HTTP Listener like HTMLDB

    We would like to migrate our applications from apache that use a custom perl application server to the xdb http listener and would need to be able to write a custom pl/sql servlet for the listener
    eg
    <servlet xmlns="http://xmlns.oracle.com/xdb/xdbconfig.xsd">
    <servlet-name>Custom</servlet-name>
    <servlet-language>PL/SQL</servlet-language>
    Can this be done? (Well obviously, HTMLDB did it.)
    Is information available to do this?
    Information on the request (url/headers/content) and response (headers/content) objects
    of the http listener would be needed.
    Our pl/sql applications look like
    create package my_app as
    procedure my_job (request xmltype);
    end;
    This is why we need to do the servlet ourselves and why dbms_epg is not suitable.

    > Currently we don't plan to allow large input to be passed as a CLOB parameter to the procedure. Is there a use-case for this?
    YES ;). I have seen this coming up quite a few times in this forum.
    1) we cannot edit sql scripts in Apex directly (>32KB), this is quite inconvenient to download, edit and upload again. If we are talking about sql scripts, they are often larger than 32KB.
    2) building an application where the user can directly edit or copy/paste spreadsheet data or xml data. It is quite a restriction to only have 32KB at your hand.
    3) the common workaround would be to split the data in 32KB chunks and then reassemble them in the backend. Quite tedious.
    4) editing larger HTML texts for a portal application for example.
    5) editing larger HTML texts for a forum application for example.
    ... the list goes on ...
    Another argument is that all other major technologies like servlets, jsps, perl, php, python they are all capable of handling this kind of data. I often feel it is too much of a restriction.
    What do others in the forum think? Feedback is welcome!!!
    Thanks,
    ~Dietmar.

  • Questions about Http Listener

    Hi,everybody:
    I'm testing a project built on OAS 4.0 on a Solaris system. After I installed OAS, I did some settings for the site. I created a new HTTP listener and then started it, but it failed. The error is: "Error: you must specify a root directory mapping before all other mappings. See (DirMaps). The Server could not initialize."
    But I've set the root directory. What is the meaning of this, and how do I fix it? If you know, please tell me.
    Thanks.

    Hi Wei,
    I could be wrong here, but as far as I know, OAS is a pretty old product
    and -- if I remember correctly -- quite buggy. That's why Oracle replaced
    it with 9iAS. I would imagine that OAS is probably de-supported now.
    Perhaps you should consider upgrading to 9iAS (if possible)?
    Good Luck,
    Avi.

  • WinRM HTTPS Certificate

    I'm trying to get WinRM to run over HTTPS using GPO configuration, and I'm having difficulty with the Certificate part.
    I've got it working fine over HTTP.
    The article http://otherdutiesasrequired.com/wp-content/uploads/2014/07/PSRemotingHTTPsConfig.pdf is very promising, but he glosses over the Certificate part.
    TechNet indicates: "This certificate needs to be marked as a Server Authentication Certificate. It must also support Secure Sockets Layer (SSL). No certificate needs to be configured for the WinRM client. The certificate is used only if the WinRM service is enabled for remote access."
    I haven't found any other step-by-step. What I have found (especially on TechNet) related to WinRM HTTPS has been extremely vague.
    I'm running AD Server 2012 with Win7 and Win 8.1 clients. I have a Certificate Server running on my domain.
    I just need a step-by-step for configuring whatever I need on the CA and for the clients. Interestingly, I haven't seen any indication anywhere on whether the Certificates need to be User or Computer level Certs. And whether every session (User or Computer)
    needs one, or only the initiating machine, or the target machine, or both.
    Any help would be appreciated. Thanks.
    Can anyone point me to a resource/doc or provide instructions?

    I corresponded with Eric, whose blog on this topic of WinRM over HTTPS I referenced; the article is on his site OtherDutiesAsRequired.
    Eric pointed me to a TechNet Article, which basically covers exactly what I want - EXCEPT that it's for Server 2008. I'm running a native Server 2012 AD and Certificate Server.
    I followed the directions in the TechNet Article, and implemented Eric's script as it had successfully worked for him. But the script results in an error.
    Here's the script:
    $ipProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    # Build the host's FQDN, used as the listener's Hostname
    $Hostname = "{0}.{1}" -f $ipProperties.Hostname,$ipProperties.DomainName
    # Takes whichever certificate the machine store lists first, regardless of its EKU
    $CertThumbprint = Get-ChildItem "Cert:\LocalMachine\My" | Select -First 1
    $CertThumbprintValue = $CertThumbprint | foreach-Object {$_.Thumbprint}
    # Create the HTTPS listener on all addresses, bound to that thumbprint
    New-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}
    And here's the error:
    New-WSManInstance : The WinRM client cannot process the request. The Enhanced Key Usage (EKU) field of the certificate is not set to "Server Authentication". Retry the request with a certificate that has the correct EKU.
    At C:\Users\administrator\Desktop\WinRM-config-https-listener.ps1:5 char:1
    + New-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HT ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException
        + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand
    Eric wasn't sure what was going on, but wasn't able to spend the time to troubleshoot.
    The problem appears to be related to the "Enhanced Key Usage" field of the certificate.
    In the certificate template, in the Extensions tab - Application Policies, I tried first to ADD "Server Authentication" and then to replace "Client" with "Server Authentication", but I'm still getting the same error.
    Do any of you Certificate / PowerShell / GPO gurus out there have any ideas?
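    The two WinRM threads on this page raise the same pair of operational problems: the script above takes the first certificate in the machine store, so whenever that happens to be a cert without the Server Authentication EKU the listener creation fails with exactly the error quoted; and the listener configuration stores a certificate thumbprint, so when autoenrollment renews the computer certificate the listener keeps pointing at the old thumbprint until something rebinds it. The script below is an added example (not code from either thread, from Eric's blog, or from the TechNet article): it picks the certificate WinRM actually accepts, creates the listener if missing, and rebinds it in place when the bound thumbprint no longer matches, so it can be re-run from a startup script or scheduled task after renewal. It assumes PowerShell 3.0 or later (the DnsNameList and EnhancedKeyUsageList properties of the Cert: provider; 2008 R2 needs WMF 3.0), a listener on Address=*, and an enterprise CA template that puts the host FQDN in the CN or SAN; the function names are mine.

    ```powershell
    # Added example; run in an elevated PowerShell 3.0+ session on the target host.
    # Assumptions (not from the thread): the CA's computer template carries the
    # Server Authentication EKU and the host FQDN as CN/SAN; listener Address is *.

    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $Fqdn = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName

    function Show-MachineCertificates {
        # Diagnostic view of LocalMachine\My: which certs carry which EKUs and names.
        # When New-WSManInstance rejects a cert for its EKU, the cert it was handed
        # shows up here without "Server Authentication" in the EKU column.
        Get-ChildItem -Path 'Cert:\LocalMachine\My' | Select-Object Thumbprint, NotAfter,
            @{ n = 'DnsNames'; e = { ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ',' } },
            @{ n = 'EKU';      e = { ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ',' } }
    }

    function Get-WinRMServerCert {
        param([string]$HostName)
        # Filter on what WinRM requires instead of "Select -First 1": Server
        # Authentication EKU, private key present, currently valid, not self-signed,
        # and a DNS name (CN or SAN) equal to the host FQDN. Latest expiry wins, so a
        # freshly renewed certificate is preferred over the one it replaces.
        $now = Get-Date
        Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
            $c = $_
            $c.HasPrivateKey -and
            $c.NotBefore -le $now -and $c.NotAfter -gt $now -and
            $c.Subject -ne $c.Issuer -and
            ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid }) -and
            (($c.DnsNameList | ForEach-Object { $_.Unicode }) -contains $HostName)
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
    }

    function Get-BoundThumbprint {
        # Thumbprint stored in the HTTPS listener (normalised), or $null if there is
        # no HTTPS listener at all.
        $listener = Get-ChildItem -Path 'WSMan:\localhost\Listener' |
            Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
        if (-not $listener) { return $null }
        $tp = (Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
            Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
        return ("$tp" -replace '\s', '').ToUpperInvariant()
    }

    function Sync-WinRMHttpsListener {
        param([string]$HostName = $Fqdn)
        $cert = Get-WinRMServerCert -HostName $HostName
        if (-not $cert) {
            Show-MachineCertificates | Format-Table -AutoSize | Out-String | Write-Warning
            throw "No valid Server Authentication certificate for $HostName in LocalMachine\My"
        }
        $selector = @{ Address = '*'; Transport = 'HTTPS' }
        $bound = Get-BoundThumbprint
        if ($null -eq $bound) {
            New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector `
                -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null
            return "created HTTPS listener bound to $($cert.Thumbprint)"
        }
        if ($bound -eq $cert.Thumbprint.ToUpperInvariant()) {
            return "HTTPS listener already bound to current certificate $bound"
        }
        # The listener still references the pre-renewal thumbprint: rebind in place,
        # no need to delete and recreate the listener.
        Set-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector `
            -ValueSet @{ CertificateThumbprint = $cert.Thumbprint } | Out-Null
        return "rebound HTTPS listener from $bound to $($cert.Thumbprint)"
    }

    Sync-WinRMHttpsListener
    ```

    Running it after autoenrollment has renewed the certificate prints the "rebound" line; running it again is a no-op, which is what makes it safe to schedule on every host rather than tracking renewal dates centrally. A client connecting with Enter-PSSession -UseSSL still validates the chain and the hostname on its side, so the CA that issues these certificates must be trusted by the clients.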

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (the CN must be unique in the store, right?).
    So what to do now? Do I really need to create a temporary self-signed certificate and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and, more importantly, non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • Questions on Listener and EM Http port.

    Q1 --
    Listener process L1 is currently listening to 3 databases: CDB1, CDB3, CDB. Using DBCA I create 1 more DAtabase CDB2 and enable dynamic registration.
    Which two commands of Listener Control Utility (lsnrctl) would I use to determine whether dynamic registration occured for the database CDB2, with L1 listener process ?
    A. SHOW L1
    B. SPAWN L1
    C. STATUS L1
    D. SERVICES L1
    E. STATUS LISTENER
    F. SERVICES LISTENER
    G. SHOW current_listener
    ~~~~~~~~~~~~~~~~~~~~~~~~
    Q2 ---
    Exhibit :
    SERVER ERROR
    The following information 'Could not connect ot the server'
    Please contact the administrator.
    While trying to access EM Database Control by using a browser you get an error. See exhibit.
    On further investigation, you find that the Oracle Database 10g installation has just finished and your colleague who installed the software has noted down all the port numbers.
    How do you determine the port number of the HTTP listener that is being used by EM Database Control ?
    A. From the sqlnet.ora file
    B. From the tnsnames.ora file
    C. From the listener.ora file
    D. From the portlist.ora file
    E. By using the Operating System utilities

    hi,
    Q1 >
    You need to set the "LOCAL_LISTENER" parameter in the init.ora file so that when the instance starts up, PMON dynamically registers with the listener.
    Additional information for 11g is that you have a new parameter "DYNAMIC_REGISTRATION_listener_name"
    which enables or disables dynamic registration. When set to on, the listener accepts dynamic registration; when set to off, the listener refuses dynamic registration. Static registrations are not affected.
    By default it is "on".
    D
    Q2 >
    D
    - Pavan Kumar N

  • Oracle service, Listener and http server does not start automatically

    Hello,
    I have Oracle 9i Release 2 installed on a Unix HP box. If the system restarts, e.g. after a power failure, the Oracle service, listener and HTTP server do not start automatically. Is there any ready reference available to check what is going wrong? (I don't have knowledge of Unix.)
    Thanks, Khawar.

    Hi Rajesh,
    Thanks for reply, I will check this link and will be back if facing problem.
    Regards, Khawar.

  • OAS 4.0.8 and HTTP Listener Configuration

    I have installed the enterprise version of OAS 4.0.8 on both NT 4.0 sp5 and Solaris 2.6 with the appropriate patches as specified in documentation.
    On both installs I have the same problem with the http listener. If I select any of the property pages under a listener I get the error message "Page contains no data ..."
    The listeners are up and running and I can get to the administrative http listener at 8889 via a browser.
    thanks for your help,
    don.
    [email protected]

    Problem solved: my NIS and DNS domains are different and we work from DNS. I had to use the oasnetconf utility to correct the machine id so that it reflected the DNS domain.
    Maybe this should be queried at install time...

  • Manually starting Intelligent Agent Configuration Assistant and HTTP Listener

    I have installed Oracle 9i on Solaris 8 and it stopped with an "Out of Memory" error during the Starter Database creation. I have fixed the memory problem, have now manually started the Database Configuration Assistant and managed to install a new database. Now I am trying to start the Intelligent Agent Configuration Assistant and the Apache HTTP Listener, but I cannot find out how to do this so that I can continue and complete the installation process from where I left off.
    Does anyone know how to do this? I would appreciate any help that anyone can give.
    Thanks
    Anthony

    Lets start with what product you are installing and why. An Oracle database installation, in and of itself, does not install an HTTP server.
    Of course one might also wonder why you are, just now, installing software so old it is in desupport.

  • Changing the MaaS360 MDM Apple ID and certificate during cert renewal

    > Kumar (MaaS360) wrote: You cannot change your Apple ID to renew the certificate. For existing devices to continue working, you need to renew the same certificate under the same Apple ID you created during the initial sign up. If for some reason you do not know the Apple ID you used or the owner is no longer with the company, reach out to our helpdesk with your account #. We can provide you details about your APNS certificate. Post this, you can reach out to Apple to see if they can move the original certificate to a new Apple ID.
    Kumar, thanks for the information, and luckily we still have access to the Apple ID that created the initial certificate. The reason I was asking is because the Apple ID that was used to create the first cert was someone's personal account and I was looking to see if I could change it to a new dedicated Apple ID...

    Has anyone who is using Spiceworks MaaS360 MDM, attempted to change their Apple ID during the certificate renewal process?
    In other words, has anyone attempted to use a different Apple ID (other than the one used to create the initial certificate) to create the new CSR during the certificate renewal?
    My certificate is up for renewal and I would like to use a different Apple ID for creating the new certificate. Just wanted to see if anyone else has successfully attempted this.
    This topic first appeared in the Spiceworks Community

  • SSL certificate renewal

    I need to update the SSL certificates on two domains hosted on my OS X 10.5.8 server. It appears that renewal cannot happen in Server Admin.
    After extensive web reading, I find that under 10.4 you had to use both Server Admin and Keychain Access to accomplish the renewal. Here are the official Apple instructions:
    http://support.apple.com/kb/TA24487?viewlocale=en_US
    Is this the same in 10.5?
    My problem is that I only have access via SSH to my server and thus cannot run Keychain Access as a GUI. I found that the terminal command 'security' can do much of this, but its man page is highly cryptic and I fear for my certs as I try this. Any help with usage of 'security' to achieve export of a domain's certs, deletion, and import as per the above instructions?
    What if, using 'Server Admin', I delete the domain certificate before I request and reinstall the new one? This would leave a small hole of uncovered access, but I can live with that. But I don't want to do this only to find out that the Keychain Access app is going to throw a fit.
    Any help from someone who has done this successfully would be appreciated. Thanks.

    To renew your SSL certificate, you can do one of two things:
    1) Use your existing CSR to acquire your new certificate.
    2) Generate a new CSR to acquire your new certificate.
    If you choose to use your existing CSR, you will need to know which keystore file you are currently using and the password you assigned to that keystore file.
    Here are the steps to find out which keystore file you are currently using:
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Configuration tab.
    3) Navigate to Web Servers and Proxies > Web Server Config > Connection Listeners > HTTPS (SSL) Connection Listener.
    4) You should see a keystore file field. This will display the path to the keystore file you are currently using.
    If you do not remember the password to your current keystore file, we strongly suggest that you create a new CSR.
    To generate a new Certificate Request (CSR):
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Keys and Certificates tab
    3) Click on SSL Setup and select Get Certificate Request
    4) Fill out the form and hit submit. Your new CSR will be generated in a text box on the page.
    5) Copy and paste the CSR onto a local text file which you can then send to your CA of choice.
    For more information on the SSL certificate process as well as importing the certificate please refer to our Knowledge Base article 845 at http://tinyurl.com/2n6qru.

  • Customizing Certificate Renewal

    We are developing a system that makes use of Certificate Server. But only our system is visible from the Internet; CS is hidden behind the firewall.
    We've developed a solution that makes it possible to request a certificate from our system, which then forwards the request to CS, and vice versa: we fetch the page which installs the certificate and forward it to the end user.
    But when talking about renewal, we have a problem.
    The CS interface for certificate renewal expects that the user authenticates with its expiring (or expired) certificate, and then CS regenerates a new certificate (with validity customized via the console) and installs it in the client browser.
    We expected similar functionality as with requesting a certificate: the user fills out the request, sends it to CS, and the admin, after checking, issues the certificate. Moreover, the admin is responsible for renewing the certificate, not the user, as in the previous scenario.
    Also, authenticating with a client certificate makes it impossible for us to forward the request and response (we cannot fetch the certificate from the user's browser to use it for communication with CS)...
    Maybe some of you have a solution that satisfies our needs?
    Maybe CS has another interface, which we didn't explore, allowing certificate renewal without presenting the user certificate.
    Or you developed your own custom solution that could be suitable for us...
    Thanks for help!
    Michal Szklanowski
    Java Architect
    empolis Poland

    You have to create certificate request(CSR) from the same instance on which you are trying to install the certificate.
    You need to copy the production server's *.dbs in <ws-install-dir>/https-<instance>/config and run a pull-config --force command to pull the changes into Admin Server.
    If you use WS7.0 Admin Server for certificate renewal, AFAIK a new set of private and public key is generated.

  • Regarding Certificate Renewal

    Hi all,
    I am using Sun Java Communication Suite 5 + Portal Server 7.1.
    My Webmail and Application Server are using the same certificate, which will expire soon. Could I get any information about the certificate renewal?
    Regards
    Adeel

    Hi,
    Try it with the new license page:
    <a href="http://service.sap.com/sap/bc/bsp/spn/minisap/minisap.htm">http://service.sap.com/sap/bc/bsp/spn/minisap/minisap.htm</a>
    For the old-style license key (license string) choose <b>NSP - SAP NetWeaver 04</b>.
    For the new license key (license file) choose <b>NSP - SAP NetWeaver 2004s</b>
    Hope this helps.
    Kind regards,
    Klaus

  • Verisign Certificate Renewal - Help!!!

    Hi Guys,
         I am a beginner in Adobe Flex.
         The digital certificate from VeriSign which I used in my Flex Builder 3 for packaging while exporting an AIR application expired.
         My organisation renewed it and gave me a certificate .p12 file stating that it is a renewed one.
         I used that renewed file in place of the old .p12 file in the application package and exported it to an AIR application.
         But I was not able to install that application anymore, as it results in the error "The installation of this application is damaged. Try re-installing the application or contact the publisher for assistance."
         Later, I double clicked that .p12 file and registered it with trusted enterprise certificates. Now the application installed fine. But it did not work on another PC. Later it worked when I did the same process on that PC as well (i.e. I double clicked that .p12 file and registered it with trusted enterprise certificates on that PC).
         In that process I found that the previous certificate was "VeriSign Class 3 Code Signing 2009-2 CA" and the renewed one is "VeriSign Class 3 Code Signing 2010 G5". Is this the reason???
         Or am I doing something wrong while exporting the release build???? Somebody please help me ASAP.
         FYI - I am using this version of the SDK, "<application xmlns="http://ns.adobe.com/air/application/1.5">", in my app.xml file.
    Thanks & Regards,
    Raj

    What do you mean by "Call" a certificate? A certificate is not "called". It is a container for an asymmetric cryptographic key. What you normally do with the certificate is "extract" the key so that you can use it
    for a cryptographic operation. In .Net, you typically use the classes in System.Security.Cryptography to do this. See example here:
    http://www.ultradevelopers.net/Blog/21
