RE: Certificates

2012-07-25 Thread David Lum
Our issue was one of the SUB-DC02 certs expired and hosed the RADIUS server 
because it couldn't auto-renew it. At least that's what it looked like when I 
troubleshot and resolved the issue.

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, July 24, 2012 7:03 PM
To: NT System Admin Issues
Subject: RE: Certificates

All the certs issued by SUB-DC02 are still valid for use, as long as the 
receiving system still trusts SUB-DC02 (e.g. Client1 connects to Server1, and 
because Client1 has Sub-DC02 in their Trusted Enterprise CAs or Trusted 
Intermediate CA or Trusted Root CA store, it will still trust the Server1's 
certificate)

You should revoke SUB-DC02's signing certificate on ROOT-DC02 (assuming that is 
your root CA, and SUB-DC02 is an issuing CA). As long as your clients can 
connect to the revocation list published by ROOT-DC02, then they will stop 
trusting certs issued by SUB-DC02. You can also do the metadata clean-up in AD 
for references to SUB-DC02, which will stop various Windows wizards attempting 
to connect to it, as it will no longer be advertised in AD as an enterprise 
AD-integrated CA

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, 24 July 2012 11:43 PM
To: NT System Admin Issues
Subject: RE: Certificates

> What are you trying to achieve -- just clean up the stale enrollment
> publication data in the directory and make the error go away?

Yes. I'm tempted to just blow away any cert in the Issued Certificates folder 
on the CA that says SUB-DC02, but I don't know certs enough to know if there 
would be unintended consequences. I ran the certutil -dcinfo deleteBad 
command and it did remove some references, but not all.

Actually this article looks like it's what I need:
http://support.microsoft.com/kb/555151

> I have a tool kicking around somewhere that'll scan AD for published certs
> and reports on their validity, issuer, etc.  Give me a yell if you think this
> would be handy here.

Yell!!

Dave

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Monday, July 23, 2012 6:43 PM
To: NT System Admin Issues
Subject: Re: Certificates

What are you trying to achieve -- just clean up the stale enrollment 
publication data in the directory and make the error go away?  The KB article 
should largely suffice (the metadata in AD aren't too complicated), just 
proceed with caution.  I've done this on numerous occasions when tidying up 
customers' ADCS cruft.

If you know that there are certs out there using a particular template, and you 
want to reissue them cleanly, you could supersede the template.  Of course it's 
a bit tricky to know for sure as the old certificate database is toast.

I have a tool kicking around somewhere that'll scan AD for published certs and 
reports on their validity, issuer, etc.  Give me a yell if you think this would 
be handy here.

--Steve

On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate 
 services and we didn't know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that A certification
 authority is inaccessible and it tells us SUB-DC02 is the cert 
 authority that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn't know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on 
 ROOT-DC02, but I read it as "this is how you decommission the CA 
 gracefully" and not "this is how you fix the removal of a CA that's already 
 gone"



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764





 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Certificates

2012-07-25 Thread Ziots, Edward
On a related subject, with a Windows 2008 R2 native domain Certificate
Authority (Enterprise CA with offline root) I can use the certificate
MMC snapin to generate CSR and submit to the enterprise CA, with no
problem. But on Windows 2003 R2 systems in same domain I can't use the
Certificates Snapin to generate a CSR to submit for certificates for RDP
encryption. But I can use IIS on Windows 2008 R2, Windows 2008 and
Windows 2003 to generate certificate request to the same CA and it works
flawlessly. 

The error is the following:
The wizard could not be started because one or more of the following
conditions
NO trusted Certificate Authorities available (That isn't true, I see the
root CA certificate in my trusted certificate authorities and the
enterprise EA is trusted by the Root CA therefore trust chain is
correct)

You do not have permissions to request certificates from the available
CA's. (Again I can do this as my login account in the child domain, even
though the CA is in the root domain, on windows 2008/windows 2008 R2)
therefore that doesn't add up either. 

The available CA's issue certificates for which you don't have
permissions ( again if I can do it as me in Windows 2008 and R2) then
there really shouldn't be a difference to the same member servers in
same child domain. 

Any ideas?

This looked promising, but not sure if it will fix the problem. 

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

Anyone run into this in their CA deployments and operations that could
shed some light on it? I am sure the permissions are right since I can
do it with no issues on Windows 2008/2008R2 with a Windows 2008 R2 CA,
but it seems Windows 2003 R2 is throwing a hissy fit and won't generate
the CSR which I usually do via the certificate snapin. 

Any ideas, I would be appreciative, 

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, July 25, 2012 11:00 AM
To: NT System Admin Issues
Subject: RE: Certificates

Our issue was one of the SUB-DC02 certs expired and hosed the RADIUS
server because it couldn't auto-renew it. At least that's what it looked
like when I troubleshot and resolved the issue.

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, July 24, 2012 7:03 PM
To: NT System Admin Issues
Subject: RE: Certificates

All the certs issued by SUB-DC02 are still valid for use, as long as the
receiving system still trusts SUB-DC02 (e.g. Client1 connects to
Server1, and because Client1 has Sub-DC02 in their Trusted Enterprise
CAs or Trusted Intermediate CA or Trusted Root CA store, it will still
trust the Server1's certificate)

You should revoke SUB-DC02's signing certificate on ROOT-DC02 (assuming
that is your root CA, and SUB-DC02 is an issuing CA). As long as your
clients can connect to the revocation list published by ROOT-DC02, then
they will stop trusting certs issued by SUB-DC02. You can also do the
metadata clean-up in AD for references to SUB-DC02, which will stop
various Windows wizards attempting to connect to it, as it will no
longer be advertised in AD as an enterprise AD-integrated CA

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, 24 July 2012 11:43 PM
To: NT System Admin Issues
Subject: RE: Certificates

> What are you trying to achieve -- just clean up the stale enrollment
> publication data in the directory and make the error go away?

Yes. I'm tempted to just blow away any cert in the Issued Certificates
folder on the CA that says SUB-DC02, but I don't know certs enough to
know if there would be unintended consequences. I ran the certutil
-dcinfo deleteBad command and it did remove some references, but not
all.

Actually this article looks like it's what I need:
http://support.microsoft.com/kb/555151

> I have a tool kicking around somewhere that'll scan AD for published
> certs and reports on their validity, issuer, etc.  Give me a yell if you
> think this would be handy here.

Yell!!

Dave

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Monday, July 23, 2012 6:43 PM
To: NT System Admin Issues
Subject: Re: Certificates

What are you trying to achieve -- just clean up the stale enrollment
publication data in the directory and make the error go away?  The KB
article should largely suffice (the metadata in AD aren't too
complicated), just proceed with caution.  I've done this on numerous
occasions when tidying up customers' ADCS cruft.

If you know that there are certs out there using a particular template,
and you want to reissue them cleanly, you could supersede the template.
Of course it's a bit tricky to know for sure as the old certificate
database is toast.

I have a tool kicking around somewhere that'll scan AD for published
certs and reports

RE: Certificates

2012-07-25 Thread Ken Schaefer
Sure, but what I said still stands. The certs issued by SUB-DC02 (well, the 
ones that haven't expired yet), are still valid. 

Since you can't revoke them since you have no SUB-DC02, you can either:
a) go around and remove them all manually
b) go around and remove SUB-DC02 from the Trusted Root CA store for all your 
machines
c) revoke SUB-DC02's signing cert from ROOT-DC02

(c) is easiest IMHO

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Thursday, 26 July 2012 1:00 AM
To: NT System Admin Issues
Subject: RE: Certificates

Our issue was one of the SUB-DC02 certs expired and hosed the RADIUS server 
because it couldn't auto-renew it. At least that's what it looked like when I 
troubleshot and resolved the issue.

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, July 24, 2012 7:03 PM
To: NT System Admin Issues
Subject: RE: Certificates

All the certs issued by SUB-DC02 are still valid for use, as long as the 
receiving system still trusts SUB-DC02 (e.g. Client1 connects to Server1, and 
because Client1 has Sub-DC02 in their Trusted Enterprise CAs or Trusted 
Intermediate CA or Trusted Root CA store, it will still trust the Server1's 
certificate)

You should revoke SUB-DC02's signing certificate on ROOT-DC02 (assuming that is 
your root CA, and SUB-DC02 is an issuing CA). As long as your clients can 
connect to the revocation list published by ROOT-DC02, then they will stop 
trusting certs issued by SUB-DC02. You can also do the metadata clean-up in AD 
for references to SUB-DC02, which will stop various Windows wizards attempting 
to connect to it, as it will no longer be advertised in AD as an enterprise 
AD-integrated CA

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, 24 July 2012 11:43 PM
To: NT System Admin Issues
Subject: RE: Certificates

> What are you trying to achieve -- just clean up the stale enrollment
> publication data in the directory and make the error go away?

Yes. I'm tempted to just blow away any cert in the Issued Certificates folder 
on the CA that says SUB-DC02, but I don't know certs enough to know if there 
would be unintended consequences. I ran the certutil -dcinfo deleteBad 
command and it did remove some references, but not all.

Actually this article looks like it's what I need:
http://support.microsoft.com/kb/555151

> I have a tool kicking around somewhere that'll scan AD for published certs
> and reports on their validity, issuer, etc.  Give me a yell if you think this
> would be handy here.

Yell!!

Dave

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Monday, July 23, 2012 6:43 PM
To: NT System Admin Issues
Subject: Re: Certificates

What are you trying to achieve -- just clean up the stale enrollment 
publication data in the directory and make the error go away?  The KB article 
should largely suffice (the metadata in AD aren't too complicated), just 
proceed with caution.  I've done this on numerous occasions when tidying up 
customers' ADCS cruft.

If you know that there are certs out there using a particular template, and you 
want to reissue them cleanly, you could supersede the template.  Of course it's 
a bit tricky to know for sure as the old certificate database is toast.

I have a tool kicking around somewhere that'll scan AD for published certs and 
reports on their validity, issuer, etc.  Give me a yell if you think this would 
be handy here.

--Steve

On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate 
 services and we didn't know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that A certification
 authority is inaccessible and it tells us SUB-DC02 is the cert 
 authority that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn't know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on 
 ROOT-DC02, but I read it as "this is how you decommission the CA 
 gracefully" and not "this is how you fix the removal of a CA that's already 
 gone"



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764






RE: Certificates

2012-07-24 Thread David Lum
> What are you trying to achieve -- just clean up the stale enrollment
> publication data in the directory and make the error go away?

Yes. I'm tempted to just blow away any cert in the Issued Certificates folder 
on the CA that says SUB-DC02, but I don't know certs enough to know if there 
would be unintended consequences. I ran the certutil -dcinfo deleteBad 
command and it did remove some references, but not all.

Actually this article looks like it's what I need:
http://support.microsoft.com/kb/555151

> I have a tool kicking around somewhere that'll scan AD for published certs
> and reports on their validity, issuer, etc.  Give me a yell if you think this
> would be handy here.

Yell!!

Dave

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Monday, July 23, 2012 6:43 PM
To: NT System Admin Issues
Subject: Re: Certificates

What are you trying to achieve -- just clean up the stale enrollment 
publication data in the directory and make the error go away?  The KB article 
should largely suffice (the metadata in AD aren't too complicated), just 
proceed with caution.  I've done this on numerous occasions when tidying up 
customers' ADCS cruft.

If you know that there are certs out there using a particular template, and you 
want to reissue them cleanly, you could supersede the template.  Of course it's 
a bit tricky to know for sure as the old certificate database is toast.

I have a tool kicking around somewhere that'll scan AD for published certs and 
reports on their validity, issuer, etc.  Give me a yell if you think this would 
be handy here.

--Steve

On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate 
 services and we didn't know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that A certification
 authority is inaccessible and it tells us SUB-DC02 is the cert 
 authority that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn't know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on 
 ROOT-DC02, but I read it as "this is how you decommission the CA 
 gracefully" and not "this is how you fix the removal of a CA that's already 
 gone"



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764








Re: Certificates

2012-07-24 Thread Steve Kradel
Voila, one free softwares:
https://github.com/skradel/ShowAdCerts/tree/master/downloads/1.0.0.0

This tool basically scans AD via LDAP (you can set various options for
what to search), loads any certs in the userCertificate field, and
with the -v switch, attempts to verify them.  By default it will just
tell you the subject name, thumbprint, and expiration date.  Add -r
to dump the base64 .DER format certs suitable for piping into openssl
for even more detail.

I'm going to crosspost this to the ActiveDir list, it's actually a
pretty handy tool.

--Steve
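
The scan described above (walk AD over LDAP, load every certificate in userCertificate, optionally verify it) can be sketched in PowerShell as follows. This is an added example, not ShowAdCerts or its source code; it assumes PowerShell 5 or later on a domain-joined Windows host, and the IssuerMatch default assumes the CA's name appears in the issuer string as SUB-DC02, the name used in this thread. With -Verify it builds each chain with online revocation checking, so a revoked issuing-CA certificate shows up in the ChainStatus column.

```powershell
# Added example, not ShowAdCerts itself. Assumes PowerShell 5+ on a
# domain-joined Windows host. 'SUB-DC02' is the CA name used in this thread;
# the real issuer string in your certificates may differ.
[CmdletBinding()]
param(
    [string]$LdapFilter  = '(userCertificate=*)',  # any object with a published cert
    [string]$IssuerMatch = 'SUB-DC02',             # substring to look for in Issuer
    [switch]$Verify                                # also build and check the chain
)

Add-Type -AssemblyName System.DirectoryServices

function Get-PublishedCertificate {
    param([string]$Filter)
    # With no SearchRoot set, DirectorySearcher searches the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500   # paged search, so large directories are not truncated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $results = $searcher.FindAll()
    try {
        foreach ($entry in $results) {
            $dn = [string]$entry.Properties['distinguishedname'][0]
            # userCertificate is multi-valued; each value is one DER-encoded cert.
            foreach ($der in $entry.Properties['usercertificate']) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
                } catch {
                    Write-Warning "Unparseable userCertificate value on $dn"
                    continue
                }
                [pscustomobject]@{ Object = $dn; Certificate = $cert }
            }
        }
    } finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online for the end certificate and every intermediate CA,
    # so a revoked issuing-CA certificate fails the chain.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    try {
        $ok = $chain.Build($Certificate)
        # Typical flags: Revoked, RevocationStatusUnknown, NotTimeValid,
        # UntrustedRoot, PartialChain. Empty when the chain is clean.
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{ ChainOk = $ok; ChainStatus = $flags }
    } finally {
        $chain.Reset()
    }
}

$now = Get-Date
Get-PublishedCertificate -Filter $LdapFilter |
    Where-Object { $_.Certificate.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $c = $_.Certificate
        $row = [ordered]@{
            Object     = $_.Object
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Expired    = ($c.NotAfter -lt $now)
        }
        if ($Verify) {
            $result = Test-CertificateChain -Certificate $c
            $row.ChainOk     = $result.ChainOk
            $row.ChainStatus = $result.ChainStatus
        }
        [pscustomobject]$row
    }
```

Saved under a name of your choosing (Find-CertsByIssuer.ps1 is hypothetical), running .\Find-CertsByIssuer.ps1 -Verify | Sort-Object NotAfter lists the certificates closest to expiry first. It only sees certificates published to userCertificate in AD, not everything the lost CA ever issued.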

On Tue, Jul 24, 2012 at 9:43 AM, David Lum david@nwea.org wrote:
  What are you trying to achieve -- just clean up the stale enrollment 
 publication data in the directory and make the error go away?  
 Yes. I'm tempted to just blow away any cert in the Issued Certificates 
 folder on the CA that says SUB-DC02, but I don't know certs enough to know if 
 there would be unintended consequences. I ran the  certutil -dcinfo 
 deleteBad command and it did remove some references, but not all.

 Actually this article looks like it's what I need:
 http://support.microsoft.com/kb/555151

  I have a tool kicking around somewhere that'll scan AD for published certs 
 and reports on their validity, issuer, etc.  Give me a yell if you think this 
 would be handy here.
 Yell!!

 Dave

 -Original Message-
 From: Steve Kradel [mailto:skra...@zetetic.net]
 Sent: Monday, July 23, 2012 6:43 PM
 To: NT System Admin Issues
 Subject: Re: Certificates

 What are you trying to achieve -- just clean up the stale enrollment 
 publication data in the directory and make the error go away?  The KB article 
 should largely suffice (the metadata in AD aren't too complicated), just 
 proceed with caution.  I've done this on numerous occasions when tidying up 
 customers' ADCS cruft.

 If you know that there are certs out there using a particular template, and 
 you want to reissue them cleanly, you could supersede the template.  Of 
 course it's a bit tricky to know for sure as the old certificate database is 
 toast.

 I have a tool kicking around somewhere that'll scan AD for published certs 
 and reports on their validity, issuer, etc.  Give me a yell if you think this 
 would be handy here.

 --Steve

 On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate
 services and we didn't know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that A certification
 authority is inaccessible and it tells us SUB-DC02 is the cert
 authority that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn't know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on
 ROOT-DC02, but I read it as "this is how you decommission the CA
 gracefully" and not "this is how you fix the removal of a CA that's already 
 gone"



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764








RE: Certificates

2012-07-24 Thread Ken Schaefer
All the certs issued by SUB-DC02 are still valid for use, as long as the 
receiving system still trusts SUB-DC02 (e.g. Client1 connects to Server1, and 
because Client1 has Sub-DC02 in their Trusted Enterprise CAs or Trusted 
Intermediate CA or Trusted Root CA store, it will still trust the Server1's 
certificate)

You should revoke SUB-DC02's signing certificate on ROOT-DC02 (assuming that is 
your root CA, and SUB-DC02 is an issuing CA). As long as your clients can 
connect to the revocation list published by ROOT-DC02, then they will stop 
trusting certs issued by SUB-DC02.
You can also do the metadata clean-up in AD for references to SUB-DC02, which 
will stop various Windows wizards attempting to connect to it, as it will no 
longer be advertised in AD as an enterprise AD-integrated CA

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, 24 July 2012 11:43 PM
To: NT System Admin Issues
Subject: RE: Certificates

> What are you trying to achieve -- just clean up the stale enrollment
> publication data in the directory and make the error go away?

Yes. I'm tempted to just blow away any cert in the Issued Certificates folder 
on the CA that says SUB-DC02, but I don't know certs enough to know if there 
would be unintended consequences. I ran the certutil -dcinfo deleteBad 
command and it did remove some references, but not all.

Actually this article looks like it's what I need:
http://support.microsoft.com/kb/555151

> I have a tool kicking around somewhere that'll scan AD for published certs
> and reports on their validity, issuer, etc.  Give me a yell if you think this
> would be handy here.

Yell!!

Dave

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Monday, July 23, 2012 6:43 PM
To: NT System Admin Issues
Subject: Re: Certificates

What are you trying to achieve -- just clean up the stale enrollment 
publication data in the directory and make the error go away?  The KB article 
should largely suffice (the metadata in AD aren't too complicated), just 
proceed with caution.  I've done this on numerous occasions when tidying up 
customers' ADCS cruft.

If you know that there are certs out there using a particular template, and you 
want to reissue them cleanly, you could supersede the template.  Of course it's 
a bit tricky to know for sure as the old certificate database is toast.

I have a tool kicking around somewhere that'll scan AD for published certs and 
reports on their validity, issuer, etc.  Give me a yell if you think this would 
be handy here.

--Steve

On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate 
 services and we didn't know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that A certification
 authority is inaccessible and it tells us SUB-DC02 is the cert 
 authority that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn't know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on 
 ROOT-DC02, but I read it as "this is how you decommission the CA 
 gracefully" and not "this is how you fix the removal of a CA that's already 
 gone"



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764








RE: Certificates

2012-07-23 Thread Michael B. Smith
Do the letters S.O.L. mean anything to you?

You can add another sub but I think you are going to have to reissue all certs 
issued by the sub.

I would call CSS, personally. But this isn't my area of expertise.

From: David Lum [mailto:david@nwea.org]
Sent: Monday, July 23, 2012 5:23 PM
To: NT System Admin Issues
Subject: Certificates

We have a DC that we rebuilt and apparently it was running certificate services 
and we didn't know about it until after the server was rebuilt.

Details:

1.   Running an MS tool it returns the result that A certification 
authority is inaccessible and it tells us SUB-DC02 is the cert authority that 
cannot be reached.

2.   We rebuilt a SUB-DC02 a few months ago (old one died due to hardware 
failure) and we didn't know it was a certificate authority

3.   The resolution suggested by the MS tool is this 
http://support.microsoft.com/kb/889250

4.   The CA server we DO use and know about is ROOT-DC02. The instructions 
in step 3 make it look like I am to do the steps on ROOT-DC02, but I read it as 
"this is how you decommission the CA gracefully" and not "this is how you fix 
the removal of a CA that's already gone"

Thoughts?
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764




Re: Certificates

2012-07-23 Thread Steve Kradel
What are you trying to achieve -- just clean up the stale enrollment
publication data in the directory and make the error go away?  The KB
article should largely suffice (the metadata in AD aren't too
complicated), just proceed with caution.  I've done this on numerous
occasions when tidying up customers' ADCS cruft.

If you know that there are certs out there using a particular
template, and you want to reissue them cleanly, you could supersede
the template.  Of course it's a bit tricky to know for sure as the old
certificate database is toast.

I have a tool kicking around somewhere that'll scan AD for published
certs and reports on their validity, issuer, etc.  Give me a yell if
you think this would be handy here.

--Steve

On Mon, Jul 23, 2012 at 5:23 PM, David Lum david@nwea.org wrote:
 We have a DC that we rebuilt and apparently it was running certificate
 services and we didn’t know about it until after the server was rebuilt.



 Details:

 1.   Running an MS tool it returns the result that “A certification
 authority is inaccessible” and it tells us SUB-DC02 is the cert authority
 that cannot be reached.

 2.   We rebuilt a SUB-DC02 a few months ago (old one died due to
 hardware failure) and we didn’t know it was a certificate authority

 3.   The resolution suggested by the MS tool is this
 http://support.microsoft.com/kb/889250

 4.   The CA server we DO use and know about is ROOT-DC02. The
 instructions in step 3 make it look like I am to do the steps on ROOT-DC02,
 but I read it as “this is how you decommission the CA gracefully” and not
 “this is how you fix the removal of a CA that’s already gone”



 Thoughts?

 David Lum
 Systems Engineer // NWEATM
 Office 503.548.5229 // Cell (voice/text) 503.267.9764








RE: Encryption of RDP via Certificates

2012-07-13 Thread Ziots, Edward
Yep just did that, and it shows that the access is authenticated via
certificate, but when I do a sniff with wireshark, I am not seeing the
TLS Handshake; this is what concerns me.  I can see in the tcp stream of
the packets that the certificate and its CRL is requested and per the
connection that Kerberos and Server Certificate is being used.

 

The security layer is set to SSL (TLS1.0) and the Encryption Level is
set to FIPS compliant and I set the security option use FIPS compliant
Algorithms for Encryption Signing and Hashing. 

 

I have a call in with M$ on this just to verify the process is working
as expected, but I would assume that if settings are set to TLS1.0 (SSL)
and using FIPS compliant settings I should be using TLS 1.0 (so just
like a SSL handshake you see the compatable algorithms between the
workstation and the server which is sending its certificate etc etc)

 

I will let everyone know what I find out, but I haven't seen any
documentation to the contrary on the setup I have done on these. I just
don't want an auditor coming back and saying that something isn't
working correctly, or was done wrong and isn't giving the protections
when I know it is and I have proof to verify it is. 

 

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, July 12, 2012 8:36 PM
To: NT System Admin Issues
Subject: RE: Encryption of RDP via Certificates

 

Just use the web server certificate.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, July 12, 2012 2:57 PM
To: NT System Admin Issues
Subject: Encryption of RDP via Certificates

 

If anyone has successfully done this and knows which Certificate
Template in Microsoft CA to utilize for this, I would be grateful if you
hit me off line. I am going nuts trying to use the Certificates Snapin
to get a certificate created via a template on my server made for Server
authentication, and it's just not letting me do it.

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 


RE: Encryption of RDP via Certificates

2012-07-13 Thread Ziots, Edward
Well it definitely works and was verified using TLSv1.0 with the proper
strong ciphers. 

 

Now for the IIS 7.0 book to read this weekend written partly by Mr
Schaefer... (looking forward to that)

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Friday, July 13, 2012 7:43 AM
To: NT System Admin Issues
Subject: RE: Encryption of RDP via Certificates

 

Yep just did that, and it shows that the access is authenticated via
certificate, but when I do a sniff with wireshark, I am not seeing the
TLS Handshake this is what concerns me.  I can see in the tcp stream of
the packets that the certificate and its CRL is requested and per the
connection that Kerberos and Server Certificate is being used.

 

The security layer is set to SSL (TLS1.0) and the Encryption Level is
set to FIPS compliant and I set the security option use FIPS compliant
Algorithms for Encryption Signing and Hashing. 

 

I have a call in with M$ on this just to verify the process is working
as expected, but I would assume that if settings are set to TLS1.0 (SSL)
and using FIPS compliant settings I should be using TLS 1.0 (so just
like a SSL handshake you see the compatible algorithms between the
workstation and the server which is sending its certificate etc etc)

 

I will let everyone know what I find out, but I haven't seen any
documentation to the contrary on the setup I have done on these. I just
don't want an auditor coming back and saying that something isn't
working correctly, or was done wrong and isn't giving the protections
when I know it is and I have proof to verify it is. 

 

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, July 12, 2012 8:36 PM
To: NT System Admin Issues
Subject: RE: Encryption of RDP via Certificates

 

Just use the web server certificate.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, July 12, 2012 2:57 PM
To: NT System Admin Issues
Subject: Encryption of RDP via Certificates

 

If anyone has successfully done this and knows which Certificate
Template in Microsoft CA to utilize for this, I would be grateful if you
hit me off line. I am going nuts trying to use the Certificates Snapin
to get a certificate created via a template on my server made for Server
authentication, and it's just not letting me do it.

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 


RE: Encryption of RDP via Certificates

2012-07-12 Thread Michael B. Smith
Just use the web server certificate.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, July 12, 2012 2:57 PM
To: NT System Admin Issues
Subject: Encryption of RDP via Certificates

If anyone has successfully done this and knows which Certificate Template in 
Microsoft CA to utilize for this, I would be grateful if you hit me off line. I 
am going nuts trying to use the Certificates Snapin to get a certificate 
created via a template on my server made for Server authentication, and it's 
just not letting me do it.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



Re: Encryption of RDP via Certificates

2012-07-12 Thread Steve Kradel
The only caveat I'd note is that some RDP clients will totally,
unrecoverably freak out if they can't contact the CRL.  So consider that if
you've got the default AD-integrated CRL publication with any non-domain /
non-trust clients and get a highly-available HTTP CDP at the top of the
list.

--Steve

On Thu, Jul 12, 2012 at 8:36 PM, Michael B. Smith mich...@smithcons.com wrote:

  Just use the web server certificate.

 From: Ziots, Edward [mailto:ezi...@lifespan.org]
 Sent: Thursday, July 12, 2012 2:57 PM
 To: NT System Admin Issues
 Subject: Encryption of RDP via Certificates

 If anyone has successfully done this and knows which Certificate Template
 in Microsoft CA to utilize for this, I would be grateful if you hit me off
 line. I am going nuts trying to use the Certificates Snapin to get a
 certificate created via a template on my server made for Server
 authentication, and it's just not letting me do it.

 Z

 Edward Ziots
 CISSP, Security +, Network +
 Security Engineer
 Lifespan Organization

 ezi...@lifespan.org
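
The CDP-ordering caveat in the reply above can be checked before a certificate is deployed to RDP hosts. The following is an added example, not part of the original thread: it inspects the ordered list of CRL distribution point URLs taken from a certificate and flags lists that a non-domain client cannot use or will only reach after trying LDAP first. The CA name, host names and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed CDP lists; CA and host names are placeholders, not from the thread.
LDAP_DEFAULT = ("ldap:///CN=Example-CA,CN=CA01,CN=CDP,CN=Public%20Key%20Services,"
                "CN=Services,CN=Configuration,DC=example,DC=test"
                "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_CDP = "http://crl.example.test/CertEnroll/Example-CA.crl"

SAMPLE_CERTS = {
    "ad-default-order": [LDAP_DEFAULT, HTTP_CDP],  # LDAP listed before HTTP
    "http-first": [HTTP_CDP, LDAP_DEFAULT],        # the ordering the reply recommends
    "ldap-only": [LDAP_DEFAULT],                   # nothing a non-domain client can fetch
}


def classify_cdp(url):
    """Classify one CDP URL by how a client would have to fetch it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ldap":
        # "ldap:///CN=..." has no host: the client must locate a domain
        # controller itself, which only works for domain / trusted clients.
        return "ldap-host" if parts.hostname else "ldap-serverless"
    if scheme in ("http", "https"):
        return scheme
    return "other"


def assess_cdp_order(urls):
    """Return a list of findings for one certificate; an empty list means OK."""
    kinds = [classify_cdp(u) for u in urls]
    if not kinds:
        return ["no-cdp"]
    findings = []
    if "http" not in kinds:
        # No plain-HTTP location at all: non-domain clients cannot get the CRL.
        findings.append("no-http-cdp")
    elif kinds[0] != "http":
        # URLs are tried in listed order, so LDAP is attempted (and has to
        # fail or time out) before the HTTP location is reached.
        findings.append("http-not-first")
    if "https" in kinds:
        # Fetching a CRL over TLS needs a certificate check of its own.
        findings.append("https-cdp")
    return findings


def report(certs):
    """Map each certificate name to its findings."""
    return {name: assess_cdp_order(urls) for name, urls in certs.items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_CERTS).items():
        print(name, "OK" if not findings else ", ".join(findings))
```
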


RE: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Ken Schaefer
This patch removes certain MS CAs from one of the trusted CA stores.

It should have nothing to do with your IAS server rejecting your own internally 
issued certs.

Something else is up.

Also, rejection != revocation: your IAS server might be rejecting your user's 
certificates. But that is not the same as revoking the certificates.

Cheers
Ken

-Original Message-
From: Troy Adkins [mailto:tadk...@house.virginia.gov] 
Sent: Tuesday, 5 June 2012 10:21 AM
To: NT System Admin Issues
Subject: Re: US-CERT Current Activity - Unauthorized Microsoft Digital 
Certificates

I'm getting an event Id 3, reason code 300, now on my IAS server from my user 
certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov 
 wrote:
 Has anyone ran this patch.
 I ran the patch on my CA, but it is still revoking my certificates.
 
  Isn't that what it's supposed to do?
 
 -- Ben





Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Ben Scott
  This may or may not be helpful/relevant:

MSSA 2718704: Why and How to Reactivate License Servers in Terminal
Services and Remote Desktop Services

(http://goo.gl/eBdJc)

(http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)

  From the MSFT Remote Desktop Services (Terminal Services) Team Blog,
via the inestimable Susan Bradley sbradcpa@... on the
patch-management list.

-- Ben



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Kurt Buff
Both relevant and helpful.

Thank you.

Kurt

On Tue, Jun 5, 2012 at 3:52 PM, Ben Scott mailvor...@gmail.com wrote:
  This may or may not be helpful/relevant:

 MSSA 2718704: Why and How to Reactivate License Servers in Terminal
 Services and Remote Desktop Services

 (http://goo.gl/eBdJc)

 (http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)

  From the MSFT Remote Desktop Services (Terminal Services) Team Blog,
 via the inestimable Susan Bradley sbradcpa@... on the
 patch-management list.

 -- Ben




Fwd: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Kurt Buff
-- Forwarded message --
From: Current Activity us-c...@us-cert.gov
Date: Mon, Jun 4, 2012 at 6:29 AM
Subject: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
To: Current Activity current-activ...@us-cert.gov



US-CERT Current Activity

Unauthorized Microsoft Digital Certificates

Original release date: Monday, June 4, 2012 at 09:16 am
Last revised: Monday, June 4, 2012 at 09:16 am


Microsoft has released a security advisory to address the revocation of
a number of unauthorized digital certificates. Maintaining these
certificates within your certificate store may allow an attacker to
spoof content, perform a phishing attack, or perform a man-in-the-middle
attack.

The following certificates have been revoked by this update:
 * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
 * Microsoft Enforced Licensing Registration Authority CA (SHA1)

Microsoft has provided an update to all support versions of Microsoft
Windows to address this issue. Additional information can be found in
Microsoft Security Advisory 2718704.

US-CERT encourages users and administrators to apply any necessary
updates to help mitigate the risk.

Relevant Url(s):
http://technet.microsoft.com/en-us/security/advisory/2718704




  Produced by US-CERT, a government organization.


This product is provided subject to the Notification as indicated here:
http://www.us-cert.gov/legal.html#notify

This document can also be found at
http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html




Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Ben Scott
  Thanks for the info, Kurt.  A quick Google found this:

http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

When an enterprise customer requests a Terminal Services activation
license, the certificate issued by Microsoft in response to the
request allows code signing without accessing Microsoft’s internal PKI
infrastructure.

  Whoops.

-- Ben




Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Kurt Buff
Yes. Not good.

Patching Win7 doesn't invoke a reboot.

Patching WinXP does invoke a reboot.

I'm working on an announcement for our worker bees now...

Kurt

On Mon, Jun 4, 2012 at 3:57 PM, Ben Scott mailvor...@gmail.com wrote:
  Thanks for the info, Kurt.  A quick Google found this:

 http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

 When an enterprise customer requests a Terminal Services activation
 license, the certificate issued by Microsoft in response to the
 request allows code signing without accessing Microsoft’s internal PKI
 infrastructure.

  Whoops.

 -- Ben




Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Troy Adkins
Has anyone run this patch?

I ran the patch on my CA, but it is still revoking my certificates.

Sent from my iPad

On Jun 4, 2012, at 6:47 PM, Kurt Buff kurt.b...@gmail.com wrote:

 -- Forwarded message --
 From: Current Activity us-c...@us-cert.gov
 Date: Mon, Jun 4, 2012 at 6:29 AM
 Subject: US-CERT Current Activity - Unauthorized Microsoft Digital 
 Certificates
 To: Current Activity current-activ...@us-cert.gov
 
 
 
 US-CERT Current Activity
 
 Unauthorized Microsoft Digital Certificates
 
 Original release date: Monday, June 4, 2012 at 09:16 am
 Last revised: Monday, June 4, 2012 at 09:16 am
 
 
 Microsoft has released a security advisory to address the revocation of
 a number of unauthorized digital certificates. Maintaining these
 certificates within your certificate store may allow an attacker to
 spoof content, perform a phishing attack, or perform a man-in-the-middle
 attack.
 
 The following certificates have been revoked by this update:
  * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  * Microsoft Enforced Licensing Registration Authority CA (SHA1)
 
 Microsoft has provided an update to all support versions of Microsoft
 Windows to address this issue. Additional information can be found in
 Microsoft Security Advisory 2718704.
 
 US-CERT encourages users and administrators to apply any necessary
 updates to help mitigate the risk.
 
 Relevant Url(s):
 http://technet.microsoft.com/en-us/security/advisory/2718704
 
 
 
 
   Produced by US-CERT, a government organization.
 
 
 This product is provided subject to the Notification as indicated here:
 http://www.us-cert.gov/legal.html#notify
 
 This document can also be found at
 http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates
 
 For instructions on subscribing to or unsubscribing from this
 mailing list, visit http://www.us-cert.gov/cas/signup.html
 



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Kurt Buff
I have run this patch on several Win7 and WinXP machines, and just ran
it against my Win2k8 R2 TS/RDP server.

Please detail exactly what you mean by "it is still revoking my certificates".

This is not something that should affect your internal CA
infrastructure, unless you've somehow incorporated MSFT certs into
your cert chain.

Frankly, I'm not worried about patching my servers (on an emergency
basis - I'll catch it in my regular cycle) except for the one
mentioned above, because users actually do log into it - unless
someone shows me I need to think differently about it.

Kurt

On Mon, Jun 4, 2012 at 6:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:
 Has anyone ran this patch.

 I ran the patch on my CA, but it is still revoking my certificates.

 Sent from my iPad

 On Jun 4, 2012, at 6:47 PM, Kurt Buff kurt.b...@gmail.com wrote:

 -- Forwarded message --
 From: Current Activity us-c...@us-cert.gov
 Date: Mon, Jun 4, 2012 at 6:29 AM
 Subject: US-CERT Current Activity - Unauthorized Microsoft Digital 
 Certificates
 To: Current Activity current-activ...@us-cert.gov



 US-CERT Current Activity

 Unauthorized Microsoft Digital Certificates

 Original release date: Monday, June 4, 2012 at 09:16 am
 Last revised: Monday, June 4, 2012 at 09:16 am


 Microsoft has released a security advisory to address the revocation of
 a number of unauthorized digital certificates. Maintaining these
 certificates within your certificate store may allow an attacker to
 spoof content, perform a phishing attack, or perform a man-in-the-middle
 attack.

 The following certificates have been revoked by this update:
  * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  * Microsoft Enforced Licensing Registration Authority CA (SHA1)

 Microsoft has provided an update to all support versions of Microsoft
 Windows to address this issue. Additional information can be found in
 Microsoft Security Advisory 2718704.

 US-CERT encourages users and administrators to apply any necessary
 updates to help mitigate the risk.

 Relevant Url(s):
 http://technet.microsoft.com/en-us/security/advisory/2718704


 

   Produced by US-CERT, a government organization.
 

 This product is provided subject to the Notification as indicated here:
 http://www.us-cert.gov/legal.html#notify

 This document can also be found at
 http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates

 For instructions on subscribing to or unsubscribing from this
 mailing list, visit http://www.us-cert.gov/cas/signup.html




Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Ben Scott
On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:
 Has anyone ran this patch.
 I ran the patch on my CA, but it is still revoking my certificates.

  Isn't that what it's supposed to do?

-- Ben



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Troy Adkins
I'm getting an event Id 3, reason code 300, now on my IAS server from my user 
certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov 
 wrote:
 Has anyone ran this patch.
 I ran the patch on my CA, but it is still revoking my certificates.
 
  Isn't that what it's supposed to do?
 
 -- Ben
 



No Disclaimers in VIPER (caused by use of email digital certificates)

2010-03-12 Thread Jeff S. Gottlieb
We just closed a case with Sunbelt...disclaimers appeared in all email
accounts except those using digital certificates. Was wondering if anyone
else experienced the same. - Jeff

 

Exchange 2003

Outlook 2007

Digital Security COMODO

Re: No Disclaimers in VIPER (caused by use of email digital certificates)

2010-03-12 Thread Kevin Lundy
I have no idea if that is a Viper feature or not, but I believe that is the
way you would want it to operate isn't it?  Otherwise, the insertion of the
disclaimer would be modifying the email message, which would cause the
signature to indicate tampering.




On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com
 wrote:

  We just closed a case with Sunbelt…disclaimers appeared in all email
 accounts except those using digital certificates. Was wondering if anyone
 else experienced the same. - Jeff



 Exchange 2003

 Outlook 2007

 Digital Security COMODO

VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Jeff S. Gottlieb
We just closed a case with Sunbelt...disclaimers appeared in all Exchange
email accounts except those using digital certificates. They have no
explanation and no fix.

Has anyone else experienced the same?

Is anyone using email digital certificates, if yes from what company?

 

Thanks - Cheers  - Jeff

 

Viper Enterprise v3.0.1.4.796

Exchange 2003

Outlook 2007

Digital Security COMODO

RE: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Jeff S. Gottlieb
Kevin,

 

I reworded and reposted this thread (minutes ago) hoping to stimulate more
discussion...and before knowing you replied. Thank you.

Interesting enough Sunbelt support never saw anyone using an email digital
certificate...thus could not offer a remedy.  We do not represent the defense
department so we can live without certificates, but since we are using, and
with issues *maybe* someone has a quick remedy.

Let's assume we were a VERY small minority and needed certificates...is this
an issue with COMODO or all certificates in Viper?

Based on your logic (below) all certificates would present Viper users with
this issue.

 

-J

 

From: Kevin Lundy [mailto:klu...@gmail.com] 
Sent: Friday, March 12, 2010 7:46 AM
To: NT System Admin Issues
Subject: Re: No Disclaimers in VIPER (caused by use of email digital
certificates)

 

I have no idea if that is a Viper feature or not, but I believe that is the
way you would want it to operate isn't it?  Otherwise, the insertion of the
disclaimer would be modifying the email message, which would cause the
signature to indicate tampering.

 



 

On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb
jeff.s.gottl...@gmail.com wrote:

We just closed a case with Sunbelt...disclaimers appeared in all email
accounts except those using digital certificates. Was wondering if anyone
else experienced the same. - Jeff

 

Exchange 2003

Outlook 2007

Digital Security COMODO

RE: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Michael B. Smith
You should do it with transport rules so a message can be re-signed. In my 
opinion.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com]
Sent: Friday, March 12, 2010 11:35 AM
To: NT System Admin Issues
Subject: RE: VIPER: NO Disclaimers in email (caused by email digital 
certificates)

Kevin,

I reworded and reposted this thread (minutes ago) hoping to stimulate more 
discussion...and before knowing you replied. Thank you.

Interesting enough Sunbelt support, never saw anyone using a email digital 
certificate...thus could not offer a remedy.  We do not represent the defense 
department so we can live without certificates, but since we are using, and 
with issues *maybe* someone has a quick remedy.

Let's assume we were a VERY small minority and needed certificates...is this an 
issue with COMODO or all certificates in Viper?

Based on your logic (below) all certificates would present Viper users with 
this issue.

-J

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Friday, March 12, 2010 7:46 AM
To: NT System Admin Issues
Subject: Re: No Disclaimers in VIPER (caused by use of email digital 
certificates)

I have no idea if that is a Viper feature or not, but I believe that is the way 
you would want it to operate isn't it?  Otherwise, the insertion of the 
disclaimer would be modifying the email message, which would cause the 
signature to indicate tampering.




On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
jeff.s.gottl...@gmail.com wrote:
We just closed a case with Sunbelt...disclaimers appeared in all email accounts 
except those using digital certificates. Was wondering if anyone else 
experienced the same. - Jeff

Exchange 2003
Outlook 2007
Digital Security COMODO

Re: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Kevin Lundy
That would require AD integrated certificates, no?




On Fri, Mar 12, 2010 at 11:37 AM, Michael B. Smith mich...@smithcons.com wrote:

  You should do it with transport rules so a message can be re-signed. In
 my opinion.



 Regards,



 Michael B. Smith

 Consultant and Exchange MVP

 http://TheEssentialExchange.com



 *From:* Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com]
 *Sent:* Friday, March 12, 2010 11:35 AM

 *To:* NT System Admin Issues
 *Subject:* RE: VIPER: NO Disclaimers in email (caused by email digital
 certificates)



 Kevin,



 I reworded and reposted this thread (minutes ago) hoping to stimulate more
 discussion…and before knowing you replied. Thank you.



 Interesting enough Sunbelt support, “never saw anyone using an email digital
 certificate”…thus could not offer a remedy.  We do not represent the defense
 department so we can live without certificates, but since we are using, and
 with issues **maybe** someone has a quick remedy.



 Let’s assume we were a VERY small minority and needed certificates…is this
 an issue with COMODO or all certificates in Viper?



 Based on your logic (below) all certificates would present Viper users with
 this issue.



 -J



 *From:* Kevin Lundy [mailto:klu...@gmail.com]
 *Sent:* Friday, March 12, 2010 7:46 AM
 *To:* NT System Admin Issues
 *Subject:* Re: No Disclaimers in VIPER (caused by use of email digital
 certificates)



 I have no idea if that is a Viper feature or not, but I believe that is the
 way you would want it to operate isn't it?  Otherwise, the insertion of the
 disclaimer would be modifying the email message, which would cause the
 signature to indicate tampering.







 On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
 jeff.s.gottl...@gmail.com wrote:

 We just closed a case with Sunbelt…disclaimers appeared in all email
 accounts except those using digital certificates. Was wondering if anyone
 else experienced the same. - Jeff



 Exchange 2003

 Outlook 2007

 Digital Security COMODO

RE: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Michael B. Smith
Yes.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Friday, March 12, 2010 12:04 PM
To: NT System Admin Issues
Subject: Re: VIPER: NO Disclaimers in email (caused by email digital 
certificates)

That would require AD integrated certificates, no?




On Fri, Mar 12, 2010 at 11:37 AM, Michael B. Smith 
mich...@smithcons.com wrote:
You should do it with transport rules so a message can be re-signed. In my 
opinion.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jeff S. Gottlieb 
[mailto:jeff.s.gottl...@gmail.com]
Sent: Friday, March 12, 2010 11:35 AM

To: NT System Admin Issues
Subject: RE: VIPER: NO Disclaimers in email (caused by email digital 
certificates)

Kevin,

I reworded and reposted this thread (minutes ago) hoping to stimulate more 
discussion...and before knowing you replied. Thank you.

Interesting enough Sunbelt support, never saw anyone using an email digital 
certificate...thus could not offer a remedy.  We do not represent the defense 
department so we can live without certificates, but since we are using, and 
with issues *maybe* someone has a quick remedy.

Let's assume we were a VERY small minority and needed certificates...is this an 
issue with COMODO or all certificates in Viper?

Based on your logic (below) all certificates would present Viper users with 
this issue.

-J

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Friday, March 12, 2010 7:46 AM
To: NT System Admin Issues
Subject: Re: No Disclaimers in VIPER (caused by use of email digital 
certificates)

I have no idea if that is a Viper feature or not, but I believe that is the way 
you would want it to operate isn't it?  Otherwise, the insertion of the 
disclaimer would be modifying the email message, which would cause the 
signature to indicate tampering.




On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
jeff.s.gottl...@gmail.com wrote:
We just closed a case with Sunbelt...disclaimers appeared in all email accounts 
except those using digital certificates. Was wondering if anyone else 
experienced the same. - Jeff

Exchange 2003
Outlook 2007
Digital Security COMODO

Re: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Kevin Lundy
Yes, all certificate vendors would present this problem to ANY disclaimer
system.  It's not limited to Viper.

If you think about what a digital signature is doing - alerting to any
change to a message, this makes sense.  A disclaimer is a change.  So if
Viper were to add a disclaimer, the recipient would get a signature
warning.  So the fact that Viper is not adding it is working in your
favor.

Honestly, I am surprised that SB told you they never heard of anyone using
signatures.  I suspect that was really just the technician you were dealing
with.  I wouldn't be surprised if it were actually a feature they included
(but the technician didn't know about).

Options:
1) tell people to use the cert only when needed (e.g. contract agreement,
etc)
2) limit the certs to the small population that needs them - have them put
the disclaimer in their normal signature file
3) integrate the certs into AD and use the transport rule as Michael
suggested


Kevin

On Fri, Mar 12, 2010 at 11:34 AM, Jeff S. Gottlieb 
jeff.s.gottl...@gmail.com wrote:

  Kevin,



 I reworded and reposted this thread (minutes ago) hoping to stimulate more
 discussion…and before knowing you replied. Thank you.



 Interesting enough Sunbelt support, “never saw anyone using an email digital
 certificate”…thus could not offer a remedy.  We do not represent the defense
 department so we can live without certificates, but since we are using, and
 with issues **maybe** someone has a quick remedy.



 Let’s assume we were a VERY small minority and needed certificates…is this
 an issue with COMODO or all certificates in Viper?



 Based on your logic (below) all certificates would present Viper users with
 this issue.



 -J



 *From:* Kevin Lundy [mailto:klu...@gmail.com]
 *Sent:* Friday, March 12, 2010 7:46 AM
 *To:* NT System Admin Issues
 *Subject:* Re: No Disclaimers in VIPER (caused by use of email digital
 certificates)



 I have no idea if that is a Viper feature or not, but I believe that is the
 way you would want it to operate isn't it?  Otherwise, the insertion of the
 disclaimer would be modifying the email message, which would cause the
 signature to indicate tampering.







 On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
 jeff.s.gottl...@gmail.com wrote:

 We just closed a case with Sunbelt…disclaimers appeared in all email
 accounts except those using digital certificates. Was wondering if anyone
 else experienced the same. - Jeff



 Exchange 2003

 Outlook 2007

 Digital Security COMODO

RE: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Alex Eckelberry
Kevin is right, and I'll make sure the techs know.

Changing a signed document goes directly against what a signed document is 
supposed to be...


Alex


From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Friday, March 12, 2010 12:35 PM
To: NT System Admin Issues
Subject: Re: VIPER: NO Disclaimers in email (caused by email digital 
certificates)

Yes, all certificate vendors would present this problem to ANY disclaimer 
system.  It's not limited to Viper.

If you think about what a digital signature is doing - alerting to any change 
to a message, this makes sense.  A disclaimer is a change.  So if Viper were to 
add a disclaimer, the recipient would get a signature warning.  So the fact 
that Viper is not adding it is working in your favor.

Honestly, I am surprised that SB told you they never heard of anyone using 
signatures.  I suspect that was really just the technician you were dealing 
with.  I wouldn't be surprised if it were actually a feature they included (but 
the technician didn't know about).

Options:
1) tell people to use the cert only when needed (e.g. contract agreement, etc)
2) limit the certs to the small population that needs them - have them put the 
disclaimer in their normal signature file
3) integrate the certs into AD and use the transport rule as Michael suggested


Kevin
On Fri, Mar 12, 2010 at 11:34 AM, Jeff S. Gottlieb 
jeff.s.gottl...@gmail.com wrote:
Kevin,

I reworded and reposted this thread (minutes ago) hoping to stimulate more 
discussion...and before knowing you replied. Thank you.

Interesting enough Sunbelt support, never saw anyone using an email digital 
certificate...thus could not offer a remedy.  We do not represent the defense 
department so we can live without certificates, but since we are using, and 
with issues *maybe* someone has a quick remedy.

Let's assume we were a VERY small minority and needed certificates...is this an 
issue with COMODO or all certificates in Viper?

Based on your logic (below) all certificates would present Viper users with 
this issue.

-J

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Friday, March 12, 2010 7:46 AM
To: NT System Admin Issues
Subject: Re: No Disclaimers in VIPER (caused by use of email digital 
certificates)

I have no idea if that is a Viper feature or not, but I believe that is the way 
you would want it to operate isn't it?  Otherwise, the insertion of the 
disclaimer would be modifying the email message, which would cause the 
signature to indicate tampering.




On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
jeff.s.gottl...@gmail.com wrote:
We just closed a case with Sunbelt...disclaimers appeared in all email accounts 
except those using digital certificates. Was wondering if anyone else 
experienced the same. - Jeff

Exchange 2003
Outlook 2007
Digital Security COMODO

RE: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Jeff S. Gottlieb
Great!

 

We can conclude...with a *much* better understanding of this issue and a
workaround. Thank you Kevin.

Alex... IMHO your tech(s) should be made aware (Ticket on this case was
#137504). For the record, despite his lack of understanding with
certificates, he did a stand-up job (so I'm told) troubleshooting and
correcting our corrupt Disclaimer Policy folder issues.  This eluded our
technical expertise...and that of two other SB techs. :~) -Jeff

 

From: Alex Eckelberry [mailto:al...@sunbelt-software.com] 
Sent: Friday, March 12, 2010 10:04 AM
To: NT System Admin Issues
Subject: RE: VIPER: NO Disclaimers in email (caused by email digital
certificates)

 

Kevin is right, and I'll make sure the techs know. 

 

Changing a signed document goes directly against what a signed document is
supposed to be...

 

 

Alex

 

 

From: Kevin Lundy [mailto:klu...@gmail.com] 
Sent: Friday, March 12, 2010 12:35 PM
To: NT System Admin Issues
Subject: Re: VIPER: NO Disclaimers in email (caused by email digital
certificates)

 

Yes, all certificate vendors would present this problem to ANY disclaimer
system.  It's not limited to Viper.

 

If you think about what a digital signature is doing - alerting to any
change to a message, this makes sense.  A disclaimer is a change.  So if
Viper were to add a disclaimer, the recipient would get a signature warning.
So the fact that Viper is not adding it is working in your favor.

 

Honestly, I am surprised that SB told you they never heard of anyone using
signatures.  I suspect that was really just the technician you were dealing
with.  I wouldn't be surprised if it were actually a feature they included
(but the technician didn't know about).

 

Options:

1) tell people to use the cert only when needed (e.g. contract agreement,
etc)

2) limit the certs to the small population that needs them - have them put
the disclaimer in their normal signature file

3) integrate the certs into AD and use the transport rule as Michael
suggested

 

 

Kevin

On Fri, Mar 12, 2010 at 11:34 AM, Jeff S. Gottlieb
jeff.s.gottl...@gmail.com wrote:

Kevin,

 

I reworded and reposted this thread (minutes ago) hoping to stimulate more
discussion...and before knowing you replied. Thank you.

 

Interesting enough Sunbelt support, never saw anyone using an email digital
certificate...thus could not offer a remedy.  We do not represent the defense
department so we can live without certificates, but since we are using, and
with issues *maybe* someone has a quick remedy.

 

Let's assume we were a VERY small minority and needed certificates...is this
an issue with COMODO or all certificates in Viper?

 

Based on your logic (below) all certificates would present Viper users with
this issue.

 

-J

 

From: Kevin Lundy [mailto:klu...@gmail.com] 
Sent: Friday, March 12, 2010 7:46 AM
To: NT System Admin Issues
Subject: Re: No Disclaimers in VIPER (caused by use of email digital
certificates)

 

I have no idea if that is a Viper feature or not, but I believe that is the
way you would want it to operate isn't it?  Otherwise, the insertion of the
disclaimer would be modifying the email message, which would cause the
signature to indicate tampering.

 



 

On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb
jeff.s.gottl...@gmail.com wrote:

We just closed a case with Sunbelt...disclaimers appeared in all email
accounts except those using digital certificates. Was wondering if anyone
else experienced the same. - Jeff

 

Exchange 2003

Outlook 2007

Digital Security COMODO

Re: VIPER: NO Disclaimers in email (caused by email digital certificates)

2010-03-12 Thread Kevin Lundy
So is it a programmed feature?

If so, it's the first disclaimer product I'm aware of that does it right out
of the box.

On Fri, Mar 12, 2010 at 1:03 PM, Alex Eckelberry al...@sunbelt-software.com
 wrote:

  Kevin is right, and I'll make sure the techs know.



 Changing a signed document goes directly against what a signed document is
 supposed to be...





 Alex





 *From:* Kevin Lundy [mailto:klu...@gmail.com]
 *Sent:* Friday, March 12, 2010 12:35 PM

 *To:* NT System Admin Issues
 *Subject:* Re: VIPER: NO Disclaimers in email (caused by email digital
 certificates)



 Yes, all certificate vendors would present this problem to ANY disclaimer
 system.  It's not limited to Viper.



 If you think about what a digital signature is doing - alerting to any
 change to a message, this makes sense.  A disclaimer is a change.  So if
 Viper were to add a disclaimer, the recipient would get a signature
 warning.  So the fact that Viper is not adding it is working in your
 favor.



 Honestly, I am surprised that SB told you they never heard of anyone using
 signatures.  I suspect that was really just the technician you were dealing
 with.  I wouldn't be surprised if it were actually a feature they included
 (but the technician didn't know about).



 Options:

 1) tell people to use the cert only when needed (e.g. contract agreement,
 etc)

 2) limit the certs to the small population that needs them - have them put
 the disclaimer in their normal signature file

 3) integrate the certs into AD and use the transport rule as Michael
 suggested





 Kevin

 On Fri, Mar 12, 2010 at 11:34 AM, Jeff S. Gottlieb 
 jeff.s.gottl...@gmail.com wrote:

 Kevin,



 I reworded and reposted this thread (minutes ago) hoping to stimulate more
 discussion…and before knowing you replied. Thank you.



 Interesting enough Sunbelt support, “never saw anyone using an email digital
 certificate”…thus could not offer a remedy.  We do not represent the defense
 department so we can live without certificates, but since we are using, and
 with issues **maybe** someone has a quick remedy.



 Let’s assume we were a VERY small minority and needed certificates…is this
 an issue with COMODO or all certificates in Viper?



 Based on your logic (below) all certificates would present Viper users with
 this issue.



 -J



 *From:* Kevin Lundy [mailto:klu...@gmail.com]
 *Sent:* Friday, March 12, 2010 7:46 AM
 *To:* NT System Admin Issues
 *Subject:* Re: No Disclaimers in VIPER (caused by use of email digital
 certificates)



 I have no idea if that is a Viper feature or not, but I believe that is the
 way you would want it to operate isn't it?  Otherwise, the insertion of the
 disclaimer would be modifying the email message, which would cause the
 signature to indicate tampering.







 On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
 jeff.s.gottl...@gmail.com wrote:

 We just closed a case with Sunbelt…disclaimers appeared in all email
 accounts except those using digital certificates. Was wondering if anyone
 else experienced the same. - Jeff



 Exchange 2003

 Outlook 2007

 Digital Security COMODO

Re: No Disclaimers in VIPER (caused by use of email digital certificates)

2010-03-12 Thread Micheal Espinola Jr
+1  It would alter the message and invalidate the certification - if
happening post-certification (very likely).  As I understand it, most
disclaimer products apply the disclaimer as a last step during the outbound
SMTP transport event.

I'm sure Michael Smith can add much more detail to this.

--
ME2


On Fri, Mar 12, 2010 at 7:46 AM, Kevin Lundy klu...@gmail.com wrote:

 I have no idea if that is a Viper feature or not, but I believe that is the
 way you would want it to operate isn't it?  Otherwise, the insertion of the
 disclaimer would be modifying the email message, which would cause the
 signature to indicate tampering.




 On Fri, Mar 12, 2010 at 3:13 AM, Jeff S. Gottlieb 
 jeff.s.gottl...@gmail.com wrote:

  We just closed a case with Sunbelt…disclaimers appeared in all email
 accounts except those using digital certificates. Was wondering if anyone
 else experienced the same. - Jeff



 Exchange 2003

 Outlook 2007

 Digital Security COMODO
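
Added illustration (not written by anyone in this thread, and not VIPRE or Exchange code): the thread's point that a disclaimer stamped onto mail after signing breaks the signature, next to a gateway rule that leaves S/MIME mail untouched. The messages and function names are constructed for this example, and a SHA-256 comparison of the signed MIME part stands in for full S/MIME verification, since the signature is bound to that digest.

```python
"""Why a disclaimer gateway must leave signed mail alone (added illustration)."""
import hashlib
from email import message_from_bytes, policy

DISCLAIMER = b"This message is confidential. (constructed disclaimer text)"

# Content types that carry S/MIME protection: clear-signed, and opaque
# signed or encrypted (older clients use the x- prefixed form).
PROTECTED_TYPES = {
    "multipart/signed",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}

# Constructed sample: clear-signed message. The second part would hold the
# signature blob; a placeholder is enough because only the bytes of the
# first part are hashed.
SIGNED = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Contract\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=sha-256;"
    b' protocol="application/pkcs7-signature"; boundary="SIGNEDBOUNDARY"\r\n'
    b"\r\n"
    b"--SIGNEDBOUNDARY\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Terms accepted as discussed.\r\n"
    b"--SIGNEDBOUNDARY\r\n"
    b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"\r\n"
    b"(placeholder for the signature blob)\r\n"
    b"--SIGNEDBOUNDARY--\r\n"
)

# Constructed sample: opaque-signed message (content wrapped inside the blob).
OPAQUE = (
    b"From: alice@example.com\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n"
    b"\r\n"
    b"(placeholder for the signed-data blob)\r\n"
)

# Constructed sample: ordinary unsigned message.
PLAIN = (
    b"From: carol@example.com\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Noon works for me.\r\n"
)


def parse(raw):
    return message_from_bytes(raw, policy=policy.SMTP)


def is_protected(raw):
    """True when the top-level content type marks S/MIME signed/encrypted mail."""
    return parse(raw).get_content_type() in PROTECTED_TYPES


def first_part_span(raw):
    """Byte offsets of the first MIME part, the region a clear signature covers."""
    boundary = parse(raw).get_boundary().encode("ascii")
    opener = b"--" + boundary + b"\r\n"
    start = raw.index(opener) + len(opener)
    # The CRLF in front of the next delimiter belongs to the delimiter.
    end = raw.index(b"\r\n--" + boundary, start)
    return start, end


def covered_digest(raw):
    start, end = first_part_span(raw)
    return hashlib.sha256(raw[start:end]).hexdigest()


def naive_stamp(raw):
    """Gateway that appends the disclaimer to every message body."""
    if parse(raw).is_multipart():
        _, end = first_part_span(raw)
        return raw[:end] + b"\r\n\r\n" + DISCLAIMER + raw[end:]
    return raw.rstrip(b"\r\n") + b"\r\n\r\n" + DISCLAIMER + b"\r\n"


def safe_stamp(raw):
    """Gateway that skips S/MIME mail so the signature still verifies."""
    return raw if is_protected(raw) else naive_stamp(raw)


# Digest fixed at signing time on the sender's client.
SIGNED_DIGEST = covered_digest(SIGNED)


def signature_intact(raw):
    """Recipient-side check: does the covered part still hash to the signed value?"""
    return covered_digest(raw) == SIGNED_DIGEST


if __name__ == "__main__":
    print("as sent:          ", signature_intact(SIGNED))
    print("after naive stamp:", signature_intact(naive_stamp(SIGNED)))
    print("after safe stamp: ", signature_intact(safe_stamp(SIGNED)))
```

Re-signing at the gateway, the transport-rule option raised in the thread, is the other way out, and it requires the gateway to hold signing keys.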

RE: Certificates

2008-12-16 Thread Tim Evans
The account you are using to do this with needs to have enroll permissions on 
the certificate server


...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 16, 2008 6:16 AM
To: NT System Admin Issues
Subject: RE: Certificates

Here's what I get in the event log when trying to renew said certificate via 
any of the options: Certificate Request Denied Denied by Policy Module

Google has led me to a few items but to date all have failed (still searching 
though), has anyone seen this error and if so, what was the resolution?

From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, December 15, 2008 11:27 AM
To: NT System Admin Issues
Subject: RE: Certificates

 Are there special considerations I am overlooking if I choose renew cert w/ 
 same key?

None that I know of. That's what I would do.


...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Monday, December 15, 2008 9:54 AM
To: NT System Admin Issues
Subject: Certificates

We have an internal certificate server here and it holds some certificates we 
use for our development web servers - the certificate is set to expire in two 
days. If I look at it under Certificates (Local Computer) / Personal / 
Certificates   it's Issued to Server1, Issued by Server1 and expires 12/17/08. 
How do I renew it? If I select the certificate itself and select All Tasks, 
my options are:


* Request cert with New Key

* Request cert with Same Key

* Renew cert with New key

* Renew cert with Same key

Are there special considerations I am overlooking if I choose renew cert w/ 
same key?
I want the same cert with new date, but as you can tell I have zero experience 
with certifications...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

RE: Certificates

2008-12-16 Thread David Lum
Here's what I get in the event log when trying to renew said certificate via 
any of the options: Certificate Request Denied Denied by Policy Module

Google has led me to a few items but to date all have failed (still searching 
though), has anyone seen this error and if so, what was the resolution?

From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, December 15, 2008 11:27 AM
To: NT System Admin Issues
Subject: RE: Certificates

 Are there special considerations I am overlooking if I choose renew cert w/ 
 same key?

None that I know of. That's what I would do.


...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Monday, December 15, 2008 9:54 AM
To: NT System Admin Issues
Subject: Certificates

We have an internal certificate server here and it holds some certificates we 
use for our development web servers - the certificate is set to expire in two 
days. If I look at it under Certificates (Local Computer) / Personal / 
Certificates   it's Issued to Server1, Issued by Server1 and expires 12/17/08. 
How do I renew it? If I select the certificate itself and select All Tasks, 
my options are:


* Request cert with New Key

* Request cert with Same Key

* Renew cert with New key

* Renew cert with Same key

Are there special considerations I am overlooking if I choose renew cert w/ 
same key?
I want the same cert with new date, but as you can tell I have zero experience 
with certifications...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

Certificates

2008-12-15 Thread David Lum
We have an internal certificate server here and it holds some certificates we 
use for our development web servers - the certificate is set to expire in two 
days. If I look at it under Certificates (Local Computer) / Personal / 
Certificates   it's Issued to Server1, Issued by Server1 and expires 12/17/08. 
How do I renew it? If I select the certificate itself and select All Tasks, 
my options are:


* Request cert with New Key

* Request cert with Same Key

* Renew cert with New key

* Renew cert with Same key

Are there special considerations I am overlooking if I choose renew cert w/ 
same key?
I want the same cert with new date, but as you can tell I have zero experience 
with certifications...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

RE: Certificates

2008-12-15 Thread Tim Evans
 Are there special considerations I am overlooking if I choose renew cert w/ 
 same key?

None that I know of. That's what I would do.


...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Monday, December 15, 2008 9:54 AM
To: NT System Admin Issues
Subject: Certificates

We have an internal certificate server here and it holds some certificates we 
use for our development web servers - the certificate is set to expire in two 
days. If I look at it under Certificates (Local Computer) / Personal / 
Certificates   it's Issued to Server1, Issued by Server1 and expires 12/17/08. 
How do I renew it? If I select the certificate itself and select All Tasks, 
my options are:


* Request cert with New Key

* Request cert with Same Key

* Renew cert with New key

* Renew cert with Same key

Are there special considerations I am overlooking if I choose renew cert w/ 
same key?
I want the same cert with new date, but as you can tell I have zero experience 
with certifications...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

signing certificates for Apache in SBS

2008-07-17 Thread Miguel Gonzalez Castaños

Hi,

 Sorry for the cross posting, I don't know if in the Exchange mailing 
list I'd get the answer or is better to pose this question here


 We have a signed CA by Equifax and I'd like to know if I could sign
certificates for our Apache Web servers. I have tried to issue a
certificate request from apache but when I import it in the
Certification Authority it says that is not following the right
template. I've seen there is a Web Server template, but I don't know

1) How to create a certificate request in SBS

2) If this will work under Apache

Any experience, howto or documentation?

Thanks,

Miguel



~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm  ~


RE: signing certificates for Apache in SBS

2008-07-17 Thread Benjamin Zachary - Lists
You go into IIS, then under the web site you wish to use and then in the
Security tab when you look at SSL it should tell you there isn’t one and
then let you create a certreq.txt or whatever type you require. Then use
that against the CA to generate your keyfile which you import back into IIS
and then enable HTTPS. 


-Original Message-
From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 4:44 PM
To: NT System Admin Issues
Subject: signing certificates for Apache in SBS

Hi,

  Sorry for the cross posting, I don't know if in the Exchange mailing 
list I'd get the answer or is better to pose this question here

  We have a signed CA by Equifax and I'd like to know if I could sign
certificates for our Apache Web servers. I have tried to issue a
certificate request from apache but when I import it in the
Certification Authority it says that is not following the right
template. I've seen there is a Web Server template, but I don't know

1) How to create a certificate request in SBS

2) If this will work under Apache

Any experience, howto or documentation?

Thanks,

Miguel



Re: signing certificates for Apache in SBS

2008-07-17 Thread Miguel Gonzalez Castaños

Should this work with Apache?

Miguel

Benjamin Zachary - Lists wrote:

You go into IIS, then under the web site you wish to use and then in the
Security tab when you look at SSL it should tell you there isn’t one and
then let you create a certreq.txt or whatever type you require. Then use
that against the CA to generate your keyfile which you import back into IIS
and then enable HTTPS. 



-Original Message-
From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 4:44 PM

To: NT System Admin Issues
Subject: signing certificates for Apache in SBS

Hi,

  Sorry for the cross posting, I don't know if in the Exchange mailing 
list I'd get the answer or is better to pose this question here


  We have a signed CA by Equifax and I'd like to know if I could sign
certificates for our Apache Web servers. I have tried to issue a
certificate request from apache but when I import it in the
Certification Authority it says that is not following the right
template. I've seen there is a Web Server template, but I don't know

1) How to create a certificate request in SBS

2) If this will work under Apache

Any experience, howto or documentation?

Thanks,

Miguel

No virus found in this incoming message.
Checked by AVG - http://www.avg.com 
Version: 8.0.138 / Virus Database: 270.5.0/1558 - Release Date: 7/17/2008 9:56 AM



RE: signing certificates for Apache in SBS

2008-07-17 Thread Benjamin Zachary - Lists
I thought you had an apache server handing out certs and you wanted to make
an https cert for the sbs server. Are you saying you have a CertSrv on SBS
and you want to have apache request one? 

I would imagine that could be done if you can create the correct export.txt
request file from apache that windows cert would understand. You could just
go to the sbs/certsrv site, create a new cert and assign it the name and such
and then save it and bring it over to the apache and install it (.pfx?). It's
not going to authenticate correctly anyway in a browser so probably doesn’t
matter the name as long as you get the encryption working. 

-Original Message-
From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 5:04 PM
To: NT System Admin Issues
Subject: Re: signing certificates for Apache in SBS

Should this work with Apache?

Miguel

Benjamin Zachary - Lists wrote:
 You go into IIS, then under the web site you wish to use and then in the
 Security tab when you look at SSL it should tell you there isn’t one and
 then let you create a certreq.txt or whatever type you require. Then use
 that against the CA to generate your keyfile which you import back into
IIS
 and then enable HTTPS. 


 -Original Message-
 From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 17, 2008 4:44 PM
 To: NT System Admin Issues
 Subject: signing certificates for Apache in SBS

 Hi,

   Sorry for the cross posting, I don't know if in the Exchange mailing 
 list I'd get the answer or is better to pose this question here

   We have a signed CA by Equifax and I'd like to know if I could sign
 certificates for our Apache Web servers. I have tried to issue a
 certificate request from apache but when I import it in the
 Certification Authority it says that is not following the right
 template. I've seen there is a Web Server template, but I don't know

 1) How to create a certificate request in SBS

 2) If this will work under Apache

 Any experience, howto or documentation?

 Thanks,

 Miguel





RE: signing certificates for Apache in SBS

2008-07-17 Thread Ken Schaefer
The certificate request you generate is in a standard format. If you want to 
know how to generate one for your particular webserver just go to one of the 
SSL vendor's websites (e.g. GoDaddy, Digicert etc). They have instructions on 
generating certificate request files for all the major web servers.

Then, instead of submitting the certificate request to the SSL vendor, submit 
it to your existing Windows CA.

Cheers
Ken

 -Original Message-
 From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED]
 Sent: Friday, 18 July 2008 7:04 AM
 To: NT System Admin Issues
 Subject: Re: signing certificates for Apache in SBS

 Should this work with Apache?

 Miguel

 Benjamin Zachary - Lists wrote:
  You go into IIS, then under the web site you wish to use and then in the
  Security tab when you look at SSL it should tell you there isn't one and
  then let you create a certreq.txt or whatever type you require. Then use
  that against the CA to generate your keyfile which you import back into IIS
  and then enable HTTPS.
 
 
  -Original Message-
  From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 17, 2008 4:44 PM
  To: NT System Admin Issues
  Subject: signing certificates for Apache in SBS
 
  Hi,
 
Sorry for the cross posting, I don't know if in the Exchange mailing
  list I'd get the answer or is better to pose this question here
 
We have a signed CA by Equifax and I'd like to know if I could sign
  certificates for our Apache Web servers. I have tried to issue a
  certificate request from apache but when I import it in the
  Certification Authority it says that is not following the right
  template. I've seen there is a Web Server template, but I don't know
 
  1) How to create a certificate request in SBS
 
  2) If this will work under Apache
 
  Any experience, howto or documentation?
 
  Thanks,
 
  Miguel




RE: signing certificates for Apache in SBS

2008-07-17 Thread Jim Majorowicz
The Apache are a bunch of lowdown dirty sidewinders that'll bite'cha as soon
as look at'cha.

.
.
.

Wait, we're not filming a 50's Western here?  My bad.  You should be able to
apply your 3rd party cert to both, but you may have to do it once for each
as a separate system.  How you do it in Apache, I haven't a clue.

-Original Message-
From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 2:04 PM
To: NT System Admin Issues
Subject: Re: signing certificates for Apache in SBS

Should this work with Apache?

Miguel

Benjamin Zachary - Lists wrote:
 You go into IIS, then under the web site you wish to use and then in the
 Security tab when you look at SSL it should tell you there isn’t one and
 then let you create a certreq.txt or whatever type you require. Then use
 that against the CA to generate your keyfile which you import back into
IIS
 and then enable HTTPS. 


 -Original Message-
 From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 17, 2008 4:44 PM
 To: NT System Admin Issues
 Subject: signing certificates for Apache in SBS

 Hi,

   Sorry for the cross posting, I don't know if in the Exchange mailing 
 list I'd get the answer or is better to pose this question here

   We have a signed CA by Equifax and I'd like to know if I could sign
 certificates for our Apache Web servers. I have tried to issue a
 certificate request from apache but when I import it in the
 Certification Authority it says that is not following the right
 template. I've seen there is a Web Server template, but I don't know

 1) How to create a certificate request in SBS

 2) If this will work under Apache

 Any experience, howto or documentation?

 Thanks,

 Miguel





RE: signing certificates for Apache in SBS

2008-07-17 Thread Ken Schaefer
Oh - if you have a third party cert that you want to install into a system, 
then the cert will initially only have the public key. You need to match it up 
with the private key, then export the cert (with both keys), and then install 
it on the other system

Cheers
Ken

 -Original Message-
 From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
 Sent: Friday, 18 July 2008 9:29 AM
 To: NT System Admin Issues
 Subject: RE: signing certificates for Apache in SBS

 The Apache are a bunch of lowdown dirty sidewinders that'll bite'cha as soon
 as look at'cha.

 .
 .
 .

 Wait, we're not filming a 50's Western here?  My bad.  You should be able to
 apply your 3rd party cert to both, but you may have to do it once for each
 as a separate system.  How you do it in Apache, I haven't a clue.

 -Original Message-
 From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 17, 2008 2:04 PM
 To: NT System Admin Issues
 Subject: Re: signing certificates for Apache in SBS

 Should this work with Apache?

 Miguel

 Benjamin Zachary - Lists wrote:
  You go into IIS, then under the web site you wish to use and then in the
  Security tab when you look at SSL it should tell you there isn't one and
  then let you create a certreq.txt or whatever type you require. Then use
  that against the CA to generate your keyfile which you import back into
 IIS
  and then enable HTTPS.
 
 
  -Original Message-
  From: Miguel Gonzalez Castaños [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 17, 2008 4:44 PM
  To: NT System Admin Issues
  Subject: signing certificates for Apache in SBS
 
  Hi,
 
Sorry for the cross posting, I don't know if in the Exchange mailing
  list I'd get the answer or is better to pose this question here
 
We have a signed CA by Equifax and I'd like to know if I could sign
  certificates for our Apache Web servers. I have tried to issue a
  certificate request from apache but when I import it in the
  Certification Authority it says that is not following the right
  template. I've seen there is a Web Server template, but I don't know
 
  1) How to create a certificate request in SBS
 
  2) If this will work under Apache
 
  Any experience, howto or documentation?
 
  Thanks,
 
  Miguel
 
 
 


Certificates for Exchange question

2008-07-15 Thread Oliver Marshall
Anyone know if the certs from Certificates for Exchange are supported on
Windows Mobile 6.0 and 6.1? We currently use Entrust for our SSL certs
for OWA in order that remote users can use their pda phones. However
moving to CFE would be tempting.

 

Olly

 


RE: Certificates for Exchange question

2008-07-15 Thread Simon Butler
The certificates are supported by most Windows Mobile devices from 5.0 with 
MSFP and higher - which includes 6.0 and 6.1. I have seen the root certificate 
removed from some devices, but they are in the core that is supplied from 
Microsoft and are in the emulator images. Why some vendors remove them I do not 
know - probably so they can get their preferred music downloader/facebook/other 
time wasting, data using application on the device instead.

If you have the device you need support for then look in the root certificate 
list for Starfield Class 2, http://valicert.com/ and GoDaddy Class 2 
Certificates as those are the required roots.

Simon.


From: Oliver Marshall [mailto:[EMAIL PROTECTED]
Sent: 15 July 2008 08:55
To: NT System Admin Issues
Subject: Certificates for Exchange question

Anyone know if the certs from Certificates for Exchange are supported on 
Windows Mobile 6.0 and 6.1 ? We currently use Entrust for our SSL certs for OWA 
in order that remote users can use their pda phones. However moving to CFE 
would be tempting.

Olly










certificate renewals on a box with multiple certificates

2008-05-14 Thread Kevin Edwards
Hi All
   
  We have ISA2006 publishing owa and Symantec Enterprise Vault. On the ISA 
server I looked via the MMC and there's 2 certs ev.blah.com and owa.blah.com 
both from thawte. 

Same thing on our two exchange 2003 front end servers. What I'd like to do is 
generate a renewal request for the ev.blah.com certificate. But if I run the 
wizard from the default website level I don't get a renewal option which is 
what I want. 

If I run it with the 'assign a certificate' box checked it does show both 
certificates there. If I try on a subsite the 'server certificate' button is 
greyed out. 

I suppose I could export the cert via the MMC - import it into another server 
that doesn't have any cert and do the renewal from there - but that's not 
exactly convenient. 

Any ideas greatly appreciated.
   
   

   

RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Ken Schaefer
If you just want a quick-n-dirty way to do this via the GUI:

1. In IIS create a new website (just a dummy one). Run it on some arbitrary port
2. Assign the certificate you wish to renew
3. Use the wizard to generate the necessary renewal CSR
4. Submit the CSR, and get your new certificate
5. Import it into IIS via the wizard
6. Assign the renewed cert to the real site (or export the cert and import onto 
   your real server)
7. Delete dummy website

Cheers
Ken

From: Kevin Edwards [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 May 2008 5:26 PM
To: NT System Admin Issues
Subject: certificate renewals on a box with multiple certificates

Hi All

We have ISA2006 publishing owa and Symantec Enterprise Vault. On the ISA server 
I looked via the MMC and there's 2 certs ev.blah.com and owa.blah.com both from 
thawte.

Same thing on our two exchange 2003 front end servers. What I'd like to do is 
generate a renewal request for the ev.blah.com certificate. But if I run the 
wizard from the default website level I don't get a renewal option which is 
what I want.

If I run it with the 'assign a certificate' box checked it does show both 
certificates there. If I try on a subsite the 'server certificate' button is 
greyed out.

I suppose I could export the cert via the MMC - import it into another server 
that doesn't have any cert and do the renewal from there - but that's not 
exactly convenient.

Any ideas greatly appreciated.






RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Kevin Edwards
Thanks Ken -  I'd thought that assigning it moves the cert but from what you're 
describing it's more like a pointer i.e. we want this cert to apply to these 
sites and this cert to apply  to this other group of sites.

Is this something I could safely play with during the day on this production 
box?

Ken Schaefer [EMAIL PROTECTED] wrote:
If you just want a quick-n-dirty way to do this via the GUI:
   
  In IIS create a new website (just a dummy one). Run it on some arbitrary port
  Assign the certificate you wish to renew
  Use the wizard to generate the necessary renewal CSR
  Submit the CSR, and get your new certificate
  Import it into IIS via the wizard
  Assign the renewed cert to the real site (or export the cert and import onto 
your real server)
  Delete dummy website
   
  Cheers
  Ken
   
From: Kevin Edwards [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 14 May 2008 5:26 PM
 To: NT System Admin Issues
 Subject: certificate renewals on a box with multiple certificates
  
  
   
Hi All
  
 
  
We have ISA2006 publishing owa and Symantec Enterprise Vault. On the ISA 
server I looked via the MMC and there's 2 certs ev.blah.com and owa.blah.com 
both from thawte. 
 
 Same thing on our two exchange 2003 front end servers. What I'd like to do is 
generate a renewal request for the ev.blah.com certificate. But if I run the 
wizard from the default website level I don't get a renewal option which is 
what I want. 
 
 If I run it with the 'assign a certificate' box checked it does show both 
certificates there. If I try on a subsite the 'server certificate' button is 
greyed out. 
 
 I suppose I could export the cert via the MMC - import it into another server 
that doesn't have any cert and do the renewal from there - but that's not 
exactly convenient. 
 
 Any ideas greatly appreciated.
  
 
  
 
  

  
  
  
 





   

RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Ken Schaefer
Hi,

The way certs work in IIS is:

a)  The metabase has a node called SSLCertHash that contains the thumbprint 
of the cert you want to use

b)  The certs are stored in the local Machine certificate store. Each cert 
has a thumbprint property.

See: http://www.adopenstatic.com/cs/blogs/ken/archive/2007/05/12/5050.aspx for 
some pictures of what I mean.

Since the certs are stored in the certificate store, you can manipulate them 
just like any other cert (e.g. using certutil.exe). But if you just want a 
quick one-off way of renewing a cert you can do what I wrote below to generate 
a new CSR to send to Thawte.

Cheers
Ken

From: Kevin Edwards [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 May 2008 7:54 PM
To: NT System Admin Issues
Subject: RE: certificate renewals on a box with multiple certificates

Thanks Ken -  I'd thought that assigning it moves the cert but from what you're 
describing it's more like a pointer i.e. we want this cert to apply to these 
sites and this cert to apply  to this other group of sites.

Is this something I could safely play with during the day on this production 
box?

Ken Schaefer [EMAIL PROTECTED] wrote:
If you just want a quick-n-dirty way to do this via the GUI:

In IIS create a new website (just a dummy one). Run it on some arbitrary port
Assign the certificate you wish to renew
Use the wizard to generate the necessary renewal CSR
Submit the CSR, and get your new certificate
Import it into IIS via the wizard
Assign the renewed cert to the real site (or export the cert and import onto 
your real server)
Delete dummy website

Cheers
Ken

From: Kevin Edwards [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 May 2008 5:26 PM
To: NT System Admin Issues
Subject: certificate renewals on a box with multiple certificates

Hi All

We have ISA2006 publishing owa and Symantec Enterprise Vault. On the ISA server 
I looked via the MMC and there's 2 certs ev.blah.com and owa.blah.com both from 
thawte.

Same thing on our two exchange 2003 front end servers. What I'd like to do is 
generate a renewal request for the ev.blah.com certificate. But if I run the 
wizard from the default website level I don't get a renewal option which is 
what I want.

If I run it with the 'assign a certificate' box checked it does show both 
certificates there. If I try on a subsite the 'server certificate' button is 
greyed out.

I suppose I could export the cert via the MMC - import it into another server 
that doesn't have any cert and do the renewal from there - but that's not 
exactly convenient.

Any ideas greatly appreciated.
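
The pointer model Ken describes in this message (a site's SSLCertHash holds a thumbprint, the certificate itself lives in the machine store), as an added example that is not part of the thread. The certificate bytes are constructed stand-ins rather than real DER, the site names "EV site" and "Dummy renewal site" and the helper `make_pem` are hypothetical, and the dictionaries only model the metabase and the store.

```python
import base64
import hashlib

HEX = set("0123456789abcdefABCDEF")


def pem_to_der(pem):
    """Return the raw bytes held between the BEGIN/END CERTIFICATE lines."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the whole encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def normalise(text):
    """Clean a thumbprint pasted from the certificate dialog.

    Pasted values often carry spaces and an invisible U+200E mark;
    keeping only hex digits removes both.
    """
    return "".join(ch for ch in text if ch in HEX).upper()


def resolve_bindings(bindings, store):
    """Map each site to the subject its SSLCertHash points at (None if dangling)."""
    return {site: store.get(normalise(tp)) for site, tp in bindings.items()}


def sites_on(bindings, tp):
    """Sites whose SSLCertHash still points at the given thumbprint."""
    wanted = normalise(tp)
    return sorted(s for s, b in bindings.items() if normalise(b) == wanted)


def make_pem(stand_in):
    """Hypothetical helper: wrap constructed bytes in a PEM envelope."""
    b64 = base64.encodebytes(stand_in).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for the two certificates named in the thread.
EV_OLD = make_pem(b"constructed stand-in: ev.blah.com, serial 01")
OWA = make_pem(b"constructed stand-in: owa.blah.com, serial 02")
EV_NEW = make_pem(b"constructed stand-in: ev.blah.com, serial 03 (renewed)")


def demo():
    ev_old_tp = thumbprint(pem_to_der(EV_OLD))
    ev_new_tp = thumbprint(pem_to_der(EV_NEW))
    owa_tp = thumbprint(pem_to_der(OWA))
    store = {ev_old_tp: "ev.blah.com", owa_tp: "owa.blah.com"}

    # As pasted from the GUI: lower case, spaced, leading U+200E.
    pasted = "\u200e" + " ".join(
        ev_old_tp[i:i + 2] for i in range(0, 40, 2)).lower()
    bindings = {
        "Default Web Site": owa_tp,
        "EV site": pasted,
        "Dummy renewal site": ev_old_tp,  # assigning copies a pointer, not the cert
    }
    before = resolve_bindings(bindings, store)

    # Renewal adds a new certificate with a new thumbprint; no binding moves.
    store[ev_new_tp] = "ev.blah.com"
    still_on_old = sites_on(bindings, ev_old_tp)
    on_new = sites_on(bindings, ev_new_tp)
    return before, still_on_old, on_new


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Because the renewed certificate hashes to a different thumbprint, every site listed under the old one keeps presenting the old certificate until its binding is re-pointed, which is the "assign the renewed cert to the real site" step in the procedure quoted above.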









Question on domain controller certificates

2008-03-29 Thread Ski Kacoroski
Hi,

I have two separate windows 2003 domains.  In domainA I have a
certificate authority and for domainA DC I was able to sign a cert
with no problems.  However, when I try to sign a cert using the
certificate authority in domainA for the domainB DC I keep getting
errors like:

DNS name is unavailable and cannot be added to Subject Alternate name

Appreciate any hints and ideas on how to get a certificate set up for
my domainB DC.

Thanks in advance.

Ski

-- 
When we try to pick out anything by itself, we find it
 connected to the entire universeJohn Muir

Chris Ski Kacoroski, [EMAIL PROTECTED], 206-501-9803
or ski98033 on most IM services and gizmo



RE: Question on domain controller certificates

2008-03-29 Thread Benjamin Zachary
You may want to check the event log for errors to help you further, I had a
problem similar but not exact to this recently and it was resolved by adding
Domain Controllers to the DCOM_CERT_SRV group.

-Original Message-
From: Ski Kacoroski [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 29, 2008 11:24 AM
To: NT System Admin Issues
Subject: Question on domain controller certificates

Hi,

I have two separate windows 2003 domains.  In domainA I have a
certificate authority and for domainA DC I was able to sign a cert
with no problems.  However, when I try to sign a cert using the
certificate authority in domainA for the domainB DC I keep getting
errors like:

DNS name is unavailable and cannot be added to Subject Alternate name

Appreciate any hints and ideas on how to get a certificate set up for
my domainB DC.

Thanks in advance.

Ski

-- 
When we try to pick out anything by itself, we find it
 connected to the entire universeJohn Muir

Chris Ski Kacoroski, [EMAIL PROTECTED], 206-501-9803
or ski98033 on most IM services and gizmo



RE: Wachovia Connection banking reminder: New Certificates 2008

2008-03-06 Thread Joe Heaton
Lol, English is a wonderful thing...

It means that your password and ID will not be changed but will be logged 
differentially. 

I'm guessing the intended word was differently, not differentially.

My spam filter blocks these types of messages from what seems like a dozen 
different financial institutions.


Joe Heaton

-Original Message-
From: Lee, Damon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2008 6:51 AM
To: NT System Admin Issues
Subject: RE: Wachovia Connection banking reminder: New Certificates 2008

I've gotten a hand full of them too.

-Original Message-
From: Christopher Boggs [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 9:43 AM
To: NT System Admin Issues
Subject: Re: Wachovia Connection banking reminder: New Certificates 2008

Just from the techno babble I'd say its bogus.

The URL looks fake too.

- Original Message -
From: Jay Williams
To: Security
Sent: Thu Mar 06 08:36:01 2008
Subject: FW: Wachovia Connection banking reminder: New Certificates 2008

I was just wondering if everyone received the email below and was wanting to 
make sure it wasn't a scam to get personal information.

 

Thanks

Jay



From: Wachovia Connection banking Consumer support [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 4:15 AM
To: Jay Williams
Subject: Wachovia Connection banking reminder: New Certificates 2008

 

 





IMPORTANT SECURITY NOTICE

All Users - Must Accept New Digital Security Certificate 2008 (SecurityISO 
27001 Certification Consulting)

Customers of numerous banks have been victims of ACH and wire transfer fraud in 
recent weeks, resulting in the origination of unauthorized ACH entries and wire 
transfers from customers' computer systems.

Wachovia  Enhanced Security Authentication We have enhanced the Wachovia  
security access to further safeguard access to your account information.

Starting from tomorrow system of access to work fields is transferred to coding 
with a certificate. It means that your password and ID will not be changed but 
will be logged differentially. The only necessary conditions includes the 
following: you only need to log the first source-certificate which will 
generate further conversion. Thereto you have to follow the link 
http://wc.wachovia.com/online 
http://wc.wachovia.ibsIDcmopserver.cmserver.access70627216.default.servletDOLOGIN.verify.cfm.wachonline.com/index.htm
  and enter your access code and ID in the appropriate fields. 

We would like to draw your attention to the fact that all fields must be filled 
out, otherwise the system will block escape to the next level and you can not 
start work with your personal data. 

Should all necessary fields be filled in and password and ID concur with those 
registered in our system, you will get access to the work field. After that 
your personal identification Certificate will be successfully logged in the 
system. No other operations from your part are required. 

Thank you for cooperation and support.
IT Security Department 






© 2008 Wachovia Corporation. All rights reserved.
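
The link in the forwarded message above, checked the way a mail filter might check it (an added example, not part of the thread). It assumes the first URL was the visible link text and the second the real target, which the archive flattened into adjacent lines; the two-label registrable-domain rule and the label-depth threshold are simplifications chosen for this example.

```python
from urllib.parse import urlsplit

MAX_LABELS = 5  # assumed threshold for a suspiciously deep hostname


def host_of(text):
    """Lower-cased hostname of a URL, or '' when the text is not a URL."""
    if "://" not in text:
        return ""
    try:
        return (urlsplit(text.strip()).hostname or "").rstrip(".")
    except ValueError:
        return ""


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host.

    Assumption: adequate for the .com hosts in this thread; production
    code should consult the Public Suffix List instead.
    """
    labels = [part for part in host.split(".") if part]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_link(displayed_text, target_url, brand_domain):
    """Return the list of findings for one link, in a fixed order."""
    target_host = host_of(target_url)
    if not target_host:
        return ["unparseable-target"]

    findings = []
    labels = target_host.split(".")
    target_reg = registrable_domain(target_host)
    brand_label = brand_domain.split(".")[0]

    # The domain that actually receives the request is not the brand's.
    if target_reg != brand_domain:
        findings.append("foreign-domain")
        # The brand name appears only as a subdomain label, where the
        # owner of the foreign domain can put any text they like.
        if brand_label in labels[:-2]:
            findings.append("brand-in-subdomain")

    # The visible text is itself a URL, but for a different domain.
    shown_host = host_of(displayed_text)
    if shown_host and registrable_domain(shown_host) != target_reg:
        findings.append("display-target-mismatch")

    if len(labels) > MAX_LABELS:
        findings.append("deep-host")
    return findings


# The two URLs exactly as they appear in the forwarded message.
BRAND = "wachovia.com"
DISPLAYED = "http://wc.wachovia.com/online"
TARGET = ("http://wc.wachovia.ibsIDcmopserver.cmserver.access70627216."
          "default.servletDOLOGIN.verify.cfm.wachonline.com/index.htm")

if __name__ == "__main__":
    print(registrable_domain(host_of(TARGET)))
    print(analyse_link(DISPLAYED, TARGET, BRAND))
```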

 



 




Re: SSL certificates

2008-01-23 Thread Jim McAtee
We used to use Thawte until Verisign bought them and raised the prices. 
Then Comodo/InstantSSL.  I recently went to renew a couple of Comodo 
certificates and was floored by all the different certificate offerings. 
And after much reading, couldn't tell the difference between most of them. 
I remember maybe two products just a couple of years ago.  The cheapest 
available this time was about $80 per year.  It was issued by using an 
email address associated with WHOIS information on the domain to confirm 
and approve the issuance of the certificate.


Then I found an online reseller of GeoTrust and RapidSSL.  RapidSSL is a 
division of GeoTrust, which is a division of Verisign.  Bought a RapidSSL 
cert for under $13 per year for our Intranet site.  Then, for our public 
web site that handles online payments, I bought an OpenSSL cert for about 
$47 per year, thinking that there just may be some justification for the 
higher cost.  After they were issued, I examined them and found that they 
were _identical_ except for the domain names and GeoTrust brand on the 
OpenSSL certificate.


When Verisign buys these companies, they just keep the company name and 
attempt to target a different price strata.  It's ludicrous, because 
they're all selling the same product for anywhere from $15 to $300 or more 
per year.  If you think that even one person in 1000 who visits a secure 
web site examines the certificate and notes the issuer, or the name of 
subject, you're kidding yourself.  And if you're buying a certificate for 
internal use, you'd be insane to pay more than $15 a year.




- Original Message - 
From: Joe Heaton

To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Friday, January 18, 2008 8:53 AM
Subject: SSL certificates


Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for
renewal, and I want to look around at other options, but don't want to
get sucked into a bad issuing authority.




RE: SSL certificates

2008-01-19 Thread Simon Butler
No, that isn't correct.
GoDaddy's root certificate was first added to Windows Mobile 5 with the MSFP 
upgrade. As most devices have a MSFP build available they should be able to get 
one with the root certificate included.
If there is still a problem with a missing certificate, both the root and the 
intermediate certificate can be imported on to any device using the cabinet 
file method. There is no GUI or other tool to do it. It takes a few more 
minutes to setup, but as you can combine the two certificates in to a single 
cabinet file, for the few minutes it takes to create one more than makes up for 
the savings made. Instructions: http://www.amset.info/pocketpc/certificates3.asp
However almost all Windows Mobile devices on the market now support the GoDaddy 
certificate.

Simon.


From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: 19 January 2008 00:56
To: NT System Admin Issues
Subject: RE: SSL certificates


Yeah - WM5 devices are not capable of requesting the entire certificate chain 
if your cert (e.g. from GoDaddy) is signed by an intermediate CA not in the 
device's cert store. I believe that this was added in WM6 (but I'm not 100% 
sure)

Cheers
Ken

From: Rick Corgiat [mailto:[EMAIL PROTECTED]
Sent: Saturday, 19 January 2008 5:24 AM
To: NT System Admin Issues
Subject: RE: SSL certificates


Be sure to investigate whether or not mobile devices will work with the lesser 
known cert providers. I recently had a tough time getting an older Cingular 
phone to work with a GoDaddy cert.

Rick


From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates


Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, and 
I want to look around at other options, but don't want to get sucked into a bad 
issuing authority.

Joe Heaton

RE: SSL certificates

2008-01-19 Thread Ken Schaefer
GoDaddy originally had certs signed by Starfield (which was in the WM5 root cert 
store). They have subsequently changed this. When I replaced a bunch of GoDaddy 
certs, I ran into this issue.

Importing certs is easy on WM5 PocketPC Phone edition (I should have made that 
clear), but not so easy on Smartphones - your smartphone may be configured to 
require a signed executable if you want to run an app on the phone. You can go 
down the cab file method - there are also instructions on the Windows Mobile 
team's blog. But if you have 100 or 1000 of these devices, that is not a 
trivial process.

Cheers
Ken

From: Simon Butler [mailto:[EMAIL PROTECTED]
Sent: Saturday, 19 January 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: SSL certificates


No, that isn't correct.
GoDaddy's root certificate was first added to Windows Mobile 5 with the MSFP 
upgrade. As most devices have a MSFP build available they should be able to get 
one with the root certificate included.
If there is still a problem with a missing certificate, both the root and the 
intermediate certificate can be imported on to any device using the cabinet 
file method. There is no GUI or other tool to do it. It takes a few more 
minutes to setup, but as you can combine the two certificates in to a single 
cabinet file, for the few minutes it takes to create one more than makes up for 
the savings made. Instructions: http://www.amset.info/pocketpc/certificates3.asp
However almost all Windows Mobile devices on the market now support the GoDaddy 
certificate.

Simon.


From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: 19 January 2008 00:56
To: NT System Admin Issues
Subject: RE: SSL certificates

Yeah - WM5 devices are not capable of requesting the entire certificate chain 
if your cert (e.g. from GoDaddy) is signed by an intermediate CA not in the 
device's cert store. I believe that this was added in WM6 (but I'm not 100% 
sure)

Cheers
Ken

From: Rick Corgiat [mailto:[EMAIL PROTECTED]
Sent: Saturday, 19 January 2008 5:24 AM
To: NT System Admin Issues
Subject: RE: SSL certificates


Be sure to investigate whether or not mobile devices will work with the lesser 
known cert providers. I recently had a tough time getting an older Cingular 
phone to work with a GoDaddy cert.

Rick


From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates


Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, and 
I want to look around at other options, but don't want to get sucked into a bad 
issuing authority.

Joe Heaton

Re: SSL certificates

2008-01-18 Thread jeff . wilhelm
Comodo - InstantSSL





Joe Heaton [EMAIL PROTECTED] 
01/18/2008 10:53 AM
Please respond to
NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com


To
NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
cc

Subject
SSL certificates







Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, 
and I want to look around at other options, but don't want to get sucked 
into a bad issuing authority.
 
Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

SSL certificates

2008-01-18 Thread Joe Heaton
Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for
renewal, and I want to look around at other options, but don't want to
get sucked into a bad issuing authority.

 

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

RE: SSL certificates

2008-01-18 Thread Louis, Joe
I use Thawte. Been for years now. Great company to work with. 
 
Funny though... In another thread we were discussing domain name hijacking.
I let one of my certs expire as we changed the domain name, and I'm getting
spammed by mail and phone from others trying to get me to move my cert/renew
with them for that domain name. 


From: Bill Lambert [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 10:58 AM
To: NT System Admin Issues
Subject: RE: SSL certificates




I let all my Verisign certs expire and went with Digicert.  Cheaper (but not
the cheapest) and excellent customer service.  

 

Bill Lambert
Concuity
847-941-9206

 

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates

 

 

Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for renewal,
and I want to look around at other options, but don't want to get sucked
into a bad issuing authority.

 

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

RE: SSL certificates

2008-01-18 Thread Bill Lambert
I let all my Verisign certs expire and went with Digicert.  Cheaper (but
not the cheapest) and excellent customer service.  

 

Bill Lambert
Concuity
847-941-9206

 

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates

 

 

Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for
renewal, and I want to look around at other options, but don't want to
get sucked into a bad issuing authority.

 

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

RE: SSL certificates

2008-01-18 Thread Ken Schaefer
Yeah - WM5 devices are not capable of requesting the entire certificate chain 
if your cert (e.g. from GoDaddy) is signed by an intermediate CA not in the 
device's cert store. I believe that this was added in WM6 (but I'm not 100% 
sure)

Cheers
Ken

From: Rick Corgiat [mailto:[EMAIL PROTECTED]
Sent: Saturday, 19 January 2008 5:24 AM
To: NT System Admin Issues
Subject: RE: SSL certificates


Be sure to investigate whether or not mobile devices will work with the lesser 
known cert providers. I recently had a tough time getting an older Cingular 
phone to work with a GoDaddy cert.

Rick


From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates


Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, and 
I want to look around at other options, but don't want to get sucked into a bad 
issuing authority.

Joe Heaton

RE: SSL certificates

2008-01-18 Thread Andy Ognenoff
Both Thawte and GeoTrust (the one we use) are now owned by Verisign – but
all with different pricing.

 - Andy O. 

From: Louis, Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 10:02 AM
To: NT System Admin Issues
Subject: RE: SSL certificates

I use Thawte. Been for years now. Great company to work with. 
 
Funny though... In another thread we were discussing domain name hijacking.
 I let one of my certs expire as we changed the domain name, and I'm getting
spammed by mail and phone from others trying to get me to move my cert/renew
with them for that domain name. 




RE: SSL certificates

2008-01-18 Thread Rick Corgiat
Be sure to investigate whether or not mobile devices will work with the
lesser known cert providers. I recently had a tough time getting an older
Cingular phone to work with a GoDaddy cert.

 

Rick

 



From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 9:54 AM
To: NT System Admin Issues
Subject: SSL certificates

 

 

Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for
renewal, and I want to look around at other options, but don't want to
get sucked into a bad issuing authority.

 

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

RE: SSL certificates

2008-01-18 Thread Joe Heaton
It's the name recognition, not necessarily the reputation.  I just don't like 
the idea of having to pay $200 per year per cert more than going with another 
company, like Thawte.  Which is why I was asking here.  

Joe Heaton
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 9:17 AM
To: NT System Admin Issues
Subject: RE: SSL certificates

What reputation is that, their poor customer service, bad business practices, 
or general arrogance that makes them so distasteful to deal with?


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 11:08 AM
To: NT System Admin Issues
Subject: RE: SSL certificates

I've used http://www.certificatesforexchange.com/ for an SSL cert for OWA.  
Just as good as the big guys and cheap!  Also purchased one through Godaddy.com 
a couple years ago - same authority, I think.

For online business transactions, however, I'd stick with Verisign, Thawte, or 
Geotrust for their recognition and reputation.


Roger Wright 
Network Administrator 
Evatone, Inc. 
727.572.7076  x388 
 
Artificial Intelligence:  Making computers behave like they do in the movies. 
  
  
From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 10:54 AM 
To: NT System Admin Issues 
Subject: SSL certificates 
  
  
Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, and 
I want to look around at other options, but don't want to get sucked into a bad 
issuing authority.
  
Joe Heaton 
AISA 
Employment Training Panel 
1100 J Street, 4th Floor 
Sacramento, CA  95814 
(916) 327-5276 
[EMAIL PROTECTED]


RE: SSL certificates

2008-01-18 Thread Eldridge, Dave
directnic.com
Been using them for years.



From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 8:54 AM
To: NT System Admin Issues
Subject: SSL certificates




Someone recently mentioned an SSL issuing authority that they were using
outside of Verisign.  We have a certificate that is coming up for
renewal, and I want to look around at other options, but don't want to
get sucked into a bad issuing authority.

 

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]

RE: SSL certificates

2008-01-18 Thread gsweers
What reputation is that, their poor customer service, bad business practices, 
or general arrogance that makes them so distasteful to deal with?


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 11:08 AM
To: NT System Admin Issues
Subject: RE: SSL certificates

I've used http://www.certificatesforexchange.com/ for an SSL cert for OWA.  
Just as good as the big guys and cheap!  Also purchased one through Godaddy.com 
a couple years ago - same authority, I think.

For online business transactions, however, I'd stick with Verisign, Thawte, or 
Geotrust for their recognition and reputation.


Roger Wright 
Network Administrator 
Evatone, Inc. 
727.572.7076  x388 
 
Artificial Intelligence:  Making computers behave like they do in the movies. 
  
  
From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 10:54 AM 
To: NT System Admin Issues 
Subject: SSL certificates 
  
  
Someone recently mentioned an SSL issuing authority that they were using 
outside of Verisign.  We have a certificate that is coming up for renewal, and 
I want to look around at other options, but don't want to get sucked into a bad 
issuing authority.
  
Joe Heaton 
AISA 
Employment Training Panel 
1100 J Street, 4th Floor 
Sacramento, CA  95814 
(916) 327-5276 
[EMAIL PROTECTED]