List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: Re: [ActiveDir] [OT] PKI infrastructure and webmail [SOLVED}

Author: AlRose
Posted: 05/28/2010 5:14 PM
Solved it, I had to re-sign from the root CAs and I was trying from the
subordinate.

On Fri, May 28, 2010 at 3:51 PM, Al Rose <arose107@gmail.com> wrote:

> Hi Ken,
>
> Actually I don't get the pop-up window trying to access a website, I get the
> pop-up window trying to sign the CRL.
> I am trying to re-sign a CRL on a server, the CDP is http://... so the CRL is
> located on an IIS box that has a web folder where CRL files are. I picked
> the expired one and tried to run certutil -sign but I don't understand why it
> can't re-sign it (why this box is empty).
>
> Thanks for the book mention, I will try to get it.
>
>
> On Fri, May 28, 2010 at 2:28 PM, Ken Schaefer <Ken@adopenstatic.com> wrote:
>
>> Hi,
>>
>>
>>
>> Just quickly, as on the run:
>>
>>
>>
>> Strongly recommend picking up Brian Komar’s PKI book, as that will explain
>> a lot of the basics here.
>>
>>
>>
>> CDP – CRL Distribution Point. It’s not a place where you publish certs –
>> it’s where you publish your CRL (cert revocation list), so that
>> people/devices can check what certificates you’ve revoked.
>>
>>
>>
>> If you are being prompted for a certificate in IE, when connecting to a
>> website, then it means that IIS has been configured to require client
>> authentication certs. If you don’t see one available in the pop-up, it means
>> that your user profile on the machine you are using doesn’t have a user
>> authN cert from a CA that IIS trusts. If this is your IIS server, you could
>> issue yourself an appropriate client-authN cert to allow you to connect.
>>
>>
>>
>> Cheers
>>
>> Ken
>>
>>
>>
>> *From:* activedir-owner@mail.activedir.org [mailto:
>> activedir-owner@mail.activedir.org] *On Behalf Of *Al Rose
>> *Sent:* Friday, 28 May 2010 10:04 PM
>> *To:* activedir@mail.activedir.org
>> *Subject:* [ActiveDir] [OT] PKI infrastructure and webmail
>>
>>
>>
>> Hi all,
>>
>>
>>
>> I am taking over my company's PKI management and I have a problem figuring
>> out how things work. We have an online CA server that is used to issue
>> certificates (only for wireless authentication, I believe) and 2 offline CAs.
>>
>> The 2 offline CAs had to be powered on last week because we noticed that
>> the WIFI clients that use certificates were not able to log in.
>>
>> I re-signed the certificates on the offline servers using certutil -resign
>> and republished them using certutil -DSPublish. WIFI is working again but
>> when clicking PKIview.msc our PKI shows red crosses. One thing that
>> surprises me is that a certificate is located at
>> http://webmail.acme.com/CertData. I don't see why certificates are stored
>> on an IIS location. Is that best practice?
>>
>> Please see screenshot attached. I have tried to re-sign the certificate
>> located on the IIS server but when I try to publish it, it cannot find any
>> certificates...
>>
>>
>>
>> certutil -sign "Policy CA.crl" "Policy CA_resigned.crl"
>> ThisUpdate: 2009-05-25 12:06
>> NextUpdate: 2011-05-28 02:10
>> CRL Entries: 3
>>
>>
>>
>> Then a window pops up to select a certificate but no certificates show
>> up.
>>
>>
>>
>> Any help greatly appreciated, thanks.
>>
>>
>>
>
>
