Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Installing wild card certificate for ADAM SSL [message #159755] Thu, 06 August 2009 03:43
elibbis (United States) - Messages: 2 - Registered: August 2009 - Junior Member
Hi,

I would greatly appreciate it if anyone could enlighten me on how to
install a wild card certificate for ADAM SSL. A wild card cert is needed
because my 2 replicas of ADAM are hosted behind MS Network Load
Balancing (NLB).

What are the steps to install the wild card certificate?

Failed attempt by me:
1. I used IE to get a wild card certificate (request
cert -> advanced -> Server authentication -> MS RSA SChannel..., PKCS, enter
*.accd.com for name and friendly name). The certificate landed in the "Local
User\Personal" store (viewed in the MMC certificate snap-in). A hash key
appears in "C:\Documents and Settings\administrator\Application
Data\Microsoft\Crypto\RSA\S-1-5-21-1858568060-858591131-1299147156-2293"

2. In the MMC snap-in, I exported the wild card cert to C:. Later I
imported it into the "ADAM Service\Personal" store. A hash key appears in
"C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys". To this key, I granted "Network
Service" (my ADAM service account) Full access.

3. Restarted ADAM.

4. When using ldp to try, SSL works with the NLB DNS name
"account.accd.com". If I try SSL with the actual host name
"dc1.partners.accd.com" (which is logically covered by the wild card
cert), the ldp connection fails!

I am very puzzled whether I should import the machine cert or the user
cert to the ADAM server.

Also, is there anything I am missing? For PKI, my ADAM is in a
child domain whereas the CA is located in the parent domain. I had
granted the necessary rights for the child domain computers (in this case
DCs) to access the CA. I discovered, however, that using the MMC certificate
snap-in, I cannot "request cert" from the CA. It returns:

"The wizard cannot be started because of one or more of the following
conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the
available CAs.
- The available CAs issue certificates for which you do not have
permissions."


--
elibbis
------------------------------------------------------------------------
elibbis's Profile: http://forums.techarena.in/members/27586.htm
View this thread: http://forums.techarena.in/active-directory/1227326.htm

http://forums.techarena.in
Re: Installing wild card certificate for ADAM SSL [message #159760 is a reply to message #159755] Thu, 06 August 2009 09:30
Lee Flight (United Kingdom) - Messages: 392 - Registered: July 2009 - Senior Member
Hi

I think your issue is that a wildcard cert for
*.accd.com

will match a single domain component in an FQDN, so
account.accd.com

will match but
*.account.accd.com

will not. If you Google for wildcard cert behaviors you should find
lots of discussion. I believe the correct approach is to use a cert
that supports subjectAltName if you need to specify multiple matches,
but I have never used one and so cannot guarantee that would work.

Lee Flight

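The single-label rule Lee describes is exactly what TLS clients such as ldp.exe apply: a `*` may only stand for the leftmost label and matches one label, never two. The following is an added example, not code from the thread or from Microsoft, that implements that rule (following RFC 6125 section 6.4.3, which is what most clients do) and runs it over the three names from the thread: the NLB name `account.accd.com` and the replica hosts `dc1.partners.accd.com` and a constructed `dc2.partners.accd.com`. It goes slightly beyond the thread by also evaluating a multi-name (subjectAltName) certificate, which is the approach Lee suggests for covering both the NLB name and the replicas with one cert.

```python
"""Wildcard hostname matching as a TLS client evaluates a server certificate.

Added example (not from the forum thread).  Rules follow RFC 6125 6.4.3:
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard may appear only as the entire leftmost label;
  * the wildcard matches exactly one label, never zero and never several;
  * a wildcard directly under a public suffix such as '*.com' is refused.
"""
from typing import Dict, Iterable, List


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a whole-label '*' matches any non-empty label."""
    if pattern_label == "*":
        return bool(host_label)
    # Partial wildcards such as 'dc*' are deliberately not treated as
    # wildcards here; they fall through to an exact comparison and fail.
    return pattern_label == host_label


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate name `pattern`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
            return False  # wildcard is not the whole leftmost label
        if len(p) < 3:
            return False  # '*.com' would match every second-level domain
    if len(p) != len(h):
        return False  # '*' would have to span more (or fewer) than one label
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))


def cert_covers(names: Iterable[str], hostname: str) -> bool:
    """A cert covers a host if any of its names (CN or SAN entries) matches."""
    return any(hostname_matches(n, hostname) for n in names)


def coverage_report(names: Iterable[str], hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each host to whether the certificate's name list covers it."""
    names = list(names)
    return {host: cert_covers(names, host) for host in hosts}


# Names from the thread; dc2 is a constructed name for the second replica.
HOSTS: List[str] = ["account.accd.com", "dc1.partners.accd.com", "dc2.partners.accd.com"]

# Three candidate certificates: the two wildcards tried in the thread and a
# SAN-style cert listing the NLB name plus a wildcard for the replicas.
CANDIDATES = {
    "*.accd.com": ["*.accd.com"],
    "*.partners.accd.com": ["*.partners.accd.com"],
    "SAN: account.accd.com + *.partners.accd.com": ["account.accd.com", "*.partners.accd.com"],
}

if __name__ == "__main__":
    for label, names in CANDIDATES.items():
        report = coverage_report(names, HOSTS)
        print(f"{label}:")
        for host, ok in report.items():
            print(f"  {host:24s} {'ok' if ok else 'NO MATCH'}")
```

Running it shows the pattern from the thread: `*.accd.com` covers the NLB name but neither replica, `*.partners.accd.com` covers the replicas but not `account.accd.com`, and only the SAN-style name list covers all three. When a client rejects the connection to one replica but not another, comparing the names on the cert against every FQDN a client can reach (NLB name and each node) with a check like this is the quickest way to find the gap.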
Re: Installing wild card certificate for ADAM SSL [message #159770 is a reply to message #159760] Fri, 07 August 2009 03:47
elibbis (United States) - Messages: 2 - Registered: August 2009 - Junior Member
The problem is solved. The solution is to use a *.partners.accd.com wild
card instead of *.accd.com.


Thanks Lee Flight. May I also take this chance to clarify: assuming
we are to burn in a normal cert (non-wild card) for ADAM SSL, do we
import a machine cert (Local Machine\Personal) OR a user cert (from the
User\Personal store) to the ADAM-Service certificate store?

The web has 2 schools of thought - via machine and via user. I had
been using a user cert. Does a machine cert do the trick too?


Re: Installing wild card certificate for ADAM SSL [message #159820 is a reply to message #159770] Mon, 10 August 2009 02:23
Lee Flight (United Kingdom) - Messages: 392 - Registered: July 2009 - Senior Member
Hi

ADAM needs a cert that is marked for server authentication.
If you do *not* store the cert in the ADAM-Service store then it needs to
be in the machine store [1], but if you do use the ADAM-Service
store then it does not matter where the cert was originally
stored (machine store or user); it's really the server authentication
mark on the cert rather than the original import location that's important.
See also [2].

Lee Flight

[1] assuming here the default Network Service account for the
ADAM instance service account.

[2] http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx


