Order of Certificates in Windows Popup - certificate

So when you go to a site via Internet Explorer/Chrome that requires a certificate (such as from a smart card), is there any way to change the order of the certificates displayed?
I've found it's based on expiration date, however all 3 expire at the same time.
Mostly this is to force users to select the correct cert which is not displayed right away but instead forces them to go to more choices...

Related

ADFS Certificate expiration notification job

I have over 20 applications utilizing ADFS SSO authentication. Last year the token signing certificate expired and I went through the whole sky is falling - chasing down 3rd party vendors to schedule the refreshing of the metadata files to try to make the transition to the new cert as seamless as possible. I have already added calendar reminders 3+ months before their next expiration but I would like to be a little bit more prepared and have a job/script that runs and sends me an email when the certificate is 90+ days from expiration. Does anyone know of or have a script that could accomplish that? Also, is there a way I could do the same per RPT signature certs? I currently have most if not all set to automatically update but would like the notification anyway if possible.
There are a few around e.g. this.
"This script will query AD FS certificates (via Get-AdfsCertificate) and Relying Party Trust certificates (via Get-AdfsRelyingPartyTrust) and check if the certificates expire within a user-defined threshold (or the default 30 days if not specified). It will then output details about expiring certificates, and, optionally, send an alert email."
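A sketch of the kind of check the quoted description outlines, added here as an example; it is not the script the answer links to. The parameter names, the 90-day default and the mail settings are assumptions for illustration, and it must run on an AD FS server where the ADFS module is available.

```powershell
#Requires -Modules ADFS
# Added example: report AD FS and relying party trust certificates nearing expiry.
param(
    [int]$ThresholdDays = 90,      # assumption: alert window taken from the question
    [string]$SmtpServer,           # placeholder: leave empty to skip the email
    [string]$From,                 # placeholder sender address
    [string]$To                    # placeholder recipient address
)

$now    = Get-Date
$cutoff = $now.AddDays($ThresholdDays)

function New-CertRow {
    param(
        [string]$Source,
        [string]$Role,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    [pscustomobject]@{
        Source     = $Source
        Role       = $Role
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        DaysLeft   = [int][math]::Floor(($Cert.NotAfter - $now).TotalDays)
    }
}

$rows = @()
# Service communications, token-signing and token-decrypting certificates.
foreach ($c in Get-AdfsCertificate) {
    $rows += New-CertRow -Source 'AD FS' -Role $c.CertificateType -Cert $c.Certificate
}
# Per relying party trust: request signing (may be several) and encryption certificates.
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    foreach ($c in @($rp.RequestSigningCertificate)) {
        if ($c) { $rows += New-CertRow -Source $rp.Name -Role 'RP signing' -Cert $c }
    }
    if ($rp.EncryptionCertificate) {
        $rows += New-CertRow -Source $rp.Name -Role 'RP encryption' -Cert $rp.EncryptionCertificate
    }
}

$expiring = $rows | Where-Object { $_.NotAfter -le $cutoff } | Sort-Object NotAfter
$expiring | Format-Table -AutoSize

if ($expiring -and $SmtpServer) {
    $body = $expiring | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD FS certificates expiring within $ThresholdDays days" -Body $body
}
```

Run from a daily scheduled task, this also lists certificates that have already expired, since their NotAfter is before the cutoff.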

login with smart card on web site

I need help with sign in with a smart card on google chrome.
First: When I go to the page that requires the certificate, a window appears where you can choose the certificate.
Is there any way this window can be edited so that I can see whose certificate it is, and not just from whom it was issued, under the subject and the issuer is the same (from whom it was issued). I need to see the name of the user here.
Second: I have a problem with loading certificates from smart cards on some computers. I installed the software for the smart card reader, inserted the smart card into the reader, and Windows doesn't load it. This is happening on some computers, all installed as it is on others, but it does not want to load the certificate. The certificates are all valid because this card works on another computer without problems.
If there is someone who can help, it would be great. tnx
I need help with sign in with a smart card on google chrome
Your question is about "login with smart card on web site". You can use a smartcard to prompt a certificate for authentication purposes during the handshake phase of the SSL/TLS protocol using client authentication, but you cannot make digital signatures.
Note: There is a workaround to do it, but this is a separate discussion: http://www.sslsignature.com/
Is there any way this window can be edited so that I can see whose certificate is, and not just from whom it was issued, under the subject and the issuer is the same (from whom it was issued).
No, this window is not customizable. You can only filter by issuer (establishing on the server side the accepted Certificate Authorities).
I have problem with loading certificates from smart cards on some computers. I installed software for smart card reader, insert smart card to reader, and windows doesn't load it.
Check the installed drivers to fix it. I do not think it's a code problem.
On Windows, you can use the certificate manager screen to aid in diagnosing your certificate propagation issue.
First: install the drivers for the smart card reader.
Second: Run 'services.msc'. Make sure the following services are started: Smart Card, Certificate Propagation.
Third: Run 'certmgr.msc'. Drill down to Personal->Certificate store, and insert the smart card. Hit F5 to refresh the certificate store. See if the certs from the card have been propagated to the personal cert store.
If this is working, then IE (and other browsers) should begin allowing smart card authentication for most smart cards.
For some special smart cards or features, you may need additional software installed in addition to the smart card reader driver.
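The services.msc and certmgr.msc checks from the steps above, scripted as an added example that is not part of the original answer. It also prints the subject name of each certificate in the personal store, since the browser dialog cannot be customized to show it; the report layout is an illustration only.

```powershell
# Added example: script the Smart Card / Certificate Propagation checks.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Step 2: Smart Card (SCardSvr) and Certificate Propagation (CertPropSvc)
# must be running for card certificates to reach the personal store.
$services = Get-Service -Name SCardSvr, CertPropSvc
$services | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is $($svc.Status); start it and reinsert the card."
    }
}

# Step 3: with the card inserted, list what is in Personal > Certificates
# for the current user (the same view certmgr.msc shows after F5).
$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to specific purposes.
    $clientAuth = $true
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $clientAuth = $oids -contains $clientAuthOid
    }
    [pscustomobject]@{
        Subject       = $cert.GetNameInfo('SimpleName', $false)
        Issuer        = $cert.GetNameInfo('SimpleName', $true)
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuth    = $clientAuth
        Thumbprint    = $cert.Thumbprint
    }
}

if (-not $report) {
    Write-Warning 'No certificates in Cert:\CurrentUser\My; the card certificates were not propagated.'
}
$report | Sort-Object NotAfter | Format-Table -AutoSize
```

Running it once on a working machine and once on a failing one shows whether the difference is a stopped service or certificates that never reach the store.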

iOS Configuration Profile Expiration

We are building an iOS OTA Enrollment system in our IT.
After reading Apple docs, I could not find a reference on how to set an expiration date on the Configuration Profile installed on the device.
My motivation is to create an expiration date on profiles that I am going to install based on the device owner (they have to log in before I install it).
Is there a way to control how long the Configuration Profile is valid for?
The configuration Profile has 2 keys:
RemovalDate
DurationUntilRemoval
Which takes a date or duration in seconds respectively, which when satisfied, will remove the profile. But maybe that wasn't what you're looking for?
The Configuration Profile supports the key "PayloadExpirationDate".
You can set the expiration date in the profile, and after the expiration, a new button inside the profile will appear to update the profile manually.
You can see the documentation in the following link:
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
Also, the Apple documentation "Over-the-Air Profile Delivery Concepts" says:
"Upon receiving the final encrypted profile, the device installs it. Reconfiguration occurs automatically if the profile expires or if a VPN connection attempt fails."
However, I wasn't able to update the profile, not manually and not automatically.
As far as I know, there is no way to control the expiration date.

Recreated iphone distribution certificate - want to configure existing Provisioning Profiles to use new cert?

My iphone distribution certificate was due to expire. I clicked the button next to the error message on the distribution certificate tab to recreate it, and followed the instructions to create a new certificate. (Note I used a new CSR - might this be a problem?).
The certificate was created successfully, and I want to move my existing provisioning profiles to use this new certificate. I've done some reading around online, and it sounds like I should just have to click the "modify" button next to the prov profile and save it again with no changes. However, the modify button hasn't appeared. I've done the obvious web page refreshes etc. But I'm out of ideas and can't find any info on this anywhere.
Does anyone know anything about this?
After you have got the new Distribution Certificate (you can revoke the old one and follow the steps in Apple's page to recreate CSR - using your Certificate Assistance in XCode), now in Provisioning >> Distribution, you will see all your profiles as INVALID.
There should be a Modify button next to the INVALID status. Once clicked, you may go inside and find out that the Submit button is disabled. Please click anywhere, recommended in the textbox of the App Name, and the Submit button will be enabled. Just Submit and the Profile will become Active.
Hope this helps.

iPhone Provisioning: Is keychain inserting wrong email address into the CSR?

I was having a problem where my Dev cert didn't expand (was not linked) to my private key.
I tracked the issue down to a discrepancy in the email used to create my Dev Cert and the one keychain was auto-selecting when I installed my CSR that I created to make my Dev cert.
I verified this by examining the contents of my CSR as follows.
1) Double click on the existing CSR file to start the 'install' process in Keychain.
2) Select the 'Let me override defaults for this request' checkbox.
3) Press Continue twice to get to the 'Create your certificate' page.
4) Select the 'Let me override defaults' checkbox.
5) Press Continue twice to get to the 'Certificate Information' page.
Here I found the email listed in the 'Email Address' field was different from the one I used to create the Dev Cert.
I tried to select the correct email and install the CSR, but I couldn't get the certs linked.
The only fix I could find was to recreate my Dev cert using that old email address so that when I installed the CSR in the normal way, everything was linked.
Has anyone else had this issue?
Does anyone know where keychain is getting that list of alternate email addresses, so I can clear it out?
Getting the certificates to work right used to be a complete mess. I tried to follow Apple's original instructions last year and was never able to get it to work. Fortunately, there's a new way of doing it that is much simpler and more reliable:
log into the Apple iPhone Dev Center (http://developer.apple.com/iphone/)
click the link (right side of screen) to the iPhone Developer Program Portal
right in the middle of the page there is a new tool. The title text says "Get your application on an iPhone with the Development Provisioning Assistant" and there is a button marked "launch assistant". Click the button marked "launch assistant" and follow the instructions.
Result: Apple will lead you by the hand through the whole certification process, and it's completely different than it was before - your current issue might not even come up.