I have moved to Windows Vista Business recently and am facing an issue with
installing my network's certificate in the trusted root authority. On clicking
Install Certificate, I select the store where the certificate should be
stored, which is Trusted Root Authorities --> Local Computer in XP. But in
Vista I am not getting the option to store on Local Computer; instead I only
get Registry and Smart Card.
Anyone who can help me to add the certificate in the Local Computer store?
I have just found the solution for my problem, maybe someone needs it.
1. Vista - Accessories - Command Prompt - right-click and select "Run as administrator"
2. From the command prompt type "c:\temp\testroot.cer"
3. Click on the Install Certificate button, Next
4. Select Place all certificates in the following store, Browse
5. Select Show physical stores, scroll up, expand Trusted Root Certification Authorities, select Local Computer, OK, Next, Finish
To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.
I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:
In Chrome it all works. In Firefox I get the error below:
So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net
I also checked this other post.
There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.
I then took these steps found here:
Open the Certificates Microsoft Management Console (MMC) snap-in.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and
then click OK.
In the Certificates snap-in dialog box, click Computer account, and then click Next.
In the Select computer dialog box, click Finish.
I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.
How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?
UPDATE 1
Based on @rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked "Please pick the main host, which will be presented as the subject of the certificate", I selected gamegorilla.net. After this gamegorilla.net now works in Firefox; however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.
UPDATE 2
Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically:
Should I leave those or delete those mail+smtp records here?
Also, the certificate is now [Manual]. Does that mean I need to renew manually (which would be weird, since nowhere during the certificate creation steps did I see an option for auto-renewal)?
The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.
To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.
After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtpkaro-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.
Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.
For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).
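The insecure-certificate symptom in UPDATE 1 comes down to which DNS names ended up in the certificate's Subject Alternative Name. This added example (not code from the thread or from win-acme) lists, for each hostname mentioned above, whether the installed certificate covers it, applying the single-label wildcard rule that makes *.gamegorilla.net cover www.gamegorilla.net but not gamegorilla.net itself. It assumes the certificate is in Cert:\LocalMachine\My and an English Windows, where the SAN extension formats as "DNS Name=host".

```powershell
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) gives "DNS Name=gamegorilla.net, DNS Name=www.gamegorilla.net, ..."
    $san.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].ToLowerInvariant() }
    }
}

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    $HostName = $HostName.ToLowerInvariant()
    if ($Pattern -eq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label: *.gamegorilla.net matches
        # www.gamegorilla.net but neither gamegorilla.net nor a.b.gamegorilla.net.
        $suffix = $Pattern.Substring(1)                      # ".gamegorilla.net"
        if (-not $HostName.EndsWith($suffix)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return $false
}

function Test-CertCoversHosts {
    param($Cert, [string[]]$Hosts)
    $names = @(Get-CertDnsNames -Cert $Cert)
    foreach ($h in $Hosts) {
        $covered = $false
        foreach ($n in $names) {
            if (Test-NameMatch -Pattern $n -HostName $h) { $covered = $true; break }
        }
        [pscustomobject]@{ Host = $h; Covered = $covered }
    }
}

# Hostnames taken from the thread; the certificate is selected by the main host chosen in wacs.
$expected = 'gamegorilla.net', 'www.gamegorilla.net', 'smtp.gamegorilla.net',
            'karo-elektrogroothandel.nl', 'www.karo-elektrogroothandel.nl'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*gamegorilla.net*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for gamegorilla.net found in LocalMachine\My' }
Test-CertCoversHosts -Cert $cert -Hosts $expected | Format-Table -AutoSize
```

Any host reported as Covered = False is one the browser will flag, regardless of which bindings IIS shows.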
I need the certificate from my smart card to be in the Windows service local store. I opened the store with mmc -> snap-in -> certificates.
I used different little tools to see information (ATR etc.) about my smart card and they all worked out.
I can see a lot of certificates there, but the one from my smart card is missing in the store. The folder 'Smartcard Trusted Roots' is empty. Windows gets the .cer/.pfx data from smart cards automatically, right?
Or is there no chance I can do it without using low-level programming (APDU commands etc.)?
First read this:
http://technet.microsoft.com/en-us/library/ff404288(v=WS.10).aspx
As it's written there:
1. A logged-on user inserts a smart card.
2. CertPropSvc is notified that a smart card was inserted.
3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
So yes, generally certificates should pop up in the user's Personal certificate store automatically.
First thing to check is that you have the CertPropSvc service running.
Another thing that I saw is that some smart card drivers don't work with the Windows API. One example I know was old RSA tokens. We have changed them to Gemalto .NET cards and USB readers because of this.
Note: In the article I linked it's written that this is valid for Windows 7 and 2008, but it worked for me on XP and Vista.
We have purchased a Thawte code signing certificate and am able to sign scripts with that. In AllSigned execution policy mode, PowerShell still asks for confirmation on servers before running the code. I need to run this code as a scheduled job on many servers and was wondering if there is any workaround for this.
In my search it seems like that the certificate needs to be in trusted publisher before execution of scripts. I could not find any scripts that can place certificate in TrustedPublisher on a remote server.
Thank you for all the help you can provide.
PowerShell help about execution policies, easily found by PS C:\>help about_Execution_Policies, shows that in AllSigned mode it will prompt you before running scripts from publishers that you have not yet classified as trusted or untrusted. You can try RemoteSigned, or try this, wonderfully explained by Scott Hanselman: http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
Signed scripts can be transported by exporting (from original
computer) and importing (to the new computer) the Powershell
certificates found in the Trusted Root Certification Authorities
container. Optionally, the Trusted Publishers can also be moved to
prevent the first-time prompt.
Final note on the blog
Note that Powershell will prompt you the first time it’s run unless
you also import the Trusted Publishers certificate.
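The quoted blog note explains the prompt: under AllSigned, a signer that is not yet in TrustedPublisher triggers it. This added example (not from the thread or the blog) takes the signer certificate straight from an already signed script and places it in the LocalMachine\TrustedPublisher store on remote servers with Invoke-Command, which is what the question asked for. It assumes PowerShell remoting is enabled; the script path and server names are placeholders.

```powershell
function Get-ScriptSignerCert {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only trust a signer whose signature on this script actually verifies.
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is not valid ($($sig.Status)); refusing to trust its signer."
    }
    return $sig.SignerCertificate
}

function Install-TrustedPublisher {
    param([string[]]$ComputerName,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Export only the public certificate (DER); the private key never leaves the signing box.
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$der) -ScriptBlock {
        param([byte[]]$Bytes)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
        # TrustedPublisher only suppresses the prompt; the certificate must still chain to a
        # trusted root, which a Thawte-issued certificate does on a stock Windows install.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'TrustedPublisher', 'LocalMachine'
        $store.Open('ReadWrite')
        try {
            if ($store.Certificates.Find('FindByThumbprint', $c.Thumbprint, $false).Count -eq 0) {
                $store.Add($c)
            }
        } finally { $store.Close() }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Thumbprint = $c.Thumbprint; Subject = $c.Subject }
    }
}

$signer = Get-ScriptSignerCert -Path 'C:\jobs\nightly.ps1'                  # placeholder path
Install-TrustedPublisher -ComputerName 'server01', 'server02' -Cert $signer  # placeholder names
```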
I need to disable the following group policy in Windows 7 programatically, for example by modifying a registry key using Powershell:
"Turn Off Automatic Root Certificates Update"
Does anybody know which registry key needs to be set or unset in order to make this work?
I had a similar issue when I was creating an application that communicated with a server over HTTPS using two-way SSL.
This was causing a delay of a full minute when the initial request was made.
It ran in WinPE, where hand-clicking through the Local Group Policy Editor was not an option.
There also is no way I am aware of to register a root authority in this environment, and it is running in an incredibly restricted environment so it cannot access Windows Update (not that it would find our corporate CA there anyway).
The registry value you are looking for is
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD DisableRootAutoUpdate = 1
Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update
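The registry value given above is the one the question asked to drive from PowerShell. This added example (not from the thread) reads the current state and sets or clears the value; it assumes an elevated prompt. Keep in mind that turning the update off means newly issued public roots will no longer be fetched, and that a domain GPO configuring the same setting will reapply its own value over whatever is written here.

```powershell
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # 'NotConfigured' (updates run), 'Off' (value 1, updates blocked) or 'On' (value 0).
    $props = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotConfigured' }
    if ($props.$ValueName -eq 1) { 'Off' } else { 'On' }
}

function Set-RootAutoUpdateState {
    param([Parameter(Mandatory = $true)][bool]$TurnOff)
    if ($TurnOff) {
        # -Force creates the missing parent keys; Policies\...\AuthRoot does not exist by default.
        New-Item -Path $PolicyKey -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    } elseif (Test-Path $PolicyKey) {
        # Removing the value returns the policy to "Not Configured", so updates run again.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    Get-RootAutoUpdateState
}

"Before: $(Get-RootAutoUpdateState)"
Set-RootAutoUpdateState -TurnOff $true    # equivalent to the Enabled policy setting
"After:  $(Get-RootAutoUpdateState)"
```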
To turn off Automatic Root Certificates Update via Local Group Policy Editor:
Click Start, and then click Run.
Type gpedit.msc, and then click OK.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under Computer Configuration, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
Close the Local Group Policy Editor.
Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.
I'm trying to sign an XPI on Linux (no GUI) using the NSS cert db (cert8.db and key3.db) I copied from another server of mine, on which I can sign XPIs just fine.
On the new box I can sign with a brand new test certificate OK, but when I try to use the old cert db, it complains with:
signtool: PROBLEM signing data (Unknown issuer)
certutil lists the cert I'm trying to use with a * and the CA is present in there as well.
Is this cert db transferable between computers like this? Or are there any other files I have to setup?
TIA
Mike
I'm not sure if this is what you need, but here it is: http://www.mercille.org/snippets/xpiSigning.php
If the certificate chain has an intermediate CA, that also needs to be there.
NSS is rather picky when it comes to the chain and also needs the certs to have been marked as trusted.