Re: PEAP-MS-CHAP v2 Certificate Problem
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 01/04/05
- In reply to: Taylor Sbicca: "Re: PEAP-MS-CHAP v2 Certificate Problem"
Date: Tue, 04 Jan 2005 00:31:56 GMT
A .cer file only contains the public key and not the private key, which is
why it is not working. Your web browser must have cookies enabled to
retrieve the pending request, I believe, and it may help to include the
certificate "website" in your trusted web content zone and also retrieve it
from the same computer as the same user that you made the request from. If
all that fails you can request the certificate from another machine where it
does work. When you do the request make sure to enter the name of the
computer you are using for IAS and check to make the private keys
exportable. Then you would have to go into the personal computer store on
the computer where the request/issuance was successful and export it and the
private keys to a .pfx file, which you will have to password protect. Move
the .pfx file to your IAS server, open the mmc snap-in for computer store and
from the personal folder select import and browse to the .pfx file you
created to import it. I would then delete the certificate on the original
computer where it was installed.

--- Steve
"Taylor Sbicca" <taylors@allstardirectories.com> wrote in message
news:1104788499.252200.325900@z14g2000cwz.googlegroups.com...
> Hi Gary,
>
> All the certificates that I have been using in the past were configured
> like you suggested. Nonetheless I tried it again but was
> unsuccessful. From everything I've read on Usenet and the web it seems
> that I have the certificates configured correctly. Perhaps the problem
> lies in how I'm moving my issued certificates into the local machine's
> personal certificate store. I'll explain how I've been doing it and
> maybe you can tell me if I'm going about this all wrong.
>
> After I request a certificate using the web interface I go to the
> certificate authority in the console. I issue the certificate and then
> double click on the issued certificate. I then click on the details
> tab, and the copy to file button. I have the option to save the
> certificate as a DER encoded binary (.CER), a Base 64 encoded binary
> (.CER), or a .P7B. The option to save the certificate as a PFX is
> grayed out so I can't choose it. I then save the certificate to my
> certificate folder. Next in the console I go to personal folder in my
> local certificate store and import the certificate which I just
> exported.
>
> Is this the correct method for getting the certificates I've created
> into the personal folder? I've tried using the web interface to do it
> but when I check my pending requests from the server it says I have no
> requests pending. (The strangest part is that when I request a
> certificate from another machine it will show me pending requests and I
> can install the certificate through the web interface) Any thoughts
> you have that might help would be greatly appreciated.
>
>
>
> Gary Fose [MSFT] wrote:
>> Taylor,
>>
>> Try the following:
>>
>> Make sure that the correct key option parameters are configured in the
>> server authentication certificate. To do this, follow these steps:
>>
>> 1. Start Microsoft Internet Explorer.
>>
>> 2. On the Address bar, type "http://
>> the quotation marks). Click
>> "Go".
>>
>> 3. On the Welcome page, click "Request a certificate" under "Select a task".
>>
>> 4. On the Request a Certificate page, click "Advanced certificate request".
>>
>> 5. On the Advanced Certificate Request page, click "Create and submit a
>> request to this CA".
>>
>> 6. Make sure that the correct parameters are configured under "Key Options".
>> To do this, follow these steps:
>>
>> a. Click "Create New key set".
>> b. In the "CSP" box, click "Microsoft RSA SChannel Cryptographic Provider".
>> c. In the "Key Size" box, type "1024" (without the quotation marks).
>> d. Click "Automatic key container name".
>> e. Click to select the "Store Certificate in the local computer
>> certificate store" check box.
>> f. Click "Submit".
>>
>> HTH,
>> Gary
>
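
A check for the point made in the reply above (a .cer export carries no private key, so the imported certificate cannot be used by IAS), added here as an example and not part of the original thread. It assumes Windows PowerShell run as an administrator on the IAS server; the function names `Get-CertFileKind` and `Test-ServerAuthCert` are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-CertFileKind {
    # Reports what an exported file contains before it is imported.
    # Cert  = a single certificate (.cer), public key only
    # Pkcs7 = certificate chain (.p7b), public keys only
    # Pfx   = PKCS#12 (.pfx), the only one of the three that can carry the private key
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $kind = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($full)
    [pscustomobject]@{
        Path               = $full
        ContentType        = $kind
        CanCarryPrivateKey = ($kind -eq [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
    }
}

function Test-ServerAuthCert {
    # Lists certificates in the computer's Personal store and flags the ones
    # that cannot serve as a server certificate: no private key, no Server
    # Authentication EKU, or outside the validity period.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is reported as $false here; review it by hand.
        $serverAuth = $false
        if ($eku) {
            $serverAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid
        }
        $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $serverAuth
            InValidity    = $inDate
            Usable        = $cert.HasPrivateKey -and $serverAuth -and $inDate
        }
    }
}

# Example use on the IAS server:
#   Get-CertFileKind -Path .\ias-server.cer      # constructed file name
#   Test-ServerAuthCert | Format-Table -AutoSize
```

A certificate imported from a .cer file shows `HasPrivateKey` as `False` in this listing; the same certificate imported from a .pfx that was exported with its private key shows `True`.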