no option for entering a certificate for authentication

  • no option for entering a certificate for authentication

    I am trying to make Authentication work.
    The server is Enterprise 2003 SP2. It's not R2

    1. By MS instructions I should have a Browse button for selecting a certificate.
    Instead, I have an Edit button. But there were no certificates before. See attach...
    How can I accomplish this?

    2. I created a self-signed certificate for the test with OpenSSL.
    It created the file .pem
    I converted it to .pfx
    When I tried to save it on TS the only option I had was to save it as .p12

    Is it OK for TLS?

    3. How to check that Authentication works?
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: no option for entering a certificate for authentication

    1. Add the root CA as trust CA on the server and clients.

    2. Add the certificate to the local certificate store.

    3. Then you can add it via edit button.
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

    Comment


    • #3
      Re: no option for entering a certificate for authentication

      I have a problem with importing the p12 certificate.
      Tried from the MMC snap-in. Then from IE. In IE I thought to save it and export as cer or crf.
      What to do with p12?
      From the screenshot it looks like p12 should be OK.
      But the message says not recognizable...
      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

      Comment


      • #4
        Re: no option for entering a certificate for authentication

        Hi!

        1. You can install the certificate to IE, then export it to .pfx, but remember you have to generate the certificate with a private key.
        2. You can install the certificate in the certificates console: choose RUN->mmc->Add snap-in->Certificates->Local machine.
        3. Ensure that you have a certificate with a private key; if so, when you click on your certificate you can see the string "You have a private key that corresponds to this certificate"
        4. If you don't use your centre of enterprise certification, you need to add the root certificate of your centre to Trusted Root Certification Authority.
        Best regards,

        Look before you leap!

        MCSA 2003, MCDBA 2000
        IT Consultant.

        Comment


        • #5
          Re: no option for entering a certificate for authentication

          Moggy,
          I guess I am missing something.
          Again, I generated the certificate with openssl. When I saved the certificate there was the only option for p12 on the server.

          Now when I choose the certificate for importing (whatever method I use) it says file not recognizable.

          I didn't see any option for creating a certificate with a private key.
          Maybe my file is missing that?

          Also I generated the cert on another machine and copied it to the server.
          Maybe try to create it on the same server.

          Pls be more precise about the private key question.

          Thx.
          "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

          Comment


          • #6
            Re: no option for entering a certificate for authentication

            Well, generating a certificate in OpenSSL isn't clear to me... Try to import this .p12 certificate into IE and look at the possibility to export it as .pfx.

            About generating the certificate on the same server: it doesn't matter where you generate the certificate, you have to input the FQDN in the process of generation.

            Can you try to install IIS on this server and generate request from IIS console?
            Best regards,

            Look before you leap!

            MCSA 2003, MCDBA 2000
            IT Consultant.

            Comment


            • #7
              Re: no option for entering a certificate for authentication

              I tried IE and Local security
              Message:... p12 file not recognized
              I will try other things.

              Thanks.
              "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

              Comment


              • #8
                Re: no option for entering a certificate for authentication

                The issue isn't a Microsoft issue but a Root CA/Certificate compatibility issue.

                http://home.lfms.nl/20040729/your-own-openssl-ca/
                Best Regards,

                Yuval Sinay

                LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

                Comment


                • #9
                  Re: no option for entering a certificate for authentication

                  By Moggy's tip I exported an existing self-signed certificate from the default webserver.
                  By Yuval's tip I added it to root CA.
                  But I still cannot add it to TS through the Edit button.

                  SEE printscreen.

                  YUVAL:
                  1. Add the root CA as trust CA on the server and clients.

                  2. Add the certificate to the local certificate store.

                  3. Then you can add it via edit button.
                  "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                  Comment


                  • #10
                    Re: no option for entering a certificate for authentication

                    Originally posted by mla
                    By Moggy's tip I exported an existing self-signed certificate from the default webserver.
                    By Yuval's tip I added it to root CA.
                    But I still cannot add it to TS through the Edit button.

                    SEE printscreen.

                    YUVAL:
                    1. Add the root CA as trust CA on the server and clients.

                    2. Add the certificate to the local certificate store.

                    3. Then you can add it via edit button.
                    Did you add your new certificate into the personal store?
                    You have to add the certificate of the root CA to Trusted Root Certificate authority, but it's only the certificate to confirm your certificate, which is placed in the personal store...
                    Best regards,

                    Look before you leap!

                    MCSA 2003, MCDBA 2000
                    IT Consultant.

                    Comment


                    • #11
                      Re: no option for entering a certificate for authentication

                      Moggy, I put it in Personal.
                      Still not visible in TS config.
                      See pic.
                      What else?
                      I really have to read and practice this topic after solving this...

                      Thanks.
                      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                      Comment


                      • #12
                        Re: no option for entering a certificate for authentication

                        I solved the problem.

                        The self-signed certificate that I used was imported from an existing webserver running on a different machine. TS configuration didn't see it.

                        I created a new one with selfssl (from IIS6 resource kit) and in FQDN put the name of the TS. Then it appeared in TS configuration.

                        Sure, that for all who tried to help me this moment could be missed from my explanation because FQDN was mentioned to me.

                        Now it's working fine.

                        In my case TS is for 5 external users and a self-signed cert is a perfect solution.

                        1. generate certificate with selfssl
                        2. import to Certificates Personal
                        3. enable in TS configuration
                        4. when the client logs in he can see the IP to which he connects (I don't even publish the name of the server) and accept and then install the certificate.

                        Thanks for your advice.
                        "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                        Comment
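
The two causes the thread keeps returning to (a certificate file that lacks its private key, and a subject name that is not the Terminal Server's FQDN) can be checked before importing anything. The script below is an added example, not code from any poster; it assumes the `openssl` command-line tool, and the host name `ts01.example.test`, the password and the file names are constructed.

```shell
#!/bin/sh
# Added example. Host name, password and file names are constructed.
FQDN="ts01.example.test"   # hypothetical Terminal Server FQDN
PASS="changeit"            # constructed export password

# Create a self-signed certificate whose subject CN is the server FQDN,
# then bundle the certificate AND its private key into one PKCS#12 file.
make_p12() {  # usage: make_p12 <fqdn> <out.p12> <workdir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$3/key.pem" -out "$3/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$3/key.pem" -in "$3/cert.pem" \
        -out "$2" -passout "pass:$PASS"
}

# Succeeds only if the PKCS#12 file carries a private key.
p12_has_key() {  # usage: p12_has_key <file.p12>
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Prints the subject CN of the certificate inside the PKCS#12 file.
p12_cn() {  # usage: p12_cn <file.p12>
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
        openssl x509 -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Pre-import check: private key present and CN equal to the expected FQDN.
check_p12() {  # usage: check_p12 <file.p12> <expected-fqdn>
    p12_has_key "$1" || { echo "no private key in $1"; return 1; }
    [ "$(p12_cn "$1")" = "$2" ] || { echo "CN does not match $2"; return 2; }
    echo "ok: $1 has a private key and CN=$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_p12 "$FQDN" "$WORK/ts.p12" "$WORK"
check_p12 "$WORK/ts.p12" "$FQDN"
```

`.p12` and `.pfx` are two file extensions for the same PKCS#12 container, so a file that passes `check_p12` can be imported under either name.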
