Workplace join SSL Certificate

Answers

  • Hi Mickey,

    The error indicates that the certificate cannot pass the revocation checking. Each certificate in the certificate chain is verified to ensure that none of the certificates are revoked. The certificate revocation list (CRL) can be obtained from the CDP which we defined in the certificate.

    More information: http://social.technet.microsoft.com/wiki/contents/articles/3147.aspx

    According to the screenshot, it seems we don't publish the CRL to the HTTP path; this is the reason why it cannot pass the revocation checking. Please paste the new CRL to the HTTP path.


    Best regards, Jason Mei

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, September 18, 2013 9:39 AM
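
The check this answer describes, as an added example that is not part of the original thread: a PowerShell sketch that builds the chain with revocation checking enabled, then tries to download the CRL from each HTTP CDP URL found in the chain. The certificate path and the function names `Get-HttpCdpUrl` and `Test-CrlDownload` are assumptions for illustration, and the URL extraction relies on how Windows renders the CDP extension as text.

```powershell
# Added example (not from the thread). Run it on the client that fails to join.
# $CertPath is a placeholder for the exported AD FS SSL certificate.
param([string]$CertPath = 'C:\temp\adfs-ssl.cer')

function Get-HttpCdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. On Windows,
    # Format() renders each entry as "URL=<uri>"; keep only the HTTP ones.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlDownload {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
    } catch {
        "FAILED: $($_.Exception.Message)"
    }
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'       # allow CRL retrieval over the network
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'  # check every certificate below the root
$null = $chain.Build($cert)

foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    # Flags such as RevocationStatusUnknown or OfflineRevocation show up here
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    $urls = @(Get-HttpCdpUrl $c)
    if ($urls.Count -eq 0) {
        if ($c.Subject -eq $c.Issuer) { $note = 'root, not checked' } else { $note = 'no HTTP CDP in certificate' }
        [pscustomobject]@{ Subject = $c.Subject; ChainStatus = $status; Cdp = $note; Fetch = '' }
    }
    foreach ($u in $urls) {
        [pscustomobject]@{ Subject = $c.Subject; ChainStatus = $status; Cdp = $u; Fetch = (Test-CrlDownload $u) }
    }
}
```

A row whose `Fetch` column starts with `FAILED`, or a certificate below the root with no HTTP CDP at all, matches the situation described in the answer: the client has no HTTP location from which it can obtain the CRL.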

All replies

  • Hi,

    Thanks for posting here.

    Have you checked the following articles?

    Configure SSL/TLS on a Web Site in the Domain with an Enterprise CA

    http://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx

    http://technet.microsoft.com/en-us/library/dn383662.aspx

    Regards.



    Vivian Wang
    TechNet Community Support

    Thursday, September 12, 2013 3:26 AM
  • Hi Vivian,

    I use the Web Server template to create my SSL certificate, with settings like this.

    But when I request a certificate and set the SAN (DNS), only one of the SANs appears:

    adfs1.contoso.com

    Friday, September 13, 2013 5:52 PM
  • On my client Windows 8.1 Pro RTM

    I can see this page correctly using roberth@contoso.com

    The certificate is correct, but I still can't Workplace Join.

    Friday, September 13, 2013 6:29 PM
  • Friday, September 13, 2013 7:17 PM
  • Hi Mickey,

    Thanks for posting here.

    If we want to make the cert have the SAN that we want, we may need to check the "Supply in request" checkbox under the Subject Name tab.


    Best regards, Jason Mei

    Monday, September 16, 2013 10:59 AM
  • Hi Jason,

    Thanks!!!!!

    I think you give me a big hand.

    haha :)

    By the way, I use one certificate for 3 server roles: AD FS/WAP/Web Server.

    Is it correct?

    The subject name I set: "adfs1.contoso.com" & "*.contoso.com"

    And the DNS I set: "adfs1.contoso.com" & "adfs1.contoso.com" & "enterpriseregistration.contoso.com" & "*.contoso.com"

    Monday, September 16, 2013 4:07 PM
  • Hi Jason,

    My client shows this error code in the event log: 0x80072F19

    and I have read this http://blog.auth360.net/2013/09/13/first-impressions-ad-fs-and-windows-server-2012-r2-part-i/#comment-791

    He says: "Ensure the Certificate Revocation List (CRL) on the Certificate Distribution Point (CDP) and your Authority Information Awareness (AIA) URLs are setup correctly and reachable from the Win 8.1 client."

    I am setting my CA properties; is this correct?

    Remove two extensions from CRL (ldap & file), also in AIA.

    Tuesday, September 17, 2013 5:43 AM
  • Hi Mickey,

    Please let me know if my answer properly addresses your concerns; if so, please mark this as answer.


    Best regards, Jason Mei

    • Proposed as answer by Jason Mei Friday, September 27, 2013 9:09 AM
    Monday, September 23, 2013 7:01 AM
  • Mickey,

    I created a step-by-step blog on how to configure the PKI for Workplace Join at http://invendows.wordpress.com/2013/11/03/building-the-pki-for-the-workplace-join-lab/

    I hope this helps.


    Ray - Author of Windows 7 for XP Professionals

    Monday, November 04, 2013 7:25 AM