Unable to assign public certificate to Access Edge Public Interface

    Question

  • Hi,

    I have OCS 2007. Recently there was a problem with my public certificate and I was getting 14397, 14359 events in my log. After that I regenerated the certificate and got it issued from the local CA. That event ID was no more. But after that my federation was not working.

    I came to know that because a LOCAL certificate is assigned to the access edge public interface, that is why I am having the problem. Then I tried to assign a certificate to my public interface, but I am not getting my public certificate listed over there. It is there but it doesn't have a private key. And without the private key I'm unable to assign it to the interface. What to do now? How can I assign the public certificate to the interface?

    Also tell me from where the ASSIGN CERTIFICATE FROM EXISTING STORE option fetches certificates, so that I can check if the certificate is there.


    Hasan

    17 February 2012 9:55

Answers

    • Double-click the old and new certificates and verify the certificate path. It should show the intermediate and root certificates in the chain.
    • You need to assign the certificate which has the private key; it may be the repaired certificate.
    • I am not sure why you are using an internal certificate on the edge external interface. Ideally you need a public certificate on the external interface.

    Thanks

    Saleesh

    17 February 2012 17:34
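    An added PowerShell check (not from this thread) that does what the answer above describes and answers the question of where "assign certificate from existing store" looks: it walks the Local Machine Personal store, and for each certificate matching the edge FQDN reports whether a private key is attached and whether the chain builds to a trusted root. It assumes the wizard reads Cert:\LocalMachine\My and uses com01.abc.com (the CN from Hasan's certutil output) as the subject filter.

```powershell
# Added example: list candidate edge certificates in the machine Personal store
# and show why each one would or would not be assignable (private key + chain).
# Assumption: the OCS wizard reads Cert:\LocalMachine\My; adjust $SubjectCn.
param(
    [string]$SubjectCn = 'com01.abc.com'   # CN taken from the thread's certutil output
)

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SubjectCn))(,|$)" }

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain availability only, no CRL/OCSP lookup
    $chainOk = $chain.Build($cert)

    # Chain elements are ordered leaf -> intermediate(s) -> root
    $path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    $problems = ($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Serial        = $cert.SerialNumber
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainBuilds   = $chainOk
        ChainPath     = $path
        ChainErrors   = $problems
        Assignable    = ($cert.HasPrivateKey -and $chainOk)
    }
    $chain.Reset()
}
```

    A row with HasPrivateKey false is the missing-key case from the question; a row with ChainBuilds false and PartialChain or UntrustedRoot in ChainErrors is the "valid chain certificate is required" case, and means the issuing CA chain still has to be installed on the edge box.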

All replies

  • Hi Hasan,

    You need to check the personal certificates under the MMC certificate snap-in; http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    • Do you have a backup of the edge server certificate with the public key?
    • You would have received an email during the initial certificate request from the external CA; you can download the certificate using the link which is mentioned in the email. It is also possible to generate the private key.

    Thanks

    Saleesh

    17 February 2012 10:36
  • Hi Saleesh,

    Under Personal Certificates, there is a public certificate but it doesn't have a PVT KEY. Where it has gone, I don't know.

    I can see the edge public certificate with the public key, not the private key, in the personal store.

    It was provided to me by the vendor in 2010. But how will I make it private??? I need a certificate with a private key for assigning to the public interface, as you know.


    Hasan

    17 February 2012 11:19
  • Can you try to recover the private key using the following steps? http://support.microsoft.com/kb/889651

    If recovery wasn't successful, you need to generate a new request or contact the vendor to have a copy of the old certificate.

    Thanks

    Saleesh

    17 February 2012 11:46
  • Saleesh, are you sure that this will help? And are you sure that the certificate which I can see in the personal store should have a private key associated and it is lost for some reason??

    I am reading different articles on it and I found this somewhere:

    Do not repair certificates that appear to be working. Be sure to have a reason for running the utility.

    http://www.ehow.com/how_5071448_recreate-ssl-certificate-private-key.html

    Hasan

    17 February 2012 12:08
  • A few points here:

    • I would like to highlight that recovery won't always work. It depends on the private key's availability on your machine. I can't guarantee the recoverability. You have an option to run the recover against a copy.
    • You can reach out to the certificate vendor in case none of the options works.

    Thanks

    Saleesh

    17 February 2012 12:23
  • You have an option to run the recover against a copy.

    How?? I always have to type the serial number and it is the same for the copy as well.

    17 February 2012 12:35
  • I hope you are running this command on the same server where you generated the certificate request. If it is still failing, plan B is the only option :).

    Thanks

    Saleesh

    17 February 2012 12:40
  • You have an option to run the recover against a copy.

    How?? I always have to type the serial number and it is the same for the copy as well.


    Hasan

    17 February 2012 12:53
  • I got the following error:

    C:\Users\comadmin\Desktop>certutil -repairstore my "12 bc ee"
    my
    ================ Certificate 2 ================
    Serial Number: 12bcee
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    NotBefore: 5/7/2010 1:55 AM
    NotAfter: 5/9/2013 8:20 AM
    Subject: CN=com01.abc.com, OU=Domain Control Validated - RapidSSL(R), OU=See
    www.rapidssl.com/resources/cps (c)10, OU=GT05801157, O=com01.abc.com, C=PK, S
    ERIALNUMBER=xUXPCYmdgEa2P-XpunXVDFJqWujOosQt
    Non-root Certificate
    Cert Hash(sha1): 55 d1 36 0e 3f c4 bf 1b 10 cb 90 cd 03 10 7b 87 1f db 38 22
    No key provider information
    Encryption test FAILED
    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
    CertUtil: Access denied.

    But I can see the certificate has the private key mark now. But I am unable to assign it; how to do it now? Should I have to unassign the old one first??


    Hasan


    17 February 2012 13:10
  • When selecting the new certificate I am getting......

    A certificate with valid chain certificate is required.

    Now I have 2 certificates of the same name, one is issued by the local CA and another one is public. Is that causing the problem???


    Hasan


    17 February 2012 13:15
  • If you repaired the certificate from the edge server, you should be able to see it under the personal store.

    Make sure that you back up the old certificate and delete it. Once that is done, you can import the repaired certificate with the private key and assign the certificate.

    It is recommended to use a public certificate on the edge server external interface. Please make sure that you have the root CA for the public certificate installed on the edge box.

    http://www.ocspedia.com/Certificates/AccessEdge/InternalCA/AssignCertPublic_AccessEdge.htm


    17 February 2012 13:36
  • I am able to see the repaired certificate with the private key now. But when I ran the command it showed me the error which I pasted above, i.e. access is denied, failed...........but I can see the pvt key on the certificate now. I did back up the old certificate but the serial number of the old and backed-up certificate is the same, so it repaired the original one............Do you mean I should delete the old one which is issued by the LOCAL CA??? and then assign this one, otherwise it will give the error of chain????

    I didn't get "Please make sure that you have the root CA installed for the public certificate". I have a local CA server in my organization. What does this mean?


    Hasan

    17 February 2012 17:21

    • There is no old certificate............the public certificate which was without a private key has a private key now after the repair. But I am unable to export it with the private key; that option is disabled while exporting. The certificate path is GeoTrust-->com01.. and all 3 public certificates have this path.............
    • I am unable to assign the repaired certificate, though it is showing a private key, but during the repair it gave the error of:
      C:\Users\comadmin\Desktop>certutil -repairstore my "12 bc ee"
      my
      ================ Certificate 2 ================
      Serial Number: 12bcee
      Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
      NotBefore: 5/7/2010 1:55 AM
      NotAfter: 5/9/2013 8:20 AM
      Subject: CN=com01.abc.com, OU=Domain Control Validated - RapidSSL(R), OU=See
      www.rapidssl.com/resources/cps (c)10, OU=GT05801157, O=com01.abc.com, C=PK, S
      ERIALNUMBER=xUXPCYmdgEa2P-XpunXVDFJqWujOosQt
      Non-root Certificate
      Cert Hash(sha1): 55 d1 36 0e 3f c4 bf 1b 10 cb 90 cd 03 10 7b 87 1f db 38 22
      No key provider information
      Encryption test FAILED
      CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
      CertUtil: Access denied.

    • I unintentionally assigned the internal certificate because my access edge server service was not starting and I was getting 14397, 14359 events in my log.

    Event 14397
    A configured certificate could not be loaded from store. The serial number is attached for reference.

    Extended Error Code: 0x80092004.

    Event 14359
    Unable to use the default outgoing certificate.

    Error 0x0x80092004 (Cannot find object or property.).
    Cause: The certificate may have been deleted or may be invalid. It could also happen due to insufficient permissions.
    Resolution:

    After that I had to use the internal certificate because my public certificate was without a private key.


    Hasan

    17 February 2012 18:04

  • I have solved it. The issue was certificate related. For some reason my public certificate was corrupted, so it was not allowing the access edge service to start. So at that time I assigned it a local certificate from the local CA, which was not working for federation and external clients unless they installed my ROOT CA. I found my public certificate and re-imported it into the personal store and then assigned it again to the public interface of the access edge. Things are working perfectly by the grace of God. Thanks Saleesh for all your support, as this led me to troubleshoot the real cause.

    Hasan

    18 February 2012 11:46
  • You are welcome..!!, good to know it is working ..!!

    Thanks

    Saleesh

    19 February 2012 9:09