How to create a certificate for DPM 2010 Tape encryption using Microsoft Certificate Server

  • Question

  • I am trying to encrypt tapes in DPM 2010.  I have a Microsoft Certificate authority in my environment and I am trying to figure out how to create a template for this process.  In the past, I used the default computer certificate for the DPM computer.  I would not recommend this approach unless you are certain that the certificate private key can be exported.  Otherwise, you will not be able to use the tapes on any other server.  This was a hard lesson learned.

    I have tried copying the Computer template on the certificate authority (enabling the ability to export the cert) and using a cert based on this template to encrypt DPM tape jobs.  At best, DPM gives an error saying valid certificates do not exist in the DPM certificate folders, at best DPM crashes when trying to use the certificates.

    Are there any instructions or guidelines for this?

     

    • Moved by Praveen D [MSFT] Monday, July 19, 2010 7:03 AM Moving to DPM Tape Protection Forum (From:Data Protection Manager)
    Tuesday, July 6, 2010 6:35 PM

Answers

  • Hi,

    Sorry this thread got "lost-in-space"

    People who have to deal with Real Certificate Authorities can use the following information to assist with their requests:
     
    If you are dealing with an organization that uses a Windows CA, have them issue a certificate based on the "Web Server" Template.  If you are dealing with an organization that uses another vendor's CA, request that they issue you a certificate with the following:
     
    Key Usages = Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
    Extended Key Usage = Server Authentication
     
    The above match the values of your self-generated certificate.

     


    Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, February 12, 2011 4:25 PM
    Moderator
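
A way to check certificates already placed in the DPM stores against the key usages listed in the answer above, and to confirm the private key is exportable as the question warns. This is an added example, not code from the thread or from Microsoft; the `Cert:\LocalMachine\...` store paths and the function name `Test-DpmTapeCertificate` are assumptions.

```powershell
# Added example. Assumption: the DPMBackupStore / DPMRecoveryStore folders shown in
# the Certificates MMC (Computer account) are reachable at these provider paths.
$stores = 'Cert:\LocalMachine\DPMBackupStore', 'Cert:\LocalMachine\DPMRecoveryStore'

# Requirements quoted in the answer: four key usages plus the Server Authentication EKU.
$kuType           = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$requiredKeyUsage = [int]($kuType'DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment')
$serverAuthOid    = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-DpmTapeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $kuExt  = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuExt = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # Key usage bits that are required but absent (None when all four are present).
    $present = 0
    if ($kuExt) { $present = [int]$kuExt.KeyUsages }
    $missing = $kuType.GetEnumName(0)
    $missing = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]($requiredKeyUsage -band (-bnot $present))

    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Exportability is only readable this way for CAPI (CSP) keys; anything else reports Unknown.
    $exportable = 'NoPrivateKey'
    if ($Certificate.HasPrivateKey) {
        $exportable = 'Unknown'
        try {
            $flag = $Certificate.PrivateKey.CspKeyContainerInfo.Exportable
            if ($flag -ne $null) { $exportable = [string]$flag }
        } catch { }
    }

    New-Object PSObject -Property @{
        Subject              = $Certificate.Subject
        Thumbprint           = $Certificate.Thumbprint
        NotAfter             = $Certificate.NotAfter
        MissingKeyUsage      = $missing
        HasServerAuthEku     = ($ekuOids -contains $serverAuthOid)
        PrivateKeyExportable = $exportable
    }
}

foreach ($store in $stores) {
    if (-not (Test-Path $store)) { Write-Warning "Store not found: $store"; continue }
    Get-ChildItem $store | ForEach-Object { Test-DpmTapeCertificate $_ } |
        Select-Object Subject, Thumbprint, NotAfter, MissingKeyUsage, HasServerAuthEku, PrivateKeyExportable
}
```

A certificate is in line with the answer when `MissingKeyUsage` is `None` and `HasServerAuthEku` is `True`; `PrivateKeyExportable` of `False` means the tapes could not be read on another server, which is the problem described in the question.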

All replies

  • Hey,

    Please find the information needed here:

    How to install and remove certificates from a certification authority: http://technet.microsoft.com/en-us/library/ff399773.aspx

    How to import Certificates into DPMBackupStore: http://technet.microsoft.com/en-us/library/ff399563.aspx

    How did you request and import the certificate from the CA?

    Cheers,

    Mike Resseler


    Visit System Center User Group Belgium @ http://scug.be and http://scug.be/blogs/scdpm
    Wednesday, July 7, 2010 6:53 AM
    Moderator
  • Thanks, but neither of these help.

    I was able to create a certificate from my Microsoft Certificate authority that met my needs, I just used trial and error until I got acceptable properties.

    It is easy to request a certificate from the certificate authority directly through the Certificates MMC Snap-in which can then be moved or copied to the DPMBackupStore and DPMRecoveryStore folders.  No need to do any of the import steps.

    The part that is unclear is what properties the certificate needs to include to be used for DPM encryption.  The Microsoft Certificate authority allows you to create a template for the certificate, then you use the Certificates MMC snap-in to request a certificate based on the template that you have created.  Other System Center products give you the certificate requirements when the product requires/allows the use of certificates.  That is what I'm looking for here.  I might be able to figure it out based on the makecert.exe command line switches, or by creating the self-signed certificate and looking at the properties, but I was hoping someone would know the answer.

    Wednesday, July 7, 2010 4:42 PM
  • I'd also appreciate some guidance as to how to do this. The documentation is lacking and searching doesn't come up with much. The closest I've come is: http://www.eggheadcafe.com/software/aspnet/30377478/how-to-do-tape-encryption-using-dpm.aspx and the previously provided links but nothing on what kind of a template is needed if using a CA.
    Tuesday, November 30, 2010 8:21 AM
  • I read plenty of questions, no real answers:

    • ...nothing on what kind of a template is needed if using a CA...
    • ...The part that is unclear is what properties the certificate needs to include to be used for DPM encryption...
    • ...I have tried copying the Computer template on the certificate authority...DPM crashes...

     

    I am evaluating this software and the documentation for this feature isn't very clear/detail oriented.

    Any assistance to the above questions?

    Friday, December 17, 2010 10:40 PM
  • I hate bumping this thread, but really don't have many other options since the documentation isn't all that clear about this.

    Can't someone from the DPM team assist us with these questions?

    Wednesday, December 22, 2010 3:17 PM
  • Hi Guys,

    I have followed the following steps to create a certificate for DPM.

    On DPM Server

    1 - I used IIS Console - Under Server Name - Server Certificates - Create Certificate Request (the wizard will ask you the basic information and rest of the options you leave default)

    

    The wizard will prompt you to save the certificate request - save as xyz.txt

    2 - Open the Certificate Request Web Console http://servername/certsrv 

    Click on request certificate - Advanced Certificate Request - Copy the contents from certificate request file and paste it in Saved Request and select Web Server, click Submit - on the next page you can download the certificate.

    3 - Complete the pending certificate request from IIS and select the certificate which you download.

    4 - You can see the certificate under IIS - Server Certificates - Select certificate and export

    5 - Open MMC - Add Certificates snap-in - Computer Account - Expand the Certificates - DPMBackupStore - Right Click select import and select the certificate which you exported from IIS.

    That's it really; now you can modify the protection group and select the encryption option for long term backups.

    Regards,

    maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, April 15, 2012 12:14 PM
  • Shane,

    I have been trying to access that video for weeks and it has been unavailable.  Several posts send you there, but that is not much help if it is temporarily unavailable.  Can someone please put it back up?


    Peter Jam

    Friday, October 12, 2012 1:22 PM
  • I can't find it either.


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, October 14, 2012 5:36 AM
  • Hi,

    The video was accidentally deleted, it will be reposted soon.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, October 15, 2012 6:15 PM
    Moderator
  • Thanks Mike,

    I finally asked in the right place.  I had sent that site an email a couple of weeks ago.  LOL


    Peter Jam

    Monday, October 15, 2012 6:17 PM
  • Could you please upload the video again? I want to use it for verification of the encryption in the SQL database because I cannot find any other documentation on verifying that the tapes are encrypted. Thanks!
    Wednesday, December 12, 2012 2:54 PM
  • Hi,

    Sorry for the delay, it has been reposted.  Suggest you use headphones as the audio is kind of low.


    Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, December 12, 2012 5:32 PM
    Moderator