Re: Client-Cert doesn't shown in selection when SSL-login



The root CA of the private certificate chain must be designated as a trusted root cert in the enterprise.
It sounds like it is not a known root CA.
Try running
certutil -dspublish -f <rootcert.cer> RootCA
as a member of the enterprise admins
Brian
"Patrick Sona" <sona@xxxxxxxxxxxxx> wrote in message news:uMDbax32IHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
Hi all!
I have a client-certificate created with our CA on a windows2003 server standard edition with the "user-template".
The problem is, that this certificate is not shown in the certificate-selection when I try to establish an SSL connection with client-auth.
The certificate is installed in the local user-certificate-store.
Other certificates, such as my private Thawte-Certificates are shown.
This problem occurs also with Firefox.
What do I have to configure, that I can use certificates of our CA with SSL-client-auth?

Does anyone have an idea or solution for this problem?

Thanx
Pat

Following there is a dump of this certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:d4:20:a4:00:00:00:00:01:c6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=de, O=xxx, OU=test, CN=CA 0
Validity
Not Before: Jun 30 12:13:20 2008 GMT
Not After : Jun 30 12:13:20 2009 GMT
Subject: DC=de, DC=xxx, DC=test, CN=Users, CN=Administ
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...+....0050...*.H..
..*.H..
X509v3 Subject Key Identifier:
EE:F0:5F:EF:E0:2C:14:01:30:8C:17:83:22:AE:54:E4:
1.3.6.1.4.1.311.20.2:
...U.s.e.r
X509v3 Authority Key Identifier:
keyid:55:10:1A:80:D2:25:10:04:04:22:13:1B:5B:FE:
1

X509v3 CRL Distribution Points:
URI:ldap:///CN=CA%200,CN=xxx-7zjm60,CN=CDP,
20Services,CN=Services,CN=Configuration,DC=test,DC=xxx,DC=de?c
tionList?base?objectClass=cRLDistributionPoint
URI:http://xxx.test.xxx.de/CertEnr

Authority Information Access:
CA Issuers - URI:ldap:///CN=CA%200,CN=AIA,CN=Pub
ices,CN=Services,CN=Configuration,DC=test,DC=xxx,DC=de?cACerti
ctClass=certificationAuthority
CA Issuers - URI:http://xxx.test.xxx
/xxx.test.xxx.de_CA%200.crt

X509v3 Extended Key Usage:
Microsoft Encrypted File System, E-mail Protecti
nt Authentication
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption

.
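A check to go with the answer above, as an added example that is not part of the original posts: it looks at the client certificate in the current user's store and reports whether it has a private key, whether its Extended Key Usage allows client authentication, and whether its chain builds to a root the machine trusts. The thumbprint is a placeholder to be replaced; revocation checking is switched off so that only chain trust is tested.

```powershell
# Added example (not from the thread). Replace the placeholder thumbprint
# with the one shown for the certificate in certmgr.msc.
$Thumbprint    = '<CLIENT-CERT-THUMBPRINT>'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate $Thumbprint in CurrentUser\My" }

# 1. Without an associated private key the certificate cannot be offered.
"Has private key          : $($cert.HasPrivateKey)"

# 2. EKU must list Client Authentication; no EKU extension means any purpose.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)
"Client Authentication EKU: $ekuOk"

# 3. Build the chain with the system trust stores, revocation not checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain ends in trusted root: $trusted"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 4. Show where the chain stopped and whether that cert is in a Root store.
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain stops at           : $($last.Subject)"
$inRoot = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $last.Thumbprint }
"Present in a Root store  : $([bool]$inRoot)"
```

A status of UntrustedRoot or PartialChain in step 3 matches the situation described in the reply, where the private root CA has not been published as a trusted root.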


