Re: CA Issue

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/01/04


Date: Wed, 1 Sep 2004 21:48:44 +0200

Scott,

Sorry, but I can't seem to find a way around this... One solution would be
to migrate to Windows 2003 Enterprise CA. There you can edit templates and
change the validity period.

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:447c01c49053$98d381e0$a501280a@phx.gbl...
> CSP: eToken base Cryptographic Provider
>
> The smart cards do hold the certificates, but I am not
> quite sure from a technical perspective how VPN works.
> We set up a VPN connection that uses the smart cards
> which hold the certificate. The root certificate also
> has to be loaded on to the computer that is VPN'd in.
> The VPN is based on the smart cards though.
>
> >-----Original Message-----
> >Do you actually use Smart Cards to logon to domain -- or just to store
> >certificates for VPN? What CSP do you use (CSP = Cryptographic Service
> >Provider).
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in message
> >news:459e01c49050$36eaafb0$a301280a@phx.gbl...
> >> SmartCard Logon
> >>
> >> Sorry, I keep forgetting to put in my name and it shows
> >> up as anonymous. Thanks for all your help so far.
> >>
> >>
> >> >-----Original Message-----
> >> >In the web interface you can select between different Certificate
> >> >Templates (e.g. Users, Administrator, SmartCard User, IPSec, ...).
> >> >Which one do you select when issuing your certificates?
> >> >
> >> >http://freeweb.siol.net/mpihler/templates.jpg
> >> >
> >> >Mike
> >> >
> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:00a901c49045$2cda6570$a401280a@phx.gbl...
> >> >> Not quite sure what you mean when you refer to "Template." I am
> >> >> issuing certificates by going through a web interface for
> >> >> Microsoft certification services. All of the issued certificates
> >> >> show up under Certification Authority, Under the Company Name,
> >> >> and then Issued Certificates.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Which template do you use to issue certificate?
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> >> >> >> Ok, I may not be able to get around it then. However, I know
> >> >> >> 2 years ago when they set this up, they issued VPN
> >> >> >> certificates that had a 2 year expiration period. Everyone who
> >> >> >> set this up is gone though, and we are not sure how they did
> >> >> >> this. Thanks for all your help though.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >It looks as Paul suggested that this 1 year limit is set in
> >> >> >> >certificate template. This is not a problem if you have
> >> >> >> >standalone CA setup.
> >> >> >> >
> >> >> >> >Unfortunately on Windows 2000 you can't edit (customize)
> >> >> >> >templates. You can create customized templates on Windows 2003.
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >> >> >> >> It says Enterprise Root CA. It is the only CA on our
> >> >> >> >> network.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >How do you have this CA setup? Is this an Enterprise Root
> >> >> >> >> >CA or Standalone Root CA?
> >> >> >> >> >
> >> >> >> >> >Mike
> >> >> >> >> >
> >> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >> >> >> >> >> I just doublechecked to make sure I was looking at the
> >> >> >> >> >> right values and those are the exact values I have. Under
> >> >> >> >> >> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\"Certificate Name"
> >> >> >> >> >>
> >> >> >> >> >> I have
> >> >> >> >> >> Validity Period REG_SZ Years
> >> >> >> >> >> Validity Period Units REG_DWORD 2
> >> >> >> >> >>
> >> >> >> >> >> Thanks for all your help, but I am still not sure what I
> >> >> >> >> >> am doing wrong.
> >> >> >> >> >>
> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >I think you are looking at wrong values:
> >> >> >> >> >> >
> >> >> >> >> >> >Under
> >> >> >> >> >> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
> >> >> >> >> >> >
> >> >> >> >> >> >Set these values like this:
> >> >> >> >> >> >
> >> >> >> >> >> >REG_SZ ValidityPeriod Years
> >> >> >> >> >> >REG_DWORD ValidityPeriodUnits 2
> >> >> >> >> >> >
> >> >> >> >> >> >(default value for REG_DWORD ValidityPeriodUnits is 1)
> >> >> >> >> >> >
> >> >> >> >> >> >Again check the posted article again! Also check Paul's
> >> >> >> >> >> >post!
> >> >> >> >> >> >
> >> >> >> >> >> >Mike
> >> >> >> >> >> >
> >> >> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >> >> >> >> >> >> Years.
> >> >> >> >> >> >>
> >> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >> >Scott,
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >What value do you have under "ValidityPeriodUnits"
> >> >> >> >> >> >> >Registry Key?
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >Mike
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> >> >> >> >> >> >> Thanks for the article. I followed it and discovered
> >> >> >> >> >> >> >> that everything in my registry was already set
> >> >> >> >> >> >> >> correctly.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> My root certificate is correctly being issued with a
> >> >> >> >> >> >> >> 2 year expiration date.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> My problem is that all the certificates that I issue
> >> >> >> >> >> >> >> to my VPN keys that are based on that root
> >> >> >> >> >> >> >> certificate have an expiration date of only 1 year.
> >> >> >> >> >> >> >> I don't understand why these would have a different
> >> >> >> >> >> >> >> expiration date.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> Any other thoughts? Thanks for all your help.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >> >> >Hi Scott,
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >How To Change the Expiration Date of Certificates
> >> >> >> >> >> >> >> >That Are Issued by a Windows Server 2003 or a
> >> >> >> >> >> >> >> >Windows 2000 Server Certificate Authority
> >> >> >> >> >> >> >> >http://support.microsoft.com/default.aspx?scid=kb;en-us;254632&Product=win2000
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >Feel free to post back if you have any questions
> >> >> >> >> >> >> >> >regarding this.
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >Mike
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >> >> >> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> >> >> >> >> >> >> >> >> My main certificate was set to expire on
> >> >> >> >> >> >> >> >> September 10, 2004. I renewed the certificate with
> >> >> >> >> >> >> >> >> the same private key, and it is now set to expire
> >> >> >> >> >> >> >> >> on Sep 1, 2006 (basically 2 years from today) This
> >> >> >> >> >> >> >> >> seemed to work correctly. When I now issue a new
> >> >> >> >> >> >> >> >> certificate to a smart card for VPN purposes, it
> >> >> >> >> >> >> >> >> gives the certificate an expiration date of
> >> >> >> >> >> >> >> >> Sep 1, 2005 (A year before the base certificate is
> >> >> >> >> >> >> >> >> set to expire).
> >> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> >> I don't want to have to renew all the company's
> >> >> >> >> >> >> >> >> VPN keys in a year. How can I set the expiration
> >> >> >> >> >> >> >> >> date to the same as the root cert?
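
The behaviour discussed in this thread can be modelled as the earliest of three limits: the CA certificate's own expiry, the CA's ValidityPeriod / ValidityPeriodUnits registry setting, and the validity set in the certificate template (which a standalone CA does not have). The following Python is an added example, not code from the thread or from Microsoft; the function names and the date arithmetic are assumptions, and the sample dates are the ones Scott reports.

```python
import calendar
from datetime import date, timedelta


def add_period(start, units, period):
    """Add a validity period; period is Days, Weeks, Months or Years,
    the values the ValidityPeriod registry string accepts."""
    if period == "Days":
        return start + timedelta(days=units)
    if period == "Weeks":
        return start + timedelta(weeks=units)
    if period in ("Months", "Years"):
        months = units * (12 if period == "Years" else 1)
        idx = start.month - 1 + months
        year, month = start.year + idx // 12, idx % 12 + 1
        # Clamp the day so 29 Feb plus one year lands on 28 Feb.
        day = min(start.day, calendar.monthrange(year, month)[1])
        return date(year, month, day)
    raise ValueError(f"unknown period: {period!r}")


def effective_not_after(issued, ca_not_after, registry, template=None):
    """Return (expiry, limiting_factor) for a certificate issued on `issued`.

    registry and template are (units, period) tuples. Pass template=None
    to model a standalone CA, which issues without templates.
    """
    limits = {
        "CA certificate lifetime": ca_not_after,
        "CA registry ValidityPeriod": add_period(issued, *registry),
    }
    if template is not None:
        limits["certificate template"] = add_period(issued, *template)
    factor = min(limits, key=limits.get)  # earliest date wins
    return limits[factor], factor


if __name__ == "__main__":
    issued = date(2004, 9, 1)         # day the thread was written
    ca_expiry = date(2006, 9, 1)      # renewed CA certificate, per Scott
    registry = (2, "Years")           # ValidityPeriodUnits=2, ValidityPeriod=Years
    template = (1, "Years")           # 1 year limit set in the template
    print("Enterprise CA:", effective_not_after(issued, ca_expiry, registry, template))
    print("Standalone CA:", effective_not_after(issued, ca_expiry, registry))
```

With the thread's values the Enterprise CA case returns 2005-09-01 limited by the template, which is why raising the registry value alone had no effect.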


