Not certified for Certificate Signing
Guest






Posted: Thu Oct 13, 2005 12:51 am    Post subject: Not certified for Certificate Signing

HELP!!!

We are trying to convert a certificate from .CER format to OpenSSL format,
for Active Directory domain controllers so that Siteminder can use them. In
Windows everything looks fine (the certificate chain up through the
intermediate CA to the root CA is fine) but when we try to verify the
certificates generated via autoenrollment for the DC's we get this message:

"Not certified for Certificate Signing"

Here's the really strange part: as an experiment I exported additional
copies of the .CER versions of the two certificates which were successfully
converted to OpenSSL back in December of last year. We have to use Netscape
4.x in order to do this. They are obviously working because Siteminder is
successfully using them right now. But even THEY gave the same "Not
certified for Certificate Signing" when I took them through the process
again. I'm thinking there must be something in the process I'm not doing
right. I know they're not really for signing other certificates, they're
just for client/server authentication and for LDAP over SSL, but I don't
know what I need to do to get them verified.

Any suggestions appreciated
S. Pidgorny
Guest





Posted: Thu Oct 13, 2005 12:50 pm    Post subject: Re: Not certified for Certificate Signing

The message does make sense: the DC certificate doesn't have the Certificate
Signing key usage attribute. Only CA certificates have that attribute. Why
would SiteMinder require using a CA certificate?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<-> wrote in message news:ezcs5d4zFHA.3188@TK2MSFTNGP14.phx.gbl...
Quote:
HELP!!!

We are trying to convert a certificate from .CER format to OpenSSL format,
for Active Directory domain controllers so that Siteminder can use them. In
Windows everything looks fine (the certificate chain up through the
intermediate CA to the root CA is fine) but when we try to verify the
certificates generated via autoenrollment for the DC's we get this message:

"Not certified for Certificate Signing"

Here's the really strange part: as an experiment I exported additional
copies of the .CER versions of the two certificates which were successfully
converted to OpenSSL back in December of last year. We have to use Netscape
4.x in order to do this. They are obviously working because Siteminder is
successfully using them right now. But even THEY gave the same "Not
certified for Certificate Signing" when I took them through the process
again. I'm thinking there must be something in the process I'm not doing
right. I know they're not really for signing other certificates, they're
just for client/server authentication and for LDAP over SSL, but I don't
know what I need to do to get them verified.

Any suggestions appreciated
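
Added example (not part of either post above): a shell script that builds a throwaway CA and a DC-style certificate with OpenSSL, then checks which of the two carries the Certificate Sign key usage the reply refers to. The file names, subject names, extension sections and the `has_cert_sign` and `make_demo_certs` helpers are constructed for illustration, and an `openssl` CLI on the PATH is assumed.

```shell
#!/bin/sh
# Added example: all certificates and names below are constructed test data.
set -e

# Succeeds only if the certificate's Key Usage lists "Certificate Sign".
has_cert_sign() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# Create a throwaway CA and a leaf with DC-style usages in directory $1.
make_demo_certs() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[dc_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=dc01.example.test" \
        -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
    openssl x509 -req -in "$d/dc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions dc_ext \
        -out "$d/dc.pem" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_certs "$tmp"
for c in ca dc; do
    if has_cert_sign "$tmp/$c.pem"; then
        echo "$c.pem: Certificate Sign present (CA usage)"
    else
        echo "$c.pem: no Certificate Sign (end-entity usage only)"
    fi
done
# The leaf still chains to the CA as an end-entity certificate.
openssl verify -CAfile "$tmp/ca.pem" "$tmp/dc.pem"
```

The leaf certificate lacks Certificate Sign yet still verifies against its issuer, which is the expected state for a server or client authentication certificate.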
