Author: Matt (Guest)
Posted: Wed Oct 19, 2005 8:51 am
Post subject: Certificate Services Issues

I am working in an environment where we have installed Certificate Services
on our Windows 2003 standard machine with Active Directory. We followed
Mark Minasi's book on Windows Server 2003 but do not see the same template
he uses in his client example. The drop down in his example has Server
Authentication Certificate as the type but that is not in the list nor can I
find it in any of the templates.

We generated a Web Server type since we believed that had the attributes we
are looking for but have found an issue. We worked up a test where we
signed a document with the new certificate without any issues but when we
try to decrypt the payload we get "Key not valid for use in specified
state". We are not sure what is going on and I am pretty sure the
certificate we generated is the culprit. The application has been working
fine for a year now in another environment where we generated our own key
but that was under Windows 2000.

Can anyone point me in a direction to resolve this? I am not really an
administrator but a developer and I need to figure out how to generate
certificates for signing and decrypting payloads. The certificate that
works has the property of Server Authentication just as the new one so I am
confused.

Thanks for your help,
Matt

Author: Paul Adare (Guest)
Posted: Wed Oct 19, 2005 8:51 am
Post subject: Re: Certificate Services Issues

In article <#joXTBH1FHA.736@tk2msftngp13.phx.gbl>, in the
microsoft.public.windows.server.security news group, Matt
<mdframe@sorvive.DONT-SEND-SPAM.com> says...

> I am working in an environment where we have installed Certificate Services
> on our Windows 2003 standard machine with Active Directory. We followed
> Mark Minasi's book on Windows Server 2003 but do not see the same template
> he uses in his client example. The drop down in his example has Server
> Authentication Certificate as the type but that is not in the list nor can I
> find it in any of the templates.

Certificate templates are only supported when the CA is installed on a
Windows Server 2003 Enterprise Edition computer, not on Standard. That
would explain the disconnect.

> We generated a Web Server type since we believed that had the attributes we
> are looking for but have found an issue. We worked up a test where we
> signed a document with the new certificate without any issues but when we
> try to decrypt the payload we get "Key not valid for use in specified
> state". We are not sure what is going on and I am pretty sure the
> certificate we generated is the culprit. The application has been working
> fine for a year now in another environment where we generated our own key
> but that was under Windows 2000.

I don't understand what you're trying to do here. First you mention that
you're signing a document and then you're saying that you're trying to
decrypt the document. What exactly are you trying to do here, sign or
encrypt?
--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Author: Matt (Guest)
Posted: Wed Oct 19, 2005 4:51 pm
Post subject: Re: Certificate Services Issues

Paul,

Sorry for the confusion but I was working on the problem very late in the
night.

What we are doing is using S/MIME to encrypt the payload with the public
key, transmit the document to another system, then decrypt using the private
key. This process is done by components we purchased from IP*Works for
SMIME. I just received an e-mail from them stating the error message I am
getting means when the private key was generated it was not enabled for
encryption. How do I do this then, and with which available option, since I
can't use the templates to get what I need? I assume then the only options
I have for certificates are the ones available in the drop down on the web
enrollment page, so which is the one I need?

Thanks for your help.
Matt

Author: Matt (Guest)
Posted: Wed Oct 19, 2005 4:51 pm
Post subject: Re: Certificate Services Issues

Paul,
I was just told that the reason this is failing is that the private key is
not marked as exportable. How do I set the web enrollment feature to allow
this?
Thanks,
Matt
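
The thread names two private-key properties as possible causes of "Key not valid for use in specified state": the key not being enabled for encryption, and the key not being marked exportable. The following is an added example, not part of the original posts, that reports both properties plus the certificate's Key Usage extension for each certificate in a store. It assumes Windows PowerShell 5.1 on .NET Framework and a CryptoAPI (CSP) private key; `Test-SmimeDecryptionCert` is a hypothetical helper name.

```powershell
# Added example: report the certificate and private-key properties that matter
# for S/MIME decryption. Test-SmimeDecryptionCert is a hypothetical helper name,
# not a built-in cmdlet. Assumes Windows PowerShell 5.1 and a CSP-based key.
function Test-SmimeDecryptionCert {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $x509  = 'System.Security.Cryptography.X509Certificates'
        $kuExt = $Certificate.Extensions |
            Where-Object { $_.GetType().FullName -eq "$x509.X509KeyUsageExtension" } |
            Select-Object -First 1
        # An absent Key Usage extension places no restriction at the certificate level.
        $allows = $true
        if ($kuExt) {
            $allows = $kuExt.KeyUsages.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        }
        $keySpec = $null; $exportable = $null; $note = $null
        if (-not $Certificate.HasPrivateKey) {
            $note = 'No private key is associated with this certificate.'
        } else {
            try {
                $info       = $Certificate.PrivateKey.CspKeyContainerInfo
                $keySpec    = $info.KeyNumber   # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
                $exportable = $info.Exportable
            } catch {
                # CNG or hardware-backed keys may not expose CSP container details.
                $note = "Private key could not be inspected: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject               = $Certificate.Subject
            Thumbprint            = $Certificate.Thumbprint
            KeyUsage              = if ($kuExt) { $kuExt.KeyUsages } else { '(extension absent)' }
            AllowsKeyEncipherment = $allows
            KeySpec               = $keySpec
            KeyExchangeCapable    = ($keySpec -eq [System.Security.Cryptography.KeyNumber]::Exchange)
            Exportable            = $exportable
            Note                  = $note
        }
    }
}

# Inspect every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-SmimeDecryptionCert | Format-List
```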