Posts Tagged ‘certificate’

In an older blog post on Certificate Authorities, I provided some information about the process for generating Exchange 2007 certificates. This process has changed slightly in Exchange 2010, and Johan Delimon (pro-exchange.be) has written an excellent article about this: Generating Exchange 2010 Certificates (Exchange Management Shell)

The 2 most important changes are:

- the New-ExchangeCertificate cmdlet no longer supports the -Path parameter (so requests cannot be written directly to disk)
- the 2007 GUI at Digicert still uses the -Path parameter, so a new GUI was created to support 2010 certificate requests

In short, the updated procedure is:

1. Generate the PowerShell command using the updated GUI at Digicert: https://www.digicert.com/easy-csr/exchange2010.htm
2. Save the Exchange certificate request into a $Data variable
3. Write the contents of the $Data variable to a file (Set-Content -Path "c:\request.req" -Value $Data)

Then, …

In one of my earlier posts, I talked about setting up a Windows 2008 based Certificate Authority/PKI. Once your Windows 2008 CA setup is in place and configured, you can go ahead and start issuing certificates. But at the same time, you need to put a maintenance/management procedure in place so you can stay on top of certain tasks, such as processing pending certificate requests or identifying certificates that will expire and need manual renewal. Unfortunately, there is no easy way to get notified when new requests are pending or when certificates will expire somewhere in the future. I wrote a small script that will help you put this maintenance process in place. This free utility requires the .NET Framework and proper permissions to connect to the CA admin interface. It uses the Windows Server 2003, …

Before looking at the various configuration steps, we'll have to take the following assumptions into account:

- We don't want to use the Netscreen Remote client, but we want to use the Windows XP built-in dialup VPN technology that allows us to build PPTP or L2TP/IPSec connections. Juniper ScreenOS does not support PPTP (which is not as safe as IPSec anyway).
- The XP clients will have dynamic IPs. They are either directly connected to the internet, or connected behind a firewall/router that is capable of forwarding ESP packets. Keep in mind that NAT traversal cannot be used. (So if the client is behind a NAT router, it will not work out of the box (because it will try to send the FQDN as peer ID instead of the IP address). There is a fix, but it requires you to …

