Posted by S. Pidgorny on October 13, 2005, 9:09 pm
The message does make sense: the DC certificate doesn't have the Certificate
Signing key usage attribute. Only CA certificates have that attribute. Why
would SiteMinder require using a CA certificate?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> HELP!!!
>
> We are trying to convert a certificate from .CER format to OpenSSL format,
> for Active Directory domain controllers so that Siteminder can use them. In
> Windows everything looks fine (the certificate chain up through the
> intermediate CA to the root CA is fine) but when we try to verify the
> certificates generated via autoenrollment for the DCs we get this message:
>
> "Not certified for Certificate Signing"
>
> Here's the really strange part: as an experiment I exported additional
> copies of the .CER versions of the two certificates which were successfully
> converted to OpenSSL back in December of last year. We have to use Netscape
> 4.x in order to do this. They are obviously working because Siteminder is
> successfully using them right now. But even THEY gave the same "Not
> certified for Certificate Signing" when I took them through the process
> again. I'm thinking there must be something in the process I'm not doing
> right. I know they're not really for signing other certificates, they're
> just for client/server authentication and for LDAP over SSL, but I don't
> know what I need to do to get them verified.
>
> Any suggestions appreciated
>
>