Kojo
Kojo 25.08.2011 05:10 (GMT+2) Certificate Enrollment for System Center Operations Manager Agent

Hi, I need to request a certificate for a computer which is not a domain member. The certificate is needed for L2TP VPN. When I run certreq -new based on an inf file, I get an error that the template is not found. (Template not found. Do you wish to continue anyway?) Where should I run "certreq -new req.inf req.req"? On the issuing CA or the non-domain computer? I've used "Prepare certificate request template" and "Create a request file to use with an Enterprise CA" from SCENARIO 2. I have a two-tier PKI (offline root CA and Enterprise issuing subordinate CA). Thanks

RandyFranklinSmith
RandyFranklinSmith 01.08.2011 10:01 (GMT+2) How Applocker rules are processed

Awesome post and flow chart - thanks!

Andy Arismendi
Andy Arismendi 03.07.2011 12:51 (GMT+2) How to add FQDN to HP iLO request

After a bit more experimentation I was able to get it using this:

    $ip = [Convert]::ToBase64String(([System.Net.IPAddress] "10.0.1.2").GetAddressBytes())
    (New-Object -ComObject X509Enrollment.CAlternativeName).InitializeFromRawData(8, 0x1, $ip)

-Andy Arismendi

Andy Arismendi
Andy Arismendi 03.07.2011 12:40 (GMT+2) How to add FQDN to HP iLO request

I stumbled upon your article while researching how to create an alternative name that is an IP address using the CertEnroll API. From the MSDN documentation: http://msdn.microsoft.com/en-us/library/aa374981%28v=vs.85%29.aspx Here's what I've got: (New-Object -ComObject X509Enrollment.CAlternativeName).InitializeFromRawData(8, 0x1, $rawData) What I'm having trouble with is $rawData... I'm not sure how to convert "10.0.1.2" to "A BSTR variable that contains the DER-encoded data." as the documentation says... Can you help?
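The approach from the two comments above, carried through to an encoded Subject Alternative Name extension, as an added example that is not part of either comment or of the blog's own code. The function name `New-IpSanExtension` and the sample addresses are made up for illustration, and the example goes beyond the comments by also accepting IPv6 addresses, which use the same byte conversion.

```powershell
# Values from the CertEnroll enumerations used in the comments above
$XCN_CERT_ALT_NAME_IP_ADDRESS = 8     # AlternativeNameType: IP address
$XCN_CRYPT_STRING_BASE64      = 0x1   # EncodingType: base64 with no headers

# Hypothetical helper: builds a SAN extension object holding one entry per IP address.
function New-IpSanExtension {
    param([Parameter(Mandatory = $true)][string[]] $Address)

    $names = New-Object -ComObject X509Enrollment.CAlternativeNames
    foreach ($a in $Address) {
        $parsed = $null
        # Reject anything that is not an IP literal before it reaches the request.
        # Note: TryParse also accepts shortened IPv4 forms such as "10.1".
        if (-not [System.Net.IPAddress]::TryParse($a, [ref] $parsed)) {
            throw "Not an IP address: $a"
        }
        # Raw address bytes: 4 for IPv4, 16 for IPv6, passed as base64 text
        $b64 = [Convert]::ToBase64String($parsed.GetAddressBytes())

        $name = New-Object -ComObject X509Enrollment.CAlternativeName
        $name.InitializeFromRawData($XCN_CERT_ALT_NAME_IP_ADDRESS,
                                    $XCN_CRYPT_STRING_BASE64, $b64)
        $names.Add($name)
    }

    # Wrap the collection in the Subject Alternative Name extension
    $ext = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $ext.InitializeEncode($names)
    return $ext
}

# Constructed sample input: one IPv4 and one IPv6 address
$ext = New-IpSanExtension -Address '10.0.1.2', '2001:db8::1'
$ext.RawData($XCN_CRYPT_STRING_BASE64)   # base64 of the encoded extension
```

The returned object can be added to the `X509Extensions` collection of a CertEnroll request object before the request is encoded.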

Vadims Podans
Vadims Podans 29.06.2011 23:20 (GMT+2) Root Certification Authority (CA) CDP and AIA extension question

> If a client has certificate, on smart card used for logon, signed by SubCa revoked certificate, and he tries to log on and has old (cached) CRL, does that mean it will be able to log on?

Possibly yes. If a client is Windows Vista and newer, then it will attempt to check if the CA server has issued a new CRL prior to the planned publication date. This really depends on several factors. For more information please check this article: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=361c4644-9b1b-41fd-aaf9-370717edcbbc