Posts Tagged ‘certificate’

Customer has 2012 DC’s with NPS and the Azure MFA extension for their Cisco Meraki Client VPN
All staff were not able to connect to the VPN from 8am. I have not found why it started at this time. Users before this were able to log in…
Event Viewer showed Unknown username or bad password in use.

The NPS MFA extension leads you down a path that isn’t correct (for me). Dont trust this.

Also dont trust the reason codes in the NPS logs
You may see reason code 21, <Reason-Code data_type=”0″>21</Reason-Code></Event> Further pointing to MFA extension issues.
Run with powershell and select option 1 to temporarily remove the MFA requirement and attempt a login to prove its not MFA.
New errors in NPS logs.
I was getting <Reason-Code data_type=”0″>16</Reason-Code> Not the most helpful and there are LOTS of results. But I found the below recent article which fixed it for me. 
I did apply these keys for all the domain controllers. But that might be overkill and unnecessary. The real fix is to get off server 2012.
This isn’t complete yet, after enabling MFA I now have TLS and cipher errors from the MFA plugin. 
But hopefully this will be an easy fix.

GD Star Rating
GD Star Rating

Use this to Generate a Command for Open SSL e.g the below

openssl req -new -newkey rsa:2048 -nodes -out test_test_com.csr -keyout test_test_com.key -subj "/C=US/ST=Test/L=/O=Test/" 

Now add to the end : -config “C:\Program Files\Autonomy\WorkSite\Apache\conf\openssl.cnf”

In Comand Prompt Navigate to Openssl.exe (  C:\Program Files\Autonomy\WorkSite\Apache\bin ) 

Run the full command

openssl req -new -newkey rsa:2048 -nodes -out test_test_com.csr -keyout test_test_com.key -subj "/C=US/ST=Test/L=/O=Test/" -config "C:\Program Files\Autonomy\WorkSite\Apache\conf\openssl.cnf"

It will generate a .csr and a .key file , copy these to C:\SSL

Use the CSR with your certificate Authority to Generate a .crt file and also a chain file

Download these to C:\SSL

Open the file : C:\Program Files\Autonomy\WorkSite\Apache\conf\worksite.conf

Add or Change the Lines to the below

SSLCertificateFile “C:\SSL\certs_test_test_com.crt”
SSLCertificateKeyFile “C:\SSL\test_test_com.key”
SSLCertificateChainFile “C:\SSL\certs_DigiCertCA.crt”

Restart iManage Work Server Service



Copy “C:\SSL\test_test_com.key” to “C:\SSL\test_test_comkey.pem”

Open certs_test_test_com.crt with Notepad and copy the contents into a new file

Open certs_DigiCertCA.crt with Notepad and copy the contents to the below of the new file ( directly under the other certificate on a new Line ) 

Save this as C:\SSL\test_test_comfullchain.pem

On the Worksite Service Properties  , Configure Hosted DM

Change .PEM files to your new file



Restart iManageMicroServiceHub Service

GD Star Rating
GD Star Rating

Find the current cert location

sudo vi /etc/nginx/nginx.conf

Look for lines

ssl_certificate /etc/pki/nginx/cert.pem;

Go to Digicert and download .pem with All certs

Use WINSCP to copy this to /etc/pki/nginx/and change the config to look at the new PEM file : 

sudo vi /etc/nginx/nginx.conf

Restart Nginx

sudo service nginx restart
GD Star Rating
GD Star Rating

We could not access a Gatekeeper certificate. This can occur if:
•no certificates could be found on your system;
•your certificate has expired; or
•you hit “Cancel” when asked to select a certificate.

If you know you hold a current certificate and can see it in your certificate store, contact Support to trouble-shoot. They can assist with other possible causes such as:
•A missing certificate chain (root and intermediate certificates); or
•A proxy server on your company network interferring with SSL/TLS client authentication.


In Internet Explorer go to Internet Options then Content and Certificates

Under your Personal Tab double click on the most Recent Gatekeep Cert

Go to Certification Path and make sure it does not say The issuer of this certificate could not be found.

If it does say this it means your Root Chain is broken and you need to install the Gatekeeper Root 

Navigate to

Scroll to the bottom and download all the Root CA’s

Double Click on the X509 and install these using the Automatic Wizard ( you can select Trusted Route Authority the Second one down if you want to do Manually ) 

Back where you Opened up the Certificate in Internet Explorer , if you go back to the Personal Tab and Click on Import

Choose Browse , change the Input all Files you can import the PKCS#7 Files

Now when you go to Certification Path you should see multiple files there

GD Star Rating
GD Star Rating

citrixiconRecently I went through this to update a Cert on a Gatewat:

However the SSL certificate was still not updated

If you route traffic over a different port you need to run through this as well : 

Start , All Programs , Citrix , Administraion Tools , Secure Gateway Configuration Wizard

Choose Next and Standard

Pick your new Cert

Leave the rest of the options as default

GD Star Rating
GD Star Rating

The name of the security certificate is invalid or does not match the name of the siteRecently we moved exchange certificates to a certificate with no local SAN’s inside to be in compliance . This involves creating and A record for your external domain name internally , then changing all internet and external paths to the full qualified external domain name. Digicert has a great guide to do this :

After this is done, you can reissue the certificate with the local SAN’s removed using a new CSR ( .req file ) generated from Exchange and apply to all client access servers. 

This was done , however a few ( not all )  users in our organisation where getting the prompt above linking to autodiscover.domain.local . Checking on the effected users , it seems their Outlook were referencing old Exchange accounts that didn’t exist anymore in exchange. Removing these old accounts from outlook and restarting fixed this. Reprofiling will also fix this!

GD Star Rating
GD Star Rating