A fatal error occurred when attempting to access the SSL server credential private key: 0x8009030d
First published on MSDN on Apr 28, 2017 Recently, I have assisted a Premier customer who installed a new certificate on Windows Server 2008 R2 but was unable to bind the certificate to the Website hosted on IIS.
API Management – Validate API requests through Client Certificate.
Azure APIM – Validate API requests through Client Certificate using Portal, C# code and Http Clients Client certificates can be used to authenticate API requests made to APIs hosted using Azure APIM service. Detailed instructions for uploading client certificates to the portal can be found documented in the following article - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients Steps to authenticate the request – Via Azure portal Once we have setup the certificate authentication using the above article, we can test an operation for a sample API (Echo API in this case). Here, we have chosen a GET operation and selected the “Bypass CORS proxy” option. Once you click on the “Send” option, you would be asked to select the certificate that you would have already installed on your machine. Note – This is the same certificate that you would have uploaded for your APIM service and added to the trusted list in the certificate store of your workstation. After successful authentication and request processing, you would receive the 200 OK response code. Upon maneuvering to the trace logs, you can also see the certificate thumbprint that was passed for authentication. The inbound policy definition used for this setup is as below: (Kindly update the certificate thumbprint with your client certificate thumbprint) <choose> <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "BF3D644C46099A9D7C073EC002312878B8F9B847")"> <return-response> <set-status code="403" reason="Invalid client certificate" /> </return-response> </when> </choose> Through C# or any other language that supports SDKs- We can use the below sample C# code block to authenticate API calls and perform API operations. Kindly update the below highlighted values with your custom values before executing the sample code attached below Client certificate Thumbprint: BF3D644C46099A9D7C073EC002312878B8F9B847 Request URL: https://testapicert.azure-api.net/echo/resource?param1=sample Ocp-Apim-Subscription-Key: 4916bbaf0ab943d9a61e0b6cc21364d2 Sample Code: using System; using System.IO; using System.Net; using System.Security.Cryptography.X509Certificates; namespace CallRestAPIWithCert { class Program { static void Main() { // EDIT THIS TO MATCH YOUR CLIENT CERTIFICATE: the subject key identifier in hexadecimal. string thumbprint = "BF3D644C46099A9D7C073EC002312878B8F9B847"; X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); X509Certificate2 certificate = certificates[0]; System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications); HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://testapicert.azure-api.net/echo/resource?param1=sample"); req.ClientCertificates.Add(certificate); req.Method = WebRequestMethods.Http.Get; req.Headers.Add("Ocp-Apim-Subscription-Key", "4916bbaf0ab943d9a61e0b6cc21364d2"); req.Headers.Add("Ocp-Apim-Trace", "true"); Console.WriteLine(Program.CallAPIEmployee(req).ToString()); Console.WriteLine(certificates[0].ToString()); Console.Read(); } public static string CallAPIEmployee(HttpWebRequest req) { var httpResponse = (HttpWebResponse)req.GetResponse(); using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) { return streamReader.ReadToEnd(); } } public static bool AcceptAllCertifications(object sender, X509Certificate certification, X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; } } } Through Postman or any other Http Client To use client certificate for authentication, the certificate has to be added under PostMan first. Maneuver to Settings >> Certificates option on PostMan and configure the below values: Host: testapicert.azure-api.net (## Host name of your Request API) PFX file: C:\Users\praskuma\Downloads\abc.pfx (## Upload the same client certificate that was uploaded to APIM instance) Passphrase: (## Password of the client certificate) Once the certificate is uploaded on PostMan, you can go ahead and invoke the API operation. You need to add the Request URL in the address bar and also add the below 2 mandatory headers: Ocp-Apim-Subscription-Key : 4916bbaf0a43d9a61e0bsssccc21364d2 (##Add your subscription key) Ocp-Apim-Trace : true Once updated, you can send the API request and receive a 200 OK response upon successful authentication and request processing. For detailed trace logs, you can check the value for the output header - Ocp-Apim-Trace-Location and retrieve the trace logs from the generated URL.External email not received with NDR '550 5.4.317 Message expired, cannot connect to remote server(C
Hi all, we are getting some problem from one of the external domain not getting through. there is a NDR to the sender '550 5.4.317 Message expired, cannot connect to remote server(CertificateExpired)' I also run some test using checktls and it also report [001.696] Connection converted to SSL SSLVersion in use: TLSv1_3 Cipher in use: TLS_AES_256_GCM_SHA384 Perfect Forward Secrecy: yes Session Algorithm in use: Curve P-256 DHE(256 bits) Certificate #1 of 3 (sent by MX): EXPIRED Cert VALIDATION ERROR(S): certificate has expired So email is encrypted but the recipient domain is not verified ssl : scheme=smtp cert=94220930177 : identity=mail.domain.com cn=*.domain.com alt=2 *.domain2 domain.com Cert Hostname VERIFIED (mail.domain.com = *.domain.com | DNS:*.domain.com | DNS:domain.com) cert not revoked by OCSP Data: Version: 3 (0x2) Serial Number: 0e:cd:b7:0b:82:c2:46:0b::5c:0b:b4:29:5f:e2 Validity: Not Before: Oct 26 00:00:00 2021 GMT Not After: Nov 26 23:59:59 2022 GMT I have check all exchange server and mail security gateway, all using new ssl certificate. can anyone shed some light on this matter. Thank you allIntune Certificate Connector and OID 1.3.6.1.4.1.311.25.2
Hi, Way back in May when update KB5014754 broke cert auth for so many orgs it was identified that whilst RPC auto-enrolled certificates will get the new required OID the Intune certificate connector can't do the same. As the timeline on the KB (https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) states that enforcement will happen from updates released on February 14th 2023 is there any indication that a fix will be deployed for the intune certificate connector ahead of that time? We have many customers using intune enrolled certificates to authenticate for AOVPN, WiFi and more which will stop working once this change is enforced. February doesn't seem like a long time away when a solution likely means needing to get the connectors updated and other possible changes.
Android PKCS
Hello. We have a problem with PKCS deployment to Android devices from Intune Standalone. It looks like Intune only pushes the ROOT certificate to the device. The pkcs policy is marked green and the certificate is generated on the CA server and the logs/files on the NDESConnector server is saying that upload and everything worked ok. i tried an older android os in the NOX emulator, on this device i get notices that i have security credentials to import. one for the ROOT and one for the USER certs. Is it even possibleto deploy a pkcs cert to android devices? How did you configure the policys in order to get it to work? i have tried to change almost everything in the policy but cant get it to work. And all internet guides aint giving me any good suggestions.
Kaspersky asking for certificate
After the last update of Kaspersky (20.0.14.1085(c)), a window of Kaspersky shows up when I initiate Microsoft Edge Beta or Dev asking me to select a certificate. The window appears randomly since Edge still running sometimes I'm playing Overwatch then the game is minimized because of this window.
