Posts Tagged PKI
When using a Nokia E7 to synchronize with your Exchange server you might get into trouble if your certificates contain the Issuance Policies (Certificate Policies) extension.
Sniffing the traffic I found that when trying to connect, the Nokia device sent a TLS Layer-1 Encrypted Alert (hex 02 0A) and killed the TLS negotiation. Initially I was pretty sure I had made some mistake when I installed my root CA certificate on the device, but after double-checking that, I was still unable to get the TLS handshake to work.
After a few hours of troubleshooting I found that the problem was that the certificate I used on my Exchange CAS server had an Issuance Policy referring to my CPS. In order for the Nokia E7 device to be able to consume any of my internal https sites I needed to change the certificate template, remove the Issuance Policy extension and renew the certificates used by my Exchange CAS and other internal websites.
After that the Nokia E7 was able to synchronize and access other internal https sites.
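The check a PKI administrator would want after the post above, as an added example that is not the author's code: walk the DER-encoded Extensions of a certificate and report whether the Certificate Policies extension (OID 2.5.29.32) is present and which policy OIDs it carries. The sample extension set, its private policy OID and the CPS URL are constructed placeholders, not values from the post; the parser itself works on the Extensions SEQUENCE of any certificate.

```python
def der(tag, payload):  # short-form DER TLV; the sample's lengths all stay below 128 bytes
    return bytes([tag, len(payload)]) + payload


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (arcs after the second are base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        while arc := arc >> 7:
            chunks.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunks)
    return der(0x06, body)


def decode_oid(body):
    """Inverse of oid(): OBJECT IDENTIFIER contents back to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this arc is complete
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))


def tlvs(buf):  # yield (tag, contents) for each TLV packed in buf; handles long-form lengths
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n


def certificate_policies(extensions):
    """Policy OIDs from the Certificate Policies extension, [] if absent; `extensions` is the DER Extensions SEQUENCE."""
    for _, ext in tlvs(next(tlvs(extensions))[1]):
        fields = list(tlvs(ext))  # extnID, optional critical BOOLEAN, extnValue
        if decode_oid(fields[0][1]) == "2.5.29.32":
            _, infos = next(tlvs(fields[-1][1]))  # OCTET STRING wraps SEQUENCE OF PolicyInformation
            return [decode_oid(next(tlvs(info))[1]) for _, info in tlvs(infos)]
    return []


def sample_extensions(with_policy):
    """Constructed sample, not taken from the post: keyUsage plus an optional issuance policy."""
    exts = der(0x30, oid("2.5.29.15") + der(0x01, b"\xff") + der(0x04, der(0x03, b"\x05\xa0")))
    if with_policy:  # placeholder private policy OID with a CPS URI qualifier (id-qt-cps)
        cps = der(0x30, oid("1.3.6.1.5.5.7.2.1") + der(0x16, b"http://pki.example.test/cps.html"))
        info = der(0x30, oid("1.3.6.1.4.1.99999.1.1") + der(0x30, cps))
        exts += der(0x30, oid("2.5.29.32") + der(0x04, der(0x30, info)))
    return der(0x30, exts)
```

A non-empty result means the template still stamps an Issuance Policy into the certificate, which is the condition the post found the Nokia E7 rejecting.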
Since I work a lot with PKI design, I can’t help wondering how someone like Comodo/Usertrust can still be considered trustworthy. In my opinion the update should be to remove them from the list of trusted issuers! I think that the fact that VeriSign got away with it in 2001 has set a standard that we can continue to trust issuers even if they have proven not to be trustworthy.
I think that this is a very dangerous path, since it will lower the trust in certificates as a secure identity.
After the attack on Comodo late last week, please make sure to install the update described in the Microsoft Security Advisory "Fraudulent Digital Certificates Could Allow Spoofing".