Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1222161

Summary: Need better instructions about how to get Windows CA cert
Product: Red Hat Enterprise Linux 7 Reporter: Rich Megginson <rmeggins>
Component: doc-Windows_Integration_GuideAssignee: Marc Muehlfeld <mmuehlfe>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.1CC: apetrova, mmuehlfe, mreynolds, nathan, nhosoi, nkinder, rmeggins
Target Milestone: rcKeywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 11:55:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Megginson 2015-05-15 23:12:17 UTC 
Description of problem:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html

These instructions do not work for all versions of windows.  The user reported that he had to do the following:

* Run mmc.exe and add the certificates snap-in.
* Go to personal certificates store for the machine account
* Export the certificate that has -CA at the end of it in the "issued to" column.

We need to make sure we emphasize that it is the Certificate Authority (CA) certificate that is needed for export, not the server certificate or other certificate.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 nathan 2015-05-16 20:49:52 UTC 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html

Section 7.5.1 (3) States to Open My Network Places.  My Network Places only exists in Windows Server 2003 and has been removed in Server 2008 and above.  Given that the AD sync is only configured to work with 2008r2 and above, it makes no sense to give instructions for an incompatible version of windows.

In server 2008r2 and server 2012r2 the following steps must be taken to export the CA certificate.  

Both of these 2 ways will work

using mmc snap-in
-----------------
1) Go to the start menu and search for (and run) 'mmc.exe'
2) When it opens go to the file menu and choose 'Add/Remove Snap-in...'
3) Click on 'certificates' and then click the 'Add >' button.
4) In the popup that appears choose 'Computer Account' and click 'Next' then choose 'Local Computer' and click Finish
5) Click OK and you will be back at the console root with the certificates snap-in showing.
6) Open 'Certificates (Local Computer)' then open 'Personal' and then click on 'Certificates'
7)Right click on the certicate with the following name : <ntdomain>-<servername>-CA and choose 'open'
*This replaces step 1 and 2.  Step 3 and above are still correct*

using Certification Authority applet
----------------------------------
1)Go to the start menu and then 'Administrative Tools' and open 'Certification Authority'
2)Open 'Certification Authority (Local)' and right click on the CA below it and choose 'Properties'
3)On the popup that appears on the 'General' tab, you should see a list of CA certifices with a single entry 'Certificate #0'.  Highlight this certificate and click the 'View Certificate' button.
*This replaces step 1 and 2 of the incorrect manual entry.  Step 3 and above are still correct*
Comment 3 Marc Muehlfeld 2016-05-02 15:51:29 UTC 
I updated the steps in a way that it is usable on Windows Server 2008 and 2012.
Comment 9 Aneta Šteflová Petrová 2016-06-10 11:55:52 UTC 
Published in an asynchronous update.