Bug 1222161 - Need better instructions about how to get Windows CA cert
Summary: Need better instructions about how to get Windows CA cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Windows_Integration_Guide
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Marc Muehlfeld
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-15 23:12 UTC by Rich Megginson
Modified: 2019-03-06 00:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 11:55:52 UTC
Target Upstream Version:
Embargoed:



Description Rich Megginson 2015-05-15 23:12:17 UTC
Description of problem:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html

These instructions do not work for all versions of Windows. The user reported that he had to do the following:

* Run mmc.exe and add the certificates snap-in.
* Go to the personal certificates store for the machine account.
* Export the certificate that has -CA at the end of it in the "issued to" column.

We need to make sure we emphasize that it is the Certificate Authority (CA) certificate that is needed for export, not the server certificate or other certificate.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 nathan 2015-05-16 20:49:52 UTC
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html

Section 7.5.1 (3) states to open My Network Places. My Network Places only exists in Windows Server 2003 and has been removed in Server 2008 and above. Given that the AD sync is only configured to work with 2008r2 and above, it makes no sense to give instructions for an incompatible version of Windows.

In Server 2008r2 and Server 2012r2 the following steps must be taken to export the CA certificate.

Both of these 2 ways will work:

using mmc snap-in
-----------------
1) Go to the start menu and search for (and run) 'mmc.exe'
2) When it opens go to the file menu and choose 'Add/Remove Snap-in...'
3) Click on 'certificates' and then click the 'Add >' button.
4) In the popup that appears choose 'Computer Account' and click 'Next' then choose 'Local Computer' and click Finish
5) Click OK and you will be back at the console root with the certificates snap-in showing.
6) Open 'Certificates (Local Computer)' then open 'Personal' and then click on 'Certificates'
7) Right click on the certificate with the following name: <ntdomain>-<servername>-CA and choose 'open'
*This replaces step 1 and 2.  Step 3 and above are still correct*

using Certification Authority applet
------------------------------------
1) Go to the start menu and then 'Administrative Tools' and open 'Certification Authority'
2) Open 'Certification Authority (Local)' and right click on the CA below it and choose 'Properties'
3) On the popup that appears on the 'General' tab, you should see a list of CA certificates with a single entry 'Certificate #0'. Highlight this certificate and click the 'View Certificate' button.
*This replaces step 1 and 2 of the incorrect manual entry.  Step 3 and above are still correct*
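
The selection that the mmc steps above make by eye, as an added PowerShell example that is not part of the original comment or of the Red Hat guide: it lists the machine account's Personal store, keeps only certificates whose Basic Constraints mark them as a CA, and exports the public certificate. The output path and variable names are assumptions made for this example.

```powershell
# Added example, not from the bug report. Run elevated on the Windows CA server.
# Assumption: $OutFile is a placeholder path chosen for this example.
$OutFile = 'C:\Temp\ad-ca.cer'

# Computer account -> Personal -> Certificates: the store opened in the mmc steps.
$store = Get-ChildItem -Path Cert:\LocalMachine\My

# Keep only certificates whose Basic Constraints extension marks them as a CA.
# Server and client certificates in the same store fail this test.
$cas = @($store | Where-Object {
    $bc = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $bc -and $bc.CertificateAuthority
})

# Show what was found so the name can be compared with <ntdomain>-<servername>-CA.
$cas | Format-List Subject, Issuer, NotAfter, Thumbprint

# Refuse to guess when the store holds no CA certificate or more than one.
if ($cas.Count -ne 1) {
    throw "Found $($cas.Count) CA certificates in LocalMachine\My; select one by thumbprint."
}

# Export the public certificate only (DER encoded). No private key is written.
$der = $cas[0].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)
Write-Host "Exported $($cas[0].Subject) to $OutFile"
```

The file is DER encoded; `certutil -encode` converts it to base-64 if the step that consumes it expects that form.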

Comment 3 Marc Muehlfeld 2016-05-02 15:51:29 UTC
I updated the steps so that they are usable on Windows Server 2008 and 2012.

Comment 9 Aneta Šteflová Petrová 2016-06-10 11:55:52 UTC
Published in an asynchronous update.

