I am understanding that a DAG is recommended but not required for an ON-prem deployment of exchange 2016. This I presume because if the 1 and only exchange server goes down no email can route.  
When a person puts in there email and password into Outlook program its supposed to automatically get the data needed to setup the email however it fails, because the exchange server has been setup incorrectly.
If we deploy a DAG will that in a step fix this issue/resolve the Auto config settings problem.

Thank you for your help in advance

What is the best way to create a CA Sign Cert Request with multiple SAN's in Powershell?

I need to request a cert with about 120 SAN's in it. Obviously, I know that can be done in the GUI but I'd rather not go through the pain of that.

I know Powershell has the cmdlet: New-SelfSignedCertificate. I am not creating or attempting to create a selfassigned. I need to create a CA signed request so that I can send to the CA..

Any information on this would be greatly appreciated. If possible, an example with SAN creations would be great.

Thanks!

I am running Server 2012 datacenter, IIS 8.  SSLabs.com says that I have SSL 3.0 enabled on the server and i do not believe i do. I have used IIS Crypto to disable it. I also followed https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html and verified registry. I rebooted as well.

Any thoughts?

I have a development nginx system that is requiring https to login. Is there a switch or variable that will make admin to default to http instead?

This site isn't propagated so no ssl on site.

Google Chrome Browser: 75.0.3770.142 (Official Build) (32-bit)
Windows OS (10 & 8.1)

BACKGROUND
The speed of loading web pages in my Google Chrome Browser had become slow. While looking through the advanced settings of the Google Chrome Browser, I clicked on the selection titled: "Manage Certificates". I noticed there are a large number of certificates.

QUESTION
(see Title of this post)
When, if ever, does it become (a) necessary or (b) advisable to remove (delete) one or more SSL certificates?
Is there a method that allows you to easily find "expired" certificates?
What would be the expected result if one were to remove ALL certificates? Could this cause problems, or would they simply reinstall themselves as needed, when those sites were visited again?

I  am running my site on IIS 6.  Have installed SSL and when I call it on https I get the following error.


Tried clearing the cookies on browser but no luck.
Untitled.png

Hello Experts,

I'm seeing a strange issue on some of our PCs.  Basically users are certificate related errors when they are browsing to different sites.  When I look at the certificates on their computers via the Certificates MMC, I see the root certificate authorities folder is populated as expected.  However when I look at the intermediate certificate authorities folder, the only intermediate CA in there is our internal intermediate CA.  Does anyone have any ideas on what may have caused this?  I have read that MS maintains a list of root CAs.  Does it maintain a list of intermediate CAs?  If so, how can I use this list to update the intermediate CA folder on the PCs having issues?

As always, thanks for your help.

Nick

Site certificate says "Not Secure / Invalid" when I have already applied certificate settings matching it.

I'm current using port 443 (default port) and using Starfield certification. Applied the certificates to the local computer and user certificate registry generated from the keystore file. I couldn't seem to grasp what is still missing? Please help.

Can somebody please explain on the IIS SSL with the creation of the port 443 with the cert making the https for the web site yet there is on the SSL Settings a "Require SSL" checkbox.

What is the significance of the "Require SSL" when the there is already the port 443 (https)?

Any information on this would be greatly appreciated.

This is under Windows 2016 Server with IIS 10.

Thanks

Regarding VMware Advisory ID |VMSA-2019-0008
https://www.vmware.com/in/security/advisories/VMSA-2019-0008.html

Did checked the KB article -have few queries in mind to confirm with experts so that Fix can be applied if required
For Sequential and Concurrent Attack- Fix to be applied....

[1] Do We need to First Upgrade VC/VCSA  to Fixed Version -which is yet showing as Pending OR if we simply can make changes @Esxi -Advanced Setting - for Value  known as

VMkernel.Boot.hyperthreadingMitigation

?

[2] What all are precautions /prerequisites  if We need to verify for running applications /certificates/SSL in use @VM on different host under VC?

[3] There are Few Host  showing warning with

esx.problem.hyperthreading.unmitigate

-So Can We simply update the Value to fix the issue or nay more prerequisites  required ?

[4] There are Host in VC where we are not able to locate the value to be updated ? while there are host where we can locate n update the value ?
Is It limited to specific version/Patch @VC /Esxi ?
Please help if we can plan for fix if it is required  ?

We have an Exagrid server (de-duplicating storage device which is running some flavor of linux) on our internal network.

Its IP address is 10.1.1.40

It issued its own self-signed certificate:  Certificate Path = "Exagrid Local Root CA \ Exagrid Local Site CA \ dev1.ourdomain.com"

When I browse to:  httpS://10.1.1.40  (or to httpS://exagrid.mydomain.com),  I get the error: "Certificate cannot be verified up to trusted certification authority"

Question: what's the best practice so that any client on our internal network can talk httpS to this internal exagrid linux server?

Should the exagrid folks provide me a certificate that I'm supposed to distribute to all the clients on our internal windows network?

Or, am I supposed to get a public certificate for exagrid.mydomain.com which would resolve to an internal 10.1.1.40 address?

Exagrid provided me a file names: cacert.pem ;  I'm not sure what to do with this.

Thanks and sorry if this is a really dumb question.

Mike

Hello,

Clients in the company send me CSRs to generate certificates from.  I use the Entrust CSR Viewer to look at the look contents before approving them.  

Under Properties I sometimes see Signature Type as sha1WithRSAEncryption and sometimes as sha256WithRSAEncryption.   Why is that ?  Is it because the users are submitting the CSRs from different Windows Server OSs ? or are the users selecting sha1WithRSAEncryption by mistake ?  Are the ones that are sha1WithRSAEncryption going to cause issues down the road ?

Please see the attachments.

Thanks,  Mona.

I have a multi tenant web app

Users can create trials, and I assign they url like so
123.mydomain.com
124.mydomain.com
125.mydimain.com

123 = db Id of that trial.

This all works great
However its not on https

I use certify the web for iis https certificates
I would like to have a wildcard cert
*. Mydomain.Com

So that all these trials are on https
Ideally I don't want to pay for certificate or have to enter the bindings for every site for the trials

What options do I have? Is this possible
Entering bindings is a bigger head ache than buying a wildcard
But ideally let's encrypt /certify the web would do it all

I use 123-reg to manage domain dns