From 033bc4de1470e4fc3a5487da5ce3e90cb55fbefa Mon Sep 17 00:00:00 2001
From: "ivan.zamkovyi"
Date: Thu, 12 Mar 2026 15:56:18 +0200
Subject: [PATCH 01/10] update information about ssl certificate

---
 .../11.1/install/upgrade/upgrade.md | 35 ++++++
 .../11.1/requirements/permissions/overview.md | 2 +-
 .../11.1/requirements/sslcertificate.md | 48 +++++++
 .../ssl_certificate_connection_failures.md | 119 ++++++++++++++++++
 .../2-1-check_certificate_validity.webp | Bin 0 -> 7152 bytes
 .../upgrade/2-1-verify_certificate_chain.webp | Bin 0 -> 3382 bytes
 6 files changed, 203 insertions(+), 1 deletion(-)
 create mode 100644 docs/directorymanager/11.1/requirements/sslcertificate.md
 create mode 100644 docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md
 create mode 100644 static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp
 create mode 100644 static/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp

diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md
index 43be80f613..466938805c 100644
--- a/docs/directorymanager/11.1/install/upgrade/upgrade.md
+++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md
@@ -23,6 +23,41 @@ Step 2 – Read the welcome message and click **Next**. ![2-select_source_version](/images/directorymanager/11.1/install/upgrade/2-select_source_version.webp) +Step 2.1: Verify SSL/TLS Certificates + +**CRITICAL PRE-UPGRADE STEP** + +Before proceeding with the upgrade, verify that all SSL/TLS certificates used for LDAP connections and authentication services are properly configured: + +**Verification Steps:** + +1. **Verify certificate installation:** + - Open Certificate Manager: `certlm.msc` + - Navigate to: **Trusted Root Certification Authorities** → **Certificates** + - Confirm all required certificates are present in this store + +2. **Check certificate validity:** + - Double-click each certificate + - Verify "Valid from" and "Valid to" dates + - Ensure certificates are not expired +![2-1-check_certificate_validity](/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp) + +3. **Verify certificate chain:** + - In certificate details, go to **Certification Path** tab + - Ensure all certificates in the chain show "This certificate is OK" + - Verify no revocation errors +![2-1-verify_certificate_chain](/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp) + +:::warning +- Connections using self-signed certificates NOT in the Trusted Root CA store will FAIL after upgrade +- Authentication and LDAP operations will be blocked if certificates are invalid +::: + +**If any certificates are missing or invalid:** +- STOP the upgrade process +- Install/update certificates +- Re-verify all certificates before continuing + Step 3 – From the Select the previous version to upgrade list, select the Directory Manager version to upgrade from. diff --git a/docs/directorymanager/11.1/requirements/permissions/overview.md b/docs/directorymanager/11.1/requirements/permissions/overview.md index a6f82d6a3a..df08edd688 100644 --- a/docs/directorymanager/11.1/requirements/permissions/overview.md 
+++ b/docs/directorymanager/11.1/requirements/permissions/overview.md @@ -1,7 +1,7 @@ --- title: "Service Account Permissions" description: "Service Account Permissions" -sidebar_position: 60 +sidebar_position: 70 --- # Service Account Permissions diff --git a/docs/directorymanager/11.1/requirements/sslcertificate.md b/docs/directorymanager/11.1/requirements/sslcertificate.md new file mode 100644 index 0000000000..fcb5518dec --- /dev/null +++ b/docs/directorymanager/11.1/requirements/sslcertificate.md 
@@ -0,0 +1,48 @@ +--- +title: "SSL Certificate for LDAP/Authentication" +description: "SSL Certificate for LDAP/Authentication" +sidebar_position: 60 +--- + +# SQL Certificate for Windows Authentication + +Before installing or configuring GroupID Admin Center, ensure all SSL/TLS certificates used for +LDAP and authentication services meet the following requirements: + +#### Certificate Installation Location +- **Self-signed certificates MUST be installed in the Trusted Root Certification Authorities store** + - Store Location: `LocalMachine` (Computer account) + - Store Name: `Root` (Trusted Root Certification Authorities) + - Access via: `certlm.msc` → Trusted Root Certification Authorities → Certificates + +#### Certificate Validity Requirements +Certificates are validated against these criteria: + +1. **Certificate must not be null** - A valid certificate must be presented +2. **Certificate must be within validity period** +3. **Certificate must not be revoked** +4. **Certificate chain must be complete and trusted** + - Chain must build successfully using system trust mode + - All intermediate certificates must be available + - Root certificate must exist in the Trusted Root CA store +5. **Root certificate thumbprint must match** + +#### Installation Steps for Self-Signed Certificates + +1. Open Certificate Manager for Local Machine: + ``` + certlm.msc + ``` + +2. Navigate to: **Trusted Root Certification Authorities** → **Certificates** + +3. Right-click **Certificates** → **All Tasks** → **Import** + +4. Follow the Certificate Import Wizard: + - Select your certificate file (.cer, .crt, or .pfx) + - Ensure "Place all certificates in the following store" is set to **Trusted Root Certification Authorities** + - Complete the import + +5. Verify the certificate appears in the Trusted Root CA store + +6. Restart the GroupID Admin Center service/application pool \ No newline at end of file 
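Review bot: the H1 `# SQL Certificate for Windows Authentication` contradicts the front matter title `SSL Certificate for LDAP/Authentication` a few lines above it; this looks like a typo for SSL, and the two should agree. In step 4 of the installation steps, `.pfx` is listed next to `.cer` and `.crt`: a PFX normally carries the private key, which the Trusted Root store does not need in order to establish trust, so suggest telling readers to import only the public certificate there. Requirement 5, `Root certificate thumbprint must match`, does not say what the thumbprint is compared against or where the expected value is configured.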
diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md new file mode 100644 index 0000000000..e992aa1e22 --- /dev/null +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md 
@@ -0,0 +1,119 @@ +--- +description: >- + This article addresses the issues of SSL Certificate due to expired or revoked certificate, incorrect location. +keywords: + - SSL Certificate + - certificate is invalid +sidebar_label: SSL Certificate Issue +tags: + - troubleshooting-and-errors +title: "SSL Certificate Connection Failures" +knowledge_article_id: ??? +products: + - directorymanager +--- + +### SSL Certificate Connection Failures + +#### Symptom +- Authentication failures when accessing GroupID Admin Center +- LDAP connection errors +- "The remote certificate is invalid" errors +- HTTP 401 Unauthorized responses +- Service fails to start or authenticate users + +#### Root Cause +The upgraded version implements strict SSL/TLS certificate validation that enforces: +- Certificate validity period checking +- Certificate chain validation with system trust mod +- Root certificate must exist in Trusted Root CA store +- Online revocation checking + +Self-signed certificates or certificates with incomplete chains that were previously accepted may now fail validation. + +#### Diagnostic Steps + +1. **Check Application Logs:** + - Review GroupID Admin Center logs for SSL/certificate errors + - Look for exceptions related to `X509Certificate2` or `SslPolicyErrors` + +2. **Verify Certificate Installation:** + ``` + certlm.msc + ``` + - Navigate to: **Trusted Root Certification Authorities** → **Certificates** + - Confirm the certificate is present + +3. **Check Certificate Validity:** + - Double-click the certificate + - Verify it's not expired (check "Valid from" and "Valid to" dates) + - Check "Certificate Status" - should show "This certificate is OK" + +4. **Verify Certificate Chain:** + - In certificate properties, go to **Certification Path** tab + - All certificates in the chain should show as valid + - No red X marks should appear + +5. 
**Test Certificate Thumbprint:** + - Note the certificate thumbprint from certificate details + - Verify it matches the expected certificate + +#### Resolution Steps + +**For Self-Signed Certificates:** + +1. **Install certificate in Trusted Root CA store:** + ``` + certlm.msc + ``` + - Navigate to: **Trusted Root Certification Authorities** → **Certificates** + - Right-click **Certificates** → **All Tasks** → **Import** + - Select your certificate file + - Complete the import wizard + +2. **Verify installation:** + - Confirm certificate appears in Trusted Root CA store + - Check thumbprint matches expected value + +3. **Restart services:** + - Restart IIS Application Pool (if using IIS) + - Or restart GroupID Admin Center service + - Or restart the web application + +**For Expired Certificates:** + +1. Obtain new certificate with valid dates +2. Install new certificate in Trusted Root CA store +3. Update service configuration to use new certificate +4. Remove old expired certificate from store +5. Restart services + +**For Revoked Certificates:** + +1. Obtain new non-revoked certificate +2. Install in Trusted Root CA store +3. Update configuration +4. Restart services + +**For Incomplete Certificate Chains:** + +1. Obtain all intermediate certificates +2. Install intermediate certificates in Intermediate Certification Authorities store +3. Ensure root certificate is in Trusted Root CA store +4. Verify chain builds correctly +5. Restart services + +#### Verification After Resolution + +1. **Test authentication:** + - Access GroupID Admin Center login page + - Attempt to authenticate + - Verify successful login + +2. **Check logs:** + - Confirm no SSL/certificate errors + - Verify successful LDAP connections + +3. **Monitor services:** + - Ensure services remain running + - Check for any recurring certificate errors \ No newline at end of file 
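Review bot: under **For Expired Certificates** and **For Revoked Certificates** in ssl_certificate_connection_failures.md, the steps say to install the replacement in the Trusted Root CA store regardless of certificate type, which only fits the self-signed case; for a CA-issued certificate this would make a leaf certificate a trust anchor, so suggest scoping those steps to self-signed certificates and sending CA-issued ones to the incomplete-chain procedure. Root Cause lists `Online revocation checking`, but Diagnostic Steps has no check that the server can reach the CRL or OCSP endpoints, a likely reason for a previously accepted certificate to start failing. Smaller items: `system trust mod` is truncated (the requirements page added in this same patch says `system trust mode`), and `knowledge_article_id: ???` is a placeholder in the front matter.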
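Review bot: in upgrade.md Step 2.1, `Confirm all required certificates are present in this store` gives the reader no way to tell which certificates are required; suggest naming the source (for example, the certificate presented by each LDAP server the product connects to) or linking to the requirements page added in this patch. The heading `Step 2.1: Verify SSL/TLS Certificates` uses a colon where the surrounding steps use `Step 2 –` and `Step 3 –`, and the two image lines sit flush left directly under list items with no blank line, which will likely end the numbered list in the rendered page; indent them under their list item.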
diff --git a/static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp b/static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp new file mode 100644 index 0000000000000000000000000000000000000000..591f3f8c841e261646075f8dc8527cd1d31881dc GIT binary patch literal 7152
 Date: Thu, 19 Mar 2026 13:23:40 +0200 Subject: [PATCH 02/10] update ssl_certificate_connection_failures.md file --- .../ssl_certificate_connection_failures.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md index e992aa1e22..a2925b15ed 100644 --- a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md @@ -8,7 +8,6 @@ sidebar_label: SSL Certificate Issue tags: - troubleshooting-and-errors title: "SSL Certificate Connection Failures" -knowledge_article_id: ??? products: - directorymanager --- From 2267ab9beb91e4ce693fd9d0dd7cfa5753130de9 Mon Sep 17 00:00:00 2001
From: "ivan.zamkovyi" Date: Thu, 19 Mar 2026 13:48:38 +0200 Subject: [PATCH 03/10] change 'may' to might --- .../ssl_certificate_connection_failures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md index a2925b15ed..b6ba198e87 100644 --- a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md @@ -28,7 +28,7 @@ The upgraded version implements strict SSL/TLS certificate validation that enfor - Root certificate must exist in Trusted Root CA store - Online revocation checking -Self-signed certificates or certificates with incomplete chains that were previously accepted may now fail validation. +Self-signed certificates or certificates with incomplete chains that were previously accepted might now fail validation. #### Diagnostic Steps From d5f79ca61a745815c59ad75fd42d86c7cb24274f Mon Sep 17 00:00:00 2001 From: "ivan.zamkovyi" Date: Wed, 15 Apr 2026 09:59:41 +0300 Subject: [PATCH 04/10] update knowledge_article_id attribute --- .../ssl_certificate_connection_failures.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md index b6ba198e87..6619224a14 100644 --- a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md @@ -8,6 +8,7 @@ sidebar_label: SSL Certificate Issue tags: - troubleshooting-and-errors title: "SSL Certificate Connection Failures" +knowledge_article_id: kA0Qk000000XXXXKAA products: - directorymanager --- 
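Review bot: the value added in [PATCH 04/10], `knowledge_article_id: kA0Qk000000XXXXKAA`, still reads like a template because of the `XXXX` run in the middle. PATCH 02/10 removed `???` from the same key, so please confirm this is the article's assigned id before merge, or leave the key out until one exists.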
From 3d1451034e2ae2a1225f0491ea7c5965d35c61aa Mon Sep 17 00:00:00 2001 From: "ivan.zamkovyi" Date: Wed, 15 Apr 2026 10:21:35 +0300 Subject: [PATCH 05/10] change groupId name to directory manager --- docs/directorymanager/11.1/requirements/sslcertificate.md | 4 ++-- .../ssl_certificate_connection_failures.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/directorymanager/11.1/requirements/sslcertificate.md b/docs/directorymanager/11.1/requirements/sslcertificate.md index fcb5518dec..a90cee644a 100644 --- a/docs/directorymanager/11.1/requirements/sslcertificate.md +++ b/docs/directorymanager/11.1/requirements/sslcertificate.md @@ -6,7 +6,7 @@ sidebar_position: 60 # SQL Certificate for Windows Authentication -Before installing or configuring GroupID Admin Center, ensure all SSL/TLS certificates used for +Before installing or configuring Directory Manager Admin Center, ensure all SSL/TLS certificates used for LDAP and authentication services meet the following requirements: #### Certificate Installation Location @@ -45,4 +45,4 @@ Certificates are validated against these criteria: 5. Verify the certificate appears in the Trusted Root CA store -6. Restart the GroupID Admin Center service/application pool \ No newline at end of file +6. Restart the Directory Manager Admin Center service/application pool \ No newline at end of file diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md index 6619224a14..71f56b0faa 100644 --- a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md 
@@ -16,7 +16,7 @@ products: ### SSL Certificate Connection Failures #### Symptom -- Authentication failures when accessing GroupID Admin Center +- Authentication failures when accessing Directory Manager Admin Center - LDAP connection errors - "The remote certificate is invalid" errors - HTTP 401 Unauthorized responses @@ -34,7 +34,7 @@ Self-signed certificates or certificates with incomplete chains that were previo #### Diagnostic Steps 1. **Check Application Logs:** - - Review GroupID Admin Center logs for SSL/certificate errors + - Review Directory Manager Admin Center logs for SSL/certificate errors - Look for exceptions related to `X509Certificate2` or `SslPolicyErrors` 2. **Verify Certificate Installation:** @@ -77,7 +77,7 @@ Self-signed certificates or certificates with incomplete chains that were previo 3. **Restart services:** - Restart IIS Application Pool (if using IIS) - - Or restart GroupID Admin Center service + - Or restart Directory Manager Admin Center service - Or restart the web application **For Expired Certificates:** @@ -106,7 +106,7 @@ Self-signed certificates or certificates with incomplete chains that were previo #### Verification After Resolution 1. **Test authentication:** - - Access GroupID Admin Center login page + - Access Directory Manager Admin Center login page - Attempt to authenticate - Verify successful login From f826e017c633d163a31c26e7c4b03309461e0caf Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 15 Apr 2026 07:43:21 +0000 Subject: [PATCH 06/10] fix(vale): auto-fix substitutions and removals --- .../11.1/install/upgrade/upgrade.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index 466938805c..4b455f04be 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md 
@@ -39,7 +39,7 @@ Before proceeding with the upgrade, verify that all SSL/TLS certificates used fo 2. **Check certificate validity:** - Double-click each certificate - Verify "Valid from" and "Valid to" dates - - Ensure certificates are not expired + - Ensure certificates aren't expired ![2-1-check_certificate_validity](/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp) 3. **Verify certificate chain:** @@ -81,7 +81,7 @@ can choose to upgrade all or selective data of the previous version. Options are ![3-select_modules-custom](/images/directorymanager/11.1/install/upgrade/3-select_modules-custom.webp) :::note - If later on, you wish to upgrade specific groups and their history via the Upgrade-Group + If later on, you want to upgrade specific groups and their history via the Upgrade-Group commandlet, then you must upgrade the Configuration and History in the first upgrade run. This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it to Elasticsearch. Later on, when you upgrade specific groups and their history using the @@ -150,8 +150,8 @@ messaging providers. ::: - The wizard does not create a separate identity store for each child domain in the same forest. - In case it cannot determine a forest structure, it creates separate identity stores for each + The wizard doesn't create a separate identity store for each child domain in the same forest. + In case it can't determine a forest structure, it creates separate identity stores for each domain. Step 10 – For Synchronize jobs that use Office 365 as messaging provider in Directory Manager 10, 
@@ -178,7 +178,7 @@ for that domain exists or not. - If an identity store for that domain exists or if it being created for a Synchronize job in this upgrade process, Directory Manager will bind the reports to it. -- If an identity store for that domain does not exist, then you have to create an identity store for +- If an identity store for that domain doesn't exist, then you have to create an identity store for it. It must essentially be an Active Directory identity store. The wizard will bind the reports generated in Directory Manager 10 to the identity store, so you will be able to view them in Directory Manager 11.1. @@ -196,7 +196,7 @@ directory provider, it will automatically move the schedule to the respective id :::tip Remember, during upgrade, identity stores are created for destination directory providers of -Synchronize jobs (i.e., for providers that do not have an identity store in the source version). +Synchronize jobs (i.e., for providers that don't have an identity store in the source version). ::: @@ -221,8 +221,8 @@ This page displays a complete summary of the data to be copied/upgraded for your These options were selected on the Select modules to upgrade page.. :::note -If there are any disabled identity store(s) in the source Directory Manager version, Directory -Manager will not upgrade those identity store(s). However, data of those identity store(s) will +If there are any disabled identity stores in the source Directory Manager version, Directory +Manager will not upgrade those identity stores. However, data of those identity stores will remain intact in the source Directory Manager version. ::: From f6e4e044122a8d68a3d54ee684f1c230ab58533d Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 07:44:07 +0000 Subject: [PATCH 07/10] fix(vale): auto-fix rewrites (AI-assisted) --- docs/directorymanager/11.1/install/upgrade/upgrade.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index 4b455f04be..84914ae4c0 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md @@ -8,8 +8,6 @@ sidebar_position: 10 The topic guides you to upgrade to Directory Manager 11.1 from Directory Manager 10. -Follow the steps to upgrade. - Step 1 – To launch the Upgrade wizard, click **Next** on the GroupID Successfully Configured page of the Configuration Tool. @@ -91,7 +89,7 @@ can choose to upgrade all or selective data of the previous version. Options are ::: - If you want to upgrade configurations, history and all groups using the Directory Manager + If you want to upgrade configurations, history, and all groups using the Directory Manager Upgrade wizard , then you must select the Configurations, History, and Groups checkboxes. Step 5 – Click **Next**. From ca80f82544d3d69e8c9b5c8cd2861c4b31377b38 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 07:47:35 +0000 Subject: [PATCH 08/10] fix(dale): auto-fix documentation issues (AI-assisted) Co-Authored-By: Claude Sonnet 4.6 --- .../11.1/install/upgrade/upgrade.md | 16 ++++++++-------- .../11.1/requirements/sslcertificate.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index 84914ae4c0..f9b35d6805 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md 
@@ -48,7 +48,7 @@ Before proceeding with the upgrade, verify that all SSL/TLS certificates used fo :::warning - Connections using self-signed certificates NOT in the Trusted Root CA store will FAIL after upgrade -- Authentication and LDAP operations will be blocked if certificates are invalid +- Invalid certificates will block authentication and LDAP operations ::: **If any certificates are missing or invalid:** @@ -79,10 +79,10 @@ can choose to upgrade all or selective data of the previous version. Options are ![3-select_modules-custom](/images/directorymanager/11.1/install/upgrade/3-select_modules-custom.webp) :::note - If later on, you want to upgrade specific groups and their history via the Upgrade-Group + If you later want to upgrade specific groups and their history via the Upgrade-Group commandlet, then you must upgrade the Configuration and History in the first upgrade run. This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it - to Elasticsearch. Later on, when you upgrade specific groups and their history using the + to Elasticsearch. Later, when you upgrade specific groups and their history using the Upgrade-Group commandlet, that will be done successfully. See the [Upgrade-Group](/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md) commandlet for additional information. 
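Review bot: in the `:::note` touched by the `@@ -79,10 +79,10 @@` hunk, the unchanged sentence `This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it to Elasticsearch` mixes tenses, and the closing `that will be done successfully` is still passive, which the other hunks in this commit convert to active voice. Suggest `This upgrades the history in the database to the Directory Manager 11.1 format and replicates it to Elasticsearch`, and ending the note with `the upgrade succeeds`.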
@@ -132,7 +132,7 @@ connect to different child domains in a forest with different service accounts a messaging providers. - If an identity store already exists in Directory Manager 10 for the destination domains that the - jobs connect to, then jobs are moved to the respective identity stores in Directory Manager 11.1. + jobs connect to, the Upgrade wizard moves the jobs to the respective identity stores in Directory Manager 11.1. - When there is no identity store in Directory Manager 10 for the destination domain that the jobs connect to, the Upgrade wizard reads the FQDN of the destination domains used in the jobs and tries to create a forest structure. On identifying one, it proceeds to create an identity store @@ -188,12 +188,12 @@ will not be displayed. ::: -Step 13 – During upgrade, Synchronize schedules are also moved to identity stores. +Step 13 – During upgrade, the Upgrade wizard also moves Synchronize schedules to identity stores. The Upgrade wizard will check the jobs added to a schedule. If the destination in a job is a directory provider, it will automatically move the schedule to the respective identity store. :::tip -Remember, during upgrade, identity stores are created for destination directory providers of +Remember, during upgrade, the Upgrade wizard creates identity stores for destination directory providers of Synchronize jobs (i.e., for providers that don't have an identity store in the source version). ::: 
@@ -229,8 +229,8 @@ Step 15 – Review the summary and click **Next**. ![Upgrade Progress page](/images/directorymanager/11.1/install/upgrade/6-upgrade_process_complete.webp) -Directory Manager is upgraded while the Upgrade Process displays the upgrade progress. On successful -upgrade, the Upgradce Completed message above the progress bar is displayed. +The Upgrade Process upgrades Directory Manager while displaying the upgrade progress. On successful +upgrade, Directory Manager displays the Upgrade Completed message above the progress bar. Step 16 – Click **Next**. diff --git a/docs/directorymanager/11.1/requirements/sslcertificate.md b/docs/directorymanager/11.1/requirements/sslcertificate.md index a90cee644a..222ae8e64f 100644 --- a/docs/directorymanager/11.1/requirements/sslcertificate.md +++ b/docs/directorymanager/11.1/requirements/sslcertificate.md @@ -16,7 +16,7 @@ LDAP and authentication services meet the following requirements: - Access via: `certlm.msc` → Trusted Root Certification Authorities → Certificates #### Certificate Validity Requirements -Certificates are validated against these criteria: +Directory Manager validates certificates against these criteria: 1. **Certificate must not be null** - A valid certificate must be presented 2. **Certificate must be within validity period** From 27e47269900b86b19596c2abf5748dcd0c3504bc Mon Sep 17 00:00:00 2001 
From: hilram7 <212961752+hilram7@users.noreply.github.com> Date: Tue, 5 May 2026 16:56:58 -0400 Subject: [PATCH 09/10] fix: review fixes for ssl_certificate_connection_failures KB article (directorymanager) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Promoted title from H3 to H1; restructured all section headings from H4 to H2 - Renamed "Root Cause" to "Cause" and "Resolution Steps" to "Resolution" per KB structure - Folded Diagnostic Steps and Verification after Resolution into ## Resolution as H3 subsections - Added kb tag to frontmatter - Expanded keywords from 2 to 12 - Fixed sidebar_label to match title - Rewrote description for clarity and SEO - Fixed passive voice on line 32 - Fixed contraction on line 49 - Fixed product name on first use (Netwrix Directory Manager Admin Center) - Fixed typo: "system trust mod" → "system trust store" - Added Symptom intro sentence - Added ending punctuation to complete-sentence bullets in Resolution section - Formatted UI field names as bold; replaced double quotes - Replaced → with > in navigation paths - Clarified restart step to indicate choose one option Reviewed with Vale, Dale, and Derek. Tested locally via npm run start. --- .../ssl_certificate_connection_failures.md | 127 ++++++++++-------- 1 file changed, 73 insertions(+), 54 deletions(-) diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md index 71f56b0faa..9fa0bbee72 100644 --- a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md 
@@ -1,64 +1,83 @@ --- description: >- - This article addresses the issues of SSL Certificate due to expired or revoked certificate, incorrect location. + Resolves SSL/TLS certificate validation failures in Netwrix Directory Manager + Admin Center after an upgrade, including expired, revoked, self-signed, and + incomplete-chain certificate scenarios. keywords: - SSL Certificate - certificate is invalid -sidebar_label: SSL Certificate Issue + - TLS certificate validation + - SSL connection failure + - expired certificate + - self-signed certificate + - certificate chain + - Trusted Root CA + - Directory Manager + - X509Certificate2 + - SslPolicyErrors + - certificate revocation +sidebar_label: SSL Certificate Connection Failures tags: - troubleshooting-and-errors + - kb title: "SSL Certificate Connection Failures" knowledge_article_id: kA0Qk000000XXXXKAA products: - directorymanager --- -### SSL Certificate Connection Failures +# SSL Certificate Connection Failures -#### Symptom -- Authentication failures when accessing Directory Manager Admin Center +## Symptom + +One or more of the following symptoms may be present in your environment: + +- Authentication failures when accessing Netwrix Directory Manager Admin Center - LDAP connection errors - "The remote certificate is invalid" errors - HTTP 401 Unauthorized responses - Service fails to start or authenticate users -#### Root Cause +## Cause + The upgraded version implements strict SSL/TLS certificate validation that enforces: - Certificate validity period checking -- Certificate chain validation with system trust mod +- Certificate chain validation with system trust store - Root certificate must exist in Trusted Root CA store - Online revocation checking -Self-signed certificates or certificates with incomplete chains that were previously accepted might now fail validation. +The upgrade may reject self-signed certificates or certificates with incomplete chains that the previous version accepted. 
+ +## Resolution -#### Diagnostic Steps +### Diagnostic Steps 1. **Check Application Logs:** - - Review Directory Manager Admin Center logs for SSL/certificate errors - - Look for exceptions related to `X509Certificate2` or `SslPolicyErrors` + - Review Directory Manager Admin Center logs for SSL/certificate errors. + - Look for exceptions related to `X509Certificate2` or `SslPolicyErrors`. 2. **Verify Certificate Installation:** ``` certlm.msc ``` - - Navigate to: **Trusted Root Certification Authorities** → **Certificates** - - Confirm the certificate is present + - Navigate to: **Trusted Root Certification Authorities** > **Certificates**. + - Confirm the certificate is present. 3. **Check Certificate Validity:** - - Double-click the certificate - - Verify it's not expired (check "Valid from" and "Valid to" dates) - - Check "Certificate Status" - should show "This certificate is OK" + - Double-click the certificate. + - Verify it is not expired (check **Valid from** and **Valid to** dates). + - Check **Certificate Status** — should show **This certificate is OK**. 4. **Verify Certificate Chain:** - - In certificate properties, go to **Certification Path** tab - - All certificates in the chain should show as valid - - No red X marks should appear + - In certificate properties, go to the **Certification Path** tab. + - All certificates in the chain should show as valid. + - No red X marks should appear. 5. **Test Certificate Thumbprint:** - - Note the certificate thumbprint from certificate details - - Verify it matches the expected certificate + - Note the certificate thumbprint from certificate details. + - Verify it matches the expected certificate. -#### Resolution Steps +### Resolution Steps **For Self-Signed Certificates:** 
@@ -66,54 +85,54 @@ Self-signed certificates or certificates with incomplete chains that were previo ``` certlm.msc ``` - - Navigate to: **Trusted Root Certification Authorities** → **Certificates** - - Right-click **Certificates** → **All Tasks** → **Import** - - Select your certificate file - - Complete the import wizard + - Navigate to: **Trusted Root Certification Authorities** > **Certificates**. + - Right-click **Certificates** > **All Tasks** > **Import**. + - Select your certificate file. + - Complete the import wizard. 2. **Verify installation:** - - Confirm certificate appears in Trusted Root CA store - - Check thumbprint matches expected value + - Confirm certificate appears in Trusted Root CA store. + - Check thumbprint matches expected value. -3. **Restart services:** - - Restart IIS Application Pool (if using IIS) - - Or restart Directory Manager Admin Center service - - Or restart the web application +3. **Restart services** — restart whichever applies to your environment: + - IIS Application Pool (if using IIS) + - Directory Manager Admin Center service + - The web application **For Expired Certificates:** -1. Obtain new certificate with valid dates -2. Install new certificate in Trusted Root CA store -3. Update service configuration to use new certificate -4. Remove old expired certificate from store -5. Restart services +1. Obtain new certificate with valid dates. +2. Install new certificate in Trusted Root CA store. +3. Update service configuration to use new certificate. +4. Remove old expired certificate from store. +5. Restart services. **For Revoked Certificates:** -1. Obtain new non-revoked certificate -2. Install in Trusted Root CA store -3. Update configuration -4. Restart services +1. Obtain new non-revoked certificate. +2. Install in Trusted Root CA store. +3. Update configuration. +4. Restart services. **For Incomplete Certificate Chains:** -1. Obtain all intermediate certificates -2. 
Install intermediate certificates in Intermediate Certification Authorities store -3. Ensure root certificate is in Trusted Root CA store -4. Verify chain builds correctly -5. Restart services +1. Obtain all intermediate certificates. +2. Install intermediate certificates in Intermediate Certification Authorities store. +3. Ensure root certificate is in Trusted Root CA store. +4. Verify chain builds correctly. +5. Restart services. -#### Verification After Resolution +### Verification after Resolution 1. **Test authentication:** - - Access Directory Manager Admin Center login page - - Attempt to authenticate - - Verify successful login + - Access Directory Manager Admin Center login page. + - Attempt to authenticate. + - Verify successful login. 2. **Check logs:** - - Confirm no SSL/certificate errors - - Verify successful LDAP connections + - Confirm no SSL/certificate errors. + - Verify successful LDAP connections. 3. **Monitor services:** - - Ensure services remain running - - Check for any recurring certificate errors \ No newline at end of file + - Ensure services remain running. + - Check for any recurring certificate errors. From 929d8a6ae42aef1b94819d1151b13e426c3ad55c Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Tue, 5 May 2026 21:02:52 +0000 Subject: [PATCH 10/10] fix(vale): auto-fix style issues (Vale + Dale) --- .../11.1/install/upgrade/upgrade.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index f9b35d6805..80ce3c6bbe 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md 
@@ -153,8 +153,8 @@ messaging providers. domain. Step 10 – For Synchronize jobs that use Office 365 as messaging provider in Directory Manager 10, -the wizard would require you to provide the PFX certificate. All Synchronize jobs that use Office -365 as messaging provider will be listed on the wizard page. Expand each job and provide the PFX +the wizard would require you to provide the PFX certificate. The wizard page lists all Synchronize jobs that use Office +365 as messaging provider. Expand each job and provide the PFX certificate along with its password. ![Upgrade wizard Synchronize Messaging System page](/images/directorymanager/11.1/install/upgrade/entraidsynmessagingsystem.webp) @@ -170,12 +170,12 @@ Provide the following information: Step 11 – Click **Next**. -Step 12 – In Directory Manager 10 and earlier versions, reports were generated for the domain that -the Directory Manager server was joined to. During upgrade, the wizard checks if an identity store -for that domain exists or not. +Step 12 – In Directory Manager 10 and earlier versions, Directory Manager generated reports for the domain that +the Directory Manager server was joined to. During upgrade, the wizard checks whether an identity store +for that domain exists. -- If an identity store for that domain exists or if it being created for a Synchronize job in this - upgrade process, Directory Manager will bind the reports to it. +- If an identity store for that domain exists or if the upgrade process is creating one for a Synchronize job in this + upgrade, Directory Manager will bind the reports to it. - If an identity store for that domain doesn't exist, then you have to create an identity store for it. It must essentially be an Active Directory identity store. The wizard will bind the reports generated in Directory Manager 10 to the identity store, so you will be able to view them in
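Review bot: In the `@@ -48,7 +48,7 @@` hunk of upgrade.md, the rewritten warning bullet "Invalid certificates will block authentication and LDAP operations" makes the certificate the actor and leaves "invalid" undefined at the point where the reader has to decide whether to stop the upgrade. The validation added in 11.1 is what blocks the connection, and the criteria are the ones listed under "Certificate Validity Requirements" in requirements/sslcertificate.md. Suggest wording such as "Directory Manager 11.1 blocks authentication and LDAP operations when a certificate fails validation" and linking that requirements page from the warning.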
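Review bot: In the `@@ -229,8 +229,8 @@` hunk of upgrade.md, the active-voice rewrite names the wrong actors. "The Upgrade Process upgrades Directory Manager" turns a wizard page into the subject, and "Directory Manager displays the Upgrade Completed message" attributes the message to the product being upgraded, while the other hunks in this series consistently make the Upgrade wizard the actor. Suggest "The Upgrade wizard upgrades Directory Manager and shows the progress on the Upgrade Process page. On successful upgrade, the wizard displays the Upgrade Completed message above the progress bar."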
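Review bot: In the `@@ -1,64 +1,83 @@` hunk of ssl_certificate_connection_failures.md, the Cause section lists "Online revocation checking" as enforced, but none of the five Diagnostic Steps looks at revocation at all. A server that cannot reach the CRL or OCSP location named in the certificate can fail an online revocation check even though the certificate itself is good, so a reader following these steps would see "This certificate is OK" in the dialog and still have failing connections. Suggest adding a diagnostic step that confirms the revocation endpoints are reachable from the Directory Manager server, matching the "Verify no revocation errors" bullet already present in the upgrade guide. Separately, the front matter still carries `knowledge_article_id: kA0Qk000000XXXXKAA`, which reads like a placeholder and should be replaced with the real article ID before merge.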
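Review bot: In the `@@ -66,54 +85,54 @@` hunk, step 2 of "For Expired Certificates" ("Install new certificate in Trusted Root CA store") and step 2 of "For Revoked Certificates" ("Install in Trusted Root CA store") send every replacement certificate to the Trusted Root store, which is only correct for the self-signed case. For a CA-issued certificate, only the issuing root belongs in Trusted Root and intermediates belong in Intermediate Certification Authorities, as the "For Incomplete Certificate Chains" list in this same hunk already says; putting leaf certificates in Trusted Root widens what the machine trusts without being needed for chain building. Suggest splitting these steps by certificate type. In the self-signed list, the thumbprint check also sits in step 2, after the import; it should come before the import, because importing into Trusted Root is the action that grants trust. Minor: the heading "### Resolution Steps" now sits directly under "## Resolution", although the commit message says that heading was renamed.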
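Review bot: In the `@@ -153,8 +153,8 @@` hunk of upgrade.md, Step 10 still opens with the conditional "the wizard would require you to provide the PFX certificate" while the rewritten sentence after it is in plain present tense. Suggest "the wizard requires you to provide the PFX certificate". The auto-fix also left the changed lines well past the wrap width used by the surrounding paragraph, so a re-wrap would keep later diffs on this step readable.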
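Review bot: In the `@@ -170,12 +170,12 @@` hunk of upgrade.md, the first bullet under Step 12 now repeats itself: "if the upgrade process is creating one for a Synchronize job in this upgrade". The original "in this upgrade process" was split and duplicated by the auto-fix. Suggest "If an identity store for that domain exists, or if the wizard is creating one for a Synchronize job during this upgrade, Directory Manager will bind the reports to it." That also keeps the wizard as the actor, as in Steps 10 and 13.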