MARRIOTT ENROLLMENT SERVER FOR WEB
Marriott Enrollment Server for Web
User Guide V1.6 10/17/2017
Table of Contents
Overview
  Introduction
  High Level Steps: What to Expect
Prerequisites
  Administrative Access
  RNACs
  Supported Browsers
Downloading using Internet Explorer
  SSL Browser Certificate Request – IE
  SSL PKCS#10 Certificate Request - IE
Downloading using Firefox
  SSL Browser Certificate Request – Using Firefox
  SSL PKCS#10 Certificate Request - Using Firefox
Downloading CA Signer Certificates
  Download Subordinate CA Certificate
Exporting Certificates via Internet Explorer
Exporting Certificates via Firefox
Troubleshooting FAQ
Common SSL Conversion Commands
  Convert PFX/P12 to PEM
  Convert PEM to DER
  Import P12 into JKS using Keytool
Overview
Introduction
This document was created to help guide users through the ESWEB site with respect
to activating, downloading and exporting unmanaged certificates issued by a Marriott
CA.
High Level Steps: What to Expect
1. REQUEST CERTIFICATE FROM REQUEST CENTER - You must have first
requested the certificate to be created using our PKI RC service. If you have not
done that yet, please do so by clicking this link:
https://extranet.marriott.com/sdm/RequestCenter/myservices/navigate.do?query=serviceid&sid=302&
2. RETRIEVE RNACs FROM REQUEST CENTER - Once your PKI RC request has
been submitted, approved and completed, the PKI Admin will enter the RNACs
into your request and close the ticket. A completion email will be sent to the
requestor that will instruct the requestor to log back into the original ticket to
gather the RNACs.
3. CHOOSE CORRECT ESWEB SITE - With RNACs now in hand, you will go to one
of the websites below to download and activate your MI signed certificate.
IMPORTANT NOTES:
- It’s important to use the correct website, as using the wrong one will result in
an error.
- You must use either the Internet Explorer or the Firefox browser when accessing
these sites.
- You must ensure that you are NOT using a terminal server browser session.
- Lastly, you must ensure that you are logged into the session with an ID which
can write to the user keystore.
a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1
certificates issued by MarriottDevSubCA1
b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1
c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all PRODUCTION SHA1 certificates issued by MarriottSubCA1
4. CHOOSE CORRECT DOWNLOAD PATH - Once the correct site is chosen, you
have two options for certificate download and activation:
a. SSL Browser link – this link is used when no CSR is required and will
download the certificate directly to the user/browser keystore.
b. SSL PKCS10 link – this link is used when you are submitting a CSR to be
signed. This produces a .bin file that can then be downloaded and saved.
5. EXPORT AND/OR COPY BIN FILE TO SERVER
a. If you chose SSL Browser in step #4, you will need to export the
certificate and private key out of the browser keystore. This automatically
saves the certificate in P12/PFX format.
b. If you chose SSL PKCS10 in step #4, you now have a downloaded .bin file
that can be safely renamed to .cer, .crt, or .der.
c. With either approach, should you need to convert the certificate into a
different format that your keystore supports, please use a tool such as
openssl or keytool to perform the conversions.
6. IMPORT CERTIFICATE (AND CA SIGNER CERTS) INTO YOUR KEYSTORE –
The last task is to import the certificate along with the respective Marriott Root
CA and Subordinate CA certificates into your keystore. Please follow your
vendor's recommended procedures to do so.
Prerequisites
Administrative access
The user who will be downloading the certificates must be logged into a machine
with an account that has administrative privileges on that machine.
NOTE: Please do not attempt to download certificates while logged into a Terminal Server session. The default group policies on the terminal server do NOT allow you to download certificates.
RNACs
All Marriott-issued certificates are downloaded using RNACs (Reference Number and
Authorization Codes). These are one-time-use codes that are provided by a PKI
Administrator and are valid for 30 days after issuance. Should the RNACs expire
before you have attempted to download your certificate, new RNACs will need to be
requested.
All RNACs are requested through Marriott’s Request Center PKI Certificate Request
service.
Supported Browsers
Entrust Authority Enrollment Server for Web is supported on the following Web
browsers.
• Microsoft Internet Explorer
• Mozilla® Firefox
Downloading using Internet Explorer
SSL Browser Certificate Request – IE
This section goes over how to download and activate your (Unmanaged) SSL
Browser certificate using Internet Explorer. Should you need to download a
(Unmanaged) SSL PKCS#10 certificate using Internet Explorer, please proceed to
the next section, PKCS#10 Certificate Request - IE.
Please ensure that you use the correct ESWeb site based on the environment,
otherwise your request will fail.
a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1
certificates issued by MarriottDevSubCA1
b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1
c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all PRODUCTION SHA1 certificates issued by MarriottSubCA1
Follow the steps below to activate and download your SSL certificate:
• Click Create SSL Browser Certificate (unmanaged)
• Enter your Reference number and your Authorization Code provided from
Request Center
NOTE: If you do not have the option to choose the key size in Internet Explorer,
you will have to enable Compatibility View Settings in Internet Explorer for
Marriott.com. Press ALT to bring up the toolbar and then go to Tools >
Compatibility View Settings.
• Add Marriott.com to Compatibility View.
• After you add Marriott.com to Compatibility View you will have to resubmit
the certificate request. When alerted that the browser is trying to perform a
digital certificate operation select YES
• Leave the next two fields at their default values
o CSP Type: RSA full
o CSP: Microsoft Enhanced Cryptographic Provider v1.0
• Choose Submit Request
• Choose OK
• Choose YES
• Choose YES
• “You have successfully retrieved your browser certificate into Internet
Explorer. This certificate can be used to securely identify yourself to our
web servers, and to conduct private, encrypted communication over the
internet.”
• Exit out of your browser session
SSL PKCS#10 Certificate Request - IE
This section goes over how to download and activate your (Unmanaged) SSL
PKCS#10 certificate. Should you need to download a (Unmanaged) SSL Browser
certificate, please proceed to the previous section, SSL Browser Certificate Request –
IE.
Please ensure that you use the correct ESWeb site based on the environment,
otherwise your request will fail.
a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1
certificates issued by MarriottDevSubCA1
b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1
c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all PRODUCTION SHA1 certificates issued by MarriottSubCA1
Follow the steps below to activate and download your SSL PKCS#10 SERVER
certificate. This is a two-part process.
• Part 1
• Click "Create a SSL Certificate from a PKCS#10 Request"
• Enter your Reference number and your Authorization Code
provided or noted from Request Center
• Minimize this window for now (you will need to copy the actual CSR
request into the bottom half of this screen to complete the request).
• Part 2
• Generate your CSR (Certificate Signing Request) on your web server
• NOTE: When you create your CSR, you will need to put your
REFERENCE NUMBER, given to you in Request Center, in the CN
(Common Name) field when prompted. Failure to do this will
cause the certificate download to fail.
• Once the CSR is completed, open the CSR file and copy the actual
CSR request, including the BEGIN and END lines (see below), and
paste it into the bottom half of the original request form.
It should look similar to this:
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body]
-----END CERTIFICATE REQUEST-----
• Your request should look similar to (below):
• Leave your OPTIONS set to be displayed in raw DER. Then
choose SUBMIT REQUEST to complete your activation and retrieval of
your SSL WEB SERVER certificate.
• At this point you have two options:
1. Save the .bin/.cer file and then copy it to your web server. You can then
rename the file (it can be safely renamed to .der, .cer, or .crt) and
install the certificate on your web server, and/or
2. Your certificate will be displayed on the web page in PEM format. You
can then copy this into notepad and save as .PEM then copy this to
your server to be installed.
Downloading using Firefox
SSL Browser Certificate Request – Using Firefox
This section goes over how to download and activate your (Unmanaged) SSL
Browser certificate using Firefox.
Please ensure that you use the correct ESWeb site based on the environment,
otherwise your request will fail.
a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1
certificates issued by MarriottDevSubCA1
b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1
c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all PRODUCTION SHA1 certificates issued by MarriottSubCA1
Follow the steps below to activate and download your SSL certificate:
• Click Create SSL Browser Certificate
• Enter your Reference number and your Authorization Code provided
or noted from Request Center
• Choose Submit Request
• Choose desired Key Length
• 2048 (High Grade) is the default
• Should you desire, you can choose 1024 (Medium Grade)
• Lastly, choose Submit Request
NOTE: If this is the first time you’ve downloaded certificates from this website to
your terminal server session or local profile, you will need to enter a new Software
Security Device password.
• Once you’ve entered your designated password, choose OK to continue.
Please keep this password somewhere safe but accessible.
• A Generating A Private Key window will appear temporarily
• Within the Downloading Certificate window, please check all three
boxes and then choose OK to continue.
• Choose OK below
• You will now be presented with the successful retrieval message below.
Your client certificate and the MarriottSubCA1 signer certificate are now in
your Firefox certificate/browser store.
SSL PKCS#10 Certificate Request - Using Firefox
This section goes over how to download and activate your (Unmanaged) SSL
PKCS#10 certificate using Firefox.
Please ensure that you use the correct ESWeb site based on the environment,
otherwise your request will fail.
a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1
certificates issued by MarriottDevSubCA1
b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1
c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start -
For all PRODUCTION SHA1 certificates issued by MarriottSubCA1
Follow the steps below to activate and download your SSL WEB SERVER certificate.
This is a two part process.
• Part 1
• Click "Create a SSL Certificate from a PKCS#10 Request"
• Enter your Reference number and your Authorization Code
provided or noted from Request Center
• Minimize this window for now (you will need to copy the actual CSR
request into the bottom half of this screen to complete the request).
• Part 2
• Generate your CSR (Certificate Signing Request) on your web server
• NOTE: When you create your CSR, you will need to put your
REFERENCE NUMBER, given to you in Request Center, in the CN
(Common Name) field when prompted. Failure to do this will
cause the certificate download to fail.
• Once the CSR is completed, open the CSR file and copy the actual CSR
request, including the BEGIN and END lines (see below) and paste into
the bottom half of the original request form.
It should look similar to this:
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body]
-----END CERTIFICATE REQUEST-----
• Your request should look similar to (below):
• Leave your OPTIONS set to be displayed in raw DER. Then
choose SUBMIT REQUEST.
• You will now see a screen that contains your web server certificate in PEM
format.
• At this point you have two options:
1. Copy this PEM certificate (including BEGIN and END CERTIFICATE
LINES) into notepad and save as .PEM. This can then be copied to
your server to be installed, OR
2. Choose the DOWNLOAD button
a. Choose Save File, then OK
• Your servercert.bin/servercert.cer file is now on your desktop and ready for you
to transfer to your web server
NOTE: You can safely rename to .der, .cer, or .crt then install the certificate to your
web server.
Congratulations!! You’re done…
Downloading CA Signer Certificates
Download Subordinate CA Certificate
Since our environment is set up with an online Subordinate CA with offline Root CA,
you will need to also download the Subordinate CA’s certificate. To do this, on the
left hand side of the website, under CA Certificates, click on Install SubCA x509.
NOTE: During the certificate download process, the Root CA Signer certificate
should automatically be downloaded into your browser store. If you don’t see it
there, then you can manually download it by choosing Install RootCA x509.
• Choose Open
• Choose Install Certificate
• Choose Next and Next
• Choose Finish
• Choose OK
Exporting Certificates via Internet Explorer
ONLY APPLIES TO UNMANAGED CERTIFICATES
Go to TOOLS > INTERNET OPTIONS in your Internet Explorer browser.
Select the CONTENT tab, and then CERTIFICATES.
Select the appropriate certificate, and then EXPORT.
Choose NEXT and YES, export the private key
Select Include all certificates in the certification path if possible and Enable
strong protection
Enter a password for the private key twice and choose NEXT to continue.
NOTE: Please make sure to remember this password, otherwise, you will have to
repeat the export process out of Internet Explorer again.
Type in a file name or browse to a specific directory on your system.
Confirm the information is correct, and select Finish (or Back if changes are
necessary) and select OK
Finally, a successful export message should appear.
Exporting Certificates via Firefox
ONLY APPLIES TO UNMANAGED CERTIFICATES
• Open your Firefox Browser, then go to TOOLS > OPTIONS >
ADVANCED
• Then choose VIEW CERTIFICATES to open your Certificate Manager
• Then under CERTIFICATE NAME, locate the certificate you wish to
export, highlight it, then choose BACKUP
• Then choose a file name and location to save your exported .pkcs12 file,
then choose SAVE
• You will now be prompted for the Software Security Device password
that you created in the previous step. Enter the password and choose OK
to continue.
• You will now need to assign a new password for your private key that you
are backing up or exporting. Please enter the password twice and choose
OK to continue. Please keep this password somewhere safe but
accessible as you will need this in order to IMPORT this into your
respective end key store on your server
NOTE: The password quality meter will tell you how strong your
password is. The fuller the bar, the stronger the password and less
likely it will be compromised. Therefore, please take this into
consideration when choosing a password.
• You have now successfully exported your certificate. Choose OK to exit.
Troubleshooting FAQ
Problem:
When attempting to download the certificate, you get the following error:
“The error ‘80090024’ occurred. Your certificate request could not be generated”
No key pair has been created by the CSP. Please make sure that you have the latest patches for this browser. See your administrator for details.
Please contact your administrator for details.
Reason(s):
• You are logged into a machine that does not have administrative access
• You are logged into a terminal server that does not allow certificate downloads
Solution:
• Log into a local machine with an administrator account and retry your download
Problem:
When attempting to download the certificate, you get the following error:
“CMS-API call failure. Please contact your administrator for details”
Reason(s):
• You are using the wrong ESWeb site
• You’ve entered your RNACs incorrectly
• Your RNACs have expired or have already been used
Solution:
• For production certificates, go to: https://esweb.marriott.com
• For dev, test and perf certificates, go to: https://eswebdev.marriott.com
• Confirm that your RNACs are correct (make sure there are no extra spaces
before or after the codes)
• Check to ensure your RNACs are still valid. If not, request new RNACs
Problem:
When attempting to download the certificate, you get the following error:
“An error has occurred: (-3274) Security protocol failure. Please contact your administrator for details”
Reason:
• The RNACs issued to you have become corrupted
Solution:
• Request new RNACs
Problem:
When attempting to download the certificate, you get the following error:
“An error has occurred: Invalid reference number was provided. Please contact your administrator for details”
Reason:
• The Reference Number you have entered is not valid or has already been used
Solution:
• Verify you are going to the correct URL to enroll
• Verify that your RNACs are correct
• Request new RNACs in the event your previous RNACs were already used
Problem:
When attempting to download the certificate, you observe the following scenario:
Instead of seeing a certificate in your browser keystore (client certificate)
or being prompted to save a bin/cer file (server certificate), you instead are
prompted to save a client.cgi/client.exe file.
Reason:
• You have attempted to download your certificate using an unsupported
browser.
Solution:
• Request new RNACs via the PKI Request Center service and download your
certificate using a supported browser.
Problem:
When attempting to download the certificate, you observe the following scenario:
“Server certificate request not specified or invalid. Please contact your
administrator for details”.
Reason:
• You have attempted to download your certificate using an unsupported
browser.
• You have to enable Compatibility View Settings for Marriott.com in Internet
Explorer 11
Solution:
• Request new RNACs via the PKI Request Center service and download your
certificate using a supported browser.
Problem:
When attempting to download the certificate, you observe the following scenario:
“Server certificate request not specified or invalid. Please contact your
administrator for details”.
Reason:
• You have attempted to download your certificate using an unsupported
browser.
Solution:
• You have to enable Compatibility View Settings for Marriott.com in Internet
Explorer 11
• In IE11, go to the OPTIONS menu, select F12 Developer Tools > Select
Emulation Tab (at bottom), Set Document Mode to 5, and set User Agent String
to Internet Explorer 9
Common SSL Conversion Commands
Convert PFX/P12 to PEM
Convert a PKCS#12 file (.pfx, .p12) containing a private key and certificates
to PEM:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
The -nodes option writes the private key to the output file unencrypted, so
restrict access to that file. You can add -nocerts to only output the private
key or add -nokeys to only output the certificates.
openssl pkcs12 -in keyStore.pfx -out privatekey.pem -nodes -nocerts
openssl pkcs12 -in keyStore.pfx -out cert.pem -nodes -nokeys
Convert PEM to DER
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Import P12 into JKS using Keytool
The command keytool -pkcs12 lists options to import a PKCS12 key. The keystore
password for the (*.jks) file should be the one used for the J2EE keystore. The
command for the conversion is:
keytool -pkcs12 -pkcsFile fileName -pkcsKeyStorePass password -pkcsKeyPass password -jksFile outputFileName -jksKeyStorePass password
This will result in a JKS file that has the key (the private key and the certificate
chain) in the file.
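The PKCS#10 path from Part 2 of the request sections and from step 5 of the overview, as an added example that is not part of the original guide: it creates a key and a CSR with the Reference Number in the CN, checks the CN before the request is pasted, then confirms that the returned DER file belongs to the private key and converts it to PEM. The reference number, file names, function names and the throwaway signing CA that stands in for the enrollment site are constructed so that the script runs offline.

```sh
#!/bin/sh
# Added example (not from the guide): the PKCS#10 path checked end to end, offline.
set -eu

REF_NUMBER="00000000"   # constructed placeholder for the Request Center Reference Number

# Part 2: new 2048-bit key plus a CSR whose CN is the Reference Number.
make_csr() {   # $1=key out  $2=CSR out  $3=reference number
  ( umask 077   # -nodes leaves the key unencrypted, so keep it owner-readable only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null )
}

# Print the CN of a CSR so it can be compared with the Reference Number
# before the request is pasted into the form.
csr_cn() {     # $1=CSR file
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Stand-in for the enrollment site (constructed): a throwaway CA signs the CSR
# and returns the certificate DER-encoded, like the downloaded .bin file.
fake_issue() { # $1=CSR  $2=DER certificate out  $3=CA certificate out
  d=$(dirname "$3")
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$3" 2>/dev/null
  openssl x509 -req -in "$1" -CA "$3" -CAkey "$d/ca.key" -set_serial 1 \
    -days 1 -outform der -out "$2" 2>/dev/null
}

# Succeeds only if the DER certificate carries the public key of this private key.
cert_matches_key() {  # $1=DER certificate  $2=private key
  c=$(openssl x509 -inform der -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The .bin/.cer download is raw DER; convert it when the keystore wants PEM.
der_to_pem() {  # $1=DER in  $2=PEM out
  openssl x509 -inform der -in "$1" -outform pem -out "$2"
}

demo() {
  w=$(mktemp -d)
  make_csr "$w/server.key" "$w/server.csr" "$REF_NUMBER"
  [ "$(csr_cn "$w/server.csr")" = "$REF_NUMBER" ] ||
    { echo "CSR CN is not the reference number" >&2; return 1; }
  fake_issue "$w/server.csr" "$w/servercert.bin" "$w/ca.pem"
  cert_matches_key "$w/servercert.bin" "$w/server.key" ||
    { echo "certificate does not match the private key" >&2; return 1; }
  der_to_pem "$w/servercert.bin" "$w/servercert.pem"
  openssl verify -CAfile "$w/ca.pem" "$w/servercert.pem"   # chain check against the signer
  rm -rf "$w"
}
demo
```

With a real download, skip fake_issue and pass the saved servercert.bin to cert_matches_key before installing it; for the chain check, use the Subordinate and Root CA certificates downloaded from the site in place of the constructed ca.pem.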