ISE 1.3 public wildcard cert

Is it a good idea and common practice to just use a public CA for a wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices?
Is it OK then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
Or should we have a separate internal wildcard cert just for EAP-TLS? In this case, will ISE 1.3 allow me to have two wildcard certs with the same SAN (*.domain.com), one public, the other internal? The public one would apply to the web portals, and the internal one would apply to EAP-TLS.

Hi Trevor-
The use of a wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error.
However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
I hope this helps!
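The rule a client applies when it matches a wildcard name on the server certificate against the FQDN it connected to, as an added example in Python (not code from this thread or from ISE), together with the portal/EAP split the reply above describes. The node names such as ise-pan.domain.com are constructed for illustration, and the matcher also shows the *.example.com cases the CSS reply further down spells out.

```python
# Added example, not code from the thread or from ISE: how a client matches a
# wildcard name on a server certificate against the FQDN it connected to
# (RFC 6125 section 6.4.3), plus the portal/EAP split from the reply above.
# Node names such as ise-pan.domain.com are constructed for illustration.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    - labels are compared case-insensitively and must be equal in number,
      so *.domain.com never covers domain.com or a.b.domain.com;
    - '*' is honoured only when it is the entire left-most label
      (ise*.domain.com is treated as a literal and matches nothing);
    - a wildcard directly under a TLD (*.com) is refused, as browsers do.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if "*" not in first:
        return p_labels == h_labels
    if first != "*" or len(rest) < 2:
        return False
    return rest == h_labels[1:]


def is_wildcard(names) -> bool:
    """True if any CN/SAN entry on the cert is a wildcard name."""
    return any(n.startswith("*.") for n in names)


def cert_coverage(names, hostnames) -> dict:
    """Map each deployment hostname to whether the cert's names cover it."""
    return {h: any(wildcard_matches(n, h) for n in names) for h in hostnames}


def recommended_roles(names) -> dict:
    """Portal (HTTPS) use is fine for a wildcard; EAP should get a
    non-wildcard cert, since Windows and other supplicants reject wildcards
    when building the EAP tunnel (the point made in the reply above)."""
    return {"portal": True, "eap": not is_wildcard(names)}


if __name__ == "__main__":
    public_cert = ["*.domain.com"]                 # constructed public wildcard
    nodes = ["ise-pan.domain.com", "ise-psn1.domain.com",
             "psn2.site1.domain.com", "domain.com"]
    for host, ok in cert_coverage(public_cert, nodes).items():
        print(f"{host:28s} covered={ok}")
    print("roles for wildcard cert:", recommended_roles(public_cert))
    print("roles for per-node cert:", recommended_roles(["ise-psn1.domain.com"]))
```

Note that a node in a sub-zone (psn2.site1.domain.com) is not covered by *.domain.com, which is the usual reason a deployment ends up needing more than one certificate.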
Thank you for rating helpful posts! 

Similar Messages

  • ISE 1.2 and WildCard Cert

    hello,
I've found a great post from Aaron Woland about how to make/install/use a wildcard certificate.
    http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
    but there is something that was not answered by his post.
Can I use a wildcard cert to register a node to an ISE deployment? I.e., adding a Monitor-only node to an Admin-only node:
create CSR, receive cert from CA, add CA root, bind cert to CA root, then export key, then import on Mon node, then try to register Mon node? My first test didn't go well.
    Any input would be appreciated

    Basant,
I agree with what you are saying, but it seems that your statement contradicts the write-up in the Cisco user guide for 1.2: there are no limitations, and one of the benefits stated by the doc is that you can use wildcard certs as a cost-saving measure, which will allow you to install the cert on all ISE nodes.
    I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
Also, the true benefit of a wildcard cert is where the CN is *.domain.com; you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com. I do not think that is a cost-effective wildcard cert, since the CN has the FQDN of the ISE node.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
    Tarik Admani
    *Please rate helpful posts*

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
When it came to testing the client auth, as always I start off with the PEAP setting "Validate server certificate" off, just to confirm the WLC and ISE are playing ball. They were; the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate, which is odd as it just accepted it.
If I untick validate, the client passes; if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later, but some clients need a reboot to fix it. As a rule I put this down to a client issue, but not 100% sure sometimes.

  • Installing wildcard cert on ISE for HTTP/EAP

I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...
    Any assistance would be greatly appreciated

    If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:
    1. Go to Administration > Certificates > Local Certificates >  Add > Import Server Certificate
    2. Use the "browse" buttons to point to the certificate file and private key
    3. Check "Allow Wildcard Certificates"
    4. Select the protocol that you want to use it for (EAP or HTTPS or both)
    5. Hit submit
    6. Go to Certificates Store
    7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
    Thank you for rating helpful posts!

  • Federation with wildcard cert

    Hi,
    We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
    I use a wildcard cert for one of the domains for the Edge and reverse proxy.
    It works fine to connect from outside etc. But federation is not working.
In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put the address sip.domain2.com as hostname, but it's actually pointing to an address that has the wildcard cert for *.mydomain1.com.
    Is there some way to make this work without buying many certs?

    Hi,
It is not supported to use a wildcard certificate for the Edge Server external interface. You need a public SAN certificate to support federation. You can use a wildcard certificate for the Reverse Proxy.
For the other server roles for which a wildcard certificate can be used in a Lync Server environment, you can refer to the link below:
    https://technet.microsoft.com/en-us/library/hh202161.aspx
    Best Regards,
    Eason Huang  
    TechNet Community Support

  • Help! GoDaddy Wildcard Cert

    My organization has finally purchased a wildcard cert from GoDaddy to use on our servers across the board due to how newer browsers are being more vocal about using self signed certs.
In going through the process of getting the cert issued I keep getting my CSR rejected by GoDaddy, even when following the instructions on what GoDaddy wants and how to create the CSR. Since I've only really used self-signed certs to this point I'm not 100% sure if I am doing things correctly, especially given that I'm kind of making some assumptions as my CSR export instructions are a little dated. Are there updated instructions for creating the CSR in a format that GoDaddy will like?
    Thanks!

For creation these are helpful:
http://www.digicert.com/csr-creation...consoleone.htm
http://nl.globalsign.com/en/support/.../generate+csr/
Example of a "subject name": .CN=*.domain.com.OU=IT.O=Name of your Organization.L=City.S=State.C=US
You did NOT follow the proper steps to import the certificate (I know it from experience).
Your only option now is to restore the certificate object that was used for the CSR from a good backup into eDirectory (I hope you have it...) and then do the following (exactly):
http://www.digicert.com/ssl-certific...consoleone.htm
Once done you can create a new certificate for each NW server & replace the public & private key with the GoDaddy & your wildcard & point each instance of Apache to such a certificate.
The setup works beautifully; I have been using it for over 5 years now.
As you can export a .pfx from the certificate object with the use of openssl, you can use it just about anywhere else (but not in APC UPS devices!)
Seb
    "marklar23" <[email protected]> wrote in message
    news:[email protected]...
    >
    > I made the CSR from NetWare. It looks like the last time that I tried
    > yesterday did take, I had to change the order of the CN and O in the
    > cert string. Now after I imported the certificate and try to validate
    > it, I get Invalid with Certificate Revocation List Invalid. Any
    > suggestions?
    >
    > AndersG;2014252 Wrote:
    >> Marklar23,
    >> > In going through the process of getting the cert issued I keep
    >> getting
    >> > my CSR rejected by GoDaddy by following the instructions from what
    >> > GoDaddy wants and how to create the CSR.
    >> >
>> And do they say what is wrong with it? Also: Is this NetWare or Linux?
    >>
    >> - Anders Gustafsson (Sysop)
    >> The Aaland Islands (N60 E20)
    >>
    >>
    >> Novell has a new enhancement request system,
    >> or what is now known as the requirement portal.
    >> If customers would like to give input in the upcoming
    >> releases of Novell products then they should go to
    >> http://www.novell.com/rms
    >
    >
    > --
    > marklar23
    > ------------------------------------------------------------------------
    > marklar23's Profile: http://forums.novell.com/member.php?userid=5123
    > View this thread: http://forums.novell.com/showthread.php?t=419035
    >

  • CSS11506 - Wildcard cert ??

We have a need to terminate multiple SSL websites on our CSS, so name1.test.com, name2.test.com, name3.test.com etc. The problem I have found is that I need to burn 1 public VIP per SSL connection b/c they all need to use tcp 443 inbound and point to their respective cert on the CSS. Is there any way to possibly generate a wildcard cert that matches only the last part of our domain name (events.test.com = *.test.com) and then get away with using only 1 VIP for the multiple subdomains?
    Thanks for your help.
    Cheers
    Dave

CSS can use a wildcard certificate just as it uses typical server certificates.
If you are using the CSS to create the CSR, you would use a wildcard common name.
A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
    Syed

  • Does Convergence + messaging server 6.3 support wildcard cert ?

    Hi all,
We plan to purchase a wildcard cert to support our Convergence & Messaging Server SSL connections.
From the messaging guide provided, it states we need to generate an individual private key & send it to the vendor to verify.
What if we are using a wildcard cert? Does it work in this case?
    Cheer
    ubd

ubd wrote:
> So means I generate 1 wildcard cert, then apply to all other server SSL connections, or I need to generate individually?
To use the same CA-signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
    http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
    http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
    Regards,
    Shane.

  • Ironport email appliance : can i use a wildcard cert for TLS ?

    Hi all,
We have 2 IronPort C170 email appliances. I would like to use a wildcard SSL cert from DigiCert for TLS communication. I have 2 questions about it:
1/ Is it possible to use a wildcard certificate on IronPort?
2/ Are there any known problems with wildcard certificates for TLS use?
I found 2 (old) posts about that:
https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
Does anyone have experience with it?
    Thanks.

    My experience is that it works fine.
    If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
e.g. something like this:
    mx domain1.com  smtp.domain2.com
    mx domain2.com  smtp.domain2.com
    a smtp.domain2.com  x.x.x.x

  • Wildcard Cert

    Sun Java(tm) System Messaging Server 7.3-11.01 64bit (built Sep 1 2009)
    libimta.so 7.3-11.01 64bit (built 19:44:36, Sep 1 2009)
    Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
    SunOS wpg-com1 5.10 Generic_141445-09 i86pc i386 i86pc
    I have a wildcard cert that was generated for apache. How can I add this to COMs.

shjorth wrote:
> karl.rossing wrote:
> > I have a wildcard cert that was generated for apache. How can I add this to COMs.
> The following URL may help (section prior to pull-config):
> http://blogs.sun.com/nsegura/entry/migrating
> Regards,
> Shane.
Thanks! That helped a lot.
I was able to run openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS" and then msgcert import-cert server.pk12
This would be useful information on http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication . Should I add it myself?

  • Wildcard cert on WLC 4404 running 5.2

    Hi all
    I have a WLC with a cert on at the moment, it runs out in a few weeks.
    I want to replace the current cert with a wildcard cert.
    Will this be OK ?
    is it a cas     

    Hi,
As per my experience: yes, it is supported.
However, it seems there is still a problem with wildcard certificates if they are chained.
Check these links:
http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
Third-party cert:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Regards
Don't forget to rate helpful posts

  • Importing Wildcard Cert into Messaging Server and Comms Express???

    Hi all, does anyone know how I can import a wildcard certificate, private key, & CA cert into Messaging Server 6.3 and Comms Express 6.3?
    We have 3 files from DigiCert that I think need to be imported:
    1) A wildcard cert from DigiCert
    2) The DigiCert CA cert
    3) The private key
    Thanks in advance,
    Stewart

Hi, we are upgrading from iMS5.2 to SJMS6.3 later this year, but in the meantime I'm trying to work out how to import the wildcard certs, key, etc. from DigiCert into our current iMS5.2. I've heard it can be done.
    We're currently using a cert from Verisign in our iMS5.2 environment.
    Stewart

  • Importing Wildcard Cert into Web Server???

    Hi all, does anyone know how I can import a wildcard certificate, private key, & CA cert into the Sun Java Web Server ?
We have a wildcard certificate from DigiCert that I want to import into the web server. There are 3 files in total:
    The files are:
    1) The wildcard cert
    2) The DigiCert CA cert
    3) The private key
    I've been playing around with tools like certutil, pk12util, and the web server admin GUI but so far no success.
    Thanks in advance,
    Stewart

    The private key and cert files are in PEM format. The two certs were supplied to us by DigiCert. We are currently using these files with Apache without any problems.
    Now we want to use them with the Sun Java web server.
I think I've successfully imported them as shown below:
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -L
    DigiCert Global CA - Entrust.net CT,,
    my-wildcard u,u,u
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -K
    <0> my-wildcard
    In the web server admin gui, however, no certs are displayed.
    Stewart

  • 7925g plus EAP-TLS plus wildcard cert

    Hi folks,
     Has anyone managed to put a wildcard cert on a 7925G (or 9971) to use for client authentication with EAP-TLS?  It seems like one is forced to use the MIC or a cert from a csr generated by the phone... but I'd really rather not keep track of a zillion certs.
    Thanks for any help.

    Hi,
Have you read the info from the deployment guide (page 72 - install certificates) already?
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

  • Exchange Public CA cert is disappearing after it completes installation

    Hi,
    I am attempting to add a public wildcard certificate on our exchange server and each time that I complete a pending request the job completes and as soon as I click finish the certificate disappears. 
    Any attempts to re-add via the shell tell me that the certificate already exists, but the certificate does not show in the EMC.
    I am attempting to add this to an Exchange 2010 SP1 rollup 4 server.
    Any help would be appreciated as it is driving me a little nuts.
    Thanks
    Mike

    If you do a Get-ExchangeCertificate from PowerShell can you see it? Does it show up in the Certificate Store of the server?
    Program Manager, Exchange Customer Advisory Team
    MCSA 2000/2003
    MCTS: Win Server 2008 AD, Configuration MCTS: Win Server 2008 Network Infrastructure, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
