3rd party certificate on WiSM controllers

Hi,
On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
We have an external DNS-record which resolves the company URL to 1.1.1.1.
I see a possible solution if the internal (default) URL can be changed to https://guest.companyname.com/login.html, because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
The controllers run 7.0.230.0 software as well as the WLC.
Hope someone has the simple answer to this???

Putting 1.1.1.1 (VIP address) is a test to bypass the certificate. It is pretty simple, if you have done it a hundred times. But to start off from the basics, make sure that the user is being anchored to the guest WLC. You should see an entry for the client on the guest anchor, and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state. If you don't, then I can see why the 3rd party certificate is not working. So you should see the client on both the foreign and the anchor WLC. Make sure of this first.
Did you not restart the anchors when you put in the FQDN in the VIP?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"

Similar Messages

  • Error installing 3rd party certificate on wism

    Hi,
    Due to the expiry of our cert, we had to get a new wildcard cert.
    I made a PEM from a 3rd-party CA (issuer=/C=BE/O=GlobalSign)
    following http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
    using openssl (0.9.8zc), and installed it on the WiSM (7.0.220.0).
    It always shows "fail".
    Old.pem is from the same CA, made following http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
    It was okay to make that pem and install it, but it just expired.
    The two certs from the CA are different:
    old is sha1WithRSAEncryption
    new is sha256WithRSAEncryption
    Does anyone have an idea how to install the new pem on the WLC?
    Thanks

    Hi
    After upgrading to the newest 7.0.251:
    installing the pem ... OKAY ... reboot test okay.
    Because we use Mobility Services Engine I need to go back to 7.0.220.0.
    It shows as attached ... no Certificate desc ...
    Trying IE/Firefox shows the cert is okay!!

  • Exchange Server 2010 Edge Transport Subscription Issue while moving Internal CA Certificate to 3rd Party Certificate

    My client has an Exchange 2010 organization with a single domain, single forest.
    They were using an internal CA certificate and a TLS cert.
    We are doing a POC for an Exchange 2010 Hybrid Office 365 environment.
    For this a 3rd-party CA is mandatory, and they have bought a GeoTrust certificate.
    Now that they have installed the cert on both HUB and EDGE servers, they were prompted to do the edge subscription again.
    HUB and CAS are combined on the server at both Main and DR Site.
    When they try to do edge subscription again they are getting the following error.
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

    I was looking for the solution and found this:
    1. The certificate will be imported on both EDGE and HUB servers.
    2. Edge Sync will use the self-signed certificate (but I am unable to find how I configure this).
    3. Some communication between Edge and Hub will be encrypted via the 3rd-party certificate.
    Could anyone suggest which services on the HUB must be based on this 3rd-party cert?
    All external communication must be encrypted via the 3rd-party CA, and communication between HUB and EDGE will be set on the self-signed cert. How do I do this?
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.
    Hi,
    Please run Get-ExchangeCertificate | fl to check your Exchange certificate settings. Also confirm if the 5E470560626E313646730C177FCA66728E2BAFF7 certificate is your trusted 3rd party cert.
    Please use Enable-ExchangeCertificate cmdlet to assign SMTP service to your self-signed certificate in your Edge server.
    Regards,
    Winnie Liang
    TechNet Community Support

  • WLC5760 - CSR request for 3rd party certificate

    I need to generate a CSR request to obtain a 3rd party certificate for my WLC.
    I am not sure how I can do that. All documents available are for the WLC 4400.
    Let me know if the same process applies to the WLC 5760 as well.

    Thanks Matteo,
    I managed to get it done. Yes, I used OpenSSL to generate the CSR.
    Here is what I have learnt about it, including WebAuth cert installation on the 5760. This may be useful to someone else.
    http://mrncciew.com/2014/07/30/5760-webauth-certificates/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • PKI setup using 3rd party certificates

    I want to configure SCCM in our environment using our existing certificate creation infrastructure. I do not want to use Microsoft Certificate Services. Instead I'd rather use our OpenSSL solution. However, I cannot find good documentation on working with 3rd-party certificates. Everything is centred around Microsoft's certificate services.
    Has anyone had any luck implementing SCCM in this manner? Is there documentation available to aid?

    So we are planning to set up HTTPS across the board, and going through the blogs and TechNet articles I see that internal PKI is a requirement and you just cannot do away with it in favour of a 3rd-party/external certificate, correct?
    I am working on a scenario where the customer does not want to implement internal PKI but use an external certificate, from GoDaddy or Thawte or VeriSign, where possible at all times, but it looks like you can't use the external certificate to act as the ConfigMgr Web Certificate or ConfigMgr DP cert?
    Given the following scenario
    https://social.technet.microsoft.com/Forums/en-US/ac34ebdf-c932-4075-b4a3-ebe572ffab0e/scenario-multi-tenant-configmgr-2012-r2-and-same-ip-address-range-for-multiple-customer?forum=configmanagerdeployment#868600a8-e8eb-471a-b767-761305636041
    for clients to communicate with DPs/Secondary Sites configured in HTTPS, do we still need internal PKI?
    I guess the answer is yes to all.. but just confirming :)

  • Cisco IOS CA using 3rd Party Certificate

    Hi,
    Can I use a 3rd-party certificate, such as VeriSign, on a Cisco IOS CA? All I can see on cisco.com is self-signed certificates from the router.
    Thanks
    -santo-

    Santo,
    That's fair enough. A key piece of information to make sure customers understand is that a private PKI infrastructure is (for the purpose of deployments such as GETVPN) as secure as one provided by a third party.
    Private PKI is not based on self-signed certificates - only the root CA might need something like it :-)
    That being said, for reliability and flexibility I really suggest storing the CA files (ser, CRL, OCSP, backup of public/private keys) on storage external to the router.
    The key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd-party services (and often an order of magnitude cheaper).
    M.

  • Farm member not using 3rd party certificate

    I have a Microsoft server 2008 R2 RDS farm using a broker and NLB farm nodes.
    In the farm member node (not the broker), I opened the “Remote Desktop Session Host Configuration” tool, selected “member of farm RD Connection Broker”, and in the “General” tab under the “Certificate” section I clicked “Select” and picked the 3rd-party certificate.
    This is a farm member. When I use an RDP client to go to farmName.domain.com I get a pop-up with a certificate error, and it shows the certificate as serverName.domain.com and not the name in the “farm” certificate.
    How can I troubleshoot this issue?

    Hi,
    Initially it seems the certificate is not from a valid trusted authority, so please check the trusted authority. Apart from that, there is a mismatch between the certificate name and the server name.
    The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
    If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. 
    The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
    In addition, please check the article below for reference.
    Configuring Remote Desktop certificates
    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
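The warning in the opening WiSM thread (certificate for guest.companyname.com, redirect to https://1.1.1.1/login.html) and the RDS farm thread just above (certificate named serverName.domain.com, users connect to farmName.domain.com) are the same check failing: the browser compares the host in the URL with the names in the certificate. The example below, added here and not code from Cisco, Microsoft or either thread, models that comparison in Python the way browsers do it (SAN dNSName entries first, CN only as a fallback, a literal IP only against SAN iPAddress entries, wildcards limited to the leftmost label). All certificate names and hosts in it are constructed from the threads; `CertNames` is an assumed stand-in for what a real certificate parser would return.

```python
"""Added example: hostname-vs-certificate matching as a browser performs it.
CertNames is an assumed, hand-filled stand-in for the parsed certificate."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names a server certificate asserts: subject CN plus SAN entries
    (constructed values; a real certificate would be parsed for these)."""
    common_name: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the requested host. A wildcard
    is honoured only as the whole leftmost label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(cert: CertNames, requested_host: str) -> bool:
    """True when the host in the URL bar is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP in the URL is compared only with SAN iPAddress entries.
        # A CN or dNSName of guest.companyname.com never satisfies 1.1.1.1,
        # which is exactly the warning guests see on the portal redirect.
        return any(ip == ipaddress.ip_address(s) for s in cert.san_ip)
    # Browsers consult the CN only when the certificate carries no SAN dNSName.
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_dns_match(n, requested_host) for n in names)


def explain(cert: CertNames, redirect_host: str) -> str:
    """One-line verdict for a given redirect or connection target."""
    if host_matches_cert(cert, redirect_host):
        return f"https://{redirect_host}/login.html: name matches, no warning"
    return (f"https://{redirect_host}/login.html: certificate names "
            f"{cert.common_name}, browser warns about a name mismatch")


if __name__ == "__main__":
    # Constructed to mirror the WiSM thread: cert for guest.companyname.com,
    # web-auth redirect to the 1.1.1.1 virtual address.
    guest = CertNames("guest.companyname.com", san_dns=["guest.companyname.com"])
    for host in ("1.1.1.1", "guest.companyname.com"):
        print(explain(guest, host))
    # The RDS farm case: cert named for one node, users connect to the farm name.
    node = CertNames("serverName.domain.com")
    print(explain(node, "farmName.domain.com"))
    # A wildcard or SAN covering the farm name is what the RDS reply suggests.
    wildcard = CertNames("*.domain.com", san_dns=["*.domain.com"])
    print(explain(wildcard, "farmName.domain.com"))
```

Run as a script it prints one verdict per case; the 1.1.1.1 line fails and the guest.companyname.com line passes, which is why changing the redirect URL to the certificate's name removes the warning while the same certificate is in place.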

  • Cannot enter 3rd-party certificate into SCUP 2011 on Server 2012

    Hello all,
    I am trying to deploy SCUP 2011 on Server 2012 with a SCCM 2012R2 primary site w/WSUS onboard.
    The client is using a 3rd-party Digisign cert from a CA that is trusted throughout the enterprise. This cert has been imported into the private store and exported as a .pfx to be loaded into SCUP 2011. The Digisign cert is in the Trusted Publishers and Trusted Root stores.
    Administrator registry hack applied for Server 2012.
    Options of SCUP 2011: successfully connect to the SCCM local site server and local WSUS server. However, when I browse and select the exported .pfx, I am not prompted for a password for the cert, and no certificate information is displayed. Also, there are no entries in the Trusted Publishers tab.
    I am stumped at this point. Any suggestions? SCUP just isn't looking at the cert (which was ordered according to the requirements in the SCUP blog).
    Thanks,
    -P

    A couple of questions...
    1. How, and where exactly, did you import the PFX to the WSUS Server (SUP)? Most notably, the fully-signed cert needs to be in a cert store named *WSUS*, which has been notably difficult to create except when using the WSUS API to create it.
    2. You don't need to export the PFX for SCUP, only the CER (provided that the PFX is properly held on the WSUS server); but even so, if you already have the original cert from Digisign, why bother exporting from the store to import... you already *had* the full cert that could be imported to SCUP?
    3. If you're not prompted for the password of the PFX, that suggests that it wasn't exported with a password, or, since no cert information is available, maybe the export failed completely?
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Going from a self signed certificate to a 3rd party certificate....

    Hello all...
    I have an Apache webserver running both the GroupWise WebAccess and the Netware FTP server. Up until now, I have used self signed SSL certificates on each of them to provide security. Now, we are going to a 3rd party issued certificate for both of them.
    Any idea how I set up the apache server so it will use the 3rd party cert instead of the self signed one...?
    Also, if you know how to set it up with the FTP server as well, it would help.
    (And, yes I know this is not the right forum, but in the interest of not repeating my work, I was hoping to bend the rules some.....)
    Thanks in advance....
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA

    As far as the FTP goes, can you be more specific? Where is this ini file that I need to modify? And how do I modify it?
    Thanks.
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA
    >>> On 6/25/2008 at 2:34 PM, in message
    <[email protected]>, Richard Beels
    [SysOp]<[email protected]> wrote:
    > close enough on the group... :-)
    >
    > for apache, it's easy peasy, find the bit in your httpd.conf and where
    > it says:
    >>>>
    > SecureListen 443 "SSL CertificateDNS"
    >>>>
    >
    > change it to whatever you've neamed the new cert, such as:
    >>>>
    > SecureListen 443 "DigiCert"
    >>>>
    >
    > which should give you a clue as to what I recc. for 3rd party certs.
    > :-)
    >
    >
    > As to ftp, it should be the same, i.e. ini file fiddly bit...
    >
    >
    > --
    > Cheers!
    > Richard Beels
    > ~ Network Consultant
    > ~ Sysop, Novell Support Connection
    > ~ MCNE, CNE*, CNA*, CNS*, N*LS

  • 3rd party Certificate and AAA Authentication

    I am using a Cisco ASA 5520 and I have set up remote access VPN with an AnyConnect connection profile.
    In the connection profile I have set up that users should authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued from a 3rd party.
    This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as an associated trustpoint on the ASA box to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combination of Joe's certificate and Jane's username/password. Both are valid (in isolation), but I only want Jane to be able to authenticate with her username/password and her personal certificate.
    I got an idea that I could put the Serial Number of the user's certificate on the user object in AD (in the user's department field or something like that) and check if this value matches during authentication.
    So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and I think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-Windows 2000.
    After some trying and failing I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (LDAP) server under "AAA server groups".
    So I changed the Naming Attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that I tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The LDAP debug is clear: the LDAP query during authentication is now searching for the user using the department field, looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field, so I took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution; I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input, Marcin
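The property the thread ends up with is worth seeing in code: once the LDAP naming attribute is serialNumber, the user DN is derived from the certificate serial, and the password is then checked against that DN only, so Joe's certificate combined with Jane's password fails even though each credential is valid on its own. The Python below is an added model of that flow, not ASA or AD code; the directory entries, serial numbers, passwords and salts are constructed, and `DIRECTORY`, `search_user_dn` and `authenticate` are assumed names standing in for the ASA's LDAP search and bind. The filter builder also escapes the serial per RFC 4515, a check worth having wherever a certificate field is copied into a search filter.

```python
"""Added example: certificate serial as the LDAP naming attribute.
Directory contents are constructed; names are assumed stand-ins."""
import hashlib
import hmac


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for the constructed directory (not how AD stores it)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _user(sam: str, serials, password: str, salt: bytes) -> dict:
    return {"sAMAccountName": sam, "serialNumber": list(serials),
            "salt": salt, "pw_hash": _pw_hash(password, salt)}


# Constructed directory (DN -> attributes). serialNumber is multi-valued, as in AD.
DIRECTORY = {
    "CN=Jane,OU=Wonderland,DC=testlab,DC=local":
        _user("jane", ["1111-2222-333333333"], "jane-pass", b"salt-jane"),
    "CN=Joe,OU=Wonderland,DC=testlab,DC=local":
        _user("joe", ["4444-5555-666666666", "7777-8888-999999999"], "joe-pass", b"salt-joe"),
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: a serial copied out of a certificate must never be
    able to change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(naming_attribute: str, value: str) -> str:
    """The filter the thread's debug shows, e.g. (serialNumber=xxxx-xxxx-xxxxxxxxx)."""
    return f"({naming_attribute}={ldap_escape(value)})"


def _values(attrs: dict, attribute: str) -> list:
    v = attrs.get(attribute)
    return v if isinstance(v, list) else ([] if v is None else [v])


def search_user_dn(naming_attribute: str, value: str):
    """Subtree search on the naming attribute; exactly one entry must match."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if value in _values(attrs, naming_attribute)]
    return hits[0] if len(hits) == 1 else None


def authenticate(cert_serial: str, password: str):
    """Certificate + AAA with serialNumber as the naming attribute: the DN comes
    from the certificate serial, and only that DN's password is accepted."""
    dn = search_user_dn("serialNumber", cert_serial)
    if dn is None:
        return None            # no user object carries this serial
    attrs = DIRECTORY[dn]
    if hmac.compare_digest(_pw_hash(password, attrs["salt"]), attrs["pw_hash"]):
        return dn
    return None                # valid serial, but the password belongs to someone else


if __name__ == "__main__":
    print(build_filter("serialNumber", "1111-2222-333333333"))
    print("Jane's cert + Jane's password ->", authenticate("1111-2222-333333333", "jane-pass"))
    print("Joe's cert + Jane's password  ->", authenticate("4444-5555-666666666", "jane-pass"))
    print("Joe's second cert + Joe's pw  ->", authenticate("7777-8888-999999999", "joe-pass"))
```

The second print line is the thread's original problem and comes back `None`; the third shows why the multi-valued serialNumber attribute is convenient when a user holds more than one certificate.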

  • Installing 3rd party certificate in Cisco ASA

    Hi, 
    We have configured a CSR in the Cisco ASA for a 3rd-party CA to generate the certificate; however, the CSR configuration was lost for some reason.
    How can we install this certificate without the CSR in the Cisco ASA? Or do we have to generate another certificate from the CA? It will be chargeable for the new certificate.
    Can anyone help to advise?
    Thanks
    Veon

    You don't need the CSR once you have received the certificate from the third party certificate vendor. Just upload the CA Root certificate and the identity certificate from the certificate vendor to the ASA.
    Here is a configuration guide for your reference:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
    Hope that helps.

  • Error installation 3rd party certificate on wlc for webauth

    Hi,
    I would like to install a web auth certificate on a 5508, version 7.6.130.
    Every time I get an error on the web GUI or CLI like:
    Cisco Controller) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Site Cert
    TFTP Server IP................................... 10.1.126.100
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ /wlan/
    TFTP Filename.................................... final.pem
    TFTP Webauth cert transfer starting.
    *TransferTask: Oct 07 14:33:08.162: RESULT_CODE:1
    *TransferTask: Oct 07 14:33:12.165: Locking tftp semaphore, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore locked, now unlocking, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore successfully unlocked, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.250: TFTP: Binding to remote=10.1.126.100
    *TransferTask: Oct 07 14:33:12.266: TFP End: 7959 bytes transferred (0 retransmitted packets)
    *TransferTask: Oct 07 14:33:12.266: tftp rc=0, pHost=10.1.126.100 pFilename=/wlan/final.pem
                                                                                                    pLocalFilename=cert.p12
    *TransferTask: Oct 07 14:33:12.266: RESULT_STRING: TFTP receive complete... Installing Certificate.
    TFTP receive complete... Installing Certificate.
    *TransferTask: Oct 07 14:33:12.266: RESULT_CODE:13
    *TransferTask: Oct 07 14:33:16.269: Adding cert (7895 bytes) with certificate key password.
    *TransferTask: Oct 07 14:33:16.309: RESULT_STRING: Error installing certificate.
    *TransferTask: Oct 07 14:33:16.309: RESULT_CODE:12
    Error installing certificate.
    What's funny is that when I install the same certificate on a 2106 (version 7.0.250.0), everything works!
    Does anyone have an idea to solve this problem?
    Regards
    Juergen

    Hello, please check these links out and see if they help:
    https://supportforums.cisco.com/discussion/11376866/error-installing-certificate-help
    https://supportforums.cisco.com/discussion/12294996/web-auth-certificate-download-failed-install-certificate
    https://supportforums.cisco.com/blog/151061/generate-csr-third-party-cert-and-download-unchained-cert-wireless-lan-controller-wlc

  • Code signing with 3rd-party certificate fails

    Hello everybody !
    I'm about to sign an app written in Xojo on OS X 10.10 with a class-2 code object certificate issued by StartSSL. On Windows this is working fine, but signing on OS X leads to the "app from an unknown developer" message.
    For signing I'm using the codesign utility:
    codesign -s "Mario Hammer" -f -v "My App.app"
    or codesign -s "Mario Hammer" --deep -f -v "My App.app"
    It returns "signed bundle with Mach-O thin (i386) [com.mariohammer.testapp]".
    Signature checking with spctl --verbose=4 --assess --type execute "My App.app" returns 'My App.app: rejected'.
    And codesign -dv "My App.app" returns this:
    Executable=/Users/mario/Desktop/Test/My App.app/Contents/MacOS/My App
    Identifier=com.mariohammer.testapp
    Format=bundle with Mach-O thin (i386)
    CodeDirectory v=20100 size=67752 flags=0x0(none) hashes=3381+3 location=embedded
    Signature size=5893
    Signed Time=05.11.2014 15:51:59
    Info.plist entries=13
    TeamIdentifier=not set
    Sealed Resources version=2 rules=12 files=22
    Internal requirements count=1 size=100
    I have also tried to manually sign each file within "My App.app", but with the same result.
    I'm not sure where to look to fix this. Any help is highly appreciated.
    Looking at my keychain, I have a keychain "Anmeldung" (not sure how this is labelled in English) that contains my private key and my certificate (as two separate entries, key listed first). Clicking "Information" shows my cert with "Certificate is valid" and a green sign.
    Using the certificate assistant to verify my certificate, it shows "Checking state: No root certificate found" and "Certificate condition: Good".
    The root certificate however is there (the intermediate certificate "StartCom Class 2 Primary Intermediate Object CA" is in my "Anmeldung" keychain, and the root certificate "StartCom Certification Authority" is in my "Anmeldung" keychain as well as in "System", pre-installed; I cannot change anything there).
    Any help you can provide me with is highly appreciated.
    Sincerely,
    Marco.

    There is no special reason. But since I don't intend to sell over the App Store and I already have that membership at StartSSL (server and e-mail certificates), I thought I could save the $99 registration fee for the Apple Developer Program.
    So I appreciate any help. :-) Even if it just means that I need to buy the Apple membership too... but I want to get rid of this annoying and trust-stealing "app not from a certified developer" message.

  • SSLVPN 3rd Party Certificate

    Hi,
    We are in the process of deploying SSLVPN for our company. We already bought two ASA5510s with SSLVPN licenses on both. I am going to install the firewalls into two separate data centers to provide redundancy. Two different external IPs, but we'll publish it with a single URL so we can load-balance. My question is, do we need to purchase two SSL certificates? Or should we just purchase one and export it, then import it on the other firewall?
    Your thoughts? Thanks in advance.
    John

    Hi John,
    There are different ways to get this to work with VPN load-balancing.
    However, we need to have a good understanding of how this is supposed to work.
    When the Master receives a new SSL connection, based on the load-balancing algorithm, it makes the decision whether to redirect the session to another ASA or accept the connection.
    The SSL connection will point to the Cluster URL, so you need a certificate for the cluster including the cluster URL in the CN attribute field.
    We must keep in mind that the cluster does not take the connection, but a specific ASA does, so we also need a valid certificate for each ASA.
    Now, to solve this issue, I would recommend that you check the following link and choose the best option for you:
    ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
    Keep me posted.
    Please rate any post you find useful.

  • SSLVPN 3rd Party Certificate, still get "untrusted site" with mobile device

    Hi,
    I have recently implemented an Entrust cert on my ASA for SSLVPN. When accessing the ASA from Windows/Mac, the "untrusted site" page does NOT appear. When accessing the ASA from an Android/iPhone, the "untrusted site" page DOES appear. Can anyone chime in on why this is happening with mobile devices?
    Thanks,
    Eric

    Hi Portu,
    I'm not clear on your last request; what are you asking?
    I've looked at the security warning on an iPhone, and it reads the following:
    "The site's security certificate is not trusted!
    You attempted to reach blah.blah.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications."
    This does not happen when using Google Chrome on Windows/OS X.
