ACS SE w/ Verisign Cert

I am using the ACS as an authentication server against AD for my wireless network. I have a WiSM as my WLC and some of my users are getting a certificate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or cert not verified from the iPhone. The certificate is valid and I installed an intermediate CA. No matter what I try I can't get the error to go away.
Could someone please assist?
Thanks
mike

I am using PEAP with MSCHAP. From the iPhone I am getting that the cert is not verified. When I use the IntelPro supplicant on a laptop, it refuses to log on even though I select "use any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computers; I don't believe that is correct. I am using a Verisign cert and so it should already be on my computers.
Internet Explorer is not having an issue with the cert, and the Dell wireless WLAN client does not have a problem either.
Mike

Similar Messages

  • FYI. Verisign Cert & ACS

    For those who have trouble getting a Verisign cert working on the ACS box: I just spoke to Verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that is not compatible with Verisign. Verisign is working on the issue; it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about which version of ACS is causing the issue or so... I'm using ACS 3.3 at the moment.

    I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
    When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
    Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
    It works fine after all that =)

  • Non-Verisign certs in WS7

    Hello,
    I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
    In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
    For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
    Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
    Thanks,
    Bill

    Output of wadm list-certs --verbose -all:
    nickname        issuer-name     expiry-date
    [email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PM
    There is no -h option to certutil -L:
    certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]
    However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
    # pk12util -o xxx -d . -n [email protected]:Server-Cert  
    Enter Password or Pin for "NSS Certificate DB":
    Enter Password or Pin for "[email protected]":
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL
    # pk12util -i xxx -d $PWD
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    # certutil -L -d .   
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Server-Cert                                                  u,u,u
    # certutil -L -d . -n Server-Cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
                ns L.L.C.,C=US"
            Validity:
                Not Before: Fri May 19 00:00:00 2006
                Not After : Sat May 19 23:59:59 2007
            Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
                et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
                S"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                        46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                        d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                        39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                        49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                        df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                        82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                        10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                    Exponent: 65537 (0x10001)
    (stuff deleted for brevity - let me know if you need to see all of this output)
    Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
    BTW, I also sent a note to NetSol's support people, and they had this thought:
    As we use an intermediate, that could be the reason why they are not listed.
    Without the intermediate it will not find a chain to the trusted root.
    We would recommend contacting the software provider for details on
    importing the intermediate into the application server.
    I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
    On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
    # certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
    -d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
    # certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
    -d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
    # certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
    -d . -a -i /tmp/certs/NetworkSolutions_CA.crt
    # certutil -L -d .                                                                                     
    Admin-Server-Cert                                            u,u,u
    Admin-Client-Cert                                            u,u,u
    AddTrust External Root                                       CT,C,C
    UTN-USERFirst-Hardware - AddTrust AB                         c,, 
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Admin-CA-Cert                                                CTu,u,u
    However, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
    Let me know what you'd like to see next.
    Thanks,
    Bill

  • Is verisign cert "multi purpose"?

    If I get a certificate from Thawte, I can get the multi-purpose Authenticode cert, export it from IE, import it into Netscape and be able to sign Netscape objects as well as CAB files.
    Can I do the same thing with the Verisign cert? Verisign doesn't talk about this on their website, but maybe they just want people to pay $800 instead of $400? Just curious if anyone has tried this. If you have tried it, let me know.
    (Before anyone asks, yes, I would love to go with Thawte, and have in the past, but my organization has recently made the decision that Thawte is no longer an option, so I have to go with Verisign.)
    Thanks!
    Kirby

    To fully answer my own question,
    I got a Verisign Authenticode certificate, and was not able to export it in the pk12 format that is necessary for Netscape to be able to import it.
    I've got a Verisign Netscape cert on order that I am pretty sure will work for Netscape and the Java plugins/Web Start, as has been mentioned.
    Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate, and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, Thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization, which wasn't reasonable for our size of 5-10,000, as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

  • ACS - Verisign Cert - PEAP Auth - XP Clients

    Hi
    I am hoping to implement PEAP using a server certificate on ACS generated from a real CA like Verisign/Thawte etc. to prevent having to distribute an internal root CA certificate to all clients.
    I have discovered that Verisign provides a WLAN Auth certificate product, but this appears to be specifically for IAS.
    Does anybody know whether I can just generate a certificate request from the ACS box and use any certificate, or is there a particular type I need?
    Any help would be much appreciated!
    Thanks
    Leon

    CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed. Refer to http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.

  • Verisign CERT Root Change

    Verisign as of Oct. 10th has changed the root CA they sign certs with. Our 802.1x supplicants are configured to trust only the older Class 3 Public Primary root that is part of Windows. Is there any way to configure the ACS box to support the older root, as reconfiguring all the supplicants is a non-trivial task? I wondered if there was a way to create a self-signed cert to act as the root? Has anyone had this problem? Thanks

    Bruce,
    ACS can generate a self-signed certificate, but this will only work when clients do not validate the server certificate. If validation is required in your setup then a self-signed cert won't help.
    If installing the cert on each client is feasible, then configure them not to validate the server cert, and your current setup will work fine.
    Regards,
    ~JG
    Do rate helpful posts

  • [solved] Renewing a verisign cert

    Sorry, this isn't Arch related, but I'm having a tough time googling the correct answer. I've got a customer using Red Hat Linux and wanting to renew their Verisign SSL cert for a webpage. I'm following the instructions listed at https://knowledge.verisign.com/support/ … t&id=AR142
    My question is, do I need to generate a new key pair if I'm renewing the certificate?
    Thanks,
    MP
    Last edited by murffatksig (2009-09-15 20:17:40)

    You don't have to.
    Generally they either:
    a) just re-sign the original cert request they have on hand (new certificate lifetime)
    b) ask for a new CSR to sign
    c) ask you to generate a new key, and then a new CSR to sign
    I think which operation they prefer depends on the vendor.
    https://knowledge.verisign.com/support/ … 3035718053
    For the sake of security though, it certainly wouldn't hurt to generate a new private key and CSR, and then have that CSR signed (option c above).
    Another relevant link: http://serverfault.com/questions/42993/ … ith-apache
    Apparently Verisign does allow option a (see the last comment on the serverfault page).

  • VeriSign cert and IE5 on WLCS

    Hi.
    We installed the purchased certificate (from VeriSign) on our server
    WebLogicCommerceServer( weblogic.security.certificate.server &
    weblogic.security.key.server ).
    When the client accesses this host with IE5.5 browser, everything is OK.
    When the client uses IE5, however, he gets an error "the security
    certificate was issued by a company you have not chosen to trust".
    If we're adding weblogic.security.certificate.authority to point to a
    VeriSign root certificate (which we took from their site), then sometimes
    the client gets a "can't display page", and sometimes the same error as
    above.
    Any hints?


  • Automatically accept VeriSign certs?

    Hi all. I'm pretty new to SSL so any help with this question would be appreciated.
    I have a web service app running on a WebLogic 10.3 server (let's call it ServerA). This web service app also contains a web service client to make calls to another web service app running on another server somewhere (let's call it ServerB).
    ServerB is beyond my control, but happens to be behind the same firewall as ServerA. For my app on ServerA, I've been asked to "auto-accept the connection (trust VeriSign)" when making a web service call to ServerB. I believe this is to avoid certificates expiring, but I may be wrong.
    Can anyone tell me how (either in the WebLogic console or in my Java code) to automatically trust VeriSign certificates?
    Forgive my ignorance on this subject. It's my first time working with SSL.

    You probably want to also try the security forum:
    WebLogic Server - Security
    Specify whether you are using just 1-way SSL (where this should work without intervention I believe using the CA list with the JVM). If you're using 2-way SSL, then I think you'll need to do some key importing.
    You should really consult someone who understands security requirements in your environment on what they want, as this is something you really want to get right and not misconfigure.

  • Installing Verisign Cert failure

    I have a certificate from Verisign and it asks me for the private key file. Verisign didn't give me a private key file; where would I find this file?
    Thanks
    mike

    Hello Michael,
    VeriSign does provide you with the certificate which is the signed public key. For security reasons, the private key is not something that you would provide to VeriSign as this needs to remain on your server or device. It should not be shared with another party. Depending on what was used to generate the key pair, the private key may simply be a file located in a certain path or it could possibly be hidden.
    Please feel free to contact us for further assistance.
    Phone: 1-877-438-8776 Option 1, 2
    Email: [email protected]
    Regards,
    Frank
    VeriSign Technical Support
    VeriSign, Inc.

  • ACS 5.5 wildcard cert

    I have a question about the ACS 5.5 wildcard certificate.
    From bug ID CSCtr60378 it says that it was fixed in March 2014.
    I thought it was fixed too for ACS 5.5.
    I have ACS 5.5 with patch 5.5.0.46.2 dated 17 March 2014, but still encountered the same problem: it won't show "Trusted" when I insert the certificate.
    Anyone have an idea about this?

    CSCun46199    ACS5.X does not support wildcard certificates, documentation needed
    ACS 5.5 doesn't support wildcard certificates. Cisco has filed a doc bug on this.
    Please add the note under configuring local certificates on ACS, since all CCO engineers are looking for this feature/capability there:
    For example, looking at ACS5.5 docs here:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_config.html#wp1052640
    it would be nice to have a simple note like this:
    "ACS5.5 does not support wildcard certificates"
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Zebra QL420 Printer using PEAP (Verisign Certs)

    Hi,
    Has anybody been able to successfully get a Zebra QL420 Plus printer connected to Cisco LWAPP/CAPWAP APs?
    We are using WPA2 - PEAP with Verisign Signed Server Certificate.

    Yes, I have the QL420+ printers working with 5508 WLC and 3502E CAPWAP APs and PEAP.
    Fotis - You will most likely find the reason for the slow ping response is down to the setting for "Power Mode". You likely have it set to "best". This setting controls how long the device "sleeps" before it awakens and downloads queued traffic from an AP. Setting it to "off" will put the device into CAM (Constantly Awake Mode). This means that the device never switches its radio card off and never allows traffic to be queued on an AP. However, this will mean that the drain on the device's battery will be much greater. I believe there is a sliding scale of settings for this device that go in order of highest battery drain as follows:
    Best
    1
    2
    3
    4
    off
    Off will give you the best performance with maximum battery drain. Play with the settings and see which gives the best performance/battery drain balance.
    Regards
    Simon

  • Certificate on acs

    Hello Folks
    Wifi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    Question is: is it mandatory to generate a certificate in the ACS then export it to the controller in order to let the authentication work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) ACS cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates, it results in a longer authentication time the first time a client authenticates with the Microsoft supplicant. All subsequent authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in ACS, but the client hangs while authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA signed certificate. If you are using 4.x ACS you can generate what is called a CSR (Certificate Signing Request). You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certificate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server and the client IF a) you are validating the cert on the client b) you are using an ACS self-signed cert
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X, so the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options: 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
    Make sense?
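    The chain walk the reply above describes (the client compares the cert the ACS presents against its own root store, and either validates or does not), as an added example that is not from this thread or from Cisco. It uses constructed certificate records with hypothetical names (Example Root CA, Example Intermediate CA, acs.example.com) instead of real X.509 parsing, and it also covers the case raised earlier on this page where the intermediate is missing from what the server presents (the NetSol chain question) and the supplicant option of not validating at all:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Constructed certificate records with hypothetical names. A real X.509
# certificate carries much more (and a signature to verify); this keeps only
# the fields the path walk below needs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False


@dataclass
class Result:
    ok: bool
    reason: str
    path: list = field(default_factory=list)   # subjects, leaf first


def build_path(leaf, presented, trust_store, now, validate=True, max_depth=8):
    """Walk issuer links from the server's leaf cert to a cert the client
    already trusts, using only what the server presented plus the client's
    own trust store. This is the check a supplicant's "validate server
    certificate" option turns on."""
    if not validate:
        # Validation off: whatever answers the EAP request is accepted, so the
        # client opens its PEAP tunnel to any server that responds.
        return Result(True, "server certificate NOT validated; any server accepted",
                      [leaf.subject])
    presented_by_subject = {c.subject: c for c in presented}
    trusted_by_subject = {c.subject: c for c in trust_store}
    path, current = [leaf], leaf
    for _ in range(max_depth):
        names = [c.subject for c in path]
        if not (current.not_before <= now <= current.not_after):
            return Result(False, f"{current.subject} is outside its validity period", names)
        if trusted_by_subject.get(current.subject) == current:
            return Result(True, f"chain ends at trusted anchor {current.subject}", names)
        if current.subject == current.issuer:
            return Result(False, f"self-signed {current.subject} is not in the client trust store", names)
        # Prefer the client's own copy of the issuer; otherwise use the one the
        # server sent. A missing intermediate fails right here.
        issuer = (trusted_by_subject.get(current.issuer)
                  or presented_by_subject.get(current.issuer))
        if issuer is None:
            return Result(False, f"issuer {current.issuer!r} neither presented by the server nor trusted by the client", names)
        if not issuer.is_ca:
            return Result(False, f"{issuer.subject} is not a CA certificate", names)
        path.append(issuer)
        current = issuer
    return Result(False, "chain too long", [c.subject for c in path])


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_FROM = datetime(2020, 1, 1, tzinfo=timezone.utc)
_TO = datetime(2030, 1, 1, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", _FROM, _TO, is_ca=True)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _FROM, _TO, is_ca=True)
ACS_CERT = Cert("acs.example.com", "Example Intermediate CA", _FROM, _TO)
ACS_SELF_SIGNED = Cert("ACS33", "ACS33", _FROM, _TO, is_ca=True)
EXPIRED_CERT = Cert("old.example.com", "Example Intermediate CA", _FROM,
                    datetime(2023, 1, 1, tzinfo=timezone.utc))
CLIENT_ROOTS = [ROOT]   # a stock client trust store: public roots only


def scenario_leaf_only():
    """ACS sends only its own cert; the client has the root but no intermediate."""
    return build_path(ACS_CERT, [ACS_CERT], CLIENT_ROOTS, NOW)


def scenario_with_intermediate():
    """Intermediate installed on the ACS and sent alongside the leaf."""
    return build_path(ACS_CERT, [ACS_CERT, INTERMEDIATE], CLIENT_ROOTS, NOW)


def scenario_self_signed(pushed_to_client):
    """ACS self-signed cert: passes only if that cert was pushed to the client."""
    store = CLIENT_ROOTS + ([ACS_SELF_SIGNED] if pushed_to_client else [])
    return build_path(ACS_SELF_SIGNED, [ACS_SELF_SIGNED], store, NOW)


def scenario_expired():
    """Leaf past its Not After date fails before any issuer lookup."""
    return build_path(EXPIRED_CERT, [EXPIRED_CERT, INTERMEDIATE], CLIENT_ROOTS, NOW)


def scenario_validation_off():
    """Validation disabled: an unknown self-signed server is accepted anyway."""
    unknown = Cert("unknown-radius-server", "unknown-radius-server", _FROM, _TO)
    return build_path(unknown, [unknown], CLIENT_ROOTS, NOW, validate=False)


if __name__ == "__main__":
    for name, run in [("leaf only", scenario_leaf_only),
                      ("leaf + intermediate", scenario_with_intermediate),
                      ("self-signed, not pushed", lambda: scenario_self_signed(False)),
                      ("self-signed, pushed", lambda: scenario_self_signed(True)),
                      ("expired leaf", scenario_expired),
                      ("validation off", scenario_validation_off)]:
        r = run()
        print(f"{name:24} {'OK  ' if r.ok else 'FAIL'} {r.reason}  path={r.path}")
```

    Run it directly to print each scenario. The point to carry away is the split the reply makes: the intermediate has to be installed on (and sent by) the ACS, only the root needs to already be on the client, a self-signed ACS cert has to be pushed to every client, and switching validation off makes every scenario "pass", which is why that is the option to avoid.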

  • Unstable PIX - migrate to new with public cert?

    Hi ppl!
    I have an unstable PIX, running 7.2.2, with a public Verisign cert on it.
    Now I need to restore this PIX's config onto new PIX hardware, but when pasting the config in, the part with the Verisign cert is failing. This is probably due to the self-signed keys on the new PIX, I assume.
    Now - does anyone have a good idea/way or walkthrough how to do this?
    Kind regards
    Kdam

    It looks like a bug to me; check this bug ID: CSCsi70522

  • Unable to install Cert

    I am running a brand new installation of Web Server 7.0.9 and trying to install a VeriSign cert. When I do this I am getting the message: "An error has occurred, ADMIN4118: Only one server certificate can be installed at a time"
    This is the only cert I have tried installing. I am unable to find any other documentation on this issue. My support team was able to successfully install a self-signed cert but that will not cut it. If anyone can provide any information regarding this issue please let me know. If I need to provide more information I can do so.

    Look at the certificate file you are trying to install: does it have more than one certificate? Is it in PEM or binary DER format?
    More information about PEM format is in:
    http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions
    To convert a certificate from PEM to DER use openssl as given in:
    http://support.citrix.com/article/CTX106631
    If it's in PEM format, can you check how many -----BEGIN lines it has?
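    The format check the reply above asks for (PEM or DER, and how many -----BEGIN blocks the file holds), together with the PEM/DER re-export mentioned in the Verisign-on-ACS post earlier on this page, as an added example that is not from this thread. It uses only the Python standard library; its sample input is a constructed minimal DER SEQUENCE standing in for a certificate, not a real certificate, and no openssl is needed:

```python
import base64
import re
import textwrap


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag/length/value (used only to build the sample input)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed sample: a DER SEQUENCE wrapping a 128-byte OCTET STRING, so the
# outer length uses the long form (0x81 0x83). It stands in for a certificate;
# only the outer TLV structure matters to the checks below.
SAMPLE_DER = _der_tlv(0x30, _der_tlv(0x04, b"A" * 128))


def der_object_length(data: bytes) -> int:
    """Total size in bytes of the DER SEQUENCE at the start of data.

    X.509 certificates are DER SEQUENCEs, so a file whose first object does not
    span the whole file either holds several certificates or has junk appended.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificates start with byte 0x30)")
    first = data[1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
        raise ValueError("malformed DER length")
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")


def count_der_objects(data: bytes) -> int:
    """Number of back-to-back DER SEQUENCEs that exactly fill data (0 if malformed)."""
    offset, count = 0, 0
    while offset < len(data):
        try:
            size = der_object_length(data[offset:])
        except ValueError:
            return 0
        if offset + size > len(data):
            return 0          # truncated object
        offset += size
        count += 1
    return count


def detect_format(data: bytes) -> str:
    if b"-----BEGIN " in data:
        return "PEM"
    return "DER" if count_der_objects(data) > 0 else "unknown"


_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(data: bytes):
    """Return [(label, der_bytes), ...], one entry per PEM block in the file."""
    blocks = []
    for m in _PEM_BLOCK.finditer(data):
        body = b"".join(m.group(2).split())      # drop line breaks
        blocks.append((m.group(1).decode(), base64.b64decode(body, validate=True)))
    return blocks


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """PEM is just base64 of the DER in 64-column lines between BEGIN/END markers."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode()


def inspect_cert_file(data: bytes) -> dict:
    """Summarise what an installer would see: format and how many certs are inside."""
    fmt = detect_format(data)
    if fmt == "PEM":
        labels = [label for label, _ in split_pem(data)]
        return {"format": "PEM", "certificates": labels.count("CERTIFICATE"),
                "labels": labels}
    if fmt == "DER":
        return {"format": "DER", "certificates": count_der_objects(data), "labels": []}
    return {"format": "unknown", "certificates": 0, "labels": []}


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    bundle = pem + der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_DER, "PRIVATE KEY")
    for name, blob in [("der", SAMPLE_DER), ("pem", pem), ("bundle", bundle)]:
        print(name, inspect_cert_file(blob))
```

    A bundle that reports more than one CERTIFICATE block is the "more than one certificate" case the reply suspects; split_pem gives you each one as DER so the server certificate can be installed on its own and the issuer certificates loaded as CA certs, and der_to_pem is the inverse when the target only accepts PEM.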
