ACS Wildcard Certificate Install for PEAP

Does ACS support Wildcard certificate authentication, such as *.domain.com?  We installed the certificate through ACS using CA, but when using wireless devices, the certificate is still not verified.  Any information would be helpful before we go and purchase another certificate.  Thank you.

Can someone validate whether wildcard certs are supported with ACS and PEAP, please.  I'm running into the same issue that Jason outlines above.  It seems that Windows clients specifically don't like the wildcard cert. I have tried with Mac and iPhone and they seem to work if you accept the cert into the keychain on first connect.

Similar Messages

  • AS2 Certificate Install for B2B Use

    Oracle Team -
    Is there a comprehensive set of instructions available on the FULL process necessary to get an AS2 connection up and running?
    I am looking for something that starts with the installation of the certificate into the Oracle Wallet all the way through setting up the Delivery Channel in B2B.
    I have already looked at the tutorial in the B2B tech notes -- that starts after the certificate has already been installed.
    Thanks,
    Alice Raia

    Hello,
    We have sent the white paper on security to you.
    As a summary,
    The 10.1.2.0.2 B2B engine uses the certificate from the repository for both signing and encryption and also does a lookup to the wallet for the private key; however, this architecture has a significant change in subsequent releases.
    Signing and Encryption for Host : Store the certificate in both wallet and repository
    Signing and Encryption for TP : Store the certificate in repository. Please see the details of the same in the security document.
    Rgds,Ramesh

  • Wildcard certificate in mssql 2008R2

    Hello, 
    I have installed a wildcard certificate in Certificates (Local Computer)\Personal on the SQL server. We are using Windows 2008 R2 server and 2008 R2 SQL Server. The certificate is issued by StartCom. The certificate itself works fine (I have used it in IIS), but it didn't appear in the SQL Configuration Manager protocols dropdown list. So I followed the Microsoft article:
    http://support2.microsoft.com/kb/316898
    and added the certificate thumbprint in the registry. Restarted the SQL service.
    Then when I try to connect to the SQL server using SSMS I get the error:
    "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate's CN name does not match the passed value.) (Microsoft SQL Server, Error: -2146762481)"
    So obviously the problem is the wildcard certificate, because it is issued to *.domain.com and the server name is server.domain.com.
    In this article, Microsoft says that "SQL Server 2008 R2 and the SQL Server 2008 R2 Native Client support wildcard certificates."
    http://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
    So the question would be: does SQL 2008 R2 support wildcard certificates or not? If it does, what is the problem? Why am I getting this error?
    Mantas

    Hi Mantas,
    As is mentioned in the Book Online Document from your post, SQL Server 2008 R2 and the SQL Server 2008 R2 Native Client support wildcard certificates. Other clients might not support wildcard certificates. For more details, please review this article:
    Accepted wildcards used by server certificates for server authentication.
    Based on my research, the error message “provider: SSL Provider, error: 0 - The certificate's CN name does not match the passed value” could be caused by the certificates not being installed properly. I recommend you follow the steps in this article to enable SSL encryption for SQL Server.
    In addition, there is a blog  about the error for your reference.
    http://blogs.msdn.com/b/sqljourney/archive/2012/03/16/implementing-ssl-encryption-for-sql-server-in-a-dns-forwarding-environment.aspx
    Thanks,
    Lydia Zhang

  • Unable to install WildCard Certificate for ASA 5512-x

    We have a customer whose ASA 5512-X we manage. I am configuring a wildcard certificate for AnyConnect. They have a wildcard certificate purchased through Godaddy.com. I am using ASDM 7.3 for the installation of the certificate. I added the Identity Certificate ASDM_TrustPoint0, checked the radio button "Add a new identity certificate:", named the key pair WildCard, and set the size to 2048. I also changed the "Certificate Subject DN:" to CN=cityvpn.wirapids.org. There were no other attributes to add. I also changed the FQDN under the Advanced tab to the same cityvpn.wirapids.org. Then I clicked Add Certificate. Successful.
    Under CA Certificates I added the certificate from file, using the bundle.crt from GoDaddy. The certificate was added successfully.
    Going back to Identity Certificates, I click on Install, then Install from a file, where I tried the other .crt file and the bundle file from GoDaddy. I get an error: "Failed to parse or verify imported certificate." With the other .crt file from GoDaddy I get the same error, but also "Certificate does not contain device's General Purpose Public Key."
    Not sure what to think. Any suggestions or help would be great. Thanks
    Paul

    You should never ever get a wildcard certificate. Because if that certificate's private key gets stolen, the thief can impersonate all SSL-protected services. The clients view them as valid resources, because the certificate is correct. The only thing to do then is to revoke the certificate, which will require you to get a new certificate installed on ALL services that you had protected with the wildcard one.
    Even worse, most browsers (besides IE) ignore certificate revocation lists in various cases!

  • PEAP, ACS and certificates

    We recently purchased a Cisco 4200 LAN Controller and 1131ag access points. We also have a Cisco ACS with 3.3.3 installed. I have been researching what the best security option is, and PEAP MSCHAPv2 with WPA2 seems to make the most sense for us since it is highly secure and does not require client-side certificates. I am running into a bit of trouble with this implementation because we do not have an in-house CA. Can I install a certificate from a third party, such as VeriSign, on the ACS? What type of certificate do I need? Do I need to use the Cisco client utility, or can I just use Windows with the built-in laptop wireless adapters?
    thanks

    The Windows clients will trust them if they trust the root CA. A trusts B, B trusts C, so therefore A trusts C. 1. Install the root cert on the ACS box. 2. Install the identity cert on ACS. 3. Make sure your Windows clients trust the root from which you received the identity cert for your ACS box.
    BTW: The self-signed cert from ACS is only good for 1 year.
    Were you aware that Certificate Services are offered with Windows 2000/2003 Server? It's fairly easy to set up. One drawback with 2003 is that you have to create a web template for the cert for ACS, but there are plenty of docs out there. Search for "ACS Certificate Windows PEAP". Just post again if you have any questions...

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both of these versions support wildcard certificates?
    Here you have the log file resulting from installing the wildcard certificate in the WLC with v 7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
         pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in the WLC with v 7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • Sun One Web Server 6.1 | Install wildcard certificate

    Hello everyone. I am new to this forum. I'll start off by saying that I am very "green" with the Sun One Web Server as well.
    My question/problem pertains to installing a wildcard certificate on our server. I am not able to find good documentation on this, so I am hoping that some of you could provide some guidance or, better yet, a link to documentation specifically for the Sun One Web Server 6.1.

    There is no difference between installing a wildcard certificate and any other certificate. You simply create a CSR and specify an asterisk instead of the hostname, followed by a dot and your domain name, for the subject; send it to a CA and get back a certificate that you import.

  • Install digicert wildcard certificate on 2012 RDSH Servers

    Hi Everyone
    I would like to find out whether it is possible to install a DigiCert wildcard certificate on a 2012 RDSH server.
    My current RDSH deployment has 2 connection brokers and a SQL backend, and a bunch of RDSH 2012 servers in a collection. The wildcard certificate is configured in the deployment properties. All servers are part of the domain.
    We already have RASS servers, so we didn't install RDSH Gateway. External users RDP to the RDSH servers via RASS.
    When users connect via RDP it prompts a certificate warning message.
    Please advise
    Thanks

    Hi,
    Thank you for posting in Windows Server Forum.
    Can you please provide the error\warning\event ID you are facing?
    Basic requirements for Remote Desktop certificates:
    1. The certificate is installed into computer’s “Personal” certificate store. 
    2. The certificate has a corresponding private key. 
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
    The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.
    More information.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
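    The name check behind the SQL Server "CN name does not match" error in the earlier thread and the RDS requirement above that the certificate name match the server being connected to, as an added example (not code from this thread, Microsoft, SQL Server or RDS). It implements the usual client-side rules for wildcard and subjectAltName matching (RFC 6125 style); the Certificate class and every hostname below are constructed stand-ins.

```python
"""Hostname matching as a TLS client performs it against a server certificate.

Rules implemented (the common client behaviour; individual clients vary):
  * a wildcard is allowed only as the entire leftmost label ("*.domain.com");
  * the wildcard matches exactly one label: "*.domain.com" matches
    "server.domain.com" but not "domain.com", "a.b.domain.com" or "server";
  * a wildcard needs at least two fixed labels after it ("*.com" never matches);
  * comparison is case-insensitive and ignores a trailing dot;
  * when subjectAltName dNSName entries exist they are used and the CN is ignored.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 cert, name fields only."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (CN or SAN entry) cover this hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial-label wildcards ("ser*.domain.com"), wildcards deeper in
    # the name, and wildcards with fewer than two fixed labels ("*.com").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_host(cert: Certificate, hostname: str) -> Optional[str]:
    """Return the certificate name that matched, or None.

    None is the situation behind "The certificate's CN name does not match
    the passed value": the client connected with a name the cert does not cover.
    """
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    for name in names:
        if name_matches(name, hostname):
            return name
    return None


def uncovered_hosts(cert: Certificate, hostnames: List[str]) -> List[str]:
    """Servers in a collection (e.g. all RDSH hosts) the certificate does not cover."""
    return [h for h in hostnames if cert_matches_host(h and cert, h) is None]


if __name__ == "__main__":
    wildcard = Certificate("*.domain.com")
    for host in ("server.domain.com", "domain.com", "a.b.domain.com", "server"):
        print(f"{host:20s} -> {cert_matches_host(wildcard, host)}")
    collection = ["rdsh1.domain.com", "broker.domain.com", "rdsh3.sub.domain.com"]
    print("not covered:", uncovered_hosts(wildcard, collection))
```

    Connecting by the short NetBIOS name or by an extra-level subdomain is the typical reason a *.domain.com certificate is rejected even though the server "has" a valid wildcard certificate.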

  • Not able to install or generate acs server certificate

    Hi,
    I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID without any authentication, and it was not able to connect successfully.
    But now I want to try enabling WPA2 Enterprise (actually, after checking with the test set-up, I am going to implement it in the live set-up, where I have to configure WPA2 Enterprise, so I would like to test WPA2 Enterprise, not WPA2 Personal).
    I have the ACS server 3.0 trial version installed on Windows Server 2000, and
    on the AP 1131 I have configured the RADIUS server commands
    (aaa new-model and radius-server host ... ip address ... key ... shared secret ... password ...).
    I am confused about the certificate which is required to be installed on the ACS server, but I am not able to generate the certificate or get the certificate from anywhere in the ACS server options.
    How do I generate the ACS server certificate in trial version 3.0, and after generating it, how do I install it on the ACS server? And what about the client? Will it be the same certificate which I need to install on the client PCs, and if yes, how do I add it on the client PCs, and if not, where will I get the client certificate?
    If I buy the ACS software, which I will install on the Windows platform, I will get two certificates. What about the ACS trial version software? Will I be able to get a certificate?
    I am trying to refer to so many documents but they could not help me.
    Your help will be appreciated.
    Looking for proper information.

    Hi,
    Thanks for your response ....
    Obviously, this ACS 3.0 is end of support, but when I tried to install ACS 4.0 or later, I am not getting an error saying "basic platform should be installed first, that is ACS 3.0".
    That is the reason I have gone for this edition.
    Should I go for upgrading ACS 3.0 to 4.1 or a later version?
    If so, will it be possible on the trial version?
    Please give me your suggestion.

  • W2k8R2 - Enterprise CA - Need WildCard Certificate for Internal Use

    Hi guys,
    A new client of mine has a "standalone" CA in their domain already...but I need a Wildcard Cert for some applications I'm installing in IIS.
    I'm used to setting up an "Enterprise" CA and issuing a wildcard cert that way, but I don't know if the "standalone" CA can do that. I attempted to have IIS request a cert and it didn't auto-populate the CA information, but I told it to use CERTAUTHNAME\domaincontroller and it created one, but it doesn't appear to be working.
    My question is...if I install the Enterprise Root CA on a DC in their environment, can it interfere with the already issued certs from the standalone CA?
    I don't want to break something to move forward with my stuff.
    Thanks a lot and any help is greatly appreciated!!!

    A standalone CA can issue wildcard certificates. You just need to generate the certificate request manually (without using the IIS management console for that) by using an INF file and certreq. Then you submit your request to the CA server. Look at this article:
    http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
    Although this article is intended for OpsMgr, the certificate enrollment process is the same for all products; just skip the OpsMgr-specific stuff. There are three sections related to standalone CAs: request generation, submission and installation. In the INF file, you specify your wildcard name in the Subject key.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.

  • Wildcard certificate for Exchange 2010

    Hi
    I have a single Exchange 2010 installed. I have installed a single-domain-name certificate on Exchange; it expires next month, March 2014. I have a plan to buy a new wildcard certificate for Exchange. I access OWA by ns1.xyz.com/owa without any problem, but in my local network my Outlook gives a certificate error because of the single domain name on the certificate.
    My question is: what name should be on the wildcard CSR? Just put "*.xyz.com" or something else? Will that work in my local area as well as OWA and Outlook Anywhere?

    Hi,
    According to your description, your internal URLs have different host names from the external ones.
    If you don't want to change the URLs, we need to add the following host names to the certificate:
    All the host names in the external and internal URLs, including AutodiscoverServiceInternalUri;
    Autodiscover.smtpaddresssuffix
    In this case, a SAN certificate is more suitable for your environment than a wildcard certificate.
    If I misunderstand your meaning, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
    Now when I open, for example, the ECP or OWA page I'm getting the error stating my certificate is wrong:
    Q1) Is Windows CA capable of issuing wildcard certificates?
    Q2) If Q1 = yes, then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click Certificate error in IE to view the details about the error. If the error is related to an untrusted certificate, please open Internet Explorer, click Settings > Internet Options > Content > Certificates. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in the Trusted Root certificate store by the following KB:
    http://support2.microsoft.com/kb/2006728
    If the certificate error is related to a mismatch issue, please confirm if this certificate is assigned to the IIS service. If not, please enable it for the IIS service and restart IIS to have a try. To double-check the Exchange certificate, we can run the following command:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • Installing wildcard certificate - error

    Hello guys,
    I'm not quite sure whether I am posting within the right thread, so please correct me if I'm wrong.
    Anyway, the problem is as the subject says: a problem with installation of a wildcard certificate on a Cisco ASA 5520 (VPN Plus license). Software version is 8.2(2).
    I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. The certificate provider is GeoTrust.
    The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the subordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says "WARNING: Trustpoint GeoTrustRA is already authenticated." (This happens when I try to install the subordinate CA, which sits in between the Root CA and my certificate, within the same trustpoint as the Root CA certificate.)
    The second problem is the actual problem, however. When I try to install the wildcard certificate using ASDM, I get the following error (actually, I intentionally typed the wrong password and I receive absolutely the same error):
    Here is the setup of the CA. As you can see, both certificates, which must rely on the same trustpoint as a chain, are divided into two trustpoint configurations:
    I tried debug crypto ca 255 but there is nothing interesting within the log file.
    If I try to add the subordinate certificate within the trustpoint where the Root CA is installed, I get the following error:
    When I try to manually install the wildcard certificate from the CLI (it's in Base64 format), I receive the following error:
    CLI Issue
    vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here
    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN CERTIFICATE-----
    MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
    [cut]
    RPg4gnOGlySGVA==
    -----END CERTIFICATE-----
    quit
    ERROR: Import PKCS12 operation failed
    Any thoughts, ideas, questions or whatever are more than welcome!

    Hi there,
    I just wanted to tell you that I have found the solution for this case. It appears that the wildcard certificate had been enrolled without the State ("ST") attribute of the x509.3 certificate. The issuer (GeoTrust) refused to enroll it again even though we had supplied that information and it was completely their fault. Anyway, we changed the issuer and now everything is just fine.
    Sent from Cisco Technical Support iPad App

  • I can't generate a CSR for a wildcard certificate

    I recently received a new Mac Mini OS X Server with the Server 2.2.1 app loaded.
    I cannot figure out how to create a CSR for a wildcard certificate.
    The wizard will not accept * in the input field.
    Can someone point me to the hard way of doing this?
    I need to secure every channel on the server with a wildcard SSL certificate.
    Thanks...

    Hi Gordon,
    You can use the command line to generate your wildcard CSR.
    1. Launch /Applications/Utilities/Terminal.app
    2. At the prompt, type the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
    Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
    Common Name: The fully-qualified domain name, or URL, you're securing.
    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
    See http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2x?pc_split_value=3

  • Ramifications of assigning a wildcard certificate to the SMTP service (needed for Exchange 2010 Hybrid Configuration - Office 365)

    Hello All:
    I am receiving an error when I run the Manage Hybrid Configuration wizard: ERROR: Updating hybrid configuration failed with error 'Subtask NeedsConfiguration execution failed: Configure Recipient Settings. I have opened an SR, but figured I'd try the forums, too. I have a wildcard certificate from GoDaddy (MS says they support wildcards from GoDaddy) and that cert has only the IIS service applied to it on the CAS. I've read in the Exchange Server Deployment Assistant that it should have the SMTP and IIS services assigned to it, but my question is: SMTP on the CAS (separate server) or on the Mailbox/Hub Transport (separate server)? And what are the ramifications of assigning the SMTP service to, let's say, the CAS? We have had multiple issues every time the servers get updated/changed; I do not want to disrupt services further, as the Manage Hybrid Configuration will be done during business hours.
    If anyone can provide any assistance/clarification, it would be most appreciated.
    Thank you.

    Hi,
    We can enable a wildcard certificate with the SMTP service for an Exchange Hybrid Deployment. The SMTP service can be assigned to multiple certificates. Some Exchange services, such as OWA, ECP, ActiveSync, the Autodiscover service and OOF, use the Exchange certificate with the IIS service, and usually only one certificate can be assigned to the IIS service.
    Please just make sure your wildcard certificate covers all namespaces which are used for all internal URL and external URL configuration in Exchange services. For how to import an existing wildcard certificate on the Exchange 2010 Hybrid servers, please refer to the Import & Enable Third Party Certificate on Hybrid Servers part in the following article:
    http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-hybrid-deployment-migrating-to-office-365-exchange-online-part9.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Regards,
    Winnie Liang
    TechNet Community Support
