Certificate and SSL combination

Similar Messages

• SSL Certificate and SSL Authentication

  Hi-
  I'm hoping someone can shed some light on this issue.
  First off, is there a difference between SSL Certificate and SSL Authentication?
  I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
  But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
  If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
  Any advice would be appreciated.
  Thanks!

  Hi Imagine,
  You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port #s are correct and you simply check mark the SSL boxes and leave authentication on Password at least on most setups. Each host maybe different so you have to double check with them.
  Hope That Helps,
  Eric

• SnS Certificate and SSL

  I am trying to install a signed certificate from verisign on the SnS Show n Share box in my company, however when ever I enter the .pem and the cert files I get an error saying the certificate chain is broken. Any ideas?
  Also is there a way to stop SnS to stop forcing SSL connections? We have an internal network and do not need it to be encrypted when a user access' it from within our network.  The cert is only for the external domain we have pointing to it. (for security)                 

  You need to get the Certificate Chain from verisign.
  It's telling you that it's missing probably the root certificate.
  https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO4785&actp=LIST&viewlocale=en_US
  Save the correct one out to a file make sure it matches the one you purchased (type of SSL cert)

• SSL certificates and GWIA

  I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
  Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
  Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
  It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
  Any suggestions would be welcome !
  Thanks !

  Hi, I very recently had a similar problem...our existing 3rd party ssl external Verisign certificate expired!!!!
  I have'nt been able to in the past configure a 3rd party ssl certificate into our current Groupwise 7 system due to lots of various methods of doing this task....i got quite confused and if you do not do things in the correct order the whole process will need to ber started over again.
  Ive managed to eventually cracked it and figure out a simple and more structured approach to setting this up.
  The following was in relation to applying the 3rd party external certificate to WEBACCESS
  This was the steps i took:
  Firstly ensure you have the registered details you completed already with your 3rd party SSL supplier, they should have provided you with a:
  OU
  O
  L
  S
  C
  the CN is the webaddress or DNS name your users will hit to access your secured page - we will add this later.
  1) Highlight the container where your server is located which will be the host application part of the webaccess that the ssl is assigned to.
  (my setup is, i have my main grpwise system in one tree, my application - webaccess component in a separate tree) - we need to re-create the SSL object in the second tree or the container where the application component is located.
  2) Right-click to create an object > from the list choose > NDSPKI:Key Material.
  3) Give a name for the certificate name object > then select the second option > Custom.
  (This will allow you to enter more specific information relating to the 3rd party ssl certificate)
  4) The next screen select "External Certificate authority" - this would be your 3rd party ssl. Click next
  5) Next screen asks for the Key size, accept the default value of "2048 bits" > tick "Allow private key to be exported", click next.
  6) Next screen asks for the Certificate Parameters, depending on the order of your, CN, OU,O,L,S,C
  I clicked the edit button and then clicked the small arrow icon to switch the SSL URL around so that my .cn=webserver url address will be read first then the - OU,O,L,S,C.
  (PLEASE NOTE: The (OU,O,L,S,C) should be identical to what was initially registered with your 3rd party SSL supplier.
  7)Once you are happy with the details click "Finish".
  8) You will immediately be asked where to save the "b64" file that will be generated which will be sent off to your 3rd party supplier for re-minting.
  choose a file name - ensure no hyphens,or special characters etc are used and keep to the 8.3 naming length just to avoid any long name issues, i do believe that by adding a hyphen may cause problems as the system automatically puts a hyphen to separate the names automatically hence that is why its advised not to use this.
  I saved my file to root of my c:\
  9)Once this has been done and you click save, send the file off to your 3rd party SSL supplier, they will re-mint the "b64" file and you should get back 2 files:
  a)file.cer
  b)Intermediate.cer
  (filenames could be anything)
  10) Select the "KMO object" you created earlier in step 2, then goto the Certificate tab > Trusted Root certificate" tab to import the Intermediate.csr file sent to you.
  Select import > then read from file and browse for the "Intermediate.csr" file - i chose root of my c:\ to save the re-minted 2 files sent back to me.
  Select the Intermediate file, you should see some encrypted characters show in the blank screen, then select Ok or finish.
  If you see a pop up window stating " Subject name mismatch error" dont worry this is merely a cosmetic issue due to the details not being in the exact naming order, it has been IMPORTED!!
  Click OK.
  Once you have done this you should see your first key pair file imported, check the subject name, Issuer name, effect date, expiration date, certificate status details, these should all show the 3rd party certificate details.
  Then next part is to import the second key pair file.
  Click Certificate>Public Key Certificate tab > import.
  Select to read from file> then browse for the file.csr
  You should see the encrypted characters, then select ok or finish.
  Now you have competed the difficult part you now need to tell you application what SSL object to point to in order to use the SSL encryption.
  For webaccess, you have to edit the apache conf files and enter the name of the SSL/KMO object you created earler.
  11) Goto your application server that will use the ssl, then browse to:
  server\sys\apache2\conf
  edit a file called "httpd.conf"
  then
  amend or add the section:
  SecureListen 443 "Verisign"
  Save theses changes - then shut down your web services on the server, apache, etc. ie, type :
  Apache shutdown commands:
  ap2webdn
  tc4stop
  admsrvdn
  Apache load commands:
  apache2
  ap2webup
  tc4stop
  admsrvup
  wait a minute or so so that the services can be unloaded.
  If you think its safer to do so, you can restart the server - that way you know for sure that everything has been unloaded and re-loaded cleanly.
  ALL done.
  SSL now in operation and working.
  I carried out this method - my own steps and this worked for me.
  Good luck!!!
  Dennis
  Originally Posted by shale999
  I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
  Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
  Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
  It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
  Any suggestions would be welcome !
  Thanks !

• 6.1 SP 2 certificate authenticator fails with Apache plugin and SSL

  Hi,
  Does anybody have a certificate authenticator working in WebLogic 6.1
  SP 2, in combination with the Apache HTTP Server plugin and SSL?
  We implemented a certificate authenticator that works correctly in
  WebLogic 6.1 SP 2 when we configure SSL with "Client Certificate
  Required", and access it directly from a browser (the browser hits the
  SSL port of the WebLogic server, like 7002).
  This certificate authenticator also works correctly with a proxy web
  server. We set up a Stronghold server (web server based on Apache) on
  Linux with the Apache HTTP Server plugin from BEA, configured the
  plugin to use SSL, and configured our WebLogic 6.1 SP 1 server without
  "Client Certificate Required". The certificate authenticator gets the
  end user's certificate correctly.
  This same architecture with the proxy web server does not work when we
  upgrade the WebLogic Server to SP 2. WebLogic Server logs the
  "incorrect or missing client cert" error, our certificate
  authenticator is never called, and the browser gets a 401 Unauthorized
  error.
  We looked all over the WebLogic 6.1 SP 2 installation for a newer
  version of the plugin (mod_wl_ssl.so) and found the same version as SP
  1. We double-checked that it was the Linux-specific installer
  (because we'd found that some Linux libraries are missing from the
  generic installer). So it appears to us that the plugin encodes the
  certificate in the request header in such a way that a SP 1 server can
  extract it, but an SP 2 server cannot. We were wondering whether
  there might be changes to the plugin to stay in step with the SP 2
  server that never got ported to Linux, or whether an updated Linux
  plugin never got included in the installer packages.
  So: has anybody gotten a system like
  Apache/Stronghold + WebLogic Plugin <-- SSL --> WebLogic 6.1 SP 2 +
  Cert Auth
  to work?
  Thanks in advance for any help,
  Jim Doyle
  [email protected]

  A correction, I think:
  Now that I rolled back a system to 6.1 SP 1, it looks like 6.1 SP 1
  does include a different mod_wl_ssl.so from that in SP 2. I believe I
  was comparing the wrong file. In fact, trying to compare versions of
  the mod_wl_ssl.so makes things rather confusing:
  A mod_wl_ssl.so from a straight weblogic610sp2_generic.zip install has
  a cksum of "1853014778 1132467".
  A mod_wl_ssl.so from a weblogic610sp1_generic.zip install with a
  subsequent SP 2 upgrade install has a cksum of "1350917183 1147927".
  A mod_wl_ssl.so from a plain 6.1 install with subsequent SP 1 and SP 2
  upgrade installs, followed by an SP 2 uninstall and another SP 1
  upgrade install, has a cksum of "1471948065 1136501".
  I think I may be looking at three different plugin versions here: 6.1,
  6.1 SP 1, and 6.1 SP 2, assuming the upgrade installs don't actually
  change mod_wl_ssl.so. I'm not sure whether there's an easier way to
  verify what version of the plugin you have.
  In any case, we did try each plugin version, and none of them works
  against a 6.1 SP 2 WebLogic server.
  Jim
  [email protected] (Jim Doyle) wrote in message news:<[email protected]>...
  [snip]
  We looked all over the WebLogic 6.1 SP 2 installation for a newer
  version of the plugin (mod_wl_ssl.so) and found the same version as SP
  1. We double-checked that it was the Linux-specific installer
  (because we'd found that some Linux libraries are missing from the
  generic installer). [snip]

• How to erase all self signed certificates and force Server to use Signed SSL

  I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
  I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
  Can I replace those self-signed certs with the new one some how?

  Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
  1:  Launch Keychain Access
  2:  Select the System Keychain
  3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
  4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
  5:  Press Save Changes to save.
  6:  Reboot the server or kill the servermgrd process to restart the service.
  That should resolve your issue.
  R-
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

• SSL certificates and/ or Oracle Certificate Authority

  Our Oracle infrastructure is as follows:
  1.Database server
  (a)Oracle 9i R2 database
  (b) Oracle ApEx 2.2
  2. Infrastructure server
  (a) Oracle 10g (9.0.4.x.x) Infrastructure
  (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
  (c) SSO - configured as Windows Native authentication
  3. Application server
  (a)Oracle 10g (9.0.4.x.x) Forms and reports server
  Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
  I was reading through Oracle Certificate Authority and Secure Sockets Layer.
  1. Is there a difference between the two products?
  2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
  Thanks,
  Mayura

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• Creating SSL certificate and configuring it with JBOSS 4.0.1

  I have to post some data to a secured site from my application.
  For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
  But, while creating the stream it is showing SSLException and message is No trusted certificate found.
  For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
  Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

  I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
  See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

• Certificate Based Authentication and SSL

  To whom it may concern,
  I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
  Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
  Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
  I am running my Messenger express (http) like this :
  http://testing.xyz.com:8100
  (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
  https://testing.xyz.com:8100 also,
  http://testing.xyz.com:443 also,
  https://testing.xyz.com:443 also,
  but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
  And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
  Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
  Thanking you,
  Farhan Ahmed,
  System Engineer
  Dubai, UAE.

  Dear jay,
  I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
  [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
  i got this line from the http log:
  [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
  Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
  Thanking you,
  Farhan Ahmed,
  System Engineer,
  Dubai Internet City, Dubai, UAE.

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• Weblogic server 9.2 and SSL server certificate for the wrong site

  I turned on SSL service for a weblogic 9.2 server and later on changed the hostname of the machine that weblogic was running on. So the hostname that my SSL server certificate was issued to has now became an invalid hostname. But my weblogic server continues to run SSL service without any exception. I can still access my web applications thru the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should weblogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.

  So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.

• Profiles, Certificates, Mail, and SSL

  Strictly speaking, I have an iPod Touch 32G with iPhone software 2.2 (5G77a) for this problem. Expect my problem is exactly the same as for an iPhone.
  iTunes synced my email account information just fine for a work POP3 account, work Exchange account, and gmail via IMAP. But not for my personal FreeBSD-hosted IMAP account which uses Dovecot and a self-signed certificate generated with the script provided in Dovecot.
  Have been using this configuration for years with Mail.app. Every year I generate a new certificate and prior to MacOS 10.5 used to move it into "X509 Anchors" or some similarly named place with Keychain Access.app.
  First problem resolved was my FreeBSD machine was named "opus.local" in my DNS. Tcpdump showed the iPod was trying to find it via mDNS. Reconfigured my internal DNS server to use .home rather than .local. Had to make new certificate for Dovecot and reconfigure Mail.app on my Mac Pro.
  Now dovecot complains to FreeBSD's /var/log/maillog that the iPod connected via TLS but "Aborted login (no auth attempts)". The iPod says "Cannot Get Mail: The connection to the server "opus.home" failed." Tcpdump shows dovecot sending the certificate. The console in iPhone Configuration Utility only says:
  Wed Dec 24 21:55:18 unknown MobileMail[37] <Warning>: ERROR: The connection to the server "opus.home" failed.
  So after much study I have created a profile and "Shared" it using iPhone Configuration Utility version 1.1. Put my .cer in Credentials, emailed it to a working account, then the iPod complained about not having a Mail profile and rejected the whole thing.
  Made a profile including mail with IMAP via SSL on port 143. iPod installed this one. Didn't work. Viewing the profile on the iPod showed port 993 was selected, not 143, and being a profile it was locked against change.
  Tried emailing the .cer file only. That succeeded in installing a certificate after deleting the previous profile. The iPod created a profile which only has my certificate, but is still not communicating with dovecot on opus.home.
  Watching the communication with tcpdump the two exchange a good number of small packets before the iPod gives up.
  My self-signed certificate is RSA with a 128 byte public key (1024 bits).
  What am I doing wrong?
  Message was edited by: David Kelly1

  Worked on this for weeks before posting. So after posting the above I disabled SSL on the mail account on the iPod. Enabled "PLAIN" authentication in Dovecot for non-encrypted sessions. And was able to download email.
  Then I went back and re-enabled SSL. Checked email and finally got the message about the certificate possibly not secure (its self-signed).
  Disabled the non-encrypted PLAIN in Dovecot, and everything still works!
  There is something about iPhone 2.2 software that doesn't work with a self-signed certificate until after some traffic has moved through the account.

• Mail for Exchange and SSL certificate

  I have a little problem with Mail For Exchange and my Nokia N80. I have self-signed certificate for Exchange mailserver and when I am synchronizing e-mails I got always message: "The site has sent an untrusted certificate. Continue anyway ?". I underestand that my certificate isn't verified by any root authority, but if I have synchronization schedule set at 15 minutes it means I have to confirm this message four times when I am not with my mobile one hour. So question is:
  Is possible to import self-signed SSL certificate into Nokia N80 and set it as trusted ? If yes, please describe me how, because I have tried import the certificate as CER (it was opened just as NOTE on Nokia), I tried to convert it via openssl to PEM (the file was not recognized) etc... Thanks for any help in advance.
  Reply With Quote

  Go to your outlook web access website and click on the lock and then view certificate. The details and then you can save it in DER format to your desktop.
  Then go to this site:
  http://www.redelijkheid.com/symcaimport/ and insert through the browse button and then copy the link to your phone.
  Then you should be able to download it
  You can also go to your IIS default site on the exchange server and directory security and export your certificate under edit certificate.
  I have tried everything now. I can download my certificate and the valicert from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
  Our firm have taken the E-phones away now and went over to windows mobile and all of them worked within 10 minutes without any errors.
  The funny thing is that when you try to call nokia, they wont help you with Mail for Exchange, and it is there program
  I know my GoDaddy certificate works on windows mobile phones, so It must be something with Mail for Exchange.
  Every guy I talked to about symbian phones have told me they always gives problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
  Best Regards
  Morten @ Denmark
  Message Edited by asp3200 on 02-May-2008 08:37 AM

• Oracle Certificate Authority OCA and SSL Immlementation

  Hi
  Is anybody can clear that:
  1) Does OCA only work on intranet or it does work internet also.
  2) What is the difference between OCA and Verisign or any other third party CA
  3) What are the benifits for OCA
  4) What are the advantages and disadvantages for both of them
  5) what are the main steps invloved to implement OCA and SSL
  I'll be very appraciated, if anybody give me the answers as soon as possible. Please gIve me the answers whichever you knows very well.
  Thanks in Advance
  Munir Muhammad

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• SA540 and SSL certificate from DigiCert

  Has anyone succeeded in installing a SSL certificate from DigiCert on a SA540 router?
  The SSL certifcate is a wildcard variant (*.example.com).

  Hello Mr. ivar,
  In order to get a new SSL certificate please follow the next instructions:
  STEP 1 : Click Administration > Authentication.
  The Authentication (Certificates) window opens.
  STEP 2 For each type of certificate, perform the following actions, as needed:
  • To add a certificate, click Upload. You can upload the certificate from the PC or the USB device. Click Browse, find and select the certificate, and then
  click Upload.
  • To delete a certificate, check the box to select the certificate, and then click
  Delete.
  • To download the router’s certificate (.pem file), click the Download button under the Download Settings area.
  STEP 3 To request a certificate from the CA, click Generate CSR.
  The Generate Certification Signing Request window opens.
  a. Enter the distinguished name information in the Generate Self Certificate
  Request fields.
  • Name: Unique name used to identify a certificate.
  • Subject: Name of the certificate holder (owner). The subject field populates the CN (Common Name) entry of the generated certificate and can contain these fields:
  - CN=Common Name
  - O=Organization
  - OU=Organizational unit
  - L= Locality
  - ST= State
  - C=Country
  For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
  Whatever  name you choose will appear in the subject line of the generated CSR.  To include more than one subject field, enter each subject separated by a  comma. For example: CN=hostname.domain.com, ST=CA, C=USA
  • Hash Algorithm: Algorithm used by the certificate. Choose between MD5 and SHA-1
  •Signature Algorithm: Algorithm (RSA) used to sign the certificate.
  • Signature Key Length: Length of the signature, either 512 or 1024.
  • (Optional) IP Address, Domain Name, and Email Address
  b. Click Generate.
  A  new certificate request is created and added to the Certification  Signing Request (CSR) table. To view the request, click the View button  next to the certificate you just created.
  Or you could check it on the next link. please check page 191
  http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
  If this answer was satisfactory for you, please mark the question as Answered.
  Diego Rodriguez
  Cisco network engineer
  Thank you