Certificate signing request with subject alternative names?

Similar Messages

• CSS 11501 - wildcard certificate with subject alternative names

  Hi,
  I generated a wildcard certificate for my company type *. mycompany.com in a CSS 11501.
  For the site sub-domain1.mycompany.com worked fine, for the site sub-domain2.sub-domain1.mycompany.com didn't worked.
  I read on the web that should generate a wildcard certificate with subject alternative names. Is it possible in CSS? how can I do it?
  Thank you very much,
  Cláudio Soares

  Hi,
  The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
  so using a wildcard certificate would be no different than using a standard certificate.
  If using the CSS to generate the Certificate Signing Request, just enter the Common
  Name with the leading asterisk for the subdomain portion of the hostname. Example:
  Common Name (your domain name) [www.mycompany.com]*.domain.com
  The only difference in configuring SSL termination would be that you could
  reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
  subdomains resolve to without having to worry about pop-up warnings on client's browsers
  (example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
  wouldn't be any different.
  Regards,
  Siva

• Used a Subject Alternative Names certificate with an ESA IronPort C170

  Hi all,
  Is  someone know if it is possible to use a "Subject Alternative Names" Certificate (SAN / UCC SSL) for an Email Security Appliance C170.
  Is it possible to do this, with an IronPort ?
  Thank you very much, for your reply.
  Regards,
  David

  Hello RYAN,
  Thank you for your reply, It is a very good new for us.
  Have a nice day!
  David

• Nodemanager configuration with SSL and Subject Alternative Names.

  We want to configure serveral nodemanagers in serveral machines using SSL. Is possible to use only one certificate with one CN and several subject alternative names (one per machine)?
  We cannot configure the nodemanager, we always get an SSLHandShake exception.
  Thanks.

  Hi,
  Hope you found out resolution to your issue. 
  incase you havent , presuming the CN used in your certificate is not the host name and all the host servers can resolved/ identify that CN. Dont see major problem in the way you explained.
  However handshake exception only points at certain specific case
  - where the certs are not imported into keystores ( client or server side) or
  - certs mismatching at clent & server
  - too many certs with the same CN in the same keystore or CN resolving to more than 1 cert ( if its possible).
  Let me know if you need help in reolving this and also paste the error trace of 'handshake' exception you see.
  Sri

• Certificate Signing Request file (CSR) with PIX

  Hi everybody
  Does anyone knows how to create a Certificate Signing Request from a PIX 515. I want to make a VPN tunnel between 2 PIX with certificates and the Onsite Verisign ask me for a CSR file witch must contain the public key and the name in an encrypted form.
  Thank for your help

  Check out http://www.esign.com.au/custsupport/server/certsignreq/

• How to create a certificate signing request that works with Microsoft CA

  Hi, I have created a certificate signing request file with keytool. When I try to create a certificate from it with CertReq (I use a Microsoft CA) I get the following error message:
  Certificate not issued (Denied) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute. (The request contains no certificate template information. 0x80094801 (-214687 5391)) Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute.
  How do I create a certificate signing request file so that a Microsoft CA will accept it and create a certificate from it. Thanks, Linh.

  I'm writing a applecation about x509 to deal with certificate and certificate request.
  I found that DER format certificate request create by sun's software with no extensions.
  I think this cause your error.My be MS CA can't identify such a request!So it's difficult to solve this problem unless MS or Sun change their codes.
  JStranger

• What versions of Weblogic currently have Subject Alternative Name support?

  I would like to visit a comment I saw in an old forum thread from 2010
  Certificate hostname verification error with 10.3
  that "WebLogic currently does not support the Subject Alternative Name field." Can someone please let me know what versions of Weblogic currently have Subject Alternative Name support? We are currently on 10.3. Is there anything near that version that has support, or a patch available for it?
  Regards,
  John

  The KM number is the article number on the support site. Logon to Oracle support and paste the number into the knowledge search and you will get your answer. The article is called "How to Develop Custom Hostname Verifier for Subject Alternative Name (SAN) Certificates" and applies to WLS 10.3.3 and later.

• Error: Subject alternative name did not match site name (JavaME)

  When I try and connect to my RESTFul Web Service using SSL I get this exception:
  "Subject alternative name did not match site name".
  I did Google searches and as far as I can tell my 'Subject' matches my 'site name'. I know this because when I connect using my Browser (IE or Firefox) they say our SSL certificate is a-ok (no mismatches). Also, my Windows Mobile 5/6 REST application works fine under SSL. So, I am doubting it's a server side setting?
  Godaddy's root certificate is installed on the Java Emulator. If I disable the root cert I get a different error.
  I am using the QwertyDevice Emulator with 'identified_third_party' security. Wireless Toolkit 2.5.2 and NetBeans Mobility 6.0.1.
  My Web Server is IIS 6.0 that is hosting a WCF .NET 3.5 WebService using the webHttp binding (for those who don't know that's makes it a RESTFul Web Service).
  IIS 6.0 Settings:
  -Web Service is under Default Web Site and in Default Application Pool.
  -'Require secure channel (SSL)' is selected as well as 'Require 128-bit encryption'.
  Here is my client Code:
  InputStream is = null;
  HttpConnection conn = null;
  try
  conn = (HttpConnection)Connector.open("https://ourwebserver.ourdomain.com/RESTServer/Service.svc/REST/getmyopentasks/", Connector.READ_WRITE);
  conn.setRequestProperty("Authorization", "Basic " +
  BasicAuth.encode(userName, password));
  conn.setRequestMethod(HttpConnection.GET.toString());
  conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  is = conn.openInputStream();
  catch (IOException ex)
  ex.printStackTrace();
  A few notes: We are using Basic HTTP Authentication, and "BasicAuth.encode" method is, a helper method, that I found code for out on the Internet. It works fine though.
  Because when I run this above code with SSL turned off, on the server, it works fine (authenticating and getting RESTFul XML back). I did try HttpsConnection as well. Did not work. Same SSL error.
  When this line is executed: "is = conn.openInputStream();" I get this exception: "Subject alternative name did not match site name". I have searched this forum and Google and can't figure this one out! Thanks!

  When I try and connect to my RESTFul Web Service using SSL I get this exception:
  "Subject alternative name did not match site name".
  I did Google searches and as far as I can tell my 'Subject' matches my 'site name'. I know this because when I connect using my Browser (IE or Firefox) they say our SSL certificate is a-ok (no mismatches). Also, my Windows Mobile 5/6 REST application works fine under SSL. So, I am doubting it's a server side setting?
  Godaddy's root certificate is installed on the Java Emulator. If I disable the root cert I get a different error.
  I am using the QwertyDevice Emulator with 'identified_third_party' security. Wireless Toolkit 2.5.2 and NetBeans Mobility 6.0.1.
  My Web Server is IIS 6.0 that is hosting a WCF .NET 3.5 WebService using the webHttp binding (for those who don't know that's makes it a RESTFul Web Service).
  IIS 6.0 Settings:
  -Web Service is under Default Web Site and in Default Application Pool.
  -'Require secure channel (SSL)' is selected as well as 'Require 128-bit encryption'.
  Here is my client Code:
  InputStream is = null;
  HttpConnection conn = null;
  try
  conn = (HttpConnection)Connector.open("https://ourwebserver.ourdomain.com/RESTServer/Service.svc/REST/getmyopentasks/", Connector.READ_WRITE);
  conn.setRequestProperty("Authorization", "Basic " +
  BasicAuth.encode(userName, password));
  conn.setRequestMethod(HttpConnection.GET.toString());
  conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  is = conn.openInputStream();
  catch (IOException ex)
  ex.printStackTrace();
  A few notes: We are using Basic HTTP Authentication, and "BasicAuth.encode" method is, a helper method, that I found code for out on the Internet. It works fine though.
  Because when I run this above code with SSL turned off, on the server, it works fine (authenticating and getting RESTFul XML back). I did try HttpsConnection as well. Did not work. Same SSL error.
  When this line is executed: "is = conn.openInputStream();" I get this exception: "Subject alternative name did not match site name". I have searched this forum and Google and can't figure this one out! Thanks!

• ACE and SSLM support Subject Alternative Name (SAN)

  Hi
  I want to  migrate Exchange server to Exchange 2010, I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
  1.   Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it.
  a.       exchange.ww.edu
  b.       legexchange.ww.edu.
  2)      Can the new ACE( ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
  a.       exchange.ww.edu
  b.       legexchange.ww.edu
  Thanks
  Nomi

  I dont see anything in the config guide where the ACE can generate certs with SANs. However, if you are going to generate the cert and keys offline, then it might work. Can you supply a sample pkcs12 file in PEM format that I can test in the lab ? Which s/w version ?
  Matthew

• How to sign a certificate signing request

  Hi all,
  In the PKI process, a client generates a PKCS#10 [certificate signing request|http://en.wikipedia.org/wiki/Certificate_signing_request] (CSR see [sun.security.pkcs.PKCS10|http://www.docjar.com/docs/api/sun/security/pkcs/PKCS10.html] ), sends it to the certification authority (CA), & once the identity has been checked by the CA, the client retrieves his X.509 certificate (signed by the CA), sometimes along with the CA X.509 self-signed certificate.
  I am acting as a CA, the current only way I know to transform a CSR to a X.509 certificate is by using OpenSSL :
  openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem (see here ).
  Is there any keytool way or even better any sun.security.* way to do that operation programmatically using Java code ?
  Thanks for your feedback.
  Edited by: Le_Sage on 19 avr. 2010 12:12

  That's right, found the doc here : [keytool -gencert|http://download.java.net/jdk7/docs/technotes/tools/windows/keytool.html#gencertCmd] .
  I guess the underlying code must be found under sun.security.* or com.sun.* code. I'll try to have a look.
  Thanks for your feedback.

• Generate a Certificate Signing Request

  Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with  the path of the file saved in step one but once I hit enter it gives me a

  Requires a Mac and your keychain.

• Generation of 1024 bits key certificate signing request-sun one app srvr 7

  Kindly help to generate 1024 bits key certificate signing request in sun one application server 7. The problem faced by me is that during csr generation the key lengh is 512 as this is the default value.Now i would like to change this default value and would like to generate a key with length 1024.Kindly help me.
  Thanks in advance
  Vishnu Priyan

  OK, post a new Topic, title it Need help with self-signed certificate
  Before you post, search the forums for the problem. Do the footwork.
  Then, take your time, post exactly which of these steps you have taken, what the results were, and exactly where you are having problems, what the exact problem is (error message, whatever).
  You are going to have much better response if someone can easily figure out what the problem you are having is. If you look at this thread, you will see "I have tried these 10 steps and they don't work". You are going to get nowhere with that.
  I have to sleep now, good luck.

• Certificate Signing Request never arrives

  I have created a CA using Certificate Assistant and have managed to create two certificates for myself locally and get Mail to recognise the keys and certificates for those email accounts. Everything works as expected.
  However, when I send a CSR (Certificate Signing Request) from Certificate Assistant on another computer, nothing ever shows up in my inbox for me to sign.
  What happened to the CSR? I'm pretty sure it left because I locked the keychain with my email password on first and Certificate Assistant asked me to unlock it, presumably to send the message as there's nothing else on that keychain (I've been trying to debug this for a couple of hours now). Regular email sent from the second computer arrives almost instantaneously at the first.
  Any ideas / similar experiences?

  tried the same thing, same issue. there is not even anything about sending mail in the logs. I wonder ... is this actually implemented?
  Apple help!

• CF10, CFHTTP and SSL subject alternative names

  I have an SSL certificate where the Common Name doesn't match the url, but the Subject Alternative Name does.  The Common Name is the actualMachineName.subnet.subnet.mynetwork.com and the SAN is www.prettyurl.com.  I understand older versions of CF don't support this, but the comments regarding Bug #3566218 say that CF10 does.  However, I am still getting connection failures telling me the name doesn't match.
  Can anyone confirm this should/shouldn't work in CF10?  I have imported all of the certs via the keytool and explored all of those issues.  The only remaining issue is that the url doesn't match the CN.
  TIA,
  Eric

  I received the message,"this site has sent an untrusted certificate", on my N95.  It would prompt me to continue or view certificate.   If I select Continue, everything worked fine.  It got annoying after a awhile.  I went thru 2 pages of google results and could not find the answer to fix my issue.  I gave up and then somehow figured it out on my own at the bar the next day.  
  The issue was that I had the incorrect date.  This was actually one of the first things I checked.  However I overlooked that the date format was ddmmyyyy.  I simply updated to mmddyyyy and fixed the date and the issue was resolved.
  Hope this helps.

• Submit Certificate Signing Request - INVALID?

  Okay, I'm at the stage of the Flash-to-iOS process of submitting my Certificate Signing Request (CSR) thru the "Developing Provision Assistant" ("Wizard") in the Provisioning Portal of the Apple iOS developer site.  I've followed the instructions, made the CSR, yet when an attempt is made to upload and process it, I get this error:
  "The Certificate file selected is invalid. Please check the file and try again."
  What might be wrong?

  i've reviewed the file, and it looks fine to me.  the file name is:
  thenamechosen1.certSigningRequest
  and has this general content (the key identity here, of course, is fake and not included from my actual CSR file):
  -----BEGIN CERTIFICATE REQUEST-----
  dhdFj47dFKbyrFUS7dUD&$HD/djdOS4@jd77s99d8dhfjs2873hdydp74hdlndgdDDshs
  d8dhfjs2873hdydp74hdlndgdDDshsrFUS7dUD&$HD/djdOSAAsjsjdbdTTjj63hdodk
  bcCf8d/djsAAEd8jfndKDhiuRTY79dhdVDjrys%kdndrFUS7dUD&$HD/djdOS
  dUD&$HD/djdOSAAsjsjdbdTTjj63hdodkydp74hdlndgdDDsUD&$HD/djdOS4@jd7
  7s99d8dhfjs2873hdydp74hdl3hdydp74hdlndgdDDshsrFUS7dFUS7dUD&$HD/djd
  S7dUD&$HD/djdOS4@jd77s99d8Ed8jfndKDhiuRTY79dhdVDjrys%kdndrFUS7dUD
  873hdydp74hdlndgdDDshsrFUS7US7dUD&$HD/djdOSAAsjbcCf8d/djsAAEd8jfndKD
  dp74hdl3hdydp74hdlndgdDDshsrFUS7dFUS7dUD&lndgdDDshsrFUS7dUD&$HD/Fss4
  DhiuRTY79dhdVDjrys%kdndrFUS7dUD&$HD/djdp74hdlndgdDDshsrFUS7d
  dTTjj63hdodkydp74hdlndgdDDsUD&$H7dUD&$HD/djdOKDhiuRTY79dhdlndgdDDsUD2hi
  bcCf8d/djsAAEdfjs2873hdydp79dhdVDjrys%kddp74hdlndgdDDshs
  -----END CERTIFICATE REQUEST-----