Certificate wildcard

Similar Messages

• Does Convergence + messaging server 6.3 support wildcard cert ?

  Hi all,
  We plan to purchase a wildcard cert to support our convergence & messaging server SSL connection.
  from the messaging guide provide. it stated we need to generate individual private key & sent to vendor to verify
  what if we are using wildcard cert, do it work in this case ?
  Cheer
  ubd

  ubd wrote:
  So means i generate 1 wildcard cert, then apply to all other server ssl connection, or i need to generate individuallyTo use the same CA signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
  http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
  http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
  Regards,
  Shane.

• Install GoDaddy wildcard SSL on WLC 2504 conroller

  I'm attempting to install a GoDaddy wildcard ssl certificate onto a WLC 2504 running version 7.4.100.0.
  I am getting the error "#SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4055 Cannot PEM decode private key" when downloading the .pem file to the controller.
  What I have attempted to do was to export the certificate from a Windows 2008 R2 server into a .pfx file. The file contained the private key and all possible root certficates (in this case a root and a intermediate cert). Now I took this .pfx file and attempted to create a .pem file with openssl using the following command: openssl pkcs12 -in myssl.pfx -out mynewssl.pem -passin pass:mypassword -passout pass:mypassword
  Now I have opened the .pem file and verified it does contain the private key and the three certificates (wildcard, intermediate and root).

  Seth,
  I had a similar problem, and saw the solution in another post on this forum.  I am cross-posting this to help anyone else out there who might be searching for this answer.
  Kudos to Robert Wells for finding this:
  "I have it fixed now. The problem was the cisco only supports openssl 0.9.8x. I was using 1.0.1c. I used 0.9.8x and it worked perfectly fine."
  The Windows version of OpenSSL I used was the 0.9.8y Light version from:
  http://slproweb.com/download/Win32OpenSSL_Light-0_9_8y.exe
  I hope this helps someone out there with this problem.
     - Ken

• ICM ADMIN username and password

  Hi frnds
  I have installed SAPNW7.0ABAPTrialSP12 on my system. I have started the application server and it works fine but when i click on ICM in MMC it is asking me to enter ICM ADMIN username and password.
  What needs to be entered please let me know?
  Thanks
  Satya

  check this  <a href="http://help.sap.com/saphelp_nw04s/helpdata/en/82/9e98d786f040209e6a9e8145153939/content.htm">Create Administration User</a>
  1.      As user <sid>adm go to the directory where the executables are kept and call up icmon &#8209;a pf=<instance profile> .
  The following appears:
  Maintain authentication file
  ============================
  File name (icmauth.txt):   .
         2.      If you are happy with the default file name, press the enter key, otherwise enter a different file name or path.
         3.      In the next menu choose a (add user to set).
         4.      Enter the user name, then the password twice, the group name, the subject of the X.509 certificate (wildcards allowed, and it can be left empty).
  User Name: icmadm
  Enter Password: *****
  Re-enter Password: *****
  Group name: admin
  Subject Value of Client Cert: CN=template,*
  new entry locally created
  The user created is in group admin, the user is therefore an administration user without administration authorization. In particular this user can create further users in the Web admin interface.
  If you select another group name other than admin, create a monitoring user that can monitor, but not administrate, the ICM/Web Dispatcher.
  If you want a user to be able to log on only with the X.509 client certificate, you can enter an x as the password (with queries), which makes the following entry (in the example) in file:
  icmadm:x:admin:CN=muster,*
         5.      Choose s (save changes of set to file), to copy your changes from the local buffer to the authorization file.
         6.      Choose q, to quit the program.

• Web Appplication Server Username

  http://<hostname>:8000/sap/bc/bsp/sap/alertinbox/index.htm?sap-client=001&sap-language=EN&sap-syscmd=nocookie
  please tell me Which USER NAME should be used to  login this url with WEB Application Server.....
  Edited by: revanthkumarkadali on Nov 18, 2009 5:16 PM

  Hi Revanth,
  If you are sure that userID 'ICMADM' does not exist in your system then please follow below procedure to create one..
  1. Logon your system as user <sid>adm go to the directory where the executables are kept and call up
  icmon ‑a pf=<instance profile>
  2. In the next menu choose a (add user to set).
  3. Enter the user name, then the password twice, the group name, the subject of the X.509 certificate (wildcards allowed, and it can be left empty).
  User Name: icmadm
  Enter Password: *****
  Re-enter Password: *****
  Group name: admin
  Subject Value of Client Cert: CN=template,*
  new entry locally created
  4.  Choose s (save changes of set to file), to copy your changes from the local buffer to the authorization file.
  5. Choose q, to quit the program
  I hope this helps you.
  Regards
  Sekhar

• Use of wildcard certificate

  Hi,
  We are going to use the UAG with a AD for the SSO of a sharepoint server and a set of 10+ web applications servers behind the UAG, the connections are supposed to be HTTPS; would like to know if the use of wild card server certificate is a mandatory
  in this kind of environment ? or a server certificate for each application server is also possible for this requirement ?
  Thanks a lot !

  Hi,
  it is not mandatory but recommended. The reason for recommendation is, that you can just use 1 trunk for publishing instead of 10 different trunks (10 IPs) if you use a single server SSL cert. E.g. if you use app01.domain.com to app10.domain.com.As an alternative
  to the wildcard cert you can use a SAN certificate which has all app host names  inlcuded. Just in case this makes a price difference.
  I would recommend to use the wildcard cert, because UAG configuration and management is much simpler as with the single server certificate and the SAN certificate is inflexible if you want add more apps because you have to request a new certificate if you
  add a new application.
  Hope that helps,
  Lutz

• URL problems with SQL Server Reporting Services 2012 with wildcard SSL certificate

  Hi,
  I have single server, domain member, with SQL Server 2012 SP1 Reporting Services.
  I am trying to get work with url: https://reports.mydomain.com
  I have valid wildcard certificate (*.mydomain.com) implemented and configured URLs in Configuration Manager.
  https://reports.mydomain.com/ReportServer - works fine
  https://reports.3pro.hr/Reports/ - I got error:
  The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
  In rsreportserver.config I have:
  <Add Key="SecureConnectionLevel" Value="2"/>
  When looking my ReportServerService_date.log file I have something like:
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
  configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
  Also, error shown in log file:
  appdomainmanager!ReportManager_0-2!4c50!03/10/2013-20:24:53:: e ERROR: Remote certificate error RemoteCertificateNameMismatch encountered for url https://localhost/ReportServer/ReportService2010.asmx.
  ui!ReportManager_0-2!4c50!03/10/2013-20:24:54:: e ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
  The remote certificate is invalid according to the validation procedure.
  Btw, is there a way to delete/disable access using https://localhost and/or servername (not FQDN) since SSL will not work in this way for me, and I want access only by full url - https://reports.mydomain.com , not localhost ..
  -- Hrvoje Kusulja

  I spent one of my 4 free support incidents with Microsoft (part of MSDN subscription) this year to get this investigated.  The tech support person helped me through several issues but had to leave to attend some training, and I got past the last hurdle
  before she called me back.  Here are the steps that resolved this issue for me.  I know for sure that step 5 was necessary.  Step 1 may not apply to you, and steps 2-4 may or may not have been necessary (they didn't immediately fix the issue,
  but I didn't roll them back either so they may have been necessary.)
  Step 1:
  Ensure you are editing the correct rsreportserver.config file.  I had been making changes to a file that was installed in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\WebServices\Reporting, but that was a rsreportserver.config
  file for some sharepoint integration that I'm not using.  The correct path on my system was E:\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config, but yours may vary. If you can't figure it out, look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft
  SQL Server\MSRS11.MSSQLSERVER\Setup in the key named SQLPath, and then go to the ReportServer subdirectory of that path.
  Step 2: 
  In rsreportserver.config, ensure that SecureConnectionLevel is set to the value 3.  Was set to 0 in my configuration.  Corrected line in your rsreportserver.confiog file should look like:
  <Add Key="SecureConnectionLevel" Value="3"/>
  Step 3:
  In rsreportserver.config, add the correct value to the <URLRoot> element (which already exists in the file.)  In my configuration, this value was blank.  The value should be the fully qualified path to your report server, with a hostname that
  is valid for your certificate.  For example, if my cert matches *.mydomain.local:
  <UrlRoot>
  https://myserver.mydomain.local/ReportServer
  </UrlRoot>
  Step 4:
  Ensure that your certificate exists in Trusted Root Certification Authorities in certmgr for the local machine.  I had the certificate installed as a Personal certificate for the local machine, which I still think was correct (the certificate wasn't actually
  the problem and worked correctly for Report Server, and the failure was caused by SSRS incorrectly making a https request to a localhost URL), but she had me remove the certificate from Personal and add it to Trusted Root Certificate Authorities.  That
  broke things and the cert was no longer listed as a cert I could bind to, so we then copied it so it existed in both Personal and Trusted Root Certificate Authorities.  This is how I left it, not sure if that was necessary.
  Step 5:
  This was the fix that finally got things to work. In rsreportserver.config, add the same value to the <ReportServerUrl> element (which also already exists in the file) that you added in step 3.  In my configuration, this value was also blank.
  The corrected value should be the same as in step 3, for example:
  <ReportServerUrl>
  https://myserver.mydomain.local/ReportServer
  </ReportServerUrl>
  Then restart your report server (stop & then start in Report Server Configuration Manager), and the problem should go away.  At least it did for me.
  Good luck!

• Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

  Is it possible to install a widcard certificate for web auth in those versions?
  Is there any difference between this two versions.
  Are both of them versions supporting wildcards certificates?
  Here you have the log file resulting of installing the wildcart certificate in the wlc with v 7.0.240.
  *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
  *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
  *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
  *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
  *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
  *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
  *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
       pLocalFilename=cert.p12
  *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
  *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
  *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
  *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
  *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
  *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
  *TransferTask: Nov 28 11:20:59.624: finished umounting
  *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
  *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
  *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
  *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
  *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
  (Cisco Controller) >
  Would I have the same results in wlc with  v 7.5.102?
  Thank you.

  Hi Pdero,
  Please check out these docs:
  https://supportforums.cisco.com/thread/2052662
  http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
  https://supportforums.cisco.com/thread/2067781
  https://supportforums.cisco.com/thread/2024363
  https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
  Regards
  Dont forget to rate helpful posts.

• Can't install a wildcard SSL certificate

  Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
  I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried up update the self-signed certifcate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certifcate and chain files to add.
  However, this is where it gets strange...
  The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identify certificate list. I am able to replicate this every time!
  Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
  I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
  Any insights appreciated! TAA

  In fact i had the same issue last week and i could only solve it by exporting the key with the certificate in a PCKS12 file. Fortunately this is supported by the windows certificate manager where the certificate was originally installed.
  You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to terminal, it is installed on an OSX box) and fire the following command (and change the filenames ;-)):
  openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
  The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
  Good luck with it

• Edge 2013 External Wildcard Certificate

  Hi,
  I know this has been covered a number of times but I'd like something that's been posted more recently.
  We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
  I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
  When testing from Lync connectivity tester I get the following:
  Attempting to resolve the host name blah.co.uk in DNS.
  The host name resolved successfully.
  Additional Details
  Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
  The port was opened successfully.
  Additional Details
  Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
  Additional Details
  Elapsed Time: 758 ms.
  Test Steps
  The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
  Additional Details
  Validating the certificate name.
  The certificate name was validated successfully.
  Additional Details
  Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
  Test Steps
  The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
  One or more certificate chains were constructed successfully.
  Additional Details
  Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
  Additional Details
  The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
  Elapsed Time: 4 ms.
  Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
  Additional Details
  The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
  Elapsed Time: 0 ms.
  Testing remote connectivity for user [email protected] to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
   <label for="testSelectWizard_ctl12_ctl06_ctl03_tmmArrow">Tell
  me more about this issue and how to resolve it</label>
  Additional Details
  Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
  Error Type: TlsFailureException.
  Elapsed Time: 1649 ms.
  Any help would be much appreciated!
  Thanks

  Hi,
  Wildcard certificate doesn’t support for Edge server (both external and internal interface). It is supported to use a public certificate for Edge external interface, for Edge internal interface typically use a private certificate issued by an internal certification
  authority.
  More details about certificate requirements for external user access:
  http://technet.microsoft.com/en-us/library/gg398920.aspx
  You can refer to the link below of “Wildcard Certificate Support”:
  http://technet.microsoft.com/en-us/library/hh202161.aspx
  Here is a similar case my help you:
  http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Does the iphone support the use of a wildcard certificate?

  Does the iphone support the use of a wildcard certificate?
  Our exchange infrastructure utilises a wildcard (*.companyname certificate) from Godaddy.
  - Connects fine and authenticates
  - Can manually sync and pull emails
  - Can Send and Delete emails
  However server is not establishing the activesync connection and ping so mail can be pushed to the device.
  My guess is its a problem with the wildcard certificate that is used, WM5.0 devices didnt work with it, does anyone one know if the iPhone supports this?
  - I can get to OWA fine which uses the same wildcard cert.
  - WM6.0 devices push mail fine.
  Thanks.

  kfc01,
  The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
  Hope this helps,
  Nathan C.

• I can't generated a CSR for a wildcard certificate

  I recently received a new Mac Mini OS X Server with the Server 2.2.1 app loaded.
  I cannot figure out how to create a CSR for a wildcard certificate.
  The wizard will not accept * in the input field.
  Can someone point me to the hard way of doing this?
  I need to secure every channel on the server with a wildcard SSL certificate.
  Thanks...

  Hi Gordon,
  You can use the command line to generate your wildcard CRS.
  1. Launch /Applications/Utilities/Terminal.app
  2. At the prompt, type the following command:
  openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
  Common Name: The fully-qualified domain name, or URL, you're securing.
  If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
  See http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-re quest-csr-apache-2x?pc_split_value=3

• Wildcard SSL Certificates with MFE?

  Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
  We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
  Before doing anything I figured I'd try a website that used a wildcard certificate.
  When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
  My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
  If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
  Thanks.

  This is interesting question. I look forward testing this myself
  What kind of cert & website you used on your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK wildcard doesn't match addresses consisting domain part only, so the latter one might not work.
  Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!

• Wildcard certificates supported by ACE

  We are considering the use of wildcard certificates for our environment. Is this supported by the ACE when using SSL offloading ?
  regards,
  Sebastian

  be aware that certain mobile device do not support them I believe windows mobile 5.0 is one of them.

• Wildcard certificate in Outlook Anywhere

  I tried to fix a bit our Outlook Anywhere and set certificate for my EXPR provider to "msstd:*.domain.com" (I use *.domain.com certificate for exchange). But all Outlook clients after restart show error: "There
  is a problem with the proxy server's security certicate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook
  is unable to connect to the proxy server. (Error Code 0)".
  I set EXPR provider to "msstd:owa.domain.com" (my exchange server address) and all works fine now.
  Why I could not switch certificate to wildcard?

  Hi,
  If you have done the following changes:
  Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
  Please follow Ed’s suggestion to make sure the Wildcard certificate assigned with IIS service. We can run the following command to get more information about your certificates:
  Get-ExchangeCertificate | Select CertificateDomains,Services,Status
  If the Wildcard certificate is not assigned with IIS service, please
  use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
  http://support.microsoft.com/kb/923575
  Thanks,
  Winnie Liang
  TechNet Community Support