CSS 11501 using wildcard certificates
Hello,
I'm about to switch to wildcard certificates in a CSS 11501, however there are some doubts that I would like to clarify:
- When generating the CSR can I use *.mycompany.com for the CN?
- Should the CSR be generated only once, or every time I need to create a new content rule do I need to generate it?
- If only once, can I associate multiple filenames with only one certificate?
ssl associate cert myrsacert1 certificate.pem; ssl associate cert myrsacert2 certificate.pem...
Thanks for your help,
Best regards,
Claudio
Hello Claudio,
- When generating the CSR can I use *.mycompany.com for CN?
Yes, that will take care of any subdomain you need... something that you need to consider is that this wildcard will cover sites like cars.mycompany.com or shop.mycompany.com, but if you have a site that looks like ftp.shop.mycompany.com then you'll need a wildcard that looks like *.*.mycompany.com.
The CSR is generated only once and from there you send it to your CA to have it signed off.
Not sure I fully understood your second question. Once you have received the cert and key, whether in PFX or PEM format, from your CA, you'll upload these to your CSS using FTP and then associate the file(s) to a name that is only meaningful to the SSL proxy list within your CSS.
HTH
Pablo
Similar Messages
-
Hi, I have a wildcard certificate, *.contoso.com, with no SAN description. I use this certificate for all web servers. Is it possible to use this certificate to connect mobile users to Lync 2013?
Thanks
Bruno
Bruno Ausiello
Hi,
Wildcard entries are supported for the Simple URLs (meet, dialin, etc) but you cannot use them for anything else including the external web services FQDNs. So the wildcard certificate can reduce the cost of certificates placed on reverse proxy servers to
publish the various external Simple URLs, but still you need a SAN certificate to publish other SANs such as external web services FQDN.
More details:
https://technet.microsoft.com/en-us/library/jj205381.aspx
Best Regards,
Eason Huang
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
TechNet Community Support -
CSS 11501 - wildcard certificate with subject alternative names
Hi,
I generated a wildcard certificate for my company of type *.mycompany.com in a CSS 11501.
For the site sub-domain1.mycompany.com it worked fine; for the site sub-domain2.sub-domain1.mycompany.com it didn't work.
I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?
Thank you very much,
Cláudio Soares
Hi,
The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
so using a wildcard certificate would be no different than using a standard certificate.
If using the CSS to generate the Certificate Signing Request, just enter the Common
Name with the leading asterisk for the subdomain portion of the hostname. Example:
Common Name (your domain name) [www.mycompany.com]*.domain.com
The only difference in configuring SSL termination would be that you could
reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
subdomains resolve to without having to worry about pop-up warnings on client's browsers
(example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
wouldn't be any different.
Regards,
Siva -
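The single-label rule behind the sub-domain2.sub-domain1 failure above, as an added example that is not from this thread or from the CSS software: a small RFC 6125 style hostname matcher showing which names *.mycompany.com covers and how clients treat the CN once SANs are present. All hostnames are constructed.

```python
"""Hostname matching against a wildcard certificate name, RFC 6125 style.

Added example (not from the original thread). Sample names are constructed.
"""
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def label_matches(pattern: str, label: str) -> bool:
    """Compare one label; a pattern label of exactly '*' matches any single label."""
    if pattern == "*":
        # The wildcard stands for exactly one non-empty label: '*.mycompany.com'
        # covers 'cars.mycompany.com' but neither 'mycompany.com' nor
        # 'ftp.shop.mycompany.com'.
        return LABEL.match(label) is not None
    return pattern.lower() == label.lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) covers hostname."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if "*" in pattern:
        # Only a whole left-most label may be a wildcard (partial-label wildcards
        # are rejected here), and at least two fixed labels must follow it, so
        # '*.*.mycompany.com' and '*.com' are both rejected.
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(common_name: str, san_dns_names: list, hostname: str) -> bool:
    """Apply the browser rule: when dNSName SANs are present the CN is ignored."""
    candidates = san_dns_names if san_dns_names else [common_name]
    return any(name_matches(name, hostname) for name in candidates)


if __name__ == "__main__":
    for host in ("cars.mycompany.com", "ftp.shop.mycompany.com", "mycompany.com"):
        print(f"*.mycompany.com covers {host}: {name_matches('*.mycompany.com', host)}")
```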
I have a CSS 11501 running 08.10.1.06. Is there a way to renew the existing SSL certificate on the box or must I create a new one? All the doc I've read basically treats renewing the same as creating a new cert. Thanks for your help.
Hi,
In the world of SSL certificates the concept of renewing doesn't exist. You always need to create a new certificate and import it to replace the old one.
To generate this new certificate, you can either use the old private key or create a new one. If you use a new one, then, make sure to also import it along with the new certificate. -
Does the iphone support the use of a wildcard certificate?
Our exchange infrastructure utilises a wildcard (*.companyname certificate) from Godaddy.
- Connects fine and authenticates
- Can manually sync and pull emails
- Can Send and Delete emails
However, the server is not establishing the ActiveSync connection and ping so mail can be pushed to the device.
My guess is it's a problem with the wildcard certificate that is used. WM5.0 devices didn't work with it; does anyone know if the iPhone supports this?
- I can get to OWA fine which uses the same wildcard cert.
- WM6.0 devices push mail fine.
Thanks.
kfc01,
The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
Hope this helps,
Nathan C. -
Wildcard Certificate use in Sun Java System Messaging Server (IMAPs/POPs)
I'm trying to use a wildcard certificate acquired from GlobalSign and am having problems getting
it (properly) into the cert database.
I tried using certutil, and that didn't seem to work at all, it would list without user cert status:
rmorneau+root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
GlobalSign-Ext-CA CT,c,
*.xxxxxxxxxxx.edu ,,
I had some success using msgcert and pk12util, but after importing it in, then seeing that it did
have user cert status, after a quick restart of Messaging (IMAP/POP), SSL quit for IMAP and kicked all
my IMAPs users out temporarily (until I put the original cert8.db and key3.db back).
-------- ImapProxy_20101115.log----
20101115 135531 ImapProxyAService.cfg (id 2590) SSL negotiation failed for IP XXX.XXX.X.XXX: Cannot connect: SSL is disabled. (-12268)
pop.xxxxxxxxx.edu u,u,u
GlobalSign-Ext-CA CT,c,
*.xxxxxxxxxxx.edu u,u,u
I truly appreciate any help on this matter.
-Bob
> 2. Does the certificate nickname in NSS match the configured certificate nickname in the product?
I'm not sure, but I'll try that the next time I try this... will probably be late at night where I won't be interrupting IMAPs and POPs.
> Makes sense. Prior to release 7 update 4, the servers have to be shut down before modifying certificate databases. As of 7 update 4 you can do a one-time migration to the cert9.db/key4.db format that should allow certificates to be updated without taking the servers offline.
This was in the log just before the other log entry that I showed before.
20101115 135440 ImapProxyAService.cfg ASockSSL_Init: couldn't find cert imap.xxxxxxxxx.edu (-8174)
> This is the key line from the log. The server is looking for a certificate with the NSS certificate nickname of 'imap.xxxxxxxxx.edu' and is not finding that certificate so issue 2 is likely the problem.
Yes, this was it. Oversight on my part, forgot they had to match and could not be a form of just domainname.edu or *domainname.edu.
> You either need to modify the default:SSLCertNicknames setting to match the nickname of the new certificate, or install the new certificate using the existing certificate nickname of 'imap.xxxxxxxxx.edu'
I modified the default:SSLCertNicknames setting.
Thank you CNewman very much for all your help.
And, for those trolling for an answer with more detail via an Internet search (that is, if Oracle doesn't screw up these forums for anon searches):
With the private key in hand (not password protected), I used 'openssl' to get it into a pkcs12 type file:
(It is best to do this as root and not as sudo root as you might run into problems if your host
does not have root power to write to your home dir on the/a NFS share.... you will get "unable to write 'random state'".)
root@mmp1:/var/opt/SUNWmsgsr/config/GlobalSign-certs-new# /usr/sfw/bin/openssl pkcs12 -export \
-in ket-wildcard-cert.pem -inkey private.key -out cert.pkcs12 -name xxxxxxxxx.edu
Enter Export Password:
Verifying - Enter Export Password:
Where "private.key" is the key file, and "ket-wildcard-cert.pem" is the (pem format) cert from our cert provider,
and cert.pkcs12 is our cert file that will be imported into the database, and xxxxxxxxx.edu is whatever you (nick)name your cert
in the database
(I think you could use a password protected private key if you have that password.. I don't.)
Next, I used 'msgcert' to import the pkcs12 cert file into the database (I'm sure there is a way
to use certutil or even pk12util to do the same, but I'm on Sun Messenger 6.3 at this time, so that's what I used.
If someone would like to elaborate for those....?):
(It is best, when using 'msgcert', to do it where your mailsrv user has some privs.. I took my pkcs12 cert and moved into /tmp.)
root@mmp1:/tmp# /opt/SUNWmsgsr/sbin/msgcert import-cert cert.pkcs12
Enter the PKCS#12 file password: (blank)
Enter the certificate database password: (token password in sslpassword.conf)
Make sure your (wildcard) cert nickname matches what you have in
ImapProxyAService.cfg and PopProxyAService.cfg at the "default:SSLCertNicknames" field.
Edit if need be.
root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
GlobalSign-Ext-CA CT,c,
xxxxxxxxx.edu u,u,u
root@mmp1:/var/opt/SUNWmsgsr/config# grep default:SSLCertNicknames *AService.cfg
ImapProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
PopProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
Then, of course, restart the msg service(s).
/opt/SUNWmsgsr/sbin/stop-msg
/opt/SUNWmsgsr/sbin/start-msg
Edited by: 810750 on Nov 18, 2010 8:08 AM
Edited by: 810750 on Nov 18, 2010 8:11 AM -
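A pre-restart check for the nickname mismatch behind the -8174 "couldn't find cert" error above, added here as an example and not part of the original post or of the Messaging Server tools: it parses the text of certutil -L and the default:SSLCertNicknames lines of the *AService.cfg files (both samples are constructed) and reports any nickname the proxies would fail to find or that has no private key.

```python
"""Check that the nicknames the IMAP/POP proxies expect exist in the NSS cert DB.

Added example, not part of the original post or of the Messaging Server tools.
Input is the text of 'certutil -L -d <config dir>' and the *AService.cfg files;
both samples below are constructed to mirror the failure in the thread.
"""
import re

# Constructed: certutil listing after importing the wildcard cert under a new nickname.
CERTUTIL_OUTPUT = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

GlobalSign-Ext-CA                            CT,c,
*.xxxxxxxxx.edu                              u,u,u
"""

# Constructed: the services still name the old per-host certificates.
CONFIG_FILES = {
    "ImapProxyAService.cfg": "default:SSLCertNicknames imap.xxxxxxxxx.edu\n",
    "PopProxyAService.cfg": "default:SSLCertNicknames pop.xxxxxxxxx.edu\n",
}

# Nickname, two or more spaces, then the three comma-separated trust-flag fields.
TRUST_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil(text: str) -> dict:
    """Map nickname -> (ssl, smime, jar) trust flags; header lines never match."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def configured_nicknames(configs: dict) -> dict:
    """Map config file name -> nicknames listed in default:SSLCertNicknames."""
    wanted = {}
    for name, body in configs.items():
        for line in body.splitlines():
            key, _, value = line.strip().partition(" ")
            if key == "default:SSLCertNicknames":
                # The option may carry several comma-separated nicknames.
                wanted[name] = [v.strip() for v in value.split(",") if v.strip()]
    return wanted


def check(certutil_text: str, configs: dict) -> list:
    """Return problems that would reproduce 'couldn't find cert' (-8174) on restart."""
    certs = parse_certutil(certutil_text)
    problems = []
    for cfg, nicks in configured_nicknames(configs).items():
        for nick in nicks:
            if nick not in certs:
                problems.append(f"{cfg}: nickname '{nick}' is not in the cert DB")
            elif "u" not in certs[nick][0]:
                # 'u' in the SSL field means the private key is present (user cert).
                problems.append(f"{cfg}: '{nick}' has no private key (flags '{certs[nick][0]}')")
    return problems


if __name__ == "__main__":
    for problem in check(CERTUTIL_OUTPUT, CONFIG_FILES) or ["OK: every configured nickname is usable"]:
        print(problem)
```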
Using same Wildcard certificate on multiple SAP systems with same domain name.
Hello All,
Need urgent help.
I have a WILDCARD SSL certificate in PFX format. I also have the individual root certificate and primary certificate in text form.
The certificate mentioned above is already active in one of our portals.
We want the same certificate on ECC Production.
What are the steps to import this certificate in STRUST?
I believe no certificate response needs to be imported.
I have a certificate response provided by Verisign, but STRUST says 'cannot import certificate response'.
Please help.
Hi,
This is what I did for installing wildcard certificates:
On the OS of the SAP server, log in with the sapadm account.
Open a command prompt:
make a backup of your sec directory in drive:\usr\sap\<SID>DVEBMGS00\ (just to be sure)
cd to drive:\usr\sap\<SID>DVEBMGS00\exe
>sapgenpse.exe import_p12 -p SAPSSLS.PSE location\to\the\certfile.pfx
It will ask you for the pin, and to overwrite the file, answer yes.
Now copy the new SAPSSLS.PSE to a desktop that has sapgui
Login with the sapgui and run transaction strust
Select import from the PSE menu and open the SAPSSLS.PSE
Then again go to the PSE menu and select Save As
I saved it twice, once in System PSE and then again in SSL Server
For me SSL is now working without problems on a couple of servers.
-small update-
You can check internal servers using the certificate utility from digicert https://www.digicert.com/util/
It has the option to specify port numbers, useful for internal web services.
Regards,
Rolf -
W2k8R2 - Enterprise CA - Need WildCard Certificate for Internal Use
Hi guys,
A new client of mine has a "standalone" CA in their domain already...but I need a Wildcard Cert for some applications I'm installing in IIS.
I'm used to setting up an "Enterprise" CA and issuing a Wildcard Cert that way, but I don't know if the "standalone" CA can do that. I attempted to have IIS request a cert and it didn't auto-populate the CA information...but I told
it to use CERTAUTHNAME\domaincontroller and it created one...but it doesn't appear to be working.
My question is...if I install the Enterprise Root CA on a DC in their environment, can it interfere with the already issued certs from the standalone CA?
I don't want to break something to move forward with my stuff.
Thanks a lot and any help is greatly appreciated!!!
Standalone CA can issue wildcard certificates. You just need to generate the certificate request manually (without using the IIS Mgmt console for that) by using an INF file and certreq. Then, you submit your request to a CA server. Look at this article:
http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
although, this article is intended for OpsMgr, certificate enrollment process is the same for all products, just skip OpsMgr-specific stuff. There are three sections related to Standalone CAs: request generation, submission and installation. In the INF file,
you specify your wildcard name in the Subject key.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new:
PowerShell FCIV tool. -
CSS 11501 redundancy using Ge port
Hi,
I have two CSS 11501, one in each location. I want to configure box-to-box redundancy between these two CSS 11501; I used the Ge port e9 and connected the SM fiber directly between these two switches. The link is not coming up. Need help and suggestions to overcome this.
Hi,
the SFP GBICs should probably be at least a 1000Base-LH (1310nm) which should cover approx 10Km on single mode fiber.
Hope this helps.
Fulvio -
Hi,
I have a few questions regarding the CSS and SSL certificates.
I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
I want to configure the CSS as active-active; is this supported using the SSL acceleration module? If it is, is it configured the same way as a standalone CSS? The documentation only mentions configurations using a single module and 2 modules in the same CSS.
And a clarification: does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated)? Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refers to this backend? (This might seem like a silly question but the documentation has me confused.)
Any help is much appreciated.
Thanks,
Niels
Niels,
there is currently an ASK THE EXPERT event.
Please join us if you have more questions.
Regarding the certificate, you could just use one.
Get 1 certificate for your VIP and upload it on both SSL module.
However, you might have to get 2, because certificate providers usually say it's one per physical device.
If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you could use a single certificate if this is allowed by the company that will give it to you.
Backend refers to server behind the CSS.
Like a firewall defines inside and outside interfaces, the CSS define the frontend and the backend.
The frontend is the client side and the backend the server side.
When you say active/active, what do you want to achieve exactly ?
You can indeed have 2 Vip and one is active on CSS1 while the other is active on CSS2.
However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
Regards,
Gilles. -
How to reset password on Cisco CSS 11501?
Hi,
I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
Can anyone shed some light on this problem and explain how I can reset the password for a SuperUser?
Thanks in advance,
Shai
Hi Shai,
You need to reboot the CSS. When prompted, hit any key to go into the Offline Diagnostic Menu.
When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
Regards
Pete Knoops
Cisco Systems -
Edge 2013 External Wildcard Certificate
Hi,
I know this has been covered a number of times but I'd like something that's been posted more recently.
We use Lync 2013 with a wildcard certificate on our edge external interface. Everything works as expected and that's on version 5.0.8308.556
I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners. They're running 5.0.8308.577
When testing from Lync connectivity tester I get the following:
Attempting to resolve the host name blah.co.uk in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 758 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
Elapsed Time: 0 ms.
Testing remote connectivity for user [email protected] to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Additional Details
Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
Error Type: TlsFailureException.
Elapsed Time: 1649 ms.
Any help would be much appreciated!
Thanks
Hi,
Wildcard certificates are not supported for the Edge server (both external and internal interface). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification authority.
More details about certificate requirements for external user access:
http://technet.microsoft.com/en-us/library/gg398920.aspx
You can refer to the link below of “Wildcard Certificate Support”:
http://technet.microsoft.com/en-us/library/hh202161.aspx
Here is a similar case that may help you:
http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
Best Regards,
Eason Huang
TechNet Community Support -
I can't generate a CSR for a wildcard certificate
I recently received a new Mac Mini OS X Server with the Server 2.2.1 app loaded.
I cannot figure out how to create a CSR for a wildcard certificate.
The wizard will not accept * in the input field.
Can someone point me to the hard way of doing this?
I need to secure every channel on the server with a wildcard SSL certificate.
Thanks...
Hi Gordon,
You can use the command line to generate your wildcard CSR.
1. Launch /Applications/Utilities/Terminal.app
2. At the prompt, type the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
Common Name: The fully-qualified domain name, or URL, you're securing.
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
See http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2x?pc_split_value=3 -
Wildcard certificates supported by ACE
We are considering the use of wildcard certificates for our environment. Is this supported by the ACE when using SSL offloading ?
regards,
Sebastian
Be aware that certain mobile devices do not support them; I believe Windows Mobile 5.0 is one of them.
-
Wildcard certificate in Outlook Anywhere
I tried to fix a bit our Outlook Anywhere and set the certificate for my EXPR provider to "msstd:*.domain.com" (I use a *.domain.com certificate for Exchange). But all Outlook clients after restart show the error: "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook is unable to connect to the proxy server. (Error Code 0)".
I set the EXPR provider to "msstd:owa.domain.com" (my Exchange server address) and all works fine now.
Why could I not switch the certificate to wildcard?
Hi,
If you have done the following changes:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
Please follow Ed’s suggestion to make sure the Wildcard certificate assigned with IIS service. We can run the following command to get more information about your certificates:
Get-ExchangeCertificate | Select CertificateDomains,Services,Status
If the Wildcard certificate is not assigned with IIS service, please
use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
http://support.microsoft.com/kb/923575
Thanks,
Winnie Liang
TechNet Community Support