CSS 11501 using wildcard certificates

Hello,
I'm about to switch to wildcard certificates in a CSS 11501, however there are some doubts that I would like to clarify:
- When generating the CSR can i use *.mycompany.com for CN ?
- Should the CSR be generated only once or every time i need to create a new content rule i need to generate it?
     - If only once can I associate multiple filenames with only one certificate?
          ssl associate cert myrsacert1 certificate.pem; ssl associate cert myrsacert2 certificate.pem...
Thanks for your help,
Best regards,
Claudio

Hello Claudio,
- When generating the CSR can i use *.mycompany.com for CN?
Yes that will take care of any subdomain you need... something that you need to consider is that this wilcard will cover site like cars.mycompany.com or shop.mycompany.com but if you have a site that looks like ftp.shop.mycompany.com then you'll need a wildcard that looks like *.*.mycompany.com.
The CSR is generated only once and from there you send it to your CA to have signed off.
Not sure I fully understood your second question, once you received the cert and key whether in PFX or PEM format from your CA, you'll upload these to your CSS using FTP and then associate the file(s) to a name that is only meaningful to the SSL proxy list within your CSS.
HTH
Pablo

Similar Messages

  • Using wildcard certificate

    hi, I have a wildcard certificate, *.contoso.com, with no SAN description. I use this certificate for all web server. It's possibile to use this certificate for connect mobile users to lync 2013?
    Thanks
    Bruno
    Bruno Ausiello

    Hi,
    Wildcard entries are supported for the Simple URLs (meet, dialin, etc) but you cannot use them for anything else including the external web services FQDNs. So the wildcard certificate can reduce the cost of certificates placed on reverse proxy servers to
    publish the various external Simple URLs, but still you need a SAN certificate to publish other SANs such as external web services FQDN.
    More details:
    https://technet.microsoft.com/en-us/library/jj205381.aspx
    Best Regards,
    Eason Huang
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Eason Huang
    TechNet Community Support

  • CSS 11501 - wildcard certificate with subject alternative names

    Hi,
    I generated a wildcard certificate for my company type *. mycompany.com in a CSS 11501.
    For the site sub-domain1.mycompany.com worked fine, for the site sub-domain2.sub-domain1.mycompany.com didn't worked.
    I read on the web that should generate a wildcard certificate with subject alternative names. Is it possible in CSS? how can I do it?
    Thank you very much,
    Cláudio Soares

    Hi,
    The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
    so using a wildcard certificate would be no different than using a standard certificate.
    If using the CSS to generate the Certificate Signing Request, just enter the Common
    Name with the leading asterisk for the subdomain portion of the hostname. Example:
    Common Name (your domain name) [www.mycompany.com]*.domain.com
    The only difference in configuring SSL termination would be that you could
    reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
    subdomains resolve to without having to worry about pop-up warnings on client's browsers
    (example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
    wouldn't be any different.
    Regards,
    Siva

  • Renew certificate CSS 11501

    I have a CSS 11501 running 08.10.1.06.  Is there a way to renew the existing SSL certificate on the box or must I create a new one?  All the doc I've read basically treats renewing the same as creating a new cert.  Thanks for your help.

    Hi,
    In the world of SSL certificates the concept of renewing doesn't exist. You always need to create a new certificate and import it to replace the old one.
    To generate this new certificate, you can either use the old private key or create a new one. If you use a new one, then, make sure to also import it along with the new certificate.

  • Does the iphone support the use of a wildcard certificate?

    Does the iphone support the use of a wildcard certificate?
    Our exchange infrastructure utilises a wildcard (*.companyname certificate) from Godaddy.
    - Connects fine and authenticates
    - Can manually sync and pull emails
    - Can Send and Delete emails
    However server is not establishing the activesync connection and ping so mail can be pushed to the device.
    My guess is its a problem with the wildcard certificate that is used, WM5.0 devices didnt work with it, does anyone one know if the iPhone supports this?
    - I can get to OWA fine which uses the same wildcard cert.
    - WM6.0 devices push mail fine.
    Thanks.

    kfc01,
    The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
    Hope this helps,
    Nathan C.

  • Wildcard Certificate use in Sun Java System Messaging Server (IMAPs/POPs)

    I'm trying to use a wildcard certificate acquired from GlobalSign and am having problems getting
    it (properly) into the cert database.
    I tried using certutil, and that didn't seem to work at all, it would list without user cert status:
    rmorneau+root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu ,,
    I had some success using msgcert and pk12util, but after importing it in, then seeing that it did
    have user cert status, after a quick restart of Messaging (IMAP/POP), SSL quit for IMAP and kicked all
    my IMAPs users out temporarily (until I put the original cert8.db and key3.db back).
    -------- ImapProxy_20101115.log----
    20101115 135531 ImapProxyAService.cfg (id 2590) SSL negotiation failed for IP XXX.XXX.X.XXX: Cannot connect: SSL is disabled. (-12268)
    pop.xxxxxxxxx.edu u,u,u
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu u,u,u
    I truly appreciate any help on this matter.
    -Bob

    2. Does the certificate nickname in NSS match the configured certificate nickname in the product?I'm not sure, but I'll try that the next time I try this... will probably be late at night were I won't be interrupting IMAPs and POPs
    Makes sense. Prior to release 7 update 4, the servers have to be shut down before modifying certificate databases. As of 7 update 4 you can do a one-time migration to the cert9.db/key4.db format that >should allow certificates to be updated without taking the servers offline.
    This was in the log just before the other log entry that I showed before.
    20101115 135440 ImapProxyAService.cfg ASockSSL_Init: couldn't find cert imap.xxxxxxxxx.edu (-8174)
    This is the key line from the log. The server is looking for a certificate with the NSS certificate nickname of 'imap.xxxxxxxxx.edu' and is not finding that certificate so issue 2 is likely the problem.Yes, this was it. Oversite on my part, forgot they had to match and could not be a form of just domainname.edu or *domainname.edu.
    You either need to modify the default:SSLCertNicknames setting to match the nickname of the new certificate, or install the new certificate using the existing certificate nickname of 'imap.xxxxxxxxx.edu'I modified the default:SSLCertNicknames setting.
    Thank you CNewman very much for all your help.
    And, for those trolling for an answer with more detail via an Internet search (that is, if Oracle doesn't screw up these forums for anon searches)::::
    With the private key in hand (not password protected), I used 'openssl' to get it into a pkcs12 type file:
    (It is best to do this as root and not as sudo root as you might run into problems if your host
    does not have root power to write to your home dir on the/a NFS share.... you will get "unable to write 'random state'".)
    root@mmp1:/var/opt/SUNWmsgsr/config/GlobalSign-certs-new# /usr/sfw/bin/openssl pkcs12 -export \
    -in ket-wildcard-cert.pem -inkey private.key -out cert.pkcs12 -name xxxxxxxxx.edu
    Enter Export Password:
    Verifying - Enter Export Password:
    Where "private.key" is the key file, and "ket-wildcard-cert.pem" is the (pem format) cert from our cert provider,
    and cert.pkcs12 is our cert file that will be imported into the database, and xxxxxxxxx.edu is whatever you (nick)name your cert
    in the database
    (I think you could use a password protected private key if you have that password.. I don't.)
    Next, I used 'msgcert' to import the pkcs12 cert file into the database (I'm sure there is a way
    to use certutil or even pk12util to do the same, but I'm on Sun Messenger 6.3 at this time, so that's what I used.
    If someone would like to elaborate for those....?):
    (It is best, when using 'msgcert', to do it where your mailsrv user has some privs.. I took my pkcs12 cert and moved into /tmp.)
    root@mmp1:/tmp# /opt/SUNWmsgsr/sbin/msgcert import-cert cert.pkcs12
    Enter the PKCS#12 file password: (blank)
    Enter the certificate database password: (token password in sslpassword.conf)
    Make sure your (wildcard) cert nickname matches what you have in
    ImapProxyAService.cfg and PopProxyAService.cfg at the "default:SSLCertNicknames" field.
    Edit if need be.
    root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    xxxxxxxxx.edu u,u,u
    root@mmp1:/var/opt/SUNWmsgsr/config# grep default:SSLCertNicknames *AService.cfg
    ImapProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    PopProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    Then, of course, restart the msg service(s).
    /opt/SUNWmsgsr/sbin/stop-msg
    /opt/SUNWmsgsr/sbin/start-msg
    Edited by: 810750 on Nov 18, 2010 8:08 AM
    Edited by: 810750 on Nov 18, 2010 8:11 AM

  • Using same Wildcard certificate on multiple SAP systems with same domain name.

    Hello All,
    Need urgent help.
    I have a WILDCARD SSL certificate in pfx format. I also have individual root certificate , primary certificate in text form.
    The certificate mentioned above is already active in one of our portal.
    We want the same certificate on ECC Production.
    What are the steps to import this certificate in STRUST?
    I believe no certificate response needs to be imported.
    I have a certificate response provided by Verisign. But STRUST says- cannot import certificate response'
    Please help.

    Hi,
    This is what i did for installing wildcard certificates:
    On the OS of the sap server, log in with the sapadm account.
    Open a command prompt:
    make a backup of your sec directory in drive:\usr\sap\<SID>DVEBMGS00\  (just to be sure)
    cd to drive:\usr\sap\<SID>DVEBMGS00\exe
    >sapgenpse.exe import_p12 =p SAPSSLS.PSE location\to\the\certfile.pfx
    It will ask you for the pin, and to overwrite the file, answer yes.
    Now copy the new SAPSSLS.PSE to a desktop that has sapgui
    Login with the sapgui and run transaction strust
    Select import from the PSE menu and open the SAPSSLS.PSE
    Then again goto PSE menu  and select Save As
    I saved it twice, once in System PSE  and then again in SSL Server
    For me SSL is now working without problems on a couple of servers.
    -small update-
    You can check internal servers using the certificate utility from digicert https://www.digicert.com/util/
    It has the option to specify port numbers, usefull for internal web services.
    Regards,
    Rolf

  • W2k8R2 - Enterprise CA - Need WildCard Certificate for Internal Use

    Hi guys,
    A new client of mine has a "standalone" CA in their domain already...but I need a Wildcard Cert for some applications I'm installing in IIS.
    I'm used to setting up an "Enterprise" CA and issuing a Wildcard Cert that way, but I don't know if the "standalone" CA can do that.  I attempted to have IIS request a cert and it didn't auto-populate the CA information...but I told
    it to use CERTAUTHNAME\domaincontroller and it created one...but it doesn't appear to be working.
    My question is...if I install the Enterprise Root CA on a DC in their environment, can it interfere with the already issued certs from the standalone CA?
    I don't want to break something to move forward with my stuff.
    Thanks a lot and any help is greatly appreciated!!!

    Standalone CA can issue wildcard certificates. You just need to generate certificate request manually (without using IIS Mgmt console for that) by using INF file and certreq. Then, you submit your request to a CA server. Look at this article:
    http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
    although, this article is intended for OpsMgr, certificate enrollment process is the same for all products, just skip OpsMgr-specific stuff. There are three sections related to Standalone CAs: request generation, submission and installation. In the INF file,
    you specify your wildcard name in the Subject key.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.

  • CSS 11501 redundacny using Ge port

    Hi,
    I have two CSS 11501 one in each location I want to configure Box-box redundancy between these two CSS15001, I used the Ge port e9 and connected the SM fiber directly between these two switches. The link is not comming up. Need help and suggestion to over come this.

    Hi,
    the SFP GBICs should probably be at least a 1000Base-LH (1310nm) witch shold cover approx 10Km on single mode fiber.
    Hope this helps.
    Fulvio

  • CSS 11501 and SSL

    Hi,
    I have a few questions regarding the CSS and SSL certificates.
    I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
    I want to configure the CSS as active - active, is this supported using the SSL accelleration module? If it is, is it configured the same way as a standalone CSS. The documentation only mentions configurations using single module and 2 modules in the same CSS.
    And a clarificacion: Does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated). Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refer to this backend? (This might seem like a silly question but the documentation has me confused)
    Any help is much appreciated.
    Thanks,
    Niels

    Niels,
    there is currently an ASK THE EXPERT event.
    Please join us if you have more questions.
    Regarding the certificate, you could just use one.
    Get 1 certificate for your VIP and upload it on both SSL module.
    However, you might have to get 2, because certificate providers usually say it's one per physical device.
    If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you coul use a single certificate if this is allowed by the company that will give it to you.
    Backend refers to server behind the CSS.
    Like a firewall defines inside and outside interfaces, the CSS define the frontend and the backend.
    The frontend is the client side and the backend the server side.
    When you say active/active, what do you want to achieve exactly ?
    You can indeed have 2 Vip and one is active on CSS1 while the other is active on CSS2.
    However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
    Regards,
    Gilles.

  • How to reset password on Cisco CSS 11501?

    Hi,
    I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
    Can anyone shade some light on this problem and explain how can I reset the password for a SuperUser?
    Thanks in Advance,
    Shai

    Hi Shai,
    You need to reboot the CSS. When prompt, hit any key to go into the Offline Diagnostic Menu.
    When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
    Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
    Regards
    Pete Knoops
    Cisco Systems

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
    When testing from Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
     <label for="testSelectWizard_ctl12_ctl06_ctl03_tmmArrow">Tell
    me more about this issue and how to resolve it</label>
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificate doesn’t support for Edge server (both external and internal interface). It is supported to use a public certificate for Edge external interface, for Edge internal interface typically use a private certificate issued by an internal certification
    authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case my help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • I can't generated a CSR for a wildcard certificate

    I recently received a new Mac Mini OS X Server with the Server 2.2.1 app loaded.
    I cannot figure out how to create a CSR for a wildcard certificate.
    The wizard will not accept * in the input field.
    Can someone point me to the hard way of doing this?
    I need to secure every channel on the server with a wildcard SSL certificate.
    Thanks...

    Hi Gordon,
    You can use the command line to generate your wildcard CRS.
    1. Launch /Applications/Utilities/Terminal.app
    2. At the prompt, type the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
    Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
    Common Name: The fully-qualified domain name, or URL, you're securing.
    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
    See http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-re quest-csr-apache-2x?pc_split_value=3

  • Wildcard certificates supported by ACE

    We are considering the use of wildcard certificates for our environment. Is this supported by the ACE when using SSL offloading ?
    regards,
    Sebastian

    be aware that certain mobile device do not support them I believe windows mobile 5.0 is one of them.

  • Wildcard certificate in Outlook Anywhere

    I tried to fix a bit our Outlook Anywhere and set certificate for my EXPR provider to "msstd:*.domain.com" (I use *.domain.com certificate for exchange). But all Outlook clients after restart show error: "There
    is a problem with the proxy server's security certicate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook
    is unable to connect to the proxy server. (Error Code 0)".
    I set EXPR provider to "msstd:owa.domain.com" (my exchange server address) and all works fine now.
    Why I could not switch certificate to wildcard?

    Hi,
    If you have done the following changes:
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
    Please follow Ed’s suggestion to make sure the Wildcard certificate assigned with IIS service. We can run the following command to get more information about your certificates:
    Get-ExchangeCertificate | Select CertificateDomains,Services,Status
    If the Wildcard certificate is not assigned with IIS service, please
    use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
    http://support.microsoft.com/kb/923575
    Thanks,
    Winnie Liang
    TechNet Community Support

Maybe you are looking for

  • Unable to View PDF in Browser from a Servlet.

    Hi, I am facing a problem while trying to dynamically generate PDF from a Servlet and display it in the browser(IE 6.0 sp2) The scenario is as follows: i have a link which on clicking (using javascript) moves to a Servlet(say Dispatcher Servlet).This

  • Frame hangs when creating PDF

    I'm running Frame 8, unstructured, on Vista. Also running Distiller 8. I have a book file and was creating individual PDFs of the chapters doing Save As PDF on each chapter. After three weeks of doing this Frame starts to hang when creating the PDFs.

  • DNG and MESZ timestamp / sony A100 RAW conversion

    Hello, i have a question regarding the timestamp within the EXIF metadata after the RAW to DNG conversion for my A100 pictures. Today I have seen that the timestamp betwen the RAW original file and the converted DNG file differs about 3 hours. I can'

  • Nls_language

    Hi friends I was install the oracle database 10g in win2000 server. By default, the nls_language configurarion is AMERICAN. I change this parameter throught database control (c:\oracle\product\10.2.0\db_1\bin\spfileorcl10g.ora) to BRAZILIAN PORTUGUES

  • I am unable to open mail link (yahoo, gmail, and aol), and links that require a login will not open, it just continues to show "connecting" while on each home page.

    I can open web pages and click on links that don't require a login, but if I am trying to open a login for email or anything else "connecting" shows up in the tab and runs constantly with no connection taking place.