CSS 11501 - wildcard certificate with subject alternative names

Similar Messages

• Certificate signing request with subject alternative names?

  Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
  Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.

  I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't
  contain string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
  class Program {
  static void Main(string[] args) {
  String RequestString = "Base64-encoded request");
  CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
  request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
  Console.WriteLine("Subject: {0}", request.Subject.Name);
  foreach (IX509Extension ext in request.X509Extensions) {
  if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
  CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
  string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
  extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
  foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
  switch (alternativeName.Type) {
  case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
  IX500DistinguishedName DN = new CX500DistinguishedName();
  DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
  Console.WriteLine("SAN: {0}", DN.Name);
  break;
  default:
  Console.WriteLine("SAN: {0}", alternativeName.strValue);
  break;
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Used a Subject Alternative Names certificate with an ESA IronPort C170

  Hi all,
  Is  someone know if it is possible to use a "Subject Alternative Names" Certificate (SAN / UCC SSL) for an Email Security Appliance C170.
  Is it possible to do this, with an IronPort ?
  Thank you very much, for your reply.
  Regards,
  David

  Hello RYAN,
  Thank you for your reply, It is a very good new for us.
  Have a nice day!
  David

• Nodemanager configuration with SSL and Subject Alternative Names.

  We want to configure serveral nodemanagers in serveral machines using SSL. Is possible to use only one certificate with one CN and several subject alternative names (one per machine)?
  We cannot configure the nodemanager, we always get an SSLHandShake exception.
  Thanks.

  Hi,
  Hope you found out resolution to your issue. 
  incase you havent , presuming the CN used in your certificate is not the host name and all the host servers can resolved/ identify that CN. Dont see major problem in the way you explained.
  However handshake exception only points at certain specific case
  - where the certs are not imported into keystores ( client or server side) or
  - certs mismatching at clent & server
  - too many certs with the same CN in the same keystore or CN resolving to more than 1 cert ( if its possible).
  Let me know if you need help in reolving this and also paste the error trace of 'handshake' exception you see.
  Sri

• What versions of Weblogic currently have Subject Alternative Name support?

  I would like to visit a comment I saw in an old forum thread from 2010
  Certificate hostname verification error with 10.3
  that "WebLogic currently does not support the Subject Alternative Name field." Can someone please let me know what versions of Weblogic currently have Subject Alternative Name support? We are currently on 10.3. Is there anything near that version that has support, or a patch available for it?
  Regards,
  John

  The KM number is the article number on the support site. Logon to Oracle support and paste the number into the knowledge search and you will get your answer. The article is called "How to Develop Custom Hostname Verifier for Subject Alternative Name (SAN) Certificates" and applies to WLS 10.3.3 and later.

• Error: Subject alternative name did not match site name (JavaME)

  When I try and connect to my RESTFul Web Service using SSL I get this exception:
  "Subject alternative name did not match site name".
  I did Google searches and as far as I can tell my 'Subject' matches my 'site name'. I know this because when I connect using my Browser (IE or Firefox) they say our SSL certificate is a-ok (no mismatches). Also, my Windows Mobile 5/6 REST application works fine under SSL. So, I am doubting it's a server side setting?
  Godaddy's root certificate is installed on the Java Emulator. If I disable the root cert I get a different error.
  I am using the QwertyDevice Emulator with 'identified_third_party' security. Wireless Toolkit 2.5.2 and NetBeans Mobility 6.0.1.
  My Web Server is IIS 6.0 that is hosting a WCF .NET 3.5 WebService using the webHttp binding (for those who don't know that's makes it a RESTFul Web Service).
  IIS 6.0 Settings:
  -Web Service is under Default Web Site and in Default Application Pool.
  -'Require secure channel (SSL)' is selected as well as 'Require 128-bit encryption'.
  Here is my client Code:
  InputStream is = null;
  HttpConnection conn = null;
  try
  conn = (HttpConnection)Connector.open("https://ourwebserver.ourdomain.com/RESTServer/Service.svc/REST/getmyopentasks/", Connector.READ_WRITE);
  conn.setRequestProperty("Authorization", "Basic " +
  BasicAuth.encode(userName, password));
  conn.setRequestMethod(HttpConnection.GET.toString());
  conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  is = conn.openInputStream();
  catch (IOException ex)
  ex.printStackTrace();
  A few notes: We are using Basic HTTP Authentication, and "BasicAuth.encode" method is, a helper method, that I found code for out on the Internet. It works fine though.
  Because when I run this above code with SSL turned off, on the server, it works fine (authenticating and getting RESTFul XML back). I did try HttpsConnection as well. Did not work. Same SSL error.
  When this line is executed: "is = conn.openInputStream();" I get this exception: "Subject alternative name did not match site name". I have searched this forum and Google and can't figure this one out! Thanks!

  When I try and connect to my RESTFul Web Service using SSL I get this exception:
  "Subject alternative name did not match site name".
  I did Google searches and as far as I can tell my 'Subject' matches my 'site name'. I know this because when I connect using my Browser (IE or Firefox) they say our SSL certificate is a-ok (no mismatches). Also, my Windows Mobile 5/6 REST application works fine under SSL. So, I am doubting it's a server side setting?
  Godaddy's root certificate is installed on the Java Emulator. If I disable the root cert I get a different error.
  I am using the QwertyDevice Emulator with 'identified_third_party' security. Wireless Toolkit 2.5.2 and NetBeans Mobility 6.0.1.
  My Web Server is IIS 6.0 that is hosting a WCF .NET 3.5 WebService using the webHttp binding (for those who don't know that's makes it a RESTFul Web Service).
  IIS 6.0 Settings:
  -Web Service is under Default Web Site and in Default Application Pool.
  -'Require secure channel (SSL)' is selected as well as 'Require 128-bit encryption'.
  Here is my client Code:
  InputStream is = null;
  HttpConnection conn = null;
  try
  conn = (HttpConnection)Connector.open("https://ourwebserver.ourdomain.com/RESTServer/Service.svc/REST/getmyopentasks/", Connector.READ_WRITE);
  conn.setRequestProperty("Authorization", "Basic " +
  BasicAuth.encode(userName, password));
  conn.setRequestMethod(HttpConnection.GET.toString());
  conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  is = conn.openInputStream();
  catch (IOException ex)
  ex.printStackTrace();
  A few notes: We are using Basic HTTP Authentication, and "BasicAuth.encode" method is, a helper method, that I found code for out on the Internet. It works fine though.
  Because when I run this above code with SSL turned off, on the server, it works fine (authenticating and getting RESTFul XML back). I did try HttpsConnection as well. Did not work. Same SSL error.
  When this line is executed: "is = conn.openInputStream();" I get this exception: "Subject alternative name did not match site name". I have searched this forum and Google and can't figure this one out! Thanks!

• ACE and SSLM support Subject Alternative Name (SAN)

  Hi
  I want to  migrate Exchange server to Exchange 2010, I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
  1.   Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it.
  a.       exchange.ww.edu
  b.       legexchange.ww.edu.
  2)      Can the new ACE( ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
  a.       exchange.ww.edu
  b.       legexchange.ww.edu
  Thanks
  Nomi

  I dont see anything in the config guide where the ACE can generate certs with SANs. However, if you are going to generate the cert and keys offline, then it might work. Can you supply a sample pkcs12 file in PEM format that I can test in the lab ? Which s/w version ?
  Matthew

• CF10, CFHTTP and SSL subject alternative names

  I have an SSL certificate where the Common Name doesn't match the url, but the Subject Alternative Name does.  The Common Name is the actualMachineName.subnet.subnet.mynetwork.com and the SAN is www.prettyurl.com.  I understand older versions of CF don't support this, but the comments regarding Bug #3566218 say that CF10 does.  However, I am still getting connection failures telling me the name doesn't match.
  Can anyone confirm this should/shouldn't work in CF10?  I have imported all of the certs via the keytool and explored all of those issues.  The only remaining issue is that the url doesn't match the CN.
  TIA,
  Eric

  I received the message,"this site has sent an untrusted certificate", on my N95.  It would prompt me to continue or view certificate.   If I select Continue, everything worked fine.  It got annoying after a awhile.  I went thru 2 pages of google results and could not find the answer to fix my issue.  I gave up and then somehow figured it out on my own at the bar the next day.  
  The issue was that I had the incorrect date.  This was actually one of the first things I checked.  However I overlooked that the date format was ddmmyyyy.  I simply updated to mmddyyyy and fixed the date and the issue was resolved.
  Hope this helps.

• HT5012 Can I install two root certificates with the same name in iPad?

  Can I install two root certificates with the same name in iPad?

  Antaeus00 wrote:
  I tried sending a request for help,
  But did you succeeed in sending a request for help?
  Did you receive a response? How long has it been since you sent a request?
  but I need someone with more authority to talk to.
  There is no one with more authority than iTunes store support. We herem are only users.

• CSS 11501 Load Balancing with X-forwarded-for

  Hi,
  We have a pair of CSS 11501,
  Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
  However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E  based on its source IP ( REAL CLIENT IP) .
  This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
  Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
  This way we are able to also send it back to the same server when it uses SSL.
  I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
  Regards

  Hi,
  Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
  One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
  In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
  Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
    content HTTP-HTTPS
      vip address 10.198.44.70
      advanced-balance sticky-srcip
      add service server1
      add service server2
      add service server3
      add service server4
      add service server5
      protocol tcp
      active
  Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
  Thanks,
  Rodrigo

• Migration: Ex 2007 to Ex 2013 and co-exist scenario: Subject Alternative Name certificate

  We are planning the migration of Exchange 2007 to Exchange 2013. In our Existing SAN certificate for Exchange services (OWA,ActiveSync), we have a URL that we included that we no longer have a service for or anything associated with it. For
  example: mail.contoso.com.
  Can we use this URL in the new Exchange 2013 certificate (3rd Party) we request/obtain as opposed to putting an entry for legacy.contoso.com? Or will we get errors?
  Thanks for your answers!

  Hello,
  No problem. For example, currently, you have two records in SAN, the last one is not in use.
  {a.domian.com, b.domain.com}
  You can:
  a.domain.com -> Exchange 2007
  b.domain.com -> Exchange 2013
  BTW, you must have autodiscover.domain.com point it to Exchange 2013.
  Thanks,
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Simon Wu
  TechNet Community Support

• CSS properties are prefixed with style sheet name

  I have two sites both created with the default templates in dreamweaver. The properties of the CSS file both looked different as shown.
  What is the difference and how to I clean up the one that is prefixed?

  There is nothing to clean up. .something are classes, #something are IDs. They don#rt mutually exclude one another but can coexist. If defined in a specific stylesheet and order, they provide contextual rules, e.g. if a class rule appears inside a specific elemnet with an ID. Nothing wrong. Read up on CSS!
  Mylenium

• ISE Guest portal digital public certificate with dual deployment

  I have a deployment of ISe which has a primary and secondary node.  We are using ISE for Guest web access and it's Guest portal functionality.
  I have installed a public VeriSign certificate onto the primary node so that guest users don't certificate errors when they get redirected to the guest portal.
  We have a DNS server with an entty for the guest portal URL e.g. guest.company.com with the IP adresses of both ISE servers.
  When users are loggin onto the guest wireless it is pot luck whether or not they get the primary ISE node because of the DNS round robin of the ISE IP addresses.
  Is there anyway to make the secondary ISE node use the Verisign certificate as well or do I need to buy another certificate which is linked to the secondary ISE nodes FQDN?
  (the certificate I have currently has a CN of the FQDN of the primary ISE server with subject alternative names of the secondary ISE node and the guest web redirect URL).
  Any help would very much be appreciated.
  thanks
  Craig

  Hi Craig,
  Please check the below link with a similar prob,  might help.
  https://supportforums.cisco.com/thread/2161878

• IIS Create a Certificate with Server Name

  Dears,
  I have IIS 2012 , I want to create Non Self-signed certificate with Server FQDN Name and NetBIOS name from my Local CA.
  I have tried to create Domain Certificate from IIS (IIS Console > Open Server Certificates > Create Domain Certificate) unfortunately this certificate does not include the FQDN Server name nor NetBIOS Name.
  Thank you

  Please follow the below url  that provides details of
  Request a Certificate
  Create a Custom Certificate Request
  Save a Certificate Request in a File
  Sign Certificate Requests
  Obtain a Certificate
  http://technet.microsoft.com/en-in/library/cc754490.aspx
  For more graphical view ....http://www.petenetlive.com/KB/Article/0000840.htm
  Exchange Queries

• Ramifications of assigning a wildcard certificate to the SMTP service (needed for Exchange 2010 Hybrid Configuration - Office 365)

  Hello All:
  I am receiving an error when I run the Manage Hybrid Configuration wizard - ERROR:Updating hybrid configuration failed with error 'Subtask NeedsConfiguration execution failed: Configure Recipient Settings. I have opened a SR, but figured I'd try the forums,
  too. I have a wildcard certificate from GoDaddy (MS says they support wildcards from GoDaddy) & that cert has only the IIS service applied to it on the CAS. I've read in the Exchange Server Deployment Assistant that it should have the SMTP & IIS services
  assigned to it, but my question is - SMTP on the CAS (separate server) or on the Mailbox/Hub Transport (separate server)? And what are the ramifications of assigning the SMTP service to, let's say, the CAS? We have had multiple issues every time the servers
  get updated/changed; I do not want to disrupt services further, as the Manage Hybrid Configuration will be done during business hours.
  If anyone can provide any assistance/clarification, it would be most appreciated.
  Thank you.

  Hi,
  We can enable a Wildcard certificate with SMTP service for Exchange Hybird Deployment. The SMTP service can be assigned to multiple certificates. For some Exchange services such as OWA, Ecp, ActiveSync, Autodiscover service, OOF, it is used with Exchange
  certificate with IIS service. And there is usually only one certificate can be assigned with IIS service.
  Please just make sure your Wildcard certificate can contain all namespaces which are used for all internal URL and External URL configuration in Exchange services. About how to import an existing wildcard certificate on the Exchange 2010 Hybird servers,
  please refer to the Import & Enable Third Party Certificate on Hybrid Servers
  part in the following article:
  http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-hybrid-deployment-migrating-to-office-365-exchange-online-part9.html
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please
  make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Regards,
  Winnie Liang
  TechNet Community Support