CSS SSL Certificate Upgrade

Similar Messages

• How many CSS SSL certificates needed?

  From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.

  A quick (I hope) follow-up question on this...
  Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:
  ssl associate rsakey prodkey prodkey.pem
  ssl associate cert prodcert prodcert.pem
  ssl associate dhparam proddh proddh.pem
  ssl associate rsakey intkey intkey.pem
  ssl associate cert intcert intcert.pem
  ssl associate dhparam intdh intdh.pem

• CSS - SSL Certificates

  We have two 11503's each with an SSL module, in a redundant VIP configuration. Can we load the same certificate on both CSS's? Or must we obtain a separate certificate?
  Thanks!

  you can use the same certificate in both CSS.
  Gilles.

• Upgrade SSL Certificate for Exchange Server

  Hi Folks,
  I need to upgrade the SSL certificate on my Exchange Server, so he can negotiate encryption and authorization to an upstream SMTP Smart Host.  This means that the certificate I need is not necessarily a server certificate, because in this scenario Exchange
  Server is acting as a client to the upstream SMTP Smart Host.  I have openssl at my disposal, so making the certificate in not a problem but installing it in the correct location and testing that I've done what I think I've done is.
  Thanks for the help,
  Chris.
  Thanks for the help,
  Chris.

  Hi,
  Please just make sure the primary certificate in your Exchange server with
  SMTP service is valid, trusted by your SMTP smart host.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Installing an SSL certificate for a CSS 11503

  I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
  I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

  Allen,
  The portion of the configuration guide related to SSL certificates and keys can be found here:
  http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
  To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
  ~Zach

• SSL Certificate Export Password

  Hi ,
  I am trying to export certificate and Key from CSS, Unforunately i do not have password from them.
  Is their anyway to recover password or can i export keys and certificate without password.
  Thanks in Advance
  Aniruddha

  I think the only way to export the key is to use the password issues when importing the key. The SSL Certificate and Key are stored in DES encryption. There is no way to get the key without the password for the certificate and key except to break DES or guess the password.

• A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

  We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
  Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

  cookies.squite answer is Today at 5:15 PM .
  New profile, same problem.
  We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
  Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
  (3) different virus scanners, no hard core problems.
  Suspect how I have something in Windows setup that no one else is using?

• CF7 and JDK 1.4.2 - EV SSL Certificate Issue

  Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
  EV Certificate issued by DigiCert (4096-bit).
  Customer is on CF7 and JDK 1.4.2.
  When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
  Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
  Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
  I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
  - Dave

  Dave,
  I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
  I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
  so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
  to either CF 8 or CF 9 to get the issue quickly resolved.
  I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
  if I do find a solution, I'll definitely post it there for you.
  Cheers

• Wildcard SSL certificates

  Hi, I was wondering if someone got CSS1150X with SSL accelerator working with wildcard SSL certificate. We have 10+ sites we would like to enable SSL and figured wildcard certificates are way to go based on the cost. Specially, since most of the wildcard certificates comes with limitation of being able to install it on only one physical machine. I assume CSS would be considered one physical machine if SSL traffic is terminated on the CSS, however, wanted to find out whether wildcard SSL certificate is supported on CSS. We are using CSS11503 and depending on whether it supports wildcard certificate, we are planning on purchasing SSL accelerator.

  Thanks for the information, Gilles. Looking at the pricing structure of SSL certificates, I wonder why wildcard certs aren't widely used as one would expect based on the cost. Well, I guess I will find out when I implement one. Thanks again.

• SSL certificate migration.

  Hi all,
  I had to upgrade my production server from 4.1 to 6.0sp4. The server was also different as we can't afford any big down-time. I couldn't find any iWS related proper documentation for SSL certificate migration between different servers, so I did a hack and copied the cert7.db and key3 db manually and renamed it as expected...
  I was never sure if I was doing right.... BUT IT WORKED :-)
  Now after setting up live server for a months, I am getting complains about certificate errors and/or warnings from various customers. In all cases there is a problem coz of 'ancient' browsers (like lesser than IE5 or NS4.7). Any mordern browser is working perfectly (including my favorite Opera). And customers are happy again coz site is working fine after browser upgrade. But my concern is:
  HAVE I DONE ANYTHING WRONG IN SSL MIGRATION OR ITZ JUST iWS 6.0's PROBLEM?
  Any info / suggestion will be highly appreciated.
  Thanx.

  There isn't enough information for me to be certain, but I suspect the errors are unrelated to anything on the server side. The most likely explanation is that the ancient browsers have an expired root CA cert for the CA that signed your certificate. Upgrading either the browser or the browser's root CA certs would address the problem.
  Copying the trust database files from iWS 4.1 to iWS 6.0 is safe.

• SSL Certificate button

  Hi
  I have just upgraded to Lion and then installed Lion Server. I am stuck on quite a few things buton of them is that the "Edit" button to the right of the SSL Certificate option in the Server Settings pane is greyed out. I would like to create a self-sgned certificate (this is just for home use so don't need anything else) but I can't as this button is inactive. Any ideas please?
  Many thanks,
  Matt

  ...I love posting a question just before I come across the answer...
  Apparently my httpd.conf had some issues. I restored it to the default by entering the following in a terminal window:
  cd /etc/apache2
  sudo mv httpd.conf.default httpd.conf
  sudo apachectl graceful
  The edit box is now active on my iMac. Now I just hope I didn't blow anything away I needed that I forgot about when I was last in the httpd.conf file (-;

• WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES

  Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have SHA-1 SSL certificate from GoDaddy.
  They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
  Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.

  Hi, I do not know, but I doubt it.
  Here's the 10.4 Server forum if you want to ask over there...
  Mac OS X Server v10.4 and earlier

• UNIFIED MANAGER ALERT : on EXPIRING SSL certificates in clustered Data ONTAP systems

  The default ssl certificates on clustered Data ONTAP systems are valid for 1 year.
  Since we have cDOT clusters monitored via Oncommand Unified Manager 6.2, we would like Unified Manager to alert on expiring Certificates.
  Is this possible in OCUM 6.2?
  Thanks

  Thanks Saravanan, Initially i had it on RHEL 6.6, and i see some of the existing packages were of a older version and created some issues while rrdtool and sql installation. but i managed to do the installation and faced the same issue. I Didnt know that this is a user account issue not a package dependency issue.and thats the reason i got my server upgraded to RHEL 7.1 and the installation went fine but the same issue. But its working for now, thanks again :-)

• CSS 11500 Certificate Signing Request (CSR)

  Would any of you know if and how to configure / general a wildcard or multi-domain SSL certificate on a CSS 11500 appliance? The "SSL gencsr ..." command doesn't seem to allow me to add more than one domain name during the information gathering.
  Any help or input would be greatly appreciated.
  Thanks,

  WildCard certs are supported on CSS.
  The only thing that makes it a CSR for a wildcard certificate would be that the common name would be something like "*.yourdomain.com".
  Since a wildcard certificate represents multiple domains, it can be re-used on the
  multiple https content rules of different IPs.
  The CSR procedure for a wildcard certificate on the CSS is not different than the CSR
  procedure for a regular certificate (You just need to put something like "*.yourdomain.com" in front of common name):
  CSS11506(config)# ssl gencsr app1key
  Country Name (2 letter code) [US]US
  State or Province (full name) [SomeState]CA
  Locality Name (city) [SomeCity]San Jose
  Organization Name (company name) [Acme Inc]Yourdomain Inc.
  Organizational Unit Name (section) [Web Administration]SSL Admin
  Common Name (your domain name) [www.acme.com]*.yourdomain.com
  Syed

• SHA-2 SSL certificates supported on Server v10.5?

  Am upgrading Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) to Server 10.5  and currently have SHA-1 SSL certificate from GoDaddy.
  They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
  Is Mac OS Server 10.5 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.
  Mac mini, Mac OS X Server (10.4.11, upgrading to 10.5.x), Power PC 1.42GHz

  Hi, I do not know, but I doubt it.
  Here's the 10.4 Server forum if you want to ask over there...
  Mac OS X Server v10.4 and earlier