Error installation 3rd party certificate on wlc for webauth

Hi,
I would like to install a web auth certificate on a 5508. Version 7.6.130
Every time I get an error on web gui or cli like:
(Cisco Controller) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.1.126.100
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /wlan/
TFTP Filename.................................... final.pem
TFTP Webauth cert transfer starting.
*TransferTask: Oct 07 14:33:08.162: RESULT_CODE:1
*TransferTask: Oct 07 14:33:12.165: Locking tftp semaphore, pHost=10.1.126.100 pFilename=/wlan/final.pem
*TransferTask: Oct 07 14:33:12.249: Semaphore locked, now unlocking, pHost=10.1.126.100 pFilename=/wlan/final.pem
*TransferTask: Oct 07 14:33:12.249: Semaphore successfully unlocked, pHost=10.1.126.100 pFilename=/wlan/final.pem
*TransferTask: Oct 07 14:33:12.250: TFTP: Binding to remote=10.1.126.100
*TransferTask: Oct 07 14:33:12.266: TFP End: 7959 bytes transferred (0 retransmitted packets)
*TransferTask: Oct 07 14:33:12.266: tftp rc=0, pHost=10.1.126.100 pFilename=/wlan/final.pem pLocalFilename=cert.p12
*TransferTask: Oct 07 14:33:12.266: RESULT_STRING: TFTP receive complete... Installing Certificate.
TFTP receive complete... Installing Certificate.
*TransferTask: Oct 07 14:33:12.266: RESULT_CODE:13
*TransferTask: Oct 07 14:33:16.269: Adding cert (7895 bytes) with certificate key password.
*TransferTask: Oct 07 14:33:16.309: RESULT_STRING: Error installing certificate.
*TransferTask: Oct 07 14:33:16.309: RESULT_CODE:12
Error installing certificate.
What's funny: when I install the same certificate on a 2106 (Version: 7.0.250.0), everything works!
Does anyone have an idea to solve this problem?
Regards
Juergen

Hello, please check these links out and see if they help:
https://supportforums.cisco.com/discussion/11376866/error-installing-certificate-help
https://supportforums.cisco.com/discussion/12294996/web-auth-certificate-download-failed-install-certificate
https://supportforums.cisco.com/blog/151061/generate-csr-third-party-cert-and-download-unchained-cert-wireless-lan-controller-wlc

Similar Messages

  • Error installing 3rd party certificate on wism

    Hi,
    Because the cert expired, we had to get a new wildcard cert.
    I made the pem from the 3rd-party CA (issuer=/C=BE/O=GlobalSign),
    following http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html,
    using openssl (0.9.8zc), and installed it on the wism (7.0.220.0).
    It always shows a failure.
    Old.pem is from the same CA; following http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html,
    making the pem and installing it worked fine, but it has just expired.
    The two certs from the CA are different:
    the old one is sha1WithRSAEncryption,
    the new one is sha256WithRSAEncryption.
    Does anyone have an idea how to install the new pem on the WLC?
    Thanks

    Hi,
    After upgrading to the newest 7.0.251,
    installing the pem was okay, and the reboot test was okay.
    Because I use Mobility Services Engine, I need to go back to 7.0.220.0.
    It shows as in the attachment: no Certificate desc...
    Trying with IE/Firefox, the cert shows as okay!!

  • WLC5760 - CSR request for 3rd party certificate

    I need to generate a CSR request to obtain a 3rd party certificate for my WLC.
    I am not sure how I can do that. All documents available are for the WLC 4400.
    Let me know if the same process will apply to the WLC5760 as well.

    Thanks Matteo,
    I managed to get it done, Yes I used OpenSSL to generate CSR.
    Here is what I have learnt about it, including WebAuth Cert installation on 5760. This may be useful to someone else.
    http://mrncciew.com/2014/07/30/5760-webauth-certificates/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Exchange Server 2010 Edge Transport Subscription Issue while moving Internal CA Certificate to 3rd Party Certificate

    My client has an Exchange 2010 Organization with Single Domain, Single Forest.
    They were using Internal CA Certificate and a TLS Cert.
    As a POC we are doing a POC for Exchange 2010 Hybrid Office 365 Environment.
    For this 3rd Party CA is Mandatory and they have bought a Geo Trust Certificate.
    Now when they have installed cert on both HUB as well as EDGE servers, he was prompted to do edge subscription again.
    HUB and CAS are combined on the server at both Main and DR Site.
    When they try to do edge subscription again they are getting the following error.
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.

    I was finding out the solution and got this.
    1-Certificate will import on both EDGE and HUB Servers.
    2-Edge Sync will use Self-Sign Certificate (but I am unable to find how I configure this)
    3-some communication between Edge and Hub will be encrypted via 3rd party Certificate.
    Could anyone suggest which services on HUB must be based on this 3rd party cert?
    All the external communication must be encrypted via 3rd party CA and communication between HUB-EDGE will be set on the self-sign cert. How do I do this?
    SYED WASIL UDDIN Infrastructure Consultant/System Engineer Premier Systems (Pvt.) Ltd.
    Hi,
    Please run Get-ExchangeCertificate | fl to check your Exchange certificate settings. Also confirm if the 5E470560626E313646730C177FCA66728E2BAFF7 certificate is your trusted 3rd party cert.
    Please use Enable-ExchangeCertificate cmdlet to assign SMTP service to your self-signed certificate in your Edge server.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Farm member not using 3rd party certificate

    I have a Microsoft server 2008 R2 RDS farm using a broker and NLB farm nodes.
    In the farm member node (not the broker), I open the “Remote Desktop Session Host Configuration” tool, I selected “member of farm RD Connection Broker”, and in the “general” tab under the “certificate” section I clicked “select” and picked the 3rd party certificate.
    This is a Farm member. When I use a rdp client to go to farmName.domain.com I get a pop up with a certificate error and it shows the certificate as serverName.domain.com and not the name in the “farm” certificate.
    How can I troubleshoot this issue.

    Hi,
    Initially it seems the certificate is not from a valid trusted authority, so please check the trusted authority. Apart from that, there is a mismatch between the certificate name and the server name.
    The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
    If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. 
    The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
    In addition, please check the article below for reference.
    Configuring Remote Desktop certificates
    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • 3rd party certificate on WiSM controllers

    Hi,
    On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
    The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
    So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
    We have an external DNS-record which resolves the company URL to 1.1.1.1.
    I see a possible solution, if the URL of the Internal (default) URL can be changed to https://guest.companyname.com/login.html because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
    The controllers run 7.0.230.0 software as well as the WLC.
    Hope someone has the simple answer to this???

    Putting 1.1.1.1 (VIP address) is a test to bypass the certificate.  It is pretty simple, if you have done it a hundred times.  But to start off from the basics, make sure that the user is being anchored to the guest wlc.  You should see an entry of the client on the guest anchor and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state.  If you don't, then I can see why the 3rd party certificate is not working.  So you should see the client on the foreign and the anchor wlc.  Make sure of this first.
    Did you not restart the anchors when you put in the FQDN in the VIP?
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"
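
The two name-mismatch warnings above (the guest portal reached as https://1.1.1.1/login.html with a certificate issued for guest.companyname.com, and the RDS farm reached as farmName.domain.com with a certificate naming serverName.domain.com) come from the same client-side check. The following is an added example, not code from any poster or vendor: a simplified model of that check, where `ip_sans` and all function names are hypothetical and the sample cases are constructed from the names used in the posts.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed cases: (what the client connects to, DNS names in the certificate).
CASES = [
    ("https://1.1.1.1/login.html", ["guest.companyname.com"]),
    ("https://guest.companyname.com/login.html", ["guest.companyname.com"]),
    ("farmName.domain.com:3389", ["serverName.domain.com"]),
    ("farmName.domain.com:3389", ["*.domain.com"]),
]

def dns_name_matches(pattern, host):
    """Compare one certificate DNS name with the host the client asked for.

    Case-insensitive; a wildcard is accepted only as the whole left-most
    label, covers exactly one label, and needs at least two labels after it
    (a conservative policy choice for this model).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def host_is_covered(target, dns_names, ip_sans=()):
    """True if the certificate names cover the host part of target.

    target may be a URL or a bare host[:port]. An IP literal is compared
    only with IP address entries (ip_sans), never with DNS names.
    """
    if "//" not in target:
        target = "//" + target
    host = urlsplit(target).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(name, host) for name in dns_names)
    return any(ipaddress.ip_address(entry) == addr for entry in ip_sans)

def report(cases):
    """Return (target, covered) for every case."""
    return [(target, host_is_covered(target, names)) for target, names in cases]

if __name__ == "__main__":
    for target, covered in report(CASES):
        print("%-45s %s" % (target, "ok" if covered else "name mismatch warning"))
```
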

  • PKI setup using 3rd party certificates

    I want to configure SCCM in our environment using our existing certificate creation infrastructure. I do not want to use Microsoft Certificate services. Instead I'd rather use our OpenSSL solution. However I cannot find good documentation to work with using 3rd party certificates. Everything is related around Microsoft's certificate services.
    Has anyone had any luck implementing SCCM in this manner? Documentation available to aid?

    So we are planning to setup https across the board and going through the blogs and TechNet article - I see that internal PKI is a requirement and you just cannot do away with 3rd party/external certificate, correct ??
    I am working on a scenario where the customer does not want to implement internal PKI but use external certificate either by GoDaddy or Thawte or VeriSign where possible at all times but looks like you can't use the external certificate to act as ConfigMgr Web Certificate or ConfigMgr DP Cert?
    given the following scenario
    https://social.technet.microsoft.com/Forums/en-US/ac34ebdf-c932-4075-b4a3-ebe572ffab0e/scenario-multi-tenant-configmgr-2012-r2-and-same-ip-address-range-for-multiple-customer?forum=configmanagerdeployment#868600a8-e8eb-471a-b767-761305636041
    for clients to communicate to DP's/Secondary Sites configured in HTTPS, we still need internal PKI ?
    I guess the answer is yes to all.. but just confirming :)

  • Cisco IOS CA using 3rd Party Certificate

    Hi,
    Can I use 3rd Party certificate such as verisign, on Cisco IOS CA ? All i can see on cisco.com is self-signed certificate from router.
    Thanks
    -santo-

    Santo,
    That's fair enough. A key piece of information is to make sure customers understand that a private PKI infrastructure is (for the purpose of deployment such as GETVPN) as secure as one provided by a third party.
    Private PKI is not based on self signed certificates - only the root CA might need something like it :-)
    That being said, for reliability and flexibility I really suggest storing CA (ser, CRL, OCSP, backup of public/private keys) files on storage external to the router.
    Key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd party services (and oftentimes an order of magnitude cheaper).
    M.

  • Error in 3rd party dropship for international customer

    Hi All,
    Presently we have a scenario in our rollout project for 3rd party drop ship.
    Sales organization/company code belongs to :- Japan
    Customer belongs to  :-  Indonesia
    Vendor belongs to  :-  Malaysia
    While saving the sales order with item category TAS material, we are getting the error "SPECIFY THE EXPORT DATA IN MATERIAL MASTER. LICENSE STATUS IS NOT OK"
    Please let me know how the error can be solved or any document available.
    Regards
    Phani

    In VA03,for the sales order, go to menu Extras->export control->log.
    Double click on the line that shows the red indicator. The system will display for which legal regulation the license is missing. You can find the legal regulation in the material master-> Foreign trade;export or import data tab-> by clicking legal control button.
    Use t.code VX01N/VX02N to maintain the license data for the customer/material. This will resolve the issue.
    Regards,

  • After upgrade 3rd party apps are looking for serials

    Not wanting to jeopardize my Mavericks install, I cloned my main HD and after checking that the cloned drive did boot, I installed Yosemite to it. Despite all my apps showing up in the application folder, some won't open and some are requesting I reinstall the serial numbers. I used Carbon Copy and asked it to clone all files. Are there hidden files it missed or is this requirement to reregister all the 3rd party apps. normal?

    Same problem here too!! Here's my Log:
    AppleFairplayTextCrypterSession::fairplayOpen() failed, error -42184
    Thu Jul 30 08:20:29 unknown SpringBoard[24] <Warning>: Failed to spawn Kingdoms. Unable to obtain a task name port right for pid 321: (os/kern) failure
    Thu Jul 30 08:20:29 unknown com.apple.launchd[1] <Notice>: (UIKitApplication:com.storm8.kingdomslive35[0x2a79]) Exited: Killed
    Thu Jul 30 08:20:29 unknown com.apple.launchd[1] <Warning>: (UIKitApplication:com.storm8.kingdomslive35[0x2a79]) Throttling respawn: Will start in 2147483647 seconds
    Thu Jul 30 08:20:29 unknown SpringBoard[24] <Warning>: Application 'Kingdoms' exited abnormally with signal 9: Killed
    Thu Jul 30 08:20:31 unknown kernel[0] <Debug>: AppleFairplayTextCrypterSession::fairplayOpen() failed, error -42184
    Thu Jul 30 08:20:31 unknown SpringBoard[24] <Warning>: Failed to spawn Authenticator. Unable to obtain a task name port right for pid 322: (os/kern) failure
    Thu Jul 30 08:20:31 unknown com.apple.launchd[1] <Notice>: (UIKitApplication:com.blizzard.Authenticator[0x8488]) Exited: Killed
    Thu Jul 30 08:20:31 unknown com.apple.launchd[1] <Warning>: (UIKitApplication:com.blizzard.Authenticator[0x8488]) Throttling respawn: Will start in 2147483647 seconds
    Thu Jul 30 08:20:31 unknown SpringBoard[24] <Warning>: Application 'Authenticator' exited abnormally with signal 9: Killed

  • Cannot enter 3rd-party certificate into SCUP 2011 on Server 2012

    Hello all,
    I am trying to deploy SCUP 2011 on Server 2012 with a SCCM 2012R2 primary site w/WSUS onboard.
    Client is using a 3rd-party Digisign cert from a CA that is trusted through the enterprise. This cert has been imported into the private store and exported as a .pfx to be loaded into SCUP 2011. The Digisign cert is in the TrustedPublishers and Trusted Root stores.
    Administrator registry hack applied for Server 2012
    Options of SCUP 2011: Successfully connect to SCCM local site server and local WSUS server. However, when I browse and select the exported .pfx, I am not prompted for a password for the cert, and no certificate information is displayed. Also, there are no entries in the Trusted Publishers tab.
    I am stumped at this point. Any suggestions? SCUP just isn't looking at the cert (which was ordered according to the requirements in the SCUP blog).
    Thanks,
    -P

    A couple of questions...
    1. How, and where exactly, did you import the PFX to the WSUS Server (SUP)? Most notably.. the fully-signed cert needs to be in a cert store named *WSUS*, which has been notably difficult to create except when using the WSUS API to create it.
    2. You don't need to export the PFX for SCUP, only the CER (provided that the PFX is properly held on the WSUS server); but even so, if you already have the original cert from Digisign, why bother exporting from the store to import... you already *had* the full cert that could be imported to SCUP?
    3. If you're not prompted for the password of the PFX, that suggests that it wasn't exported with a password, or, since no cert information is available, maybe the export failed completely?
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • APPLESCRIPT ERROR 10827-3RD PARTY BRATTOO-W/IPHOTO

    AM USING A 3RD PARTY APP BY BRATTOO---THUMBNAIL ERADICATOR AND DUPLICATE ANNIHILATOR-ALL WAS WORKING FINE UP UNTIL A FEW DAYS AGO-NOW WHEN I OPEN THE APP TO USE I get an applescript error-10827 and I can't use the app. Brattoo says it's a very strange error message and basically don't know what to do. I put my snow leopard disc in and used the disc utility to repair sys. That seemed to work for a while, but this am. I am back to the same problem. I trashed prefs on the app and on i-photo.
    any ideas out there????
    Dickster------------

    I didn't actually read your message after I saw that you were using capitals.
    Now after reading this time I would suggest that you send us the strange error message.
    While it might seem strange to your eye, it just might be meaningful to someone here.
    Allan

  • Going from a self signed certificate to a 3rd party certificate....

    Hello all...
    I have an Apache webserver running both the GroupWise WebAccess and the
    Netware FTP server. Up until now, I have used self signed SSL certificates
    on each of them to provide security. Now, we are going to a 3rd party issued
    certificate for both of them.
    Any idea how I set up the apache server so it will use the 3rd party cert
    instead of the self signed one...?
    Also, if you know how to set it up with the FTP server as well, it would
    help.
    (And, yes I know this is not the right forum, but in the interest of not
    repeating my work, I was hoping to bend the rules some.....)
    Thanks in advance....
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA

    As far as the FTP goes, can you be more specific? Where is this ini file
    that I need to modify? And how do I modify it?
    Thanks.
    Delon E. Weuve
    Senior Network Engineer
    Office of Auditor of State
    State of Iowa
    USA
    >>> On 6/25/2008 at 2:34 PM, in message
    <[email protected]>, Richard Beels
    [SysOp]<[email protected]> wrote:
    > close enough on the group... :-)
    >
    > for apache, it's easy peasy, find the bit in your httpd.conf and where
    > it says:
    >>>>
    > SecureListen 443 "SSL CertificateDNS"
    >>>>
    >
    > change it to whatever you've named the new cert, such as:
    >>>>
    > SecureListen 443 "DigiCert"
    >>>>
    >
    > which should give you a clue as to what I recc. for 3rd party certs.
    > :-)
    >
    >
    > As to ftp, it should be the same, i.e. ini file fiddly bit...
    >
    >
    > --
    > Cheers!
    > Richard Beels
    > ~ Network Consultant
    > ~ Sysop, Novell Support Connection
    > ~ MCNE, CNE*, CNA*, CNS*, N*LS

  • 3rd party Certificate and AAA Authentication

    I am using a cisco asa5520 and I have set up remote access vpn with an AnyConnect connection profile.
    In the connection profile I have set up that users should authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued from a 3rd party.
    This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as an associated trustpoint on the ASA box to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joe's certificate and Jane's username/password. Both are valid (isolated), but I only want Jane to be able to authenticate with her username/password and her personal certificate.
    I got an idea that I could put the Serial Number of the user's certificate on the user object in AD (on the user's department field or something like that) and check if this value matches during authentication.
    So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and I think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-windows 2000.
    After some trying and failing I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
    So I changed the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that I tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field and I took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution, I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input Marcin
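
The lookup shown in the LDAP debug output above selects the user by the certificate serial number, so the mapping is only as good as the values stored in the directory attribute. The following is an added example, not the poster's tool and not ASA code: an offline audit over an exported directory that builds the search filter with RFC 4515 escaping, models the lookup, and reports serial numbers assigned to more than one user and users with no serial at all. The directory contents and serial values are constructed, the function names are hypothetical, and comparing serials case-insensitively is an assumption of this audit.

```python
from collections import defaultdict

# Constructed sample export: DN -> attributes. Serial values are made up.
DIRECTORY = {
    "CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local":
        {"serialNumber": ["1A2B-3C4D-000000001"]},
    "CN=Jane Doe,OU=Wonderland,DC=testlab,DC=local":
        {"serialNumber": ["1A2B-3C4D-000000002", "1A2B-3C4D-000000003"]},
    "CN=Joe Doe,OU=Wonderland,DC=testlab,DC=local":
        {"serialNumber": ["1a2b-3c4d-000000003"]},   # same serial as Jane's second value
    "CN=Guest,OU=Wonderland,DC=testlab,DC=local": {},
}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)

def build_filter(attr, cert_serial):
    """Filter of the form seen in the debug output, e.g. (serialNumber=...)."""
    return "(%s=%s)" % (attr, escape_filter_value(cert_serial))

def normalise(serial):
    """Audit assumption: ignore whitespace and letter case when comparing."""
    return "".join(serial.split()).upper()

def resolve(directory, cert_serial, attr="serialNumber"):
    """Model of the lookup: every DN whose attribute holds this serial.

    Exactly one DN is the only acceptable result; zero means the certificate
    is not mapped, more than one means the certificate no longer identifies
    a single user.
    """
    wanted = normalise(cert_serial)
    return sorted(dn for dn, attrs in directory.items()
                  if wanted in {normalise(v) for v in attrs.get(attr, [])})

def audit(directory, attr="serialNumber"):
    """Return (duplicates, unmapped): shared serials and users without one."""
    owners = defaultdict(set)
    for dn, attrs in directory.items():
        for value in attrs.get(attr, []):
            owners[normalise(value)].add(dn)
    duplicates = {s: sorted(dns) for s, dns in owners.items() if len(dns) > 1}
    unmapped = sorted(dn for dn, attrs in directory.items() if not attrs.get(attr))
    return duplicates, unmapped

if __name__ == "__main__":
    print(build_filter("serialNumber", "1A2B-3C4D-000000001"))
    duplicates, unmapped = audit(DIRECTORY)
    for serial, dns in duplicates.items():
        print("serial %s is assigned to %d users: %s" % (serial, len(dns), dns))
    for dn in unmapped:
        print("no certificate serial recorded for %s" % dn)
```
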

  • Installing 3rd party certificate in Cisco ASA

    Hi, 
    We have configured a CSR in Cisco ASA for 3rd party CA to generate the certificate, however, the CSR configuration was lost because of some reason.
    How can we install this certificate without the CSR in Cisco ASA?  Or do we have to generate another certificate from the CA? It will be chargeable for the new certificate.
    Can anyone help to advise?
    Thanks
    Veon

    You don't need the CSR once you have received the certificate from the third party certificate vendor. Just upload the CA Root certificate and the identity certificate from the certificate vendor to the ASA.
    Here is configuration guide for your reference:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
    Hope that helps.

    I sporadically get the following error when selecting a slicer in the web version of my report: PivotTable Operation Failed An error occurred while working on the Data Model in the workbook. Please try again Most of what I have found on the internet