Generating a new SSL cert for Murmurd in light of Heartbleed

Hello all,
I'm sure there are some server operators out there who want to renew their keys and certificates generated and used by OpenSSL in light of the Heartbleed exploit.
Since I just figured out how to force murmur to regenerate a new key and certificate, I thought I'd share with you in case you also want to.
(1) Shut down your running murmurd instance
(# systemctl stop murmur)
(2) Find the config database and make a backup.
(# cp -a /var/lib/murmur/murmur.sqlite /var/lib/murmur/murmur.sqlite.bak)
(3) Open the database to edit
(# sudo sqlite3 /var/lib/murmur/murmur.sqlite)
(4) Time for some SQL!
First, let's view all existing certificates and keys.
(sqlite> select * from config;)
The output is something like this:
1|certificate|-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----
1|key|-----BEGIN RSA PRIVATE KEY-----
<REDACTED>
-----END RSA PRIVATE KEY-----
You'll see a bunch of BASE64 encoding between the BEGIN and END statements.
I only have one server defined, hence the 1 in both database rows, which refers to the server_id. If you have more than one server instance, then I presume you'll have more rows, and they'll have different server_ids.
(5) Now, it's time to delete the key and certificate, which forces murmur to regenerate them on its next startup. If you want to generate a custom certificate and key, there's an adequate how-to here https://wiki.archlinux.org/index.php/Mu … ertificate
If you have multiple servers defined, you'll want to be careful here: if you don't want to regenerate the SSL certificate and keys for all server instances, make sure to only delete the specific server_ids you want to update.
(sqlite> delete from config where server_id=1;)
Update the server_id=1 to be whatever server_id you want to change. I only have one server, so I just deleted that.
(6) Quit out of the sqlite3 program
(sqlite> .quit)
(7) Restart your murmur server
(# systemctl start murmur)
If you do a
# systemctl status murmur
you'll see in the logs that it regenerates the SSL certificate on startup.
I hope this was helpful.
And, if this is the wrong forum for this, please let me know and I can remove it. Or if you're a kindly mod, perhaps you could move it for me?
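
Added example, not part of the original post and not Murmur's own code: the statement in step (5) removes every config row stored for that server_id, so this sketch shows a narrower delete that drops only the certificate and key rows for one server and leaves other settings and other servers untouched. It assumes the config table has the columns server_id, key and value (consistent with the output shown in step 4; confirm with ".schema config"), and all rows in it are constructed sample data.

```python
import sqlite3

# Assumption: Murmur's config table is (server_id, key, value). The post's
# output "1|certificate|..." fits this, but verify with ".schema config".
SCHEMA = "CREATE TABLE config (server_id INTEGER NOT NULL, key TEXT, value TEXT)"
TLS_KEYS = ("certificate", "key")


def build_sample_db():
    """Constructed data: two virtual servers, each with TLS material and
    one unrelated per-server setting."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = []
    for sid, setting in ((1, ("welcometext", "constructed text")),
                         (2, ("port", "64739"))):
        rows.append((sid, "certificate", "-----BEGIN CERTIFICATE-----\n<constructed>"))
        rows.append((sid, "key", "-----BEGIN RSA PRIVATE KEY-----\n<constructed>"))
        rows.append((sid, *setting))
    db.executemany("INSERT INTO config VALUES (?, ?, ?)", rows)
    db.commit()
    return db


def backup(db):
    """Step (2) equivalent: copy the database with SQLite's backup API."""
    copy = sqlite3.connect(":memory:")
    db.backup(copy)
    return copy


def tls_rows(db, server_id):
    """Names of the certificate/key rows still stored for one server."""
    cur = db.execute(
        "SELECT key FROM config WHERE server_id = ? AND key IN (?, ?) ORDER BY key",
        (server_id, *TLS_KEYS),
    )
    return [row[0] for row in cur]


def drop_tls_material(db, server_id):
    """Delete only the certificate and private key of one server in a single
    transaction; returns the number of rows removed."""
    with db:  # commits on success, rolls back on error
        cur = db.execute(
            "DELETE FROM config WHERE server_id = ? AND key IN (?, ?)",
            (server_id, *TLS_KEYS),
        )
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    saved = backup(db)
    print("server 1 before:", tls_rows(db, 1))
    print("rows deleted:   ", drop_tls_material(db, 1))
    print("server 1 after: ", tls_rows(db, 1))
    print("server 2 intact:", tls_rows(db, 2))
    print("backup still has:", tls_rows(saved, 1))
```

The backup made in step (2) still contains the old private key, so delete it once the server is confirmed working with the regenerated certificate.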

This should be in the Wiki so it can be easily found and used.

Similar Messages

  • How do you generate a new SSL cert in CSA

    None of my hosts can poll because the SSL Cert has expired. I am running CSA 4.0-1 540 and need to generate a new cert. Anyone know how?

    It looks like I found something here:
    http://www.cisco.com/en/US/docs/security/csa/csa45/install_guide/Chap3.html#wpmkr985044
    From within CiscoWorks click: VPN Security Management Solution -> Administration -> Import Root Certificate.

  • Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)

    Hi,
    I would like to use corporate ssl certs for webview and reskill to avoid the user having to install the self signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforeseen problems?
    My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
    For reskilling, I will assume I will have to do some command line stuff here ...
    eg: keytool -genkey -keyalg RSA -keystore hostname.key
    to create the key,
    keytool -certreq -keyalg RSA -keystore hostname.key -file hostname.csr
    to create the csr, and
    keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
    to import the new cert
    Suggestions or comments for anyone who has tried this before would be appreciated.
    Regards,
    Brian

    I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
    david

  • How to setup SSL cert for SharePoint apps in a three tier farm with nlb

    I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

    Please check the below thread..
    https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
    Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it is useful.
    Mahesh

  • How to generate a NEW #Mat No for comb made in"Charc & Charc Values" in S O

    Hi Gurus !
    I'm working on VC. What should I do to generate a new material num for Characteristic and characteristic values combination made in sales order screen?
    Here is the problem
    My Super BOM is Config Material -- CAR
    10. ENGINE 70 HP WITH 4 SEAT
    20. ENGINE 70 HP WITH 6 SEAT
    30. ENGINE 85 HP WITH 6 SEAT
    40. ENGINE 85 HP WITH 8 SEAT
    My Characteristic and Char Values are
    1. ENGINEPOWER --- 70HP and 85HP
    2. SEATINGCAPACITY -- 4, 6, 8
    In SALES ORDER when I enter CONFIG MATERIAL -- CAR, it takes me to screen
    characteristic and characteristic values screen. I made selection of "ENGINE 70HP WITH 4 SEAT"
    Now my issue is, when I go back to sales order it should generate a new finished material Number "xxx" under Config Material - CAR.

  • SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

    I utilized the idea from
    http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
    installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
    feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
    I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
    this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
    I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is https://<SQLClusterNetworkName>/Reports, and the
    cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
    What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

    I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

  • WLC Virtual Interface config for a public SSL cert for Web Authentication

    I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth users tries to authenticate they don't get the SSL cert error.
    In the document "Generate CSR for Third−Party Certificates and
    Download Chained Certificates to the WLC"
    Document ID: 109597 it states the following
    "Note: It is important that you provide the correct Common Name. Ensure that the host name that is
    used to create the certificate (Common Name) matches the Domain Name System (DNS) host name
    entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after
    you make the change to the VIP interface, you must reboot the system in order for this change to take
    effect."
    Here are my questions.
    1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
    2. In the "DNS Host Name" Field do I simply put the domain or the FQDN?  Example. Company.com or hostname.company.com

    Hi,
    1) You can change that if you want. Normally it is non-Public and non-routable in your network.
    2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
    Regards
    Dhiresh
    ** Please rate helpful posts**

  • Exchange 2007 - Outlook Anywhere problems after installing new SSL cert

    *** Original thread posted on wrong forum ***
    Hi all,
    Exchange 2007 environment (2x CAS, ISA2006). Not much familiar with Exchange.
    Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). Authentication pop-up and not able to connect.
    Company has recently changed its name and we had to renew the SSL cert. Previous SSL cert. was issued to: webmail.oldcompname.co.uk (several SANs on that cert., including internal server names).
    Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com ; autodiscover.newcompanyname.com + old SANs).
    The setting on those machines point the proxy to the following:
    Https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
    Only connect to proxy servers that have this principal name in their cert.: 
    msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert. was issued to newcompanyname.com).
    Browsing technet + internet it seems that I need to look into OutlookProvider EXPR.
    When I run Get-OutlookProvider everything is blank (I believe I should be concerned to EXPR only for Outlook Anywhere).
    I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com
    My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk
    Is it safe to run this command? Do I need to re-start IIS? Do I need to look into any settings on ISA2006?
    Comments/help are much appreciated.
    Regards 

    Hi,
    According to the description, I found that we re-new a SSL certificate.
    "I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com"
    Just do it. Then remove the old certificate on ISA server and install a new one.
    Found a similar thread for your reference:
    Renewal of SSL certificate in exchange 2007 with ISA 2006
    http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Oracle SSL Cert for downloads has errors

    Not sure if this is a cause or effect?
    Owner: This web site does not supply ownership information.
    Verified by: Not specified
    I get this after clicking download link and failure of user/pass prompt.
    Edited by: user6774993 on Jan 18, 2010 9:26 PM

  • ACE: Single SSL Cert for two domains with same VIP

    At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
    policy-map multi-match popvip_01
    class POP_VIP01
    loadbalance vip inservice
    loadbalance policy POP-POp3_PMT or popPMT1
    loadbalance vip icmp-reply
    ssl-proxy server GINPOP_SSLPROXY
    connection advanced-options TCP_PARAM_Y
    class POP3_VIP02
    loadbalance vip inservice
    loadbalance policy POP-POp3_PMT or POPPMT2
    loadbalance vip icmp-reply
    ssl-proxy server GINPOP3_SSLPROXY
    connection advanced-options TCP_PARAM_Y
    however,
    if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, I'm inclined to design using this alternative.
    ie,
    pop.mydomain.com = 10.10.10.1 995
    pop3.mydomain.com = 10.10.10.1 995
    Any suggestions would be appreciated.

    Hello,
    In order to achieve this then you will need to order a wildcard certificate, i.e.
    *.mydomain.com
    These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
    Regards

  • New SSL certificate for M670 process?

    Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?
    Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.
    Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 
    Jason

    Jason -
    You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.
    Had previous saved notes for similar questions in the past --- see if this helps:
    For full create and install:
    http://tools.cisco.com/squish/39054
    Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.
    On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates
    Detailed description how to generate a certificate can be found within the knowledge base article 1634.
    It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
    Use GUI: Network > Certificates > Export Certificates to export certificate.
    Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
    To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:
    openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
    Windows version of OpenSSL can be downloaded from: http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first before the OpenSSL Win32.
    Versions for Mac, Linux, and other operating systems can be downloaded from http://www.openssl.org/source/
    After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.
    To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates >select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
    The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.
    Let me know!
    -Robert

  • New SSL certificate for Exchange, iPhones won't accept without delete/recreate of account on phone.

    Our Network Solutions security certificate was about to expire so we renewed it, however once it was installed on the Exchange 2007 server the phones would no longer connect.  How do you get the iPhones that are already connected to your Exchange server to recognize the new certificate?

    Hi bb9193, this will not be a short-term solution, but you might consider using a MDM-solution. With MDM it is possible to deinstall and reinstall the Exchange profile over the air, so your users will not need to do more than just reenter their Exchange password.
    Best regards,
    Detlev

  • Changing hostname on Callmanager 6.1 and generate new SSL

    I'm looking to change the hostname of our Callmanager because of a change in the naming convention for all our servers.
    Is it as easy as it seems or are there any precautions I need to be aware of?
    My thoughts were to just Change hostname under Cisco Unified CM Configuration for both PUB and SUB
    Since I use mostly IP address for most of my configuration, is there anything else I need to be concerned about?
    Also, how do I generate a new SSL cert based on this change so admins and users won't get a certificate mismatch prompt?
    Thanks!

    Hi Ken,
    Thought you might want to see this
    CSCtf23432 Bug Details
    CUCM Hostname change does not update self-signed certificates
    None
    Symptom:
    After a hostname change, self-signed certificates are not regenerated.  Web browser may indicate
    that the CUCM certificate is not valid.
    Conditions:
    hostname change procedure.
    Workaround:
    From the os admin page:
    1) security->certificate management
    2) select "find"
    3) for all the self-signed certs (identified by the description field),
    select regenerate.
    Further Problem Description:
    n/a
    Status: Fixed
    Severity: 3 - moderate
    Last Modified: In Last Year
    Product: Cisco Unified Communications Manager (CallManager)
    Technology:
    1st Found-In: 7.1(2)
    Fixed-In: 8.0(2.98000.25), 8.0(2.10000.4), 7.1(4.98000.167), 8.0(2.98000.31), 8.0(2.10000.24), 7.1(5.10000.12)
    Cheers!
    Rob

  • Changing SSL Cert, how do you update the trust profile for devices.

    I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert).  How do you update the trust profile on the devices already paired with the server.

    Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are.  SO can be embedded or linked to an outside file.  Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it.  otherwise it will update when you save the linked file.  Yes, there still is an advantage to having an embedded SO.  You may not want to maintain the links - send a file off and forget to include the linked files.  You may want to alter the SO, but not the original file.
    Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
    And if so,
    1. Can this linked file be either raster or vector?
    2. Do edits to it automatically update the Photoshop file?
    3. Is there any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

  • Update gateway SSL Cert

    Hey all we got our SSL Cert for our gateway server but we can't figure out how to update the current cert with our new one.
    The original was put in by a 3rd party "integrator" and it's self signed. We have a real cert now which we need to get installed.
    any help would be appreciated.

    That depends on where you generated the cert request from.
    If you did this on the portal server then you can use the web server GUI to import the cert into the database then use pk12util to export to a p12 file (run pk12util -help). On the gateway use certadmin or pk12util to import the cert and key from the p12 file.
    If you generated the cert request on the gateway then use certutil to import the cert (certutil -h).
