Getting sec_error_inadequate_cert_type with Private SSL Cert

Howdy,
I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
One of the certs that hasn't expired yet but is experiencing problems can be found here:
* https://forums.silicateillusion.org
One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
* https://phpmyadmin.endofevolution.com
These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
The CA Cert is in FireFox's store as trusted.
If needed, I can provide certs.

''SniperFodder [[#answer-626818|said]]''
<blockquote>
I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
"Certificate type not approved for application."
</blockquote>

Similar Messages

NAC with EV SSL certs

Does anyone know if the NAC appliance supports EV SSL certs; especially version v4.7.x.
Any insight into older versions (4.1.3 and higher) for compatibility would be appreciated. Thanks!
ben

Hello! The higher key length is a problem on an older version (4.1.3), not 4.7.x; etc where you can specify it. 4.1.3 you cannot specify it and it's not strong enough.
Ben

CertPrincipalName forced to wrong setting on server with wildcard SSL cert

Dears
After testing Exchange 2013 for a couple of weeks with a limited amount of IT personnel, we have migrated the first batch of users from 2010 to 2013.
That was the biggest mistake we've done this.. week..
The error is identified as an autodiscover/ssl problem. No matter what I specify in CertPrincipalName on CAS, Outlook resets itself to msstd:server.domain.com
I have tried with "none" and "msstd:*.domain.com" but it always resets to msstd:server.domain.com
Outlook Autoconfigure test returns the correct value. Any ideas?
All our clients are not domain members, so setting this with GPO is not an option.

I have compared how autodiscover works for clients on 2013 and on 2010. It is definitely server related. Clients still on a 2010 mb server get's the correct value msstd:*.domain.com.
The only difference I see in the autodiscover xml is that on 2013 there is two extra blocks of data for protocol "EXHTTP". One of these blocks does not contain the CertPrincipalName value.
<Protocol>
<Type>EXHTTP</Type>
<Server>mailbox.domain.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://ex02.domain.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://ex02.domain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.com</EcpUrl-extinstall>
<OOFUrl>https://ex02.domain.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://ex02.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://mailbox.domain.com/OAB/3abb5758-f1c7-4246-9f9f-bbf390f5febb/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>

SSL cert on ASA 5512 from Thwate or Digitcert

I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon
Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA - install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2 etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed

First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

Remote Desktop Services Single SSL Cert with multiple hosts

I am trying to use a single SSL Cert from a third party issuer. I have 3 servers in my deployement all are 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are
RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL. It works currently with the
exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match. Is anyone else using a similar setup and had success with it? I am trying
to avoid buying an expensive wildcard cert to cover all of them.

Hi,
Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC. To do this, log on to RD Web Access using IE, right-click and choose View Source. Find the goRDP function for the icon you want to examine and copy
the text between the ' marks. Next paste this into the escape text box the below page:
http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
Click complete unescape to get the plain text version. After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file. Once you have the .rdp file created you can compare
it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
Thanks.
-TP

ACE: Single SSL Cert for two domains with same VIP

At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
policy-map multi-match popvip_01
class POP_VIP01
loadbalance vip inservice
loadbalance policy POP-POp3_PMT or popPMT1
loadbalance vip icmp-reply
ssl-proxy server GINPOP_SSLPROXY
connection advanced-options TCP_PARAM_Y
class POP3_VIP02
loadbalance vip inservice
loadbalance policy POP-POp3_PMT or POPPMT2
loadbalance vip icmp-reply
ssl-proxy server GINPOP3_SSLPROXY
connection advanced-options TCP_PARAM_Y
however,
if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
ie,
pop.mydomain.com = 10.10.10.1 995
pop3.mydomain.com = 10.10.10.1 995
Any suggestions would be appriciated.

Hello,
In order to achieve this then you will need to order a wildcard certifictae ie
*.mydomain.com
These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
Regards

Http Analyzer connecting to server with self-signed SSL cert

When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
Am using JDeveloper 10.1.3.
Thanks,
John

I fixed that by getting certs from: https://www.startssl.com/?app=1.
The certs are free and work fine.
Since Iphone 4 apple does not accept unknown CA Authorities.

How to get OS X to accept an SSL Cert the way other UNIX clients do?

I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
Any suggestions would be appreciated.
Thanks in advance--
=N=

when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
what unix apps are you using to connect to this server?

ITunes U cannot fetch HTTPS feeds with current generation of SSL certs

I've outlined this problem previously with no resolution, but given that public iTunes U sites are about to rely even more on feeds it's even more important that a solution be found.
Here's the summary of the unresolved thread http://discussions.apple.com/thread.jspa?messageID=11012798
iTunes U will no longer update valid feeds from our LMS. Our LMS is entirely SSL/TLS and recently had its certificate updated. The DigiCert certificate and feed are working at https://lms.brocku.ca/podcasts/site/BuildaPodcast . However iTunes U sends an E-Mail to the owner once it is changed to this URL that reads:
"iTunes U could not update the content because iTunes U could not download the specified feed (https://lms.brocku.ca/podcasts/site/BuildaPodcast). Until the issue is resolved, iTunes U continues to display the last downloadable version of the content. Verify that the feed specified in the feed URL field and the resource are available, and then try again"
In the interim we've been fetching the exact same RSS feed and hosting it at http://ctlet.brocku.ca/~mclare/podcast/BuildaPodcast so that iTunes U can fetch it with out SSL/TLS - but we can not do this for all podcasts.
Older versions of the command line tools like cURL (and its library) and wget have a similar problem. In their situation their root certificates are not fully updated. Could this be the case for the iTunes U feed fetcher?
Thanks for looking into this.
.\.\att

Hi Mark,
Thanks, it is indeed now updating.
When I updated it yesterday (a little before 2:04 EST) I did not get the previous Error prompt - but I didn't know if that was an iTunes 9 change in interface or the problem being solved. I did get an E-Mail from iTunes U <[email protected]> subject "iTunes U unable to update Course page group Brock University > Brock Community > Sakai > Help for Instructors" - full E-Mail below.
I edited the feed/section again today (10:12 EST) and the status appears to indicate that it was updated. BUT, I again received this E-Mail:
E-Mail :"Dear iTunes U administrator, instructor, or course manager,
Your 'Sakai' course in your brocku.ca iTunes U site populates its 'Help for Instructors' group track list automatically from an RSS feed, based on the podcast RSS feed URL and details you specified. iTunes U encountered the following error while trying to access the podcast RSS feed:
iTunes U could not update the content because iTunes U could not download the specified feed (https://lms.brocku.ca/podcasts/site/BuildaPodcast). Until the issue is resolved, iTunes U continues to display the last downloadable version of the content. Verify that the feed specified in the feed URL field and the resource are available, and then try again.
To check your iTunes U podcast RSS feed URL and details, edit your Course page group located at Brock University > Brock Community > Sakai > Help for Instructors.
Sincerely,
The iTunes U Team"
It is great that content will start moving now, but can anything be done about the spurious E-Mails?

IMAP Mail Setup with self-signed SSL certs

I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

We have a Certificate Authority (Version: 5.2.3790.3959) configured on Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
Currently i am only able to generate SSL cert with md5RSA.

Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang

Need to check tls/ssl but getting stuck with "You must provide a value expression on the right-hand side of the '-' operator."

I would like to disable ssl 3 but need to test what sites only support ssl 3. I keep getting stuck with an error that is over my head. I've tried manipulating the string a dozen different ways and keep getting the same error. I am not familiar with -notin
or how to specify which part of the property its checking: thanks a ton
http://blog.whatsupduck.net/2014/10/checking-ssl-and-tls-versions-with-powershell.html
line with issues:
$ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name -notin @("Default","None") | %{$_.Name}
You must provide a value expression on the right-hand side of the '-' operator.
At S:\scripts\test23.ps1:50 char:126
+ $ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name - <<<< noti
n @("Default","None") | %{$_.Name}
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ExpectedValueExpression
<#
.DESCRIPTION
Outputs the SSL protocols that the client is able to successfully use to connect to a server.
.NOTES
Copyright 2014 Chris Duck
http://blog.whatsupduck.net
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.PARAMETER ComputerName
The name of the remote computer to connect to.
.PARAMETER Port
The remote port to connect to. The default is 443.
.EXAMPLE
Test-SslProtocols -ComputerName "www.google.com"
ComputerName : www.google.com
Port : 443
KeyLength : 2048
SignatureAlgorithm : rsa-sha1
Ssl2 : False
Ssl3 : True
Tls : True
Tls11 : True
Tls12 : True
#>
function Test-SslProtocols {
param(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
$ComputerName,
[Parameter(ValueFromPipelineByPropertyName=$true)]
[int]$Port = 443
begin {
$ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name -notin @("Default","None") | %{$_.Name}
process {
$ProtocolStatus = [Ordered]@{}
$ProtocolStatus.Add("ComputerName", $ComputerName)
$ProtocolStatus.Add("Port", $Port)
$ProtocolStatus.Add("KeyLength", $null)
$ProtocolStatus.Add("SignatureAlgorithm", $null)
$ProtocolNames | %{
$ProtocolName = $_
$Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$Socket.Connect($ComputerName, $Port)
try {
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false )
$RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
$ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
$ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.PublicKey.Key.SignatureAlgorithm.Split("#")[1]
$ProtocolStatus.Add($ProtocolName, $true)
} catch {
$ProtocolStatus.Add($ProtocolName, $false)
} finally {
$SslStream.Close()
[PSCustomObject]$ProtocolStatus
Test-SslProtocols -ComputerName "www.google.com"

V2 version:
function Test-SslProtocols {
param(
[Parameter(
Mandatory=$true,
ValueFromPipelineByPropertyName=$true,
ValueFromPipeline=$true
)]$ComputerName,
[Parameter(
ValueFromPipelineByPropertyName=$true
)][int]$Port = 443
begin {
$protocols=[enum]::GetNames([System.Security.Authentication.SslProtocols])|?{$_ -notmatch 'none|default'}
process {
foreach($protocol in $protocols){
$ProtocolStatus = @{
ComputerName=$ComputerName
Port=$Port
KeyLength=$null
SignatureAlgorithm=$null
Protocol=$protocol
Active=$false
$Socket = New-Object System.Net.Sockets.Socket('Internetwork','Stream', 'Tcp')
$Socket.Connect($ComputerName, $Port)
try {
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $protocol, $false )
$RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
$protocolstatus.Active=$true
$ProtocolStatus.KeyLength = $RemoteCertificate.PublicKey.Key.KeySize
$ProtocolStatus.SignatureAlgorithm = $RemoteCertificate.PublicKey.Key.SignatureAlgorithm.Split("#")[1]
catch {
Write-Host 'Failed'
finally {
New-Object PsObject -Property $ProtocolStatus
$SslStream.Close()
Test-SslProtocols -ComputerName www.google.com
¯\_(ツ)_/¯

How to setup SSL cert for SharePoint apps in a three tier farm with nlb

I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

Please check the below thread..
https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
Mahesh

FTP with SSL cert on ACNS via WCCP

I have a client using an SSL cert to connect to an ftp server. The user is being redirected to a CE-511 via WCCP v2 but the FTP connection does not work. If I bypass the user (in my wccp acl) it works fine - following a default route to my PIX.
Any info, good or bad will be greatly appreciated.
- Matt

What is the software version running on the CE-511. Did you try upgrading to the latest version of the firmware. This should solve the issue.

Wildcard SSL cert on ASA

Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
If you need help with configuration, let me know.
You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
Regards,
Roman

Getting sec_error_inadequate_cert_type with Private SSL Cert

Similar Messages

Maybe you are looking for