Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

Similar Messages

• Sun One Web Server 6.1 | Install wildcard certificate

  Hello everyone. I am new to this forum. I'll start off by saying that I am very "green" with the Sun One Web Server as well.
  My question/problem pertains to installing a wildcard certificate on our server. I am not able to find good documentation on this, so I am hoping that some of you could provide some guidance or, better yet, a link to documentation specifically for the Sun One Web Server 6.1.

  There is no difference with installing a wildcard or any other certificate. You simply create a CSR and specify an asterix instead of the hostname followed by a . and your domainname for the subject, send it to a CA and get back a certificate that you import.

• Unable to install WildCard Certificate for ASA 5512-x

  Have a customer who we manage an ASA 5512-X for.  I am configuring a Wildcard Certificate for AnyConnect. They have a wildcard certificate purchased through Godaddy.com.  I am utilizing ASDM 7.3 for the installation of the certificate.  I added the Identity Certificate ASDM_TrustPoint0.  Checked the radio button "Add a new identity certificate:"  Named the Key Pair WildCard, and set the size to 2048.  I also changed the "Certificate Subject DN: to CN=cityvpn.wirapids.org.  There were no other attributes to add.  I also changed the FQDN under the advanced tab to the same cityvpn.wirapids.org.  Then clicked Add Certificate.  Successful
  Under CA Certificates I added the certificate from file.  Which I added the bundle.crt from Godaddy.  Certificate was added successfully.
  Going back to Identity Certificates.  I click on install.  Install from a file.  Which I tried the other crt file and the bundle file from Godaddy.  I get an Error: Failed to parse or verify imported certificate.  With the other .crt file from Godaddy I get the same error, but "Certificate does not contain device's General Purpose Public Key."
  Not sure what to think.  Any suggestions or help would be great.  Thanks
  Paul

  You should never ever get a wildcard certificate. Because if that certificates private key gets stolen, the thief can impersonate all ssl-protected services. The clients view them as valid resources, because the certificate is correct. The only thing to do then, is to revocate the certificate, which will cause you to get a new certificate installed on ALL services that you had protected with the wildcard one.
  Even worse, most broswers (besides IE) ignore certificate revocation lists in various cases!

• Installing wildcard certificate - error

  Hello guys,
  I'm not quite sure do I post within the right thread so please correct me if I'm wrong.
  Anyway, the problem is as subject says - Problem with installation of wildcard certificate on Cisco ASA 5520 (VPN Plus license). Software version is  8.2(2).
  I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. Certificate provider is Geo Trust.
  The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the sub-ordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says that "WARNING: Trustpoint GeoTrustRA is already authenticated." (this happens when I try to install the sub-ordinate CA, which stays in between Root CA and my certificate, within the same trustpoint as RootCA certificate.
  The second problem is the actuall problem however. When I try to install the wildcard certificate, using ASDM, i got the following error: (actually I did intentionally type the wrong password and I receive absolutely the same error)
  Here is the setup of CA. As you can see, both certificates which must relay on the same trustpoint as chain, are divided in two trustpoint configurations:
  I tried to debug crypto ca 255 but there is nothing interesting within the log file.
  If I try to add the Sub-ordinate certificate within the trustpoint where Root CA is installed, I got the following error:
  When I try to manually install the wildcard certificate from CLI (It's in BASE-64 format), I do receive the following error:
  CLI Issue
  vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here
  Enter the base 64 encoded pkcs12.
  End with the word "quit" on a line by itself:
  -----BEGIN CERTIFICATE-----
  MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
  [cut]
  RPg4gnOGlySGVA==
  -----END CERTIFICATE-----
  quit
  ERROR: Import PKCS12 operation failed
  Any thoughts, ideas, questions or whetever are more than welcome!

  Hi there,
  I just wanted to tell you that I have found the solution for this case. It appears that the wildcard certificate had been enrolled without State ("ST") attribute of x509.3 certificate. The issuer (GeoTrust) refused to enroll it again evethough we have supplied that information and it was completely their fault. Anyway, we changed the issuer and now everything is just fine.
  Sent from Cisco Technical Support iPad App

• Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

  Hello
  I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
  Setup:
  We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
  Configuration in regards to certificate:
  crypto key generate rsa label vpn.company.dk modulus 2048
  crypto ca trustpoint vpn.trustpoint
  keypair vpn.company.dk
  fqdn none
  subject-name CN=*.company.dk,C=DK
  !id-usage ssl-ipsec
  enrollment terminal
  crl configure
  crypto ca authenticate vpn.trustpoint
  ! <import intermediate certificate>
  crypto ca enroll vpn.trustpoint
  ! <send CSR to CA>
  crypto ca import vpn.trustpoint certificate
  ! <import SSL cert received back from CA>
  ssl trust-point vpn.trustpoint outside
  Problem:
  When I try to import the certificate I receive the following error:
  crypto ca import vpn.trustpoint certificate
  WARNING: The certificate enrollment is configured with an fqdn
  that differs from the system fqdn. If this certificate will be
  used for VPN authentication this may cause connection problems.
  Would you like to continue with this enrollment? [yes/no]: yes
  % The fully-qualified domain name will not be included in the certificate
  Enter the base 64 encoded certificate.
  End with the word "quit" on a line by itself
  -----BEGIN CERTIFICATE-----
  <certificate>
  -----END CERTIFICATE-----
  quit
  ERROR: Failed to parse or verify imported certificate
  Question:
  - Does any one of you have any pointers in regards to what is going wrong?
  - Especially in regards to fqdn and CN, I also have a question. My config
  fqdn none
  subject-name CN=*.company.dk,C=DK
  would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
  So do you have insight or pointers which might help me?
  Thank you in advance

  I also have a wildcard cert for my SSL VPN ASAs.
  When i import the cert I use ASDM instead of CLI...
  I import the wildcard as a *.pfx file and type in the password. works fine...
  Perhaps the format is incorrect?
  Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
  Not sure if this helps but give ASDM a try?

• Using same Wildcard certificate on multiple SAP systems with same domain name.

  Hello All,
  Need urgent help.
  I have a WILDCARD SSL certificate in pfx format. I also have individual root certificate , primary certificate in text form.
  The certificate mentioned above is already active in one of our portal.
  We want the same certificate on ECC Production.
  What are the steps to import this certificate in STRUST?
  I believe no certificate response needs to be imported.
  I have a certificate response provided by Verisign. But STRUST says- cannot import certificate response'
  Please help.

  Hi,
  This is what i did for installing wildcard certificates:
  On the OS of the sap server, log in with the sapadm account.
  Open a command prompt:
  make a backup of your sec directory in drive:\usr\sap\<SID>DVEBMGS00\  (just to be sure)
  cd to drive:\usr\sap\<SID>DVEBMGS00\exe
  >sapgenpse.exe import_p12 =p SAPSSLS.PSE location\to\the\certfile.pfx
  It will ask you for the pin, and to overwrite the file, answer yes.
  Now copy the new SAPSSLS.PSE to a desktop that has sapgui
  Login with the sapgui and run transaction strust
  Select import from the PSE menu and open the SAPSSLS.PSE
  Then again goto PSE menu  and select Save As
  I saved it twice, once in System PSE  and then again in SSL Server
  For me SSL is now working without problems on a couple of servers.
  -small update-
  You can check internal servers using the certificate utility from digicert https://www.digicert.com/util/
  It has the option to specify port numbers, usefull for internal web services.
  Regards,
  Rolf

• Cisco NCS install signed certificate

  Hello!
  I have difficulties to install wildcard certificate(*.domain.com) into Cisco NCS Prime.
  admin#ncs key importkey key.pem cert.perm repository ftpRepo
  INFO: no staging url defined, using local space.        rval:2
  INFO: no staging url defined, using local space.        rval:2
  The WCS server is running
  Changes will take affect on the next server restart
  Importing RSA key and matching certificate
  Everything looks good! But after server restart I see old, self-signed certificate.
  Please help me with this issue.

  restore.log:
  Mon Mar  4 15:37:29 NOVT 2013: dowload of 2015_02_16.crt from repository ftpRepo: success.
  Mon Mar  4 15:37:29 NOVT 2013: dowload of 2015_02_16.key from repository ftpRepo: success.
  ADE.log:
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.key
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[52] [admin]: created backup history lock file
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained backup lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:backup: br_stage.c[72] [admin]: staging config set to default settings
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained repos-mgr lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:repository: rm_repos_cfg.c[173] [admin]: loaded repository ftpRepo
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released repos-mgr lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer.c[54] [admin]: ftp copy in of 2015_02_16.crt requested
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[92] [admin]: ftp get source - 2015_02_16.crt
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[93] [admin]: ftp get destination - /opt/CSCOncs/migrate/restore/2015_02_16.crt
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[112] [admin]: initializing curl
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.crt
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
  Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
  keyadmin-0-1.log:
  03/01/13 16:00:14.962 INFO  [system] [main] Setting management interface address to 10.54.11.108
  03/01/13 16:00:14.968 INFO  [system] [main] Setting peer server interface address to 10.54.11.108
  03/01/13 16:00:14.968 INFO  [system] [main] Setting client interface address to 10.54.11.108
  03/01/13 16:00:14.968 INFO  [system] [main] Setting local host name to sib-ncs01
  03/01/13 16:00:17.647 INFO  [admin] [main] The WCS server is running
  03/01/13 16:00:17.647 INFO  [admin] [main] Changes will take affect on the next server restart
  03/01/13 16:00:17.647 INFO  [admin] [main] Importing RSA key and matching certificate
  Other logs dont show issues.

• Wildcard certificate in mssql 2008R2

  Hello, 
  I have installed wildcard certificate in Certificates(Local Computer)\Personal in  sql server. We are using Windows 2008R2 server and 2008 R2 SQL server. Certificate is issued by StartCom. With certificate everything is ok (I have used it in IIS), but
  it didnt appeared in sql configuration manager protocols dropdown list. So i followed microsoft article:
  http://support2.microsoft.com/kb/316898
  and added certificate thumbrint in registry. Restarted SQL service.
  Then I am trying to connect to sql server using SMSS I am getting error:
  "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate's CN name does not match the passed value.) (Microsoft SQL Server, Error: -2146762481)"
  So obviously problem is wildcard certificate, because it is issued to *.domain.com and server name is server.domain.com.
  By this article, microsoft sais that "SQL Server 2008 R2 and the SQL Server 2008 R2 Native Client support wildcard certificates.
  http://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
  So question would be: Sql 2008 r2 supports or does not support wildcard certificates. If supports, so there is problem? Why i am getting this error?
  Mantas

  Hi Mantas,
  As is mentioned in the Book Online Document from your post, SQL Server 2008 R2 and the SQL Server 2008 R2 Native Client support wildcard certificates. Other clients might not support wildcard certificates. For more details, please review this article:
  Accepted wildcards used by server certificates for server authentication.
  Based on my research, the error message “provider: SSL Provider, error: 0 - The certificate's CN name does not match the passed value” could be caused by that  the certificates are not installed properly. I recommend you follow the steps in this
  article to enable SSL encryption for SQL Server.
  In addition, there is a blog  about the error for your reference.
  http://blogs.msdn.com/b/sqljourney/archive/2012/03/16/implementing-ssl-encryption-for-sql-server-in-a-dns-forwarding-environment.aspx
  Thanks,
  Lydia Zhang

• VPN Cluster and Wildcard Certificate

  Hi,
  I am setting up a VPN cluster with three ASA boxes and i am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
  I am done with the setup and everything works fine, but as my initial setup (and the doc i have been reading) shows, the client first connect to:
  cluster.domain.com
  Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
  vpn01.domain.com
  or
  vpn02.domain.com
  or
  vpn03.domain.com
  Thus i would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster ip is configured on all boxes, and the master role is shifted if one of the boxes fail.
  Because of this i thought it would be a good idea to use 1 wildcard certificate (*.doman.com) on all boxes and avoid the hassle.
  Any experience or recommendations?
  BR,
  /K

  Hello Kenneth,
  It was working for version before 9.
  On ASA9 you even can not install wildcard certificate to manage ASA via ASDM, so i guess vpn loadbalancing with wildcard certificate will not work either (but i have not tested that).
  And it's not a bug - it's a feature - it's a security device and wildcardard certificates are strongly discouraged
  Michal

• Wildcard Certificats and 4400 WLC

  First, I know the 4400 has been EOS. I am planning on replacing this with a new controller next year as part of a larger project. In the meantime, the certificate we have setup on our guest network is due to expire soon.
  I am pretty familiar with how to get a new certificate setup, but was wondering if anyone has had any experience at using a "wildcard" type certificate, instead of the standard webserver style cert?  (http://www.digicert.com/wildcard-ssl-certificates.htm)
  Its my understanding that a wildcard certificate can be used for any type of server, but the server needs to support it.
  Thanks.

  All my recent install using a 3rd party certificate has been with installing a chained certificate.
  Here is a doc that shows you how to combine a chained certificate and install it on a wlc.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  Sent from Cisco Technical Support iPhone App

• WLC 5508 - 7.5.102.0 - Wildcard Certificates

  Does this controller/firmware support the use of a wildcard certificate? I'm using GoDaddy as our public CA.

  Yes, it does support.
  You may visit the below listed URL while generating the CSR or installing the certificates.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Install digicert wildcard certificate on 2012 RDSH Servers

  Hi Everyone
  I would like to find out is it possible to install a digicert wildcard certificate on 2012 RDSH Server
  My current RDSH deployment has 2 connection broker and SQL backend, bunch of RDSH 2012 servers in a collection. wildcard certificate is configured in the deployment properties. All servers are part of the domain.
  We already have a RASS servers. So we didn't install RDSH Gateway. External users RDP to the RDSH servers via RASS
  When users connect via RDP it prompt an certificate warning message.
  Please advice
  Thanks

  Hi,
  Thank you for posting in Windows Server Forum.
  Can you please provide the error\warning\event ID you are facing?
  Basic requirements for Remote Desktop certificates:
  1. The certificate is installed into computer’s “Personal” certificate store. 
  2. The certificate has a corresponding private key. 
  3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
  The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers
  in the collection.
  More information.
  Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• ACS Wildcard Certificate Install for PEAP

  Does ACS support Wildcard certificate authentication, such as *.domain.com?  We installed the certificate through ACS using CA, but when using wireless devices, the certificate is still not verified.  Any information would be helpful before we go and purchase another certificate.  Thank you.

  Can someone validate whether wildcard certs are supported with ACS and PEAP, please.  I'm running into the same issue that Jason outlines above.  It seems that Windows clients specifically don't like the wildcard cert. I have tried with Mac and iPhone and they seem to work if you accept the cert into the keychain on first connect.

• Installing a Wildcard Certificate in STRUST

  Hi,
  I am trying to install a wildcard SSL certificate using STRUST on our ABAP system.
  If I try to import it using the "Import Cert. Response" button, I get an error message saying the certificate cannot be installed. I presume this is because my private key does not match the public key of the certificate.
  How can I get a wildcard certificate working with my ABAP system? Do I need to somehow change the private key of my system?
  Thanks in advance

  Hi Stuart,
  Please check below thread it may help in your case.
  Problem importing a certificate using Strust
  https://scn.sap.com/thread/1587251
  BR
  Atul

• Wildcard Certificate and Wireless Lan Controller

  Hello,
  I'm working with wlc 5508 version 7.2.111.3 and I'm looking to use a wildcard certificate, I've just checked on the forum that there was a bug-id and it seems it's been closed with a workaround of not using wildcard certs, is it resolved now?
  If yes, could you indicate to me how can I proceed to install it quickly?
  Regards

  Hello,
  The bug was about bad behavior when the wildcard certificate is used. The status of the bug now is "Terminated". That means it was found that the root cause for this bug is not really a bug (bad description, normal behavior...etc).
  So, I think you can go with the wildcard certificat you have. The bug was opened on 5.2 version which is very old comparing to 7.2.
  Let us know how it goes.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"