ISE 1.3 - wildcard certificate

How to install an external wildcard certificate for SSL on ISE 1.3 and get it running for a guest portal?
Follow these links for guidance:
Cisco Identity Services Engine Admin Guide, Release 1.3
http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html
https://supportforums.cisco.com/discussion/12305836/installing-wildcard-cert-ise-httpeap
See the recording of Tech Talk Security: BYOD, Integrated CA, Multi-AD WebSession from November 6, 2014 by Aaron Woland.
and now.....     RESTART your ISE engine!
ISE needs to be restarted to bind the intermediate and the wildcard certificate, which will then be sent to the client for SSL. The client can now validate the certificates in the chain.
Currently the restart is not documented by Cisco and there is no warning message to restart the ISE engine.

Hi,
You would have to restart the services; there is a note in the Cisco ISE document. Please refer to it below:
If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
Regards,
Tushar Bangia
Note : Please do rate post if you find it helpful!!

Similar Messages

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate.  This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD.  The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
    When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed.  ISE reports that my Windows client rejected the server certificate.  Which is odd as it just accepted it.
    If I untick the validate the client passes; if I tick it again it will authenticate fine, once.  The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to a client issue but not 100% sure some times.

  • Does ISE support wildcard certificates?

    Hello guys,
    My customer doesn't have a CA, but instead has wildcard certificates.
    I will implement ISE in 3 different locations (each location independent and with all ISE services). Haven't looked in depth at wildcard certs, but does ISE support this type of certificate? The certs I need are only so that corporate users are not shown the SSL cert error when accessing ISE portals.
    If wildcard certificates are supported, then will every independent site need to create a separate CSR for each one of them?
    Thanks!
    Emilio

    Support for Universal Certificates:
    Cisco ISE, Release 1.2 supports the use of wildcard server certificates for HTTPS (web-based services)
    and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have
    to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN
    field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field
    allows you to share a single certificate across multiple nodes in a deployment and helps prevent
    certificate-name mismatch warnings.
    For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Kindly find the attached PDF for your clarification; ISE 1.2 supports wildcard certificates. I have highlighted the same on page 14.

  • Cisco ise 1.2 install certificates for ise cluster question

    Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes.
    I need to install public CA certs on them. Can I generate 1 CSR on one of the nodes, that includes a SAN with the DNS names of all the nodes?
    Therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?
    Or do I have to generate 1 CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks,

    ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.
    The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html
    Cisco ISE checks for a matching subject name as follows:
    1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
    2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
    3. If no match is found, the certificate is rejected.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*
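    The three matching rules quoted above, worked through in plain Python as an added illustration (this is not Cisco's code, and the one-label reading of "wildcard domain must match the domain in the node's FQDN" is an assumption made here). It also evaluates one shared certificate against every node FQDN in a deployment, which is the situation in the cluster and node-group questions on this page.

```python
"""
Re-implementation of the Cisco ISE subject-name check quoted above, so the
three rules can be exercised offline. Added example, not Cisco code.
Assumption: a wildcard such as '*.company.dk' covers exactly one label, so the
wildcard domain must equal the domain part of the node FQDN.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Certificate:
    """Only the two name fields ISE inspects (constructed, not parsed from real X.509)."""
    subject_cn: Optional[str] = None                          # CN= in the Subject field
    san_dns_names: List[str] = field(default_factory=list)   # dNSName entries in the SAN extension


def _name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive match of one certificate name against a node FQDN."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        wildcard_domain = pattern[2:]
        host, sep, domain = fqdn.partition(".")
        # Require a host label plus an exact domain match: '*.company.dk'
        # matches 'psn1.company.dk' but neither 'company.dk' nor 'a.lab.company.dk'.
        return bool(host) and bool(sep) and domain == wildcard_domain
    return pattern == fqdn


def ise_accepts(cert: Certificate, node_fqdn: str) -> str:
    """Return the rule that accepted the certificate, or 'rejected' (rule 3)."""
    # Rule 1: if the SAN carries DNS names, one of them must match the FQDN.
    if cert.san_dns_names:
        if any(_name_matches(name, node_fqdn) for name in cert.san_dns_names):
            return "rule1-san"
        # DNS names were present but none matched: the CN is not consulted.
        return "rejected"
    # Rule 2: no DNS names in the SAN (or no SAN), so the Subject CN must match.
    if cert.subject_cn and _name_matches(cert.subject_cn, node_fqdn):
        return "rule2-cn"
    # Rule 3: no match found.
    return "rejected"


def check_deployment(cert: Certificate, node_fqdns: List[str]) -> Dict[str, str]:
    """Evaluate one shared (e.g. wildcard) certificate against every node in a deployment."""
    return {fqdn: ise_accepts(cert, fqdn) for fqdn in node_fqdns}


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate shared by a four-node deployment.
    wildcard = Certificate(subject_cn="*.company.dk", san_dns_names=["*.company.dk"])
    nodes = ["ise-admin1.company.dk", "ise-psn1.company.dk",
             "ise-psn2.lab.company.dk", "company.dk"]
    for fqdn, verdict in check_deployment(wildcard, nodes).items():
        print(f"{fqdn:26s} {verdict}")
```

    The last two sample nodes are rejected on purpose: a node in a sub-domain or the bare domain itself is not covered by the wildcard, which is the kind of FQDN mismatch that produces the certificate warnings discussed on this page.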

  • ISE - Installing the same certificate in every PSN in a node group

    Hi,
    To avoid showing the certificate error to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and the friendly URLs for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown: "The certificate already exists in the database".
    How can I import the same certificate (with the same private key) in every PSN in a node group?
    We have ISE 1.1.2
    Thanks in advance!!
    Luis

    Hello All,
    ISE software also uses openssl. Though up to ISE 1.1.x the interface does not provide a field for SAN (Subject Alternative Name), it should support wildcard certificates. It is just the interface that does not facilitate certificate and CSR generation. So we need to generate the certificate and CSR by explicit use of openssl. Tarik has already provided the link which can be of valuable assistance.
    As far as wildcard certificate support is concerned, ISE 1.2 would definitely support this feature. This is confirmed

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both of these versions support wildcard certificates?
    Here you have the log file resulting from installing the wildcard certificate in the WLC with v 7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
         pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in wlc with  v 7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
    When testing from Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificates are not supported for the Edge server (both external and internal interface). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case that may help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Does the iphone support the use of a wildcard certificate?

    Does the iphone support the use of a wildcard certificate?
    Our exchange infrastructure utilises a wildcard (*.companyname certificate) from Godaddy.
    - Connects fine and authenticates
    - Can manually sync and pull emails
    - Can Send and Delete emails
    However, the server is not establishing the ActiveSync connection and ping so mail can be pushed to the device.
    My guess is it's a problem with the wildcard certificate that is used; WM5.0 devices didn't work with it. Does anyone know if the iPhone supports this?
    - I can get to OWA fine which uses the same wildcard cert.
    - WM6.0 devices push mail fine.
    Thanks.

    kfc01,
    The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
    Hope this helps,
    Nathan C.

  • I can't generate a CSR for a wildcard certificate

    I recently received a new Mac Mini OS X Server with the Server 2.2.1 app loaded.
    I cannot figure out how to create a CSR for a wildcard certificate.
    The wizard will not accept * in the input field.
    Can someone point me to the hard way of doing this?
    I need to secure every channel on the server with a wildcard SSL certificate.
    Thanks...

    Hi Gordon,
    You can use the command line to generate your wildcard CSR.
    1. Launch /Applications/Utilities/Terminal.app
    2. At the prompt, type the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
    Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
    Common Name: The fully-qualified domain name, or URL, you're securing.
    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
    See http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2x?pc_split_value=3

  • Wildcard certificates supported by ACE

    We are considering the use of wildcard certificates for our environment. Is this supported by the ACE when using SSL offloading ?
    regards,
    Sebastian

    Be aware that certain mobile devices do not support them; I believe Windows Mobile 5.0 is one of them.

  • Wildcard certificate in Outlook Anywhere

    I tried to fix up our Outlook Anywhere a bit and set the certificate for my EXPR provider to "msstd:*.domain.com" (I use a *.domain.com certificate for Exchange). But all Outlook clients after restart show the error: "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook is unable to connect to the proxy server. (Error Code 0)".
    I set the EXPR provider to "msstd:owa.domain.com" (my Exchange server address) and all works fine now.
    Why could I not switch the certificate to the wildcard?

    Hi,
    If you have done the following changes:
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
    Please follow Ed's suggestion to make sure the wildcard certificate is assigned to the IIS service. We can run the following command to get more information about your certificates:
    Get-ExchangeCertificate | Select CertificateDomains,Services,Status
    If the wildcard certificate is not assigned to the IIS service, please use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
    http://support.microsoft.com/kb/923575
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Wildcard Certificate

    I'm trying to find out if it's possible to use a wildcard certificate on the Lync Edge server's external interface. Or maybe a better question would be: if I use the wildcard, what will break? Like I've read the auto configuration will not work, etc. Looking to get away from having so many certs....

    Agreed, it's not supported. From memory the Edge services don't start. Having said that, yes, you can try it and if it doesn't work, simply assign the correct certs without issue. You shouldn't have any issues with changing certs.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)
    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Wildcard Certificate and Wireless Lan Controller

    Hello,
    I'm working with a WLC 5508 version 7.2.111.3 and I'm looking to use a wildcard certificate. I've just checked on the forum that there was a bug ID, and it seems it's been closed with a workaround of not using wildcard certs. Is it resolved now?
    If yes, could you indicate to me how can I proceed to install it quickly?
    Regards

    Hello,
    The bug was about bad behavior when the wildcard certificate is used. The status of the bug now is "Terminated". That means it was found that the root cause for this bug is not really a bug (bad description, normal behavior, etc.).
    So, I think you can go with the wildcard certificate you have. The bug was opened on the 5.2 version, which is very old compared to 7.2.
    Let us know how it goes.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wildcard Certificate use in Sun Java System Messaging Server (IMAPs/POPs)

    I'm trying to use a wildcard certificate acquired from GlobalSign and am having problems getting it (properly) into the cert database.
    I tried using certutil, and that didn't seem to work at all; it would list without user cert status:
    rmorneau+root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu ,,
    I had some success using msgcert and pk12util, but after importing it in, then seeing that it did have user cert status, after a quick restart of Messaging (IMAP/POP), SSL quit for IMAP and kicked all my IMAPs users out temporarily (until I put the original cert8.db and key3.db back).
    -------- ImapProxy_20101115.log----
    20101115 135531 ImapProxyAService.cfg (id 2590) SSL negotiation failed for IP XXX.XXX.X.XXX: Cannot connect: SSL is disabled. (-12268)
    pop.xxxxxxxxx.edu u,u,u
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu u,u,u
    I truly appreciate any help on this matter.
    -Bob

    > 2. Does the certificate nickname in NSS match the configured certificate nickname in the product?
    I'm not sure, but I'll try that the next time I try this... will probably be late at night where I won't be interrupting IMAPs and POPs.
    > Makes sense. Prior to release 7 update 4, the servers have to be shut down before modifying certificate databases. As of 7 update 4 you can do a one-time migration to the cert9.db/key4.db format that should allow certificates to be updated without taking the servers offline.
    This was in the log just before the other log entry that I showed before.
    20101115 135440 ImapProxyAService.cfg ASockSSL_Init: couldn't find cert imap.xxxxxxxxx.edu (-8174)
    > This is the key line from the log. The server is looking for a certificate with the NSS certificate nickname of 'imap.xxxxxxxxx.edu' and is not finding that certificate so issue 2 is likely the problem.
    Yes, this was it. Oversight on my part; forgot they had to match and could not be a form of just domainname.edu or *domainname.edu.
    > You either need to modify the default:SSLCertNicknames setting to match the nickname of the new certificate, or install the new certificate using the existing certificate nickname of 'imap.xxxxxxxxx.edu'
    I modified the default:SSLCertNicknames setting.
    Thank you CNewman very much for all your help.
    And, for those trawling for an answer with more detail via an Internet search (that is, if Oracle doesn't screw up these forums for anonymous searches):
    With the private key in hand (not password protected), I used 'openssl' to get it into a PKCS#12 type file:
    (It is best to do this as root and not as sudo root, as you might run into problems if your host does not have root power to write to your home dir on the/a NFS share.... you will get "unable to write 'random state'".)
    root@mmp1:/var/opt/SUNWmsgsr/config/GlobalSign-certs-new# /usr/sfw/bin/openssl pkcs12 -export \
    -in ket-wildcard-cert.pem -inkey private.key -out cert.pkcs12 -name xxxxxxxxx.edu
    Enter Export Password:
    Verifying - Enter Export Password:
    Where "private.key" is the key file, "ket-wildcard-cert.pem" is the (PEM format) cert from our cert provider, cert.pkcs12 is our cert file that will be imported into the database, and xxxxxxxxx.edu is whatever you (nick)name your cert in the database.
    (I think you could use a password protected private key if you have that password.. I don't.)
    Next, I used 'msgcert' to import the pkcs12 cert file into the database (I'm sure there is a way to use certutil or even pk12util to do the same, but I'm on Sun Messenger 6.3 at this time, so that's what I used. If someone would like to elaborate for those....?):
    (It is best, when using 'msgcert', to do it where your mailsrv user has some privs.. I took my pkcs12 cert and moved it into /tmp.)
    root@mmp1:/tmp# /opt/SUNWmsgsr/sbin/msgcert import-cert cert.pkcs12
    Enter the PKCS#12 file password: (blank)
    Enter the certificate database password: (token password in sslpassword.conf)
    Make sure your (wildcard) cert nickname matches what you have in ImapProxyAService.cfg and PopProxyAService.cfg at the "default:SSLCertNicknames" field. Edit if need be.
    root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    xxxxxxxxx.edu u,u,u
    root@mmp1:/var/opt/SUNWmsgsr/config# grep default:SSLCertNicknames *AService.cfg
    ImapProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    PopProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    Then, of course, restart the msg service(s).
    /opt/SUNWmsgsr/sbin/stop-msg
    /opt/SUNWmsgsr/sbin/start-msg
    Edited by: 810750 on Nov 18, 2010 8:08 AM
    Edited by: 810750 on Nov 18, 2010 8:11 AM
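    The outage in the thread above came from a nickname that existed in the config files but not in the certificate database. As an added check (not part of the original post or of the Messaging Server product), the following compares the user certificates listed by `certutil -L` with the `default:SSLCertNicknames` values in the `*AService.cfg` files before the services are restarted; the listing and config text below are constructed samples, and the comma-separated nickname list is an assumption.

```python
"""
Pre-restart consistency check for the NSS nickname mismatch described above
(ASockSSL_Init: couldn't find cert ...). Added example, not product code.
"""
from typing import Dict, List, Set

# Constructed sample of `certutil -L -d .` output after importing the wildcard cert.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign-Ext-CA                                            CT,c,
*.example.edu                                                u,u,u
"""

# Constructed sample of the two proxy config files; the IMAP one still names the old cert.
CONFIG_FILES = {
    "ImapProxyAService.cfg": "default:SSLCertNicknames imap.example.edu\n",
    "PopProxyAService.cfg": "default:SSLCertNicknames *.example.edu\n",
}


def user_cert_nicknames(certutil_listing: str) -> Set[str]:
    """Nicknames whose trust flags contain 'u', i.e. entries backed by a private key."""
    names = set()
    for line in certutil_listing.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or "," not in parts[1]:
            continue  # header, blank or malformed line
        nickname, flags = parts
        if "u" in flags.split(","):
            names.add(nickname)
    return names


def configured_nicknames(config_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Per config file, the nickname(s) under default:SSLCertNicknames (assumed comma-separated)."""
    result: Dict[str, List[str]] = {}
    for fname, text in config_files.items():
        for line in text.splitlines():
            key, _, value = line.strip().partition(" ")
            if key == "default:SSLCertNicknames":
                result[fname] = [n.strip() for n in value.split(",") if n.strip()]
    return result


def find_mismatches(certutil_listing: str, config_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Config files whose SSLCertNicknames reference no user certificate in the database."""
    available = user_cert_nicknames(certutil_listing)
    problems: Dict[str, List[str]] = {}
    for fname, names in configured_nicknames(config_files).items():
        missing = [n for n in names if n not in available]
        if missing:
            problems[fname] = missing
    return problems


if __name__ == "__main__":
    for fname, missing in find_mismatches(CERTUTIL_OUTPUT, CONFIG_FILES).items():
        print(f"{fname}: no user certificate nicknamed {missing} in the database; fix before restarting")
```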

  • Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

    Hello
    I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
    Setup:
    We have two Cisco ASA 5525-X in an active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus piece of information, I previously had a test setup (stand-alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be because I am running a failover setup now and didn't previously, or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
    Configuration in regards to certificate:
    crypto key generate rsa label vpn.company.dk modulus 2048
    crypto ca trustpoint vpn.trustpoint
    keypair vpn.company.dk
    fqdn none
    subject-name CN=*.company.dk,C=DK
    !id-usage ssl-ipsec
    enrollment terminal
    crl configure
    crypto ca authenticate vpn.trustpoint
    ! <import intermediate certificate>
    crypto ca enroll vpn.trustpoint
    ! <send CSR to CA>
    crypto ca import vpn.trustpoint certificate
    ! <import SSL cert received back from CA>
    ssl trust-point vpn.trustpoint outside
    Problem:
    When I try to import the certificate I receive the following error:
    crypto ca import vpn.trustpoint certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    quit
    ERROR: Failed to parse or verify imported certificate
    Question:
    - Does anyone have any pointers in regards to what is going wrong?
    - Especially in regards to fqdn and CN, I also have a question. My config
    fqdn none
    subject-name CN=*.company.dk,C=DK
    would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
    So do you have insight or pointers which might help me?
    Thank you in advance

    I also have a wildcard cert for my SSL VPN ASAs.
    When I import the cert I use ASDM instead of the CLI...
    I import the wildcard as a *.pfx file and type in the password. It works fine...
    Perhaps the format is incorrect?
    Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
    Not sure if this helps but give ASDM a try?
