NAC with EV SSL certs

Does anyone know if the NAC appliance supports EV SSL certs; especially version v4.7.x.
Any insight into older versions (4.1.3 and higher) for compatibility would be appreciated. Thanks!
ben

Hello! The higher key length is a problem on an older version (4.1.3), not 4.7.x; etc where you can specify it. 4.1.3 you cannot specify it and it's not strong enough.
Ben

Similar Messages

Getting sec_error_inadequate_cert_type with Private SSL Cert

Howdy,
I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
One of the certs that hasn't expired yet but is experiencing problems can be found here:
* https://forums.silicateillusion.org
One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
* https://phpmyadmin.endofevolution.com
These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
The CA Cert is in FireFox's store as trusted.
If needed, I can provide certs.

''SniperFodder [[#answer-626818|said]]''
<blockquote>
I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
"Certificate type not approved for application."
</blockquote>

CertPrincipalName forced to wrong setting on server with wildcard SSL cert

Dears
After testing Exchange 2013 for a couple of weeks with a limited amount of IT personnel, we have migrated the first batch of users from 2010 to 2013.
That was the biggest mistake we've done this.. week..
The error is identified as an autodiscover/ssl problem. No matter what I specify in CertPrincipalName on CAS, Outlook resets itself to msstd:server.domain.com
I have tried with "none" and "msstd:*.domain.com" but it always resets to msstd:server.domain.com
Outlook Autoconfigure test returns the correct value. Any ideas?
All our clients are not domain members, so setting this with GPO is not an option.

I have compared how autodiscover works for clients on 2013 and on 2010. It is definitely server related. Clients still on a 2010 mb server get's the correct value msstd:*.domain.com.
The only difference I see in the autodiscover xml is that on 2013 there is two extra blocks of data for protocol "EXHTTP". One of these blocks does not contain the CertPrincipalName value.
<Protocol>
<Type>EXHTTP</Type>
<Server>mailbox.domain.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://ex02.domain.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://ex02.domain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.com</EcpUrl-extinstall>
<OOFUrl>https://ex02.domain.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://ex02.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://mailbox.domain.com/OAB/3abb5758-f1c7-4246-9f9f-bbf390f5febb/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>

Remote Desktop Services Single SSL Cert with multiple hosts

I am trying to use a single SSL Cert from a third party issuer. I have 3 servers in my deployement all are 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are
RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL. It works currently with the
exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match. Is anyone else using a similar setup and had success with it? I am trying
to avoid buying an expensive wildcard cert to cover all of them.

Hi,
Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC. To do this, log on to RD Web Access using IE, right-click and choose View Source. Find the goRDP function for the icon you want to examine and copy
the text between the ' marks. Next paste this into the escape text box the below page:
http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
Click complete unescape to get the plain text version. After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file. Once you have the .rdp file created you can compare
it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
Thanks.
-TP

IMAP Mail Setup with self-signed SSL certs

I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

We have a Certificate Authority (Version: 5.2.3790.3959) configured on Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
Currently i am only able to generate SSL cert with md5RSA.

Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang

ACE: Single SSL Cert for two domains with same VIP

At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
policy-map multi-match popvip_01
class POP_VIP01
loadbalance vip inservice
loadbalance policy POP-POp3_PMT or popPMT1
loadbalance vip icmp-reply
ssl-proxy server GINPOP_SSLPROXY
connection advanced-options TCP_PARAM_Y
class POP3_VIP02
loadbalance vip inservice
loadbalance policy POP-POp3_PMT or POPPMT2
loadbalance vip icmp-reply
ssl-proxy server GINPOP3_SSLPROXY
connection advanced-options TCP_PARAM_Y
however,
if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
ie,
pop.mydomain.com = 10.10.10.1 995
pop3.mydomain.com = 10.10.10.1 995
Any suggestions would be appriciated.

Hello,
In order to achieve this then you will need to order a wildcard certifictae ie
*.mydomain.com
These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
Regards

Http Analyzer connecting to server with self-signed SSL cert

When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
Am using JDeveloper 10.1.3.
Thanks,
John

I fixed that by getting certs from: https://www.startssl.com/?app=1.
The certs are free and work fine.
Since Iphone 4 apple does not accept unknown CA Authorities.

ITunes U cannot fetch HTTPS feeds with current generation of SSL certs

I've outlined this problem previously with no resolution, but given that public iTunes U sites are about to rely even more on feeds it's even more important that a solution be found.
Here's the summary of the unresolved thread http://discussions.apple.com/thread.jspa?messageID=11012798
iTunes U will no longer update valid feeds from our LMS. Our LMS is entirely SSL/TLS and recently had its certificate updated. The DigiCert certificate and feed are working at https://lms.brocku.ca/podcasts/site/BuildaPodcast . However iTunes U sends an E-Mail to the owner once it is changed to this URL that reads:
"iTunes U could not update the content because iTunes U could not download the specified feed (https://lms.brocku.ca/podcasts/site/BuildaPodcast). Until the issue is resolved, iTunes U continues to display the last downloadable version of the content. Verify that the feed specified in the feed URL field and the resource are available, and then try again"
In the interim we've been fetching the exact same RSS feed and hosting it at http://ctlet.brocku.ca/~mclare/podcast/BuildaPodcast so that iTunes U can fetch it with out SSL/TLS - but we can not do this for all podcasts.
Older versions of the command line tools like cURL (and its library) and wget have a similar problem. In their situation their root certificates are not fully updated. Could this be the case for the iTunes U feed fetcher?
Thanks for looking into this.
.\.\att

Hi Mark,
Thanks, it is indeed now updating.
When I updated it yesterday (a little before 2:04 EST) I did not get the previous Error prompt - but I didn't know if that was an iTunes 9 change in interface or the problem being solved. I did get an E-Mail from iTunes U <[email protected]> subject "iTunes U unable to update Course page group Brock University > Brock Community > Sakai > Help for Instructors" - full E-Mail below.
I edited the feed/section again today (10:12 EST) and the status appears to indicate that it was updated. BUT, I again received this E-Mail:
E-Mail :"Dear iTunes U administrator, instructor, or course manager,
Your 'Sakai' course in your brocku.ca iTunes U site populates its 'Help for Instructors' group track list automatically from an RSS feed, based on the podcast RSS feed URL and details you specified. iTunes U encountered the following error while trying to access the podcast RSS feed:
iTunes U could not update the content because iTunes U could not download the specified feed (https://lms.brocku.ca/podcasts/site/BuildaPodcast). Until the issue is resolved, iTunes U continues to display the last downloadable version of the content. Verify that the feed specified in the feed URL field and the resource are available, and then try again.
To check your iTunes U podcast RSS feed URL and details, edit your Course page group located at Brock University > Brock Community > Sakai > Help for Instructors.
Sincerely,
The iTunes U Team"
It is great that content will start moving now, but can anything be done about the spurious E-Mails?

How to setup SSL cert for SharePoint apps in a three tier farm with nlb

I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

Please check the below thread..
https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
Mahesh

FTP with SSL cert on ACNS via WCCP

I have a client using an SSL cert to connect to an ftp server. The user is being redirected to a CE-511 via WCCP v2 but the FTP connection does not work. If I bypass the user (in my wccp acl) it works fine - following a default route to my PIX.
Any info, good or bad will be greatly appreciated.
- Matt

What is the software version running on the CE-511. Did you try upgrading to the latest version of the firmware. This should solve the issue.

EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew

Hard to tell what is happening without looking at the application
source, knowing what OS & hardware you're using etc. You might want to
try running with different JVM versions to see if it's actually the VM
that is the problem. If you have a support contract with BEA you could
ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
seems to happen on loading the machine..the performance progressively gets worse
and after a couple of seconds, all the threads stop responding. I checked the
heap, cpu and the idle threads in the execute queue and there is nothing there
to trigger alarms...there are quite a few idle threads still and the heap and
the cpu utilization seem OK. On doing a thread dump, Is see that all the other
threads seem to be in a state where they are waiting for data from LDAP and it
is basically read only data that they are waiting on.
Does anyone know what it is going on and help point me in the right direction.
-Ayub

Site with self-signed cert no longer loads in FF 4

When attempting to load a page with aself-signed cert, one that previously loaded in 3.x, I now get the following error:
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)
I was accessing via https.

See:
* http://wiki.mozilla.org/Security:Renegotiation

Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

Coldfusion 11
Windows Server 2012 R2
Both the Coldfusion admin and additonal site work fine on HTTP.
As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
Coldfusion 11 - Web Sockets via SSL
The Coldfusion-error.log shows
Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
Any assistance welcome - I can't allow this site to made publicly available with using SSL.
SM

@Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
Finally, when you say that if you “comment out the SSL sections it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
/charlie

SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

I utilized the idea from
http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance. In short, create the new Clustered SQL instance on Node1,
installing Reporting Services with it. Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
feature on Node2. It points out using the SQL Cluster Network name for connecting to Reporting Services.
I verified upon failover that I could still access the Reports and ReportServer URLs. However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert. The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

NAC with EV SSL certs

Similar Messages

Maybe you are looking for