Nexus 7000 SSL wildcard SSL certificate support ?

Hello
I want to verify if Nexus 7000 supports wildcard SSLs.
Cheers

I have the same problem on a 5515-X, and I've tried pretty much the same things. The weird thing for me is that everything worked great until I did an OS upgrade. Back on 8.6.1, my browser successfully verified the certificate on my SSL VPN login page, and AnyConnect never brought up any warning boxes. But after I upgraded to 9.1.3, the box was back to using a self-signed cert. The wildcard identity certificate seems to have just disappeared, though the GoDaddy CA cert and my local CA cert both stayed intact.
I've used OpenSSL to convert and verify my cert file in a number of different ways, but all of my supposedly valid files still get the import operation failed message. So it seems like there was some OS change that suddenly made my wildcard incompatible, but I haven't figured out what it is yet.
Hope this helps, for both our sakes.

Similar Messages

  • Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support ?

    Hello
    I want to verify if Cisco ASA 5585-X SSP-20 supports wildcard SSLs.
    Cheers

    Supports them how?
    As certificates issued to the ASA and properly bound to its interfaces to support SSL VPN or ASDM access - yes.
    You can configure a wildcard (or any other) certificate improperly and cause things not to work. However it's not a limitation of the device's operating system not supporting it.

  • Can't install a wildcard SSL certificate

    Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates.
    I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried to update the self-signed certificate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certificate and chain files to add.
    However, this is where it gets strange...
    The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identity certificate list. I am able to replicate this every time!
    Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
    I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
    Any insights appreciated! TAA

    In fact I had the same issue last week and I could only solve it by exporting the key with the certificate in a PKCS12 file. Fortunately this is supported by the Windows certificate manager where the certificate was originally installed.
    You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to Terminal, it is installed on an OS X box) and fire the following command (and change the filenames ;-)):
    openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
    The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
    Good luck with it

  • Wildcard SSL certificates

    Hi, I was wondering if someone got CSS1150X with SSL accelerator working with a wildcard SSL certificate. We have 10+ sites we would like to enable SSL on and figured wildcard certificates are the way to go based on the cost. Especially since most of the wildcard certificates come with the limitation of being able to install them on only one physical machine. I assume the CSS would be considered one physical machine if SSL traffic is terminated on the CSS; however, I wanted to find out whether a wildcard SSL certificate is supported on the CSS. We are using CSS11503 and, depending on whether it supports wildcard certificates, we are planning on purchasing an SSL accelerator.

    Thanks for the information, Gilles. Looking at the pricing structure of SSL certificates, I wonder why wildcard certs aren't widely used as one would expect based on the cost. Well, I guess I will find out when I implement one. Thanks again.

  • Wildcard * SSL Certificates for TTA??

    Is there any way I can use a wildcard SSL certificate like:
    *.mycompany.com
    in my TTA server?
    I was able to run all the cert commands successfully using the
    *.mycompany.com cert:
    Generated the CSR (tarantella security certrequest)
    Installed the Cert File (tarantella security certuse)
    Installed the Chained CA cert (tarantella security customca)
    Review/validate certinfo (tarantella security certinfo)
    The TTA-installed Apache webserver was fine with the wildcard certificate
    since I was able to goto:
    https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
    But after I went to:
    https://subdomain.mycompany.com/tarantella/
    I got the following errors in my Java Console:
    Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
    server...
    Secure Global Desktop 4.10.903: Using secure connection to
    Secure Global Desktop server subdomain.mycompany.com:443
    Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
    for this Secure Global Desktop server (subdomain.mycompany.com) due to name
    mismatch.
    Secure Global Desktop 4.10.903: Client dropping connection.
    Secure Global Desktop 4.10.903: Unable to connect: Certificate
    (*.mycompany.com) not accepted for this Secure Global Desktop server
    (subdomain.mycompany.com) due to name mismatch.
    Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
    Is there a way that I can get the applet to do a regex-ish match on the name
    for wildcard certs?
    Cyrus

    Hi Cyrus
    I was loosely referring to PKI rules e.g.
    http://www.ietf.org/proceedings/98mar/98mar-edited-110.htm
    http://www.iihe.ac.be/internal-report/1997/stc-97-19.html
    Wildcarding isn't supported. I understand what you are trying to do now
    but it won't work because the software is looking for a certificate
    matching a single server.
    The certrequest command is just a wrapper script for openssl so it won't
    stop you doing anything the openssl command believes may be valid. You don't
    actually need to use this command it's just there for convenience, you
    could do everything just using openssl.
    The current documentation doesn't explicitly state that you can't use
    wildcards in certificates but it does say you need a certificate for a
    SGD server. My understanding of the wildcard issue is that it is up to
    a particular application to decide what is appropriate.
    http://www.tarantella.com/support/documentation/sgd/ee/4.1/help/en-us/tsp/gettingstarted/whatare_certs.html
    Regards
    Barrie
    On 2005-08-15, Cyrus Mehta <[email protected]> wrote:
    May I inquire as to where these rules are listed regarding SSL Certs, I
    didn't see anything to the effect in the documentation. Also why weren't
    the rules enforced at certificate generation time. Even the validation
    command (tarantella security certinfo) had no problems.
    The CSR generation/signing went through flawlessly and created a wildcard
    cert that Apache could use. It's one thing if the whole cert process
    couldn't handle a wildcard, but it seems like everything would have worked
    if only the applet accepted a wildcard regex match.
    Regards,
    Cyrus
    barrie wrote:
    Hi Cyrus
    No, sorry. The rules say you can't do that. You are required to have a
    certificate for a node not a network.
    Regards
    Barrie

  • Wildcard SSL Certificates with MFE?

    Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
    We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
    Before doing anything I figured I'd try a website that used a wildcard certificate.
    When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
    My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
    If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
    Thanks.

    This is an interesting question. I look forward to testing this myself.
    What kind of cert and website did you use in your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK a wildcard doesn't match addresses consisting of the domain part only, so the latter one might not work.

  • SA520 Wildcard SSL Certificate?

    I have a wildcard SSL certificate for our domain from RapidSSL. I installed the intermediary certificates fine but I can't get the actual cert to install. I get the message "Can't Upload Invalid Self Certificate". Has anyone else ever successfully used a wildcard cert with an SA?

    Hello Mr. Williamson,
    In order to get a new SSL certificate please follow the next instructions:
    STEP 1: Click Administration > Authentication.
    The Authentication (Certificates) window opens.
    STEP 2: For each type of certificate, perform the following actions, as needed:
    • To add a certificate, click Upload. You can upload the certificate from the PC
    or the USB device. Click Browse, find and select the certificate, and then
    click Upload.
    • To delete a certificate, check the box to select the certificate, and then click
    Delete.
    • To download the router’s certificate (.pem file), click the Download button
    under the Download Settings area.
    STEP 3: To request a certificate from the CA, click Generate CSR.
    The Generate Certification Signing Request window opens.
    a. Enter the distinguished name information in the Generate Self Certificate
    Request fields.
    • Name: Unique name used to identify a certificate.
    • Subject: Name of the certificate holder (owner). The subject field populates
    the CN (Common Name) entry of the generated certificate and can contain
    these fields:
    - CN=Common Name
    - O=Organization
    - OU=Organizational unit
    - L= Locality
    - ST= State
    - C=Country
    For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
    Whatever name you choose will appear in the subject line of the generated
    CSR. To include more than one subject field, enter each subject separated
    by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA
    • Hash Algorithm: Algorithm used by the certificate. Choose between MD5
    and SHA-1
    • Signature Algorithm: Algorithm (RSA) used to sign the certificate.
    • Signature Key Length: Length of the signature, either 512 or 1024.
    • (Optional) IP Address, Domain Name, and Email Address
    b. Click Generate.
    A new certificate request is created and added to the Certification Signing
    Request (CSR) table. To view the request, click the View button next to the
    certificate you just created.
    Or you could check it at the following link; please see page 191.
    http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
    I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.
    Thank you

  • CSM-S SSL wildcard certificates

    Can the CSM-S use wildcard SSL certs so I only need 1 SSL cert for *.test.com? I know the CSS can do it but can the module?
    Thanks,
    David

    Yes it does.
    Use CN=*.test.com while generating CSR.
    Syed

  • Use Wildcard SSL Cert to Monitor Non-Domain Computers

    Hello,
    I was wondering if a wildcard SSL cert from GoDaddy or another provider can be used to monitor non-domain computers on SCOM 2012R2?
    TIA,
    Jim

    Hi,
    The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
    Regards,
    Yan Li

  • Possible Safari wildcard SSL issue

    I really hope this is the right venue for this sort of thing. This is my first post here, so please forgive me if this is not the place.
    That said, I think that I have run into an issue with the way that wildcard SSL is handled in Safari.
    I have an SSL cert for *.sld.tld (a wildcard cert). I expect the cert to operate properly with 'www.some.sld.tld' under SSL but interestingly, that won't work under Safari.
    I'm sorry to be dry and cite RFCs, but I think it best illustrates the problem and perhaps why both Firefox and Opera will allow for the above as valid in SSL with a wildcard cert.
    The author for RFC2818 (which is the RFC I think that most folks will probably point to regarding this issue) says "Matching is performed using the matching rules specified by [RFC2459]." and then goes on to give some examples.
    RFC2459 says, "For URIs, the constraint applies to the host part of the name. The constraint may specify a host or a domain. Examples would be "foo.bar.com"; and ".xyz.com". When the the constraint begins with a period, it may be expanded with one or more subdomains. That is, the constraint ".xyz.com" is satisfied by both abc.xyz.com and abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied by "xyz.com". When the constraint does not begin with a period, it specifies a host. " - Page 35 RFC 2459
    and this:
    "DNS name restrictions are expressed as foo.bar.com. Any subdomain satisfies the name constraint. For example, www.foo.bar.com would satisfy the constraint but bigfoo.bar.com would not." - Same page RFC 2459
    Specifically, if you substitute 'abc' with 'www' in this phrase from above -".xyz.com" is satisfied by both abc.xyz.com and abc.def.xyz.com., you pretty much get what I want to have happen in Safari. Specifically, www.sld.tld and www.def.sld.tld would be both valid for HTTPS requests using the wildcard *.sld.tld SSL certificate.
    If I have DNS control of a domain and I have a wildcard cert for that domain, then really based on logic and the RFC cites above, any valid DNS sub domain under the controlled domain should be available for SSL.
    Tell me where I am going wrong here. Or, if I actually found a problem, please fix the bug when you can.
    I don't wish to be accused of self promotion, so I won't list my real world URL example here, however if someone at Apple would like to have it, they are welcome to contact me and I will provide a direct example of the problem.
    Thanks,
    CommerceCompany

    I have not independently researched the RFCs, but I am running into a similar problem and require a similar solution as you request. In my case, the issue arises in Mail.app instead of Safari.
    I found the following reference in another forum, which would indicate that this person's interpretation of the RFC for wildcard domains in certificates is that an asterisk (*.foo.com) is only valid at one sub level (this interpretation is opposite yours, unfortunately). This behavior seems counter-intuitive, and I, like you, would hope that it would match all sub levels under foo.com.
    http://www.dreamhoststatus.com/2007/06/17/ssl-certificate-renewal-for-most-customers/#comment-42283
    In my case, I am trying to secure mail connections using SSL in Mail.app when connecting to a mail server hosted by a hosting company (MediaTemple.net). Their hosting domain is gridserver.com, and their SSL cert is for *.gridserver.com. Their hosted mail servers are provided via machine names similar to the following:
    myhosteddomain.com.myaccountnumber.gridserver.com
    Even after storing the *.gridserver.com cert in my keychain appropriately, this will not match in Mail.app.
    Other forums (including the one above) seem to indicate that other mail clients honor the wildcard match for all manner of subdomains, regardless of whatever the 'correct' interpretation of the RFCs are. I hope that Apple will either set us straight on an appropriate way to achieve this, set us straight on why it is a dangerous thing to do, or consider modifying their certificate matching in Mail and Safari, etc., to support these subdomain issues.
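
The one-sub-level reading mentioned in the reply above is the behaviour RFC 2818 section 3.1 illustrates (`*.a.com` matches `foo.a.com` but not `bar.foo.a.com`), while the RFC 2459 passages quoted in the question describe name constraints, which match a whole subtree. The following is an added example, not code from any poster or vendor; the function names are hypothetical, and it assumes the strict form in which `*` must be the entire left-most label. It runs both rules over the hostnames quoted in these threads.

```python
"""Added example: wildcard hostname matching vs. subtree (name-constraint) matching."""


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split it into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wildcard_matches(pattern, hostname):
    """Single-label wildcard match: '*' stands for exactly one left-most label."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or any("*" in label for label in h):
        return False                      # empty label, or '*' in the requested name
    if not any("*" in label for label in p):
        return p == h                     # no wildcard: exact, case-insensitive match
    # Assumption of this example: '*' must be the whole left-most label and be
    # followed by at least two labels, so '*.com' and 'a.*.com' are rejected.
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def subtree_matches(constraint, hostname):
    """Name-constraint style match for a constraint with a leading dot
    ('.xyz.com'): any depth of subdomain matches, the bare domain does not."""
    if not constraint.startswith("."):
        return _labels(constraint) == _labels(hostname)
    c, h = _labels(constraint[1:]), _labels(hostname)
    return "" not in h and len(h) > len(c) and h[-len(c):] == c


# Certificate name / requested hostname pairs quoted in the threads on this page.
CASES = [
    ("*.sld.tld", "www.sld.tld"),
    ("*.sld.tld", "www.some.sld.tld"),
    ("*.gridserver.com", "myhosteddomain.com.myaccountnumber.gridserver.com"),
    ("*.mycompany.com", "subdomain.mycompany.com"),
    ("*.example.com", "example.com"),
]


def compare_cases(cases=CASES):
    """Return (pattern, hostname, wildcard result, subtree result) per case.
    The subtree rule is applied to the pattern with its '*' removed."""
    return [
        (pat, host, wildcard_matches(pat, host), subtree_matches(pat[1:], host))
        for pat, host in cases
    ]


if __name__ == "__main__":
    for pat, host, wild, sub in compare_cases():
        print(f"{pat:18} {host:52} wildcard={wild!s:5} subtree={sub}")
```

A hostname that passes this check can still be refused by an application that applies a stricter policy of its own, as the Secure Global Desktop thread on this page shows.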

  • Install GoDaddy wildcard SSL on WLC 2504 controller

    I'm attempting to install a GoDaddy wildcard ssl certificate onto a WLC 2504 running version 7.4.100.0.
    I am getting the error "#SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4055 Cannot PEM decode private key" when downloading the .pem file to the controller.
    What I have attempted to do was to export the certificate from a Windows 2008 R2 server into a .pfx file. The file contained the private key and all possible root certificates (in this case a root and an intermediate cert). Now I took this .pfx file and attempted to create a .pem file with openssl using the following command: openssl pkcs12 -in myssl.pfx -out mynewssl.pem -passin pass:mypassword -passout pass:mypassword
    Now I have opened the .pem file and verified it does contain the private key and the three certificates (wildcard, intermediate and root).

    Seth,
    I had a similar problem, and saw the solution in another post on this forum. I am cross-posting this to help anyone else out there who might be searching for this answer.
    Kudos to Robert Wells for finding this:
    "I have it fixed now. The problem was the cisco only supports openssl 0.9.8x. I was using 1.0.1c. I used 0.9.8x and it worked perfectly fine."
    The Windows version of OpenSSL I used was the 0.9.8y Light version from:
    http://slproweb.com/download/Win32OpenSSL_Light-0_9_8y.exe
    I hope this helps someone out there with this problem.
       - Ken

  • 10.6.2 - Unable to access Wildcard SSL websites as Regular User, Admin OK

    Hello,
    I ran into a weird problem with Snow Leopard 10.6.2 after some of the recent updates on Snow Leopard 10.6.2:
    If using a standard user account (one that cannot administer the machine), I am unable to access any SSL enabled website that uses a wildcard certificate.
    If I switch to the main account (or any account that can administer the computer) then all is OK and the wildcard SSL website comes right up!
    Here is a website to test on: https://vsi.powerschool.com (it uses a *.powerschool.com wildcard certificate)
    This behavior started just recently, as apple must have done some changes, but I cannot seem to find a fix, can anyone PLEASE help?
    Thanks in advance!
    Stefan.

    I did get a "stock" response from Apple support, and I am pasting it below.
    While it may help some of you, for me it is NOT a solution. It is as if Apple does not even want to acknowledge this major bug.
    I temporarily got around the problem by identifying that the parental controls are actually blocking DNS resolution, and not access to the sites themselves!
    Therefore, I added the wildcard SSL website to the /etc/hosts file with its corresponding IP address so as to bypass DNS lookups for it. As long as the IP address does not change all will be OK, so I still do not consider this a fix.
    =========== Apple Response ==========
    Secure (HTTPS) websites need to be added to the list of allowed sites (white list). For each site that needs to be added, use the "host" command in Terminal with the domain name to obtain its IP address, then use the host command with the IP address to obtain the reverse domain name. For example:
    $ host gmail.com
    gmail.com has address 74.125.127.83
    gmail.com has address 209.85.225.83
    gmail.com has address 74.125.79.83
    gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
    gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
    gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
    gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
    $ host 74.125.127.83
    83.127.125.74.in-addr.arpa domain name pointer pz-in-f83.1e100.net.
    In this case, the result is "1e100.net" (ignoring subdomains), which is different than the domain we started with. Therefore, add both "gmail.com" and "1e100.net" to the white list.
    Repeat these steps for each secure site that needs to be accessed in Parental Controls.
    ======================================

  • Wildcard SSL Cert on ASA 5500

    What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert?  I'm running 8.2.5 code.

    Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.

  • Wildcard SSL cert on ASA

    Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

    Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
    If you need help with configuration, let me know.
    You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
    Regards,
    Roman

  • Wildcard ssl

    So our company has a wildcard SSL certificate that we use for most of our websites, and I've just set up a new 10.8 server for the use of Profile Manager. I've added our wildcard SSL certificate to the system keychain and trusted it, but for the life of me I can't get the SSL cert to take. I see it listed in the Server manager and select it and save the changes, but then I open up the SSL cert again and there is nothing selected.
    Any ideas?
    Thanks in advance.

    So in server app go to
    Hardware>Settings then click edit beside SSL certificate
    Click manage certs and hit the + and create certificate identity
    On the first page of the wizard you want to check "override defaults". Step through the rest of the wizard (pretty straightforward) until you get to the Subject Alternate Name extension. In the dNSName you want to enter *.mydomain.com. Finish the wizard and allow it access to your keychain.
    Then use that cert and "generate certificate signing request (CSR)" and use that to create your SSL. Download your certs. Go back into server app
    Hardware>Settings then click edit beside SSL certificate
    Select the cert you made and click on the gear "Replace Certificate with signed or renewed Cert" and drag in your server.mydomain.com.crt cert (the one you downloaded).
    Next open up keychain access app and select:
    System
    Certificates
    then drag in the intermediate cert (need to enter your local admin password)
    That should link your cert up
    Let me know if that makes sense
