Non-Verisign certs in WS7

Hello,
I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
Thanks,
Bill

Output of wadm list-certs --verbose -all:
nickname        issuer-name     expiry-date
[email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PM

There is no -h option to certutil -L:

certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]

However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
# pk12util -o xxx -d . -n [email protected]:Server-Cert  
Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "[email protected]":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
# pk12util -i xxx -d $PWD
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -L -d .   
Network Solutions Certificate Authority - GTE Corporation    c,, 
Server-Cert                                                  u,u,u
# certutil -L -d . -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
            ns L.L.C.,C=US"
        Validity:
            Not Before: Fri May 19 00:00:00 2006
            Not After : Sat May 19 23:59:59 2007
        Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
            et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
            S"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                    46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                    d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                    39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                    49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                    df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                    82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                    10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                Exponent: 65537 (0x10001)
(stuff deleted for brevity - let me know if you need to see all of this output)

Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
BTW, I also sent a note to NetSol's support people, and they had this thought:
As we use an intermediate, that could be the reason why they are not listed.
Without the intermediate it will not find a chain to the trusted root.
We would recommend contacting the software provider for details on
importing the intermediate into the application server.

I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
# certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
-d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
# certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
-d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
# certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
-d . -a -i /tmp/certs/NetworkSolutions_CA.crt
# certutil -L -d .
Admin-Server-Cert                                            u,u,u
Admin-Client-Cert                                            u,u,u
AddTrust External Root                                       CT,C,C
UTN-USERFirst-Hardware - AddTrust AB                         c,,
Network Solutions Certificate Authority - GTE Corporation    c,,
Admin-CA-Cert                                                CTu,u,u

However, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
Let me know what you'd like to see next.
Thanks,
Bill
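
The NetSol reply above says the cert is not listed because, without the intermediate, no chain to a trusted root can be built, and the certutil -A commands show the trust flags used for each CA cert. The following is an added example, not code from the thread or from the web server: a small Python model of that chain-building decision driven by the same trust flags certutil -L prints. The certificate table is constructed for illustration; the issuer relationships between the Network Solutions CA, UTN-USERFirst-Hardware and AddTrust External Root are assumed from the file names in the thread, not taken from the page.

```python
# Added example, not code from the original thread or from the web server.
# It models how NSS decides whether a server certificate chains to a trusted
# root, using the trust flags that 'certutil -L' prints, so the effect of a
# missing intermediate can be seen without an NSS database.
# The certificate table is constructed for illustration: the subject/issuer
# relationships are assumed, not taken from the page.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    nickname: str
    subject: str
    issuer: str
    trust: str  # certutil -L flags: "<SSL>,<S/MIME>,<code signing>"


def parse_certutil_line(line: str) -> Tuple[str, str]:
    """Split one 'certutil -L' listing line into (nickname, trust flags).

    Nicknames may contain spaces and hyphens, so split on the last run of
    whitespace; the flags are the trailing 'x,y,z' field (possibly ',,').
    """
    nickname, _, flags = line.rstrip().rpartition(" ")
    return nickname.rstrip(), flags


def ssl_flags(trust: str) -> str:
    """The SSL column of the trust string, e.g. 'CT' from 'CT,C,C'."""
    return trust.split(",")[0]


def build_chain(leaf_nick: str, store: Dict[str, Cert],
                max_depth: int = 8) -> Optional[List[str]]:
    """Walk issuer links from the leaf until a cert trusted for SSL ('C').

    Returns the chain of nicknames, or None when the chain breaks: an
    issuer is absent from the store, an issuer is not flagged as a CA, or a
    self-signed cert is reached that carries no 'C' trust.  Real NSS also
    checks BasicConstraints, key usage and validity dates; this model
    deliberately looks at trust flags and issuer links only.
    """
    by_subject = {c.subject: c for c in store.values()}
    cert = store[leaf_nick]
    if "P" in ssl_flags(cert.trust):      # explicitly trusted peer: no chain needed
        return [cert.nickname]
    chain: List[str] = []
    while len(chain) < max_depth:
        chain.append(cert.nickname)
        if "C" in ssl_flags(cert.trust):  # reached a trusted SSL CA
            return chain
        if cert.subject == cert.issuer:   # self-signed but not trusted
            return None
        issuer = by_subject.get(cert.issuer)
        if issuer is None:                # intermediate missing from the DB
            return None
        if issuer.nickname in chain:      # cross-signing loop
            return None
        if not set("cC") & set(ssl_flags(issuer.trust)):  # not marked as a CA
            return None
        cert = issuer
    return None


# Constructed store.  Trust strings mirror the 'certutil -A -t' values used
# in the thread: 'c,,' for intermediates, 'CT,C,C' for the root.
LEAF = Cert("Server-Cert",
            "CN=*.qisc.com,O=Quixote Internet Services & Consulting, Inc.,C=US",
            "CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US",
            "u,u,u")
CHAIN = [
    Cert("Network Solutions Certificate Authority - GTE Corporation",
         "CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US",
         "CN=UTN-USERFirst-Hardware,O=The USERTRUST Network,C=US",  # assumed issuer
         "c,,"),
    Cert("UTN-USERFirst-Hardware - AddTrust AB",
         "CN=UTN-USERFirst-Hardware,O=The USERTRUST Network,C=US",
         "CN=AddTrust External CA Root,O=AddTrust AB,C=SE",         # assumed issuer
         "c,,"),
    Cert("AddTrust External Root",
         "CN=AddTrust External CA Root,O=AddTrust AB,C=SE",
         "CN=AddTrust External CA Root,O=AddTrust AB,C=SE",
         "CT,C,C"),
]


def make_store(include_chain: bool, root_trust: str = "CT,C,C") -> Dict[str, Cert]:
    """Leaf alone, or leaf plus the CA chain with the root's trust overridden."""
    certs = [LEAF]
    if include_chain:
        for c in CHAIN:
            if c.subject == c.issuer:
                c = Cert(c.nickname, c.subject, c.issuer, root_trust)
            certs.append(c)
    return {c.nickname: c for c in certs}


if __name__ == "__main__":
    for label, store in [("leaf only", make_store(False)),
                         ("leaf + chain", make_store(True)),
                         ("root imported with ',,'", make_store(True, ",,"))]:
        print(f"{label:24s} -> {build_chain('Server-Cert', store)}")
```

Running the module shows the three cases the thread turns on: the leaf alone yields no chain, the leaf plus the two intermediates and the root yields a four-cert chain, and importing the root with empty trust flags (',,' instead of 'CT,C,C') breaks the chain again even though every cert is present. The model only answers whether a chain can be built in one database; it does not say which database (the instance's, the admin server's, or the hardware token) the server consults, which is the part of the question the thread leaves open.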

Similar Messages

  • FYI. Verisign Cert & ACS

    For those who have trouble getting a Verisign cert working on the ACS box: I just spoke to Verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that is not compatible with Verisign. Verisign is working on the issue; it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about which version of ACS is causing the issue or so... I'm using ACS 3.3 at the moment.

    I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
    When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
    Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
    It works fine after all that =)

  • ACS SE w/ Verisign Cert

    I am using the ACS as an authentication server against AD for my wireless network. I have a WiSM as my WLC and some of my users are getting a certificate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or cert not verified from the iPhone. The certificate is valid and I installed an intermediate CA. No matter what I try I can't get the error to go away.
    Could someone please assist?
    Thanks
    mike

    I am using PEAP with MSCHAP. From the iPhone I am getting "the cert is not verified". When I use the Intel PRO supplicant on a laptop, it refuses to log on even though I select use "any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computers; I don't believe that is correct. I am using a Verisign cert and so it should already be on my computers.
    Internet explorer is not having an issue with the cert, the dell wireless WLAN client does not have a problem either.
    Mike

  • Is verisign cert "multi purpose"?

    If i get a certificate from thawte, I can get the multi-purpose authenticode cert, export it from IE, import it into netscape and be able to sign netscape objects as well as CAB files.
    Can I do the same thing with the verisign cert? Verisign doesn't talk about this on their website, but maybe they just want people to pay $800 instead of $400? Just curious if anyone has tried this. If you have tried it, let me know.
    (before anyone asks, yes, I would love to go with thawte, and have in the past, but my organization has recently made the decision that thawte is no longer an option, so I have to go with verisign)
    Thanks!
    Kirby

    To fully answer my own question,
    I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
    I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
    Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

  • Verisign CERT Root Change

    Verisign as of Oct. 10th has changed the root CA they sign certs with. Our 802.1x supplicants are configured to trust only the older Class 3 Public Primary root that is part of Windows. Is there any way to configure the ACS box to support the older root, as reconfiguring all the supplicants is a non-trivial task? I wondered if there was a way to create a self-signed cert to act as the root? Has anyone had this problem? Thanks

    Bruce,
    ACS can generate a self-signed certificate, but this will only work when clients do not validate the server certificate. If validation is required in your setup, then a self-signed cert won't help.
    If installing the cert on each client is feasible, then, configured not to validate the server cert, your current setup will work fine.
    Regards,
    ~JG
    Do rate helpful posts

  • [solved] Renewing a verisign cert

    Sorry, this isn't Arch related, but I'm having a tough time googling the correct answer.  I've got a customer using Red Hat Linux and wanting to renew their Verisign SSL cert for a webpage.  I'm following the instructions listed at https://knowledge.verisign.com/support/ … t&id=AR142
    My question is, do I need to generate a new key pair if i'm renewing the certificate?
    Thanks,
    MP
    Last edited by murffatksig (2009-09-15 20:17:40)

    You don't have to.
    Generally they either:
    a) just re-sign the original cert request they have on hand, (new certificate lifetime)
    b) ask for a new csr to sign
    c) ask you to generate a new key, and then a new csr to sign
    I think which operation they prefer depends on the vendor.
    https://knowledge.verisign.com/support/ … 3035718053
    For the sake of security though, it certainly wouldn't hurt to generate a new private key and csr, and then have that csr signed. (option c above)
    another relevant link: http://serverfault.com/questions/42993/ … ith-apache
    apparently verisign does allow option a (see last comment on serverfault page)

  • VeriSign cert and IE5 on WLCS

    Hi.
    We installed the purchased certificate (from VeriSign) on our server WebLogicCommerceServer (weblogic.security.certificate.server & weblogic.security.key.server).
    When the client accesses this host with the IE5.5 browser, everything is OK.
    When the client uses IE5, however, he gets an error "the security certificate was issued by a company you have not chosen to trust".
    If we're adding weblogic.security.certificate.authority to point to a VeriSign root certificate (which we took from their site), then sometimes the client gets a "can't display page", and sometimes the same error as above.
    Any hints?


  • Automatically accept VeriSign certs?

    Hi all. I'm pretty new to SSL so any help with this question would be appreciated.
    I have a web service app running on a WebLogic 10.3 server (let's call it ServerA). This web service app also contains a web service client to make calls to another web service app running on another server somewhere (let's call it ServerB).
    ServerB is beyond my control, but happens to be behind the same firewall as ServerA. For my app on ServerA, I've been asked to "auto-accept the connection (trust VeriSign)" when making a web service call to ServerB. I believe this is to avoid certificates expiring, but I may be wrong.
    Can anyone tell me how (either in the WebLogic console or in my Java code) to automatically trust VeriSign certificates?
    Forgive my ignorance on this subject. It's my first time working with SSL.

    You probably want to also try the security forum:
    WebLogic Server - Security
    Specify whether you are using just 1-way SSL (where this should work without intervention I believe using the CA list with the JVM). If you're using 2-way SSL, then I think you'll need to do some key importing.
    You should really consult someone who understands security requirements in your environment on what they want, as this is something you really want to get right and not misconfigure.

  • Installing Verisign Cert failure

    I have a certificate from verisign and it asks me for the private key file? Verisign didn't give me a private key file, where would I find this file?
    Thanks
    mike

    Hello Michael,
    VeriSign does provide you with the certificate which is the signed public key. For security reasons, the private key is not something that you would provide to VeriSign as this needs to remain on your server or device. It should not be shared with another party. Depending on what was used to generate the key pair, the private key may simply be a file located in a certain path or it could possibly be hidden.
    Please feel free to contact us for further assistance.
    Phone: 1-877-438-8776 Option 1, 2
    Email: [email protected]
    Regards,
    Frank
    VeriSign Technical Support
    VeriSign, Inc.

  • ACS - Verisign Cert - PEAP Auth - XP Clients

    Hi
    I am hoping to implement PEAP using a server certificate on ACS generated from a real CA like Verisign/Thawte etc. to prevent having to distribute an internal root CA certificate to all clients.
    I have discovered that Verisign provides a WLAN Auth certificate product, but this appears to be specifically for IAS.
    Does anybody know whether I can just generate a certificate request from the ACS box and use any certificate, or is there a particular type I need?
    Any help would be much appreciated!
    Thanks
    Leon

    CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed. Refer to http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.

  • Zebra QL420 Printer using PEAP (Verisign Certs)

    Hi,
    Has anybody been able to successfully get a Zebra printer QL420 Plus connected to Cisco LWAPP/CAPWAP APs ?
    We are using WPA2 - PEAP with Verisign Signed Server Certificate.

    Yes I have the QL420 + printers working with 5508 WLC and 3502E CAPWAP APs and PEAP
    Fotis - You will most likely find the reason for the slow ping response is down to the setting for "Power Mode". You likely have it set to "best". This setting controls how long the device "sleeps" before it awakens and downloads queued traffic from an AP. Setting it to "off" will put the device into CAM (Constantly Awake Mode). This means that the device never switches its radio card off and never allows traffic to be queued on an AP. However this will mean that the drain on the device's battery will be much greater. I believe there is a sliding scale of settings for this device that go in order of highest battery drain as follows:
    Best
    1
    2
    3
    4
    off
    Off will give you the best performance with maximum battery drain. Play with the settings and see which gives the best performance/battery drain balance.
    Regards
    Simon

  • Separate cert for internal and external exchange 2013

    Here is a Microsoft TechNet article that will give you some background: http://social.technet.microsoft.com/wiki/contents/articles/17974.active-directory-domain-naming-cons...
    This article gives you more info: https://technet.microsoft.com/en-us/library/cc781575(v=ws.10).aspx
    It also links to the following tool: http://go.microsoft.com/fwlink/?linkid=5585
    I've never used it or attempted a domain rename myself, so can't really help other than saying it's time to Google. :)

    Every time Outlook starts up the security message pops up saying Tiger.domain.local does not match anything on the SSL cert (from GlobalSign).
    So I changed it back to the default one and it's all working fine; however, outside connections are now using the local cert.
    Is it possible to have Outlook (local) use the non-SSL cert that the server made, and then for the outside connections use the SSL cert from GlobalSign?
    This topic first appeared in the Spiceworks Community

  • Certs

    Just a question about Linux certs.  Is Linux+ a good one or is there a better one that is not a Red Hat cert.  I am going to get my Linux+ but just seeing if there is a non-RH cert that is a good one to have also.

    cactus wrote: I don't know anyone that hires Linux admins based on 'Linux certs'.
    If they do... do you really want to be working for them?
    Hmm...  You haven't worked for many staffing companies if you believe so.
    Those types, who know nothing about their own Windows box, need to hire someone.  How do they check you out, if they have -nobody- in this field in the company, to gauge your knowledge?
    On top of that, certified personnel are often asked for in submissions.  You may have the best staff around, but if the client specifies he wants people with papers you must feed them with it or pass on it.
    I'm stuck in this kind of world right now and I'll be taking a couple certs (LPI's) soon.
    Mind you, I worked in the field before even without certs, but now it's just different.

  • Type of cert needed for anyconnect ikeV2

    Hi Everyone,
    I have created a CSR for AnyConnect IKEv2.
    When I ask the cert vendor, what should I ask them about which type of cert I need for IKEv2?
    We do not want users to use SSL like https://xyz.com to connect and download the client.
    We want users' machines pre-installed with AnyConnect and the profile, and to connect using IKEv2.
    Regards
    Mahesh

    Hi Marvin,
    I got cert from Entrust.
    it has 3 options server cert,root cert and chain cert.
    I installed the server cert on the ASA and now the status of the cert has changed from pending.
    When I connect to AnyConnect IKEv2 it still gives me a cert warning like non-trusted cert. Do I need to do any config change in AnyConnect IKEv2?
    Regards
    Mahesh

  • Unstable PIX - migrate to new with public cert?

    Hi ppl!
    I have an unstable PIX, running 7.2.2 - with a public Verisign cert on it.
    Now I need to restore this PIX's conf onto new PIX hardware, but when pasting the conf in, the part with the Verisign cert is failing. This is probably due to the self-signed keys on the new PIX, I assume.
    Now - does anyone have a good idea/way or walkthrough how to do this?
    Kind regards
    Kdam

    It looks like a bug to me; check this bug ID: CSCsi70522
