Public Certificate for ACS

Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have for default for root CA's. Thanks

I would say a partial yes to your post. Since ACS is going to assign the certificate, if the ACS server is secure, so is the certificate.

Similar Messages

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers, one is the DC and the other is the DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (primary in DC and secondary in DR), and likewise for MnT (monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE, and I have confusion about HA for PSN: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public certificate: the ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please correct me if I am wrong about my certificate understanding:
    since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same on both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not least, you could also place PSNs behind a load balancer, and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different data centers.
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!

  • Public certificate for lync/exchange

    Hi guys,
    I need to buy a public certificate for Lync 2013. Shall I include a SAN name for my Office Web Apps (OWA) too, which is currently included in my Exchange SAN certificate?
    Does anyone have good links on configuring Lync with existing Exchange 2013, and also a link to configure Lync Edge for external access? Our plan is to use Windows 2012 R2.
    This is the first time I have configured Lync and I need help. Thanks

    Hi Developer_75,
    Agree with Thamaraw. You can include all SAN records in a single certificate.
    And there are some links for your reference.
    Integrating Microsoft Lync Server 2013 and Microsoft Outlook Web App 2013
    Configuring Microsoft Exchange Server 2013 Unified Messaging for Microsoft Lync Server 2013 voice mail
    Configuring the use of high-resolution photos in Microsoft Lync Server 2013
    Lync External Access
    Best regards,
    Eric

  • Edge Public Certificate for Single Edge Pool + Reverse Proxy

    I have a public certificate that was ordered prematurely, and the SN does not match the current setup of the access URL. The company the certificate was ordered from does not allow editing of the SN (or what they call the domain name) without paying for an entirely new certificate. I do, however, have ample SANs that I can play with. I do not have a whole lot of experience with public certificates and am definitely not used to this "set in stone" deal. I've also included my reverse proxy URLs in the SAN portion, but last time I checked it is still OK to use one cert for Edge and RP to reduce costs.
    Current cert example:
    SN  access.domain
    SAN access1.domain
        conf1.domain
        lyncdiscover.domain
        ...etc.
    Edited certificate:
    SN  access.domain
    SAN newaccess.domain
        newconf.domain
        lyncdiscover.domain
        ...etc.
    So, my question is as follows:
    Can I save my public cert and myself some heartache by either adding the new entries in the SAN area or using DNS in a way, or did I just learn a costly lesson?

    You're fine if I understand the question.  If the question is: Am I screwed if the common name doesn't match the access edge name? Then the answer is "You're fine".
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    "The subject name of the certificate is the Access Edge service external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com). Note: For Lync Server 2013, this is no longer a requirement, but it is still recommended for compatibility with Office Communications Server."
    So, recommended and considered good practice, but not required.
    SWC Unified Communications
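Added example for the two certificate points raised above: the ISE reply's internal-CA-versus-public-CA argument, and the Edge question about a CN that differs from the SAN entries. This shell script is not code from either thread. It assumes a POSIX shell and the openssl command line, and uses placeholder names (access.example.test, newaccess.example.test, newconf.example.test) in place of the posters' access.domain / newaccess.domain / newconf.domain. It issues a certificate from a throwaway private CA and runs the two checks a client performs: does the chain end in a root I hold, and is the certificate valid for the host name I connected to. The second check is where the CN caveat shows up: once a certificate carries a dNSName subjectAltName, OpenSSL (like browsers, following RFC 6125) matches the host name against the SAN list only, so a name that appears only in the CN fails.

```shell
#!/bin/sh
# Added example, not code from the forum threads. Assumes a POSIX shell and the
# openssl CLI. Host names are placeholders (example.test is a reserved TLD).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

CN_NAME=access.example.test       # appears only in the subject CN
SAN1=newaccess.example.test       # listed in subjectAltName
SAN2=newconf.example.test         # listed in subjectAltName

# 1. Two CAs: "internal" issues our certificate; "other" stands in for the set
#    of public roots a guest device actually ships with (it has never seen ours).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Internal Test CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some Public Root" \
  -keyout other-ca.key -out other-ca.pem 2>/dev/null

# 2. Server key + CSR carrying the CN, then issue it from the internal CA with
#    a subjectAltName extension that does NOT repeat the CN.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN_NAME" \
  -keyout srv.key -out srv.csr 2>/dev/null
printf 'subjectAltName=DNS:%s,DNS:%s\n' "$SAN1" "$SAN2" > san.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.ext -out srv.pem 2>/dev/null

# chain_ok TRUSTSTORE: 0 when srv.pem chains to a root in TRUSTSTORE (PEM file).
chain_ok() {
  openssl verify -CAfile "$1" srv.pem >/dev/null 2>&1
}

# name_ok HOST: 0 when srv.pem chains to our CA AND is valid for HOST.
# With a dNSName SAN present, the CN is ignored for host-name matching.
name_ok() {
  openssl verify -CAfile ca.pem -verify_hostname "$1" srv.pem >/dev/null 2>&1
}

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

report chain_ok ca.pem          # OK:   client that trusts the internal CA
report chain_ok other-ca.pem    # FAIL: guest device holding only public roots
report name_ok "$SAN1"          # OK:   name is in the SAN list
report name_ok "$CN_NAME"       # FAIL: CN-only name, absent from the SAN list
```

Before relying on a "set in stone" certificate, dump it with `openssl x509 -in cert.pem -noout -text` and confirm that every host name clients will use, the one in the CN included, appears under X509v3 Subject Alternative Name; the CN alone does not rescue a name.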

  • Using PowerShell to request a public certificate for webconf. What type should I specify

    Using the PowerShell command below to request a certificate for webconf.domain.com on the Edge. There are at least a dozen "types" I can specify. I was thinking WebServicesExternal but maybe AccessEdgeExternal? Not sure what to use or if it even makes a difference.
    Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn "edgeserver.domain.com" -FriendlyName "Web Conferencing" -Organization etc...... -PrivateKeyExportable $True -DomainName webconf.domain.com -Output c:\webconf.txt

    The type will be AccessEdgeExternal and the command will be as follows:
    Request-CsCertificate -New -Type AccessEdgeExternal -Output C:\<certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
    Also you can refer below link
    http://technet.microsoft.com/en-us/library/gg398409.aspx

  • Self Signed Certificate For ACS

    Hi,
    I am running version 4.1 of the ACS appliance and was wondering if anyone knew of a way to get around the limitation of the 1-year self-signed certificate. We have no external CA infrastructure.
    Is there a way of creating the CA certificate on an external (temporary) Windows/Linux box and then importing this onto the ACS for use?

    This will be on an isolated network and will only authenticate/authorize a few switches and routers. No MS/Linux box on this LAN will use ACS; do you still have to create the CER? I could only find where that is needed for EAP, PEAP, HTTPS, Posture Validation, etc. I'm just trying to get the basics working so I can get this started and tested, then move on to other things. If you think this is still needed, I'll create the self-signed one, but I'm not sure if it will do any good. Thanks for the reply.

  • CWMS hostnames are not treated as valid subject alternate names for a public certificate

    Hi,
    I have a problem getting a public certificate for my CWMS Server 2.0.
    The FQDN for the public VIP is "meet.company.de".
    But the FQDN hostnames for the admin and media VMs are "admin.company.corp".
    The public certification authority does not accept our CSR because the Subject Alternate Name xxxx.company.corp is not valid.
    Any ideas how we can proceed? A wildcard certificate is not an option.

    Hello,
    There are couple of things you can try to do:
    1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen VeriSign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs).
    2. Change the FQDNs of your internal VMs. You would need to ensure you configure the "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP, Admin and WebEx Site for the "company.de" domain, and then perform the hostname change on CWMS for all the VMs and the Admin site. You can change the VM hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here.) Once you have modified all the hostnames, you can generate a new CSR (SAN) and you will have valid internal VM hostnames and your CA will be able to issue you a certificate.
    3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why they are not an option in your case).
    This is all that you can do when it comes to this issue.
    I hope any of this will help.
    -Dejan

  • Public certificate DV, OV, EV

    Hi,
    I would like to know if there is a difference between the public certificate for Lync Edge and Reverse Proxy between the types DV (Domain Validation), OV (Organization Validation) and EV (Extended Validation)?
    Can I use any of these types, and are they supported?

    Hi Mike-WWW,
    Agree with others.
    In addition, please refer to the following KB to choose the Unified Communications certificate partners.
    https://support.microsoft.com/en-us/kb/929395
    Best regards,
    Eric

  • Installing Certificates on ACS 3.3 for Windows

    We have a Microsoft CA and we have installed the certificates on ACS, but the certificate doesn't show up in the trust list. Anyone have any ideas? ACS will allow me to turn on PEAP but authentication fails.

    Configuring for PEAP or EAP-TLS can be tricky and there are lots of caveats. This EAP-TLS deployment guide has some info on cert setup that should be equally applicable for PEAP as well.
    http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml#wp39247

  • Certificate for the Diffie-Hellman Public Key

    Hi all
    Hey guys, I have run out of ideas. I'm trying to generate a self-signed certificate for the Diffie-Hellman public key. Can anyone tell me how to do this please?
    Thanks in advance
    LundiE

    Does this even make sense? What would you sign it with? The choices provided by Sun are RSA and DSA.

    So you're trying to tell me that it's not possible to generate a self-signed certificate for Diffie-Hellman? Because the way I think of it, a certificate incorporates a public key and the certificate is signed using another key.
    Thanks once more for your input
    Cracker
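Added example, not from the thread and not in Java: the reply's point is that a Diffie-Hellman key cannot produce a signature, so it cannot sign its own certificate. A DH public key can still be the subject public key of an X.509 certificate (RFC 3279 defines the dhpublicnumber key type for exactly this) provided a separate RSA or DSA key signs it; what cannot exist is a self-signed DH certificate. The script below assumes a POSIX shell and the openssl command line; "Signing CA" and dh.example.test are placeholder names. It shows the self-signing attempt being refused, then issues a DH-keyed certificate from an RSA CA using openssl's -force_pubkey option. The DH parameter size is kept at 1024 bits only so the demo runs quickly.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a POSIX shell and the openssl CLI.
# Names are placeholders. 1024-bit DH is for demo speed only; use >= 2048 in practice.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# An RSA key pair acting as the CA: the only thing here that can sign.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Signing CA" \
  -keyout ca.key -out ca.pem 2>/dev/null

# DH parameters, a DH key pair, and its public half.
openssl dhparam -out dh.params 1024 2>/dev/null
openssl genpkey -paramfile dh.params -out dh.key 2>/dev/null
openssl pkey -in dh.key -pubout -out dh.pub 2>/dev/null

# dh_self_sign: try to make a self-signed certificate from the DH key.
# Returns nonzero: DH has no signature operation, so openssl refuses.
dh_self_sign() {
  openssl req -new -x509 -key dh.key -days 1 -subj "/CN=dh.example.test" \
    -out dh-self.pem 2>/dev/null
}

# A throwaway RSA-keyed CSR only supplies the subject name; -force_pubkey then
# replaces the CSR's RSA key with the DH public key in the issued certificate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=dh.example.test" \
  -keyout tmp.key -out dh.csr 2>/dev/null
openssl x509 -req -in dh.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
  -force_pubkey dh.pub -out dh-cert.pem 2>/dev/null

# dh_cert_key_alg: prints the subject public key algorithm of the issued cert.
dh_cert_key_alg() {
  openssl x509 -in dh-cert.pem -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# dh_cert_ok: 0 when the DH-keyed certificate verifies against the RSA CA.
dh_cert_ok() {
  openssl verify -CAfile ca.pem dh-cert.pem >/dev/null 2>&1
}

dh_self_sign || echo "self-signed DH certificate refused, as expected"
echo "issued certificate key algorithm: $(dh_cert_key_alg)"
dh_cert_ok && echo "DH-keyed certificate verifies against the RSA CA"
```

The same shape applies in Java: a DH KeyPair can be wrapped in a certificate, but the signing key handed to the certificate builder has to be RSA or DSA, and the signature is then checked with that CA's public key, not the DH key.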

  • How many Public Certificate do I need for Edge federation with Skype

    Hi All,
    I am trying to set up Lync 2013 with Edge to federate with Skype.
    Now, how many public certificates do I need to be able to set up Lync Edge to federate with Skype?
    Thank you,

    Hi,
    You need to add the CA you're getting the public certificate from. By default, the most common trusted CAs are included in the Windows OS itself and do not need to be added manually.

  • ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

    We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given a prompt showing the updated dates, confirmed and installed the new certificate, deleting the old one. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I get the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
    The worst part is that when I tried to reinstall the old certificate, I got the same problem.
    Any suggestions?

    Matt,
    How did you generate the CSR: did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
    Scott

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the URL fonzie.bigshop.com.au. We have a VeriSign certificate set up for 128-bit SSL under the known name fonzie.bigshop.com.au. All SSL connections that connect to the site with this URL are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public URL for the website will be www.bigshop.com.au. We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from VeriSign.
    Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au URLs to operate concurrently and enable both to establish SSL sessions with valid certificates.
    Is what they want to do possible? Any suggestions appreciated,
    regards,
         Patrick.

    Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.

    In current versions of WebLogic (5.1, 6.x, 7.0, 8.1), you can configure only one certificate per server.
    -utpal

  • How to set up Windows with Reader and certificate for all users

    Good afternoon (GMT),
    we're dealing with a Win XP (SP3) system that is set up by an administrator. One task is to set up the system in a way that all users (without admin rights) become able to read a certificate-protected PDF. Currently we know a way to install the "public key" for this certificate only for one known user. But how to proceed when not all users are known? The users shall later never be asked to confirm the certificate installation/registration.
    If it helps, here is the software version:
    Acrobat 8.12 to encrypt the PDF via certification. In near future I will switch to Acrobat 9.x
    Reader 7.x and/or 8.x on customer PCs.
    Thank you for ideas and hints.
    BTW: Next time we want to provide a solution for Win7 systems, too.
    Carsten


  • Standard or UCC/SAN certificate for RDS

    I successfully deployed RemoteApp using a self-signed certificate.
    Now it is time to replace it with a trusted one.
    From what I found, a UCC/SAN certificate will allow me to secure subdomains, unique domains and websites.
    My RDS deployment is limited to one domain only.
    Does a wildcard certificate mean that during certificate creation on the trusted site (e.g. GoDaddy) I will have an option to enter
    *.my_domain.com for the subject and then use it for any RDS server?
    So it will be just a standard certificate with a wildcard.

    Hi,
    If you plan to have RD Connection Broker, RD Gateway and RD Web Access all on the same server, you can purchase a single-name certificate, which is much cheaper than a wildcard.
    If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
    For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, and click Create Certificate Request. Fill out the information, select 2048 bits, etc., and save as a file. Open the file in Notepad, copy the request, then paste it into the appropriate box on the trusted authority's web site.
    The public certificate providers have step-by-step instructions for creating a request for an IIS website and installing the resulting response. You can usually follow those if you are unsure.
    Once you have your certificate installed on your RD Web server, open certlm.msc, navigate to the Personal store, right-click on the certificate and export it and its private key as a .pfx file. This is what you will use to apply the certificate in Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab. You apply the certificate to one purpose at a time until you have all four purposes set to your new wildcard certificate.
    -TP
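Added example, not part of the answer above: the same three steps (a 2048-bit wildcard request, the issued certificate, the .pfx export) done with the openssl command line instead of IIS Manager and certlm.msc, so the result can be inspected before it goes anywhere near Server Manager. It assumes a POSIX shell and openssl 1.1.1 or later (for -addext), and uses example.test in place of my_domain.com. Because no public CA is involved, the CA's signed response is stood in for by a self-signed certificate with the same key and names. It also shows the limit of a wildcard: *.example.test matches exactly one label, so rdweb.example.test and gateway.example.test pass, the apex example.test passes only because the SAN lists it explicitly, and rdweb.rds.example.test fails.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumes a POSIX shell and openssl
# 1.1.1+. example.test is a placeholder for the poster's my_domain.com.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
DOMAIN=example.test

# 1. A 2048-bit key and a CSR whose CN is the wildcard. The SAN repeats the
#    wildcard and adds the bare apex, because *.example.test does not cover
#    example.test itself.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rds.key 2>/dev/null
openssl req -new -key rds.key -subj "/CN=*.$DOMAIN" \
  -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" -out rds.csr 2>/dev/null

# csr_cn: prints the Common Name the public CA will see in the request.
csr_cn() {
  openssl req -in rds.csr -noout -subject | sed 's/.*CN *= *//'
}

# 2. Stand-in for the CA's response: a self-signed cert from the same key and
#    names (the real one comes back from the CA and is completed in IIS).
openssl req -new -x509 -key rds.key -days 1 -subj "/CN=*.$DOMAIN" \
  -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" -out rds.pem 2>/dev/null

# matches HOST: 0 when the certificate is valid for HOST. A wildcard label
# covers exactly one label; the apex is covered only by its own SAN entry.
matches() {
  openssl verify -CAfile rds.pem -verify_hostname "$1" rds.pem >/dev/null 2>&1
}

# 3. Bundle key + certificate as the .pfx that Deployment Properties imports.
openssl pkcs12 -export -inkey rds.key -in rds.pem -passout pass:changeit \
  -out rds.pfx 2>/dev/null

# pfx_ok: 0 when rds.pfx opens with the password and contains the private key.
pfx_ok() {
  openssl pkcs12 -in rds.pfx -passin pass:changeit -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

echo "CSR CN: $(csr_cn)"
for h in "rdweb.$DOMAIN" "gateway.$DOMAIN" "$DOMAIN" "rdweb.rds.$DOMAIN"; do
  if matches "$h"; then echo "OK   $h"; else echo "FAIL $h"; fi
done
pfx_ok && echo "PFX readable with the export password"
```

The FAIL line for rdweb.rds.example.test is the case to remember when the RDS hosts sit in a sub-zone of the wildcard: either request the wildcard for that sub-zone or add the exact names as SAN entries.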
