TLS support wildcard cert?

Hi everyone,
I'm planning to enable TLS on our email traffic, but was wondering if that will conflict with the wildcard certificate we currently have enabled on the server?
I couldn't find any information about SMTP TLS errors because of it on Google, but was wondering if anyone has specific experience with it.

The IronPort email security appliance cannot use certificates with wildcards when verifying a certificate.
If you want to verify success or failure on TLS connections from the IronPort point of view, you can use the knowledgebase article below to search for those connections.
How can I determine if my IronPort is using TLS for delivery or receiving?
http://tinyurl.com/py4tw

Similar Messages

  • Does Convergence + messaging server 6.3 support wildcard cert ?

    Hi all,
    We plan to purchase a wildcard cert to support our Convergence & Messaging Server SSL connection.
    From the messaging guide provided, it states we need to generate an individual private key & send it to the vendor to verify.
    What if we are using a wildcard cert, does it work in this case?
    Cheers
    ubd

    ubd wrote:
    > So that means I generate 1 wildcard cert, then apply it to all other server SSL connections, or do I need to generate them individually?
    To use the same CA-signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
    http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
    http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
    Regards,
    Shane.

  • 7925g plus EAP-TLS plus wildcard cert

    Hi folks,
    Has anyone managed to put a wildcard cert on a 7925G (or 9971) to use for client authentication with EAP-TLS? It seems like one is forced to use the MIC or a cert from a CSR generated by the phone... but I'd really rather not keep track of a zillion certs.
    Thanks for any help.

    Hi,
    Have you read the info from the deployment guide (page 72 - install certificates) already?
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

  • Ironport email appliance : can i use a wildcard cert for TLS ?

    Hi all,
    We have 2 IronPort C170 email appliances. I would like to use a wildcard SSL cert from DigiCert for TLS communication. I have 2 questions about it:
    1/ Is it possible to use a wildcard certificate on IronPort?
    2/ Are there any known problems with wildcard certificates for TLS use?
    I found 2 (old) posts about that:
    https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
    http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
    Does someone have experience with it?
    Thanks.

    My experience is that it works fine.
    If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
    e.g. something like this:
    mx domain1.com  smtp.domain2.com
    mx domain2.com  smtp.domain2.com
    a smtp.domain2.com  x.x.x.x
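Two points in this thread come down to how a verifier matches a certificate name against the host it connected to: the accepted answer at the top (the IronPort appliance does not accept wildcards when verifying) and the MX/A note directly above (every MX target must resolve to the host whose cert you have). The following is an added example, not code from the thread or from Cisco; it implements RFC 6125-style wildcard matching with a strict switch that behaves like a verifier without wildcard support, and runs the MX check over the records from the reply. All domains, records and certificate names are constructed for the example.

```python
"""Added example: which SMTP hosts a wildcard certificate covers, and why a
verifier that does not accept wildcards rejects it.  Names, DNS records and
certificate identities are constructed; none of them are real hosts."""

from typing import Dict, Iterable


def name_matches(pattern: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Match one certificate identity (a dNSName SAN entry or the CN) against a host.

    Wildcard rules follow RFC 6125 section 6.4.3: a single '*' as the entire
    left-most label, matching exactly one label, so *.domain2.com covers
    smtp.domain2.com but not domain2.com or a.b.domain2.com.  A wildcard on a
    top-level domain (*.com) is refused, as browsers and most libraries do.
    With allow_wildcard=False the pattern must match literally, which is how a
    verifier that lacks wildcard support behaves."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcard:
        return False
    labels = pattern.split(".")
    # Reject partial wildcards (m*.domain2.com), multiple wildcards and *.tld.
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str, allow_wildcard: bool = True) -> bool:
    """True if any identity in the certificate covers the connected hostname."""
    return any(name_matches(n, hostname, allow_wildcard) for n in cert_names)


def check_mx_coverage(mx: Dict[str, str], a: Dict[str, str], cert_names: Iterable[str],
                      allow_wildcard: bool = True) -> Dict[str, str]:
    """For each mail domain: follow the MX record to its target host, require an A
    record for that host, and report whether the certificate presented by that
    host covers the MX target name.  A sending MTA that verifies TLS compares the
    certificate against the MX target it connected to, not the recipient domain."""
    report = {}
    for domain, target in mx.items():
        if target not in a:
            report[domain] = "no A record for MX target " + target
        elif cert_covers(cert_names, target, allow_wildcard):
            report[domain] = "ok"
        else:
            report[domain] = "cert does not cover " + target
    return report


# Constructed records: the layout from the reply plus one domain with a bad MX.
MX_RECORDS = {
    "domain1.com": "smtp.domain2.com",
    "domain2.com": "smtp.domain2.com",
    "domain3.com": "mail.domain3.com",   # constructed: MX target has no A record
}
A_RECORDS = {"smtp.domain2.com": "192.0.2.10"}   # constructed documentation address
CERT_NAMES = ["*.domain2.com"]                  # constructed wildcard identity


def demo():
    """Run the same records through a wildcard-aware and a strict verifier."""
    return {
        "wildcard_aware": check_mx_coverage(MX_RECORDS, A_RECORDS, CERT_NAMES, True),
        "strict": check_mx_coverage(MX_RECORDS, A_RECORDS, CERT_NAMES, False),
    }


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode)
        for domain, status in report.items():
            print(f"  {domain:12s} {status}")
```

The strict run is the situation the accepted answer describes: the very same records that pass under a wildcard-aware verifier are reported as "cert does not cover smtp.domain2.com", because the appliance compares the name literally. If a peer that verifies in that way must be supported, the cert presented on the MX target needs the literal hostname in its SAN (or CN) rather than only the wildcard entry.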

  • Does ISE support wildcard certificates?

    Hello guys,
    My customer doesn't have a CA, but instead has wildcard certificates.
    I will implement ISE in 3 different locations (each location independent and with all ISE services). I haven't looked in depth at wildcard certs, but does ISE support this type of certificate? The certs I need are only so that corporate users are not shown the SSL cert error when accessing ISE portals.
    If wildcard certificates are supported, then will every independent site need to create a separate CSR for each one of them?
    Thanks!
    Emilio

    Support for Universal Certificates:
    Cisco ISE, Release 1.2 supports the use of wildcard server certificates for HTTPS (web-based services)
    and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have
    to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN
    field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field
    allows you to share a single certificate across multiple nodes in a deployment and helps prevent
    certificate-name mismatch warnings.
    For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Kindly find the attached PDF for your clarification: ISE 1.2 supports wildcard certificates. I have also highlighted the same on page 14.

  • Federation with wildcard cert

    Hi,
    We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
    I use a wildcard cert for one of the domains for the Edge and reverse proxy.
    It works fine to connect from outside etc. But federation is not working.
    In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put the address sip.domain2.com as hostname, but it's actually pointing to an address that has the wildcard cert for *.mydomain1.com
    Is there some way to make this work without buying many certs?

    Hi,
    It is not supported to use a wildcard certificate for the Edge Server external interface. You need a public SAN certificate to support federation. You can use a wildcard certificate for the Reverse Proxy.
    For more server roles for which a wildcard certificate can be used in a Lync Server environment, you can refer to the link below:
    https://technet.microsoft.com/en-us/library/hh202161.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Configuring TLS support in a clustered environment

    Hi folks!
    I couldn't find a definitive guide to TLS support in a clustered environment... So I'll give it a shout :)
    Has anyone managed to configure TLS support in his/her cluster?
    My setup is as follows:
    - we have two IronPorts, clustered, which are addressed using a common name through a hardware load balancer (mxfarm)
    - each IronPort is seen as a unique host when sending outbound emails (ironport-1 and ironport-2)
    - I have installed a certificate in MACHINE mode on each of them (i.e. one certificate for ironport-1, another for ironport-2)
    Now, when I want to enable TLS (in cluster mode), I get the message that a security/key certificate hasn't been installed....
    Sooooooooo how should I do it??
    Thanks !!
    Frédéric Lens

    Hello,
    We have four machines in a cluster, using TLS as default for inbound and outbound traffic.
    Since we do not use load balancers we have individual certs for each machine. Besides that we have (company signed) certificates for each machine. These are used for systems management (HTTPS). (By the way... the certificate management is a terrible job if you have to maintain four machines with two certs each (and thus two certification paths). Hey Ironport: some major enhancements are possible on this field.....)
    Since we use individual certs we have to install them in machine mode. The TLS policies are cluster based and this is configured and functioning without any problems.
    I have a few attention points:
    The certs that are installed before a machines has joined the cluster are removed on the moment you add this machine to the cluster. This in normally not done very frequently so I think this will not be the problem in this case, but it’s good to know that after joining the cluster you have the initial demo certs active again.
    Even if you buy certificates from commercial vendors you must be sure you install the complete certification path. We have Verisign certs and had to install the intermediate certificate to get the chain complete.
    You mention you have connected your MGA's to an incoming load balancer and send out mail via the individual hosts. I expect you to utilize three IP addresses for that (one incoming that is assigned to the load balancer and two others for the MGA's outgoing traffic). This means you must have three individual forward and reversed DNS entries. Since the CN of the cert must match the (public) DNS name of your system you should have individual certs for inbound and outbound traffic. The inbound cert (and intermediate certs) must be the same on both machines since these are is presented to the outside world as if they where one and should match the forward DNS name of the load balancer IP address. The outbound certs must be unique for each machine, matching the reversed DNS name of that machine.
    I have two points that I'm not sure of, maybe someone else can clear this up:
    The SMTP greeting normally contains the public systems hostname. I do not know if you can configure individual SMTP greetings for in and outbound mail and, if this is possible, if the inbound greeting can be the same on two clustered machines. Since you have two machines combined behind a loadbalancer I would expect the to present them selves to the public identically, for the outbound traffic is the individual machine IP address used, I would expect the system to identify it selves by the hostname that is in the PTR for the used IP address. Finally: I am not sure if this has any impact on TLS or not.
    I always import the all intermediate certs for each cert I import. That means I install the two public intermediate certs twice and install the internal root and intermediate cert also twice. It might be sufficient to install both sets only once but I have never tested this. Who can tell if I am forcing myself into too much work or not?
    I hope you solve your problem. My experience is that starting with certificates is most of the time a PITA (Pain In The Ass) but if you have figured out how to do it for a particular system it becomes quite simple.
    Best regards
    Steven

  • ISE 1.3 public wildcard cert

    Is it a good idea and common practice to just use a public CA wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices?
    Is it OK then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
    Or should we have a separate internal wildcard cert just for EAP-TLS? In this case, will ISE 1.3 allow me to have two wildcard certs with the same SAN (*.domain.com), one public, the other internal? The public one would apply to web portals, and the internal one would apply to EAP-TLS.

    Hi Trevor-
    The use of a wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error.
    However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
    I hope this helps!
    Thank you for rating helpful posts! 

  • Help! GoDaddy Wildcard Cert

    My organization has finally purchased a wildcard cert from GoDaddy to use on our servers across the board, due to how newer browsers are being more vocal about the use of self-signed certs.
    In going through the process of getting the cert issued I keep getting my CSR rejected by GoDaddy, even while following GoDaddy's instructions on what they want and how to create the CSR. Since I've only really used self-signed certs to this point I'm not 100% sure I am doing things correctly, especially given that I'm making some assumptions, as my CSR export instructions are a little dated. Are there updated instructions for creating the CSR in a format that GoDaddy will accept?
    Thanks!

    For creation these are helpful:
    http://www.digicert.com/csr-creation...consoleone.htm
    http://nl.globalsign.com/en/support/.../generate+csr/
    Example of a "subject name": .CN=*.domain.com.OU=IT.O=Name of your Organization.L=City.S=State.C=US
    You did NOT follow the proper steps to import the certificate (I know it from experience).
    Your only option now is to restore the certificate object that was used for the CSR from a good backup into eDirectory (I hope you have it...) and then do the following (exactly):
    http://www.digicert.com/ssl-certific...consoleone.htm
    Once done you can create a new certificate for each NW server & replace the public & private key with GoDaddy's & your wildcard & point each instance of Apache to such a certificate.
    The setup works beautifully, I have been using it for over 5 years now.
    As you can export a .pfx from the certificate object with the use of openssl, you can use it just about anywhere else (but not in APC UPS devices!)
    Seb
    "marklar23" <[email protected]> wrote in message
    news:[email protected]...
    >
    > I made the CSR from NetWare. It looks like the last time that I tried
    > yesterday did take, I had to change the order of the CN and O in the
    > cert string. Now after I imported the certificate and try to validate
    > it, I get Invalid with Certificate Revocation List Invalid. Any
    > suggestions?
    >
    > AndersG;2014252 Wrote:
    >> Marklar23,
    >> > In going through the process of getting the cert issued I keep
    >> getting
    >> > my CSR rejected by GoDaddy by following the instructions from what
    >> > GoDaddy wants and how to create the CSR.
    >> >
    >> And do they say what is wrong with it? Also: Is this NetWare or Linux?
    >>
    >> - Anders Gustafsson (Sysop)
    >> The Aaland Islands (N60 E20)
    >>
    >>
    >> Novell has a new enhancement request system,
    >> or what is now known as the requirement portal.
    >> If customers would like to give input in the upcoming
    >> releases of Novell products then they should go to
    >> http://www.novell.com/rms
    >
    >
    > --
    > marklar23
    > ------------------------------------------------------------------------
    > marklar23's Profile: http://forums.novell.com/member.php?userid=5123
    > View this thread: http://forums.novell.com/showthread.php?t=419035
    >

  • Wildcard cert on WLC 4404 running 5.2

    Hi all
    I have a WLC with a cert on it at the moment; it runs out in a few weeks.
    I want to replace the current cert with a wildcard cert.
    Will this be OK?
    is it a cas     

    Hi,
    As per my experience: yes, it is supported.
    However, it seems there is still a problem with wildcard certificates if they are chained:
    Check these links:
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    Third-party cert:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
    Regards
    Don't forget to rate helpful posts

  • TLS support in C API's, follow-up

    Hello,
    In September 2013 I started a thread "SSL/TLS version in pre-built C api's" asking about the TLS support. I just want to share the info as a follow-up.
    The first approach was to change the current code for the Novell libraries, but since the OpenSSL implementation was more of a "copy/paste" solution and the current source code available didn't match the binaries available, I changed to OpenLDAP instead.
    Today we have built OpenLDAP libraries and OpenSSL libraries for Win32 and Win64 and changed the application code to use OpenLDAP instead of Novell's APIs. Apart from the initialization and binding, that switch was quite straightforward.
    The application now binds to LDAP directories requiring TLS and specific key exchange algorithms and cipher suites without any problem.
    I hope that Novell will update the OpenSSL part in their own libraries (and add features to eDirectory that let us set the SSL/TLS requirements).
    Best regards,
    Tobias

    These are some great comments; thanks for posting your experiences.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • ISE 1.2 and WildCard Cert

    hello,
    I've found a great post from Aaron Woland about how to make/install/use a wildcard certificate.
    http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
    But there is something that was not answered by his post.
    Can I use a wildcard cert to register a node to an ISE deployment? Aka adding a Monitor-only node to an Admin-only node:
    create CSR, receive cert from CA, add CA root, bind cert to CA root, then export key, then import on Mon node, then try to register Mon node? My first test didn't go well.
    Any input would be appreciated

    Basant,
    I agree with what you are saying, but it seems that your statement contradicts the write-up in the Cisco user guide for 1.2; there are no limitations, and one of the benefits stated by the doc is that you can use wildcard certs as a cost-saving measure which will allow you to install the cert on all ISE nodes.
    I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
    Also, the true benefit of a wildcard cert is where the CN is *.domain.com; you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com. I do not think that is a cost-effective wildcard cert since the CN has the FQDN of the ISE node.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
    Tarik Admani
    *Please rate helpful posts*

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
    Setting up the wildcard cert went OK as guided by the CCO ISE 1.2 deployment/config guide.
    When it came to testing the client auth, as always I started off with the PEAP setting Validate server certificate off, just to confirm the WLC and ISE are playing ball. They were; the auth passed.
    I then tick Validate server certificate and make sure the CA (Windows AD) is in the Trusted Root Certification Authorities. Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd as it just accepted it.
    If I untick validate, the client passes; if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to a client issue but am not 100% sure sometimes.

  • Does Automator Support Wildcards?

    I have a workflow already in Automator and all I want to do is rename a group of PDFs but ask it to ignore 3 characters, i.e. ipagexxx090929 - the 3 x's being where I want the numbers ignored. I thought Automator would support 'wildcards' but am having no luck.
    Any help appreciated.

    Not sure if this would come under wildcards, but a *Run AppleScript* action can be used to swap parts of text around. Are there multiple divider characters, or are you just looking for the first one?
    You should post your specific questions to a new topic so that it doesn't get lost in an existing one - I almost missed your question here since this topic is answered. Tiger's Automator is also a bit different than the Leopard ones, if your profile is correct.

  • Wildcard Cert

    Sun Java(tm) System Messaging Server 7.3-11.01 64bit (built Sep 1 2009)
    libimta.so 7.3-11.01 64bit (built 19:44:36, Sep 1 2009)
    Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
    SunOS wpg-com1 5.10 Generic_141445-09 i86pc i386 i86pc
    I have a wildcard cert that was generated for apache. How can I add this to COMs.

    shjorth wrote:
    > karl.rossing wrote:
    > > I have a wildcard cert that was generated for apache. How can I add this to COMs.
    > The following URL may help (section prior to pull-config):
    > http://blogs.sun.com/nsegura/entry/migrating
    > Regards,
    > Shane.
    Thanks! That helped a lot
    I was able to run openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS" and then msgcert import-cert server.pk12
    This would be useful information on http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication . Should I add it myself?
