Use of wildcard certificate

Hi,
We are going to use the UAG with an AD for the SSO of a SharePoint server and a set of 10+ web application servers behind the UAG; the connections are supposed to be HTTPS. I would like to know whether the use of a wildcard server certificate is mandatory in this kind of environment, or whether a server certificate for each application server is also possible for this requirement?
Thanks a lot !

Hi,
It is not mandatory but recommended. The reason for the recommendation is that you can use just 1 trunk for publishing instead of 10 different trunks (10 IPs) if you use a single server SSL cert, e.g. if you use app01.domain.com to app10.domain.com. As an alternative to the wildcard cert you can use a SAN certificate which has all app host names included, just in case this makes a price difference.
I would recommend using the wildcard cert, because UAG configuration and management is much simpler than with the single server certificate, and the SAN certificate is inflexible if you want to add more apps because you have to request a new certificate if you add a new application.
Hope that helps,
Lutz

Similar Messages

  • Using same Wildcard certificate on multiple SAP systems with same domain name.

    Hello All,
    Need urgent help.
    I have a WILDCARD SSL certificate in pfx format. I also have the individual root certificate and primary certificate in text form.
    The certificate mentioned above is already active in one of our portal.
    We want the same certificate on ECC Production.
    What are the steps to import this certificate in STRUST?
    I believe no certificate response needs to be imported.
    I have a certificate response provided by Verisign. But STRUST says 'cannot import certificate response'.
    Please help.

    Hi,
    This is what I did for installing wildcard certificates:
    On the OS of the sap server, log in with the sapadm account.
    Open a command prompt:
    make a backup of your sec directory in drive:\usr\sap\<SID>DVEBMGS00\  (just to be sure)
    cd to drive:\usr\sap\<SID>DVEBMGS00\exe
    > sapgenpse.exe import_p12 -p SAPSSLS.PSE location\to\the\certfile.pfx
    It will ask you for the pin, and to overwrite the file, answer yes.
    Now copy the new SAPSSLS.PSE to a desktop that has sapgui
    Login with the sapgui and run transaction strust
    Select import from the PSE menu and open the SAPSSLS.PSE
    Then again go to the PSE menu and select Save As
    I saved it twice, once in System PSE  and then again in SSL Server
    For me SSL is now working without problems on a couple of servers.
    -small update-
    You can check internal servers using the certificate utility from digicert https://www.digicert.com/util/
    It has the option to specify port numbers, useful for internal web services.
    Regards,
    Rolf

  • Wildcard Certificate use in Sun Java System Messaging Server (IMAPs/POPs)

    I'm trying to use a wildcard certificate acquired from GlobalSign and am having problems getting it (properly) into the cert database.
    I tried using certutil, and that didn't seem to work at all; it would list without user cert status:
    rmorneau+root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu ,,
    I had some success using msgcert and pk12util, but after importing it in, then seeing that it did have user cert status, after a quick restart of Messaging (IMAP/POP), SSL quit for IMAP and kicked all my IMAPs users out temporarily (until I put the original cert8.db and key3.db back).
    -------- ImapProxy_20101115.log----
    20101115 135531 ImapProxyAService.cfg (id 2590) SSL negotiation failed for IP XXX.XXX.X.XXX: Cannot connect: SSL is disabled. (-12268)
    pop.xxxxxxxxx.edu u,u,u
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu u,u,u
    I truly appreciate any help on this matter.
    -Bob

    2. Does the certificate nickname in NSS match the configured certificate nickname in the product?
    I'm not sure, but I'll try that the next time I try this... will probably be late at night where I won't be interrupting IMAPs and POPs.
    Makes sense. Prior to release 7 update 4, the servers have to be shut down before modifying certificate databases. As of 7 update 4 you can do a one-time migration to the cert9.db/key4.db format that should allow certificates to be updated without taking the servers offline.
    This was in the log just before the other log entry that I showed before.
    20101115 135440 ImapProxyAService.cfg ASockSSL_Init: couldn't find cert imap.xxxxxxxxx.edu (-8174)
    This is the key line from the log. The server is looking for a certificate with the NSS certificate nickname of 'imap.xxxxxxxxx.edu' and is not finding that certificate, so issue 2 is likely the problem.
    Yes, this was it. Oversight on my part, forgot they had to match and could not be a form of just domainname.edu or *domainname.edu.
    You either need to modify the default:SSLCertNicknames setting to match the nickname of the new certificate, or install the new certificate using the existing certificate nickname of 'imap.xxxxxxxxx.edu'.
    I modified the default:SSLCertNicknames setting.
    Thank you CNewman very much for all your help.
    And, for those trolling for an answer with more detail via an Internet search (that is, if Oracle doesn't screw up these forums for anon searches):
    With the private key in hand (not password protected), I used 'openssl' to get it into a pkcs12 type file:
    (It is best to do this as root and not as sudo root, as you might run into problems if your host does not have root power to write to your home dir on the/a NFS share... you will get "unable to write 'random state'".)
    root@mmp1:/var/opt/SUNWmsgsr/config/GlobalSign-certs-new# /usr/sfw/bin/openssl pkcs12 -export \
    -in ket-wildcard-cert.pem -inkey private.key -out cert.pkcs12 -name xxxxxxxxx.edu
    Enter Export Password:
    Verifying - Enter Export Password:
    Where "private.key" is the key file, "ket-wildcard-cert.pem" is the (PEM format) cert from our cert provider, cert.pkcs12 is our cert file that will be imported into the database, and xxxxxxxxx.edu is whatever you (nick)name your cert in the database.
    (I think you could use a password protected private key if you have that password.. I don't.)
    Next, I used 'msgcert' to import the pkcs12 cert file into the database (I'm sure there is a way to use certutil or even pk12util to do the same, but I'm on Sun Messenger 6.3 at this time, so that's what I used. If someone would like to elaborate for those...?):
    (It is best, when using 'msgcert', to do it where your mailsrv user has some privs.. I took my pkcs12 cert and moved into /tmp.)
    root@mmp1:/tmp# /opt/SUNWmsgsr/sbin/msgcert import-cert cert.pkcs12
    Enter the PKCS#12 file password: (blank)
    Enter the certificate database password: (token password in sslpassword.conf)
    Make sure your (wildcard) cert nickname matches what you have in ImapProxyAService.cfg and PopProxyAService.cfg at the "default:SSLCertNicknames" field.
    Edit if need be.
    root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    xxxxxxxxx.edu u,u,u
    root@mmp1:/var/opt/SUNWmsgsr/config# grep default:SSLCertNicknames *AService.cfg
    ImapProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    PopProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    Then, of course, restart the msg service(s).
    /opt/SUNWmsgsr/sbin/stop-msg
    /opt/SUNWmsgsr/sbin/start-msg
    Edited by: 810750 on Nov 18, 2010 8:08 AM
    Edited by: 810750 on Nov 18, 2010 8:11 AM
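As an added example (not code from Bob's post or from the Messaging Server product), the following POSIX shell script reproduces the core of his procedure offline: it packs a wildcard certificate and key into a PKCS#12 bundle whose friendlyName is the NSS nickname the server will look for, and then checks that nickname against the default:SSLCertNicknames line in each proxy .cfg before any restart, which is the mismatch behind the "couldn't find cert ... (-8174)" log line above. It assumes openssl is on the PATH; the self-signed wildcard certificate stands in for the CA-issued one, and the hostnames, paths, export password and .cfg contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the post above. Packs a wildcard cert and key into
# a PKCS#12 bundle whose friendlyName is the NSS nickname the server will look
# for, then checks that nickname against default:SSLCertNicknames in each proxy
# .cfg before any restart. Assumes openssl on PATH; the self-signed certificate
# stands in for the CA-issued one, and names, paths and password are constructed.
set -u

P12PASS="${P12PASS:-export-pw}"   # constructed export password (blank works too, but is harder to script)

# make_p12 <workdir> <wildcard-name> <nickname>: writes private.key,
# wildcard-cert.pem and cert.pkcs12 in <workdir>, prints the bundle path.
make_p12() {
  dir=$1; wild=$2; nick=$3
  # Self-signed stand-in for the key/cert pair you would get from the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$wild" -addext "subjectAltName=DNS:$wild" \
    -keyout "$dir/private.key" -out "$dir/wildcard-cert.pem" >/dev/null 2>&1 || return 1
  # -name sets the friendlyName, which becomes the certificate nickname on import.
  openssl pkcs12 -export -in "$dir/wildcard-cert.pem" -inkey "$dir/private.key" \
    -name "$nick" -out "$dir/cert.pkcs12" -passout "pass:$P12PASS" || return 1
  printf '%s\n' "$dir/cert.pkcs12"
}

# p12_nickname <bundle>: prints the friendlyName stored in the bundle.
p12_nickname() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# check_nicknames <bundle> <cfg-file>...: compares the bundle's nickname with the
# default:SSLCertNicknames value in each file. Returns 0 only if every file matches.
check_nicknames() {
  p12=$1; shift
  want=$(p12_nickname "$p12")
  if [ -z "$want" ]; then echo "no friendlyName found in $p12" >&2; return 2; fi
  rc=0
  for cfg in "$@"; do
    have=$(sed -n 's/^default:SSLCertNicknames[[:space:]]*//p' "$cfg" | head -n 1)
    if [ "$have" = "$want" ]; then
      echo "OK       $cfg: $have"
    else
      echo "MISMATCH $cfg: configured '$have' but bundle carries '$want'" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage, e.g. in a scratch directory holding the two proxy .cfg files:
#   p12=$(make_p12 "$PWD" '*.example.edu' example.edu)
#   check_nicknames "$p12" ImapProxyAService.cfg PopProxyAService.cfg
```

Running check_nicknames before stop-msg/start-msg turns the mismatch from a service outage into a non-zero exit code: the certificate is imported under whatever friendlyName the bundle carries, so the value the .cfg files name has to be the same string.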

  • Wildcard certificates supported by ACE

    We are considering the use of wildcard certificates for our environment. Is this supported by the ACE when using SSL offloading ?
    regards,
    Sebastian

    Be aware that certain mobile devices do not support them; I believe Windows Mobile 5.0 is one of them.

  • Wildcard Certificate

    I'm trying to find out if it's possible to use a wildcard certificate on the Lync Edge server's External Interface. Or maybe a better question would be: if I use the wildcard, what will break? Like I've read the auto configuration will not work, etc. Looking to get away from having so many certs....

    Agreed, it's not supported. From memory the Edge services don't start. Having said that, yes, you can try it and if it doesn't work, simply assign the correct certs without issue. You shouldn't have any issues with changing certs.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)
    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Wildcard Certificate and Wireless Lan Controller

    Hello,
    I'm working with wlc 5508 version 7.2.111.3 and I'm looking to use a wildcard certificate, I've just checked on the forum that there was a bug-id and it seems it's been closed with a workaround of not using wildcard certs, is it resolved now?
    If yes, could you indicate to me how can I proceed to install it quickly?
    Regards

    Hello,
    The bug was about bad behavior when the wildcard certificate is used. The status of the bug now is "Terminated". That means it was found that the root cause for this bug is not really a bug (bad description, normal behavior, etc.).
    So, I think you can go with the wildcard certificate you have. The bug was opened on version 5.2, which is very old compared to 7.2.
    Let us know how it goes.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

    Hello
    I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
    Setup:
    We have two Cisco ASA 5525-X in an active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As bonus information, I previously had a test setup (stand-alone ASA 5510 - 8.2(5)) where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be because I am running a failover setup now and didn't previously, or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
    Configuration in regards to certificate:
    crypto key generate rsa label vpn.company.dk modulus 2048
    crypto ca trustpoint vpn.trustpoint
    keypair vpn.company.dk
    fqdn none
    subject-name CN=*.company.dk,C=DK
    !id-usage ssl-ipsec
    enrollment terminal
    crl configure
    crypto ca authenticate vpn.trustpoint
    ! <import intermediate certificate>
    crypto ca enroll vpn.trustpoint
    ! <send CSR to CA>
    crypto ca import vpn.trustpoint certificate
    ! <import SSL cert received back from CA>
    ssl trust-point vpn.trustpoint outside
    Problem:
    When I try to import the certificate I receive the following error:
    crypto ca import vpn.trustpoint certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    quit
    ERROR: Failed to parse or verify imported certificate
    Question:
    - Does any of you have any pointers as to what is going wrong?
    - Especially in regards to fqdn and CN, I also have a question. My config
    fqdn none
    subject-name CN=*.company.dk,C=DK
    would that be correct? I've read online that fqdn has to be none and CN should be *.company.dk when using a wildcard certificate. However, when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
    So do you have insight or pointers which might help me?
    Thank you in advance

    I also have a wildcard cert for my SSL VPN ASAs.
    When I import the cert I use ASDM instead of CLI...
    I import the wildcard as a *.pfx file and type in the password. Works fine...
    Perhaps the format is incorrect?
    Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
    Not sure if this helps but give ASDM a try?

  • GoDaddy wildcard certificate on Lion

    I have purchased a wildcard certificate from GoDaddy.com to cover our domain. I have the certificate along with the GoDaddy intermediate certificate installed on our Lion server. The server allows me to use the certificate for all of the services except Web. If I choose the wildcard certificate for web, save the change and then go back into it, the certificate is set to none. Does anyone know if the Lion Web server can use a wildcard certificate, or is it something specific to GoDaddy?
    Thanks
    Mark

    http://support.godaddy.com/help/topic/186

  • CSS 11501 - wildcard certificate with subject alternative names

    Hi,
    I generated a wildcard certificate for my company of type *.mycompany.com in a CSS 11501.
    For the site sub-domain1.mycompany.com it worked fine; for the site sub-domain2.sub-domain1.mycompany.com it didn't work.
    I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?
    Thank you very much,
    Cláudio Soares

    Hi,
    The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
    so using a wildcard certificate would be no different than using a standard certificate.
    If using the CSS to generate the Certificate Signing Request, just enter the Common
    Name with the leading asterisk for the subdomain portion of the hostname. Example:
    Common Name (your domain name) [www.mycompany.com]*.domain.com
    The only difference in configuring SSL termination would be that you could
    reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
    subdomains resolve to without having to worry about pop-up warnings on client's browsers
    (example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
    wouldn't be any different.
    Regards,
    Siva

  • VPN Cluster and Wildcard Certificate

    Hi,
    I am setting up a VPN cluster with three ASA boxes and I am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
    I am done with the setup and everything works fine, but as my initial setup (and the doc I have been reading) shows, the client first connects to:
    cluster.domain.com
    Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
    vpn01.domain.com
    or
    vpn02.domain.com
    or
    vpn03.domain.com
    Thus I would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster IP is configured on all boxes, and the master role is shifted if one of the boxes fails.
    Because of this I thought it would be a good idea to use 1 wildcard certificate (*.domain.com) on all boxes and avoid the hassle.
    Any experience or recommendations?
    BR,
    /K

    Hello Kenneth,
    It was working for versions before 9.
    On ASA 9 you cannot even install a wildcard certificate to manage the ASA via ASDM, so I guess VPN load balancing with a wildcard certificate will not work either (but I have not tested that).
    And it's not a bug - it's a feature - it's a security device and wildcard certificates are strongly discouraged.
    Michal

  • Does the iphone support the use of a wildcard certificate?

    Does the iphone support the use of a wildcard certificate?
    Our Exchange infrastructure utilises a wildcard (*.companyname) certificate from GoDaddy.
    - Connects fine and authenticates
    - Can manually sync and pull emails
    - Can Send and Delete emails
    However the server is not establishing the ActiveSync connection and ping so mail can be pushed to the device.
    My guess is it's a problem with the wildcard certificate that is used; WM5.0 devices didn't work with it. Does anyone know if the iPhone supports this?
    - I can get to OWA fine which uses the same wildcard cert.
    - WM6.0 devices push mail fine.
    Thanks.

    kfc01,
    The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
    Hope this helps,
    Nathan C.

  • Using wildcard certificate

    Hi, I have a wildcard certificate, *.contoso.com, with no SAN entries. I use this certificate for all web servers. Is it possible to use this certificate to connect mobile users to Lync 2013?
    Thanks
    Bruno
    Bruno Ausiello

    Hi,
    Wildcard entries are supported for the Simple URLs (meet, dialin, etc.) but you cannot use them for anything else, including the external web services FQDNs. So the wildcard certificate can reduce the cost of certificates placed on reverse proxy servers to publish the various external Simple URLs, but you still need a SAN certificate to publish other SANs such as the external web services FQDN.
    More details:
    https://technet.microsoft.com/en-us/library/jj205381.aspx
    Best Regards,
    Eason Huang
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Eason Huang
    TechNet Community Support

  • W2k8R2 - Enterprise CA - Need WildCard Certificate for Internal Use

    Hi guys,
    A new client of mine has a "standalone" CA in their domain already...but I need a Wildcard Cert for some applications I'm installing in IIS.
    I'm used to setting up an "Enterprise" CA and issuing a Wildcard Cert that way, but I don't know if the "standalone" CA can do that. I attempted to have IIS request a cert and it didn't auto-populate the CA information... but I told it to use CERTAUTHNAME\domaincontroller and it created one... but it doesn't appear to be working.
    My question is...if I install the Enterprise Root CA on a DC in their environment, can it interfere with the already issued certs from the standalone CA?
    I don't want to break something to move forward with my stuff.
    Thanks a lot and any help is greatly appreciated!!!

    A standalone CA can issue wildcard certificates. You just need to generate the certificate request manually (without using the IIS Mgmt console for that) by using an INF file and certreq. Then you submit your request to a CA server. Look at this article:
    http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
    Although this article is intended for OpsMgr, the certificate enrollment process is the same for all products; just skip the OpsMgr-specific stuff. There are three sections related to Standalone CAs: request generation, submission and installation. In the INF file, you specify your wildcard name in the Subject key.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.

  • CSS 11501 using wildcard certificates

    Hello,
    I'm about to switch to wildcard certificates in a CSS 11501, however there are some doubts that I would like to clarify:
    - When generating the CSR can I use *.mycompany.com for CN?
    - Should the CSR be generated only once, or every time I need to create a new content rule do I need to generate it?
      - If only once, can I associate multiple filenames with only one certificate?
        ssl associate cert myrsacert1 certificate.pem; ssl associate cert myrsacert2 certificate.pem...
    Thanks for your help,
    Best regards,
    Claudio

    Hello Claudio,
    - When generating the CSR can I use *.mycompany.com for CN?
    Yes, that will take care of any subdomain you need... something that you need to consider is that this wildcard will cover sites like cars.mycompany.com or shop.mycompany.com, but if you have a site that looks like ftp.shop.mycompany.com then you'll need a wildcard that looks like *.*.mycompany.com.
    The CSR is generated only once and from there you send it to your CA to have signed off.
    Not sure I fully understood your second question, once you received the cert and key whether in PFX or PEM format from your CA, you'll upload these to your CSS using FTP and then associate the file(s) to a name that is only meaningful to the SSL proxy list within your CSS.
    HTH
    Pablo

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a Verisign Secure Site Pro certificate with cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the Verisign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that, as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. OR do we have to go for a Verisign Wildcard Secure Site Pro Certificate, for a CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't, because your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
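The same name-matching rule underlies three of the answers on this page: Lutz's choice between a wildcard and a SAN certificate listing app01.domain.com to app10.domain.com, Pablo's point that *.mycompany.com does not cover ftp.shop.mycompany.com, and Sean's explanation that a cn=abc.com certificate does not satisfy a browser asking for www.abc.com. The following POSIX shell script is an added example, not code from any of these posts or products: it implements the single-label wildcard rule that browsers apply (a leading "*." matches exactly one DNS label, comparison is case-insensitive, any other name must match exactly) and lists which hostnames a given set of certificate names leaves uncovered. All certificate names and hostnames in it are constructed.

```shell
#!/bin/sh
# Added example, not code from any of the posts above. Decides which hostnames a
# certificate's names (the CN plus every SAN dNSName) actually cover, applying
# the rule browsers use: a leading "*." matches exactly one DNS label, so
# *.mycompany.com covers shop.mycompany.com but neither mycompany.com nor
# ftp.shop.mycompany.com. All certificate names and hostnames are constructed.
set -u

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# name_matches <cert-name> <hostname>: returns 0 if the cert name covers the host.
# Only a wildcard that is the whole leftmost label is honoured; anything else
# must match exactly (case-insensitively).
name_matches() {
  pat=$(lc "$1"); host=$(lc "$2")
  case $pat in
    \*.*)
      suffix=${pat#\*.}
      case $host in
        *.*) ;;            # host has at least two labels, continue
        *)   return 1 ;;   # a bare single label can never match "*.suffix"
      esac
      first=${host%%.*}; rest=${host#*.}
      if [ -n "$first" ] && [ "$rest" = "$suffix" ]; then return 0; fi
      return 1 ;;
    *)
      if [ "$pat" = "$host" ]; then return 0; fi
      return 1 ;;
  esac
}

# cert_covers <hostname> <cert-name>...: returns 0 if any name covers the host.
cert_covers() {
  host=$1; shift
  for n in "$@"; do
    if name_matches "$n" "$host"; then return 0; fi
  done
  return 1
}

# uncovered "<cert-names, space separated>" <hostname>...: prints, on one line,
# the hostnames that none of the certificate's names cover (empty if all covered).
uncovered() {
  names=$1; shift
  out=""
  for h in "$@"; do
    # $names is intentionally unquoted so it splits into the individual cert names
    if cert_covers "$h" $names; then :; else out="$out $h"; fi
  done
  printf '%s\n' "${out# }"
}

# Demo on the hostnames discussed in the threads (constructed examples).
echo "Not covered by *.mycompany.com: $(uncovered '*.mycompany.com' shop.mycompany.com ftp.shop.mycompany.com mycompany.com)"
echo "Not covered by cn=abc.com:      $(uncovered 'abc.com' www.abc.com a.abc.com abc.com)"
echo "Not covered by a SAN cert for app01..app03: $(uncovered 'app01.domain.com app02.domain.com app03.domain.com' app01.domain.com app04.domain.com)"
```

Feeding the list of names from a real certificate (the CN and the SAN dNSName entries) plus the hostnames users will type into uncovered gives, before the certificate is deployed on the trunk, proxy or VIP, the exact set of hosts that will raise a browser name-mismatch warning; a SAN certificate fails on the next host added (app04 above), a wildcard fails on the bare domain and on any deeper subdomain.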
