VeriSign cert and IE5 on WLCS

Hi.
We installed the purchased certificate (from VeriSign) on our server,
WebLogicCommerceServer (weblogic.security.certificate.server and
weblogic.security.key.server).
When the client accesses this host with the IE5.5 browser, everything is OK.
When the client uses IE5, however, he gets the error "the security
certificate was issued by a company you have not chosen to trust".
If we add weblogic.security.certificate.authority pointing to a
VeriSign root certificate (which we took from their site), then sometimes
the client gets a "can't display page", and sometimes the same error as
above.
Any hints?


Similar Messages

  • ACS SE w/ Verisign Cert

    I am using the ACS as an authentication server against AD for my wireless network. I have a WiSM as my WLC, and some of my users are getting a certificate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or "cert not verified" from the iPhone. The certificate is valid and I installed an intermediate CA. No matter what I try I can't get the error to go away.
    Could someone please assist?
    Thanks
    mike

    I am using PEAP with MSCHAP. From the iPhone I am getting "the cert is not verified". When I use the Intel PRO supplicant on a laptop, it refuses to log on even though I select "use any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computers; I don't believe that is correct. I am using a Verisign cert, so it should already be on my computers.
    Internet Explorer is not having an issue with the cert, and the Dell wireless WLAN client does not have a problem either.
    Mike

  • Non-Verisign certs in WS7

    Hello,
    I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
    In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
    For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
    Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
    Thanks,
    Bill

    Output of wadm list-certs --verbose -all:
    nickname        issuer-name     expiry-date
    [email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PM

    There is no -h option to certutil -L:
    certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]

    However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
    # pk12util -o xxx -d . -n [email protected]:Server-Cert  
    Enter Password or Pin for "NSS Certificate DB":
    Enter Password or Pin for "[email protected]":
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL
    # pk12util -i xxx -d $PWD
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    # certutil -L -d .   
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Server-Cert                                                  u,u,u
    # certutil -L -d . -n Server-Cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
                ns L.L.C.,C=US"
            Validity:
                Not Before: Fri May 19 00:00:00 2006
                Not After : Sat May 19 23:59:59 2007
            Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
                et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
                S"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                        46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                        d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                        39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                        49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                        df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                        82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                        10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                    Exponent: 65537 (0x10001)
    (stuff deleted for brevity - let me know if you need to see all of this output)

    Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
    BTW, I also sent a note to NetSol's support people, and they had this thought:
    As we use an intermediate, that could be the reason why they are not listed.
    Without the intermediate it will not find a chain to the trusted root.
    We would recommend contacting the software provider for details on
    importing the intermediate into the application server.

    I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
    On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
    # certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
    -d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
    # certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
    -d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
    # certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
    -d . -a -i /tmp/certs/NetworkSolutions_CA.crt
    # certutil -L -d .                                                                                     
    Admin-Server-Cert                                            u,u,u
    Admin-Client-Cert                                            u,u,u
    AddTrust External Root                                       CT,C,C
    UTN-USERFirst-Hardware - AddTrust AB                         c,, 
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Admin-CA-Cert                                                CTu,u,u

    However, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
    Let me know what you'd like to see next.
    Thanks,
    Bill

  • FYI. Verisign Cert & ACS

    For those who have trouble getting a Verisign cert working on the ACS box: I just spoke to Verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that is not compatible with Verisign. Verisign is working on the issue; it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about what version of ACS is causing the issue or so... I'm using ACS 3.3 at the moment.

    I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
    When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
    Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
    It works fine after all that =)

  • Is verisign cert "multi purpose"?

    If I get a certificate from Thawte, I can get the multi-purpose Authenticode cert, export it from IE, import it into Netscape and be able to sign Netscape objects as well as CAB files.
    Can I do the same thing with the verisign cert? Verisign doesn't talk about this on their website, but maybe they just want people to pay $800 instead of $400? Just curious if anyone has tried this. If you have tried it, let me know.
    (before anyone asks, yes, I would love to go with thawte, and have in the past, but my organization has recently made the decision that thawte is no longer an option, so I have to go with verisign)
    Thanks!
    Kirby

    To fully answer my own question,
    I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
    I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
    Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

  • What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

    Hello,
    We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing the root CA Cert and Enterprise CA certs. We run PKISync.ps1 to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests. We are trying to figure out the best way of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
    1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    3. Any other suggestions/references regarding best practices on how to do this?
    Thanks for your help! SdeDot

    > Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    Yes. Though we do not bother with the CRL copy, as it is published to an HTTP location only.
    > Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    I would suggest not using LDAP URLs, in favor of HTTP.
    Vadims Podāns, aka PowerShell CryptoGuy

  • Cisco 3850 and Licences for WLC??

    Hello
    We have a client who needs a new switch which is capable of intervlan routing and also a WLC.
    I am thinking a 48 port 3850 with IP Base which gives intervlan routing and WLC support.
    However I am not sure if we need to purchase additional AP licences or whether they are built in?
    Cheers

    In 3850 WLC functionality, your switch stack could act as MA (Mobility Agent) or MC (Mobility Controller). An AP license is required for your 3850 only if it is acting as MC (for MA you do not require any AP licenses). A maximum of 50 APs can be handled by a given 3850 switch stack. For MC functionality you require at minimum the IP Base image (not LAN Base).
    So based on your design you need to purchase 3850 AP licenses. In your case, if it is for a single switch where the client wants WLC functionality (with no other controller available), then you have to go with AP licenses depending on how many APs they want to deploy.
    The BRKCRS-2889 Cisco Live material will give you a good overview of this new Converged Access deployment model, MA/MC functionality and a few design options.
    HTH
    Rasika

  • What is the Best Practice for publishing Offline Root CA Cert and CRL to Active Directory?

    Hi,
    I've read and seen in a few labs different approaches to what is published in Active Directory for an Offline Root CA. I've seen just the Root Cert published to AD, as well as the Root Cert and the Root CRL published to AD.
    I can understand why the Root Cert is published to AD, but why would the Root CRL need to be published to AD, especially if my Offline Root CA just issues the cert for my Subordinate Issuing CA? So I'm looking for best practices here.
    Thanks for your help! SdeDot

    On Sun, 22 Feb 2015 18:44:25 +0000, Andrzej Kazmierczak wrote:
    Best practice is to publish CRL to 2 alternative paths - LDAP for your internal users to access them on the first place and HTTP as an alternative option to LDAP and as the only option for your external users.
    No, the current recommended best practice is to publish to a highly
    available HTTP location first (and possibly the only CDP) that is available
    both internally and externally. This covers Windows and non-Windows
    devices, domain joined and non-domain joined devices and internal and
    external devices as well as multi-forest scenarios with no trust between
    forests.
    Paul Adare - FIM CM MVP
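
For the CRL questions in this thread and in the cross-forest thread above (publish the CRL to an HTTP location, not only LDAP), here is an added example that is not taken from either answer: it issues two certificates with openssl, one whose CRL Distribution Point is an HTTP URL and one that offers only an LDAP URL, lists the CDPs a client would try, flags the LDAP-only certificate, and runs openssl's CRL check with a freshly generated CRL before and after revoking one of the certificates. The issuing CA, hostnames and URLs are invented for the demo, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the original threads): HTTP vs LDAP CDPs and an
# offline CRL check with openssl.  Needs OpenSSL 1.1.1+ (-ext); every name,
# hostname and URL below is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

mkcsr() {   # $1 key file, $2 CSR file, $3 subject (EC keys: fast to generate)
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Self-signed demo issuing CA with the key usages a CRL issuer needs.
mkcsr ca.key ca.csr "/CN=Demo Issuing CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem 2>/dev/null

# Issue a leaf whose only CDP is the URI given.  $1 host label, $2 CDP URI
issue() {
  mkcsr "$1.key" "$1.csr" "/CN=$1.example.test"
  printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue http-host "http://pki.example.test/issuing.crl"
issue ldap-host "ldap://dc1.example.test/CN=Demo%20Issuing%20CA?certificateRevocationList?base"

# Minimal "openssl ca" state so revocation and CRL generation work offline.
: > index.txt
echo 01 > crlnumber
printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\n' > ca.cnf

gen_crl() {   # $1 output CRL (PEM), valid for one day
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem -crldays 1 -out "$1" 2>/dev/null
}

# CDP URIs of a certificate, one per line: these are what a client will fetch.
cdp_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'
}

# 0 if at least one CDP is HTTP (usable by non-domain, external and non-Windows
# clients), 1 if the certificate offers only LDAP (or no) CDPs.
has_http_cdp() {
  cdp_uris "$1" | grep -q '^http://'
}

# openssl verify with CRL checking for the leaf: 0 = good, non-zero = revoked/failed.
crl_check() {   # $1 CA cert, $2 CRL file, $3 leaf cert
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

gen_crl fresh.crl
openssl ca -config ca.cnf -revoke http-host.pem -keyfile ca.key -cert ca.pem 2>/dev/null
gen_crl after-revoke.crl

for c in http-host.pem ldap-host.pem; do
  if has_http_cdp "$c"; then echo "$c: HTTP CDP present"
  else echo "$c: no HTTP CDP, clients would have to use: $(cdp_uris "$c")"; fi
done
crl_check ca.pem fresh.crl http-host.pem && echo "fresh CRL: http-host.pem is good"
if crl_check ca.pem after-revoke.crl http-host.pem; then echo "unexpected: still good"
else echo "after revocation: http-host.pem is rejected"; fi
```

To audit real certificates, point cdp_uris and has_http_cdp at the PEM files your issuing CA hands out; a certificate that fails has_http_cdp can only be revocation-checked by clients that can reach your LDAP directory, which is exactly the non-domain and external case the answer above warns about.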

  • ACE SSL - Modifying certs and keys

    I'm having a problem updating the certs and keys I have in my ssl-proxy service.
    My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
    Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
    Thanks!

    I changed my certs hot while the application was still running; it worked like a charm.
    What I did was:
    - import the new certificate into the crypto store (pkcs12)
    - prepare a text file with the necessary commands
    no key old
    key new
    no cert old
    cert new
    - paste the commands into the running config.
    I had several customers and application admins test the app while I was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert; old connections were using the old cert. No trouble at all.
    And yes, the ACE caches the certs, if I am not mistaken.
    If you want to make sure that it works, just create a test context or try it on a test farm first. That's what I did prior to changing the certs and the config on the production environment.
    Hope it helps.
    Roble

  • CUP. Replaced cert and now services diag page shows issues

    Hey all,
    I used the OS page to generate a CSR, had it signed, uploaded the cert to the server and rebooted. I also uploaded the cert to the CUCM publisher. The following lines are showing on the CUP diag page. The docs I have found thus far are not very clear on what all needs to be replaced.
    Verify Cisco XCP Connection Manager's service status
    Cisco XCP Connection Manager service is currently down.service state=[UNKNOWN] reason=[null]
    To start the Cisco XCP Connection Manager service, please use the Serviceability application 
    Verify Cisco XCP Authentication's service status
    Cisco XCP Authentication service is currently down.service state=[UNKNOWN] reason=[null] 
    Verify Cisco IM and Presence Data Monitor service is running on all nodes.
    Could not determine the status of the Cisco IM and Presence Data Monitor service on the following nodes: 192.168.10.3
    On all impacted nodes verify that no other services are currently starting, stopping or restarting. Wait until all service operations have completed and retry the test. Check System > Notifications and verify that communication between IM and Presence and the CUCM publisher node is working. If the CUCM publisher node has been upgraded to a Maintenance Release or Service Update and the IM and Presence nodes in the cluster are not being upgraded, you must reboot them.

    Bump.
    Has anyone replaced the certs and run into this issue? If not, what process did you follow?
    Jabber is working fine... I would like to clear up the errors.

  • Nagios, certs, and NRM/ Remote Manager

    We just created a brand new xen guest OES11sp2/SLES11sp3 server, and already the certs for the NRM are no good, they're still using the ones created in YAST during the SLES install portion.
    (eDirectory certs were created and all four validate just fine)
    For now, I just made an exception in my browser, but when I go to the NRM and go to check Health status, I get a nagios login window. that's new.. and if I try to log in with my eDir credentials, it fails, and now I just see a 500 error. The rest of NRM works okay though.
    If I export the eDir certs and use keytool to export them to server.pem and server.key and overwrite the ones at
    /etc/opt/novell/httpstkd (well, actually, /etc/ssl/servercerts) will that fix nagios or is there another issue here?
    And I'm wondering why the eDirectory certs didn't overwrite the YAST certs.. we always have the install do that.

    This gets weirder.
    I used "openssl x509 -in servercert.pem -text" on the new server to check the servercert.pem cert under /etc/ssl/servercerts, and it turns out it IS the eDirectory cert.
    I've restarted both nagios and httpstkd, but the httpstkd configure page claims it's using the old Yast cert; it is configured to use the /etc/ssl/servercerts (through a softlink).
    Firefox accepts the cert fine, Chrome complains that the certificate doesn't match the URL, which is ridiculous. It's absolutely the same.
    I hate certs.
    Anyway, in either case, I still get the 500 error with nagios. It asks for a login, I have no idea what it wants. My edir user doesn't work, and neither does root.

  • Chained Certs and CSS

    I've followed the docs regarding concatenating an intermediary CA cert and the server cert. So I now have a text file containing the CA first, a new line, and the server cert. It's in PEM format and transferred to the CSS. My ssl-proxy-list and ssl-server have been configured and SSL works. It all works; the problem is that I get that annoying "untrusted SSL cert" window all the time. I know the original server worked.
    Help?

    Ensure the sequence of the certification chain.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801de89b.shtml
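
The IE5 error in the opening post, the iPhone/ACS "cert not verified" thread, the NetSol note in the WS7 thread ("without the intermediate it will not find a chain to the trusted root") and the CSS chain-order question above all come down to the same thing: the client only trusts the root, so the server has to present the intermediate, and in the right order. The following script is an added example, not code from any of the posts or products above. It builds a throwaway root/intermediate/leaf chain with openssl, verifies the leaf with and without the intermediate, and checks that a PEM bundle is ordered server cert first with each certificate followed by its issuer. All names (Demo Root CA, www.example.test) are made up, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the original threads): why a missing intermediate
# breaks verification, and how to check the order of a PEM chain bundle.
# Needs OpenSSL 1.1.1+; every name and hostname below is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

mkcsr() {   # $1 key file, $2 CSR file, $3 subject (EC keys: fast to generate)
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root: the only thing the browser / supplicant trusts out of the box.
mkcsr root.key root.csr "/CN=Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA signed by the root: the certificate the threads above were missing.
mkcsr inter.key inter.csr "/CN=Demo Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null

# Server (leaf) certificate signed by the intermediate.
mkcsr leaf.key leaf.csr "/CN=www.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Verify a leaf against a trusted root, optionally with an untrusted intermediate.
# $1 root, $2 intermediate file or "" for none, $3 leaf.  Status is openssl verify's.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# 0 when every certificate in PEM bundle $1 is followed by its issuer
# (issuer DN of cert i == subject DN of cert i+1), 1 otherwise.
check_chain_order() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  count=$(ls "$d" | wc -l | tr -d ' ')
  i=1; rc=0
  while [ "$i" -lt "$count" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    nxt=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$iss" != "$nxt" ]; then rc=1; break; fi
    i=$((i + 1))
  done
  rm -rf "$d"
  return "$rc"
}

cat leaf.pem inter.pem > good.pem   # server cert first, then its issuer
cat inter.pem leaf.pem > bad.pem    # CA first, server cert second: wrong order

if verify_leaf root.pem "" leaf.pem; then echo "unexpected: verified without intermediate"
else echo "root only: leaf NOT verified (unable to get local issuer certificate)"; fi
verify_leaf root.pem inter.pem leaf.pem && echo "root + intermediate: leaf verified"
check_chain_order good.pem && echo "good.pem: chain order OK"
check_chain_order bad.pem || echo "bad.pem: chain order wrong"
```

To check a real server, save what it actually sends (openssl s_client -connect host:443 -showcerts) as a bundle and run check_chain_order on it; a bundle that passes but still fails verify_leaf against the root means an intermediate is missing rather than misordered.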

  • [solved] Renewing a verisign cert

    Sorry, this isn't Arch related, but I'm having a tough time googling the correct answer. I've got a customer using Red Hat Linux and wanting to renew their Verisign SSL cert for a web page. I'm following the instructions listed at https://knowledge.verisign.com/support/ … t&id=AR142
    My question is, do I need to generate a new key pair if i'm renewing the certificate?
    Thanks,
    MP
    Last edited by murffatksig (2009-09-15 20:17:40)

    You don't have to.
    Generally they either:
    a) just re-sign the original cert request they have on hand (new certificate lifetime)
    b) ask for a new CSR to sign
    c) ask you to generate a new key, and then a new CSR to sign
    I think which operation they prefer depends on the vendor.
    https://knowledge.verisign.com/support/ … 3035718053
    For the sake of security though, it certainly wouldn't hurt to generate a new private key and CSR, and then have that CSR signed (option c above).
    Another relevant link: http://serverfault.com/questions/42993/ … ith-apache
    Apparently Verisign does allow option a (see the last comment on the serverfault page).
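
For the renewal question above and for the ACE "I still see the old cert" thread earlier on this page, the check a practitioner wants is whether the certificate in hand was really issued for the private key being deployed. The script below is an added example, not Verisign's or Cisco's procedure: it compares the SHA-256 of the SubjectPublicKeyInfo taken from a key, a CSR and a certificate (identical for all three artefacts of one key pair) and uses that to tell a re-signed CSR (option a, same key) from a fresh key and CSR (option c). The demo CA, hostnames and file names are invented, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the original threads): does this certificate belong
# to this private key?  Needs OpenSSL 1.1.1+; all names below are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# DER SubjectPublicKeyInfo extracted from a private key, a CSR or a certificate.
spki_der() {   # $1 = key|csr|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *)    echo "spki_der: unknown kind '$1'" >&2; return 2 ;;
  esac
}

# SHA-256 of that SPKI: the same for the key, CSR and cert of one key pair.
spki_fp() {
  spki_der "$1" "$2" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 if certificate $1 was issued for private key $2, 1 otherwise.
cert_matches_key() {
  [ "$(spki_fp cert "$1")" = "$(spki_fp key "$2")" ]
}

# ---- demo data (constructed) -------------------------------------------------
# Stand-in for the commercial CA (EC key, fast to generate).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout ca.key -out ca.csr -subj "/CN=Demo Issuing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem 2>/dev/null

sign() {   # $1 CSR, $2 output certificate: the CA signs whatever CSR it is given
  openssl x509 -req -in "$1" -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 -out "$2" 2>/dev/null
}

# The customer's original RSA key and CSR, and the certificate about to expire.
openssl req -new -newkey rsa:2048 -nodes -keyout old.key -out old.csr \
  -subj "/CN=www.example.test" 2>/dev/null
sign old.csr expiring.pem

# Renewal option (a): the CA re-signs the CSR it already has.  Same key pair.
sign old.csr renewed_a.pem

# Renewal option (c): new private key, new CSR, new certificate.
openssl req -new -newkey rsa:2048 -nodes -keyout new.key -out new.csr \
  -subj "/CN=www.example.test" 2>/dev/null
sign new.csr renewed_c.pem

for c in expiring.pem renewed_a.pem renewed_c.pem; do
  for k in old.key new.key; do
    if cert_matches_key "$c" "$k"; then echo "$c <-> $k: match"; else echo "$c <-> $k: MISMATCH"; fi
  done
done
```

Run cert_matches_key against the files you are about to upload to the ACE (or any other TLS endpoint) before swapping them in: a mismatch is the usual reason a device keeps serving the old certificate or fails the TLS handshake after a renewal done under option (c) with the old key still configured.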

  • Zebra QL420 Printer using PEAP (Verisign Certs)

    Hi,
    Has anybody been able to successfully get a Zebra printer QL420 Plus connected to Cisco LWAPP/CAPWAP APs ?
    We are using WPA2 - PEAP with Verisign Signed Server Certificate.

    Yes, I have the QL420+ printers working with a 5508 WLC and 3502E CAPWAP APs and PEAP.
    Fotis - You will most likely find the reason for the slow ping response is down to the setting for "Power Mode". You likely have it set to "best". This setting controls how long the device "sleeps" before it awakens and downloads queued traffic from an AP. Setting it to "off" will put the device into CAM (Constantly Awake Mode). This means that the device never switches its radio card off and never allows traffic to be queued on an AP. However, this will mean that the drain on the device's battery will be much greater. I believe there is a sliding scale of settings for this device that go in order of highest battery drain as follows:
    Best
    1
    2
    3
    4
    off
    Off will give you the best performance with maximum battery drain. Play with the settings and see which gives the best performance/battery drain balance.
    Regards
    Simon

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I am trying to enable the same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that one first tries authentication with a token (Single Sign On case, for example) and, if it is not successful, goes to the log-in page).
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web client. We have configured our auth-method to be FORM, and in the <form-login-page> we point to that custom Servlet, which does the handling described below.
    1. If the client does not send tokens in the request, then set the response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    This works fine and the client starts to send his tokens.
    2. Now check the token; if it is valid, let the user in, if not forward him to the custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. The client is forwarded to the log-in page as requested, gives his credentials and pushes OK.
    The log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated the TCP traffic at the server machine): the client (in this case IE) seems to somehow override the credentials (it does not send j_password and j_username in the HTTP request at all) but keeps on sending this 'Authorize' field with the invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case the client does not start to send the 'Authorize' field). In this case those values are put in the HTTP request OK and authentication is able to take place.
    Anyone have any ideas how I can force my clients to send those values from the HTML FORM described above? Should I set something in the response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to the login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.
