WebAuth Cert signed by CA on WLC

Hello guys,
I have some problems with iOS 6 devices when using WebAuth on the WLC.
I think the problem is that I have a self-signed cert on the WebAuth of the WLCs, which Safari does not trust.
So I think the only solution is to install a cert that is signed by a root CA.
I found these instructions on how to generate a cert request for the WLC:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
Regarding that, I have some questions:
Has anyone had the same problems generally with untrusted certs on iOS 6?
When I have 2 WLCs, can I use the same certificate for both WLCs (the virtual IP and DNS name are the same)?
Has anyone done that with a 5508 or 4400 controller?
Thanks
Greetings, Philip

Exactly. You are getting this accept-cert prompt because the controller cert being presented to the device browser doesn't have the WLC cert in its trusted store.
Yeah, you would need to purchase a CA-signed cert to overcome this. If you go this route, I blogged this step-by-step process from CSR to install. It might help:
http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • Guest Cert problems ISE and Anchor WLC

    I'm setting up a new guest wireless network. I have 2 internal foreign 5508 WLCs talking to 2 DMZ anchor WLCs. The guest connects to the Guest SSID and the anchor controllers act as the DHCP server; the guest interface configured on the WLC is in the range of the DHCP scope I've set up. The DHCP scope is using the anchor WLC management interface as the DHCP server.
    Guest SSID - is set up for WebAuth and the guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the guest they get a cert problem because the cert is not trusted (it's an internal cert). The guest logs in OK and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
    In the browser the guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
    1.1.1.1 is the virtual interface of the anchor WLC.
    How can I get the client to stop using the virtual interface for the cert? Why is the WLC doing this? I gather it's something to do with DHCP?
    My plan is to apply an external cert on the ISE for guests; that way they will automatically trust a cert from GeoTrust, for example. But I'm still going to run into this cert "not trusted" problem where the guest is not trusting the WLC anchor virtual interface 1.1.1.1. Why is the guest using the virtual interface error 1.1.1.1? I've even added the ISE name of the cert to the virtual interface, same problem; instead it just says wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on the anchor WLC, still doesn't work.
    Hopefully I've explained this OK..... any ideas? But if the guest page keeps getting presented with
    https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

    I followed Richard's advice and started from scratch, removing LWA and implementing CWA with MAB. It didn't take too long to set up CWA and get authentication working; I applied a pre-auth ACL on the WLCs and on ISE under the Authorization profile (CWA).
    This is when the problems started happening. I was using the default ISE Authorization profile
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa, which is not what I want; again the certificate is the server cert, which is not an external cert that the guest wants to see. The user can log in fine, unlike LWA; with Firefox or IE it would accept the cert and log in, so at least I had a working guest Wi-Fi solution, though there was a cert error symbol at the end of the browser URL.
    The next step I tried was to change the Authorization Profile to
    (wireless.company.com, which is a CNAME for the ISE box and has this alias in the cert; this was a test before I apply the external cert)
    cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
    I applied the change and the new page appeared on the users' laptops, great, but this time users were declined access via Live Authentications, reason "Cannot login due to session id expiry, please login again". I created a new user account, same problem. Not good. OK, so I thought, well, if I want to clear all these stale session IDs that apparently exist I'll stop/start the application, which I did from the command line; still the same error "Cannot login due to session id expiry". Hmmm, what's going on here?
    I then rebooted the ISE (this must clear all the sessions!). I performed the reboot from home, and now for some reason I cannot log in to the ISE front-end GUI with the admin account or my account. I tried resetting the GUI password for admin and other admin users and got the message "Error: cannot reset password this can only be performed on Standalone or Primary node". Well, what have I done? I just rebooted ISE, nothing else apart from changing the authorization profile. This box is a Standalone node. Without being able to see if the clients connect, due to no GUI access, I have referred this issue to TAC!
    Also I don't like the fact that you have to install an external cert against the internal node name, especially when it's external. But again I haven't reached this part yet.

  • Icons cause cert signing to fail

    I hope someone can help with this. I have an AIR application for Windows desktop. After publishing the EXE I am using an advanced cert signing tool (because of the security of the cert, no .p12 or other export options are available). When I publish the app from Flash CC on Windows 8 without icons, my cert signing works great. If I add icons then the signing fails, stating "the file C:\Users\... could not be signed (0x800700c1)." I have tried re-saving the icons with different settings but nothing seems to work. It does, however, work if I publish it from Flash CS6 on Windows 7 with icons. Anyone know how to resolve this?

    Hi J-H,
    I am facing the same issue, Exchange 2010 SP3, AD RMS cryptographic mode 2 I am using. Please help.
    The following error I am getting:
    Results : Checking Exchange Server ...
                  - PASS: Exchange Server is running in Enterprise.
              Loading IRM configuration ...
                  - PASS: IRM configuration loaded successfully.
              Retrieving RMS Certification Uri ...
                  - PASS: RMS Certification Uri: https://rms.easeblr.com/_wmcs/certification.
              Verifying RMS version for https://rms.easeblr.com/_wmcs/certification
                  - PASS: RMS Version verified successfully.
              Retrieving RMS Publishing Uri ...
                  - PASS: RMS Publishing Uri: https://rms.easeblr.com/_wmcs/licensing.
              Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
                  - FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
              This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at http://go.microsoft.com/fwlink/?LinkId=186951.
    Please help.
    Manish Kumar, MCSA, MCITP Enterprise Admin, MCTS Exchange Server 2007, MCITP Virtualization Admin.

  • Iphone 5 Email client fails when connecting to server with certs signed by personal CA

    My mail resides on my own server with its own private CA, which was used to sign the email server cert.
    I use sendmail, and the CA and certs were created with the commands below:
    CA -newca
    openssl req -newkey rsa:1024 -nodes -keyout sendmail_req.pem -out sendmail_req.pem
    openssl ca -out sendmail_cert.pem -infiles sendmail_req.pem
    Before I switched to the iPhone 5 I had an iPhone 3s and all worked fine.
    I would get a notification "cannot verify server identity", but after clicking Continue all would work fine.
    The client would connect on port 993 to receive email and on port 587 to send.
    Now on the iPhone 5 I get the error "Cannot verify Server Identity" with no prompt to accept the cert.
    Is there any workaround for it?
    I tried to export the cert from my iMac and import it on the iPhone, but still no luck.
    It looks like since the iPhone 4 certs not issued by legal CAs don't work?
    thx

    I fixed that by getting certs from https://www.startssl.com/?app=1.
    The certs are free and work fine.
    Since the iPhone 4, Apple does not accept unknown CA authorities.

  • GoDaddy SSL Cert Signed by Unknown Authority

    At my school we have one Apple server which we recently upgraded to 10.5. We're using it to run a blog for teachers. We switched the site to use SSL and purchased a GoDaddy SSL cert (the wildcard type). The common name on the certificate I created in Server Admin is for *.e-lcds.org, this is the same common name I gave to GoDaddy in the CSR.
    I received both the certificate and the intermediate certificate from GoDaddy and installed both. Server Admin now says that the site is signed correctly by GoDaddy. The intermediate certificate (looking at Keychain Access) is not signed correctly, though, according to the server. The error is "This certificate was signed by an unknown authority".
    In the process of originally trying to figure out SSL certs I deleted all of the GoDaddy ones which I (thought) had added to start with a new one and have it re-keyed (which worked). I unfortunately may have deleted whatever certs need to be installed to verify the intermediate cert from GoDaddy. Is there a way to re-add these? Or is this another issue altogether?
    Thanks in advance,
    -MRCUR

    I ended up wiping the server since we switched its roles with a Linux box. I'm now using the GoDaddy SSL cert on the Linux box and the Xserve.

  • WLC AireOS 8.0 - how to set font-color for integrated webauth/weblogin?

    Hello,
    up to AireOS 7.6 I was able to set the font color of the internal webauth/weblogin page using HTML codes, for example like this:
    Headline: Welcome to our <font color="red">guest</font>-network!
    Message: You need a valid <font color="blue">user</font> to login.
    Now with AireOS 8.0 this doesn't work anymore. When I try to set a headline or message with font tags I get "Error while setting headline." (or "...message.") when I hit Apply. I have to remove the font tag to save the weblogin page.
    #CLIWEB-6-CLIWEB_INVALID_HTML_TAGS_USED: [PA] cli_web_api.c:1748 The Customization message field has invalid html tags
    #CLIWEB-6-CLIWEB_INVALID_HTML_TAGS_USED: [PA] cli_web_api.c:1663 The Headline field has invalid html tags
    So, how can we now set different font colors/styles like in previous releases? Using external pages or uploading self-made pages is not an option.
    Thanks,
    Chris

    Since you're using code to change the default internal portal page look, it's better for you to just create a custom WebAuth page and upload that to the WLC. That is how I do my implementations, as it's easier for me to create a new page than to try to mess around with the internal page. As you can see, Cisco can change the way things work in every version. It might just be the fact that they no longer allow HTML code to be inserted in the default webauth/passthrough page.
    Scott

  • WLC Virtual Interface config for a public SSL cert for Web Authentication

    I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so that when a Web-Auth user tries to authenticate they don't get the SSL cert error.
    In the document "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC" (Document ID: 109597) it states the following:
    "Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect."
    Here are my questions.
    1. I have always had 1.1.1.1 as the address of the virtual interface; should that change or can I leave it as 1.1.1.1?
    2. In the "DNS Host Name" field do I simply put the domain or the FQDN? Example: company.com or hostname.company.com

    Hi,
    1) You can change that if you want. Normally it is non-public and non-routable in your network.
    2) Put the host name that you are going to enter in your company DNS server, where that host name would be mapped to the virtual IP address.
    Regards
    Dhiresh
    ** Please rate helpful posts **

  • Custom WebAuth WLC 5760

    I want to set up a custom WebAuth page for my WLC 5760. I already downloaded the webauth bundle and put it on the WLC via Command > Download in the WLC GUI. According to the guide, after the download completes, the custom page will appear in the custom page dropdown for the web parameter map.
    But in my case it shows nothing. So what did I miss?
    Thank You

    Hi
    Pls refer to this document:
    http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117728-configure-wlc-00.html
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Error installation 3rd party certificate on wlc for webauth

    Hi,
    I would like to install a web auth certificate on a 5508, version 7.6.130.
    Every time I get an error on the web GUI or CLI like:
    (Cisco Controller) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Site Cert
    TFTP Server IP................................... 10.1.126.100
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ /wlan/
    TFTP Filename.................................... final.pem
    TFTP Webauth cert transfer starting.
    *TransferTask: Oct 07 14:33:08.162: RESULT_CODE:1
    *TransferTask: Oct 07 14:33:12.165: Locking tftp semaphore, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore locked, now unlocking, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore successfully unlocked, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.250: TFTP: Binding to remote=10.1.126.100
    *TransferTask: Oct 07 14:33:12.266: TFP End: 7959 bytes transferred (0 retransmitted packets)
    *TransferTask: Oct 07 14:33:12.266: tftp rc=0, pHost=10.1.126.100 pFilename=/wlan/final.pem pLocalFilename=cert.p12
    *TransferTask: Oct 07 14:33:12.266: RESULT_STRING: TFTP receive complete... Installing Certificate.
    TFTP receive complete... Installing Certificate.
    *TransferTask: Oct 07 14:33:12.266: RESULT_CODE:13
    *TransferTask: Oct 07 14:33:16.269: Adding cert (7895 bytes) with certificate key password.
    *TransferTask: Oct 07 14:33:16.309: RESULT_STRING: Error installing certificate.
    *TransferTask: Oct 07 14:33:16.309: RESULT_CODE:12
    Error installing certificate.
    What's funny is that when I install the same certificate on a 2106 (version 7.0.250.0), everything works!
    Does anyone have an idea how to solve this problem?
    Regards
    Juergen

    Hello, please check out these links and see if they help:
    https://supportforums.cisco.com/discussion/11376866/error-installing-certificate-help
    https://supportforums.cisco.com/discussion/12294996/web-auth-certificate-download-failed-install-certificate
    https://supportforums.cisco.com/blog/151061/generate-csr-third-party-cert-and-download-unchained-cert-wireless-lan-controller-wlc

  • Certificate error using webauth on guest wifi

    I am trying to set up a guest Wi-Fi. We have our custom page package loaded and it looks great with our graphics and logo. Basically you have to check a box and click Accept for the terms of service, and then it forwards you through to VLAN 12 in this case, which is directed to an Untangle software-based firewall/router with its own outside IP address.
    The issue is that when you initially join the wireless network, the page at 1.1.1.1/login.htm throws a certificate error and you have to "continue anyway" (Internet Explorer's language).
    Does this mean we need to put our wildcard certificate on it for our *.domain.com (GoDaddy signed), or does it need another kind of certificate? What format would it need to be in? (I have a PFX but can convert it if need be.)
    We are not passing any credentials, so it doesn't NEED to be HTTPS, so under Management > HTTP-HTTPS I changed WebAuth SecureWeb to Disabled. However, when doing this, WebAuth is still putting https://1.1.1.1 and I get a "page cannot be displayed". If I take the s out of https then the webauth page works.
    So two things here: how could I just use it with HTTP, or, if preferred, what format and what kind of certificate is needed to make HTTPS work in WebAuth? This is primarily for vendors that visit, or guests in our waiting lobby with their tablets or smartphones.
    The WLC is a 5508 running 7.4.121.0.

    I also tried this site:
    http://www.packethead.net/2013/08/05/cisco-wlc-wireless-lan-controller-certificate-install-mac-os-x/
    I tried it from the command line, and it TFTPs fine in all instances above but I get:
    TFTP Webauth cert transfer starting.
    TFTP receive complete... Installing Certificate.
    Error installing certificate.
    Might have to open a case with TAC if this doesn't work.
    I have OpenSSL 1.0.1j; is that maybe a bad version? Also every time I run it, it says WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Well, of course not; that is a *nix-based path and this is the 64-bit Windows version.
    What I can get is a download from GoDaddy, and the wildcard cert is already generated. I cannot submit a new cert request. We have this key and I've tried different ways of converting it with OpenSSL; I've imported it into Windows and exported it in various formats from the certificates MMC. Nothing will work with this WLC.

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both of these versions support wildcard certificates?
    Here is the log file resulting from installing the wildcard certificate in the WLC with v7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in a WLC with v7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • Third-Party Cert problem

    WLC 4402 - 4.2.130.0
    I have generated a CSR and received a certificate from GlobalSign. I followed the instructions in "Certificate Signing Request Generation for a Third-Party ......" (Doc ID 70584) and uploaded the certificate to the WLC.
    But still, when a user tries to log on to the portal (https://1.1.1.1/login.html), they get a certificate error: "The address does not match....."
    The DNS name for our controller is: wlan-controller-1.xxxxxxxxx.xx
    Any tips on how I can solve this?
    Regards
    JF

    I had the same problem with a GlobalSign cert - the problem is with your WLC software rev. The doc you referred to states:
    WLC software versions prior to 5.1.151.0 do not support chained certificates. The workaround is to use one of these options:
    Acquire an unchained certificate from the CA (which means that the signing root is trusted).
    Have all valid intermediate CA root certificates (trusted or untrusted) installed on the client.
    With WLC v5.1 we installed the chained GlobalSign cert and the cert works fine.
    cheers
    andy

  • Error when installing webauth certificate virtual wireless LAN controller

    Hi there
    I am having issues installing a web auth certificate for our virtual wireless LAN controller.
    I am issuing a certificate from our own PKI in the following format:
    device cert for WLC > Intermediate > our root cert.
    I have followed the discussion here
    https://supportforums.cisco.com/discussion/10890871/generating-csr-wlc-5508
    and the document here 
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#support
    However, I am still getting the following errors:
    *sshpmLscTask: Jun 30 17:18:26.443: sshpmLscTask: LSC Task received a message 4 
    *TransferTask: Jun 30 17:18:28.785: Memory overcommit policy changed from 0 to 1
    *TransferTask: Jun 30 17:18:28.785: RESULT_STRING: FTP Webauth cert transfer starting.
    *TransferTask: Jun 30 17:18:28.785: RESULT_CODE:1
    FTP Webauth cert transfer starting.
    *TransferTask: Jun 30 17:18:33.154: ftp operation returns 0
    *TransferTask: Jun 30 17:18:33.154: RESULT_STRING: FTP receive complete... Installing Certificate.
    FTP receive complete... Installing Certificate.
    *TransferTask: Jun 30 17:18:33.154: RESULT_CODE:13
    *TransferTask: Jun 30 17:18:37.159: Adding cert (8217 bytes) with certificate key password.
    *TransferTask: Jun 30 17:18:37.169: sshpmCheckWebauthCert: Verification return code: 1
    *TransferTask: Jun 30 17:18:37.169: Verification result text: ok
    *TransferTask: Jun 30 17:18:37.171: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
    *TransferTask: Jun 30 17:18:37.361: sshpmDecodePrivateKey: calling ssh_skb_decode()...
    *TransferTask: Jun 30 17:18:37.493: sshpmDecodePrivateKey: SshPrivateKeyPtr after skb_decode: 0x2aaaacb51628
    *TransferTask: Jun 30 17:18:37.493: sshpmAddWebauthCert: got private key; extracting certificate...
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: extracted binary cert; doing x509 decode
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: doing x509 decode for 1594 byte certificate...
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: failed to validate certificate...
    *TransferTask: Jun 30 17:18:37.494: RESULT_STRING: Error installing certificate.
    *TransferTask: Jun 30 17:18:37.495: RESULT_CODE:12
    *TransferTask: Jun 30 17:18:37.495: Memory overcommit policy restored from 1 to 0
    Error installing certificate.
    Any help is much appreciated

    Similar issue:
    https://supportforums.cisco.com/discussion/11043836/wism-42112-and-web-auth-certificate
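    The "Error installing certificate" threads above and the Common Name note quoted from Document ID 109597 earlier on this page come down to the same pre-upload checks on the bundle. The POSIX shell script below is an added example (not Cisco's tooling or any poster's script) that uses the openssl CLI: it builds a constructed root > intermediate > device chain for the made-up host wlc.example.com, writes the bundle in the order described above (device cert, intermediate, root, private key), and checks that the chain is complete, that the host name matches the device cert, and that the private key belongs to it. The host name, file names and function names are assumptions, and the demo key is unencrypted rather than protected by the certificate key password the logs mention.

```shell
#!/bin/sh
# Pre-upload checks for a WLC WebAuth certificate bundle (added example; not
# Cisco's tooling). Assumes the openssl CLI and a PEM bundle laid out as the
# posts above describe: device cert, intermediate(s), root CA, then the key.
set -u

# Split a PEM bundle into $2/cert-N.pem (N = position in the file) and
# $2/key.pem; print the number of certificates found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > f }
        /-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/,/-----END (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/ {
            print > (dir "/key.pem")   # an encrypted key makes openssl pkey prompt for its password
        }
        END { print n + 0 }
    ' "$1"
}

# Return 0 only if: the first cert is the device cert for host $2, every
# intermediate between it and the last (root) cert is present, and the
# private key in the bundle is the key of that device cert.
check_webauth_bundle() {
    bundle=$1; host=$2; status=0
    work=$(mktemp -d)
    n=$(split_bundle "$bundle" "$work")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: expected the device cert plus its CA chain, found $n certificate(s)"
        status=1
    elif [ ! -s "$work/key.pem" ]; then
        echo "FAIL: no private key block in the bundle"
        status=1
    else
        leaf="$work/cert-1.pem"; root="$work/cert-$n.pem"
        # Everything between the first and the last cert is an intermediate.
        : > "$work/untrusted.pem"; i=2
        while [ "$i" -lt "$n" ]; do
            cat "$work/cert-$i.pem" >> "$work/untrusted.pem"; i=$((i + 1))
        done
        set -- -CAfile "$root" -verify_hostname "$host"
        if [ -s "$work/untrusted.pem" ]; then set -- "$@" -untrusted "$work/untrusted.pem"; fi
        # Check 1: the leaf chains to the root through the intermediates and names $host
        # (Common Name / SAN must match the DNS host name of the virtual interface).
        if ! msg=$(openssl verify "$@" "$leaf" 2>&1); then
            echo "FAIL: chain or host name check for $host: $msg"; status=1
        fi
        # Check 2: the bundled private key matches the device cert's public key.
        openssl x509 -in "$leaf" -noout -pubkey > "$work/cert.pub" 2>/dev/null
        openssl pkey -in "$work/key.pem" -pubout > "$work/key.pub" 2>/dev/null
        if ! cmp -s "$work/cert.pub" "$work/key.pub"; then
            echo "FAIL: the private key does not belong to the device certificate"; status=1
        fi
    fi
    rm -rf "$work"
    return "$status"
}

# Build a constructed root > intermediate > device chain for the made-up host
# wlc.example.com in directory $1 (demo input only; a real device cert comes
# back from the CA that signed the CSR).
make_constructed_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:wlc.example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wlc.example.com" \
        -keyout "$d/wlc.key" -out "$d/wlc.csr" 2>/dev/null
    openssl x509 -req -in "$d/wlc.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/wlc.crt" 2>/dev/null
    # The bundle in the order the posts above use: device cert, intermediate, root, key.
    cat "$d/wlc.crt" "$d/int.crt" "$d/root.crt" "$d/wlc.key" > "$d/final.pem"
}

if [ $# -eq 2 ]; then
    check_webauth_bundle "$1" "$2"          # sh webauth-check.sh final.pem <virtual-interface-hostname>
else
    demo=$(mktemp -d); make_constructed_chain "$demo"
    check_webauth_bundle "$demo/final.pem" wlc.example.com && echo "constructed bundle: OK"
    check_webauth_bundle "$demo/final.pem" other.example.com || echo "(name mismatch rejected, as expected)"
    rm -rf "$demo"
fi
```

    Run it with no arguments for the constructed demo, or as `sh webauth-check.sh final.pem <hostname>` against a real bundle before trying the WLC upload again; the host-name check accepts a wildcard device cert when the virtual interface's DNS name falls under that wildcard.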

  • How to delete the x509 certificate on WLC

    Hi Forumers,
    I have installed a third-party CA cert and device cert on the WLC. I would like to ask whether there is any command that can delete these certificates?
    thanks

    Yong,
    I don't believe that you can 'delete' the certificate per se. Which cert are you referring to? The one that comes up when you browse to the web page of the WLC, the EAP device cert, or the webauth cert?
    config certificate generate webadmin
    config certificate generate webauth
    will tell the WLC to generate its own certificate for the webadmin and webauth.
    I'm not sure whether the webadmin one will clear the eapdevcert or not.
    HTH,
    Steve
    Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

  • How to replace an expiring self-signed certificate?

    Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
    First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
    It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
    The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
    It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
    I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted do not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
    I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certificate to see what they were.
    Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.)
    http://screencast.com/t/zlVyR2Hsc
    Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and its usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and its purpose is Server Authentication.
    Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
    http://screencast.com/t/54c2BUJuXO2
    Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
    Be aware that creating certificates starts to populate your server Keychain.
    http://screencast.com/t/JjLb4YkAM
    It appears that when you start to delete certificates, it leaves behind private keys.
    http://screencast.com/t/XD9zO3n16z
    If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
    OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
    In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
    Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
    Bypass "Introduction".
    In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
    The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
    You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
    In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
    The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean or how to select what to choose.
    (OK, here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's as clear as day to you rocket scientists out there, but for idiot teachers like me it's meaningless.
    Pant, pant...
    The next window asks for an email address and location information - this appears to be optional.
    Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
    Key Usage Extension window
    Here's where it gets interesting...
    I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
    Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
    Extended Key Usage Extension...
    Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
    Sorry, folks, I just HAVE to show you the help for this window...
    "The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid."
    KILL ME NOW!!!
    OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
    Basic Constraints Extension...
    Well, there is no mention of that on the original certificate, so leave it unchecked.
    Subject Alternate Name Extension...
    Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
    DONE!!!! Let's see what the heck we got!
    http://screencast.com/t/QgU86suCiQH
    Well, I don't know about you but that looks pretty close for Jazz?
    I got some extra crap in there but the stuff from the original cert is all there.
    Think we're OK??
    Out with the old certificate (delete).
    Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
    http://screencast.com/t/bydMfhXcBFDH
    Oh yeah...one more thing in KeyChain Access...
    See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
    http://screencast.com/t/GdZfxBkHrea
    Select "Always Trust".
    I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
    I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
    Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
    If you want to see my rant on Apple's worthless documentation, it's here.
    http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

    To add to countryschool and john orban's experiences:
    Using the + Create a Certificate Identity button in Server Admin is the same thing as running Keychain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
    In the second "Extended Key Usage Extension" dialog box, I UN-checked Any, PKINIT Server Authentication, and iChat Encryption. This produced the closest match to the server's default self-installed certificate.
    When updating trust settings in Keychain Access, the best match to the original cert is custom settings: set Always Trust for only SSL and X.509 Basic Policy.
    Supposedly you can use the Replace With Signed or Renewed Certificate button from Server Admin and avoid needing to re-assign to services. However, I was unable to get this to work because my new cert didn't match the private key of the old. For those interested in going further, I did figure out the following, which might be helpful:
    You can't drag and drop a cert from Keychain Access or Cert Manager. You need the actual PEM file. Supposedly you can hold down the Option button while dragging, but this didn't work for me. However, you can view the certificates directly in etc/certificates, but that folder is hidden by default. A useful shortcut is to use Finder / Go To Folder and type in "/private/etc/certificates".
    Now, on my system the modification date was the same for old and new certificates. Why? Because it seems to be set by when you last viewed them. So how do you know which is which? Answer: compare the file name to the SHA1 Fingerprint at the bottom of the certificate details.
    After you delete the old certificate, it will disappear in Keychain Access from the "System" keychains. However, in the "login" keychains the old one will still be there but the new one won't. It seems to make sense to delete the old one from here and add the new one. Somebody tell me if this is a bad idea. The + button does not work easily for this; you need to drag and drop from the etc/certificates folder.
    Lastly, the "common name" field is the server/host name the client will try to match to. You can use a wildcard for this, e.g. *.example.com. If you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. More info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
    Maybe that's helpful to somebody. But I stopped there since things seem to be working.
    Last note, which you probably know already: if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
    Now, we'll see how everything works once people start really using it...
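As an added example (not from either post above, and not Apple's tooling), this shell script builds with openssl the replacement self-signed server certificate both posts arrive at, then automates the two checks they did by eye: the SHA-1 fingerprint that has to be matched against the file name in /etc/certificates, and whether a private key really belongs to a certificate. The host name and paths are placeholders; the Key Usage flags are the ones the posts report (a TLS server doing RSA key exchange would normally carry keyEncipherment rather than dataEncipherment).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the posts' certificate with
# openssl and script the comparisons they made by hand. Host name and paths
# are constructed placeholders.
set -eu

WORKDIR=$(mktemp -d)
CN="server.example.com"   # placeholder: the host name clients will match against

# openssl config with the Key Usage / Extended Key Usage / Subject Alternative
# Name choices from the posts. Basic Constraints is left out, as they left it
# unchecked, and the dNSName mirrors the common name.
write_config() {
  cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $CN
[v3_server]
keyUsage         = critical, digitalSignature, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$CN
EOF
}

# 2048-bit RSA key and an 1826-day (5 year) self-signed certificate, as chosen above.
make_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 1826 -sha256 \
    -config "$WORKDIR/server.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.pem" 2>/dev/null
}

# The file name in /etc/certificates carries the SHA-1 fingerprint; emit it
# as 40 upper-case hex digits without colons so the two can be compared.
fingerprint_name() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# The "new cert didn't match the private key of the old" problem: the definitive
# check is that the key's public half equals the public key inside the cert.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Decoded extensions, for confirming KU, EKU and SAN came out as intended.
cert_text() { openssl x509 -in "$1" -noout -text; }

make_cert
echo "SHA-1 fingerprint to look for in the file name: $(fingerprint_name "$WORKDIR/server.pem")"
```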
