Wildcard certificates and portal gateway

Hi,
I have configured our portal gateway as follows:
hostname: gateway.domain.com
supplier.domain.com --> gateway.domain.com/supplier
employee.domain.com --> gateway.domain.com/employee
In order to get rid of the warning messages while connecting with the gateway, we plan to install a server certificate signed by Thawte. Because we have multiple hostnames (supplier and employee) I decided to give it a go with a trial wildcard certificate. I got this certificate from the Thawte website and installed it using certadmin.
Everything works fine with IE6.5, but when I try to connect with the gateway with Netscape Communicator (4.5 and 4.7) I get the following error:
...improperly formatted DER-encoded message.
Did anyone experience the same error? Is it a browser issue, or did I request the wrong certificate type?
--regards, Jordi

Seems to be more of a browser issue rather than a gateway issue; however, try getting a cert like gateway.domain.com and see if that works fine instead of the wildcard.

Similar Messages

  • Wildcard Certificate and Wireless Lan Controller

    Hello,
    I'm working with wlc 5508 version 7.2.111.3 and I'm looking to use a wildcard certificate. I've just checked on the forum that there was a bug ID, and it seems it's been closed with a workaround of not using wildcard certs; is it resolved now?
    If yes, could you indicate to me how I can proceed to install it quickly?
    Regards

    Hello,
    The bug was about bad behavior when a wildcard certificate is used. The status of the bug now is "Terminated". That means it was found that the root cause of this bug is not really a bug (bad description, normal behavior, etc.).
    So, I think you can go with the wildcard certificate you have. The bug was opened on version 5.2, which is very old compared to 7.2.
    Let us know how it goes.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wildcard Certificates and 4400 WLC

    First, I know the 4400 has been EOS. I am planning on replacing this with a new controller next year as part of a larger project. In the meantime, the certificate we have setup on our guest network is due to expire soon.
    I am pretty familiar with how to get a new certificate set up, but was wondering if anyone has had any experience with using a "wildcard" type certificate instead of the standard webserver-style cert? (http://www.digicert.com/wildcard-ssl-certificates.htm)
    It's my understanding that a wildcard certificate can be used for any type of server, but the server needs to support it.
    Thanks.

    All my recent installs using a 3rd party certificate have been with installing a chained certificate.
    Here is a doc that shows you how to combine a chained certificate and install it on a wlc.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    Sent from Cisco Technical Support iPhone App

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certificate in China

    Hi,
    we have the following problem. We have a mixed multi-domain one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 SP3 (RU15) and 2013 (CU8) in Europe and one 2007 SP3 (RU15) CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both the 2013 and 2007 CAS servers use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated.

    Yes, setting the EXPR value is most likely the cause of your issue. When you set this value you are telling Outlook to only accept connections from servers that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization-wide setting and cannot be configured on a CAS-by-CAS basis (if I'm wrong someone please keep me honest :)).
    So the only option you would have is to change all the URLs to be on the *.xyz.com domain. There's no need to change the domain the server actually resides on. The other option would be to purchase a UCC cert with all the names you need, apply it to all your CAS servers and reset the EXPR value.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

  • ISE 1.3 - wildcard certificate

    How to install an external wildcard certificate for SSL on ISE 1.3 and get it running for a guest portal?
    Follow these links for guidance:
    Cisco Identity Services Engine Admin Guide, Release 1.3
    http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html
    https://supportforums.cisco.com/discussion/12305836/installing-wildcard-cert-ise-httpeap
    see the recording of Tech Talk Security: BYOD, Integrated CA, Multi-AD WebSession from November 6, 2014 by Aaron Woland
    and now..... RESTART your ISE engine!
    ISE needs to be restarted to bind the intermediate and the wildcard certificate, which will be sent to the client for SSL. The client can then validate the certificates in the chain.
    Currently the restart is not documented by Cisco and there is no warning message to restart the ISE engine.

    Hi,
    You would have to restart the services; there is a note in the Cisco ISE document. Please refer to it below:
    If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
    Regards,
    Tushar Bangia
    Note : Please do rate post if you find it helpful!!

  • Implementing Wildcard Certificate on SQL Server

    Hi,
    I've been trying to configure a wildcard certificate, and no matter what I do, the certificates I create and import into the local store do not show up in the "Protocols for ...." window.
    In my opinion what is missing is a complete guide or document showing how to configure and implement wildcard certificates for SQL Server.
    regards

    Hi ArashMasroor,
    According to your description, you need to install a certificate on a computer that is running Microsoft SQL Server by using Microsoft Management Console (MMC); then you can request certificates for a SQL Server stand-alone server and use the certificate for Secure Sockets Layer (SSL) encryption.
    If, after you successfully install the certificate, the certificate does not appear in the Certificate list on the Certificate tab, the error occurs because you may have installed an invalid certificate. You must ensure the certificate meets the following requirements.
    1. You have a private key that corresponds to this certificate.
    2. On the Details tab, the value for the Subject field must be server name.
    3. The value for the Enhanced Key Usage field must be Server Authentication (<number>).
    4. On the Certification Path tab, the server name must appear under Certification path.
    For using the MMC snap-in to install the certificate on the server, you can review the following articles.
    http://support.microsoft.com/kb/316898
    http://technet.microsoft.com/en-us/library/dd851419.aspx
    Regards,
    Sofiya Li
    TechNet Community Support

  • Certificate for Portal and Backend Systems. What do I have to take care about?

    Hello,
    I would like to buy a certificate for secured HTTP, but I don't know what I have to take care about.
    Where do you buy your certificates? Can I use wildcard certificates for the portal and the backend systems?
    Is there a good shop for buying a certificate in Germany?
    Thanks, Vanessa

    Vanessa,
    You can approach both Verisign and Thawte and collect information.
    In the case of Thawte, you can just go to their site and there is an option for a free online chat with a Thawte associate. He/she will then guide you further.
    They will also share the details required for the certificate to get authorized.
    Plus, before ordering, you can also check the correctness of your certificate for free on their site.
    Hope this helps.
    Regards,
    Ritu

  • 2012 RDS + Gateway Certificate and .local domains

    Can someone verify this is the correct process to stop all certificate errors.
    RDS 2012 R2 deployment that is the following:
    1 server with broker, web and gateway roles installed.
    3 session hosts.
    Domain is a .local
    I want to stop all certificate errors. I have a certificate for the gateway/broker/web server, gateway.xxx.com.
    I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    Do I just need to run this script on the gateway/broker/web server, and will this stop the mismatch errors from the session hosts?
    Thanks

    Does SSO not work on less than this, as I have some XP clients and 8.1 is not available for them?

    Hi,
    To support older clients you need to have the wildcard certificate set on the RDP-Tcp listener on all RDSH servers. To do this you must import the certificate and its private key into the Local Computer\Personal store on each RDSH server, and then use WMI to set the certificate. The command below should be run on each RDSH in an elevated command prompt after you have imported the certificate and its private key:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
    Substitute your certificate's thumbprint for the one shown above.
    Please note that you will not get the best experience with clients that are not at least RDP 8.0 capable: many features will not be available, and you may run into certain issues. For XP you will want to install the RDP 7.0 client and make the registry changes on each client to enable CredSSP.
    Thanks.
    -TP

  • Rdpsign and wildcard certificate

    Hi,
    All is working fine with rdpsign and I can sign the file with the thumbprint of our wildcard certificate, but when running the file I still get a message "Do you trust the publisher of this remote connection?". It's not yellow with a warning, but a warning anyway. I can see a message:
    Publisher: *.domain.com (our wildcard certificate)
    Remote computer: rds.domain.com
    Gateway server: rdg.domain.com
    Is this normal for rdg files signed with wildcard cert used for RDS deployment?
    Best,
    Marcin

    Hi Marcin,
    Do you need any other assistance?
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both of these versions support wildcard certificates?
    Here you have the log file resulting from installing the wildcard certificate in the WLC with v 7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
         pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in wlc with  v 7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • VPN Cluster and Wildcard Certificate

    Hi,
    I am setting up a VPN cluster with three ASA boxes and I am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
    I am done with the setup and everything works fine, but as my initial setup (and the doc I have been reading) shows, the client first connects to:
    cluster.domain.com
    Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
    vpn01.domain.com
    or
    vpn02.domain.com
    or
    vpn03.domain.com
    Thus I would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster IP is configured on all boxes, and the master role is shifted if one of the boxes fails.
    Because of this I thought it would be a good idea to use 1 wildcard certificate (*.domain.com) on all boxes and avoid the hassle.
    Any experience or recommendations?
    BR,
    /K

    Hello Kenneth,
    It was working for versions before 9.
    On ASA 9 you cannot even install a wildcard certificate to manage the ASA via ASDM, so I guess VPN load balancing with a wildcard certificate will not work either (but I have not tested that).
    And it's not a bug, it's a feature: it's a security device and wildcard certificates are strongly discouraged.
    Michal

  • HTTP adapter, SSL and wildcard certificate

    Hi,
    I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
    The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
    The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
    When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
    - The certificate is issued from a valid CA
    - The certificate date is valid
    - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different from the one we are accessing. So it seems that the wildcard system is not working for this certificate? Is that possible if they acquired a wrong type of certificate by mistake? Or is a multipart wildcard certificate (*.*.*) not supported?
    Anyway, even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
    In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
    ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
    Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
    I am aware that I can write my own custom HTTP adapter, but I need this urgently so I thought of asking this forum's community first. Maybe someone has a quicker way than writing a custom adapter, such as some "hack" (registry keys, custom class...) or knows of an existing custom adapter already doing the job.
    Thanks in advance,
    Best regards,
    Francois Malgreve

    The certificate needs to be installed as an explicitly trusted certificate in the store under the computer account on the BizTalk machine and then it'll work. Refer to
    https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
    Regards.

  • RDS 2012 - No Wildcard Certificate

    Hi all,
    I will be using individual certificates per component, so I will have a certificate for broker.domain.com, gateway.domain.com and [email protected] These will be used from within the RDS console to deploy the certificates to the components.
    My question is, do I need to do anything else for the RDS Session Host servers (or will they use the certificates above)? Will I need a certificate per server, and if so does it need to be in the format SessionHost1.domain.com?
    Thanks.

    Hi,
    Thank you for posting in Windows Server Forum.
    As per my research, I can say that if you have fewer servers then you can follow the same certificate procedure and use that. But personally, if you have more servers then I suggest you purchase a wildcard certificate for your environment, because with a wildcard certificate you just need to purchase one certificate and can use it for your installed roles.
    Please check below article for more details.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • RDS 2012 R2 best design possible with wildcard certificate

    Hi!
    I am looking for some guidance for my RDS 2012 R2 design flaw.
    What I would like to achieve?
    *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
    What I have in place?
    1x Broker
    1x WebAccess
    1x Gateway (also license server)
    1x SessionHost
    1x Wildcard Certificate
    my internal domain is mydomain.local and external is mydomain.com
    I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
    Any guidance here will be very helpful.
    cheers
    Elton

    Hi Elton
    I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
    2 x RDSH servers
    1 x all other roles (web, gateway etc).
    However, I am using a valid single-URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607 authentication errors if the certificate is not fully valid: correct name, trusted, and revocation information available. If you have purchased a commercial wildcard cert, this should work.
    I did some testing and concluded the following, which may be of interest:
    If you are just using the farm for internal connections, you can use an internal CA, and create self-signed certs for the gateway and the RDSH servers. You could use individual certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA manually on the external client, because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
    If you are connecting from outside your network, you have 3 options:
    Use self-signed certs created during the role installation, and don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in Trusted Root Certification Authorities on the external client.
    Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could use either separate certs, wildcard or SAN. If you replace the certificates on the RDSH servers, they must be valid and match the names.
    Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
    To summarise, you can use either commercial or self-signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be a valid commercial one for external clients to be able to connect. Otherwise just leave it as self-signed.
    In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a URL matching the one on the certs. Or, create an internal DNS record, so that remote.domain.com points to the internal address of the RDWeb server. This should work as well.

  • Using same Wildcard certificate on multiple SAP systems with same domain name.

    Hello All,
    Need urgent help.
    I have a WILDCARD SSL certificate in pfx format. I also have the individual root certificate and primary certificate in text form.
    The certificate mentioned above is already active on one of our portals.
    We want the same certificate on ECC Production.
    What are the steps to import this certificate in STRUST?
    I believe no certificate response needs to be imported.
    I have a certificate response provided by Verisign, but STRUST says "cannot import certificate response".
    Please help.

    Hi,
    This is what I did for installing wildcard certificates:
    On the OS of the SAP server, log in with the sapadm account.
    Open a command prompt:
    make a backup of your sec directory in drive:\usr\sap\<SID>\DVEBMGS00\ (just to be sure)
    cd to drive:\usr\sap\<SID>\DVEBMGS00\exe
    >sapgenpse.exe import_p12 -p SAPSSLS.PSE location\to\the\certfile.pfx
    It will ask you for the PIN, and whether to overwrite the file; answer yes.
    Now copy the new SAPSSLS.PSE to a desktop that has SAP GUI.
    Log in with the SAP GUI and run transaction STRUST.
    Select Import from the PSE menu and open the SAPSSLS.PSE.
    Then again go to the PSE menu and select Save As.
    I saved it twice, once in System PSE and then again in SSL Server.
    For me SSL is now working without problems on a couple of servers.
    -small update-
    You can check internal servers using the certificate utility from DigiCert: https://www.digicert.com/util/
    It has the option to specify port numbers, useful for internal web services.
    Regards,
    Rolf
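Several threads above turn on the same question: which hostnames does a single certificate name actually cover? The following is an added illustration (not code from any of the posts or the vendors they mention) of the wildcard matching rules browsers apply, modelled on the supplier/employee gateway hostnames, the *.domain.com VPN cluster, and the *.*.*.company.com partner certificate from the BizTalk thread; the sample hostname lists are constructed, and the refusal of wildcards with fewer than two labels after them is a conservative assumption mirroring common browser policy rather than a rule stated on the page.

```python
"""Wildcard certificate name matching as browsers apply it (RFC 6125 s6.4.3 /
RFC 2818). Added example for the wildcard threads above; not code from any of
the posts or vendors they mention.

Rules implemented:
  * a wildcard is only valid as the entire left-most label ("*.domain.com");
  * it matches exactly one label, so "*.domain.com" covers "supplier.domain.com"
    but neither "domain.com" nor "a.b.domain.com";
  * names with several wildcards ("*.*.*.company.com") or a partial-label
    wildcard ("w*.domain.com") are rejected outright;
  * assumption (mirrors browser policy): a wildcard must be followed by at
    least two labels, so "*.com" is refused;
  * comparison is case-insensitive and a trailing dot is ignored.
"""


def _labels(name):
    """Normalise a DNS name and split it into labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_valid_name_pattern(pattern):
    """True if `pattern` is a plain DNS name or a well-formed wildcard name."""
    labels = _labels(pattern)
    if not labels or not all(labels):      # empty name or an empty label
        return False
    if "*" not in pattern:
        return True                         # ordinary name such as gateway.domain.com
    return (pattern.count("*") == 1         # exactly one wildcard ...
            and labels[0] == "*"            # ... forming the whole left-most label ...
            and len(labels) >= 3)           # ... with at least two labels after it


def hostname_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`."""
    if not is_valid_name_pattern(pattern) or "*" in hostname:
        return False
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard spans exactly one label, so label counts must be equal.
    if not h or not all(h) or len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def certificate_covers(cert_names, hostname):
    """True if any name on the certificate (CN or SAN entries) covers `hostname`."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def check_deployment(cert_names, hostnames):
    """Map each hostname a deployment uses to whether the certificate covers it."""
    return {host: certificate_covers(cert_names, host) for host in hostnames}


# Constructed sample deployments modelled on the threads above.
GATEWAY_HOSTS = ["gateway.domain.com", "supplier.domain.com", "employee.domain.com"]
VPN_CLUSTER_HOSTS = ["cluster.domain.com", "vpn01.domain.com",
                     "vpn02.domain.com", "vpn03.domain.com"]

if __name__ == "__main__":
    print(check_deployment(["*.domain.com"], GATEWAY_HOSTS))
    print(check_deployment(["gateway.domain.com"], GATEWAY_HOSTS))
    print(check_deployment(["*.domain.com"], VPN_CLUSTER_HOSTS))
    # The partner's multi-level wildcard from the BizTalk thread does not
    # match its own host, which is exactly the name mismatch IE reported.
    print(hostname_matches("*.*.*.company.com", "a.b.c.company.com"))
```

A certificate that fails these checks should be fixed at the issuing end (a single-label wildcard or a SAN certificate listing every name), not worked around by disabling validation in the client as the BizTalk thread contemplates.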
