Wildcard SSL cert on ASA

Similar Messages

• Wildcard SSL Cert on ASA 5500

  What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert?  I'm running 8.2.5 code.

  Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.
  Sent from Cisco Technical Support Android App

• Use Wildcard SSL Cert to Monitor Non-Domain COmputers

  Hello,
    I was wondering if a Wildcard SSL Cert from GoDaddy or another Provider can be used to monitor Non-Domain Computer on SCOM 2012R2?
  TIA,
  Jim

  Hi,
  The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
  certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Wildcard SSL Cert

  Is it possible to install a wildcard SSL cert in Messaging Server? I attempted to install the cert that I have and I am giving an error saying "cert was not generated for this server".
  Thanks,
  Pete

  I have managed to use pk12util to import the wildcard cert into the trust store. I have used configutil to set the appropriate parameters to enable SSL and POP over SSL. However, when I start the server I get the following error in the imta log file: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to *.unca.edu (-8177).

• Install GoDaddy Wildcard SSL cert on GW WebAccess - ver.8

  I have followed all of the documentation regarding generating a CSR, creating the new eDirectory object from which that CSR is generated, then subsequently downloading and doing the "read from file" SSL cert installation, and it won't validate.
  I have a NetWare 6.5, SP8 server running Apache/Tomcat and it's our GroupWise WebAccess server (version 8).
  I want to encrypt the sessions as well as the authentication from the GW WebAccess login screen (right now, it's just http://).
  Our institution purchased a wildcard, unlimited subdomain, SSL certificate from GoDaddy to use for this, and other, SSL cert. needs.
  No matter what I do, it won't work.
  I am using ConsoleOne to create the new eDirectory object according to the documentation, generate the CSR, and install the certificate, but to no avail.
  Can anyone help?

  Originally Posted by AndersG
  Fmcunningham,
  > > I am looking at installing a cert as well. I have NOWS SBE 2.0
  > > upgrading to SBE 2.5 this weekend and would like to add a CA Cert. Do I
  > > need a Wild card cert to be able to accomplish this?
  >
  Only difference between a wildcard and a regular (apart from price) is that
  a wildcard covers all hosts in a domain,. Ie *.acme.com, whereas a regular
  cert only covers a named host, homer.acme.com
  - Anders Gustafsson (Sysop)
  The Aaland Islands (N60 E20)
  Novell has a new enhancement request system,
  or what is now known as the requirement portal.
  If customers would like to give input in the upcoming
  releases of Novell products then they should go to
  http://www.novell.com/rms
  I am running SBE 2.0 upgrading soon to SBE 2.5. I am not using sub domains, so I think I should be fine with just a normal cert. The real reason I want to go with a cert from a CA instead of a self signed is for webaccess.

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• Importing wildcard identity SSL cert in ASA?

  Where would I find instrutions on how to import CA certified identity SSL wildcard certficate ( like *.company.net - ) in ASA?
  The CSR for the wildcard certificate was not generated out of the ASA unit.

  Wildcard certificates gets installed like any other certificates via ASDM and PKCS12 file.
  I'm not sure if the ASA can generate a wildcard request, you should do this with an openssl installation.

• CSS11506 + wildcard ssl cert ?

  We have a need to terminate multiple SSL websites on our CSS. So name1.test.com
  name2.test.com, name3.test.com etc. The problem I have found is that I need to burn 1 public VIP per SSL connection b/c they all need to use tcp 443 inbound and point to their respective cert on the CSS. Is there anyway to possibly generate a wildcard cert that matched only the last part of our domain name ( events.test.com = *.test.com ) and then get away with using only 1 VIP for the multiple sub domains ??
  Thanks for your help.
  Cheers
  Dave

  Yes this is possible. We are currently using the same design.
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080579f6b.html
  Please rate.

• Move wildcard SSL cert from 10.7 to 10.6 server

  I purchased and configured a wildcard cert (*.example.com) on my 10.7 server. I now want to import this cert onto my 10.6 servers (all using the same domain) and I can't seem to get it to work.
  I exported both the cert and the private key file from the 10.7 server, however when trying to import the private key into the system keychain on the 10.6 server, I get this error: An error has occurred. Unable to import an item. The contents of this item cannot be retrieved.
  Any ideas?

  Check permissions on the crt and key you are trying to import, maybe change to 777
  How specifically did you export the cert/key from 10.7 ?
  I always copy them from /etc/certificates, change permissions, then I like to remove the passphrase (more on that if needed).. then I end up with a cert/key with read permissions and no pass... makes import simple to any service (OS X or other)

• Use of Wildcard SSL cert with DRM

  DRM needs a URL to be embedded in the protected PDF document(e.g., mysite.mycompany.com).  The SSL certificate for the URL must be from a trusted provider (e.g., Verisign).  My question is will Adobe Reader accept for DRM a wild card SSL certificate (e.g., *.mycompany.com) from a trusted provider?

  Hi,
  The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
  certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• CertPrincipalName forced to wrong setting on server with wildcard SSL cert

  Dears
  After testing Exchange 2013 for a couple of weeks with a limited amount of IT personnel, we have migrated the first batch of users from 2010 to 2013.
  That was the biggest mistake we've done this.. week..
  The error is identified as an autodiscover/ssl problem. No matter what I specify in CertPrincipalName on CAS, Outlook resets itself to msstd:server.domain.com
  I have tried with "none" and "msstd:*.domain.com" but it always resets to msstd:server.domain.com
  Outlook Autoconfigure test returns the correct value. Any ideas?
  All our clients are not domain members, so setting this with GPO is not an option.

  I have compared how autodiscover works for clients on 2013 and on 2010. It is definitely server related. Clients still on a 2010 mb server get's the correct value msstd:*.domain.com. 
  The only difference I see in the autodiscover xml is that on 2013 there is two extra blocks of data for protocol "EXHTTP". One of these blocks does not contain the CertPrincipalName value.
  <Protocol>
          <Type>EXHTTP</Type>
          <Server>mailbox.domain.com</Server>
          <SSL>On</SSL>
          <AuthPackage>Basic</AuthPackage>
          <ASUrl>https://ex02.domain.com/EWS/Exchange.asmx</ASUrl>
          <EwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EwsUrl>
          <EmwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EmwsUrl>
          <EcpUrl>https://ex02.domain.com/ecp/</EcpUrl>
          <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-um>
          <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-aggr>
          <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.com</EcpUrl-mt>
          <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-ret>
          <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-sms>
          <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-photo>
          <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-tm>
          <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-tmCreating>
          <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-tmEditing>
          <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.com</EcpUrl-extinstall>
          <OOFUrl>https://ex02.domain.com/EWS/Exchange.asmx</OOFUrl>
          <UMUrl>https://ex02.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
          <OABUrl>https://mailbox.domain.com/OAB/3abb5758-f1c7-4246-9f9f-bbf390f5febb/</OABUrl>
          <ServerExclusiveConnect>On</ServerExclusiveConnect>
        </Protocol>

• Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support ?

  Hello
  i want to verify if Cisco ASA 5585-X SSP-20 supports Wildcard SSL's.
  Cheers

  Supports them how?
  As certificates issued to the ASA and properly bound to it's interfaces to support SSL VPN or ASDM access - yes.
  You can configure a wildcard (or any other) certificate improperly and cause things not to work. However it's not a limitation of the device's operating system not supporting it.

• Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

  Hello
  I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
  Setup:
  We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
  Configuration in regards to certificate:
  crypto key generate rsa label vpn.company.dk modulus 2048
  crypto ca trustpoint vpn.trustpoint
  keypair vpn.company.dk
  fqdn none
  subject-name CN=*.company.dk,C=DK
  !id-usage ssl-ipsec
  enrollment terminal
  crl configure
  crypto ca authenticate vpn.trustpoint
  ! <import intermediate certificate>
  crypto ca enroll vpn.trustpoint
  ! <send CSR to CA>
  crypto ca import vpn.trustpoint certificate
  ! <import SSL cert received back from CA>
  ssl trust-point vpn.trustpoint outside
  Problem:
  When I try to import the certificate I receive the following error:
  crypto ca import vpn.trustpoint certificate
  WARNING: The certificate enrollment is configured with an fqdn
  that differs from the system fqdn. If this certificate will be
  used for VPN authentication this may cause connection problems.
  Would you like to continue with this enrollment? [yes/no]: yes
  % The fully-qualified domain name will not be included in the certificate
  Enter the base 64 encoded certificate.
  End with the word "quit" on a line by itself
  -----BEGIN CERTIFICATE-----
  <certificate>
  -----END CERTIFICATE-----
  quit
  ERROR: Failed to parse or verify imported certificate
  Question:
  - Does any one of you have any pointers in regards to what is going wrong?
  - Especially in regards to fqdn and CN, I also have a question. My config
  fqdn none
  subject-name CN=*.company.dk,C=DK
  would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
  So do you have insight or pointers which might help me?
  Thank you in advance

  I also have a wildcard cert for my SSL VPN ASAs.
  When i import the cert I use ASDM instead of CLI...
  I import the wildcard as a *.pfx file and type in the password. works fine...
  Perhaps the format is incorrect?
  Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
  Not sure if this helps but give ASDM a try?

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• Can't install a wildcard SSL certificate

  Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
  I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried up update the self-signed certifcate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certifcate and chain files to add.
  However, this is where it gets strange...
  The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identify certificate list. I am able to replicate this every time!
  Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
  I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
  Any insights appreciated! TAA

  In fact i had the same issue last week and i could only solve it by exporting the key with the certificate in a PCKS12 file. Fortunately this is supported by the windows certificate manager where the certificate was originally installed.
  You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to terminal, it is installed on an OSX box) and fire the following command (and change the filenames ;-)):
  openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
  The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
  Good luck with it