Wildcard SSL Cert

Is it possible to install a wildcard SSL cert in Messaging Server? I attempted to install the cert that I have and I am giving an error saying "cert was not generated for this server".
Thanks,
Pete

I have managed to use pk12util to import the wildcard cert into the trust store. I have used configutil to set the appropriate parameters to enable SSL and POP over SSL. However, when I start the server I get the following error in the imta log file: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to *.unca.edu (-8177).

Similar Messages

Use Wildcard SSL Cert to Monitor Non-Domain COmputers

Hello,
I was wondering if a Wildcard SSL Cert from GoDaddy or another Provider can be used to monitor Non-Domain Computer on SCOM 2012R2?
TIA,
Jim

Hi,
The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Wildcard SSL Cert on ASA 5500

What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert? I'm running 8.2.5 code.

Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.
Sent from Cisco Technical Support Android App

Wildcard SSL cert on ASA

Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
If you need help with configuration, let me know.
You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
Regards,
Roman

Install GoDaddy Wildcard SSL cert on GW WebAccess - ver.8

I have followed all of the documentation regarding generating a CSR, creating the new eDirectory object from which that CSR is generated, then subsequently downloading and doing the "read from file" SSL cert installation, and it won't validate.
I have a NetWare 6.5, SP8 server running Apache/Tomcat and it's our GroupWise WebAccess server (version 8).
I want to encrypt the sessions as well as the authentication from the GW WebAccess login screen (right now, it's just http://).
Our institution purchased a wildcard, unlimited subdomain, SSL certificate from GoDaddy to use for this, and other, SSL cert. needs.
No matter what I do, it won't work.
I am using ConsoleOne to create the new eDirectory object according to the documentation, generate the CSR, and install the certificate, but to no avail.
Can anyone help?

Originally Posted by AndersG
Fmcunningham,
> > I am looking at installing a cert as well. I have NOWS SBE 2.0
> > upgrading to SBE 2.5 this weekend and would like to add a CA Cert. Do I
> > need a Wild card cert to be able to accomplish this?
>
Only difference between a wildcard and a regular (apart from price) is that
a wildcard covers all hosts in a domain,. Ie *.acme.com, whereas a regular
cert only covers a named host, homer.acme.com
- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Novell has a new enhancement request system,
or what is now known as the requirement portal.
If customers would like to give input in the upcoming
releases of Novell products then they should go to
http://www.novell.com/rms
I am running SBE 2.0 upgrading soon to SBE 2.5. I am not using sub domains, so I think I should be fine with just a normal cert. The real reason I want to go with a cert from a CA instead of a self signed is for webaccess.

CSS11506 + wildcard ssl cert ?

We have a need to terminate multiple SSL websites on our CSS. So name1.test.com
name2.test.com, name3.test.com etc. The problem I have found is that I need to burn 1 public VIP per SSL connection b/c they all need to use tcp 443 inbound and point to their respective cert on the CSS. Is there anyway to possibly generate a wildcard cert that matched only the last part of our domain name ( events.test.com = *.test.com ) and then get away with using only 1 VIP for the multiple sub domains ??
Thanks for your help.
Cheers
Dave

Yes this is possible. We are currently using the same design.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080579f6b.html
Please rate.

Move wildcard SSL cert from 10.7 to 10.6 server

I purchased and configured a wildcard cert (*.example.com) on my 10.7 server. I now want to import this cert onto my 10.6 servers (all using the same domain) and I can't seem to get it to work.
I exported both the cert and the private key file from the 10.7 server, however when trying to import the private key into the system keychain on the 10.6 server, I get this error: An error has occurred. Unable to import an item. The contents of this item cannot be retrieved.
Any ideas?

Check permissions on the crt and key you are trying to import, maybe change to 777
How specifically did you export the cert/key from 10.7 ?
I always copy them from /etc/certificates, change permissions, then I like to remove the passphrase (more on that if needed).. then I end up with a cert/key with read permissions and no pass... makes import simple to any service (OS X or other)

Use of Wildcard SSL cert with DRM

DRM needs a URL to be embedded in the protected PDF document(e.g., mysite.mycompany.com). The SSL certificate for the URL must be from a trusted provider (e.g., Verisign). My question is will Adobe Reader accept for DRM a wild card SSL certificate (e.g., *.mycompany.com) from a trusted provider?

Hi,
The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

CertPrincipalName forced to wrong setting on server with wildcard SSL cert

Dears
After testing Exchange 2013 for a couple of weeks with a limited amount of IT personnel, we have migrated the first batch of users from 2010 to 2013.
That was the biggest mistake we've done this.. week..
The error is identified as an autodiscover/ssl problem. No matter what I specify in CertPrincipalName on CAS, Outlook resets itself to msstd:server.domain.com
I have tried with "none" and "msstd:*.domain.com" but it always resets to msstd:server.domain.com
Outlook Autoconfigure test returns the correct value. Any ideas?
All our clients are not domain members, so setting this with GPO is not an option.

I have compared how autodiscover works for clients on 2013 and on 2010. It is definitely server related. Clients still on a 2010 mb server get's the correct value msstd:*.domain.com.
The only difference I see in the autodiscover xml is that on 2013 there is two extra blocks of data for protocol "EXHTTP". One of these blocks does not contain the CertPrincipalName value.
<Protocol>
<Type>EXHTTP</Type>
<Server>mailbox.domain.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://ex02.domain.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://ex02.domain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.com</EcpUrl-extinstall>
<OOFUrl>https://ex02.domain.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://ex02.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://mailbox.domain.com/OAB/3abb5758-f1c7-4246-9f9f-bbf390f5febb/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>

Remote Desktop Services Single SSL Cert with multiple hosts

I am trying to use a single SSL Cert from a third party issuer. I have 3 servers in my deployement all are 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are
RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL. It works currently with the
exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match. Is anyone else using a similar setup and had success with it? I am trying
to avoid buying an expensive wildcard cert to cover all of them.

Hi,
Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC. To do this, log on to RD Web Access using IE, right-click and choose View Source. Find the goRDP function for the icon you want to examine and copy
the text between the ' marks. Next paste this into the escape text box the below page:
http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
Click complete unescape to get the plain text version. After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file. Once you have the .rdp file created you can compare
it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
Thanks.
-TP

Can't install a wildcard SSL certificate

Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried up update the self-signed certifcate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certifcate and chain files to add.
However, this is where it gets strange...
The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identify certificate list. I am able to replicate this every time!
Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
Any insights appreciated! TAA

In fact i had the same issue last week and i could only solve it by exporting the key with the certificate in a PCKS12 file. Fortunately this is supported by the windows certificate manager where the certificate was originally installed.
You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to terminal, it is installed on an OSX box) and fire the following command (and change the filenames ;-)):
openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
Good luck with it

Wildcard SSL Certificates with MFE?

Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
Before doing anything I figured I'd try a website that used a wildcard certificate.
When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
Thanks.

This is interesting question. I look forward testing this myself
What kind of cert & website you used on your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK wildcard doesn't match addresses consisting domain part only, so the latter one might not work.
Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!

Wildcard ssl

So our company has a Wildcard SSL Certificate that we use for most of our websites, and I've just setup a new 10.8 server for the use of profile manager. I've added our Wildcard SSL certificate to the systems keychain and trusted in but for the life of me I can't get the SSL Cert to take. I see it listed in the Server manager and select it and save the changes, but then I open up the SSL Cert again and there is nothing selected.
Any ideas?
Thanks in advance.

So in server app go to
Hardware>Settings then click edit beside SSL certificate
Click manage certs and hit the + and create certificate identity
On the first page of the wizard you want to check "override defaults" step through the rest of the wizard (pretty straight forward) until you get to the Subject Alternate Name extension. in the dNSName you want to enter *.mydomain.com. Finish the wizard and allow it access to your keychain.
Then use that cert and "generate certificate signing request (CSR) and use that to create your SSL. Download your certs. Go back into server app
Hardware>Settings then click edit beside SSL certificate
Select the cert you made and click on the gear "Replace Certicate with signed or renewed Cert" and drag in your server.mydomain.com.crt cert (the one you downloaded).
Next open up keychain access app and select:
System
Certificates
then drag in the intermediate cert (need to enter your local admin password)
That should link your cert up
Let me know if that makes sense

Wildcard SSL certificates

Hi, I was wondering if someone got CSS1150X with SSL accelerator working with wildcard SSL certificate. We have 10+ sites we would like to enable SSL and figured wildcard certificates are way to go based on the cost. Specially, since most of the wildcard certificates comes with limitation of being able to install it on only one physical machine. I assume CSS would be considered one physical machine if SSL traffic is terminated on the CSS, however, wanted to find out whether wildcard SSL certificate is supported on CSS. We are using CSS11503 and depending on whether it supports wildcard certificate, we are planning on purchasing SSL accelerator.

Thanks for the information, Gilles. Looking at the pricing structure of SSL certificates, I wonder why wildcard certs aren't widely used as one would expect based on the cost. Well, I guess I will find out when I implement one. Thanks again.

Wildcard * SSL Certificates for TTA??

Is there any way I can use a wildcard SSL certificate like:
*.mycompany.com
in my TTA server?
I was able to run all the cert commands successfully using the
*.mycompany.com cert:
Generated the CSR (tarantella security certrequest)
Installed the Cert File (tarantella security certuse)
Installed the Chained CA cert (tarantella security customca)
Review/validate certinfo (tarantella security certinfo)
The TTA-installed Apache webserver was fine with the wildcard certificate
since I was able to goto:
https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
But after I went to:
https://subdomain.mycompany.com/tarantella/
I got the following errors in my Java Console:
Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
server...
Secure Global Desktop 4.10.903: Using secure connection to
Secure Global Desktop server subdomain.mycompany.com:443
Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
for this Secure Global Desktop server (subdomain.mycompany.com) due to name
mismatch.
Secure Global Desktop 4.10.903: Client dropping connection.
Secure Global Desktop 4.10.903: Unable to connect: Certificate
(*.mycompany.com) not accepted for this Secure Global Desktop server
(subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
Is there a way that I can get the applet to do a regex-ish match on the name
for wildcard certs?
Cyrus

Hi Cyrus
I was loosely referring to PKI rules e.g.
http://www.ietf.org/proceedings/98mar/98mar-edited-110.htm
http://www.iihe.ac.be/internal-report/1997/stc-97-19.html
Wildcarding isn't supported. I understand what you are trying to do now
but it won't work because the software is looking for a certificate
matching a single server.
The certrequest command is just a wrapper script for openssl so it won't
stop you doing anything the openssl command believes may be valid. You don't
actually need to use this command it's just there for convenience, you
could do everything just using openssl.
The current documentation doesn't explictly state that you can't use
wildcards in certificates but it does say you need a certificate for a
SGD server. My understanding of the wildcard issue is that it is up to
a particular application to decide what is appropriate.
http://www.tarantella.com/support/documentation/sgd/ee/4.1/help/en-us/tsp/gettingstarted/whatare_certs.html
Regards
Barrie
On 2005-08-15, Cyrus Mehta <[email protected]> wrote:
May I inquire as to where these rules are listed regarding SSL Certs, I
didn't see anything to the effect in the documentation. Also why weren't
the rules enforced at certificate generation time. Even the validation
command (tarantella security certinfo) had no problems.
The CSR generation/signing went through flawlessly and created a wildcard
cert that Apache could use. It's one thing if the whole cert process
couldn't handle a wildcard, but it seems like everything would have worked
if only the applet accepted a wildcard regex match.
Regards,
Cyrus
barrie wrote:
Hi Cyrus
No, sorry. The rules say you can't do that. You are required to have a
certificate for a node not a network.
Regards
Barrie
On 2005-08-05, CM <[email protected]> wrote:
Is there any way I can use a wildcard SSL certificate like:
*.mycompany.com
in my TTA server?
I was able to run all the cert commands successfully using the
*.mycompany.com cert:
Generated the CSR (tarantella security certrequest)
Installed the Cert File (tarantella security certuse)
Installed the Chained CA cert (tarantella security customca)
Review/validate certinfo (tarantella security certinfo)
The TTA-installed Apache webserver was fine with the wildcard certificate
since I was able to goto:
https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
But after I went to:
https://subdomain.mycompany.com/tarantella/
I got the following errors in my Java Console:
Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
server...
Secure Global Desktop 4.10.903: Using secure connection to
Secure Global Desktop server subdomain.mycompany.com:443
Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
for this Secure Global Desktop server (subdomain.mycompany.com) due to
name
mismatch.
Secure Global Desktop 4.10.903: Client dropping connection.
Secure Global Desktop 4.10.903: Unable to connect: Certificate
(*.mycompany.com) not accepted for this Secure Global Desktop server
(subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
Is there a way that I can get the applet to do a regex-ish match on thename
for wildcard certs?
Cyrus

Wildcard SSL Cert

Similar Messages

Maybe you are looking for