CLEANACCESS Archives

January 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Gorham, Jonathan" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Fri, 5 Jan 2007 10:12:57 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (116 lines)
http://www.rapidssl.com

Rapidssl.com (used to be freessl.com) offers SSL certs for a reasonable
price. 

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 10:08 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

For us it is the massive savings.  We're a small private school with
nearly no budget.  The DigiCert Wildcard only cost $1000 for 3 years and
we have around 40 servers/services using wildcards on our campus (we
moved from a GoDaddy one for more compatibility). Compare that to ~$290
for a single annual server cert from someone like Thawte (which we were
using) and the cost savings alone are obvious.  

Labor is another issue: since wildcard certs can have multiple years, I
only need to spend the time once to put them on the servers and
services.  Until recently I was the only Network Admin we had, and the
single server certs took over a week of labor to install across all
servers.  

So this brings the question: if I just go with a single server cert, what
vendor will be painless?  I have students rolling in two days from now
and any with IE7 are going to get the garish "Do not continue to this
website" notification, and so I'm willing to spend the money to get
around the cert issue.  If I do Thawte do I need to do the non-standard
trust stuff?


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Nick Chong (nchong)
Sent: Friday, January 05, 2007 9:40 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Hello Mike, Dan,

Happy new year. 

We currently do not support wildcard certs yet. We can look into that as
part of future feature planning.

What are the other benefits of using wildcard certs, btw? (besides saving
time/money to register).
I have heard a few requests on this but wasn't sure of the technical
reasons. Thanks.

Regards,
Nick 


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Mike Diggins
Sent: Friday, January 05, 2007 5:27 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

On Thu, 4 Jan 2007, Daniel R. Sullivan wrote:

> I'm at my wits' end.  I looked back through the archives and tried all
> the stuff Rob Crockett was told to do with his godaddy/starfield cert.
>
> Here are the steps I've done:
> - Wildcard cert lives on an IIS server
> - Exported cert with private key as pfx
> - Used openSSL to strip the password giving me the private and public
>   in the same pem file.
> - Upload that private file to CCA, that gives a Success message
> - Upload the root CA cert to the "* Trust non-standard . . ." which
>   gives: Success. Changes will take effect after you restart the server.
> - Upload the intermediate CA cert to the "* Trust non-standard . . ."
>   which gives: Success. Changes will take effect after you restart the
>   server.
>
> So I do the reboots and try to Verify and Install and I get: Error:
> The Uploaded CA-signed Certificate doesn't match the Uploaded Private
> Key.
>
> Using a similar method on my proxy server (EZProxy) the cert works
> just fine so it is something with the CCA quirks that I'm butting my
> head against.


Perhaps a different problem, but I attempted to use our wildcard
certificate on our CCA last Summer and wasn't having any success. It
would work up until I rebooted, then it would complain about the
certificate name not matching the configured hostname (obviously). I
opened a case with the TAC and this was their response (perhaps this has
changed?):


> ---------- Forwarded message ----------
> Date: Thu, 11 May 2006 12:20:59 -0400
> Cc: attach Cisco <[log in to unmask]>
> Subject: Re: xxxxxxxx : Cisco Clean Access - Assistance Needed
>
> Mike,
>     CCA requires either the FQDN or IP address in the CN of the
>     certificate. So no, there is no way to use a wildcard certificate.


-Mike
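The export-and-upload steps quoted above, replayed as an added example that is not from the thread, from Cisco or from any CCA documentation. It reproduces Dan's PFX-to-PEM step with openssl and then adds the two checks a practitioner wants before uploading to any appliance: whether the private key really belongs to the certificate (the "doesn't match the Uploaded Private Key" error), and whether the CN passes an exact-hostname rule as opposed to browser-style wildcard matching (the "name not matching the configured hostname" complaint after reboot). Everything is constructed for the demo: the self-signed `*.example.edu` certificate, the export password `exportpw`, the hostname `cca.example.edu`, and `exact_cn_match`, which is a reconstruction of the rule the TAC described, not Clean Access's own code.

```shell
#!/bin/sh
# Added example (not from the thread). Replays the PFX -> PEM export, then runs:
#   1. key_matches_cert: does the private key belong to the certificate?
#   2. exact_cn_match vs wildcard_cn_match: does the CN satisfy a strict
#      FQDN/IP rule, and does it satisfy one-label wildcard matching?
# All material is constructed: throwaway cert, key, password and hostnames.
set -eu

WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the IIS export: a self-signed wildcard cert packed into a PFX,
# plus an unrelated key to reproduce the "doesn't match the private key" case.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=*.example.edu" \
        -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:exportpw \
        -inkey "$WORK/wild.key" -in "$WORK/wild.crt" -out "$WORK/wild.pfx"
    openssl genpkey -algorithm RSA -out "$WORK/other.key" 2>/dev/null
}

# The step from the thread: strip the export password, giving key + cert in one
# PEM, then split that PEM into separate key and cert files for upload.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/wild.pfx" -passin pass:exportpw -nodes \
        -out "$WORK/combined.pem" 2>/dev/null
    openssl pkey -in "$WORK/combined.pem" -out "$WORK/key.pem"
    openssl x509 -in "$WORK/combined.pem" -out "$WORK/cert.pem"
}

# Check 1: compare the public key inside the cert with the one derived from the
# private key. Works for RSA and EC alike, unlike comparing -modulus output.
key_matches_cert() {   # $1 = key file, $2 = cert file
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

cert_cn() {   # print the CN of the certificate in $1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# Check 2a: reconstruction of an appliance that insists on the FQDN or IP in CN.
exact_cn_match() {   # $1 = CN, $2 = configured hostname
    [ "$1" = "$2" ]
}

# Check 2b: browser-style matching, where '*' covers exactly one leftmost label
# ('*.example.edu' covers cca.example.edu but not a.b.example.edu).
wildcard_cn_match() {   # $1 = CN, $2 = hostname
    case "$1" in
        \*.*) suffix=${1#\*}; first=${2%%.*}
              [ -n "$first" ] && [ "$2" = "$first$suffix" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

make_test_pfx
pfx_to_pem
CN=$(cert_cn "$WORK/cert.pem")
HOST=cca.example.edu

if key_matches_cert "$WORK/key.pem" "$WORK/cert.pem"; then
    echo "exported key matches cert"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/cert.pem"; then
    echo "other.key does NOT match cert: the error from the thread"
fi
if wildcard_cn_match "$CN" "$HOST"; then
    echo "CN $CN covers $HOST under wildcard rules"
fi
if ! exact_cn_match "$CN" "$HOST"; then
    echo "CN $CN rejected by the exact-hostname rule for $HOST"
fi
```

Running `key_matches_cert` on the two files you are about to upload is the quickest way to tell a genuine key/cert mismatch (wrong export, wrong key file) from an appliance-side quirk; if it passes locally and the appliance still rejects the pair, the problem is in the upload handling, not in your files. The two CN functions make the wildcard point concrete: the same `*.example.edu` certificate is acceptable to a client doing one-label wildcard matching and unacceptable to a check that demands the exact configured hostname.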
