CLEANACCESS Archives

January 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Daniel R. Sullivan" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Mon, 8 Jan 2007 08:59:22 -0500
Brian,

	The second problem was a forehead slapper for me.  When I was trying
to get the wildcard certs to take on the box I assumed that the system was
not taking them at all.  So I just generated a CSR without doing another
temporary cert.  So when I sent IPSCA my request it came off the manager
with *.mbc.edu as the hostname but a single server cert, so the cert I got
back was fundamentally doomed.  

	We've had a good relationship with DigiCert in the past and they
have helped us when a cert was messed up on our end (without charging us) so
my boss had me use them.  Prem pointed out my error on the certs so I
regenerated a temp cert then generated the CSR.  Then you export to the
private key and import it back when you get the signed cert.

Here is a copy/paste from my workorder from those two days (including what
did not work on the wildcard):

I started this one back with the GoDaddy cert.  Then I tried the DigiCert
one.  I will come back and fill in the details later but here is the outline
of what I tried:

--- NOTE THAT THIS SECTION DOES NOT WORK ---
I. Take Wildcard from Fileapps
 - Export with private key which requires a password.
 - Use OpenSSL to remove the password.
 - Use OpenSSL to put the private key in with the cert
II.  Put wildcard on Perfigo
 - For PSM:
  - click on Server administration
  - Click Certs tab
  - Click Export
  - Export the private key because of a bug in the code found at:
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg00598+&Submit=Search
 - Click import
 - Upload the private key you just exported
 - Upload the cert with the private key
 - Upload a combined file with the Root & Intermediate keys in it
 - Click Verify and install
--- NOTE THAT THIS DOES NOT WORK!!! You will get an error because they do
not support WildCards, you will get an error that says that "The Uploaded
CA-signed Certificate doesn't match the Uploaded Private Key" --- 

THE NEXT SNAFU:
I generated a CSR with all the information but it ignores the typed fields
if you have already uploaded a key previously.  So I got a single server
cert from IPSCA that was for *.mbc.edu that will not work at all!

III. What worked:
 - PSM (The manager)
  - Click Server Administration
   - Click Certs
    - Click Generate a Temp key
    - Fill in the fields with the right data
    - Generate a CSR
    - Export the private key
    - Send the CSR to an online CA (We used DigiCert this time)
       MAKE SURE YOU USE APACHE/ModSSL!
    - Download the Certs when they are approved
    - Click Import
    - Upload the private key you just exported
    - Upload the new cert you just downloaded 
    - Using Wordpad open the Root certificate and the Intermediate
      certificates and put them into one file
   - Click the root button and upload this combined cert
 - PSS (The router)
 - Open the manager
  - Click on manage servers and then click the icon that looks like a
connector to make sure you are working on PSS
  - Click the Network
  - Click the Certs tab
  - Do all the same steps as for PSM, but make sure you generate a temp
first and EXPORT and IMPORT the private key, this should be fixed in a later
version
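The error that runs through this whole thread ("The Uploaded CA-signed Certificate doesn't match the Uploaded Private Key") can be caught before you touch the CCA import page. The following POSIX shell helper is an added example, not code from the thread or from Cisco: it checks that the signed cert really belongs to the private key you exported, flags a wildcard CN (which the TAC reply below says CCA will not accept), and builds the single Root + Intermediate bundle file. It assumes the openssl CLI is installed and the private key is already unencrypted; file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for a CCA cert import:
# does the CA-signed cert belong to the private key you will upload, is the
# CN a wildcard (CCA wants the FQDN or IP there), and a helper that
# concatenates Root + Intermediate into the single bundle file for upload.
# Assumes the openssl CLI is installed and the key has no passphrase.
set -eu

# Public key (PEM) carried inside a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key (PEM) derived from a private key (RSA or EC).
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Return 0 when cert and key match, 1 otherwise (the pair CCA would reject
# with "CA-signed Certificate doesn't match the Uploaded Private Key").
cert_matches_key() { [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]; }

# Print the CN of a certificate's subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the CN starts with '*', i.e. a wildcard certificate.
cn_is_wildcard() { case "$(cert_cn "$1")" in \**) return 0 ;; *) return 1 ;; esac; }

# Concatenate CA certs (root, intermediates) into one PEM file and print how
# many certificates the bundle holds. Args: out.pem ca1.pem [ca2.pem ...]
build_chain_bundle() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do cat "$f" >> "$out"; echo >> "$out"; done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Usage: sh cca-cert-check.sh server.crt server.key [root.crt inter.crt ...]
if [ "$#" -ge 2 ]; then
  if cert_matches_key "$1" "$2"; then echo "OK: certificate matches private key"
  else echo "MISMATCH: the CCA import will fail"; fi
  cn_is_wildcard "$1" && echo "WARNING: wildcard CN $(cert_cn "$1"); CCA wants FQDN or IP"
  if [ "$#" -gt 2 ]; then
    shift 2
    echo "chain.pem contains $(build_chain_bundle chain.pem "$@") CA certificate(s)"
  fi
fi
```

Run it against the key you exported from the CAM and the cert the CA returned; a MISMATCH here means the CSR was generated from a different key than the one you are about to import.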

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Brian Beausoleil
Sent: Monday, January 08, 2007 8:26 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Prem (or Dan if you get this first),

I know you requested that Dan send you the files directly to help figure out
his issue, but I am wondering what you found to be the problem.  I am having
the same error message with certs from Equifax.  I am waiting to get a copy
of our certs re-sent from my coworker to try importing again, but for the
time being I am just wondering what you found out for Dan.

Thanks.

Brian

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Prem Ananthakrishnan (prananth)
Sent: Friday, January 05, 2007 3:29 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Can you unicast me your Private Key, Cert and the root? 
You will have to load the Pkey first, followed by cert and the root.

Let me try it on my CAM. What version are you running?

-Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 12:21 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Prem,

I did not know about that bug so I exported the private key and
re-imported it with the cert and the root.  I'm getting the same error
now still.  

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Prem Ananthakrishnan (prananth)
Sent: Friday, January 05, 2007 2:48 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Hey Daniel,

I think you are hitting a bug. Did you export Private  Key?
If so, you will need to import that back in along with cert and Root

See the following bug:- CSCsg00598 

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg00598+&Submit=Search

Thanks
Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 11:48 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Matthew,

Thanks for pointing out ipsca, I requested a cert from them.  I'm still
having no luck getting it to work though; so any advice from the list
would be appreciated. I must be doing something wrong.

Steps this time:
 - Generated a CSR
 - Downloaded cert
 - Downloaded Root and Intermed single file
 - Uploaded Root and Intermediate single file: success
 - Uploaded cert: success
 - Verify and install: Error: The Uploaded CA-signed Certificate doesn't
match the Uploaded Private Key.

I've got to be missing something somewhere.  Do I need to do the Root&
Intermediate as a non-standard CA?

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Matthew Farwell
Sent: Friday, January 05, 2007 10:12 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Daniel,

We have used certs from Ipsca successfully with CCA.  
http://certs.ipsca.com/   They will provide free 2 year certs for .edu 
domains.  They are quick to return the cert and are compatible with all
major browsers.

Good luck,
Matthew

--
Matthew Farwell

Wentworth Institute of Technology
550 Huntington Ave
Boston, MA 02115

Daniel R. Sullivan wrote:
> For us it is the massive savings.  We're a small private school with
> nearly no budget.  The DigiCert Wildcard only cost $1000 for 3 years and we
> have around 40 servers/services using wildcards on our campus (we
> moved from a GoDaddy one for more compatibility). Compare that to
> ~$290 for a single annual server cert from someone like Thawte (which
> we were using) and the cost savings alone are obvious.
>
> Labor is another issue since wildcard certs can have multiple years, I
> only need to spend the time once to put them on the servers and services.
> Until recently I was the only Network Admin we had and the single server
> certs took over a week of labor to install across all servers.
>
> So this brings the question, if I just go with a single server cert
> what vendor will be painless?  I have students rolling in two days
> from now and any with IE7 are going to get the garish "Do not continue
> to this website" notification, and so I'm willing to spend the money to
> get around the cert issue.  If I do Thawte do I need to do the
> non-standard trust stuff?
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Nick Chong
> (nchong)
> Sent: Friday, January 05, 2007 9:40 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> Hello Mike, Dan,
>
> Happy new year. 
>
> We currently do not support wildcard cert yet. We can look into that 
> as feature future planning.
>
> What are the other benefits of using wildcard cert btw? (besides 
> saving time/money to register).
> I have heard a few requests on this but wasn't sure the technical 
> reasons. Thanks.
>
> Regards,
> Nick
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Friday, January 05, 2007 5:27 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> On Thu, 4 Jan 2007, Daniel R. Sullivan wrote:
>
>> I'm at my wits end.  I looked back through the archives and tried all
>> the stuff Rob Crockett was told to do with his godaddy/starfield cert.
>>
>> Here are the steps I've done:
>> - Wildcard cert lives on an IIS server
>>  - Exported cert with private key as pfx
>> - Used openSSL to strip the password giving me the private and public
>>   in the same pem file.
>> - Upload that private file to CCA, that gives a Success message
>> - Upload the root CA cert to the "* Trust non-standard . . ." which
>>   gives: Success. Changes will take effect after you restart the server.
>> - Upload the intermediate CA cert to the "* Trust non-standard . . ."
>>   which gives: Success. Changes will take effect after you restart the
>>   server.
>>
>> So I do the reboots and try to Verify and Install and I get: Error:
>> The Uploaded CA-signed Certificate doesn't match the Uploaded Private
>> Key.
>>
>> Using a similar method on my proxy server (EZProxy) the cert works
>> just fine so it is something with the CCA quirks that I'm butting my
>> head against.
>
>
> Perhaps a different problem but I attempted to use our wildcard 
> certificate on our CCA last Summer and wasn't having any success. It 
> would work up until I rebooted, then it would complain about the 
> certificate name not matching the configured hostname (obviously). I 
> opened a case with the TAC and this was there response (perhaps this 
> has changed?):
>
>> ---------- Forwarded message ----------
>> Date: Thu, 11 May 2006 12:20:59 -0400
>> Cc: attach Cisco <[log in to unmask]>
>> Subject: Re: xxxxxxxx : Cisco Clean Access - Assistance Needed
>>
>> Mike,
>>     CCA requires either the FQDN or IP address in the CN of the
>>     certificate.
>>     So no there is no way to use a wildcard certificate.
>
> -Mike
