CLEANACCESS Archives

January 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: "Daniel R. Sullivan" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 5 Jan 2007 15:21:09 -0500

Prem,

I did not know about that bug so I exported the private key and re-imported
it with the cert and the root.  I'm getting the same error now still.  

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Prem Ananthakrishnan
(prananth)
Sent: Friday, January 05, 2007 2:48 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Hey Daniel,

I think you are hitting a bug. Did you export Private Key?
If so, you will need to import that back in along with cert and Root.

See the following bug: CSCsg00598

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg00598+&Submit=Search

Thanks
Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 11:48 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Matthew,

Thanks for pointing out ipsca, I requested a cert from them.  I'm still
having no luck getting it to work though; so any advice from the list
would be appreciated. I must be doing something wrong.

Steps this time:
 - Generated a CSR
 - Downloaded cert
 - Downloaded Root and Intermed single file
 - Uploaded Root and Intermediate single file: success
 - Uploaded cert: success
 - Verify and install: Error: The Uploaded CA-signed Certificate doesn't
match the Uploaded Private Key.

I've got to be missing something somewhere.  Do I need to do the Root &
Intermediate as a non-standard CA?

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Matthew Farwell
Sent: Friday, January 05, 2007 10:12 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Daniel,

We have used certs from Ipsca successfully with CCA.  
http://certs.ipsca.com/   They will provide free 2 year certs for .edu 
domains.  They are quick to return the cert and are compatible with all
major browsers.

Good luck,
Matthew

--
Matthew Farwell

Wentworth Institute of Technology
550 Huntington Ave
Boston, MA 02115





Daniel R. Sullivan wrote:
> For us it is the massive savings.  We're a small private school with nearly
> no budget.  The DigiCert Wildcard only cost $1000 for 3 years and we
> have around 40 servers/services using wildcards on our campus (we
> moved from a GoDaddy one for more compatibility). Compare that to
> ~$290 for a single annual server cert from someone like Thawte (which
> we were using) and the cost savings alone are obvious.
>
> Labor is another issue since wildcard certs can have multiple years, I only
> need to spend the time once to put them on the servers and services.  Until
> recently I was the only Network Admin we had and the single server
> certs took over a week of labor to install across all servers.
>
> So this brings the question, if I just go with a single server cert
> what vendor will be painless?  I have students rolling in two days
> from now and any with IE7 are going to get the garish "Do not continue to this website"
> notification, and so I'm willing to spend the money to get around the
> cert issue.  If I do Thawte do I need to do the non-standard trust stuff?
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Nick Chong 
> (nchong)
> Sent: Friday, January 05, 2007 9:40 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> Hello Mike, Dan,
>
> Happy new year. 
>
> We currently do not support wildcard cert yet. We can look into that 
> as feature future planning.
>
> What are the other benefits of using wildcard cert btw? (besides 
> saving time/money to register).
> I have heard a few requests on this but wasn't sure the technical 
> reasons. Thanks.
>
> Regards,
> Nick
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Friday, January 05, 2007 5:27 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> On Thu, 4 Jan 2007, Daniel R. Sullivan wrote:
>
>> I'm at my wit's end.  I looked back through the archives and tried all the
>> stuff Rob Crockett was told to do with his godaddy/starfield cert.
>>
>> Here are the steps I've done:
>> - Wildcard cert lives on an IIS server
>>  - Exported cert with private key as pfx
>> - Used openSSL to strip the password giving me the private and public in the
>> same pem file.
>> - Upload that private file to CCA, that gives a Success message
>> - Upload the root CA cert to the "* Trust non-standard . . ." which gives:
>> Success. Changes will take effect after you restart the server.
>> - Upload the intermediate CA cert to the "* Trust non-standard . . ." which
>> gives: Success. Changes will take effect after you restart the server.
>>
>> So I do the reboots and try to Verify and Install and I get: Error: The
>> Uploaded CA-signed Certificate doesn't match the Uploaded Private Key.
>>
>> Using a similar method on my proxy server (EZProxy) the cert works just fine
>> so it is something with the CCA quirks that I'm butting my head against.
>
>
> Perhaps a different problem but I attempted to use our wildcard 
> certificate on our CCA last Summer and wasn't having any success. It 
> would work up until I rebooted, then it would complain about the 
> certificate name not matching the configured hostname (obviously). I 
> opened a case with the TAC and this was their response (perhaps this 
> has changed?):
>
>
>> ---------- Forwarded message ----------
>> Date: Thu, 11 May 2006 12:20:59 -0400
>> Cc: attach Cisco <[log in to unmask]>
>> Subject: Re: xxxxxxxx : Cisco Clean Access - Assistance Needed
>>
>> Mike,
>>     CCA requires either the FQD or IP address in the CN of the certificate.
>>     So no, there is no way to use a wildcard certificate.
>
>
> -Mike
>   
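
The error reported in this thread says the uploaded certificate and private key do not pair up, and the TAC reply quoted above says CCA wants an FQDN or IP address in the CN. As an added example (not code from the thread or from Cisco), the script below checks both points locally with the OpenSSL CLI before anything is uploaded; the file names and the `*.example.edu` certificate are constructed sample material.

```shell
#!/bin/sh
# Added example, not from the thread: pre-upload checks with the OpenSSL CLI.

# Succeeds only if the certificate in $1 carries the public key of the private
# key in $2. Each command reads the first matching PEM block in its file, so
# $1 and $2 may be the same combined file. Returns 2 if either file is unreadable.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the subject CN of the certificate in $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the CN starts with "*" (the TAC reply says CCA cannot use these).
cn_is_wildcard() {
    case "$(cert_cn "$1")" in
        \**) return 0 ;;
        *)   return 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample material: throwaway keys and a self-signed wildcard cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.edu" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    cat "$d/key.pem" "$d/cert.pem" > "$d/combined.pem"   # like a pfx-to-pem export

    for key in key.pem other.pem combined.pem; do
        if cert_matches_key "$d/cert.pem" "$d/$key"; then
            echo "cert.pem + $key: match"
        else
            echo "cert.pem + $key: MISMATCH"
        fi
    done
    echo "CN: $(cert_cn "$d/cert.pem")"
    cn_is_wildcard "$d/cert.pem" && echo "CN is a wildcard"
    rm -rf "$d"
}

demo
```

When a PEM file holds several certificates, `openssl x509` reads only the first one, so the comparison applies to whichever certificate comes first in the file.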
