CLEANACCESS Archives

January 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Brian Beausoleil <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 8 Jan 2007 08:26:03 -0500
Content-Type: text/plain

Prem (or Dan if you get this first),

I know you requested that Dan send you the files directly to help figure out
his issue, but I am wondering what you found to be the problem.  I am having
the same error message with certs from Equifax.  I am waiting to get a copy
of our certs re-sent from my coworker to try importing again, but for the
time being I am just wondering what you found out for Dan.

Thanks.

Brian

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Prem Ananthakrishnan (prananth)
Sent: Friday, January 05, 2007 3:29 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Can you unicast me your Private Key, Cert and the root? 
You will have to load the Pkey first, followed by cert and the root.

Let me try it on my CAM. What version are you running?

-Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 12:21 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Prem,

I did not know about that bug so I exported the private key and
re-imported it with the cert and the root.  I'm getting the same error
now still.  

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Prem Ananthakrishnan (prananth)
Sent: Friday, January 05, 2007 2:48 PM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Hey Daniel,

I think you are hitting a bug. Did you export Private  Key?
If so, you will need to import that back in along with cert and Root

See the following bug:- CSCsg00598 

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg00598+&Submit=Search

Thanks
Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel R. Sullivan
Sent: Friday, January 05, 2007 11:48 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Matthew,

Thanks for pointing out ipsca, I requested a cert from them.  I'm still
having no luck getting it to work though; so any advice from the list
would be appreciated. I must be doing something wrong.

Steps this time:
 - Generated a CSR
 - Downloaded cert
 - Downloaded Root and Intermed single file
 - Uploaded Root and Intermediate single file: success
 - Uploaded cert: success
 - Verify and install: Error: The Uploaded CA-signed Certificate doesn't
match the Uploaded Private Key.

I've got to be missing something somewhere.  Do I need to do the Root &
Intermediate as a non-standard CA?

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Matthew Farwell
Sent: Friday, January 05, 2007 10:12 AM
To: [log in to unmask]
Subject: Re: Need help with DigiCert Wildcard Cert!

Daniel,

We have used certs from Ipsca successfully with CCA.  
http://certs.ipsca.com/   They will provide free 2 year certs for .edu 
domains.  They are quick to return the cert and are compatible with all
major browsers.

Good luck,
Matthew

--
Matthew Farwell

Wentworth Institute of Technology
550 Huntington Ave
Boston, MA 02115





Daniel R. Sullivan wrote:
> For us it is the massive savings.  We're a small private school with nearly
> no budget.  The DigiCert Wildcard only cost $1000 for 3 years and we
> have around 40 servers/services using wildcards on our campus (we
> moved from a GoDaddy one for more compatibility). Compare that to
> ~$290 for a single annual server cert from someone like Thawte (which
> we were using) and the cost savings alone are obvious.
>
> Labor is another issue since wildcard certs can have multiple years, I only
> need to spend the time once to put them on the servers and services.  Until
> recently I was the only Network Admin we had and the single server
> certs took over a week of labor to install across all servers.
>
> So this brings the question, if I just go with a single server cert
> what vendor will be painless?  I have students rolling in two days
> from now and any with IE7 are going to get the garish "Do not continue to
> this website" notification, and so I'm willing to spend the money to get
> around the cert issue.  If I do Thawte do I need to do the non-standard trust
> stuff?
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Nick Chong
> (nchong)
> Sent: Friday, January 05, 2007 9:40 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> Hello Mike, Dan,
>
> Happy new year. 
>
> We currently do not support wildcard cert yet. We can look into that 
> as feature future planning.
>
> What are the other benefits of using wildcard cert btw? (besides 
> saving time/money to register).
> I have heard a few requests on this but wasn't sure the technical 
> reasons. Thanks.
>
> Regards,
> Nick
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Friday, January 05, 2007 5:27 AM
> To: [log in to unmask]
> Subject: Re: Need help with DigiCert Wildcard Cert!
>
> On Thu, 4 Jan 2007, Daniel R. Sullivan wrote:
>
>> I'm at my wits end.  I looked back through the archives and tried all the
>> stuff Rob Crockett was told to do with his godaddy/starfield cert.
>>
>> Here are the steps I've done:
>> - Wildcard cert lives on an IIS server
>> - Exported cert with private key as pfx
>> - Used openSSL to strip the password giving me the private and public in the
>> same pem file.
>> - Upload that private file to CCA, that gives a Success message
>> - Upload the root CA cert to the "* Trust non-standard . . ." which gives:
>> Success. Changes will take effect after you restart the server.
>> - Upload the intermediate CA cert to the "* Trust non-standard . . ." which
>> gives: Success. Changes will take effect after you restart the server.
>>
>> So I do the reboots and try to Verify and Install and I get: Error: The
>> Uploaded CA-signed Certificate doesn't match the Uploaded Private Key.
>>
>> Using a similar method on my proxy server (EZProxy) the cert works just fine
>> so it is something with the CCA quirks that I'm butting my head against.
>
>
> Perhaps a different problem but I attempted to use our wildcard 
> certificate on our CCA last Summer and wasn't having any success. It 
> would work up until I rebooted, then it would complain about the 
> certificate name not matching the configured hostname (obviously). I 
> opened a case with the TAC and this was their response (perhaps this 
> has changed?):
>
>
>> ---------- Forwarded message ----------
>> Date: Thu, 11 May 2006 12:20:59 -0400
>> Cc: attach Cisco <[log in to unmask]>
>> Subject: Re: xxxxxxxx : Cisco Clean Access - Assistance Needed
>>
>> Mike,
>>     CCA requires either the FQD or IP address in the CN of the certificate.
>>     So no there is no way to use a wildcard certificate.
>
> -Mike
>   
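
Added example, not part of the thread and not Cisco's procedure: a way to check with OpenSSL, before uploading anything, whether a PEM certificate and private key are actually a pair (the condition the "doesn't match the Uploaded Private Key" error refers to) and whether the certificate's CN is a wildcard (the restriction in the TAC reply quoted above). The function names, file names and the host name cca.example.edu are assumptions; the keys are generated as throwaway test material.

```shell
#!/bin/sh
# Added example (not from the thread). File names and cca.example.edu are
# constructed; the keys generated below are throwaway test material.

# Print the public key embedded in a PEM certificate.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the public key derived from an unencrypted PEM private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
pub_from_key() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# 0 = cert and key are a pair, 1 = they are not, 2 = a file did not parse.
cert_matches_key() {
    c=$(pub_from_cert "$1") || return 2
    k=$(pub_from_key "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Print the subject CN (assumes the CN value contains no escaped comma).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the CN is a wildcard name such as *.example.edu.
cn_is_wildcard() {
    case "$(cert_cn "$1")" in \**) return 0 ;; *) return 1 ;; esac
}

# Create a constructed self-signed cert and key: make_sample DIR NAME CN
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" host 'cca.example.edu'
    make_sample "$d" wild '*.example.edu'
    for pair in host:host host:wild wild:wild; do
        crt="$d/${pair%%:*}.crt"; key="$d/${pair##*:}.key"
        if cert_matches_key "$crt" "$key"; then r=match; else r="NO MATCH"; fi
        printf '%s + %s: %s (CN=%s)\n' "${crt##*/}" "${key##*/}" "$r" "$(cert_cn "$crt")"
    done
    rm -rf "$d"
}
demo
```

A result of 1 from cert_matches_key means the certificate was issued for a different key than the one supplied, for example a certificate signed from a newer CSR than the key being uploaded.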
