Does Cisco ACS 5.4 support wildcard SSL certificates?

Greetings,

I am getting ready to order an SSL certificate for my newly installed ACS 5.4, and before I do that I want to check whether ACS 5.4 supports wildcard SSL certificates.

Can someone help me with this?

Thank you!!!

Chris B.

Hi Chris,

ACS 5.4 still does not support wildcard certificates.

Regards

Anubhav Gupta

Tags: Cisco Security

Similar Questions

  • I have a customer requesting a "wildcard SSL certificate". How can I get one and what do I do?

    I have a site that we will be setting up hosting for, and one of their partners said they need a wildcard SSL certificate. Can someone point me in the right direction for this, please? Thanks in advance.

    -Shawn

    Hi clover,

    If your customer absolutely needs their own certificate... something like https://yourdomain.com, then yes, you will need to switch to another solution. However, as I said, catalyst provides a free certificate and for the most part it is more than acceptable. You will need to provide us with more information... Why do your customers need a wildcard SSL certificate? Are they looking to secure subdomains? Are they worried about security when ordering? Is it an e-commerce site you need to do?

    -Ryan

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

    Right now, my ACS and ASA are linked via RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on ASA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advise me on everything needed to change, or notify about, the expired password?

    PS.

    I checked change password on the first login on ACS, and this confirmed the ASA change password dialog box. But I want it to change or warn when the password has expired.

    Thank you

    The default password is marked as disabled after expiry

    I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

    After you install this hotfix, you get an option in the user authentication settings to do one of the following when the expiration period is exceeded:

    - Disable the user account

    - Expire the password

    If the password is expired, then the user will be asked to change the password at the next authentication.

    Note that the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • Windows 2000 SSL certificate export

    Hi all

    I am trying to export the SSL certificate on a Windows 2000 server that is running Cisco ACS 3.3. This SSL certificate is issued by a third-party CA. This certificate is issued by the CA bound to our server host name. Thus, this certificate can be reused on another server with a different host name.

    I followed the steps below to export the certificate from the 2000 server:

    [1] Start > Run > type "mmc" and press ENTER.

    [2] Click Console > Add/Remove Snap-in...

    [3] Click Add > Certificates > Add > Computer account > Next > Local computer > Finish > Close > OK

    [4] Expand Certificates > expand Trusted Root Certification Authorities and select Certificates

    [5] Select the ACS CA certificate, right click > All Tasks > Export > Next > select 'Base-64 encoded X.509 (.CER)' > Next > Browse

    Choose the storage location and give it a name.

    Press Next > Finish

    We should get a message "export was successful."

    After exporting the certificate from the Trusted Root Certification Authorities folder based on the vendor name, I could see that the certificates are self-signed certificates. This certificate is not the valid certificate issued by the CA.

    My question is: will this certificate issued by the third party be located in a different folder outside the Trusted Root certificate folder? If so, which folder will this certificate be in?

    I'm checking the "Issued by" and "Issued to" fields of the certificates. For a self-signed certificate, "Issued to" and "Issued by" are the same.

    Attaching a snapshot of the certificate MMC window.

    Hello

    ACSCertStore is a record of the certificate created in the MMC - folder of the server certificate.

    I hope this helps.

    Kind regards

    Anisha.

    P.S.: Please mark this message as answered if you feel that your query is resolved. Note the useful messages.

  • Replaced the SSL appliance - VMware vCenter Support Assistant device certificate

    Hello

    I need to replace the certificate in the VMware vCenter Support Assistant appliance but get the error below.


    Key file is empty, it does contain a private key or contained an unsupported key type. Supported key types are PCKS #1 and PKCS #8.


    However, the official product documentation gives the procedure below on pages 19 and 20.



    Replace Your SSL Certificate

    vCenter Support Assistant uses a self-signed SSL certificate. You can change your SSL certificate in accordance with the policy of your company for SSL certificates.

    Procedure

    1. In a Web browser, go to the IP address of the appliance.

    2. Log in to vCenter Support Assistant.

    3. Click the VA Settings tab.

    4. Under SSL Configuration, in the Private key (.pem) text box, click Choose a file.

    5. In the file browser window, navigate to the directory that contains your certificate, select the private key (*.pem) that corresponds to the certificate chain and click Open.

    6. If your private key is protected by a password, type the password in the key password text box.

    7. In the Certificate chain (.pem, .p7b) text box, click Choose a file to select your certificate chain file.

    8. In the file browser window, navigate to the directory that contains your certificate chain, select your SSL certificate chain (*.pem, *.p7b) and click Open. NOTE: If you try to add an expired certificate, a warning message indicates that you are not allowed to add the certificate.

    9. Click Apply to apply the changes.

    Could someone help me?


    Hi, people.

    After several tries, I had success in replacing the VSA certificate.

    1 - The DNS configuration was wrong.

    2 - The certificate's key should be in RSA private key format, and the .pem file must be built from the service certificate + the certification authorities' certificates.
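Added example (not part of the original thread and not VMware code): a Python pre-flight check for the two uploads discussed above, based on the error text (PKCS #1 and PKCS #8 keys only) and the poster's fix (RSA-format key, chain built from the service certificate plus CA certificates). The function names and the constructed sample PEM bodies are assumptions for illustration; the check reads PEM armor labels only and does not verify signatures or chain order.

```python
import base64
import re

# PEM armor label -> private-key container it announces.
KEY_KINDS = {
    "RSA PRIVATE KEY": "PKCS#1",
    "PRIVATE KEY": "PKCS#8",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
    "EC PRIVATE KEY": "SEC1 EC",
}
ACCEPTED = {"PKCS#1", "PKCS#8", "PKCS#8 (encrypted)"}  # per the error text
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, decoded_bytes, legacy_encrypted) per block; other text is ignored."""
    out = []
    for label, body in PEM_RE.findall(text):
        lines = body.splitlines()
        # Legacy OpenSSL encryption announces itself in RFC 1421 style headers.
        legacy = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        b64 = "".join(l.strip() for l in lines if ":" not in l)
        out.append((label, base64.b64decode(b64), legacy))
    return out


def check_key_file(text):
    """Pre-flight for the private key upload; returns (ok, detail)."""
    keys = [b for b in pem_blocks(text) if b[0] in KEY_KINDS]
    if len(keys) != 1:
        return False, "expected exactly one private key, found %d" % len(keys)
    label, der, legacy = keys[0]
    kind = KEY_KINDS[label]
    if kind not in ACCEPTED:
        return False, kind + " key: convert to PKCS#1 or PKCS#8"
    if not legacy and der[:1] != b"\x30":
        return False, "key body is not a DER SEQUENCE (truncated or corrupt)"
    needs_pw = legacy or label == "ENCRYPTED PRIVATE KEY"
    return True, kind + (", password required" if needs_pw else "")


def check_chain_file(text):
    """Pre-flight for the chain upload; returns (ok, detail)."""
    blocks = pem_blocks(text)
    if any(b[0] in KEY_KINDS for b in blocks):
        return False, "chain file contains a private key"
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(certs) < 2:
        return False, "found %d certificate(s); CA certificates missing" % len(certs)
    return True, "%d certificates" % len(certs)


def sample_pem(label, body="MAMCAQA="):
    """Constructed sample block: the body is a placeholder, not a real key."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    for lbl in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
        print(lbl, check_key_file(sample_pem(lbl)))
```
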

  • Does anyone know if Cisco Clean Access Server version 4.1(8) supports SHA-256 signed SSL certificates?

    Yes, I know they are very old servers and technically, we should move away from CAS altogether. But unfortunately, it's an environment I inherited, and I am now dealing with issues. Because of the requirement to move away from SHA-1 signed certificates, I need to replace my existing certs with SHA-256 signed certs. But before I do that I would like to know if anyone knows if CAS version 4.1(8) supports SHA-256 certificates? I did check the release notes, but there is no mention of the supported versions of SHA, etc. I tried TAC but no joy there either.

    Hello Rafael,

    Support for SHA-2 signed certificates was added in 4.7.2 for CAS and CAM.

    We have filed a documentation defect to have it documented in the release notes.
    CSCud99946    Note of support for the NAC should say we support certs of SHA - 2

    Kind regards

    Jousset

  • ACS 3.3 invalid or corrupted SSL certificate installed

    Hello

    I installed a new SSL certificate to replace the old one which was about to expire. After this cert update, I can no longer access the ACS server for admin purposes. I get the error "cannot establish connection cifered because the certificate presented by is invalid or damaged. Error code:-8101 "or something similar, as the message is in Spanish.

    I tried to restart the CSAdmin service without success. I also looked at the different CS tools, but none of them does this, nor is it in the ACS guide.

    Is there a way to remove the certificate from the command line or otherwise?

    Any help would be appreciated because I don't want to reinstall/rebuild the server.

    Thank you

    Niels

    If the ACS is 3.3.4 or below, then it can be disabled through the registry. 4.x does not have registry settings to tweak.

    For 4.x

    A possible workaround we have is that if an ACS backup taken prior to activation of HTTPS exists, we can restore it and work around the problem.

    For 3.3.x

    To restore access using HTTP on your server, you must change the registry setting to disable HTTPS. Here's the location of the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config\HTTPSSupport

    Change this value from 2 to 1.

    Kind regards

    ~ JG

    Note the useful messages

  • ISE supports wildcard certificates?

    Hello guys,

    My client is not a certification authority, but rather has wildcard certificates.

    I will implement ISE in 3 locations (each location independent and with all the ISE services). I haven't looked in depth at wildcard certificates, but does ISE support this type of certificate? I need the certs only so that corporate users are not shown the SSL certificate error when accessing the ISE portals.

    If wildcard certificates are supported, will I then have to create a separate CSR for each independent site?

    Thank you!

    Emilio

    Version 1.2, which is coming out, seems to, but not the old version.

  • Internal and external customers see certificate of Cisco router, NOT Exchange SSL certificate

    Cisco 876 Integrated Services router (ISR)
    Exchange Server 2010 SP1

    Customer: 2013 Outlook, OWA, ActiveSync WP7/WP8 (?)

    We put in place a new Cisco ISR. Almost everything works fine, with a few exceptions. Exchange e-mail stopped altogether for several days until I realized that I needed to redirect the SMTP, HTTP, and HTTPS ports from external to the Exchange Server. Now, mail flow is fine, but...

    Every time I start Outlook, I get a certificate error. When I look at the certificate in the error popup, it actually points to the Cisco router's self-signed certificate. When we try to use the Windows phones, they get a "certificate error" and direct the user to the network administrator. Even with OWA: a certificate error, even if it can be "accepted" / overridden.

    Each client can still work, with the exception of the Windows phones. In Outlook and OWA, mail is still sent and received, but the wrong certificate must be accepted manually before the client proceeds, and then it takes a little longer to load.

    Any ideas?

    I did port forwarding on ports 25, 80 and 443. Again, I did it yesterday and now mail seems to flow, whereas before, even if we could get into the client with the certificate error, messages were not received. (There was also a problem with mail not getting through, but that was due to our mail relay provider and was fixed yesterday as well...)

    Everything worked fine with the previous router (obviously). It was a high-end, consumer-grade Fritz!Box commonly used in Germany. I also had to allow ports through this box, not unlike using the ip nat inside static commands on the 876, but I don't know what it could have let through on its own or why the ISR is hijacking the Exchange Server SSL certificate.

    Thanks in advance for any help.

    jeremyNLSO
    CCNA Routing & Switching, CCNA security
    MCITP, MCTS
    Berlin, Germany

    So we actually figured this out today. The internal DHCP server was distributing a public DNS server as well as the internal DNS. The internal DNS timed out and the client got the external IP address from the public DNS, and it received an unexpected cert from the router. Once we removed the public DNS servers from the DHCP server and used only in-house DNS servers, the issue went away. Logical after we realized what was going on.

  • 5.4 double certificate option Cisco ACS

    Hello Experts

    I wonder if anyone knows if I can have two certificates on my Cisco ACS 5.4 server. The documentation says I can, as long as they have different 'from' and 'to' dates with the same CN name. However, this is a production server and I wanted to be sure before I make changes. I currently have a certificate installed and everything works well, but I need to add a second for migration purposes.

    Hovsep Armeni
    LAN, UK

    A certificate can be linked to these two services (HTTP and EAP), however, each service can only be associated with a single certificate. Thus, for example, you cannot have two certificates that are related to the EAP process.

    Thank you for evaluating useful messages!

  • The existing migration ssl certificate win 4.2 device acs acs 3.2

    Hello

    We have an ACS server, ACS 3.2 Windows version, that is running an SSL certificate (certificate authority) for EAP-TLS user authentication.

    We want the same to be migrated to the ACS 4.2 appliance. I tried in different ways to push the certificate but I couldn't.

    I tried through System Configuration --> ACS certificate --> install ACS certificate --> download the certificate file

    I entered the FTP server IP address, credentials, file name and path.

    But when I submit, the appliance reports directory not found or incorrect credentials.

    The FTP logs show this:

    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 PASS welcome2acs
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 230 user logged
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 FTP: successful connection
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 CWD D:\FTP-ACS-AU
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 D:\FTP-ACS-AU 550: no such file or directory.
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 FTP: connection is closed.
    April 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 Session closed by peer
    April 15, 2011 19:44:47 Session 5, Peer 10.190.249.40 the FTP Server session
    April 15, 2011 19:44:47 Session 5, Peer 10.190.249.40 the FTP Server session
    April 15, 2011 19:44:47 Session 5, Peer 10.190.249.40 USER ftpadmin
    April 15, 2011 19:44:47 Session 5, Peer 10.249.40 331 ok, need password username
    April 15, 2011 19:44:47 Session 5, Peer 10.190.249.40 FTP: connection attempt by: ftpadmin
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 PASS welcome2acs
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 230 user logged
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 FTP: successful connection
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 DLG FTP - ACS - to THE
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 550 FTP - ACS - to THE: no such file or directory.
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 FTP: connection is closed.
    April 15, 2011 19:44:48 Session 5, Peer 10.190.249.40 Session closed by peer

    Can anyone please suggest what the problem could be... is my method wrong?

    Hello

    For the directory, just enter '/'.

    Just browse for the file field, and shared folder opens automatically.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • [Q] how to build and install an SSL certificate signed for the management of a Cisco 5508 WLC?

    Our security policy requires that all admin web pages be signed by our business CA. I have successfully implemented a 3rd-party SSL certificate for Web Auth on our WLAN of comments, but I need to install a self-signed certificate for the management of the WLC itself. I followed the instructions here:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

    but it was more useful for Web auth. I can't find a specific document explaining how it should be done for the management interface.

    Any help much appreciated.

    (1) Please use a password. Empty passwords regularly give problems.

    (2) You don't recombine the key with the certificate before you download to the WLC:

    Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

    Type this command in the OpenSSL application:

    openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123

    !--- This command should be on one line.

    openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123

    Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is set for the -passout parameter must match the SubscriptionId parameter that is configured on the WLC. In this example, the password configured for both the -passin and -passout parameters is check123. Step 4 of the procedure in the section of this document on downloading the third-party certificate to the WLC deals with the configuration of the SubscriptionId parameter.

    The final.pem is the file that is transferred via TFTP to the Cisco WLC.

    Now that you have the certificate of the third-party CA, you must download the certificate to the WLC.

  • Renew the certificate in Cisco ACS for PEAP authentication

    Hi, we installed on wireless client laptops a certificate created by Cisco ACS for authentication, but it's about to expire.

    How can I renew the certificate without affecting users?

    (1) Yes, we can generate a new cert but install the latter.

    (2) install generated new cert on the client.

    (3) install the new cert in ACS.

    Good plan and will probably work.

    Kind regards

    ~ JG

    Note the useful messages

  • Cisco ACS 5.4 is supported on ESXi 5.5?

    Hello

    We are upgrading Cisco ACS to version 5.4, but the only available platform is VMware ESXi version 5.5. The ACS installation docs indicate that versions 5.0 and 5.1 are the only supported versions. Does anyone know if version 5.5 is supported too?

    Thank you :-)

    It is supported in ACS 5.6:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-6/release/notes/acs_56_rn.html#78689

    Support for virtual environments

    ACS 5.6 supports the following versions of VMware:

    • VMware ESXi 5.0
    • VMware ESXi 5.0 Update 2
    • VMware ESXi 5.1
    • VMware ESXi 5.5
    • VMware ESXi 5.5 Update 1

  • Cisco ASA 5505 and comodo SSL certificate

    Hey all,

    I'm having a problem with setting up the SSL certificate piece of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the 2 CA pieces under the CA certificates. I have HTTP redirect to HTTPS and in my browser, it is green.

    Once the AnyConnect client installs and automatically connects, I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates!" message, which is not true because the connection information is https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

    On that note, it lists the IP address instead of vpn.mydomain.com as the untrusted piece of this. Now of course I don't have the IP as part of the SSL cert, just the web address. On the web side, I have an A record set up to go from vpn.mydomain.com to the IP address of the Cisco ASA.

    What am I missing here? I can post the config if anyone needs it.

    (My ASA software version is 9.0(2) and ASDM version is 7.1(2))

    Yes, that's correct. Technically, it will take you to EKU as keys to authenticate server, which was a little forced in version 3.1. But eventually, it was taken away. If you get no error using the browser and it only comes with the AnyConnect client, most likely you do not have the values configured. I can confirm that if you can share the FQDN with me. Also, you can try the upgrade and check it out.

    Thank you

    Bad Boy
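Added example (not from the thread, and not Cisco's implementation): a simplified Python version of the name check a TLS client typically applies, showing why a session opened to the ASA's IP address does not match a certificate issued only for vpn.mydomain.com, and how a wildcard name is matched. The function names and the 203.0.113.10 documentation address are assumptions; the wildcard rule is a conservative simplification of RFC 6125.

```python
import ipaddress


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def dns_match(pattern, host):
    """Match one certificate dNSName (possibly a wildcard) against a host name."""
    pat, ref = _labels(pattern), _labels(host)
    if len(pat) != len(ref):
        return False  # '*' stands for exactly one label, never several or none
    if pat[0] == "*":
        # Wildcard accepted only as the whole leftmost label, and only when at
        # least two fixed labels follow it (rejects names such as '*.com').
        return len(pat) >= 3 and pat[1:] == ref[1:]
    if any("*" in label for label in pat):
        return False  # partial or non-leftmost wildcards are rejected
    return pat == ref


def identity_matches(target, dns_names, ip_sans=()):
    """Compare what the client connected to with the names in the certificate.

    target    -- host name or IP address the client used
    dns_names -- dNSName entries (or the CN) from the certificate
    ip_sans   -- iPAddress subjectAltName entries, if any
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_match(p, target) for p in dns_names)
    # An IP target is compared only with iPAddress entries, never DNS names.
    return any(ipaddress.ip_address(s) == ip for s in ip_sans)


if __name__ == "__main__":
    cert_names = ["vpn.mydomain.com"]           # as described in the question
    print(identity_matches("vpn.mydomain.com", cert_names))   # by name
    print(identity_matches("203.0.113.10", cert_names))       # by IP (constructed)
```
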
