Cisco NAC SSL certificate replacement

Similar Questions

• Impossible to import a private key RSA 2048 bits for Cisco SG500 SSL certificate,

  On a Cisco SG500 - 52 Small Business switch, I generated a new 2048-bit RSA private key and generated a Certificate Signing Request to submit to a certification authority. I received the new certificate of the certification authority and tried to import it to the switch SG500-52. (1.2.7.76, boot 1.2.0.12 firmware version)

  It is not possible to paste the text obtained certificate in the import box. the area of importation is limited to less than characters than the length of a certificate for a 2048-bit key...

  Catch-22, anyone? (Or maybe better to say, wrestling-2048?)

  Is there a solution to do this, perhaps in a more recent version of the firmware? It is possible to the CLI instead of the web interface?

  Thank you

  Hi Jay Libove,.

  You can also try with cli. Telnet or ssh to the switch, then

  terminal #configure

  Crypto (config) # certificate import<1-2>

  It gives you a prompt

  Please copy - paste the entry... etc.

  copy and paste the certificate and at the end add a point (.) at the end.

  See if this work. You must have the certificate and the private key, but the copy of the certificate request does not work.

  Let me know if I can help you further.

  Thank you

  Prithvi

• replace the SSL certificate in Dell OMSA 7.2

  My University is compels me to replace the Dell's SSL certificate in OMSA with a certificate from a certification authority.  We use InCommon.

  I generated a certificate using Microsoft IIS request.  InCommon generated the certificate and got sent back links to a variety of formats.

   as PKCS#7 Base64 encoded:
      Other available formats:
         as PKCS#7 Bin encoded:
         as X509, Base64 encoded:
         as X509 Certificate only, Base64 encoded:
         as X509 Intermediates/root only, Base64 encoded:
         as X509 Intermediates/root only Reverse, Base64 encoded
  
  Does anyone know what kind of certificate I need, and exactly how to install it in the apache server that runs Dell OMSA.
  

  Ok.  I have an answer.

  As far as I know, the interface Dell OMSA itself does not have to import the intermediate certificates (returns an error) and cannot be used to create a useful CSR (signature request) because you can't specify your own institutional settings. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would incorporate new certificates (which she seems to fail at the).

  The simplest approach is to generate a CSR in Windows IIS, the authenticated certificate back from your CA, and then to export to a .pfx file (private, final, intermediate entity certificate and certificates root key, extended attributes).

  Use IBM tool called keyman (download www.ibm.com/developerworks).  Use the version of Windows.

  It can convert a .pfx file in a keystore apache in 3 easy steps.  1. create a new key file

  2 import the .pfx file 3. Save the key file.

  Tips on the internet suggest keeping all the passwords the same - pfx export, keystore, key, etc.

  Edit the server.xml file in the apache server to use your new password.

  Only downside is that your password will be readable text in the server.xml file.  In the original file server.xml file Dell used system tools or java to hide passwords.

• Internal and external customers see certificate of Cisco router, NOT Exchange SSL certificate

  Cisco 876 Integrated Services router (ISR)
  Exchange Server 2010 SP1

  Customer: 2013 Outlook, OWA, ActiveSync WP7/WP8 (?)

  Put us in place a new Cisco ISR. Almost everything works fine, with a few exceptions. Exchange e-mail stopped altogether for several days until I realized that I needed to redirect the ports, SMTP, HTTP, and HTTPS, by external to the Exchange Server. Now, mail flow is fine, but...

  Every time I start Outlook, I get a certificate error. When I look at the certificate in the error popup, it points actually to certificate self-signed Cisco router. When we try to use the Windows phones, they get a "certificate error" and direct the user to the network administrator. Even with OWA: a certificate error, even if it can be "accepted" / overridden.

  Each customer can still work, with the exception of Windows phones. In Outlook and OWA, mail is always be sent and received, but must be accepted manually that the certificate is wrong before the customer takes care, and then it takes a little longer to load.

  Any ideas?

  I did "" port forwarding on the pots of 25, 80 and 443. Again, I did it yesterday and now mail seems to flow, whereas before, even if we could enter the client with Certificate error, message not be received. (There was also a problem with mail however not passed, but that was due to our mail relay provider and was set yesterday as well...)

  Everything worked fine with the previous router (obviously). It was a high-end, the level of consumption Fritz! Box commonly used in Germany. I also had to allow ports through this box is not unlike using the nat ip inside static commands on the 876, but I don't know what he could have let his own or why SRI is the Exchange Server application SSL certificate hijacking.

  Thanks in advance for any help.

  jeremyNLSO
  CCNA Routing & Switching, CCNA security
  MCITP, MCTS
  Berlin, Germany

  If we have actually figured this out today. The internal DHCP Server distributing the a DNS Server public as well as the internal DNS. The internal DNS was time and the customer became the external IP address of the public DNS and it received an unexpected cert of the router. Once we removed the public DNS servers from the DHCP server and used only DNS servers in-house, that the issue went away. Logical after we realized what was going on.

• [Q] how to build and install an SSL certificate signed for the management of a Cisco 5508 WLC?

  Our security policy requires that all web pages admin must be signed by our CA business. I have successfully implemented a SSL certificate 3rd party Auth Web our WLAN of comments, but I need to install a self-signed certificate for the management of the WLC himself. I followed the instructions here:

  http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

  but it was more useful for Web auth. I can't find a specific document explaining how it should be done for the management interface.

  Any help much appreciated.

  (1) Please use a password. Empty passwords regularly give problems.

  (2) you don't recombine the key with the certificate before you download to the WLC:

  Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

  Type this command in the OpenSSL application:

  openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts
  
      -passin pass:check123 -passout pass:check123
  
      
  
      !--- This command should be on one line.
  
  
      openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123
  
      

  Note: In this command, you must enter a password for the parameters -passin' and -passout . The password is set to the setting -passout must match the setting SubscriptionId is configured on the WLC. In this example, the password is configured at the time the -passin' and settings -passout is check123. Step 4 of the procedure in the section download the WLC third certificate of this document deals with the configuration of the SubscriptionId parameter.

  The final.pem is the file that is transferred via TFTP to the Cisco WLC.

  Now that you have the certificate of the third-party CA, you must download the certificate to the WLC.

• Cisco ASA 5505 and comodo SSL certificate

  Hey all,.

  I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

  Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

  On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

  What I'm missing here? I can post config if anyone needs.

  (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

  Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

  Thank you

  Bad Boy

• VUM 6.0, replacement of SSL certificates

  Hello

  VCSA device (6.0) external PSC

  VCenter VCSA device (6.0)

  VUM 6.0 (1 x R2 Windows 2012 running SQL 2014 and 1 x R2 Windows 2012 with VUM installed)

  Open root SSL and subordinate CA

  I replaced the certificates for the PSC with no problems, the VC and the hosts are all good :-)

  To replace the VUM SSL certificates, I followed KB 1023011 and replaced the self CERT signed with certificates signed by a subordinate CA OpenSSL. When I open the VI client and activate the VUM plugin I get a certificate error. If I open the PFX and import it into my personal cert store the complete chain, subordinate and root is here, and all are approved. If I navigate over https to another server where I replaced the SSL certificate with the one that was signed by the same CA browser isn't moaning.

  Issues related to the:

  1. the error indicates that my PC does not trust the cert or vCenter does not support the cert?

  2. If it is likely that the vCenter is not to trust the cert how to install the CA certificate root in the keystore on the vCenter? The PSC has already he is and trust her, otherwise she would not distribute certs kindly signed to esxi hosts.

  3. the cert that was issued for MUV has the VUM server's dns name in the part of the cert SAN but not in the issued to. Who is likely to be a problem?

  4. the CSR that has been generated for MUV did not come from the VUM server, instead, it was made from the workstation where he has installed OpenSSL. Who is likely to be a problem?

  As a side note KB 1023011 has no mention of being the right process for 5.5, 6.0 let alone!

  Thank you very much

  Girardot

  Hello

  I managed to solve this problem by adding intermediate CA on the end of the rui.crt.

  See you soon,.

  Girardot

• Cannot save vSphere Web Client after the replacement of the SSL certificate

  Hi all

  I have followed the Articles of Derek Seaman on the replacement of all the certificates in vSphere 5.1 and have since turned to the VMware KB Articles. I replaced the certificates for the SSO, the inventory Service and vCenter Server with no problems (other than having to use OpenSSL-Win64 for vCenter certificate that I could not get the x 86 version certificate of work, makes no sense, but I'll take the small victory).

  If you follow the guide of vmware to replace the web service certificate, http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC & docType = kc & docTypeID = DT_KB_1_1 & externalId = 2035010, I get to step 12, enter the VMware vSphere Client Web back to vCenter Single Sign On and the following error:

  ##########################

  D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool > regTool.cmd registerService - cert "C:\ProgramData\VMware\vSphere Web Client\ssl" - ls - url ( https://(Server URL): 7444/lookupservice/sdk - username admin@system-domain - password (password) - dir 'D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\sso_conf' - ip "*." ' * ' - serviceId-file 'D:\Program Files\VMware\Infrastructure\vSphereWebClient\serviceId'

  No file properties not found
  Initialization of provider of record...
  SSL certificates for https://vsphere.au.ray.com:7444/lookupservice/sdk
  SSL certificates for https://vsphere.au.ray.com:7444 / sso-adminserver/sdk
  Unhandled exception trying to escape: null
  Return code is: OperationFailed
  100

  ##########################

  VMware technical support suggested I uninstall all components, delete all databases and try again. I have done this and have exactly the same result.

  Has anyone seen elsewhere or managed to solve?

  Chris

  So, I managed to solve this problem. Not sure that this applies to everyone, but my problem was caused by registering using among other names of the subject in the SSL certificate for the SSO rather than the common name of the certificate.

  For example, the server name is server1.company.com. It is the common name of the certificate. But one of SAN of the certificate has been "vSphere.company.com".  If I used this other name in one of the component records that they would fail. I found that I have to use the common name. Even if the alternative names of job access to via your browser web, there is no certificate warning, if the registration of components using these names, it would fail.

  It seems crazy that you can use any of the San... then why allow us to make?

  Initially, I tried to replace the authentication certificate ONLY when the town was called vsphere.company.com, rather than the hostname of the server, and which is installed. However, try to install the Web Client would fail. When you come to the step where you have to accept the certificate of SSO, the installation fails because the common name of the certificate does not have the host name of the SSO server. It seems insane to me... why the host name of the server running the SSO should still come in when all calls are over HTTPS is simply absurd!

  I confirmed this with VMware Technical Support and they checked my conclusions.

• Cisco ACS 5.4 Support Wildcard SSL certificates?

  Greetings,

  Is getting ready to order a SSL certificate for my ACS 5.4 newly installed, and before I did that I want to check if 5.4 ACS supports Wildcard SSL.

  Someone help me with this?

  Thank you!!!

  Chris B.

  Hi Chris,

  ACS 5.4 still does not support wildcard certificates.

  Regrads

  Anubhav Gupta

• Replacement of the SSL certificate in vCenter Server Heartbeat with a new certificate

  Realized the SSL certificates on my vsphere vCenter Server 5.5 environment change, but now I'm looking to deploy vmware vCenter Server HeartBeat service, but I have the following doubts.

  1. it is necessary to perform the exchange of currently used SSL certificate in my environment. ()http://kb.vmware.com/selfservice/microsites/search.do?language=en_US & cmd = displayKC & externalId = 2013041( )

  KB article talking about amendment of the certificate of a vCenter Server Heartbeat deployed... If the vCSHB are not deployed and yet, you don't need to worry... just go ahead with the installation and the new vCenter server certificate will be recognized by vCSHB.

• ACS 3.3 invalid or corrupted SSL certificate installed

  Hello

  I installed a new SSL certificate to replace the old one which was about to expire. After this update of cert, I can access is no longer the ACS server for admin purposes. I get the error "cannot establish connection cifered because the certificate presented by is invalid or damaged. Error code:-8101 "or something similar that the message is in Spanish.

  I tried to restart the CSAdmin service without success. I also watched ath the different CS tools but none of them does this nor is the Guide to GBA.

  Is there a way to remove the certificate from the command line or other?

  AY help would be appreciated because I don't want to reinstall/rebuild the server.

  Thank you

  Niels

  If the EC is 3.3.4 or below then it can be disabled through the registry. 4.x do not have registry settings to tweak.

  For 4.x

  A possible workaround we have is that if a GBA backup taken prior to activation of the HTTPS is there, we can restore the same and work around the problem.

  For 3.3.x

  To restore access using http on your server, you must change the registry setting

  to disable the https. Here's the location of the key "reg":

  HKEY_LOCAL_MACHINE \SOFTWARE \Cisco \CiscoAAAv3.2 \CSAdmin \Config \HTTPSSupport

  Change this value from 2 to 1.

  Kind regards

  ~ JG

  Note the useful messages

• Invalid SSL certificate

  My company uses Citrix Receiver to allow us to connect to the House to work.

  I installed the latest version of the plug of the receiver in and all have El Capitan, I don't go through safari but rather connect by Miss this step and launch citrix directly, pop in my user name, password and rsa token details.

  At this point, I see a message invalid SSL certificate.

  Any ideas how I can check whats wrong, are the certificates stored in the keychain?

  Howdy John!

  Looks like you have a SSL certificate, which plays well with El Capitan. I would use the troubleshooting for this in the following article to help you here:

  OS X El Capitan: If your certificate isn't being accepted

  If a certificate is not accepted, it may have expired or it may be invalid for the way in which it is used. For example, some certificates may be used to establish a secure connection to a server, but not for the signing of a document.

  The most common reason that a certificate is not accepted, is that the root CA certificate is not approved by your computer. To have your computer trust a certification authority, you must add the certificate authority to a keychain and set the certificate of trust setting.

  1. If an application (e.g. Safari) displays the root certificate of the CA as part of the CA message, drag the icon of the certificate root on the desktop.

  2. Drag the certificate on the Keychain Access file, or double-click the certificate file.

  3. Click menu Keychain, choose a set of keys, and then click OK.

     If you are prompted, enter the name and password for an administrator on this computer user.

  4. Select the certificate, and then choose file > read the information.

  5. Click the trust triangle to display the certificate trust policies .

  6. To override the trust policies, choose trust settings that you want to replace in the pop-up menus.

     For more information, see certificate trust policies.

  CLOS

• LabVIEW and SSL certificate

  So I come back on an interesting question that can cause significant problems, unless I can find a reasonable solution.

  Until yesterday a number of software programs that run in a number of remote sites were running all fortunately accessing a database.  This database is accessible via the HTTPS POST and screw HTTPCLIENT, and for the past two years, everything worked fine while having the true flag to check server, the database is part of a site that is all signed and certified.

  However, as of yesterday, they all decide to stop, investigate the server itself it seems that the SSL certificate has switched from the previous period. While browsing the forums of LAVA, I managed to find the reference to the problem with which a LabVIEW ca - bundle.crt file making the obsolete object so not check the validity of the new certificate.

  Now, while there is here a workaround which the server verify the Pavilion from true to FALSE switching, I can do all programs work again, there's the issue of having to update and rebuild several years worth of programs. So I was expecting something that I could do outside of LabVIEW to try to solve the problem, I had considered to replace ca - bundle.crt, but I'm not sure of the validity of this idea.

  So, any ideas are likely to be accepted if they mean that I don't have to go to several versions of LabVIEW.

  TLDR:

  

  I can do something with it to solve the problem?

  

  Welll the good news is that I found a solution. The problem is that I don't know to what extent this solution will get me, it should mean at least I can reach the single database I'm targeting.

  Subsequently to the rear since the database certificate (COMODO) provider I found they provide CA bundle which when used to replace the LabVIEW supplied ca - bundle.crt allows the system HTTP access the database without problem.

  For remote computers, it's probably fine as it is guaranteed to have the only secure site SSL they will try to access the database that I know the data are compatible with. For my development system however it may still remain a problem that I don't know when I'll have to try to access another site certified and whether or not the new authority will work. Although in all fairness for the moment I don't know if the LabVIEW provided one or the other will work.

  I might have to come back to this thread at a later date and to make the point about how everything worked.

• How to install the ssl certificate in windows server 2008?

  Hello

  Can someone give me the steps to install the SSL certificate on my application hosted on windows server 2008 R2?

  Hello

  Although technet.microsoft.com should be the best forum for the problems of server below is a guide on how to install an SSL certificate.

  It will be useful.

  To install your newly acquired in IIS 7 SSL certificate, first copy the file somewhere on the server and then follow these instructions:

  1. Click on the start menu, go to administrativetools and click on Manager of Services Internet (IIS).
  2. Click the server name in the links on the left column. Double-click server certificates.

     

  3. In the Actions column to the right, click Complète Certificate Request...

     

  4. Click on the button with the three points, and then select the server certificate that you received from the certificate authority. If the certificate does not have a .cer file extension, select this option to display all types. Enter a friendly name that you can keep track of certificate on this server. Click OK.

     

  5. If successful, you will see your newly installed in the list certificate. If you receive an error indicating that the request or the private key is not found, make sure that you use the correct certificate and you install it on the same server that you generated the CSR on. If you are sure these two things, you just create a new certificate and reissue or replace the certificate. If you have problems with this, contact your certification authority.

     

  Bind the certificate to a Web site

  1. In the column of links on the left, expand the sites folder, and click the Web site that you want to bind the certificate to click links... in the right column.

     

  2. Click the Add... button.

     

  3. Change the Type to https , and then select the SSL certificate that you just installed. Click OK.

     

  4. You will now see the listed link for port 443. Click close.

     

  Install all the intermediate certificates

  Most of the SSL providers issue certificates of server out of an intermediate certificate so you will need to install the intermediate certificate on the server as well or your visitors will receive a certificate error not approved. You can install each intermediate certificate (sometimes there are more than one) by following these instructions:

  1. Download the intermediate certificate in a folder on the server.
  2. Double-click the certificate to open the certificate information.
  3. At the bottom of the general tab, click the install Certificate button to start the Certificate Import Wizard. Click Next.

     

  4. Select place all certificates in the following store , and then click Browse.

     

  5. Select the Show physical stores checkbox, then expand the Intermediate certificate authorities folder, select the below folder on the Local computer . Click OK. Click Next, and then click Finish to complete the installation of the intermediate certificate.

     

  You may need to restart IIS so that it starts the new certificate to give. You can verify that the certificate is installed correctly by visiting the site in your web browser using https rather than http.

  Links

  • Move or copy an SSL certificate on a Windows Server to another Windows Server
  • How to disable SSL 2.0 in IIS 7
  • How to configure the SSL in IIS 7.0
  • Video tutorials to install an SSL certificate in IIS 7 to NetoMeter

  Kind regards

  Joel

• SSL certificate for access to the administration of a WSA

  Can someone point me to a guide on how to install an ssl certificate for access to the administration of a WSA?

  Curiously, all the documents that I could find so far talk of SSL certificate for HTTPS decryption...

  Page 367 of this doc.  http://www.Cisco.com/c/dam/en/us/TD/docs/security/WSA/wsa8-0/wsa8-0-6/WSA_8-0-6_User_Guide.PDF