Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Wildcard certificate question

Jump to Best Answer
  • 1.  Wildcard certificate question

    Posted Sep 02, 2013 04:16 AM

    Hello,

     

    I am new to this and my company has ordered a wildcard certificate (by godaddy.com) for our domain and subdomain name. Now I want to use it for my CP server but I am bit lost on how to do it.

     

    I have my domain name cert and an intermediate cert, the private key saved on a txt and the password. So what do I need to do ?

     

    On CPPM, I can see that I can import a Server Certificate and asks me for a Certificate File, Private Key File and Password. Any one can give some tips, thanks

     

    Regards

     

    Dimitri



  • 2.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:21 AM
    What are you going to use the Cert for

    SSL
    .1x

    Windows has an issue with trusting wildcard certs for 802.1x


  • 3.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:24 AM

    The cert is for SSL.

     

    Thanks

     

    Dimitri



  • 4.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:35 AM

    1. Make sure you import the Root and any Intermediate certs into the trust list

    2. Combine the Wildcard cert with the Root and Intermediate if you can

        a. Some device do not trust godaddy intermediate certs so it help to combine the full trust chain.

        b. Digicert has an easy to understand how-to " http://www.digicert.com/ssl-support/pem-ssl-creation.htm "

    3. Then you just import the newly created .pem file to CPPM

     

     

     

     

     

    Creating a .pem with the Entire SSL Certificate Trust Chain

    1. Log in to download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt) from within your DigiCert Customer Account.
    2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
      1. The Primary Certificate - your_domain_name.crt
      2. The Intermediate Certificate - DigiCertCA.crt
      3. The Root Certificate - TrustedRoot.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 

    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: DigiCertCA.crt) 
    -----END CERTIFICATE----- 

    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----

    Save the combined file as your_domain_name.pem. Your .pem file is now ready for use.

    Creating a .pem with the Server and Intermediate Certificates

    1. Log in to download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt) from within your DigiCert Customer Account.
    2. With a text editor (such as wordpad), copy and paste the entire body of each certificate into one text file in the following order:
      1. The Primary Certificate - your_domain_name.crt
      2. The Intermediate Certificate - DigiCertCA.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 

    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: DigiCertCA.crt) 
    -----END CERTIFICATE-----

    Save the combined file as your_domain_name.pem. Your .pem file should be ready for use.

     

    Ref- http://www.digicert.com/ssl-support/pem-ssl-creation.htm



  • 5.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:52 AM

     

    EDIT: meh, that'll teach me doing tons of stuff at the same time. just see above for tarnolds explanation :)

     

    Just import the certificate: /tips > Administration > Certificates - Server Certificate.

     

    Make sure your Certificate includes the server certificate itself and all of the chain upwards to the CA.

    For this just edit the server cert in a txt editor and then copy/paste all intermediate and other CA's under your server cert. It should look something like the cert chain for *.google.be below:

     

     

    -----BEGIN CERTIFICATE-----
    MIIEezCCA2OgAwIBAgIIRhUxDWF8j10wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMwODE0MjIwMTU3WhcNMTQwODE0MjIwMTU3
    WjBlMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEUMBIGA1UEAwwLKi5n
    b29nbGUuYmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCCe0oJbEOu
    0JXsO6eHcll+PnvUehRCzFWNoKMsE6Kyzef1GshzMRk5a3R00OemcT8l90xW/A0l
    ErE/yk8Fcb9HuIYEmHXqmmqMO+uekIpkrrH7Lp/w2fbjzouRFfrxJ8I8Y1IpEMa9
    c+XI8vPG2Kz+sxwqNIl7zjRXwhAvGa05N6JnxvCgv1YXhQZxnhSyj3Xl+irQLUHZ
    VRcX8thKyvKxnVVsl0fK82kVhz1PYevzqwYGbPLxzCz6VlQmNXfjp7tvbNGB70N8
    RaTeNpo4TI/az9pUPDzNVCz9d5IeGLfUI0hDWUMxKA43LmtVXsFfbcPjH1f0qrXx
    J970aPuHwUMxAgMBAAGjggFJMIIBRTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
    BQUHAwIwIQYDVR0RBBowGIILKi5nb29nbGUuYmWCCWdvb2dsZS5iZTBoBggrBgEF
    BQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFH
    Mi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29j
    c3AwHQYDVR0OBBYEFA0opURLlQjZlxLP6O348xy9tvFsMAwGA1UdEwEB/wQCMAAw
    HwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wFwYDVR0gBBAwDjAMBgor
    BgEEAdZ5AgUBMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNv
    bS9HSUFHMi5jcmwwDQYJKoZIhvcNAQEFBQADggEBAJqTgZ4VhHpbjsdBKNTU6I7o
    EGebjy5BggfMUCEyImvCkArGm9xWAZGOx3rZ6rCRxR+jw9wfTXnpGxnsQr+7atmr
    zcvBg0poExYlib6eKfXvvbXCazTDLuU7l/IDQjW2O5LZ5AjV6ojZimcyzII2ihe0
    K03ULes2L8Qz9aenfPP7or7HE0A9qlUJHBmyuHvnC+dX9N54aVT8IuhjXN6y6OK6
    v6yMglY5OuXdvN65DDeq9bUQCNUDlc0kIofQndyUNzVJkvkFnw7IQjXlyOQzaXvd
    mwMU+d0GQx7HAf5ozJ/g+w16ejiiWzoqxTpBh8WfrpnWxadHcner7/Drvh4k6Co=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
    YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
    EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
    bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
    VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
    h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
    ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
    EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
    DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
    qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
    VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
    K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
    KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
    ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
    BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
    /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
    zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
    HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
    WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
    yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
    YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
    EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
    R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
    9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
    fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
    iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
    1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
    bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
    MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
    ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
    uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
    Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
    tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
    PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
    hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
    5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
    -----END CERTIFICATE-----

     

    Then include your private key file and the password and you should be golden.

     



  • 6.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:54 AM

    Ok, the thing is that I have mydomain.crt file and a list of Go Daddy Certificate Chain .crt files. So I can't copy paste the entire body of the cert into a txt editor.



  • 7.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:55 AM

    Just right click on the file and open with wordpad or change the .cer to .txt



  • 8.  RE: Wildcard certificate question

    Posted Sep 02, 2013 04:59 AM

    edit: grrr, late again

     

    boxcar: don't see why you can't copy past the stuff? All the certificates in your chain (other than your private key) should be public and provided by your certificate authority.

    Can you clarify further why you can't just open every certificate in a txt editor and combine them in a new certificate-chain? You can open the .crt files in a txt-editor or open them and select the Copy to File button from the Details tab.

     



  • 9.  RE: Wildcard certificate question

    Posted Sep 02, 2013 05:08 AM

    I am so dumb, I haven't tried right click and choosed an other programm to open it.

     

    Another quick question : do I need to add the certificate on my IAPs ?



  • 10.  RE: Wildcard certificate question

    Posted Sep 02, 2013 05:25 AM

    So I have created mycertificate.pem and copy paste my rsa private key (the one I get when I have done my CSR) into a .key but I have this error : Private Key File does not match the Certificate

     

    Any idea ?



  • 11.  RE: Wildcard certificate question

    Posted Sep 02, 2013 05:28 AM
    Double and triple check the password. :) also make sure the sever cert is the first in the list when you created the pem file


  • 12.  RE: Wildcard certificate question

    Posted Sep 02, 2013 05:32 AM

    Ok thanks. But I don't have any password. I have generated my CSR with this site : https://csrgenerator.com/ and I have a RSA PRIVATE KEY only.

     



  • 13.  RE: Wildcard certificate question

    Posted Sep 02, 2013 06:00 AM
    CPPM requires you to enter a password.

    You maybe able to reset the password on the pkey, but with you being new to Certs I would recommend to just do a new CSR.

    Generate it with CPPM and make sure you download both .csr and .pkey Have Godaddy reissue the cert. They usually give you a couple day buffer to redo it, but you might have to call into their support to reissue you the cert token.


  • 14.  RE: Wildcard certificate question

    Posted Sep 02, 2013 06:03 AM

    The problem is that I can't do a CSR with CPPM because I can't have a CN with *.mydomain.ch.

     

    Thanks

     

    Dimitri



  • 15.  RE: Wildcard certificate question

    Posted Sep 03, 2013 12:18 AM

    Its been a while since Ive done this. Give this a try

     

    You will need to install OpenSSL

     

     

    > openssl pkcs12 -export -inkey <yourServerPrivateKeyFile> -in <yourServerCertificateFile> -certfile<intermediateCAFilename> -certfile <rootCAFilename> -out <newCertifcateFile>.pfx

     

    You might have to export it out as a .pem

     



  • 16.  RE: Wildcard certificate question

    Posted Sep 03, 2013 02:05 AM

    Thanks but where do I need to install it ?



  • 17.  RE: Wildcard certificate question

    Posted Sep 03, 2013 02:12 AM
    You need to install OpenSSL on your PC. On windows I use

    http://code.google.com/p/openssl-for-windows/



  • 18.  RE: Wildcard certificate question

    Posted Sep 03, 2013 02:16 AM

    Thanks, I'll try and give feedback.

     

    Dimitri



  • 19.  RE: Wildcard certificate question

    Posted Sep 03, 2013 03:09 AM

    Seems to work, thanks for the help :)



  • 20.  RE: Wildcard certificate question
    Best Answer

    Posted Sep 03, 2013 03:18 AM
    Make sure that when you combined the certs that they are in the right order and they are the correct certs.

    You don't have to always combine the certs its just recommended because not all device trust the full chain


    Server cert
    Intermediate (there might be more than one intermediate)
    Root CA

    Open the original cert they sent you and look at the last tab and it should show you the full chain