SSL Certificates & Exchange 2010

Chimune

Original Poster:

3,172 posts

223 months

Thursday 11th September 2014
Anyone used Xilo?
They sold me a wildcard cert which can't cope with the wildcard CSR that Exchange 2010 generates, as it contains a '*' in the CN. Personally I thought the * was what made it a friggin wildcard cert!

I hate Xilo and SSL at the moment ....

The answer to my question is not 'buy a SAN UC from Godaddy'. It looks like I'm stuck with Xilo and this wildcard....

Anyone know what I'm on about before I type out my specific problem?

geeks

9,155 posts

139 months

Thursday 11th September 2014
The * will be for the cert; when doing your CSR you shouldn't have *.exchange.com as the CN, rather mail.exchange.com...

I also wouldn't plonk Exchange on a wildcard, but maybe that's just me...

Chimune

Original Poster:

3,172 posts

223 months

Thursday 11th September 2014
I don't add the * anywhere. If I select wildcard at the beginning of the Exch wizard, it adds the * by itself into the CN. That means I have a wildcard cert, but can't use the wildcard wizard.

So I tried to use SSLTools Manager to create the cert but that just gives me more problems and errors.


bitchstewie

51,053 posts

210 months

Thursday 11th September 2014
I'd probably download and use the Digicert SSL Tools and use those or something else to create the CSR.

We have wildcards (not on Exchange) and the CN is just *.domain.com

anonymous-user

54 months

Thursday 11th September 2014
I've never used Xilo, but just checking out their site, which certificate did you buy?
Because if it's the misleadingly named "Domain SSL" it would appear that it isn't a wildcard, but rather signed for domain.com and www.domain.com, but not *.domain.com, which would explain why it doesn't accept the wildcard CSR you've generated.

If the above isn't the case, the only other thing I can think to ask is: does your CSR contain any SANs? If so, are any of those domain.local or x.domain.local? Some issuers won't issue certificates with local domain SANs any more.

But I think you probably have the domain cert, not a full wildcard. It simply doesn't make sense that they would reject a wildcard for containing * at the start.... the fact that it is *.domain.com is what defines it as a wildcard certificate.


jpringle819

719 posts

239 months

Thursday 11th September 2014
Did you buy the wildcard SSL? It looks like it is £115 a year.

Bursar

172 posts

171 months

Thursday 11th September 2014
I've just had to renew the wildcard certs on our Exchange 2010 servers at work, and it was pretty smooth sailing. The certificates came from GoDaddy, and once you have bought the certificate it can be downloaded in several different formats - including the wildcard and intermediate certificates designed for Exchange 2010.

theboss

6,908 posts

219 months

Friday 12th September 2014
Nyphur said:
I've never used Xilo, but just checking out their site, which certificate did you buy?
Because if it's the misleadingly named "Domain SSL" it would appear that it isn't a wildcard, but rather signed for domain.com and www.domain.com, but not *.domain.com, which would explain why it doesn't accept the wildcard CSR you've generated.

If the above isn't the case, the only other thing I can think to ask is: does your CSR contain any SANs? If so, are any of those domain.local or x.domain.local? Some issuers won't issue certificates with local domain SANs any more.

But I think you probably have the domain cert, not a full wildcard. It simply doesn't make sense that they would reject a wildcard for containing * at the start.... the fact that it is *.domain.com is what defines it as a wildcard certificate.
Absolutely this - the common name in the CSR for a wildcard cert should be *.domain.com

I just bought a RapidSSL wildcard for a little over £60 for one year and it's trusted by everything I own.
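The point made in the last two posts, that a wildcard CSR carries CN=*.domain.com and nothing else marks it as a wildcard, can be checked before anything is sent to a CA. The following is an added example for the Exchange 2010 Management Shell, not code from the thread or from any poster; the domain, organisation, paths and friendly name are placeholders. It generates the request with the wildcard in both the subject and the domain list, then decodes the saved request with certutil so the Subject line can be read back, and finally lists the pending request Exchange keeps until the CA's reply is imported.

```powershell
# Added example (not from the thread): request a wildcard certificate from the
# Exchange 2010 Management Shell. "example.com", "Example Ltd", the path and the
# friendly name are placeholders; substitute your own values.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=*.example.com" `
    -DomainName "*.example.com" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Wildcard example.com"

# The cmdlet returns the request as base64 PKCS#10 text; this is the file the
# CA wants. It contains the public key only, never the private key.
Set-Content -Path "C:\certs\wildcard.req" -Value $req

# Read the request back before submitting it. certutil decodes the PKCS#10
# blob and prints the Subject; for a wildcard it should show CN=*.example.com.
certutil -dump "C:\certs\wildcard.req"

# The private key was created with the request and is parked in the local
# machine store as a pending request. It shows Status "PendingRequest" until
# the signed certificate from the CA is imported against it.
Get-ExchangeCertificate |
    Where-Object { $_.Status -eq "PendingRequest" } |
    Format-List Thumbprint, Subject, CertificateDomains, Status
```

If the CA rejects the request, comparing the Subject that certutil prints with the product you actually bought (single-name, multi-SAN or wildcard) is the first thing to check, as Nyphur suggests above.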

Chimune

Original Poster:

3,172 posts

223 months

Friday 12th September 2014
OK, well at least I think I have the wildcard working on Exch2010 now.

I have asked for clarification on what exactly I have bought, as the latest reply by support was:

"There are no limitations on use for the UC Wildcard. It works exactly as a Wildcard SSL should do."

This implies that what I have is different, but I can't find anything of use about a UC Wildcard as opposed to a Wildcard.....

Xilo have also stated "UC Wildcard is a new product". Of course this means they have no support pages for it. I hate testing 'new products'....

buggalugs

9,243 posts

237 months

Friday 12th September 2014
Sounds like a bit of a mither. I think a lot of cert providers actually ignore the address in the CSR and only want the private key out of it, but you'd be a bit stuck if they did issue the wrong address.

theboss

6,908 posts

219 months

Friday 12th September 2014
buggalugs said:
Sounds like a bit of a mither. I think a lot of cert providers actually ignore the address in the CSR and only want the private key out of it, but you'd be a bit stuck if they did issue the wrong address.
? There's no private key in a CSR, and most CAs (even cheap ones like the one I mentioned above) will re-issue if you get it wrong.

buggalugs

9,243 posts

237 months

Friday 12th September 2014
Doh, I knew what I meant anyway...

I am pessimistic of expectations of support from CAs...

anonymous-user

54 months

Saturday 13th September 2014
buggalugs said:
Doh, I knew what I meant anyway...

I am pessimistic of expectations of support from CAs...
The support from the SSL team at GoDaddy is probably the best support I've ever had; they are excellent.

Chimune

Original Poster:

3,172 posts

223 months

Friday 19th September 2014
Just wanted to bump this thread to find out if there are any SSL cert gurus out there.
Xilo sent me the wildcard cert in an email. It contains the following (laid out exactly as below):

Signed Certificate (PEM Format)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Signed Certificate (PKCS7 Format)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Bundle Certificate (Intermediate)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Root Certificate (CA)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

This is confusing me greatly! Questions:

1. Is the whole thing the wildcard cert, or do I copy out the type I need and just save it as a .cer? Then, should I need it in a different format, I just use a conversion tool?
2. Is the Bundle Certificate (Intermediate) both sets of DATA as laid out in the email, just saved into one .cer?
3. What makes a cert chain? The .cer plus the priv key combined together?
4. I want to import my wildcard cert into my UTM. Which section of data should I be importing? The chain, the intermediate, the root?

I can't find any useful doc that explains what a cert looks like and what the diff is between root, intermediate, PKCS7 or PEM. The UTM wants a PKCS12 ffs!

Any help appreciated...

theboss

6,908 posts

219 months

Friday 19th September 2014
Chimune said:
Just wanted to bump this thread to find out if there are any SSL cert gurus out there.
Xilo sent me the wildcard cert in an email. It contains the following (laid out exactly as below):

Signed Certificate (PEM Format)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Signed Certificate (PKCS7 Format)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Bundle Certificate (Intermediate)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

Root Certificate (CA)

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

This is confusing me greatly! Questions:

1. Is the whole thing the wildcard cert, or do I copy out the type I need and just save it as a .cer? Then, should I need it in a different format, I just use a conversion tool?
2. Is the Bundle Certificate (Intermediate) both sets of DATA as laid out in the email, just saved into one .cer?
3. What makes a cert chain? The .cer plus the priv key combined together?
4. I want to import my wildcard cert into my UTM. Which section of data should I be importing? The chain, the intermediate, the root?

I can't find any useful doc that explains what a cert looks like and what the diff is between root, intermediate, PKCS7 or PEM. The UTM wants a PKCS12 ffs!

Any help appreciated...
The signed certificate provided by the CA (which is provided in the topmost sections in PEM and PKCS#7 formats) gets combined with the private key which was generated at the same time as the CSR, constituting a public/private key pair.

To get this I would copy the PEM section at the top, save it in .cer or .crt format and then use this to complete the original certificate request to get the key pair. How did you create the CSR?

Once you have the key pair you can convert / export it in PKCS#12 form, which is just a PFX file. This is easily done from a Windows box if you used IIS to generate the CSR and complete the request.

andy-xr

13,204 posts

204 months

Friday 19th September 2014
Found Xilo very easy to talk to in the past, if you're straight with them on support tickets they drop the scripts and actually help out with suggestions. Just tell 'em you're stuck and you need some help or suggestions from them

Chimune

Original Poster:

3,172 posts

223 months

Friday 19th September 2014
Quick reply as it's Friday and I have a beer to enjoy rather than SSL.

theboss - CSR created in SSL Manager Tools. Ta for the other pointers.
andy-xr - I didn't pay the £3 extra support at checkout. They won't provide any support over the phone now. The email support is vague and unhelpful. Their 'knowledgebase' is st, which makes sense if their SSL business model is to make 3 poxy quid on every purchase.

theboss

6,908 posts

219 months

Friday 19th September 2014
OK, not used it, but it appears it's just a GUI-driven tool which combines SSL operations with easy access to the various Windows certificate stores.

When you made your request the tool created a private key plus the CSR. On the PC you now have a pending request: a private key which is waiting to be combined with the signed certificate returned by the CA.

What you need to do is copy the signed cert, the first part in PEM format, including the preceding "BEGIN" and the final "END" lines including all the dashes! Paste this into Notepad and save as cert.cer. See if it's valid by opening the file; you should see the cert details. If you get this far and you're still with me, try importing it into your SSL tool in order to complete the pending request. This marries the signed cert with the private key already waiting on the PC and forms the key pair you can then install on your server.

If you're really stumped by it, I'd be happy to try and lend a quick hand with teamviewer or equivalent.
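theboss's two posts above (the PEM section gets married to the private key from the pending request, then the pair is exported as PKCS#12) can be carried out end to end from the Exchange 2010 Management Shell. The block below is an added example, not code from the thread, from any poster or from the SSL tool the original poster used; the file paths, the store name and the PFX password prompt are assumptions, and it presumes the pending request lives on the same server the cert is imported on. It checks the pasted PEM file before importing, completes the request, verifies that the result actually has a private key, adds the intermediate bundle so a chain can be built, binds the cert to Exchange, and writes the .pfx the UTM asked for.

```powershell
# Added example (not from the thread). Paths, store name and prompts are
# assumptions; run this on the Exchange 2010 server that holds the pending request.

# 1. Save the "Signed Certificate (PEM Format)" section from the email, with the
#    full -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, as text.
$pemFile = "C:\certs\wildcard.cer"

# Decode the file before importing it. certutil prints Subject, Issuer, NotAfter
# and the thumbprint; a truncated or mangled paste fails here, not later.
certutil -dump $pemFile

# 2. Import the CA's reply. Exchange matches it to the pending request (the private
#    key generated with the CSR); the returned object is the completed certificate.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path $pemFile -Encoding Byte -ReadCount 0))

# 3. Verify the marriage worked: HasPrivateKey must be True. False means the signed
#    cert landed on a box with no matching pending request and is useless on its own.
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$check | Format-List Subject, CertificateDomains, HasPrivateKey, Status, NotAfter
if (-not $check.HasPrivateKey) {
    throw "No private key for $($cert.Thumbprint): the pending request was not completed."
}

# 4. Put the "Bundle Certificate (Intermediate)" section (both BEGIN/END blocks saved
#    to one file) into the machine's Intermediate Certification Authorities store so
#    Windows can build the chain from the wildcard cert up to the trusted root.
certutil -addstore -f CA "C:\certs\intermediate-bundle.cer"

# 5. Bind the certificate to the Exchange services that should present it
#    (IIS covers OWA, ActiveSync, EWS and Outlook Anywhere).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 6. Export certificate plus private key as PKCS#12 (a .pfx) for the UTM. The
#    password protects the private key inside the file; keep the file off email.
$pfxPassword = Read-Host "Password for the exported PFX" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\wildcard.pfx" -Value $pfx.FileData -Encoding Byte
```

The HasPrivateKey check in step 3 is the programmatic form of theboss's warning further down: a signed certificate with no private key behind it cannot serve TLS, and if the pending request has been lost the only fix is a fresh CSR and a re-issue from the CA.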

Chimune

Original Poster:

3,172 posts

223 months

Friday 19th September 2014
Many thanks for the offer and advice. I'd imported the PEM into Exchange 2010 and it seemed to work, but I never combined it with the priv key. I suspected it was wrong.
I'll have another look on Monday. Your instructions have cleared several things up!

theboss

6,908 posts

219 months

Friday 19th September 2014
Chimune said:
Many thanks for the offer and advice. I'd imported the PEM into Exchange 2010 and it seemed to work, but I never combined it with the priv key. I suspected it was wrong.
I'll have another look on Monday. Your instructions have cleared several things up!
It's a common mistake to think the signed certificate is all you need, but without the corresponding private key it's useless.

If you fail to complete the pending request and subsequently lose or overwrite the private key, then the signed cert is dead and you need to start the whole process again and create a new CSR.

Glad to help, and enjoy the beer.