SSL Certificates & Exchange 2010
Discussion
Anyone used Xilo ?
They sold me a wildcard cert which can't cope with the wildcard CSR that Exchange 2010 generates - as it contains a '*' in the CN. Personally I thought the * was what made it a friggin wildcard cert !
I hate Xilo and SSL at the moment ....
The answer to my question is not 'buy a SAN UC from Godaddy'. It looks like I'm stuck with Xilo and this wildcard....
Anyone know what I'm on about before I type out my specific problem ?
I don't add the * anywhere. If I select wildcard at the beginning of the Exch wizard, it adds the * by itself into the CN. That means I have a wildcard cert, but can't use the wildcard wizard.
So I tried to use SSLTools Manager to create the cert but that just gives me more problems and errors.
OK, well at least I think I have the wildcard working on Exch2010 now.
I have asked for clarification on what exactly I have bought as the latest reply by support was:
"There are no limitations on use for the UC Wildcard. It works exactly as a Wildcard SSL should do."
This implies that what I have is different but I can't find anything of use about a UC Wildcard as opposed to a Wildcard.....
Xilo have also stated "UC Wildcard is a new product". Of course this means they have no support pages for it. I hate testing 'new products'....
Just wanted to bump this thread to find out if there are any SSL cert gurus out there.
Xilo sent me the wildcard cert in an email. It contains the following (laid out exactly as below):
Signed Certificate (PEM Format)
BEGIN CERTIFICATE-----
DATA
END CERTIFICATE-----
Signed Certificate (PKCS7 Format)
BEGIN CERTIFICATE-----
DATA
END CERTIFICATE-----
Bundle Certificate (Intermediate)
BEGIN CERTIFICATE-----
DATA
END CERTIFICATE-----
BEGIN CERTIFICATE-----
DATA
END CERTIFICATE-----
Root Certificate (CA)
BEGIN CERTIFICATE-----
DATA
END CERTIFICATE-----
This is confusing me greatly ! Questions:
1. Is the whole thing the wildcard cert, or do I copy out the type I need and just save it as a .cer. Then should I need it in a different format, I just use a conversion tool.
2. Is the Bundle Certificate (Intermediate) both sets of DATA as laid out in the email, just saved into one .cer ?
3. What makes a cert chain ? The .cer plus the priv key combined together ?
4. I want to import my wildcard cert into my UTM. Which section of data should I be importing ? The chain, the Intermediate, the root ?
I can't find any useful doc that explains what a cert looks like and what the diff is between root, intermediate, PKCS7 or PEM. The UTM wants a PKCS12 ffs !
Any help appreciated...
Quick reply as it's Fri and I have a beer to enjoy rather than SSL.
theboss - CSR created in sslmanagertools. Ta for the other pointers.
andy-xr - I didn't pay the £3 extra support at checkout. They won't provide any support over the phone now. The email support is vague and unhelpful. Their 'knowledgebase' is st which makes sense if their SSL business model is to make 3 poxy quid on every purchase.
Right, I just had another crack at this and I'm stuck again !
I started from scratch this morning. Deleted the old keys and CSR etc. Went to SSLTools Manager, generated a new CSR and saved the corresponding priv key into a txt file. Sent CSR to Xilo, received the email back with the new data.
1. I save the PEM data into notepad (including the ----begin / ----end bits) and save it as 'cert pem.cer'
2. I can see 1 pending cert request inside SSLTools. This must be looking at the priv key that was generated when I created the CSR. So I go to 'complete pending request' and it asks for a file, so I point it at 'cert pem.cer'. Error - 'cannot complete pending request'
3. OK so I try with the PKCS7 data. Copy it out of the email into notepad, save as 'cert pksc7.cer' and try to complete. Error - 'please use a valid certificate'
Losing will to live again .....
Nyphur said:
Seems to me this is being made far more complicated than it should be.
Generate your CSR via the exchange management console.
There's no need to use any third party tools. Send your CSR off, get your info back.
As described in the OP, Exchange 2010 wildcard CSR creation makes the CN: *.domain.com. Xilo can't accept the '*' in the CN. So I can't use the MS wizard.
If I had used any other CA reseller, I presume it would be as simple as you suggest.
Nyphur said:
In fact, follow my steps above and try to complete the CSR using your third party tool instead of EMC.
I see no reason why you shouldn't expect that to work (remember, don't use PEM). If that still fails, GoDaddy
I'm cracking on at it again now using this:
www.trustico.co.uk/ssltools/convert/pem-to-pkcs12/...
to merge the cert, intermediate and priv keys. Looks ok so far.
Now I need to figure out how I import the PKCS12 file into Exchange 2010, and after that how I use Exch Shell to import, complete and assign the services, or if something will appear in the Man Console.
Pointing browser at the HTTPS listener results in IIS8 holding page which I have never seen before, but no cert warning so that's progress !
Am going to export / backup and re-import the key as per your link too.
I am slightly uneasy about having posted my priv key into a web page (even if it's run by a CA). Is this OK ?
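
An offline alternative to the web converter mentioned above, as an added example that is not part of the thread: it assumes the `openssl` command-line tool, checks that the private key belongs to the certificate, and merges key, certificate and issuing bundle into a PKCS#12 without the key leaving the machine. The demo CA, the `*.example.test` subject, the file names and the password are all constructed for illustration.

```sh
#!/bin/sh
# Added example: assemble the PKCS#12 offline so the private key stays on this machine.
# Every name, subject and password below is constructed for the demo.
set -eu

# Stand-in for what the CA e-mails back: an issuing CA ("bundle") and a wildcard leaf.
make_demo_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing CA" \
    -keyout "$d/ca.key" -out "$d/bundle.pem" 2>/dev/null
  # The key is generated locally together with the CSR; only the CSR goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/bundle.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# A certificate only completes a request if it carries the public half of that key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# PKCS#12 = private key + leaf certificate + issuing chain in one password-protected file.
build_p12() {          # usage: build_p12 KEY CERT CHAIN OUT PASSWORD
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "wildcard" -out "$4" -passout "pass:$5"
}

# Count the certificates stored in the file without printing the private key.
count_p12_certs() {    # usage: count_p12_certs P12 PASSWORD
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  d=$(mktemp -d)
  make_demo_certs "$d"
  build_p12 "$d/leaf.key" "$d/leaf.pem" "$d/bundle.pem" "$d/wildcard.p12" "demo-pass"
  echo "certificates in PKCS#12: $(count_p12_certs "$d/wildcard.p12" demo-pass)"
  rm -rf "$d"
}
demo
```

With real files, `build_p12` takes the saved private key, the PEM signed certificate and the intermediate bundle; a key mismatch is reported before any file is written.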