
GO Daddy wildcard Cert on SA2500

vanskee2_
Occasional Contributor

GO Daddy wildcard Cert on SA2500

Hi,

Has anyone tried using a signed wildcard cert on an SA2500? We have one but I can't seem to install it. Does anyone have similar experience? Do wildcard certs work with SSL VPN?

Thanks,

Ivan

7 REPLIES 7
spuluka
Super Contributor

Re: GO Daddy wildcard Cert on SA2500

GoDaddy is probably not already a trusted CA. You'll need to add them as a trusted CA first before you can install and use certificates from them.


For your version of software, see the Administrators Guide - Chapter 27 - Using Trusted Server CAs


http://www.juniper.net/support/products/sa/

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
vanskee2_
Occasional Contributor

Re: GO Daddy wildcard Cert on SA2500

Thanks for your reply. GoDaddy sent us 2 crt files and I've already added one as a trusted CA (bundled crt); however, when I tried signing the pending CSR *.domain.com using the issued crt, it is giving me a public key mismatch error :(

spuluka
Super Contributor

Re: GO Daddy wildcard Cert on SA2500

I have not used these on the SSL-VPN, but the process does require that you list the actual URLs that you intend to use as a DN (distinguished name) in your CSR. And the CSR uses the *.domain.com only for the common name.

From the training material, the SSL-VPN also expects that each of the subdomains used will need a separate IP and URL combination on the box.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
muttbarker_
Valued Contributor

Re: GO Daddy wildcard Cert on SA2500

Hey Ivan - I am not a "cert" guy at all, but I do use a wildcard cert with no problems. I ordered mine from RapidSSL. I generated a CSR for *.itgmeeting.com, which is our primary domain name. I got back a crt file and I installed it with no problems.

Steve - I use a single IP with multiple URLs and matching DNS. So my primary domain name is xx.itgmeeting.com, which maps to */ on the sign-in page.

I then specify the other names yy.itgmeeting.com, zzzzzz.itgmeeting.com and place them above the default URL of */

zanyterp_
Respected Contributor

Re: GO Daddy wildcard Cert on SA2500

Is the CSR from the IVE the one you used for the certificate the one you sent to GoDaddy? If not, you will not be able to upload the certificate to the IVE through the CSR interface and you will have a message similar to what you are seeing now.

Are you able to upload both those files at System>Configuration>Certificates>Device Certificates>Import Certificate and Key using one of the options there in which you select the key file and certificate?
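
The check behind the "public key mismatch" error discussed above, as an added example that is not part of the thread: a certificate fits a pending CSR only when both carry the same public key. It assumes the `openssl` CLI on a workstation; the file names, the `*.example.com` subject and the self-signed certificates standing in for CA-issued ones are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Print the SHA-256 of the DER-encoded public key inside a CSR ($1=req)
# or a certificate ($1=x509). Returns 2 if the file cannot be parsed.
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the certificate carries the CSR's public key, 1 if it does not,
# 2 if either file is missing or unreadable.
csr_matches_cert() {
    csr_fp=$(pubkey_digest req "$1") || return 2
    crt_fp=$(pubkey_digest x509 "$2") || return 2
    [ "$csr_fp" = "$crt_fp" ]
}

# Constructed sample input written into directory $1: one CSR from key A,
# one certificate on key A (should match), one on key B (should not).
make_demo_files() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -key "$1/a.key" -subj "/CN=*.example.com" \
        -out "$1/pending.csr" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$1/a.key" -subj "/CN=*.example.com" \
        -out "$1/same_key.crt" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$1/b.key" -subj "/CN=*.example.com" \
        -out "$1/other_key.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for crt in same_key.crt other_key.crt; do
    if csr_matches_cert "$demo_dir/pending.csr" "$demo_dir/$crt"; then
        echo "$crt: public key matches pending.csr"
    else
        echo "$crt: public key mismatch"
    fi
done
rm -rf "$demo_dir"
```

A mismatch here means the certificate was issued against a different CSR (and so a different private key) than the one being compared.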

vanskee2_
Occasional Contributor

Re: GO Daddy wildcard Cert on SA2500

Hi Matt, thanks for confirming that wildcard certs work with the SA2500. Probably there was some issue with the CSR file we sent to GoDaddy. Thanks mate!

vanskee2_
Occasional Contributor

Re: GO Daddy wildcard Cert on SA2500


@zanyterp wrote:

Is the CSR from the IVE the one you used for the certificate the one you sent to GoDaddy? If not, you will not be able to upload the certificate to the IVE through the CSR interface and you will have a message similar to what you are seeing now.

Are you able to upload both those files at System>Configuration>Certificates>Device Certificates>Import Certificate and Key using one of the options there in which you select the key file and certificate?


Hi Zanyterp, yup, as far as I am aware, the CSR we sent is from the same IVE I'm applying the cert to. Will check with GoDaddy as well. Thanks