Wildcard * SSL Certificates for TTA?
Is there any way I can use a wildcard SSL certificate like:
*.mycompany.com
in my TTA server?
I was able to run all the cert commands successfully using the
*.mycompany.com cert:
Generated the CSR (tarantella security certrequest)
Installed the Cert File (tarantella security certuse)
Installed the Chained CA cert (tarantella security customca)
Review/validate certinfo (tarantella security certinfo)
The TTA-installed Apache webserver was fine with the wildcard certificate
since I was able to go to:
https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
But after I went to:
https://subdomain.mycompany.com/tarantella/
I got the following errors in my Java Console:
Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop server...
Secure Global Desktop 4.10.903: Using secure connection to Secure Global Desktop server subdomain.mycompany.com:443
Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted for this Secure Global Desktop server (subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Client dropping connection.
Secure Global Desktop 4.10.903: Unable to connect: Certificate (*.mycompany.com) not accepted for this Secure Global Desktop server (subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
Is there a way that I can get the applet to do a regex-ish match on the name
for wildcard certs?
Cyrus
[1653 byte] By [CM] at [2007-11-25 20:53:50]

# 1
Hi Cyrus
No, sorry. The rules say you can't do that. You are required to have a
certificate for a node not a network.
Regards
Barrie
On 2005-08-05, CM <noreply@fnx.com> wrote:
> Is there any way I can use a wildcard SSL certificate like:
> *.mycompany.com
> in my TTA server?
>
> I was able to run all the cert commands successfully using the
> *.mycompany.com cert:
> Generated the CSR (tarantella security certrequest)
> Installed the Cert File (tarantella security certuse)
> Installed the Chained CA cert (tarantella security customca)
> Review/validate certinfo (tarantella security certinfo)
>
> The TTA-installed Apache webserver was fine with the wildcard certificate
> since I was able to go to:
> https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
>
> But after I went to:
> https://subdomain.mycompany.com/tarantella/
>
> I got the following errors in my Java Console:
> Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop server...
> Secure Global Desktop 4.10.903: Using secure connection to Secure Global Desktop server subdomain.mycompany.com:443
> Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted for this Secure Global Desktop server (subdomain.mycompany.com) due to name mismatch.
> Secure Global Desktop 4.10.903: Client dropping connection.
> Secure Global Desktop 4.10.903: Unable to connect: Certificate (*.mycompany.com) not accepted for this Secure Global Desktop server (subdomain.mycompany.com) due to name mismatch.
> Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
>
> Is there a way that I can get the applet to do a regex-ish match on the name
> for wildcard certs?
>
> Cyrus
# 2
May I inquire as to where these rules are listed regarding SSL Certs? I
didn't see anything to that effect in the documentation. Also, why weren't
the rules enforced at certificate generation time? Even the validation
command (tarantella security certinfo) had no problems.
The CSR generation/signing went through flawlessly and created a wildcard
cert that Apache could use. It's one thing if the whole cert process
couldn't handle a wildcard, but it seems like everything would have worked
if only the applet accepted a wildcard regex match.
Regards,
Cyrus
# 3
Hi Cyrus
I was loosely referring to PKI rules e.g.
http://www.ietf.org/proceedings/98mar/98mar-edited-110.htm
http://www.iihe.ac.be/internal-report/1997/stc-97-19.html
Wildcarding isn't supported. I understand what you are trying to do now
but it won't work because the software is looking for a certificate
matching a single server.
The certrequest command is just a wrapper script for openssl, so it won't
stop you doing anything the openssl command believes may be valid. You don't
actually need to use this command; it's just there for convenience. You
could do everything just using openssl.
The current documentation doesn't explicitly state that you can't use
wildcards in certificates, but it does say you need a certificate for an
SGD server. My understanding of the wildcard issue is that it is up to
a particular application to decide what is appropriate.
http://www.tarantella.com/support/documentation/sgd/ee/4.1/help/en-us/tsp/gettingstarted/whatare_certs.html
Regards
Barrie
On 2005-08-15, Cyrus Mehta <noreply@fnx.com> wrote:
> May I inquire as to where these rules are listed regarding SSL Certs, I
> didn't see anything to the effect in the documentation. Also why weren't
> the rules enforced at certificate generation time. Even the validation
> command (tarantella security certinfo) had no problems.
>
> The CSR generation/signing went through flawlessly and created a wildcard
> cert that Apache could use. It's one thing if the whole cert process
> couldn't handle a wildcard, but it seems like everything would have worked
> if only the applet accepted a wildcard regex match.
>
> Regards,
> Cyrus
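
Added example, not part of the original thread and not SGD's code: the thread contrasts a client that wants a certificate naming a single server with the "regex-ish" wildcard match the poster asks for. The sketch below compares three policies on `*.mycompany.com`: an exact match (an assumed model of the client behaviour seen in the Java Console log), a strict single-label wildcard match of the kind browsers apply, and a naive regex translation that shows why name matching should not be done with an unanchored, unescaped pattern. All function names and every hostname except `subdomain.mycompany.com` are constructed for illustration.

```python
import re

def _labels(name):
    # Case-insensitive comparison; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def exact_match(cert_name, host):
    """Single-server policy (assumed model of the client check in the thread)."""
    return _labels(cert_name) == _labels(host)

def wildcard_match(cert_name, host):
    """'*' allowed only as the whole leftmost label, standing for one label."""
    c, h = _labels(cert_name), _labels(host)
    if "*" not in cert_name:
        return c == h
    # Reject partial or non-leftmost wildcards and overly broad ones like '*.com'.
    if c[0] != "*" or len(c) < 3 or any("*" in lab for lab in c[1:]):
        return False
    return len(h) == len(c) and h[0] != "" and h[1:] == c[1:]

def naive_regex_match(cert_name, host):
    """The 'regex-ish' shortcut: '*' becomes '.*', dots unescaped, no end anchor."""
    return re.match(cert_name.replace("*", ".*"), host) is not None

# Constructed hostnames; only the first appears in the thread.
HOSTS = [
    "subdomain.mycompany.com",
    "a.b.mycompany.com",
    "mycompany.com",
    "xmycompany.com",
    "subdomain.mycompany.com.example.net",
]

def compare(cert_name, hosts=HOSTS):
    """Map each host to (exact, wildcard, naive_regex) results."""
    return {h: (exact_match(cert_name, h), wildcard_match(cert_name, h),
                naive_regex_match(cert_name, h)) for h in hosts}

if __name__ == "__main__":
    for host, r in compare("*.mycompany.com").items():
        print(f"{host:40} exact={r[0]!s:5} wildcard={r[1]!s:5} regex={r[2]}")
```

The exact policy rejects every host, which reproduces the name mismatch in the log; the strict wildcard policy accepts only `subdomain.mycompany.com`; the naive regex also accepts names outside the domain.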
