#1
Installing wild card certificate for ADAM SSL

Hi, I would greatly appreciate it if anyone could enlighten me on how to install a wild card certificate for ADAM SSL. A wild card cert is needed because my 2 replicas of my ADAM are hosted behind MS Network Load Balancing (NLB). What are the steps to install the wild card certificate?

Failed attempt by me:

1. I used IE to get a wild card certificate (request cert -> advanced -> Server authentication -> MS RSA Schannel.., PKCS, enter *.accd.com for name and friendly name). The certificate landed in the "Local User\personal" store (viewed in the MMC certificate snap-in). A hash key appeared in "C:\Documents and Settings\administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1858568060-858591131-1299147156-2293".

2. In the MMC snap-in, I exported the wild card cert to C:. Later I imported it into the "ADAM Service\personal" store. A hash key appeared in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". To this key, I granted "Network Service" (my ADAM service account) Full access.

3. Restarted ADAM.

4. When using ldp to try, SSL works with the NLB DNS name "account.accd.com". If I try SSL with the actual host name "dc1.partners.accd.com" (which is logically covered by the wild card cert), the ldp connection failed!

I am very puzzled whether I should first get the certificate as a user cert (i.e. in the user\personal store) or a machine cert (local machine\personal). Previously, before the NLB, I could successfully get a user certificate, export it and then import it into the ADAM service store. SSL worked. For NLB, again it works for the NLB DNS name but not the host DNS name. Is there anything I am missing?

And for PKI, my ADAM is in a child domain (installed as a different forest from its parent domain) whereas the CA is located in the parent domain. I had granted the necessary rights for the child domain computers (in this case DCs) to access the CA. I discovered however, using the MMC certificate snap-in, that I cannot "request cert" from the CA. It returns:

"The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions."

Last edited by elibbis : 06-08-2009 at 05:07 PM.
#2
Re: Installing wild card certificate for ADAM SSL

Hi,

I think your issue is that a wildcard cert for *.accd.com will match a single domain component in an FQDN, so account.accd.com will match but *.account.accd.com will not. If you google for wildcard cert behaviors you should find lots of discussion. I believe the correct approach is to use a cert that supports subjectAltName if you need to specify multiple matches, but I have never used one and so cannot guarantee that would work.

Lee Flight

"elibbis" <elibbis.3whsfb@DoNotSpam.com> wrote in message news:elibbis.3whsfb@DoNotSpam.com...
> Hi,
>
> I would greatly appreciate it if anyone could enlighten me on how to install a wild card certificate for ADAM SSL. A wild card cert is needed because my 2 replicas of my ADAM are hosted behind MS Network Load Balancing (NLB).
>
> What are the steps to install the wild card certificate?
>
> Failed attempt by me:
> 1. I used IE to get a wild card certificate (request cert -> advanced -> Server authentication -> MS RSA Schannel.., PKCS, enter *.accd.com for name and friendly name). The certificate landed in the "Local User\personal" store (viewed in the MMC certificate snap-in). A hash key appeared in "C:\Documents and Settings\administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1858568060-858591131-1299147156-2293".
>
> 2. In the MMC snap-in, I exported the wild card cert to C:. Later I imported it into the "ADAM Service\personal" store. A hash key appeared in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". To this key, I granted "Network Service" (my ADAM service account) Full access.
>
> 3. Restarted ADAM.
>
> 4. When using ldp to try, SSL works with the NLB DNS name "account.accd.com". If I try SSL with the actual host name "dc1.partners.accd.com" (which is logically covered by the wild card cert), the ldp connection failed!
>
> I am very puzzled whether I should import to the ADAM server the machine cert or the user cert?
>
> Also, is there anything I am missing? For PKI, my ADAM is in a child domain whereas the CA is located in the parent domain. I had granted the necessary rights for the child domain computers (in this case DCs) to access the CA. I discovered however, using the MMC certificate snap-in, that I cannot "request cert" from the CA. It returns:
>
> "The wizard cannot be started because of one or more of the following conditions:
> - There are no trusted certification authorities (CAs) available.
> - You do not have the permissions to request certificates from the available CAs.
> - The available CAs issue certificates for which you do not have permissions."
>
> --
> elibbis
> elibbis's Profile: http://forums.techarena.in/members/27586.htm
#3
Re: Installing wild card certificate for ADAM SSL

The problem is solved. The solution is to use the *.partners.accd.com wild card instead of *.accd.com. Thanks Lee Flight.

May I also take this chance to clarify. Assuming we are to burn in a normal cert (non wild card) for ADAM SSL, do we import a machine cert (local machine\personal) OR a user cert (from the user\personal store) to the ADAM-Service certificate store? The web has 2 schools of thought: via machine and via user. I had been using a user cert. Does a machine cert do the trick too?
#4
Re: Installing wild card certificate for ADAM SSL

Hi,

ADAM needs a cert that is marked for server authentication. If you do *not* store the cert in the ADAM-Service store then it needs to be in the machine store [1], but if you do use the ADAM-Service store then it does not matter where the cert was originally stored (machine store or user); it's really the server authentication mark on the cert rather than the original import location that's important. See also [2].

Lee Flight

[1] assuming here the default Network Service account for the ADAM instance service account.
[2] http://technet.microsoft.com/en-us/l...67(WS.10).aspx

"elibbis" <elibbis.3wjn3b@DoNotSpam.com> wrote in message news:elibbis.3wjn3b@DoNotSpam.com...
> The problem is solved. The solution is to use the *.partners.accd.com wild card instead of *.accd.com.
>
> Thanks Lee Flight. May I also take this chance to clarify. Assuming we are to burn in a normal cert (non wild card) for ADAM SSL, do we import a machine cert (local machine\personal) OR a user cert (from the user\personal store) to the ADAM-Service certificate store?
>
> The web has 2 schools of thought: via machine and via user. I had been using a user cert. Does a machine cert do the trick too?
>
> --
> elibbis
> elibbis's Profile: http://forums.techarena.in/members/27586.htm