Sunday, 23 November 2014

Wildcard certificates, PFX files 101. This time on WebEx CWMS

Ah Yes, one of my favorite subjects; Certificates.

When dealing with a certificate issue recently, I was confronted, again, with the fact that a lot of IT engineers out there have limited understanding of how certificates work. I am not sure why that is. Do people find the whole mechanism boring, complex or hard to understand? Really, it all starts with a good understanding of the fundamentals of PKI; from there on it is smooth sailing. So skill up, folks!

Now, I have posted on PKI in the past and touched on the fundamentals of PKI in the following post.

Back to wildcard certs. The idea behind them is "one size fits all". Rather than installing a host-based cert for each of mail.dogtel.com.au, server2.dogtel.com.au and vpn.dogtel.com.au, which means 3 separate certificates, one for each host, a single wildcard cert can be applied to everything within the *.dogtel.com.au domain, and only the dogtel.com.au domain. Note that the wildcard covers exactly one label: mail.dogtel.com.au matches, but a.b.dogtel.com.au does not.

And no, this does not mean certificates for dummies (dummies should not be allowed to touch certs in the first place). In the traditional host-based cert world, the host creates a public/private RSA key pair and, based on that, generates a CSR (certificate signing request). The CSR contains the public key and needs to be signed by a trusted CA. Once the CA has signed it, the resulting certificate is installed on the server on which the CSR was generated. All this is PKI 101.

With wildcard certs, if you want to distribute them across multiple servers in your domain, you need the private key as well. Because only 1 server in your domain was responsible for generating the CSR, it is the only server that holds the private key. This means that to deploy a wildcard cert to a server that did NOT generate the CSR, you need to install the private/public key pair as well as the signed cert. PFX files allow you to do that.

PFX files (PKCS#12 archives) are a container holding a number of objects: the private key, the certificate and, potentially, the accompanying CA certs, preferably protected with a passphrase.


Back to Cisco WebEx CWMS: it allows you to import a PFX file, as shown below.

Fig. 1 - PFX file upload and passphrase

As you can see, the dialog notes that the passphrase (optional) is needed to decrypt the private key and cert out of the archive. After the upload, the following screen should appear.


Fig. 2 - Uploaded SSL cert in WebEx

Here is a description of how to create a PFX file on a Windows box:

http://technet.microsoft.com/en-us/library/dd261744.aspx
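As an added example (not from the post, Microsoft or Cisco), the same PFX workflow done with OpenSSL instead of the Windows tooling: it assumes the post's domain dogtel.com.au, a self-signed wildcard cert standing in for the CA-signed one, and a passphrase you choose via PFX_PASS. It builds the archive, confirms the private key is inside and that only the right passphrase opens it, and checks which hostnames the wildcard actually covers.

```shell
#!/bin/sh
# Added example (not from the post or Cisco): build a passphrase-protected
# PKCS#12 (.pfx) for a wildcard cert with OpenSSL, then check what is inside
# and which hostnames the wildcard covers. Self-signed cert stands in for a
# CA-signed one; dogtel.com.au is the post's example domain.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="${PFX_PASS:-correct horse battery staple}"   # protects the archive

make_wildcard_cert() {   # RSA key pair + self-signed cert carrying a wildcard SAN
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = *.dogtel.com.au
[ext]
subjectAltName = DNS:*.dogtel.com.au, DNS:dogtel.com.au
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null
}
make_pfx() {   # key + cert (add the CA chain with -certfile chain.pem) into one archive
  openssl pkcs12 -export -inkey "$WORK/wild.key" -in "$WORK/wild.crt" \
    -name "wildcard dogtel.com.au" -out "$WORK/wild.pfx" -passout "pass:$PASS"
}
pfx_opens_with() {   # $1 = passphrase; succeeds only if it decrypts the archive
  openssl pkcs12 -in "$WORK/wild.pfx" -passin "pass:$1" -nokeys -noout 2>/dev/null
}
pfx_has_private_key() {   # the part a server that did not make the CSR lacks
  openssl pkcs12 -in "$WORK/wild.pfx" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}
pfx_cert_san() {   # SAN names of the end-entity cert inside the archive
  openssl pkcs12 -in "$WORK/wild.pfx" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}
cert_matches_host() {   # $1 = hostname -> "match"/"no match"; '*' covers one label only
  if openssl verify -CAfile "$WORK/wild.crt" -verify_hostname "$1" "$WORK/wild.crt" >/dev/null 2>&1
  then echo match; else echo "no match"; fi
}

make_wildcard_cert && make_pfx
echo "archive $WORK/wild.pfx holds: $(pfx_cert_san)"
for h in mail.dogtel.com.au dogtel.com.au a.b.dogtel.com.au; do
  echo "$h -> $(cert_matches_host "$h")"; done
```

The resulting wild.pfx is what you would hand to the WebEx upload dialog, together with the same passphrase.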

Good luck  and Namaste!
