Certificate Import Issues

keithcclark71
Level 3

I cannot seem to get a 3rd-party wildcard certificate imported, manually or using PKCS12 format, for SAN names. I have generated a CSR using openssl based on the following, and I can get the CA & ID in without error with PKCS12, but the SAN names do not come over, so I get security warnings with AnyConnect and an invalid certificate still in the browser. The CSR generated is verified using openssl, and there are no issues with the CSR from the 3rd-party authority who issues the cert, but no matter what I do the SAN names do not show up in the cert. In viewing the ID cert after the FMC PKCS12 import, it shows no SAN names. I'm at a loss here, as I need one certificate for the DNS names of the AnyConnect client for multiple tail site locations. Any ideas what I am doing wrong here?

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = domain.com
emailAddress = admin@domain.com
O = Org Name
OU = IT Services
L = Buffalo
ST = NY
C = US
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = alias1.domain.com
DNS.2 = alias2.domain.com
DNS.3 = alias3.domain.com
DNS.4 = alias4.domain.com

Accepted Solutions

@keithcclark71 I've used several previously.

Did you choose a multi-domain certificate? I've never used namecheap, but the "PositiveSSL Multi-domain" certificate seems like it fits the bill. https://www.namecheap.com/security/ssl-certificates/

Marvin Rhoads
Hall of Fame

As noted by the other responders, the issue most likely is with the certificate issued by the CA. It must definitely be purchased as a multi-SAN (sometimes known as UC since the Unified communications systems typically relied on this type heavily) certificate type. Commercial CAs charge extra for these (even though their incremental cost over a single name certificate is zero - it's all to generate extra revenue).

You can certainly just open the issued certificate natively in a Windows desktop and look at the details tab.

6 Replies

@keithcclark71 slightly different configuration from yours, but the following works for me when using the san.conf file

[ req_ext ]
subjectAltName = DNS: vpn-lb.lab.local, DNS: dc1vpn.lab.local, DNS: dc2vpn.lab.local

From the following guide...https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/

If you verify the CSR before sending off to the CA to be signed, does it have the SAN entries? If it does then could it be the CA that is ignoring them?

Yep, openssl verifies the SAN entries in the CSR. In fact, your format above was the first way I did it, which I got the cert through Namecheap with, but no SAN names in the cert. I have to assume then, if it worked for you, that it has to be an issue with the 3rd-party authority Namecheap, whose CA is ignoring the SAN portion like you stated. Can I ask who you used to put your CSR through?

I have a ticket open with Namecheap on this and will report back what happens here. We ordered the wildcard cert, for which I had put the CSR against and it was accepted, but again no SAN names came through. I am wondering now whether maybe I should have done *.domain.com for the DNS parameter rather than SAN names for this particular cert. I will hopefully report back here with a solution. Thanks again all.

Comodo PremiumSSL Wildcard Certificate

The PremiumSSL Wildcard SSL certificate allows site administrators to secure an unlimited number of subdomains of a single domain. It's a perfect solution for websites hosting a single domain with various subdomains, such as mail.domain.com and products.domain.com. PremiumSSL Wildcard is a full business-validated certificate, providing validation of the organization behind the website, making it ideal for business sites that collect sensitive customer data.

  •  Great for E-commerce, corporate, NGO, or governmental websites
  •  Organization Validation
  •  Wildcard
  •  Encryption (up to 256-bit)

As far as I know, and in my experience, the firewall that you're importing the certificate into doesn't modify the certificate.

So like Rob mentions, start by verifying if the certificate that you get from the CA includes the SAN names, before importing into the firewall.
If it doesn't have the SAN names, and assuming they are in the CSR that you say you've already verified, you might be purchasing a non-SAN certificate from the CA. (Some commercial CAs charge extra for SAN certs and ignore the SAN extension in the CSR if you're purchasing a single "webserver" certificate.)
If however, the certificate does have the SAN names, verify the firewall/VPN headend configuration that you're actually referencing the newly imported certificate in the VPN configuration and not whatever cert it had previously.
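The three checks the replies above recommend (does the CSR carry the SAN, does the issued certificate carry it, and does the PKCS12 bundle change anything on the way into the firewall) worked through end to end with OpenSSL. This is an added example, not part of the original thread and not Cisco, FMC or Namecheap tooling. It uses a constructed toy CA that signs the same CSR twice, once dropping the request extensions the way a single-name product does and once keeping them; the hostnames, file names, password and CA name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: follow the CSR -> issued cert
# -> PKCS12 path with OpenSSL and see where the SAN names go missing.
# Hostnames, file names and the toy CA are constructed for illustration; the
# toy CA stands in for a commercial CA that ignores request extensions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Request config in the same shape as the original post (hostnames constructed).
cat > san.cnf <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = domain.com
O = Org Name
C = US
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = alias1.domain.com
DNS.2 = alias2.domain.com
EOF

# Toy root CA (constructed) so signing and chain verification run offline.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Example Lab CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout ca.key -out ca.crt -days 30 2>/dev/null

# Key + CSR for the VPN head end, as the poster would hand it to the CA.
openssl req -new -config san.cnf -keyout id.key -out id.csr 2>/dev/null

# Print the SAN list of a CSR ($1=req) or certificate ($1=x509); empty if absent.
san_of() {
    openssl "$1" -in "$2" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Does certificate $2 chain to the toy CA and match hostname $1?
hostname_ok() {
    openssl verify -CAfile ca.crt -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Two ways a CA can sign the same CSR. By default `openssl x509 -req` does not
# copy request extensions, which is what a CA selling a single-name product
# does: the SAN in the CSR is silently dropped.
openssl x509 -req -in id.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out id_nosan.crt 2>/dev/null
# A multi-domain issuance keeps them (here re-applied from the request config).
openssl x509 -req -in id.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile san.cnf -extensions req_ext -out id_san.crt 2>/dev/null

# PKCS12 bundle as imported into the head end, then read the ID cert back out.
# The bundle carries the certificate byte for byte: SANs are neither added nor
# lost at this step, so a missing SAN after import was already missing before.
openssl pkcs12 -export -inkey id.key -in id_san.crt -certfile ca.crt \
    -name vpn-id -passout pass:changeit -out id.p12 2>/dev/null
p12_cert_san() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null > p12_cert.pem
    san_of x509 p12_cert.pem
}

echo "CSR SAN          : $(san_of req id.csr)"
echo "issued (no SAN)  : '$(san_of x509 id_nosan.crt)'"
echo "issued (SAN)     : $(san_of x509 id_san.crt)"
echo "from PKCS12      : $(p12_cert_san id.p12 changeit)"
for c in id_nosan.crt id_san.crt; do
    if hostname_ok alias1.domain.com "$c"; then r=ok; else r=FAIL; fi
    echo "alias1.domain.com against $c: $r"
done
```

Run it with `sh san_check.sh` (any file name). The certificate signed without extensions shows an empty SAN line and fails the hostname check for alias1.domain.com even though the CSR carried that name, which is the symptom in the original post; the one signed with the extensions passes and comes back out of the PKCS12 bundle with the same SAN list. Two caveats worth knowing when reading the output: `openssl verify` still falls back to matching the CN when a certificate has no SAN at all, so the no-SAN cert would pass for domain.com itself, whereas current browsers ignore the CN entirely and only consult the SAN; and a wildcard product normally yields a SAN of `*.domain.com`, which covers alias1.domain.com but only one label deep and not the bare domain.com unless the CA adds it.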