07-06-2015 10:45 AM
Does NetMRI yet support wildcard certificates? I generated a CSR and submitted it to our in-house team. Since they strongly encourage using wildcard certificates (*.example.com), I specified that as the hostname for the CSR. In return, I received two cert files in PEM format -- one for the CA Digikey and one for the wildcarded name. The first imported with no problem but the second is rejected as "not a valid CA". I can view the file content just fine.
A KB search didn't turn up anything other than the change in default key length to 2048. There is a NIOS article from 2013 that says wildcard support was an RFE at that time.
07-06-2015 01:45 PM
Marty: There are actually three different RFEs I found requesting support of wildcard SSL certificates, but they were all relating to NIOS. I have no objection to submitting a similar RFE for NetMRI, but... Do you really need true wildcard SSL certificates? The way they work is that if you get a wildcard SSL certificate for, say, example.com, then your SSL server can have any name whatsoever as long as it's under example.com: foo.example.com, www.example.com, xyz.example.com, etc.
However the typical case I see is where someone just needs to have one or more alternative names for an SSL server. For example, the normal name of the server might be sys1.example.com, but it might also end up being accessed as sys2.example.com or just sys.example.com. In that case you can get a certificate with a Subject Alternative Name (subjectAltName or SAN) extension containing the other names you want to use for the server. (The base name would go into the Common Name or CN attribute.) Some CAs refer to these as Unified Communications Certificates or UCC certificates.
If I recall correctly I have a UCC/SAN certificate installed on my NIOS lab system, and it works just fine. I have not tested this with NetMRI, so will have to defer to Infoblox support on that question. However the chances of having a UCC/SAN certificate work are I think higher than having a wildcard certificate work, because a UCC certificate is just like a "normal" certificate in terms of having a standard Common Name attribute referencing the actual server name. In contrast, in a wildcard certificate the Common Name attribute is "*.example.com" or whatever, and won't match the name of the server it's installed on -- which is no doubt why this throws an error when installing such a certificate.
07-07-2015 01:04 PM
Thanks for the very detailed tip, Frank. This is my first experience with this but the in-house team that issues the certs prefers the wildcard ones because they are supposedly much cheaper. If NetMRI doesn't support that, I will make use of the alternate name option.
Since no one from the NA side has responded, I'm going to open a TAC case to get a definitive answer.
07-07-2015 01:23 PM
"supposedly much cheaper"? That's odd, in my experience wildcard certificates are significant more expensive than standard "one name per cert" certificates; UCC/SAN certificates are typically somewhere in between. Wildcard certificates also have one other disadvantage, especially for general-purpose servers: If a server is hacked and someone steals the associated private key, they can then impersonate (from an SSL perspective) any other host in the domain. With a UCC/SAN certificate, on the other hand, the risk is limited to the list of names included in the certificate.
07-08-2015 09:16 AM
I would also like to see wildcard cert support in NetMRI. We use them because getting one and using it on several servers is cheaper and easier to manage than getting several and tracking all of them and their expiration dates, etc.
07-08-2015 09:56 AM
"We use [wildcard certificates] because getting one and using it on several servers is cheaper and easier to manage ..." I presume you're using wildcard certificates on general-purpose servers: You generate private and public keys on a given server, get a wildcard certificate embedding the public key, and then take a copy of the private key and certificate from the original server and install them on multiple other servers.
However as far as I'm aware there is no supported way to upload a private key into a NIOS or NetMRI appliance, and no way to download a private key from a NIOS or NetMRI appliance either. Private keys are generated on the appliance and stay on the appliance. You can generate and download a certificate signing request (which contains the public key matching the appliance's private key) and use that to get a certificate. However that certificate can be uploaded only into the appliance that has the corresponding private key (i.e., the appliance on which the CSR was generated). If you try to upload the certificate into any other appliance you will get an error, because that appliance will have a different private key.
So you cannot take a private key and wildcard certificate from a general-purpose seerver and load them into an Infoblox appliance. Also, even if you got a wildcard certificate for one appliance you would not be able to use that certificate with any other appliance. I recommend you stick with non-wildcard SSL certificates, and get a UCC/SAN certificate for the case where you'd like one appliance to be able to respond to multiple hostnames.
07-08-2015 10:36 AM
We use wildcard certificates on Web servers, SSL VPNs, etc. Those devices allow the private key import along with the cert. I would like to see NetMRI support this as well so I do not have a different cert process for it versus my other devices. It is not about multiple names for us, it is about the number of certs we have to support. I do not know of any other appliances or servers I have that do not support wildcard certs. It is something very common now.
07-08-2015 12:39 PM
I think the capability you want here for NetMRI is not wildcard certificates per se, it's to be able to import externally-generated private keys into NetMRI along with an associated certificate. (Supporting wildcard certificates per se would not help you -- that would simply allow you to create a CSR for a wildcard certificate for a given appliance and then install the issued certificate into that same appliance; it would not let you use the certificate with other appliances. Also, strictly speaking you don't need the capability to export private keys from NetMRI, since you could just generate it externally.)
I recommend that you talk to your account team and have them file a request for enhancement on your behalf. Feel free to have them contact me if they have questions.