12-07-2015 11:06 AM
I'm trying to import an SSL cert to Infoblox using the procedure in KB #3084. It's a wildcard cert signed by ssls.com and is working on everything else in our environment, but I get this error in Infoblox:
Could not find a CSR with a matching public key
Any ideas on what I can do about that?
Solved! Go to Solution.
12-10-2015 10:08 AM
You should be able to generate a CSR for a wildcard cert from the Infoblox appliance and then load the cert but unfortunately the import of a general wildcard cert is currently not supported.
01-09-2016 02:34 PM
I hesistate to ask this be a Request For Enhancement, as I believe that not supporting general wildcard certificates is a bug and should be fixed.
In anycase, please fix this. The underlying apache software that is used to drive the web facing interface can easily support it and it appears that the only limitation here is an artificial one created by engineering within Infoblox itself.
01-11-2016 01:06 PM
There is an existing Request for Enhancement, RFE-311, requesting support for the ability to import a wildcard certificate and the associated private key. You should ask your account team (sales representative and systems engineer) to add your organization as another customer requesting this feature. (If you don't know who your account team is, send me an email at email@example.com and I'll find their contact info for you.)
Incidentally, in my opinion this would really be a new feature, not a bug fix. The Infoblox NIOS software generates its own private / public key pair on the appliance; the public key is used for the Certificate Signing Request (CSR) and gets included in the resulting certificate installed into NIOS, but the private key never leaves the appliance. (It can't be exported or otherwise copied.) This is a security feature designed to minimize the possibility that someone else can use the private key and associated certificate to impersonate your Grid Master and do a man-in-the-middle attack where they could steal login credentials and snoop on other sensitive information.
By definition a wildcard certificate is (re)used on multiple systems, and that requires being able to copy both the certificate and the private key into whatever new system wants to use the wildcard certificate. So in order to support wildcard certificates NIOS would have to support import of a private key, which it does not currently do. If Infoblox were to add such a capability then anyone doing such an import would have to accept the added security risk of a possible MITM attack, as discussed in the previous paragraph.
a month ago
Is this scheduled to come out in release 8.4? I have a similiar issue but slightly different. I am using a wildcard certificate w/ SAN to populate over multiple systems thus reducing the cost for individual certs for each system. I would also like the ability to either import the wildcard cert or have a way to import the CSR and Key the wildcard certificate was created with.
a month ago - last edited a month ago
Apparently, RFE-311 above was implemented in NIOS ver 8.3.0.
You'll find this documented in the release notes as
Support of wildcards in the certificate subject (RFE-311)
NIOS now supports SSL/TLS (x509) server certificates with a ‘*’ in the subject.
Nothing should really stop you from using wildcard certificate w/ SAN to populate over multiple systems.
However, CSR/Private key generation for Infoblox systems outside Infoblox is not currently allowed and is still an active FR [RFE-3882 - Ability to import Private Keys with Certificates in NIOS].