Wildcard SSL cert error

Authority
Posts: 31
I'm trying to import an SSL cert to Infoblox using the procedure in KB #3084.  It's a wildcard cert signed by ssls.com and is working on everything else in our environment, but I get this error in Infoblox:

Could not find a CSR with a matching public key

Any ideas on what I can do about that?

Thanks!

Blair

Re: Wildcard SSL cert error

Adviser
Posts: 147
Hi Blair,
You should be able to generate a CSR for a wildcard cert from the Infoblox appliance and then load the cert but unfortunately the import of a general wildcard cert is currently not supported.

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products

Re: Wildcard SSL cert error

colbygk
Techie
Posts: 1
I hesitate to ask this be a Request For Enhancement, as I believe that not supporting general wildcard certificates is a bug and should be fixed.

In any case, please fix this. The underlying Apache software that is used to drive the web-facing interface can easily support it, and it appears that the only limitation here is an artificial one created by engineering within Infoblox itself.

Re: Wildcard SSL cert error

Adviser
Posts: 132
There is an existing Request for Enhancement, RFE-311, requesting support for the ability to import a wildcard certificate and the associated private key. You should ask your account team (sales representative and systems engineer) to add your organization as another customer requesting this feature. (If you don't know who your account team is, send me an email at fhecker@infobloxfederal.com and I'll find their contact info for you.)
Incidentally, in my opinion this would really be a new feature, not a bug fix. The Infoblox NIOS software generates its own private / public key pair on the appliance; the public key is used for the Certificate Signing Request (CSR) and gets included in the resulting certificate installed into NIOS, but the private key never leaves the appliance. (It can't be exported or otherwise copied.) This is a security feature designed to minimize the possibility that someone else can use the private key and associated certificate to impersonate your Grid Master and do a man-in-the-middle attack where they could steal login credentials and snoop on other sensitive information.
By definition a wildcard certificate is (re)used on multiple systems, and that requires being able to copy both the certificate and the private key into whatever new system wants to use the wildcard certificate. So in order to support wildcard certificates NIOS would have to support import of a private key, which it does not currently do. If Infoblox were to add such a capability then anyone doing such an import would have to accept the added security risk of a possible MITM attack, as discussed in the previous paragraph.
Frank
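
The error in the original question and Frank's explanation of why it appears both come down to one check: the public key inside the certificate must be the same SubjectPublicKeyInfo that the appliance's own CSR carried. The script below is an added example, not Infoblox code and not part of this thread; it uses only the openssl CLI, builds constructed test material (a hypothetical appliance key pair plus CSR, and a separately generated wildcard certificate), and compares the SHA-256 fingerprint of the public key across key, CSR and certificate so you can see before an import attempt whether the "matching public key" condition holds. All file names and the `check_match` helper are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Infoblox): confirm that a
# certificate's public key matches the CSR / private key it is supposed
# to pair with, using only openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pubkey_fp KIND FILE
#   KIND is key, csr or cert. Extracts the SubjectPublicKeyInfo in DER form
#   from any of the three and prints its SHA-256 hex digest, so the public
#   key can be compared directly across the whole chain.
pubkey_fp() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    *)    echo "unknown kind: $1" >&2; return 2 ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KIND_A FILE_A KIND_B FILE_B
#   Returns 0 when both objects carry the same public key, 1 otherwise.
#   This is the condition behind "Could not find a CSR with a matching
#   public key": an appliance that only accepts certificates issued against
#   its own CSR will reject a certificate whose key pair was made elsewhere.
check_match() {
  [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# --- Constructed test material (hypothetical names) -----------------------
APPLIANCE_KEY="$WORK/appliance.key"   # stands in for the key that never leaves the appliance
APPLIANCE_CSR="$WORK/appliance.csr"
APPLIANCE_CRT="$WORK/appliance.crt"   # certificate issued against that CSR
WILDCARD_KEY="$WORK/wildcard.key"     # key pair generated on some other system
WILDCARD_CRT="$WORK/wildcard.crt"

# Appliance-style flow: key + CSR generated locally, certificate issued for the CSR
# (self-signed here purely so the example runs offline).
openssl req -new -newkey rsa:2048 -nodes -keyout "$APPLIANCE_KEY" \
  -out "$APPLIANCE_CSR" -subj "/CN=gm.example.test" 2>/dev/null
openssl x509 -req -in "$APPLIANCE_CSR" -signkey "$APPLIANCE_KEY" \
  -days 1 -out "$APPLIANCE_CRT" 2>/dev/null

# Wildcard certificate whose key pair was created elsewhere.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WILDCARD_KEY" \
  -out "$WILDCARD_CRT" -days 1 -subj "/CN=*.example.test" 2>/dev/null

# report KIND_A FILE_A KIND_B FILE_B: human-readable verdict, always exits 0
report() {
  if check_match "$@"; then
    echo "MATCH    $1 $(basename "$2")  <->  $3 $(basename "$4")"
  else
    echo "MISMATCH $1 $(basename "$2")  <->  $3 $(basename "$4")"
  fi
}

report csr  "$APPLIANCE_CSR" cert "$APPLIANCE_CRT"   # issued for this CSR: MATCH
report csr  "$APPLIANCE_CSR" cert "$WILDCARD_CRT"    # foreign key pair:    MISMATCH
report key  "$WILDCARD_KEY"  cert "$WILDCARD_CRT"    # its own key:         MATCH
```

The second line of output is the situation described in the thread: the wildcard certificate is perfectly valid, but no CSR on the appliance has that public key, so nothing on the appliance holds the matching private key. Importing it would require importing that private key too, which is exactly the capability Frank notes the appliance withholds.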
Re: Wildcard SSL cert error

Adviser
Posts: 56
"Old" thread, but if you're looking for this, it's scheduled in v8.4...

Re: Wildcard SSL cert error

bwolfe
Techie
Posts: 1
Is this scheduled to come out in release 8.4?  I have a similar issue but slightly different.  I am using a wildcard certificate w/ SAN to populate over multiple systems, thus reducing the cost for individual certs for each system.  I would also like the ability to either import the wildcard cert or have a way to import the CSR and key the wildcard certificate was created with.

Re: Wildcard SSL cert error

Adviser
Posts: 105
Apparently, RFE-311 above was implemented in NIOS ver 8.3.0.

You'll find this documented in the release notes as

Support of wildcards in the certificate subject (RFE-311)
NIOS now supports SSL/TLS (x509) server certificates with a ‘*’ in the subject.

Nothing should really stop you from using wildcard certificate w/ SAN to populate over multiple systems.

However, CSR/Private key generation for Infoblox systems outside Infoblox is not currently allowed and is still an active FR [RFE-3882 - Ability to import Private Keys with Certificates in NIOS].
Best Regards,

Bibin Thomas