https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384240#M134300 <P>I have installe an ISE 1.2.0.899. It is used for Guest Services only, the customer require all its employees be able to access the sponsor portal and validated their credentials using LDAPS. Not LDAP, not AD feature in ISE. The problem is because in order to enable LDAPS I must upload to ISE the root CA certificate, the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and give it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (<A href="http://www.sslshopper.com" target="_blank">www.sslshopper.com</A> and openssl). It appears the convertion is successfull but when I try to upload on ISE Certificate Store always I get the same errror: <SPAN style="font-size: 10pt;">"Unable to read certificate file - please be sure file is in PEM or DER format".</SPAN></P><P></P><P>So the questions are:</P><P>1. Is the file provided by the PKI in p7b format always?</P><P>2. What should be the most proper way to convert the file to something the ISE can understand?</P><P>3. Should be the root CA certificate a vey best option?</P><P></P><P>Even the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files, I recovered them and uploaded to ISE. Whit two of these three files selected on LDAPS security configuration I can run the "Test bind to Server" successfully but everytime an user try with its own credentials always the access is denied with "invalid username or password" error.</P><P>Locking in the ISE log I found this messages:</P><P></P><P>ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226</P><P></P><P>ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396</P><P></P><P>631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765</P><P></P><P>WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970</P><P></P><P>ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202</P><P></P><P>ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608</P><P></P><P></P><P>I don't have idea what do they mean.</P><P></P><P>Someone told me the convertion made with mmc on my pc was an error and I need to repeat the same process using administrative tools on a server</P><P></P><P>I'm really confused and I don't know how continue with a troubleshoot process.</P><P>How can I know the original file is correct?</P><P>How can I know the conversion is correct?</P><P>As the original chain includes three certificates, I should upload them to ISE separately or as one file?</P><P></P><P>Attached is the Sponsor policy screenshoot. I have two rules with the same conditions one por AD (just for test), one for LDAPS.</P><P></P><P>I will appreciate your help</P><P>Regards.</P><P>Daniel Escalante</P> Mon, 11 Mar 2019 04:04:53 GMT descalante2007 2019-03-11T04:04:53Z https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384240#M134300 <P>I have installe an ISE 1.2.0.899. It is used for Guest Services only, the customer require all its employees be able to access the sponsor portal and validated their credentials using LDAPS. Not LDAP, not AD feature in ISE. The problem is because in order to enable LDAPS I must upload to ISE the root CA certificate, the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and give it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (<A href="http://www.sslshopper.com" target="_blank">www.sslshopper.com</A> and openssl). It appears the convertion is successfull but when I try to upload on ISE Certificate Store always I get the same errror: <SPAN style="font-size: 10pt;">"Unable to read certificate file - please be sure file is in PEM or DER format".</SPAN></P><P></P><P>So the questions are:</P><P>1. Is the file provided by the PKI in p7b format always?</P><P>2. What should be the most proper way to convert the file to something the ISE can understand?</P><P>3. Should be the root CA certificate a vey best option?</P><P></P><P>Even the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files, I recovered them and uploaded to ISE. Whit two of these three files selected on LDAPS security configuration I can run the "Test bind to Server" successfully but everytime an user try with its own credentials always the access is denied with "invalid username or password" error.</P><P>Locking in the ISE log I found this messages:</P><P></P><P>ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226</P><P></P><P>ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396</P><P></P><P>631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765</P><P></P><P>WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970</P><P></P><P>ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202</P><P></P><P>ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117</P><P></P><P>ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608</P><P></P><P></P><P>I don't have idea what do they mean.</P><P></P><P>Someone told me the convertion made with mmc on my pc was an error and I need to repeat the same process using administrative tools on a server</P><P></P><P>I'm really confused and I don't know how continue with a troubleshoot process.</P><P>How can I know the original file is correct?</P><P>How can I know the conversion is correct?</P><P>As the original chain includes three certificates, I should upload them to ISE separately or as one file?</P><P></P><P>Attached is the Sponsor policy screenshoot. I have two rules with the same conditions one por AD (just for test), one for LDAPS.</P><P></P><P>I will appreciate your help</P><P>Regards.</P><P>Daniel Escalante</P> Mon, 11 Mar 2019 04:04:53 GMT https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384240#M134300 descalante2007 2019-03-11T04:04:53Z https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384241#M134303 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you open the .p7b file on a Windows machine. (Open not install)</P><P>Go to the Certification Path and click on the root certificate, click View Certificate.</P><P>Now you have the root certificate. </P><P>Go to Details and click Copy to File. This give you the option to exprot the root cert.</P><P>Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.</P><P>Click next and save. Then try to import under Server certifiactes on ISE</P><P></P><P>You can do this for sub-CA cert in the chain as well.</P><P></P><P></P><P>HTH</P></BODY></HTML> Sun, 10 Nov 2013 11:27:27 GMT https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384241#M134303 Mikael Gustafsson 2013-11-10T11:27:27Z https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384242#M134326 <HTML><HEAD></HEAD><BODY><P>Hi Mikael:</P><P></P><P>Up to now all my test are being satisfactory.</P><P>Thank you so much.</P><P></P><P>Regards</P></BODY></HTML> Mon, 11 Nov 2013 22:42:48 GMT https://community.cisco.com/t5/network-access-control/pem-or-der-format-certificate-chain/m-p/2384242#M134326 descalante2007 2013-11-11T22:42:48Z