topic Re: SSL Cert error in Wireless

SSL Cert error

Starthorn — Sun, 04 Jul 2021 00:41:17 GMT

we are following this doc:http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

We are at the part that wants us to:

6. Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

Issue this command in the OpenSSL application:

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts

-passin pass:check123 -passout pass:check123

When we type it in we get this

pass:fakepassword-1 -passout pass:fakepassword-1

Loading 'screen' into random state - done

No certificate matches private key

unable to write 'random state'

error in pkcs12

were not sure whats wrong. What password should I be using? Should it be the challenge password is step 3?

Also we picked Microsoft as our server in the enrollment tool part. Could this be part of the problem? If so what should we have picked

Re: SSL Cert error

George Stefanick — Sat, 06 Jun 2009 03:39:46 GMT

The password is the password you used when you created the request. This PW is encrypted in your "mykey.pem" file, or whatever you named it. If these dont match you will get an error.

Re: SSL Cert error

rcsu-it — Wed, 24 Jun 2009 19:02:47 GMT

I've noted on the Verisign page from another Cisco device query (ACS 3.2) that:

..step..

12. Go to Enrollment. When enrolling for the SSL Certificate you will be asked to choose a server vendor, choose Apache. This will allow a certificate that is compatible with the Cisco ACS.

I'm wondering if anyone knows what Vendor type would be appropriate for a Cisco 4400 series controller. Was about to send Verisign an email but thought this may be "vendor" specific.

Re: SSL Cert error

Starthorn — Thu, 25 Jun 2009 16:09:18 GMT

I just tried picking Apache. When I try to merge the files I get a new error message:

Loading 'screen' into random state - done

unable to write 'random state'

SSL Cert error

bgoulet00 — Fri, 25 Jan 2013 20:11:42 GMT

anyone ever come up with the solution to this? i'm stuck on the same step with the same error. i have copied the device, intermediate, and root cert files (using proper delimiters and in proper order) into and All-certs.pem and ran the command pkcs12 -export -in All-certs.pem -inkey mykey.pem -out CA.p12 -clcerts

i did not use the -pass options as no password was ever set during the private key generation step. i get the error No certificate matches private key

all files are right in the bin folder with the openssl executable. i know openssl is finding them because if i take them out of that folder i get file not found errors. i have also verified the files are a matching set by comparing the md5 hashes with the following commands

x509 -noout -modulus -in All-certs.pem | openssl md5

rsa -noout -modulus -in mykey.pem | openssl md5

SSL Cert error

Scott Fella — Fri, 25 Jan 2013 20:39:42 GMT

Well the password is mandatory.. also that error means that the private key does not match or is not found in the same directory your running the command.

Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Issue these commands in the OpenSSL application in order to create the All-certs.pem and final.pem files:

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem 
       -out All-certs.p12 -clcerts -passin pass:check123 
       -passout pass:check123
  
openssl>pkcs12 -in All-certs.p12 -out final-cert.pem 
       -passin pass:check123 -passout pass:check123

Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123.

final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

SSL Cert error

bgoulet00 — Fri, 25 Jan 2013 20:51:38 GMT

can the -passin parameter be left out? we didn't set a password when generating the private key so there is no argument to supply to -passin.

if the -passin command is required and private key must have a password, is there a way to add the password after the fact or do i have to go through the generation process again? will the lack of password use cause this error or is it just a requirement for load onto the WLC at the end?

it was my understanding that the error meant the private key does not match or is not found in the same directory but as i mentioned above, when the files are not in bin, i get error that the file can't be found or cannot be opened. those errors go away when i drop the files in the bin directory so that tells me openSSL is seeing them. the only way i know to determain if the private key matches is with the md5 hash and that test passes so i'm not sure what else the problem could be.

SSL Cert error

Scott Fella — Sat, 26 Jan 2013 03:36:16 GMT

can the -passin parameter be left out? we didn't set a password when generating the private key so there is no argument to supply to -passin.

No it can't.... you don't need to setup one when your are doing the CSR.... this is just to put one in so when you upload it to the WLC the WLC will take it.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

SSL Cert error

Kayle Miller — Mon, 28 Jan 2013 16:10:01 GMT

If you follow all the steps correctly it should work, you cannot leave the password as Scott indicated because it is required.

Help out other by using the rating system and marking answered questions as "Answered"

Hi there, Did you manage to

Tim Davies — Tue, 02 Sep 2014 15:38:36 GMT

Hi there, Did you manage to resolve this?

Here is my response to the

rcsu-it — Thu, 25 Sep 2014 02:38:08 GMT

Here is my response to the TAC Engineer at the time:

Sent: Tuesday, September 01, 2009 3:08 PM

To: Vijaya Baliwada (vbaliwad)

Subject: Re: Sev3 SR 612355487 : WLC WebAuth Cert Issue

Vijaya,

I'm glad to inform you that by using the X.509 certificate response file from Verisign and after trying a combination of the entity certificate, intermediate certificate AND the proper X.509 Base-64 bit format Verisign Root certificate the commands in the documentation worked.

Our main issue was incorrectly using the PKCS#7 certificate from Verisign. The openssl commands worked instantly using x.509. We also had difficulty obtaining the correct root certificate from Verisign. We obtained the browser DER formatted root from internet explorer and exported it from IE to an x.509 Base-64 format. Then did the combination described above and added it to webauth.