topic Re: WLC C9800 - Unable to import pfx Certificate in Wireless

WLC C9800 - Unable to import pfx Certificate

stephendrkw — Tue, 25 Oct 2022 09:16:43 GMT

Hi all,

I'm unable to import a PCKS12 Device Mgmt certificate into my Wireless Controller C9800, unlike my previous 5508 WLC's there are now Trustpoints etc involved.

The way we generate Certificates is we do not generate a CSR from the Device, rather input device details manually on a Cert Server GUI and this generates a.pfx file we download. We would import this .pfx onto the device and bang! Cert installs successfully just like on my 5508's!

C9800 log:

Oct 25 08:23:37.190: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure
Oct 25 08:23:37.192: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: C9800.hello.com.pfx. Reason: Failed to import pkcs12 context

I don't want to connect to our CA Server as there are so many hurdles internally to use SCEP. Is there a way to import a .pfx into C9800 directly without a Trustpoint. Every time I create a Trustpoint, C9800 forces me to authenticate to a CA Server. Also, I am surprised the logs are complaining about invalid encoding format, aren't p12 and pfx are the same (PCKS#12) depending how your server generates them.

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Tue, 25 Oct 2022 09:29:56 GMT

"debug pki transaction" ouput below, to me this indicates that the import pfx is trying to use the Cisco Self-Signed Trustpoint and failing?

Oct 25 09:24:56.260: CRYPTO_PKI: Rcvd request to end PKI session A3FE3.
Oct 25 09:24:56.260: CRYPTO_PKI: PKI session A3FE3 has ended. Freeing all resources.TP-self-signed-146588143:unlocked trustpoint TP-self-signed-146588143, refcount is 0
Oct 25 09:24:56.309: CRYPTO_PKI: Initializing renewal timers
Oct 25 09:24:56.312: CRYPTO_PKI: (A3FE5) Session started - identity selected (TP-self-signed-146588143)xTP-self-signed-146588143:refcount after increment = 1
Oct 25 09:24:56.312: CRYPTO_PKI: Begin local cert chain retrieval.
Oct 25 09:24:56.313: CRYPTO_PKI: Done with local cert chain fetch 0.
Oct 25 09:24:56.313: CRYPTO_PKI: Begin trustpoint info get.
Oct 25 09:24:56.313: CRYPTO_PKI: Successfully got trustpoint info.
Oct 25 09:24:56.313: CRYPTO_PKI: (93FE6) Session started - identity selected (TP-self-signed-146588143)TP-self-signed-146588143:refcount after increment = 2
Oct 25 09:24:56.313: CRYPTO_PKI: Begin local cert chain retrieval.
Oct 25 09:24:56.313: CRYPTO_PKI: Done with local cert chain fetch 0.
Oct 25 09:24:56.313: CRYPTO_PKI: Rcvd request to end PKI session 93FE6.
Oct 25 09:24:56.313: CRYPTO_PKI: PKI session 93FE6 has ended. Freeing all resources.TP-self-signed-146588143:unlocked trustpoint TP-self-signed-146588143, refcount is 1
Oct 25 09:24:56.313: CRYPTO_PKI: Rcvd request to end PKI session A3FE5.
Oct 25 09:24:56.313: CRYPTO_PKI: PKI session A3FE5 has ended. Freeing all resources.TP-self-signed-146588143:unlocked trustpoint TP-self-signed-146588143, refcount is 0
Oct 25 09:24:56.738: CRYPTO_PKI: Copying pkcs12 from bootflash:C9800.hello.com.pfx

Oct 25 09:24:56.849: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure C9800.hello.com.pfx:PKCS #12 Import into trustpoint failed.
Reason - Failed to import pkcs12 context
Oct 25 09:24:56.850: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: C9800.hello.com.pfx. Reason: Failed to import pkcs12 context
Oct 25 09:24:56.894: CRYPTO_PKI: (A3FE7) Session started - identity selected (TP-self-signed-146588143)xTP-self-signed-146588143:refcount after increment = 1
Oct 25 09:24:56.894: CRYPTO_PKI: Begin local cert chain retrieval.
Oct 25 09:24:56.894: CRYPTO_PKI: Done with local cert chain fetch 0.
Oct 25 09:24:56.894: CRYPTO_PKI: Begin trustpoint info get.
Oct 25 09:24:56.894: CRYPTO_PKI: Successfully got trustpoint info.
Oct 25 09:24:56.894: CRYPTO_PKI: (93FE8) Session started - identity selected (TP-self-signed-146588143)TP-self-signed-146588143:refcount after increment = 2
Oct 25 09:24:56.894: CRYPTO_PKI: Begin local cert chain retrieval.
Oct 25 09:24:56.894: CRYPTO_PKI: Done with local cert chain fetch 0.
Oct 25 09:24:56.894: CRYPTO_PKI: Rcvd request to end PKI session 93FE8.
Oct 25 09:24:56.894: CRYPTO_PKI: PKI session 93FE8 has ended. Freeing all resources.TP-self-signed-146588143:unlocked trustpoint TP-self-signed-146588143, refcount is 1
Oct 25 09:24:56.894: CRYPTO_PKI: Rcvd request to end PKI session A3FE7.
Oct 25 09:24:56.894: CRYPTO_PKI: PKI session A3FE7 has ended. Freeing all resources.TP-self-signed-146588143:unlocked trustpoint TP-self-signed-146588143, refcount is 0

Re: WLC C9800 - Unable to import pfx Certificate

Karsten Iwen — Tue, 25 Oct 2022 09:44:38 GMT

PKCS12 and PFX is practically the same.

How did you do it? I just imported a PFX and it worked as expected:

Under PKI -> Security -> PKI Management -> Add Certificate -> Import PKCS12 the PFX is imported.
Under Administration -> Management -> HTTP/HTTPS/Netconf/VTY the new HTTP Trust Point is selected.
You get logged out and the new certificate is used.

You can check the PFX with openssl and you shouldn't have any errors there:

openssl pkcs12 -info -in cert.pfx

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Tue, 25 Oct 2022 11:09:41 GMT

openssl check - all ok

I tried via SCP rather than HTTPS still the same issue. I'm carrying out the same steps as yourself.....wondering if this is a bug?

Re: WLC C9800 - Unable to import pfx Certificate

Karsten Iwen — Tue, 25 Oct 2022 11:32:01 GMT

Are you running at least a Cisco suggested version like 17.6.4? When running into problems, upgrading to a suggested version is typically a good idea.

Re: WLC C9800 - Unable to import pfx Certificate

Arshad Safrulla — Tue, 25 Oct 2022 11:49:53 GMT

Refer to the below document, Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Tue, 25 Oct 2022 12:39:36 GMT

I'm running:

Cisco IOS XE Software, Version 17.06.04
Cisco IOS Software [Bengaluru], C9800 Software (C9800_IOSXE-K9), Version 17.6.4, RELEASE SOFTWARE (fc1)

Re: WLC C9800 - Unable to import pfx Certificate

Karsten Iwen — Tue, 25 Oct 2022 12:44:43 GMT

Ok, that is the suggested release. I would open a TAC case then.

Re: WLC C9800 - Unable to import pfx Certificate

Rich R — Wed, 26 Oct 2022 08:54:23 GMT

This is almost definitely because your cert package is not as specified in the guidelines @Arshad Safrulla linked to.
Have you included the full certificate chain? (Root + intermediate + WLC cert and key)
See the section starting "If you run the command openssl pkcs12 -info -in <path to cert> and only one certificate with one private key displays, it means the CA is not present. As a rule of thumb, this command ideally lists your whole chain of certificate. It is not required to include the top root CA if it is known by the client browsers already."

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Wed, 26 Oct 2022 13:31:32 GMT

We only have the certificate and the private key in the pfx

I imported the RootCA and SubCA into PKI Management/Trustpools on the GUI which imported fine. shouldn't this be enough so when the pfx is uploaded C9800 can see the RootCA and SubCA and process the certificate?

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Wed, 26 Oct 2022 14:26:32 GMT

I have opened a TAC

Re: WLC C9800 - Unable to import pfx Certificate

Rich R — Wed, 26 Oct 2022 16:28:13 GMT

No I don't think so. We've only ever had it work with the full chain (no problems with that) and the documentation is clear that at the minimum it should include the intermediate.

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Fri, 28 Oct 2022 12:42:47 GMT

I combined the RootCA and SubCA, pfx into one pfx. So I now have a full chained Certificate.

After I was able to import the pfx file successfully, this also added the Chain to the Trustpools, created a new Trustpoint and a new Key Label. However, when I configured HTTP to use my new Trustpoint, HTTP Service restarted and my browser showed "does not have a Certificate-SSL error"!!!! Then had to go to the CLI remove new Trustpoint and configure Cisco Self-signed Trustpoint to regain GUI access............seem to be getting close! Awaiting on TAC response.............

Oct 28 08:19:21.833: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: C9800new.pfx created succesfully
Oct 28 08:19:21.836: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named C9800new.pfx has been generated or imported by pki-pkcs12
Oct 28 08:19:21.862: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint C9800new.pfx successfully imported.
Oct 28 08:19:21.899: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as * on vty1
Oct 28 08:19:49.509: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as * on vty1

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Mon, 31 Oct 2022 13:36:50 GMT

Ok, with the TAC Engineer, we tried numerous things, same problem, no cert, like remove Trustpoint, Key label and re-applied etc. We rebooted the wlc and noticed upon reboot, the WLC used the old software version, so I upgraded again to 17.6.4 and rebooted and applied "Commit" after the reboot which I didn't do last time hence the fall back to the old version 17.6.3 (you cannot change the boot statement like on a router/switch rather install same package again, a pain). After all this, we performed a clean on the Trustpools, saved and rebooted the WLC again. Then imported the PKCS12 full chain certificate again, and suddenly everything worked after the HTTPS restart, certificate valid. Surprising, yes! Then on the other new C9800 WLC we did the same, but no reboot. All we did on this WLC was cleaned the Trustpoints, without even importing anything. So what was the problem, a possible bug the TAC thinks............well your guess as good as mine! At least I now have validated Certificates! But getting back to previous posts, yes you should just be able to import the .pfx full chain without any issues at all. My only thinking was that possibly when I imported the 1st time, something with the Trustpools was screwed. Who knows!

Re: WLC C9800 - Unable to import pfx Certificate

Rich R — Mon, 31 Oct 2022 13:45:40 GMT

Agreed. I suspect that when you imported the certificates separately that got it into some sort of state. Did TAC confirm that the certificate should be full chain or did they say the separate cert approach was supported? If it's not supported that means it's never been tested and therefore could have unpredictable results.

Re: WLC C9800 - Unable to import pfx Certificate

stephendrkw — Mon, 31 Oct 2022 15:45:25 GMT

Wasn't clear from the TAC Engineer when I asked, I suppose they are checking their knowledge database for answers. I think you might be correct, perhaps this has never been tested and they presume that every customer should have a full chain Cert. Maybe the lab engineers @cisco didn't communicate well enough with their own Security Engineers. Happens more regularly than we think I would envisage.

Re: WLC C9800 - Unable to import pfx Certificate

Scott Plank — Mon, 05 Dec 2022 14:37:57 GMT

I had similar issues with importing a PKCS12 cert and the fix for me was to switch from using OpenSSL v3.1.0 to OpenSSL v1.1.1 on Windows to combine the cert chain PEM file with the private key.

For OpenSSL v3.1.0, I was getting the following log/debug messages when trying to import the cert (the top two messages are "debug crypto pki transaction" logs, the bottom message is just a normal syslog message):

Dec 2 16:50:39.393 CST: CRYPTO_PKI: Copying pkcs12 from bootflash:Anchor-2022.p12 Dec 2 16:50:39.414 CST: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure Dec 2 16:50:39.415 CST: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: Anchor-2022.p12. Reason: Failed to import pkcs12 context

Using OpenSSL v1.1.1 to combine the cert chain and private key into a PKCS12 file allowed me to import the cert with no issues.

Re: WLC C9800 - Unable to import pfx Certificate

Scott Fella — Tue, 06 Dec 2022 06:08:37 GMT

I’m also using OpenSSL 1.x on my Mac and windows VM. So far no issues converting pem to pfx or pfx to encrypted pfx on a bunch of 9800’s. I didn’t have to reboot or even clean up the trustpool. Just had to login once I applied the new trustpoint to https.

Re: WLC C9800 - Unable to import pfx Certificate

uniemeyer — Mon, 20 Mar 2023 13:24:27 GMT

Hi,

I had the same issue with openssl 3.0.8 for Windows. Once I used openssl v1.1.1 I could import the .pfx-file without errors.

Thanks for sharing this post.

Re: WLC C9800 - Unable to import pfx Certificate

Paul Chapman — Wed, 26 Apr 2023 13:19:40 GMT

Hi -

This is possible in OpenSSL 3.x. You must use the -legacy parameter in your command. If you are running OpenSSL on Windows, then you will also need to use -provider-path <path to legacy.dll>. For OpenSSL 3 for Win64, the command would look like this:

openssl pkcs12 -export -in <cert-chain>.pem -inkey <key-pair>.key -out <hostname>.pfx -macalg SHA1 -legacy -provider-path "c:\Program Files\OpenSSL-Win64\bin"

It appears that Cisco hasn't updated the underlying OpenSSL code in IOS-XE, which is ridiculous. The notes section of the OpenSSL docs indicate why -legacy exists. https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html

Good Luck!

PSC

NOTE: Minor edit. Added `-macalg SHA1` which fixes the first error you would get (BugID CSCvz41428). The 0x705 error which you will get after solving the first will bring you here.

crypto_pki: status = 0x760(e_digest_alg_not_supported : message digest algorithms not supported): imported pkcs12 file failure