https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607219#M2535 <HTML><HEAD></HEAD><BODY><P>Is there any update on this?</P></BODY></HTML> Thu, 31 Aug 2017 14:00:01 GMT Alex Pfeil 2017-08-31T14:00:01Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607210#M2526 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am trying to deploy iWAN through APIC-EM iWAN app. While deploying hub site, I am getting following error -</P><P></P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Nov 29 21:51:37.156: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure </P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">*Nov 29 21:51:37.156: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.</P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"></P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Please advise</P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"></P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Thanks,</P><P style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Vish</P></BODY></HTML> Fri, 01 Mar 2019 12:33:59 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607210#M2526 vishal-patil 2019-03-01T12:33:59Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607211#M2527 <HTML><HEAD></HEAD><BODY><P>some one else had a similar issue in this thread.</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/72808" style="font-size: 10pt;" title="https://communities.cisco.com/thread/72808">https://communities.cisco.com/thread/72808</A></P></BODY></HTML> Tue, 29 Nov 2016 20:52:52 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607211#M2527 aradford 2016-11-29T20:52:52Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607212#M2528 <HTML><HEAD></HEAD><BODY><P>What is the device details here? What platform? What release of APIC-EM is in use? Which iWAN workflow is this - the hub provisioning or branch provisioning? Details like these would help us understand and troubleshoot better.</P><P>Having said that, please refer to the link Adam has given to figure out if there's any routing that's causing this in your set-up.</P><P>Additionally, there's a known issue on device side where <SPAN style="font-size: 10pt;">if the certificate is more than 4K bytes of size, then PKCS import will fail. So please check the size of your cert.</SPAN></P></BODY></HTML> Tue, 29 Nov 2016 21:07:45 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607212#M2528 cchitnis 2016-11-29T21:07:45Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607213#M2529 <HTML><HEAD></HEAD><BODY><P>Thank you. did debug crypto messages/transaction. Looks like the devices are contacting APIC-EM by its external IP somehow while importing certificate.</P><P></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"><SPAN>*Nov 29 22:09:06.707: CRYPTO_PKI: Copying pkcs12 from </SPAN><A class="jive-link-external-small" href="http://xx.xx.xx.xx/api/v1/trust-point/pkcs12/7bf507b5-4566-4b55-a440-d0cfcbc7a298/3c4nlc88u5tq266glql3bfq36p" rel="nofollow" target="_blank">http://xx.xx.xx.xx/api/v1/trust-point/pkcs12/7bf507b5-4566-4b55-a440-d0cfcbc7a298/3c4nlc88u5tq266glql3bfq36p</A></SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"><BR /></SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">xx- should be internal IP</SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"><BR /></SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Hopefully I will be able to fix this</SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;"><BR /></SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Thanks,</SPAN></P><P><SPAN style="color: #39393b; font-family: Consolas; font-size: 14px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">Vish<BR /></SPAN></P></BODY></HTML> Tue, 29 Nov 2016 21:10:40 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607213#M2529 vishal-patil 2016-11-29T21:10:40Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607214#M2530 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the info (especially certificate size. will take a note of that)</P><P></P><P>Thanks,</P><P>Visha</P></BODY></HTML> Tue, 29 Nov 2016 21:12:06 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607214#M2530 vishal-patil 2016-11-29T21:12:06Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607215#M2531 <HTML><HEAD></HEAD><BODY><P>Hi Visha,</P><P></P><P>Regarding public/private address for PKI cert import - does that mean with EM 1.3 we can not use iWAN app provisioning over INET (in which case we have no choice but to NAT the controller)? In my case, it is a dual-router LTE branch</P><P></P><P>Thanks,</P><P>Igor</P></BODY></HTML> Fri, 23 Dec 2016 13:24:43 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607215#M2531 Igor Manassypov 2016-12-23T13:24:43Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607216#M2532 <HTML><HEAD></HEAD><BODY><P>Limitation on cert size is specific to subCA deployment. If you don't have subCA deployment, you are fine.</P></BODY></HTML> Fri, 23 Dec 2016 19:30:28 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607216#M2532 cchitnis 2016-12-23T19:30:28Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607217#M2533 <HTML><HEAD></HEAD><BODY><P>[Edited 01/23/2017: Pre release 1.4, NAT'ed controller support for iWAN is for greenfield sites only. In release 1.4, we are extending that support to brownfield sites as well]</P><P></P><P>AFAIK, we do support NAT'ed controller. As long as there's a connectivity from your branch to the controller, the PKCS12 import should be fine.</P></BODY></HTML> Fri, 23 Dec 2016 19:31:33 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607217#M2533 cchitnis 2016-12-23T19:31:33Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607218#M2534 <HTML><HEAD></HEAD><BODY><P>APIC-EM behind NAT (NAT'ed controller) support for brownfield branch sites to be released in 1.4 release.</P></BODY></HTML> Tue, 24 Jan 2017 01:25:59 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607218#M2534 cchitnis 2017-01-24T01:25:59Z https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607219#M2535 <HTML><HEAD></HEAD><BODY><P>Is there any update on this?</P></BODY></HTML> Thu, 31 Aug 2017 14:00:01 GMT https://community.cisco.com/t5/controllers/pkcs-12-import-failed/m-p/3607219#M2535 Alex Pfeil 2017-08-31T14:00:01Z