Cisco ACE certificate and public key mismatch

Ji-Won Park
Level 1

Hello,

I was wondering if anyone had a similar issue...

What would be the possible cause of the SSL certificate and public key mismatch during the verification process? The CSR was sent to the external vendor to sign and we are trying to install it on ACE now, but the verification fails. Trying to regenerate the certificate.

Please let me know.

Thanks in advance.


8 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

What error are you getting when trying to import certificate on the ACE? If there is a problem with the certificate itself, it is better to get it regenerated from the CA itself.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Yes, I am trying to re-generate the certificate and try to import it again. However, I was just concerned about the other possibilities that could cause the issue.

I am getting the following error message:

Keypair in mykey.pem does not match certificate in abc.pem

Hi,

This clearly indicates a mismatch. Best would be to get the cert from the CA again. May be generate the CSR again and get a new cert.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
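An added check, not from this thread or from Cisco, for confirming on a workstation before importing that a private key (or a CSR) carries the same public key as a certificate; the ACE error above is this comparison failing on the device. It assumes the openssl command-line tool is available, generates constructed sample files in a temporary directory, and borrows the file names mykey.pem and abc.pem from the error message; it goes one step beyond the thread by also checking a CSR against a certificate.

```shell
#!/bin/sh
# Added example, not from the thread: verify locally that a private key
# (or a CSR) carries the same public key as a certificate. The ACE import
# error "Keypair in mykey.pem does not match certificate in abc.pem" means
# exactly this comparison failed on the device.
set -eu

# Print a SHA-256 fingerprint of the DER SubjectPublicKeyInfo found in a PEM
# file of the given kind: key, csr or cert. Comparing SPKI fingerprints works
# for RSA and EC keys alike, unlike the older "-modulus" trick.
pubkey_fingerprint() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req  -in "$2" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the private key in $1 matches the certificate in $2.
key_matches_cert() {
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Exit status 0 when the CSR in $1 was built from the same key as cert $2.
csr_matches_cert() {
    [ "$(pubkey_fingerprint csr "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Constructed sample material (file names follow the error message above):
# mykey.pem with its self-signed abc.pem, plus a second key standing in for
# a regenerated key pair and a CSR produced from that second key.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ace.example.test" \
    -keyout "$WORK/mykey.pem" -out "$WORK/abc.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/newkey.pem" 2>/dev/null
openssl req -new -key "$WORK/newkey.pem" -subj "/CN=ace.example.test" \
    -out "$WORK/new.csr" 2>/dev/null

key_matches_cert "$WORK/mykey.pem" "$WORK/abc.pem" && echo "mykey.pem matches abc.pem"
key_matches_cert "$WORK/newkey.pem" "$WORK/abc.pem" \
    || echo "newkey.pem does NOT match abc.pem: the cert was issued for a different key"
csr_matches_cert "$WORK/new.csr" "$WORK/abc.pem" \
    || echo "new.csr does NOT match abc.pem: a cert signed from this CSR needs newkey.pem"
```

Run the two functions against the key you are about to import and the certificate the CA returned; a mismatch here means the CA signed a CSR from a different key pair, which is what regenerating the key and CSR fixes.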

I had to generate the key-pair again and use that for CSR. Once it was signed, the cert was good to go.

How do I sync this with the secondary unit?

Hi,

You cannot. You have to manually import those files like you did in ACTIVE unit. All configuration changes except probe scripts, crypto files and license are synced automatically to standby_hot unit.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks for the response Fnu,

Could you quickly check if this documentation is correct?

In a redundant configuration, the ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of a Fault Tolerant (FT) group. If the ACE performs a configuration synchronization and does not find the necessary certificates and keys on the standby, configuration synchronization fails and the standby context enters the STANDBY_COLD state.

To copy the certificates and keys to the standby context, you can export the certificates and keys from the active context to an FTP or TFTP server using the crypto export command, and then import the certificates and keys to the standby context using the crypto import command. You can also import the certificates and keys directly to the standby context using the same method that you used to import the certificates to the active context. This second method is required if the certificates and keys were imported to the active context as non-exportable. For more information about importing and exporting certificates and keys, see the "Importing or Exporting Certificate and Key Pair Files" section.

To return the standby context to the STANDBY_HOT state in this case, you must import the necessary SSL certificates and keys to the standby context, and then perform a bulk synchronization of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:

1. no ft auto-sync running-config

2. ft auto-sync running-config

Documentation is correct, like it is stated and as F.K.S mentioned, please import the same cert into secondary manually (the exact same process used for active) and then sync.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thanks for the help everyone
