
CSM-SSL, can't import certificate

bshellrude
Level 1

All:

This is driving me bloody crazy...

So we have a number of certificates that we have exported from an ACE module and need to have imported to these CSM-SSL modules.  Problem is, I can't for the life of me get it to accept the keys.  It continually gives me "Invalid PEM Header"...

Has anyone encountered this?

Pablo
Cisco Employee

Hey Buddy,

My best guess according to your description is that the keys on your ACE modules were uploaded in the decrypted format; CSM-S or SSLM will only accept encrypted keys.

You can encrypt the key using OpenSSL: just copy the text into Notepad, put it into the bin folder (C:/OpenSSL/bin), and encrypt it using this command:

OpenSSL> rsa -in decrypted_key.pem -out encrypted_key.pem -des3

The new encrypted key should be found within the same folder.

HTH

Pablo

Thanks... that's what I'd kind of thought before, and had used openssl to encrypt (3des) the key and tried it before, and then it gave me "Invalid PEM Boundary"....

Any thoughts?

Hmmm weird,

Are you using the quit command after copying/pasting public and private key?

SSLM-1(config)#crypto key import rsa Mykey general-purpose exportable terminal


% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.


-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEdkj*ajknJKLD+-FS
IVqL+K2woD9VI+XX97fOrAvJdESj/o9VpUhuRSKm3CQAVTec8ymJPcv+6tjuOgf2
1/uGnNKV4xsIV/3GUQIDAQAB
-----END PUBLIC KEY-----


quit


% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.


-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B4E43A7E35A05EBD
qARvas9eklaxZhmlBTWNr86GM+w3+DSrnJP5ZsEMR9tvSX76LKUXL8hJjeXeL+Xu
NZacCeGgFs8jZdTZSrUxi7F+W+ruMyp3cfInp5jkg38PsqgcEeQNYEL570ya5jji
EQyiN+KygjRU0ZmFbRgxHkxJUdhyl0xMLOuNQYFZs2WTBBxoqQSa+A==
-----END RSA PRIVATE KEY-----


quit


% Key pair import succeeded.

bshellrude
Level 1

Hey... thanks... you know, I was just doing it incorrectly.

Was trying to import via:

crypto ca import MyCert pem terminal "password"

Thanks for all your help... you know even CISCO TAC case has been open for about 2 weeks (was just escalated to me today)... they should've caught this... but I'm used to it, which is why I posted here..

THANKS AGAIN!!!

Awesome! Glad to be of help =)

Have a good one!

Pablo
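
Added example, not part of the original thread and not Cisco tooling: a Python pre-check that a PEM block has the shape shown in the import session above (matching BEGIN/END boundaries, `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers on the private key, clean base64 body) before it is pasted into the terminal. The function names, problem strings and sample blocks are constructed for illustration, and the checks do not reproduce the module's own parser or its error messages.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
HEADER = re.compile(r"^([A-Za-z-]+): (.+)$")  # e.g. "Proc-Type: 4,ENCRYPTED"

def check_pem(text, require_encrypted=False):
    """Return a list of problems in one PEM block; an empty list means none found."""
    raw = text.strip("\r\n").splitlines()
    problems = []
    if any(ln != ln.strip() for ln in raw):
        problems.append("stray whitespace around a line")
    lines = [ln.strip() for ln in raw if ln.strip()]
    if len(lines) < 3:
        return problems + ["too short to be a PEM block"]
    begin, end = BEGIN.match(lines[0]), END.match(lines[-1])
    if not begin or not end:
        problems.append("missing or malformed BEGIN/END boundary")
    elif begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels differ")
    headers, body = {}, []
    for ln in lines[1:-1]:
        m = HEADER.match(ln)
        if m and not body:  # headers may only precede the base64 body
            headers[m.group(1)] = m.group(2)
        else:
            body.append(ln)
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers
    if require_encrypted and not encrypted:
        problems.append("private key is not encrypted")
    try:
        if not base64.b64decode("".join(body), validate=True):
            problems.append("empty body")
    except ValueError:
        problems.append("body is not valid base64")
    return problems

def sample(label, headers=(), end_label=None):
    """Build a constructed PEM-shaped block (dummy bytes, not a real key)."""
    b64 = base64.b64encode(bytes(range(96))).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *headers, *rows,
                      f"-----END {end_label or label}-----"])
ENC = ("Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0011223344556677")  # constructed

if __name__ == "__main__":
    for hdrs in (ENC, ()):  # encrypted shape, then plaintext shape
        print(check_pem(sample("RSA PRIVATE KEY", hdrs), require_encrypted=True))
```

Run it against the public block with `require_encrypted=False` and against the private block with `require_encrypted=True`.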
