
CSS/SSL import a .pfx cert PKCS12 for association

jcmattos1
Level 1

Hello All,

I have been working to import and associate a .pfx cert with PKCS12 into our CSS11503 v8.10 and have had little success. I was finally able to import it but have trouble associating it. I keep getting this error:

CSS11503# copy ssl ftp SSL import ProdCert.com.pfx PKCS12 "cisco" "cisco"

Connecting (|)

Completed successfully.

CSS11503(config)# ssl associate cert ProdCert ProdCert.com.pfx

%% Not a valid key or certificate file

Any ideas???


3 Replies

Gilles Dufour
Cisco Employee

CSCek42725

Basically we cannot handle a pkcs12 file that has multiple cert bags if those bags each have a different localKeyId. We need the server cert (the one that matches the key bag) to show up first, or we need any intermediate or root cert to not contain a localKeyId. This is the way that openssl code generates pkcs12 files.

So, use openssl to convert the file into 2 PEM files and import them separately.

This should work.

Gilles.
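
The conversion suggested in the reply above, as an added example that is not part of the original thread. It goes one step further than a plain split: it picks the server certificate by comparing public keys with the private key rather than relying on bag order or localKeyId. It assumes `openssl` on a workstation and the bundle passphrase in the environment variable `PFX_PASS`; the function names and output file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. PFX_PASS must hold the bundle
# passphrase; env: keeps it out of the process list.

# split_pfx <in.pfx> <prefix> -> <prefix>.key.pem and <prefix>.cert.pem
split_pfx() (
  umask 077   # key and temp files readable by owner only
  # Key bag only, re-encrypted under the same passphrase.
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts \
    -passout env:PFX_PASS -out "$2.key.pem" || exit 1
  key_pub=$(openssl pkey -in "$2.key.pem" -passin env:PFX_PASS -pubout) || exit 1
  tmp=$(mktemp -d) || exit 1
  # Every cert bag in bundle order, one file per certificate.
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys |
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++; p = 1 }
                     p { print > (d "/" n ".pem") }
                     /END CERTIFICATE/ { p = 0 }'
  rc=1
  for c in "$tmp"/*.pem; do
    [ -f "$c" ] || continue
    # The server certificate is the one whose public key equals the key's.
    if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$key_pub" ]; then
      openssl x509 -in "$c" -out "$2.cert.pem" && rc=0
      break
    fi
  done
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || echo "no certificate in $1 matches its key" >&2
  exit "$rc"
)

# make_sample_pfx <dir>: constructed test bundle (self-signed leaf plus an
# unrelated extra certificate), so split_pfx can be tried offline.
make_sample_pfx() (
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=leaf.example" \
    -keyout leaf.key -out leaf.crt 2>/dev/null || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=extra.example" \
    -keyout extra.key -out extra.crt 2>/dev/null || exit 1
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile extra.crt \
    -passout env:PFX_PASS -out sample.pfx
)

# Run as: PFX_PASS=... sh split_pfx.sh ProdCert.com.pfx ProdCert
if [ "$#" -eq 2 ]; then split_pfx "$1" "$2"; fi
```

The resulting certificate file holds a single clean PEM block without the "Bag Attributes" text that `openssl pkcs12` prepends; the key file stays encrypted under the same passphrase.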

Thx Gilles,

That seemed to do the trick... Also, we are running box-to-box redundancy on this. Will I need to import the cert to both boxes separately? If so, will the config sync work with the ssl commands as well, or will that have to be added manually to the 2nd box? Thx!

The certificates and keys need to be imported manually on both devices.

The config, including the ssl-proxy-list, will be copied via config-sync.

Gilles.
