Beginner

Certificate/Private Key validation failed. How can I progress?

Hi,

I got a .p7b file from the CA, which I then converted to PEM. I added the chain to the Trusted Certificates and then tried to bind it to the CSR I created initially. It comes back with the error: "Certificate/Private Key validation failed." What could be the problem? I haven't found anything in any troubleshooting documentation about what could be the problem.

This is ISE 2.2.0.470.

Thanks in advance.

Cheers,

Peter

3 REPLIES
Cisco Employee

Re: Certificate/Private Key validation failed. How can I progress?

Open the p7b file in Windows. It will look like a zip file. That file will contain the actual server cert as well as the roots. Export just the server cert and try to bind that in ISE.

Cisco Employee

Re: Certificate/Private Key validation failed. How can I progress?

Yeah. Viktor's response would be a better fit for your case.

Assuming you converted the whole .p7b file to one single PEM, then it consists of a few certificates. You may open it in a text editor and copy the lines between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into individual files, as they represent certificates from the root CA, intermediate CA, issuing CA, and then your server certificate. Some PEM files also include the subject info there, so it is easier to identify which portion is which certificate. Otherwise, you may use either OpenSSL or some other tool on your desktop OS.

When importing certificates to ISE, you should import them one certificate at a time, and not use any .p7b or PEM file that combines multiple certificates.

If you still have a problem with this, perhaps consider engaging our Cisco TAC, unless you are able to share the certificate file(s) here so we may help better.
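Added example (not part of the replies in this thread and not Cisco tooling): shell functions for the split-and-identify step described in the reply above, which also report which certificate in the bundle carries the same public key as the CSR. It assumes the CSR is available as a PEM file and that `openssl` and `awk` are installed; the function names and the names used in `make_sample` are made up for illustration.

```shell
#!/bin/sh
# Added example: find which certificate in a multi-certificate PEM matches a CSR.

# Split a PEM bundle ($1) into $2/cert-1.pem, cert-2.pem, ...; prints the count.
# Text outside the BEGIN/END markers (such as subject/issuer headers) is dropped.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# Print the split certificate in $2 whose public key equals that of the CSR ($1).
# Returns 1 when none matches, i.e. no certificate in the bundle belongs to this CSR.
find_cert_for_csr() {
    want=$(openssl req -in "$1" -noout -pubkey) || return 2
    for c in "$2"/cert-*.pem; do
        [ -f "$c" ] || continue
        have=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || continue
        if [ "$have" = "$want" ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Constructed sample input: a throwaway CA, a CSR, and a bundle with the CA
# certificate first and the server certificate second (all names are made up).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Sample Root CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" \
        -subj "/CN=ise.example.test" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srv.pem" -days 1 2>/dev/null
    cat "$1/ca.pem" "$1/srv.pem" > "$1/bundle.pem"
}
```

If `find_cert_for_csr` returns 1 for every CSR you hold, the CA issued the certificate against a different key pair, and no amount of splitting or reformatting will make it bind.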

Beginner

Re: Certificate/Private Key validation failed. How can I progress?

Hello,

In our case, we have to use the correct pair of .crt and .key files (public and private key).

It didn't work with the pfx file; we had the error "private key validation failed, incorrect password".

The support team of our SSL certificate reseller kindly helped me extract my .pfx file using openssl (there is also a Windows installer).

"You can extract the necessary files using these commands on any Linux installation:

Get the key file:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

Convert the key file to PEM format:

openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

Get the certificate out of the pfx:

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]"

After that I didn't get the private key validation failed error and the certificate was imported...