
Certificate/Private Key validation failed. How can I progress?

petertotok
Level 1

Hi,

I got a .p7b file from the CA, which I then converted to PEM. I added the chain to the Trusted Certificates and then tried to bind it to the CSR I created initially. It comes back with the error: "Certificate/Private Key validation failed." What could be the problem? I haven't found anything in any troubleshooting documentation about what could be the problem.

This is ISE 2.2.0.470.

Thanks in advance.

Cheers,

Peter

5 Replies

vibobrov
Cisco Employee

Open the p7b file in Windows. It will look like a zip file. That file will contain the actual server cert as well as the roots. Export just the server cert and try to bind that in ISE.

hslai
Cisco Employee

Yeah. Viktor's response would be a better fit for your case.

Assuming you converted the whole .p7b file to one single PEM, then it consists of a few certificates. You may open it in a text editor and copy the lines between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into individual files, as they represent certificates from the root CA, intermediate CA, issuing CA, and then your server certificate. Some PEM files also include the subject info there, so it is easier to identify which portion is which certificate. Otherwise, you may use either OpenSSL or some other tool on your desktop OS.

When importing certificates to ISE, you should import them one certificate at a time, not using a .p7b or a PEM file that combines multiple certificates.

If you still have a problem with this, perhaps consider engaging our Cisco TAC, unless you are able to share the certificate file(s) here so we may help better.
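The splitting step described in the reply above, as an added example that is not part of the original thread: it writes each certificate of a combined PEM to its own file and picks the one whose public key matches the CSR, since a certificate can only pair with a CSR made from the same key. The function names, file names and the `make_sample` helper (which builds constructed throwaway test material) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI and awk.

# Write each certificate of a multi-certificate PEM ($1) to $2/cert-NN.pem.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print the PEM public key held in a CSR ($1=req) or a certificate ($1=x509).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# Split bundle $2 into directory $3 and print the path of the certificate whose
# public key equals the one in CSR $1. Status 1: no match, 2: unreadable CSR.
find_cert_for_csr() {
    csr_key=$(pubkey_of req "$1") && [ -n "$csr_key" ] || return 2
    split_bundle "$2" "$3"
    for c in "$3"/cert-*.pem; do
        [ -f "$c" ] || continue
        if [ "$(pubkey_of x509 "$c")" = "$csr_key" ]; then
            echo "$c"; return 0
        fi
    done
    return 1
}

# Constructed sample input in directory $1: throwaway CA, server CSR, CA+server bundle.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
    cat "$1/ca.pem" "$1/srv.pem" > "$1/bundle.pem"
}

# Usage: sh split-and-match.sh request.csr bundle.pem outdir
if [ "$#" -eq 3 ]; then
    match=$(find_cert_for_csr "$1" "$2" "$3") || { echo "no certificate matches the CSR" >&2; exit 1; }
    openssl x509 -in "$match" -noout -subject -issuer
    echo "certificate matching the CSR: $match"
fi
```

If no file matches, the bundle does not contain a certificate issued for that CSR, for example because the CSR was regenerated after the request was sent.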

flevie
Level 1

Hello,

In our case, we have to use the correct pair of .crt and .key files (public and private key).

It didn't work with the pfx file; we had the error "private key validation failed, incorrect password"

The support team of our SSL certificate reseller kindly helped me extract my .pfx file using openssl (there is also a Windows installer).

"You can extract the necessary files using these commands on any Linux installation:

Get the key file:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

Convert the key file to PEM format:

openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

Get the certificate out of the pfx:

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]"

After that I didn't get the private key validation failed error and the certificate was imported...

 

Ruelb2214
Level 1

Hello, were you able to resolve your issue? I have the same issue now; can you share how you resolved it?

Did you generate the Certificate Signing Request on ISE? When you sent the CSR to your public CA, in what format did they send the file back to you?

-hope this helps-