How to generate/export a private key in ISE 2.0: Any idea?

Supercell292929
Level 1

Hello,

 

     Curious to know the process mentioned in the title of this discussion. I'm looking everywhere for this, but cannot find it so far. Any detailed explanation on how this can be achieved would be greatly appreciated.

 

Thank you in advance.


Hi

"Cisco does not recommend exporting the private key associated with the certificate because its value may be exposed. If you must export the private key, you must specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key."

 

Anyway, you can do this on the Administration / System / Certificate.

 

-If I helped you somehow, please, rate it as useful.-

Thank you for the response. 

 

I'm honing in on exactly what is required now. My apologies for shifting off my previous predicament (not too tangential to what was initially stated).

 

We are looking to import the server certificate into our ISE PSN node.

 

It looks as if we:

 

A) Need to generate a private key via ISE web GUI (not sure where this is done via ISE web GUI. We already purchased and installed the public key)

 

Then go to Administration > System > Certificates > System Certificates and:

 

  1. Select Node (we can do this w/o issue)
  2. Choose our Certificate File (it sees our crt file w/o issue)
  3. *Choose our Private Key File (no idea where this is. When we select the "Choose File" button nothing comes to view).
  4. Go from there

(where "*" (3.) = actual issue at hand)

How did you purchase the certificate? To have a certificate issued to you in the first place, you need to have a private/public key generated on the server that you want the cert on. Out of that you send the public key to the CA (along with other attributes) and get it signed. You then import the certificate to the server, which then logically binds the private and public key together.

 

If I understand your question correctly, you already have a certificate issued to another server. You want to be able to export that cert and import that into ISE, like you would do for a Wildcard cert. If so, what you would need to do is export the certificate and key from that server as a pkcs12 file (or pfx for Windows). This file has to be then split into private and public key using openssl. How to do this is given here:

https://www.sslshopper.com/article-most-common-openssl-commands.html

 

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.cr

You can then import this separately on ISE. 

Hi Rahul,  we are trying to do exactly what you explained in your post.  We have a newly deployed ISE appliance for which I need to use our domain's wildcard certificate.  We have exported the certificates from another server as a .pfx file.

When I go into ISE (2.4) and try to import the cert,  it's asking for a certificate file and a private key file. 

I already have a .pfx file.  I can't figure out how to split it into a public and private key using OpenSSL as you suggested.

Can you help me?

Extract Private Key from .pfx

-----------------------------------

openssl pkcs12 -in Client-cert.pfx -nocerts -out key.pem -nodes

 

Extract Cert from .pfx

-----------------------------------

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
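
The split described in the answer above, as an added example that is not part of the original thread: it keeps the extracted key encrypted (no -nodes), writes it owner-only, and confirms that key and certificate are a matching pair before they are uploaded. The function names, the PFX_PASS and KEY_PASS environment variables and the output file names are assumptions, and the sample bundle is a constructed throwaway.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into the two files the ISE import form
# asks for, keep the key encrypted, and confirm key and certificate are a pair.
# Passwords are read from the environment (PFX_PASS, KEY_PASS; assumed names)
# so they do not appear in the process list or shell history.

# key_matches_cert KEY CERT -> exit 0 when both carry the same public key
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# split_pfx BUNDLE OUTDIR -> writes OUTDIR/key.pem and OUTDIR/cert.pem
split_pfx() {
    pfx=$1 out=$2
    (
        umask 077                      # new files are owner-only (0600)
        mkdir -p "$out" || exit 1
        # No -nodes: the key is re-encrypted under KEY_PASS on the way out.
        openssl pkcs12 -in "$pfx" -nocerts -passin env:PFX_PASS \
            -passout env:KEY_PASS -out "$out/key.pem" || exit 1
        # -clcerts keeps only the leaf certificate, not bundled CA certs.
        openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PASS \
            -out "$out/cert.pem" || exit 1
    ) || return 1
    key_matches_cert "$out/key.pem" "$out/cert.pem"
}

# make_sample_pfx DIR -> constructed throwaway key, self-signed cert and bundle
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ise.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:PFX_PASS -out "$1/sample.pfx" 2>/dev/null
}
```

A non-zero return from split_pfx means extraction failed or the key does not belong to the certificate; the key password is the one to enter when importing the private key file.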
