02-01-2018 10:39 AM - edited 02-21-2020 10:44 AM
Hello,
Curious to know the process mentioned in the title of this discussion. I'm looking everywhere for this, but cannot find it so far. Any detailed explanation on how this can be achieved would be greatly appreciated.
Thank you in advance.
02-01-2018 02:07 PM
Hi
"Cisco does not recommend exporting the private key associated with the certificate because its value may be exposed. If you must export the private key, you must specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key."
Anyway, you can do this on the Administration / System / Certificate.
-If I helped you somehow, please, rate it as useful.-
02-01-2018 02:30 PM
Thank you for the response.
I'm honing in on exactly what is required now. My apologies for shifting off my previous predicament (not too tangential to what was initially stated).
We are looking to import the server certificate into our ISE PSN node.
It looks as if we:
A) Need to generate a private key via ISE web GUI (not sure where this is done via ISE web GUI. We already purchased and installed the public key)
Then go to Administration > System > Certificates > System Certificates and:
(where "*" (3.) = actual issue at hand)
02-01-2018 05:40 PM
How did you purchase the certificate? To have a certificate issued to you in the first place, you need to have a private/public key generated on the server that you want the cert on. Out of that you send the public key to the CA (along with other attributes) and get it signed. You then import the certificate to the server, which then logically binds the private and public key together.
If I understand your question correctly, you already have a certificate issued to another server. You want to be able to export that cert and import that into ISE, like you would do for a Wildcard cert. If so, what you would need to do is export the certificate and key from that server as a pkcs12 file (or pfx for Windows). This file has to be then split into private and public key using openssl. How to do this is given here:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.cr
You can then import this separately on ISE.
12-05-2018 12:22 PM - edited 12-05-2018 12:25 PM
Hi Rahul, we are trying to do exactly what you explained in your post. We have a newly deployed ISE appliance for which I need to use our domain's wildcard certificate. We have exported the certificates from another server as a .pfx file.
When I go into ISE (2.4) and try to import the cert, it's asking for a certificate file and a private key file.
I already have a .pfx file. I can't figure out how to split it into a public and private key using OpenSSL as you suggested.
Can you help me?
12-05-2018 03:11 PM
Extract Private Key from .pfx
-----------------------------------
openssl pkcs12 -in Client-cert.pfx -nocerts -out key.pem -nodes
Extract Cert from .pfx
-----------------------------------
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
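The two extraction commands from the answer above, wrapped in an added script (not part of the original posts) that writes the unencrypted key with owner-only permissions and confirms the extracted key and certificate carry the same public key before they are imported. The file names, CN and password are constructed sample values, and the PFX is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example: split a PFX into key + cert, then confirm they belong together.
# All file names, the CN and the password are constructed sample values.

make_demo_pfx() {    # usage: make_demo_pfx <dir> <password>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ise-demo.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    PFX_PASS=$2 openssl pkcs12 -export -inkey "$1/orig.key" \
        -in "$1/orig.crt" -passout env:PFX_PASS -out "$1/demo.pfx"
}

split_pfx() {        # usage: split_pfx <pfx> <password> <key-out> <cert-out>
    # umask 077 in a subshell: the unencrypted key is created owner-only.
    # The password is passed via the environment, not the command line.
    ( umask 077
      PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
          -nocerts -nodes -out "$3" 2>/dev/null ) || return 1
    PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -nokeys -out "$4" 2>/dev/null
}

key_matches_cert() { # usage: key_matches_cert <key.pem> <cert.pem>
    # Compare the public key derived from each file; fail if either is unreadable.
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_pfx "$work" 'Constructed-Pass1' &&
    split_pfx "$work/demo.pfx" 'Constructed-Pass1' \
        "$work/key.pem" "$work/cert.pem" &&
    key_matches_cert "$work/key.pem" "$work/cert.pem"
    rc=$?
    rm -rf "$work"   # removes the sample key material
    return $rc
}

demo && echo "extracted key matches extracted certificate"
```

Once the import has succeeded, delete the unencrypted key.pem from the workstation.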