Importing pfx file wildcard certificate to ISE 2.4

colossus1611
Level 1

Hi All,

 

Have a certificate that expires in 1 day (yes, our alert system failed us).

 

So I was trying to import a wildcard certificate, that was already generated for Netscalers using a CSR, onto ISE without generating a CSR on ISE itself. However, since the pfx file wouldn't work with the ISE appliance, I converted it to pem format, both for the certificate as well as the key, using OpenSSL as per below:

 

https://community.cisco.com/t5/network-access-control/how-to-generate-export-a-private-key-in-ise-2-0-any-idea/td-p/3323619

 

Weirdly though, as I try and import this to ISE and click Submit, it just does not go anywhere and neither gives any error messages. I have tried various combinations since then, by trying to import without defining its role/usage, by not ticking "Verify certificate extensions", but none has worked.

 

I do not think I would need a separate CSR for the same wildcard certificate to be migrated across to ISE, but please enlighten me if that's a wrong assumption. Also, does the private key file need to be in any different format than .pem for it to be imported? I have also tried .key format, but that did not make a difference.

 

It's a Portal certificate.

 

Thanks.

 

 

Accepted Solution

Arne Bier
VIP

Hi @colossus1611 

 

You're right - you do not need to create a CSR on ISE for any System Certificate, if (and only if) you are in possession of the cert AND private key. The main job of the CSR is to allow you to create the public and private keys and to store the private key on the host that generated the CSR.

 

I am surprised that this process didn't work. If you have a .pfx file, and you wish to extract the certificate and private key, then the following commands achieve that effect, and the output by default is PEM (BASE64) which ISE understands:

 

Extract Private Key from .pfx

openssl pkcs12 -in Client-cert.pfx -nocerts -out key.pem -nodes

 

Extract Cert from .pfx

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

I have also used the workaround you mentioned (not validating the cert) in cases where ISE just plain refuses. As for the role, you don't have to assign a role right away, but whether you do or not, has no impact. It should work. 

 

I would check the output of the certificate in PEM format with the command - it should be a legible certificate

openssl x509 -in cert.pem -text

And the private key should be in BASE64 format

 

-----BEGIN PRIVATE KEY-----
.
.
.
.
-----END PRIVATE KEY-----

If all else fails ... restart ISE, reboot, call TAC ...

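As an added example, not code from this thread or from Cisco: the script below rebuilds the .pfx-to-PEM round trip from the two openssl pkcs12 commands above and then runs the checks worth doing before pasting the PEM files into ISE: does the certificate parse, does the key header look right, does the key actually belong to the certificate, how long is the certificate still valid, and does the SAN carry the wildcard. It needs only the openssl CLI (the -addext flag used to build the demo cert needs OpenSSL 1.1.1 or newer). The wildcard name *.example.com, the self-signed issuer, the 30-day validity and the PFX passphrase are all constructed for the demo; a real .pfx exported from a NetScaler or Windows host would take the place of the generated one.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): round-trip a wildcard
# certificate through a .pfx the way the thread describes, then verify the
# extracted PEM files before importing them into ISE. Only the openssl CLI
# is used. The wildcard name, the self-signed issuer, the 30-day lifetime and
# the PFX passphrase are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="demo-passphrase"      # assumption: a real export has its own passphrase

# Stand-in for the certificate "already generated for the Netscalers":
# a throwaway RSA key and a 30-day self-signed cert for *.example.com,
# bundled into a .pfx as an appliance or Windows export would be.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
        -out "$WORK/wildcard.pfx" -passout "pass:$PFX_PASS"
}

# The two extractions from the accepted answer. -nodes leaves the key
# unencrypted (no key passphrase to supply at import time); -clcerts keeps
# only the end-entity certificate, so a CA chain bundled in the .pfx does not
# end up in cert.pem (the chain belongs in the trust store, not in the
# system certificate).
extract_from_pfx() {
    openssl pkcs12 -in "$WORK/wildcard.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes -out "$WORK/key.pem"
    openssl pkcs12 -in "$WORK/wildcard.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts -out "$WORK/cert.pem"
}

# openssl pkcs12 prefixes its PEM output with "Bag Attributes" lines. Some
# importers only want the -----BEGIN ... ----- block, so re-emit both files
# through x509/pkey; pkey also writes the key as PKCS#8, i.e. the
# -----BEGIN PRIVATE KEY----- header the accepted answer expects.
strip_preamble() {
    openssl x509 -in "$WORK/cert.pem" -out "$WORK/cert-clean.pem"
    openssl pkey -in "$WORK/key.pem"  -out "$WORK/key-clean.pem"
}

# "It should be a legible certificate": does the file parse as X.509?
cert_is_readable() { openssl x509 -in "$WORK/cert-clean.pem" -noout -text >/dev/null; }

# First line of the key file; expected "-----BEGIN PRIVATE KEY-----".
key_header() { head -n 1 "$WORK/key-clean.pem"; }

# Does the key belong to the certificate? Compare the public key carried by
# each side. A wrong key exported next to the right cert is a classic cause
# of an import that fails without a useful error message.
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/cert-clean.pem" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$WORK/key-clean.pem" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Still valid N seconds from now? -checkend exits 1 when the certificate
# expires inside the window, which is the "expires in 1 day" case that
# started this thread.
cert_valid_for() { openssl x509 -in "$WORK/cert-clean.pem" -noout -checkend "$1" >/dev/null; }

# Is there a wildcard DNS entry in the SAN? Browsers match on SAN, not on CN.
cert_has_wildcard_san() {
    openssl x509 -in "$WORK/cert-clean.pem" -noout -text | grep -q 'DNS:\*\.'
}

run_checks() {
    make_demo_pfx
    extract_from_pfx
    strip_preamble
    for chk in cert_is_readable key_matches_cert cert_has_wildcard_san; do
        if "$chk"; then echo "ok    $chk"; else echo "FAIL  $chk"; return 1; fi
    done
    echo "key header: $(key_header)"
    if cert_valid_for 86400; then echo "ok    valid for at least one more day"; fi
    if ! cert_valid_for $((60 * 86400)); then echo "warn  expires within 60 days"; fi
}

run_checks
```

Run it with sh and point WORK at a directory of your own if you want to keep the files. If key_matches_cert fails, the .pfx holds a key that does not belong to the certificate you expected, which is worth ruling out first when an import fails without an error message. The 60-day check stands in for the expiry alerting that failed in this case.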

9 Replies


Hi Arne,

 

So those are the exact commands I used to extract the certificate in .pem format from .pfx.

 

I also used the other two commands you mentioned to validate certificate and the key and they both came good.

 

Have no TAC support on these ones unfortunately (yes, that's right). I am hearing that the newer version of OpenSSL has had some compatibility with Cisco kit, so I might try with version 0.9x and see how that goes.

 

Thanks.

I extracted the .pfx file on macOS Catalina with openssl version LibreSSL 2.8.3 and faced no issue in importing the wildcard certificate on ISE 2.4 and 2.6. It worked fine.

 

Thanks @poongarg. So you extracted two .pem format files (cert.pem and key.pem) from the .pfx file, to confirm?

Our ISE appliance is on version 2.4.0.357.

Yes

Hello,

 

So the certificate has now expired and we haven't been able to renew yet. Cisco TAC contract is an issue for further support on this.

 

Since the offices are still closed as such, we do not know what exact impact we would have. So what exact impact will this have? Will guest users not be able to authenticate at all when they try and connect, or will they simply receive an expired-certificate warning message?

 

T

 

 

 


 

I have not had the misfortune of testing this scenario with ISE, but if you want to see what it looks like, then try this web site https://badssl.com/ - use different browsers to see how they handle an expired certificate.

 

The only concern I have with the above simulation, is that ISE implements HSTS (Strict Transport Security) and this means that your browser error messages may vary - in fact, with HSTS you often don't get the on-screen option to override the "security issue" by clicking on "Accept and proceed". There are always ways around this. If guests are brave enough to accept all the warnings then they will get to the ISE portal. 

With the expired certificate also, Guest users will be able to connect to the Guest portal, but yes, the browser will give a warning about the certificate expiration and the Guest user will need to "Continue to the Website". Here is an example from the IE browser with a self-signed certificate used for the portal:

 

The security certificate presented by this website was not issued by a trusted certificate authority.

The security certificate presented by this website has expired or is not yet valid.

 

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage. (Recommended)
Continue to this website (not recommended).

More information