02-16-2005 08:41 AM - edited 03-10-2019 02:01 PM
hello,
I have the following configuration:
Catalyst 2950G-proximity switches with IOS 12.1(19)EA1c.
Cisco Secure ACS Appliance 3.2.3.11
SunONE Directory Server ldap server version 5.2_Patch_2
I am trying to set up 802.1x authentication for wired and wireless clients, with the VLAN parameter provided by using group mapping with LDAP groups.
I understand that the best for that will be EAP-GTC version of PEAP.
I tried (for a week now!!!) to install the certificate in order to activate PEAP on ACS.
I carefully read and re-read the following documents:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp32/user/sau.htm
and this one
I set up a CA three times using "Microsoft Certificate Services" and OpenSSL. I am positive that I've done it correctly, since each time the CA certificate installation worked and each time I found the CA in the "Certificate Trust List".
The procedure to install the certificate:
1. Install the CA certificate on ACS server (through ftp)
2. Create the Certificate Signing Request and paste in Notepad to make the private key file
3. Paste the Certificate Signing Request into the "base64 encoded PKCS#10..."
4. Get the Server Certificate after issuing and put along with private key file on the ftp server.
When trying to install I get that
"Unsupported private key file format."
message.
The private key file IS the Certificate Signing Request pasted in a file, isn't it?!?
I have done that many times. I tried many names and extensions for files. I tried to overcome the UNIX and DOS representation for CR and LF in text files.
Each time the same error message.
Same problem as in this thread:
Everybody, please help!!!!
02-16-2005 12:11 PM
"Create the Certificate Signing Request and paste in Notepad to make the private key file "
The CSR and Private Key are two different things. On the ACS appliance, when you generate the CSR, the private key info is auto-populated into the private key form fields. When I enrolled my 3.2 appliance, I didn't change the info in those fields. Send the CSR (copy to notepad is fine) to your CA; once the cert is issued, upload it via ftp. Make sure you "submit" the info after the upload is finished; this is on the Install Certificate Page. The private key doesn't ever get sent to the CA.
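The CSR/private key distinction made in the reply above can be checked before any upload. The following is an added example, not part of the original thread and not Cisco code: it classifies PEM-armored blocks by their label and flags a CSR supplied where a private key is expected. It assumes the files are PEM-armored text; the function names and sample data are hypothetical and constructed for illustration.

```python
import base64
import re

# PEM armor labels mapped to the kind of object the block holds.
PEM_KINDS = {
    "CERTIFICATE REQUEST": "csr",
    "NEW CERTIFICATE REQUEST": "csr",
    "CERTIFICATE": "certificate",
    "PRIVATE KEY": "private-key",
    "RSA PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "encrypted-private-key",
}
# Tolerates both LF and CRLF line endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def classify_pem(text):
    """Return a list of (kind, label) for each PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            found.append(("corrupt", label))
            continue
        # All of these structures are DER SEQUENCEs (first byte 0x30).
        kind = PEM_KINDS.get(label, "unknown") if der[:1] == b"\x30" else "corrupt"
        found.append((kind, label))
    return found

def check_upload(key_text, cert_text):
    """Return a list of problems with the key file and certificate file."""
    problems = []
    key_kinds = [k for k, _ in classify_pem(key_text)]
    cert_kinds = [k for k, _ in classify_pem(cert_text)]
    if not any(k.endswith("private-key") for k in key_kinds):
        problems.append("key file holds %s, not a private key"
                        % (key_kinds or "no PEM block"))
    if "certificate" not in cert_kinds:
        problems.append("cert file holds %s, not a certificate"
                        % (cert_kinds or "no PEM block"))
    return problems

# Constructed samples: the body is a dummy DER SEQUENCE, not real key material.
DUMMY = "MAMCAQA="

def pem(label, body=DUMMY, eol="\n"):
    return eol.join(["-----BEGIN %s-----" % label, body,
                     "-----END %s-----" % label, ""])
```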
02-17-2005 06:43 AM
Thanks for your answer.
That helped me to find that in fact there is a bug in the ACS appliance. If you try (by mistake or not, like I did, following the documentation, which does not treat the appliance and the software version of the ACS separately) to download your private key, then the mechanism to self-fill the private key (after the CSR) will not work anymore.
The solution was to restore the appliance from the ghost image provided by Cisco with the appliance.
After that it worked.
Thanks again.