03-24-2023 09:26 AM
Hi all,
I'm currently trying to create a new SSL certificate to comply with security policies for work but I'm having a hard time following the documentation from Cisco (Prime Infrastructure 3.8 Administrator Guide)
There's a couple of issues I'm running into. I'm using the 'Import CA-Signed Host Certificates.'
1. I generated a new CSR file (genkey) but it says I shouldn't if one was already created, otherwise there'll be mismatches. Thing is, I'm not sure if there were CSR files generated in years past. Where could I find these? I searched in repositories and couldn't find any.
2. After generating new CSR file, I sent it to our CA for signing. In step 5 of the documentation, it says to combine all certificates into one single file. Which certificates are they talking about? After I get my cert from the CA, I can only download the certificate or certificate chain.
My Prime version is 3.9 and it's hard finding any other documentation or walkthrough of performing this.
Any help will be greatly appreciated, thank you in advance.
03-24-2023 09:41 AM
When the CA generates the cert for you, you can combine as below:
Depends on what CA you use.
The CA certificates, which are typically given filenames that reflect the name of the CA.
Combine all the certificates into one single file by concatenating them. Host certificate should be the first one in the file followed by the CA certificates in the same order as in the chain.
Example:
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
For example, in Linux the following command can be used to combine files:
cat host.pem subca.pem rootca.pem > servercert.pem
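The ordering rule in the reply above (host certificate first, then the CA certificates in chain order), as an added example that is not part of the original thread or of Cisco's documentation: shell functions using the openssl CLI that check a concatenated bundle's order and that the signed certificate matches the CSR. The function names and file names are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: sanity checks before importing a CA-signed bundle.
# File names are placeholders. Requires the openssl CLI.
# A .p7b from the CA can first be converted to PEM with:
#   openssl pkcs7 -print_certs -in chain.p7b -out chain.pem   (add -inform DER for binary files)
# The certificates in that output are not guaranteed to be host-first.

# Print one name field ("subject" or "issuer") of a single PEM certificate.
cert_name() {  # usage: cert_name subject|issuer file.pem
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Return 0 if every certificate in the bundle is issued by the one after it
# (host first, then sub CA, then root). Compares names only, not signatures.
check_bundle_order() {  # usage: check_bundle_order servercert.pem
  local bundle=$1 tmp n i rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/cert" n ".pem")}' "$bundle"
  n=$(($(ls "$tmp" | wc -l)))
  [ "$n" -ge 1 ] || rc=2   # no certificate found in the file
  i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(cert_name issuer "$tmp/cert$i.pem")" != "$(cert_name subject "$tmp/cert$((i+1)).pem")" ]; then
      echo "cert $i is not issued by cert $((i+1)): wrong order or missing CA" >&2
      rc=1
    fi
    i=$((i+1))
  done
  rm -rf "$tmp"
  return $rc
}

# Return 0 if the signed host certificate carries the same public key as the CSR,
# i.e. it was issued for the CSR (and private key) currently on the server.
csr_matches_cert() {  # usage: csr_matches_cert server.csr host.pem
  [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}
```

Run `check_bundle_order servercert.pem` on the concatenated file and `csr_matches_cert` on the CSR and the returned host certificate before importing.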
03-24-2023 09:52 AM
Thank you for your response. We are using MADCS (Microsoft Active Directory Certificate Services) to request a certificate. I paste the crt key generated from Prime into the MADCS to request a certificate, and then I can download the created certificate from MADCS. But it's the chain. When you're saying combine all certificates, is this:
- initial .crt file created in step 4 of the documentation = host certificate?
- .p7b cert created from MADCS = CA certificate?
Sorry, I'm kinda new to certificates and they're a bit confusing.
03-25-2023 12:54 AM
I know some of the Cisco documents are a bit confusing, but once you get used to them you will understand (the documents are more for experts, not for beginners).
Since I was not sure what files you have and what output you downloaded from the MS CA,
the URL below will help you (have a close look at each step so you do not miss anything). It explains how to go from the CSR to the final PEM (what combining all certs into one means).
03-25-2023 08:14 AM
Thank you for the info. That is actually for the WLC (which I actually also need to do). I was asking more for Cisco Prime infrastructure. Unlike the WLC, Prime doesn’t generate a mykey.pem file, it only generates a .csr file (WLC generates a mykey.pem and myreq.pem files).
So I got a bit farther now:
However, when I open up the browser, it still shows as “not trusted”.
03-25-2023 08:36 AM
I was referring to the document so you understand how you can combine the certs.
Combining the certs is the same for every device.
03-27-2023 08:47 AM
Oh ok makes sense. Thank you.
03-28-2023 03:13 AM
Hope you get there and resolve the issue, let us know how it goes.
03-28-2023 10:27 AM
I ended up doing it through the GUI as it was easier. I created a key, and it gave me a CSR file for me to input into the CA to get signed. Once signed, I concatenated the CSR and signed CA cert into one file (pem format). Then I imported it into the GUI, and it asks to restart. Once it came back online, it shows the secure connection (padlock).
08-15-2023 12:11 PM
How did you generate the CSR from the GUI? I cannot find any document for that.
08-15-2023 02:32 PM
Follow the admin guide:
08-15-2023 03:06 PM
Thanks for sending the commands. I have found those but couldn't get it to work. I see that the solution for this was to do this from the GUI, but can't find that on the web console of Cisco Prime.