3567 Views, 2 Helpful, 11 Replies

Cisco Prime - need help creating ssl certificate

secureB00T
Level 1

Hi all, 

I'm currently trying to create a new SSL certificate to comply with security policies for work but I'm having a hard time following the documentation from Cisco (Prime Infrastructure 3.8 Administrator Guide)

There's a couple of issues I'm running into. I'm using the 'Import CA-Signed Host Certificates.'  

1. I generated a new CSR file (genkey) but it says I shouldn't if one was already created, otherwise there'll be mismatches. Thing is, I'm not sure if there were CSR files generated in years past. Where could I find these? I searched in repositories and couldn't find any.

2. After generating new CSR file, I sent it to our CA for signing. In step 5 of the documentation, it says to combine all certificates into one single file.  Which certificates are they talking about? After I get my cert from the CA, I can only download the certificate or certificate chain.  

My prime version is 3.9 and it's hard finding any other documentation or walkthrough of performing this.

Any help will be greatly appreciated, thank you in advance.

Accepted Solution

balaji.bandi
Hall of Fame

When the CA generates the cert for you, you can combine as below:

Depends on what CA you use.

The CA certificates, which are typically given filenames that reflect the name of the CA.

Combine all the certificates into one single file by concatenating them. Host certificate should be the first one in the file followed by the CA certificates in the same order as in the chain.

Example:

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

For example, in Linux the following command can be used to combine files:

cat host.pem subca.pem rootca.pem > servercert.pem

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
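
Added example, not part of the original thread or of Cisco's documentation: a check that a concatenated PEM file really is ordered host certificate first, then each issuing CA in turn, as the answer above describes. The function names `make_demo_chain` and `check_bundle_order`, the subject names and the throwaway certificates are all constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). All certificates here are constructed.

# Build a throwaway root CA -> sub CA -> host chain in directory $1, using the
# file names from the cat command above. No CA extensions are set, which is
# enough for the name-chain check below but not for a real deployment.
make_demo_chain() (
    cd "$1" || exit 2
    issue() {  # issue <file stem> <subject CN> <signing CA file stem>
        openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
            -subj "/CN=$2" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
            -CAcreateserial -out "$1.pem" -days 1 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca.key \
        -out rootca.pem -subj "/CN=Demo Root CA" -days 1 2>/dev/null &&
    issue subca "Demo Sub CA" rootca &&
    issue host "prime.example.test" subca
)

# Exit 0 only if every certificate in bundle $1 names the next one as issuer.
# Exit 1 on an ordering break, 2 if the file holds no certificate (e.g. a CSR).
# This compares names only; it does not verify signatures.
check_bundle_order() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    [ -f "$tmp/cert-1.pem" ] || { echo "no certificate in $1" >&2; exit 2; }
    i=1
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash) || exit 2
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash) || exit 2
        if [ "$issuer" != "$next" ]; then
            echo "cert $i was not issued by cert $((i + 1))" >&2
            exit 1
        fi
        i=$((i + 1))
    done
)
```

Run `check_bundle_order servercert.pem` on the combined file before importing it; a file that contains only a certificate request, or the CA certificates in the wrong order, is rejected.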


11 Replies

Thank you for your response. We are using MADCS (Microsoft Active Directory Certificate Services) to request a certificate. I paste the crt key generated from prime into the MADCS to request a certificate, and then I can download the created certificate from MADCS. But it's the chain. When you're saying combine all certificates, is this:

- initial .crt file created in step 4 of the documentation = host certificate?

- .p7b cert created from MADCS = CA certificate?

Sorry, I'm kinda new to certificates and they're a bit confusing.   

 

I know some of the Cisco documents are a bit confusing, but once you get used to them you will understand (the documents are more for experts, not for beginners).

Since I was not sure what files you have and what output you downloaded from the MS CA,

the URL below will help you (have a close look at each step so you will not miss anything); it explains how to go from the CSR to the final PEM (which is what combining all certs into one means).

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

 

BB


Thank you for the info. That is actually for the WLC (which I actually also need to do).  I was asking more for Cisco Prime infrastructure.  Unlike the WLC, Prime doesn’t generate a mykey.pem file, it only generates a .csr file (WLC generates a mykey.pem and myreq.pem files).  

So I got a bit farther now:

  • generated CSR file
  • created a certificate from MSCA (downloaded .cer file)
  • converted it to PEM format (prime only takes pem files)
  • imported signed cert and activated it in prime  
  • Restarted prime
  • I also imported the cert into my mmc as part of my trusted root certificates

however, when I open up the browser, it still shows as “not trusted”.  

I was referring you to the document so you understand how you can combine the certs.

Combining the certs is the same for every device.

 

BB


Oh ok makes sense.  Thank you. 

Hope you get there and resolve the issue, let us know how it goes..

BB


secureB00T
Level 1

I ended up doing it through the GUI as it was easier. I created a key, and it gave me a CSR file for me to input into the CA to get signed. Once signed, I concatenated the CSR and signed CA cert into one file (pem format). Then I imported it into the GUI, and it asks to restart. Once it came back online, it shows the secure connection (padlock).

How did you generate the CSR from the GUI? I cannot find any document for that.

 

Thanks for sending the commands. I have found those but couldn't get it to work. I see that the solution for this was to do this from the GUI, but can't find that on the web console of Cisco Prime.