Install wildcard SSL on Cisco Prime Infrastructure 1.4

Jurgens L
Level 3

I'm trying to install a wildcard SSL certificate on a Cisco Prime Infrastructure 1.4.

I've managed to install this certificate on the Cisco 5508 WLC; however, I have not had much success with the Cisco Prime.

There is a lot of documentation regarding the installation of CSR certificates; however, I could not find anything from Cisco related to wildcard or public key certificates.

I did find the following from NetBoyers. I've tried this process; however, it seems to apply to NCS versions prior to 1.4, as it was unsuccessful.


Any assistance would be greatly appreciated.


Accepted Solution

I was able to follow the procedure in the Admin Guide to successfully import and use a CA-issued wildcard certificate (from GoDaddy) with an unencrypted private key, where the original CSR was not generated by the Prime Infrastructure server.

Prime needs to be defined with a record in your DNS serving the domain in the wildcard certificate. In my case I am using both an A record and a CNAME alias.

Following a server restart, the wildcard certificate appears fine in Chrome, Firefox and IE when I browse to https://prime.<my_customer's_domain>.

Below are the commands I used. You would need to have your own certificate and key file. My certificate includes the full chain: server certificate, intermediate certificate and root certificate, in that order.


PI01/admin# copy ftp://192.168.254.7/privatekeyplaintext.pem disk:
Username: admin
Password: 
PI01/admin# copy ftp://192.168.254.7/gd_bundle-g2-g1.crt disk:
Username: admin
Password: 
PI01/admin#
PI01/admin# root
Enter root password : 
Starting root bash shell ... 
ade # pwd
/root
ade #
ade # cd ..
ade #
ade # cd localdisk
ade # ls -al
total 68
drwxr-xr-x  8 root root    4096 Nov  2 09:51 .
drwxr-xr-x 28 root root    4096 Oct 28 11:22 ..
lrwxrwxrwx  1 root root      20 Jul 14 13:11 crash -> /opt/CSCOlumos/crash
drwxr-xr-x  2 root root    4096 Jul 15 23:31 defaultRepo
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ftp
-rw-rw-rw-  1 root gadmin  6710 Nov  2 09:51 gd_bundle-g2-g1.crt
drwx------  2 root root   16384 Apr 17  2014 lost+found
-rw-rw-rw-  1 root gadmin  1679 Nov  2 09:50 privatekeyplaintext.pem
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ssh
drwxr-xr-x  2 root root    4096 Jul 14 13:10 telnet
drwxr-xr-x  2 root root   12288 Nov  2 09:57 tftp
ade #

ade # mv ./gd_bundle-g2-g1.crt ./defaultRepo
ade # mv ./privatekeyplaintext.pem ./defaultRepo
ade #

ade # exit
exit
PI01/admin# show repository defaultRepo
PI01-140715-0330.tar.gpg
PI01-140716-0330.tar.gpg
gd_bundle-g2-g1.crt
privatekeyplaintext.pem
PI01/admin# 

PI01/admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space.        rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing certificate to trust store
PI01/admin# 

PI01/admin# ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space.        rval:2
INFO: no staging url defined, using local space.        rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
PI01/admin# 
PI01/admin# ncs stop

Stopping Network Control System...

This may take a few minutes...

Network Control System successfully shutdown.

Plug and Play Gateway is being shut down..... Please wait!!!

Stop of Plug and Play Gateway Completed!!
SAM daemon process id does not exist
DA daemon process id does not exist
DA syslog daemon process id does not exist

PI01/admin# ncs start

Starting Network Control System...

This may take a few minutes...

Network Control System started successfully.

PI01/admin#

6 Replies

Vinod Arya
Cisco Employee

Officially, PI doesn't support wildcard certificates; we only support CSR. Though some of our customers have been able to install wildcard certificates after trial and error.

This is the general procedure:
1.  Generate the certificate signing request:
http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/csr.html#wp1042823

2.  Get the CA to generate the certificate:

The file should be in the PEM format, created by combining all three certificates using a text editor in this format:

-----BEGIN CERTIFICATE-----
server ( WCS/NCS/PI ) SSL server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CA1 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CA2 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CAx certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root CA certificate
-----END CERTIFICATE-----

3.  Import the signed certificate:
http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/csr.html#wp1047574


Also, there are browser issues where it doesn't work on Chrome but works on FF, which is also doubtful. There is an enhancement request to support wildcard.

You can try to perform it.

-Thanks

Vinod


-Thanks Vinod **Rating Encourages contributors, and its really free. **
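Before running `ncs key importcacert` / `ncs key importkey` as in the accepted answer, it is worth checking that the bundle is really laid out as the reply above describes (server certificate first, then the intermediates, then the root), that the unencrypted key actually belongs to the first certificate, and that the wildcard covers the DNS name Prime is reached by. The following pre-flight check is an added example, not code from the thread or from Cisco; it assumes a POSIX shell with the `openssl` CLI, and the file names and `prime.example.com` are placeholders for your own files and hostname.

```shell
#!/bin/sh
# Pre-flight checks for a wildcard PEM bundle plus plaintext key before importing into Prime.
# Added example (not from the thread). Assumes: POSIX sh, openssl CLI, bundle ordered
# server -> intermediate(s) -> root (root included, as in the accepted answer).
# Usage: check_prime_bundle privatekeyplaintext.pem gd_bundle-g2-g1.crt prime.example.com
# Returns 0 when every check passes, 1 (with a FAIL line on stderr) otherwise.

check_prime_bundle() {
  tmp=$(mktemp -d) || return 1
  _check_bundle_in "$1" "$2" "$3" "$tmp"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

_check_bundle_in() {
  key=$1 bundle=$2 fqdn=$3 tmp=$4
  # 1. 'ncs key importkey' expects a plaintext key; an encrypted PEM carries an ENCRYPTED marker.
  if grep -q ENCRYPTED "$key"; then echo "FAIL: private key is encrypted" >&2; return 1; fi
  # 2. Split the bundle into one file per certificate: c1.pem, c2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  [ -f "$tmp/c1.pem" ] || { echo "FAIL: no PEM certificate found in $bundle" >&2; return 1; }
  # 3. The first certificate must be the server cert that belongs to the key:
  #    compare the SHA-256 of the SubjectPublicKeyInfo derived from each side.
  key_spki=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
  crt_spki=$(openssl x509 -in "$tmp/c1.pem" -pubkey -noout 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$key_spki" = "$crt_spki" ] \
    || { echo "FAIL: key does not match the first certificate in $bundle" >&2; return 1; }
  # 4. Order check: each certificate's subject must equal the previous certificate's issuer.
  i=1
  while [ -f "$tmp/c$((i + 1)).pem" ]; do
    iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] \
      || { echo "FAIL: certificate $((i + 1)) is not the issuer of certificate $i" >&2; return 1; }
    i=$((i + 1))
  done
  # 5. Chain and hostname: the bundle carries its own root, so it doubles as the trust file;
  #    the wildcard must cover the DNS name (A/CNAME record) that Prime is browsed to.
  openssl verify -CAfile "$bundle" -verify_hostname "$fqdn" "$tmp/c1.pem" >/dev/null 2>&1 \
    || { echo "FAIL: chain does not verify for $fqdn" >&2; return 1; }
  echo "OK: $bundle matches $key and covers $fqdn"
}
```

Run it against the key and bundle you copied into `defaultRepo`; a FAIL on the order check usually means the intermediate and server certificates were pasted in the wrong sequence.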


Good information, Marvin, and thanks for taking the time to share this information here. It would be good to share the version of PI you used.

I would suggest, if you can, making a document of this one, which would help many other CSC users.

Kudos to you! 

-Thanks

Vinod


Vinod,

You're welcome. I was using PI 2.1 in the example.

Good idea regarding creating a document. I will go ahead and do that.

Marvin,

I am thinking it may be easy. In this thread, PI 1.4 was in question for using wildcard certs.

PI 2.1 brings a lot of architectural changes, which may contribute to making this supported.

Thanks again for your outstanding support on CSC.

-Thanks

Vinod


Sure thing Vinod.

I clarified a few points and posted the document here.
