04-01-2014 06:20 AM
I'm trying to install a wildcard SSL on a Cisco Prime Infrastructure 1.4.
I've managed to install this certificate on the Cisco 5508 WLC, however not so much success with the Cisco Prime.
There is a lot of documentation regarding the installation of CSR certificates, however I could not find anything related to wildcard or public key certificates from Cisco.
I did find the following from NetBoyers. I've tried this process, however it seems to apply to NCS versions prior to 1.4, as it was unsuccessful.
Any assistance would be greatly appreciated.
08-29-2014 12:20 AM
Officially PI doesn't support wildcard certificates. We only support CSR. Also, though some of our customers have been able to install wildcard after hit and trials.
This is the general procedure:
1. Generate the certificate signing request:
http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/csr.html#wp1042823
2. Get the CA to generate the certificate:
The file should be in the PEM format, created by combining all three certificates using a text editor in this format:
-----BEGIN CERTIFICATE-----
server ( WCS/NCS/PI ) SSL server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CA1 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CA2 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CAx certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root CA certificate
-----END CERTIFICATE-----
3. Import the signed certificate:
http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/csr.html#wp1047574
Also, there are browser issues where it doesn't work on Chrome and works on FF, which is also doubtful. There is an enhancement request to support wildcard.
You can try to perform.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
11-02-2014 07:53 AM
I was able to follow the procedure in the Admin Guide to successfully import and use a CA-issued wildcard certificate (from GoDaddy) with an unencrypted private key, where the original CSR was not generated by the Prime Infrastructure server.
Prime needs to be defined with a record in your DNS serving the domain in the wildcard certificate. In my case I am using both an A record and a CNAME alias.
Following a server restart the wildcard certificate appears fine in Chrome, Firefox and IE when I browse to https://prime.<my_customer's_domain>.
Below are the commands I used. You would need to have your own certificate and keyfile. My certificate includes the full chain - server certificate, intermediate certificate and root certificate in that order.
PI01/admin# copy ftp://192.168.254.7/privatekeyplaintext.pem disk:
Username: admin
Password:
PI01/admin# copy ftp://192.168.254.7/gd_bundle-g2-g1.crt disk:
Username: admin
Password:
PI01/admin#
PI01/admin# root
Enter root password :
Starting root bash shell ...
ade # pwd
/root
ade #
ade # cd ..
ade #
ade # cd localdisk
ade # ls -al
total 68
drwxr-xr-x  8 root root     4096 Nov  2 09:51 .
drwxr-xr-x 28 root root     4096 Oct 28 11:22 ..
lrwxrwxrwx  1 root root       20 Jul 14 13:11 crash -> /opt/CSCOlumos/crash
drwxr-xr-x  2 root root     4096 Jul 15 23:31 defaultRepo
drwxr-xr-x  2 root root     4096 Jul 14 13:10 ftp
-rw-rw-rw-  1 root gadmin   6710 Nov  2 09:51 gd_bundle-g2-g1.crt
drwx------  2 root root    16384 Apr 17  2014 lost+found
-rw-rw-rw-  1 root gadmin   1679 Nov  2 09:50 privatekeyplaintext.pem
drwxr-xr-x  2 root root     4096 Jul 14 13:10 ssh
drwxr-xr-x  2 root root     4096 Jul 14 13:10 telnet
drwxr-xr-x  2 root root    12288 Nov  2 09:57 tftp
ade #
ade # mv ./gd_bundle-g2-g1.crt ./defaultRepo
ade # mv ./privatekeyplaintext.pem ./defaultRepo
ade #
ade # exit
exit
PI01/admin# show repository defaultRepo
PI01-140715-0330.tar.gpg
PI01-140716-0330.tar.gpg
gd_bundle-g2-g1.crt
privatekeyplaintext.pem
PI01/admin#
PI01/admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing certificate to trust store
PI01/admin#
PI01/admin# ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space. rval:2
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
PI01/admin#
PI01/admin# ncs stop
Stopping Network Control System...
This may take a few minutes...
Network Control System successfully shutdown.
Plug and Play Gateway is being shut down..... Please wait!!!
Stop of Plug and Play Gateway Completed!!
SAM daemon process id does not exist
DA daemon process id does not exist
DA syslog daemon process id does not exist
PI01/admin# ncs start
Starting Network Control System...
This may take a few minutes...
Network Control System started successfully.
PI01/admin#
11-02-2014 07:53 AM
Good information Marvin and thanks for taking out time to share this information here. It would be good to share the version of PI you used.
I would suggest, if you can make a document of this one, which would help many other CSC users.
Kudos to you!
-Thanks
Vinod
11-02-2014 09:18 AM
Vinod,
You're welcome. I was using PI 2.1 in the example.
Good idea re creating a document. I will go ahead and do that.
11-02-2014 09:52 AM
Marvin,
I am thinking it may be an easy. With this thread PI 1.4 was in question to use Wildcard certs.
PI 2.1 brings a lot of architectural changes which may contribute to make this supportive.
Thanks again for your outstanding support on CSC.
-Thanks
Vinod
11-02-2014 10:04 AM
Sure thing Vinod.
I clarified a few points and posted the document here.