LMS Prime: Certificate Signing Request Issue

alex.dersch
Level 4

Hello,

I installed LMS Prime on a soft appliance and I am trying to generate a signing request to request a certificate from our corporate CA. I added the information under Admin > Trust Management > Local Server > Certificate Setup and pressed Apply.

But only the server.crt and server.pk8 were created. But I need the server.csr file to request a new certificate. I tried using the old server.csr file but the hostname in the issued certificate doesn't match the hostname.

Any ideas why server.csr and server.key were not updated?

-rwxr-xr-x 1 casuser casusers  404 Oct  8 13:00 openssl.conf
-r--r----- 1 casuser casusers 1054 Oct  8 13:00 server.crt
-r-------- 1 casuser casusers  595 Jul 18 11:59 server.csr
-r-------- 1 casuser casusers  891 Jul 18 11:59 server.key
-r--r----- 1 casuser casusers  636 Oct  8 13:00 server.pk8

Thanks

alex

7 Replies

Michel Hegeraat
Level 7

Have a look in CSCOpx\MDC\apache\ssl\

There are some scripts to generate normally in the same directory

Cheers,

Michel

Hi Michel,

There is no folder ssl in /opt/CSCXpx/MDC/Apache

Do you refer to the Windows-based version of LMS?

regards

Alex

Hi Alex,

Try this:

(1) Go to /opt/CSCOpx/MDC/Apache/conf/ssl and delete or back up the following files:

server.crt
server.csr
server.key
server.pk8

(2) Do a /opt/CSCOpx/MDC/Apache/bin/ConfigSSL.pl -disable
(3) then /opt/CSCOpx/MDC/Apache/bin/ConfigSSL.pl -enable
Enter all the information to generate the certificate
(4) /etc/init.d/dmgtd stop
(5) Wait 10 minutes
(6) /etc/init.d/dmgtd start

Thanks

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hello Afroj,

Thanks for supporting me, I did what you recommended. In SSLUtil I got this warning

Please note the requirements below for uploading certificate(s)

** CiscoWorks requires the Certificate(s) to be uploaded in Base64-Encoded X.509Certificate format

** You should have obtained the third Party Certificate using the CSR file generated by CiscoWorks Server.

** If you have not obtained the Certificate from a Prominent third party CA, you will also have to upload the root CA certificate as part of the Certificate Chain

** It is recommended that you run this script with option '4' first to verify the Certificate(s) to be uploaded

Do you want to continue [y/n]?y

Enter the location of the Server Certificate to be uploaded: /opt/CSCOpx/MDC/Apache/conf/ssl/server.crt

INFO: Certificate is a Base64-Encoded X.509Certificate

INFO: Certificate validated with Server's Private Key successfully

WARNING: HostName in Certificate does not match CiscoWorks Server name.

HostName in Given Certificate      : nos-ch-wbn-lms1.nosergroup.lan

HostName as known to CiscoWorks: nos-ch-wbn-lms1

Do you want to continue [y/n]?

I guess that is because I used the fully qualified domain name to create the certificate instead of just the hostname. Will this cause any problems later?

regards

alex

I verified the certificate with option 4 and got this result.

[Sun Oct 09 00:51:14 CEST 2011]INFO: The Certificate Chain is Complete

INFO: The given Certificate(s) constitute a complete Chain

INFO: Input Certificate/Certificate Chain Verification Successful

INFO: The Certificate(s) can be uploaded to the CiscoWorks Server

I am a little bit suspicious because I screwed up my LMS recently and had to set it up again.

regards

alex

Hi Alex,

I would recommend you to generate the certificate with HostName not with FQDN.

Thanks

Afroj


Hello Afroj,

I created the signing request with the hostname only. After adding the certificate and the CA certificate with SSLUtil option 6 the Apache server doesn't start anymore.

I used option 1 of SSLUtil to display the certificate information and I got this message.

*** CiscoWorks Server Certificate Information ***

unable to load certificate

8534:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

Use of uninitialized value in scalar chomp at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 739, line 1.

Use of uninitialized value in scalar chomp at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 745, chunk 1.

Use of uninitialized value in scalar chomp at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 739, line 1.

Use of uninitialized value in scalar chomp at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 745, chunk 1.

Use of uninitialized value in substitution (s///) at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 103, line 1.

Use of uninitialized value in substitution (s///) at /opt/CSCOpx/MDC/Apache/bin/SSLUtil.pl line 104, line 1.

[Sun Oct 09 20:15:03 CEST 2011]Error occurred while reading Certificate: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.

Error occurred while trying to validate the given Certificate

PDSHOW gives this

pdshow Apache

        Process= Apache

        State  = Administrator has shut down this server

        Pid    = 0

        RC     = 1

        Signo  = 0

        Start  = 10/09/11 20:24:14

        Stop   = 10/09/11 20:24:15

        Core   = Not applicable

        Info   = Application started by administrator request.

any ideas?

regards

Alex
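
Added example, not part of the thread and not Cisco's SSLUtil code: a stand-alone Python check for a file before it is uploaded as a Base64-encoded X.509 certificate. It reports whether each PEM block carries a certificate start line (the thing the "no start line" message is about) and whether the decoded DER has a consistent outer length. The label set, verdict names and sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Labels this example treats as a certificate start line (assumption).
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}

def der_outer_ok(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False                  # parsers refuse such a length tag
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def classify(data: bytes) -> list:
    """One (label, verdict) pair per PEM block, or one pair for a non-PEM file."""
    blocks = PEM_RE.findall(data.decode("latin-1"))
    if not blocks:                        # no "-----BEGIN ...-----" line at all
        return [("none", "raw-der" if der_outer_ok(data) else "unreadable")]
    result = []
    for label, body in blocks:
        if label not in CERT_LABELS:      # e.g. a CSR or key uploaded by mistake
            result.append((label, "not-a-certificate"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            result.append((label, "bad-base64"))
            continue
        result.append((label, "ok" if der_outer_ok(der) else "bad-der"))
    return result

def pem(label: str, der: bytes) -> bytes:
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

TOY = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # constructed stand-in, not a real cert

if __name__ == "__main__":
    for name, blob in [("cert", pem("CERTIFICATE", TOY)),
                       ("csr", pem("CERTIFICATE REQUEST", TOY)),
                       ("cut", pem("CERTIFICATE", TOY[:-1])),
                       ("junk", b"\xff\xfe\x00\x00")]:
        print(name, classify(blob))
```

This only checks the framing of the file; whether the certificate matches the server's private key and hostname still has to be verified separately, as SSLUtil option 4 does.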