03-24-2022 12:30 AM
Hello Folks,
I am trying to install a third-party signed cert on Cisco Prime version 3.7.
The certificate is valid and in use in the customer's ISE deployment. I have exported the certificate from ISE in .pem format and the private key exists in .pvk format. It's a wildcard cert, so we want to utilize it for Prime administration and also in using TLS with ISE.
Upon using the procedure provided in the admin guide, I am unable to load the certificate using one of the repositories provided in Prime. It throws an error as shown below. On reading posts about similar issues on the community, I see that individuals facing the same issue have changed formats etc. to make it work using OpenSSL.
I have tried doing the same but with no success.
Please note, I have included the entire cert in one file, which has the server certificate, the intermediate and then full certificate in the same order.
I am using the command:
ncs key importkey private-key.pvk gd_bundle-g2-g1.crt repository Backup
The error:
139750375704240:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:550:
139750375704240:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
139750375704240:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
139750375704240:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:
ERROR: Failed to import key certificate. Public key in certificate does not match with private key
ERROR: ncs key importkey command failed. rval:256
Thanks
Aamir
03-24-2022 01:14 AM
digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:550:
ERROR: Failed to import key certificate. Public key in certificate does not match with private key
ERROR: ncs key importkey command failed. rval:256
As far as I know, this shows something is wrong with the certs, so are you able to read those files?
Prime accepts base64 format. Is your ISE PKI?
03-24-2022 02:05 AM
Hello,
the .pvk format might be the problem. What if you convert the .pvk to a .pem ?
03-27-2022 04:09 AM
Hello Georg,
Actually, even I was leaning towards the same, but I am unable to find the exact command to do that via openssl when I checked online.
Are you able to provide it, if it's in your armory?
Thanks
Aamir
03-27-2022 08:50 AM
Hello,
I think the exact syntax depends on the OpenSSL software you have installed. You could try this:
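
Added example, not part of Georg's reply or any other post in this thread: a pre-import check for the condition behind "Public key in certificate does not match with private key", which also distinguishes an unreadable key (the "bad decrypt" case) from a bundle whose server certificate is not first. It assumes the private key is already in PEM form; the function names, file names and the demo passphrase are hypothetical, and the key material is constructed throwaway data.

```sh
#!/bin/sh
# Added example: check that a PEM private key belongs to the first
# certificate in a bundle before handing both files to an import command.

# key_matches_cert KEY BUNDLE [PASSPHRASE]
#   0 = key matches the first certificate in BUNDLE
#   1 = both files parse, but the public keys differ
#   2 = key unreadable (wrong passphrase, or not a PEM private key)
#   3 = first PEM block in BUNDLE is not a certificate
key_matches_cert() (
    # openssl x509 reads only the first certificate, so the server (leaf)
    # certificate has to come before the intermediates in the bundle.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 3
    # Pass the passphrase through the environment, not argv (visible in ps).
    key_pub=$(KEY_PASS="${3:-}" openssl pkey -in "$1" -passin env:KEY_PASS \
              -pubout 2>/dev/null) || exit 2
    [ "$key_pub" = "$cert_pub" ] || exit 1
)

# make_demo_files DIR: constructed throwaway material for trying the check.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/other.crt" > "$1/bundle.crt"    # leaf first
    cat "$1/other.crt" "$1/leaf.crt" > "$1/reversed.crt"  # leaf last
    openssl pkey -in "$1/leaf.key" -aes256 -passout pass:demo-only \
        -out "$1/leaf.enc.key"                            # encrypted copy
}

# Run with --demo to print the return code for three typical situations.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_files "$d"
    key_matches_cert "$d/leaf.key" "$d/bundle.crt"
    echo "matching key, leaf first: $?"
    key_matches_cert "$d/leaf.key" "$d/reversed.crt"
    echo "matching key, leaf last:  $?"
    key_matches_cert "$d/leaf.enc.key" "$d/bundle.crt" wrong
    echo "wrong passphrase:         $?"
    rm -rf "$d"
fi
```

A return code of 2 means the key never parsed, so a "does not match" message that follows it says nothing about the certificate itself.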