
Unable to install third party signed certificate in Cisco Prime

aamir.aleem
Level 1

Hello Folks,

I am trying to install a third party signed cert on Cisco Prime version 3.7.

The certificate is valid and in use in the customer's ISE deployment. I have exported the certificate from ISE in .pem format and the private key exists in .pvk format. It's a wildcard cert, so we want to utilize it for Prime administration and also for using TLS with ISE.

Upon using the procedure provided in the admin guide, I am unable to load the certificate using one of the repositories provided in Prime. It throws an error as shown below. On reading posts about similar issues on the community, I see that individuals facing the same issue have changed formats etc. to make it work using OpenSSL.

I have tried doing the same but with no success.

Please note, I have included the entire cert in one file, which has the server certificate, the intermediate and then full certificate in the same order.

I am using the command:

ncs key importkey private-key.pvk gd_bundle-g2-g1.crt repository Backup

The error:

139750375704240:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:550:
139750375704240:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
139750375704240:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
139750375704240:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:
ERROR: Failed to import key certificate. Public key in certificate does not match with private key
ERROR: ncs key importkey command failed. rval:256

Thanks

Aamir

4 Replies

balaji.bandi
Hall of Fame
digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:550:
ERROR: Failed to import key certificate. Public key in certificate does not match with private key
ERROR: ncs key importkey command failed. rval:256

This shows something is wrong with the certs as far as I know, so are you able to read those files?

Prime accepts base64 format; is your ISE PKI?

BB


Hello,

the .pvk format might be the problem. What if you convert the .pvk to a .pem?

Hello Georg,

Actually, even I was leaning towards the same, but I am unable to find the exact command to do that via openssl when I checked online.

Are you able to provide it, if it's in your armory?

Thanks

Aamir

Hello,

I think the exact syntax depends on the OpenSSL software you have installed. You could try this:


https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-1FEC8732-7466-4A16-A837-6A709958817F.html
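
Added example, not part of any post in this thread and not Cisco's code: since the replies suspect the key file's format, this sketch reports which container a private-key file uses (Microsoft PVK, PKCS#8 PEM, traditional PEM, DER) and whether it is passphrase-protected, and lists the PEM blocks of a bundle in file order. The function names are hypothetical, the PVK header layout is the commonly documented one, and the sample bytes are constructed.

```python
import re
import struct

PVK_MAGIC = 0xB0B5F11E  # first little-endian dword of a Microsoft PVK file
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(data: bytes):
    """Return [(label, body)] for every PEM block, in file order."""
    return [(m.group(1).decode(), m.group(2)) for m in PEM_BLOCK.finditer(data)]


def classify_key_file(data: bytes) -> str:
    """Name the container a private-key file uses, without decrypting it."""
    if len(data) >= 24 and struct.unpack_from("<I", data)[0] == PVK_MAGIC:
        # PVK header dwords: magic, reserved, keytype, encrypted, saltlen, keylen
        encrypted = struct.unpack_from("<I", data, 12)[0]
        return "pvk-encrypted" if encrypted else "pvk"
    for label, body in pem_blocks(data):      # skips any "Bag Attributes" text
        if label == "ENCRYPTED PRIVATE KEY":
            return "pem-pkcs8-encrypted"      # needs the passphrase to be read
        if label == "PRIVATE KEY":
            return "pem-pkcs8"
        if label.endswith(" PRIVATE KEY"):    # e.g. "RSA PRIVATE KEY"
            legacy_enc = b"Proc-Type: 4,ENCRYPTED" in body
            return "pem-traditional-encrypted" if legacy_enc else "pem-traditional"
    if data[:2] == b"\x30\x82":               # DER SEQUENCE with 2-byte length
        return "der"
    return "unknown"


def bundle_summary(data: bytes):
    """Labels of the PEM blocks in a certificate bundle, in file order."""
    return [label for label, _ in pem_blocks(data)]


if __name__ == "__main__":
    # Constructed samples: a 24-byte PVK header and a three-block bundle.
    sample_pvk = struct.pack("<6I", PVK_MAGIC, 0, 1, 1, 16, 1172) + b"\x00" * 16
    sample_bundle = (b"-----BEGIN CERTIFICATE-----\nAAAA\n"
                     b"-----END CERTIFICATE-----\n") * 3
    print(classify_key_file(sample_pvk))      # container of the key file
    print(bundle_summary(sample_bundle))      # blocks found, server cert first
```

To use it on real files, pass the bytes of the key file and of the bundle read with `open(path, "rb").read()`; an `-encrypted` result means the import can only succeed if the correct passphrase is supplied or the key is first converted to the format the appliance expects.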