Hi Everyone,
I recently had to go through getting a PEM certificate package created for a VSOM instance where the certificate package needed to be signed by a standalone Microsoft Certificate Authority for the client's internal PKI. While there are probably many ways to accomplish this, it really came down to the client absolutely needing a CSR that they could 'sign like we typically do', so I ended up taking the following route. There isn't much in the way of Cisco documentation on this, so I figured I would share what worked for us:
<Generate CSR as per Apache documentation>
openssl req -new -newkey rsa:2048 -nodes -keyout vsmserver.key -out vsmserver.csr
<Receive Signed cert and CA chain in pkcs7 package from MS> "newcert.p7b" (Can open in Windows and use wizard to export to individual .cer files)
- Export ClientCA public certificate into Base64 X.509 .cer package.
- Export vsmserver public certificate into Base64 X.509 .cer package.
<Reassemble both certificates and vsmserver private key material into pkcs12 PFX package with passphrase>
openssl pkcs12 -export -in vsmserver.cer -inkey vsmserver.key -out vsmserver.pfx -certfile ClientCA.cer -passout pass:#REDACTED#
<Convert PFX package into industry standard .PEM package for import>
[root@vsmserver ~]# openssl pkcs12 -in vsmserver.pfx -out vsmserver.pem -passin pass:#REDACTED# -passout pass:#REDACTED#
MAC verified OK
Then import .PEM package via VSMC console.
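The following script is an added example and is not part of the original post or any Cisco material: it replays the same steps end to end in a scratch directory and then runs the checks you would want before handing the .PEM to VSMC. The one thing it cannot reproduce is the Microsoft CA, so a throwaway OpenSSL CA called ClientCA stands in for it; the subject name vsmserver.example.test, the CA name and the passphrase in PFX_PASS are all constructed sample values. It needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post. Replays the CSR -> signed cert ->
# PFX -> PEM workflow in a temp dir and verifies the result. ClientCA is a
# throwaway OpenSSL CA standing in for the client's standalone Microsoft CA.
set -eu

# Passphrase held in a variable and always double-quoted when handed to
# openssl, so special characters such as '!' need no backslash escaping.
PFX_PASS="${PFX_PASS:-SummerTime!4700}"   # constructed sample value

# Minimal req config so the commands also run on hosts without a system openssl.cnf.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Stand-in for the Microsoft CA: a self-signed root plus the "sign like we
# typically do" step on the CSR. Produces ClientCA.cer and vsmserver.cer
# (both Base64 X.509, the same as the wizard export from newcert.p7b).
stand_in_ca_sign() {
    d="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$d/req.cnf" \
        -keyout "$d/ClientCA.key" -out "$d/ClientCA.cer" -subj "/CN=ClientCA" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/vsmserver.csr" -CA "$d/ClientCA.cer" \
        -CAkey "$d/ClientCA.key" -CAcreateserial -out "$d/vsmserver.cer" 2>/dev/null
}

# The post's steps: CSR + private key, PFX assembly with the CA cert, PFX -> PEM.
build_pem_bundle() {
    d="$1"
    write_req_config "$d"
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -keyout "$d/vsmserver.key" -out "$d/vsmserver.csr" \
        -subj "/CN=vsmserver.example.test" 2>/dev/null
    stand_in_ca_sign "$d"
    openssl pkcs12 -export -in "$d/vsmserver.cer" -inkey "$d/vsmserver.key" \
        -certfile "$d/ClientCA.cer" -out "$d/vsmserver.pfx" -passout pass:"$PFX_PASS"
    openssl pkcs12 -in "$d/vsmserver.pfx" -out "$d/vsmserver.pem" \
        -passin pass:"$PFX_PASS" -passout pass:"$PFX_PASS"
}

# Pre-import checks: the server cert chains to ClientCA, the PEM carries both
# certificates, and the key inside the PEM belongs to the server certificate.
verify_pem_bundle() {
    d="$1"
    openssl verify -CAfile "$d/ClientCA.cer" "$d/vsmserver.cer" >/dev/null || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$d/vsmserver.pem")" -eq 2 ] || return 1
    openssl x509 -in "$d/vsmserver.cer" -noout -pubkey > "$d/cert.pub"
    openssl pkey -in "$d/vsmserver.pem" -passin pass:"$PFX_PASS" -pubout > "$d/key.pub"
    cmp -s "$d/cert.pub" "$d/key.pub"
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
build_pem_bundle "$WORK"
if verify_pem_bundle "$WORK"; then
    echo "vsmserver.pem checks out; import it via the VSMC console"
else
    echo "bundle failed verification; do not import it" >&2
    exit 1
fi
```

On a real engagement you would drop stand_in_ca_sign and instead feed the CSR to the client's CA, export ClientCA.cer and vsmserver.cer from newcert.p7b as in the post, and run only the build and verify halves. The public-key comparison at the end is the check that catches the classic mistake of pairing the signed certificate with the wrong key file.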
Also, here’s a tip that may come in handy.
Remember that passing passphrases via the CLI in a shell can get tricky if they contain *special characters* (which they should… right? Right.) If you are supplying a literal passphrase to the CLI, escape the special characters with a backslash.
i.e. 'SummerTime!4700' becomes 'SummerTime\!4700'
If you find this post helpful, please rate it!
Cheers!
Scott Olsen
Solutions Specialist
Bulletproof Solutions Inc.
Web: www.bulletproofsi.com