
Creating a CSR for VSOM to be signed by a Microsoft CA

Scott Olsen

Hi Everyone,

I recently had to go through getting a PEM certificate package created for a VSOM instance where the certificate package needed to be signed by a standalone Microsoft Certificate Authority for the client's internal PKI. While there are probably many ways to accomplish this, it really came down to the client absolutely needing a CSR that they could 'sign like we typically do', so I ended up taking the following route. There isn't much in the way of Cisco documentation on this, so I figured I would share what worked for us:

 

<Generate CSR as per Apache documentation>

'openssl req -new -newkey rsa:2048 -nodes -keyout vsmserver.key -out vsmserver.csr'

 

<Receive Signed cert and CA chain in pkcs7 package from MS> "newcert.p7b" (Can open in Windows and use wizard to export to individual .cer files)

- Export ClientCA public certificate into Base64 X.509 .cer package.

- Export vsmserver public certificate into Base64 X.509 .cer package.

 

<Reassemble both certificates and vsmserver private key material into pkcs12 PFX package with passphrase>

'openssl pkcs12 -export -in vsmserver.cer -inkey vsmserver.key -out vsmserver.pfx -certfile ClientCA.cer -passout pass:#REDACTED#'

 

<Convert PFX package into industry standard .PEM package for import>

[root@vsmserver ~]# 'openssl pkcs12 -in vsmserver.pfx -out vsmserver.pem -passin pass:#REDACTED# -passout pass:#REDACTED#'
MAC verified OK

 

Then import .PEM package via VSMC console.

 

Also, here’s a tip that may come in handy. 

 

Remember that passing passphrases via the CLI in a shell can get tricky if they contain *special characters* (which they should… right? Right.) If you are supplying a literal passphrase to the CLI, escape the special characters with a backslash.

 

i.e. – ‘SummerTime!4700’ becomes ‘SummerTime\!4700’

 

If you find this post helpful, please rate it!

Cheers!

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com
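
An added example, not part of the original post: the same CSR, PFX and PEM steps with the passphrase supplied through openssl's `env:` source instead of `pass:`, so it stays out of the command line and needs no backslash escaping, followed by checks that the PEM's key matches its certificate and that the chain validates before import. The throwaway CA (standing in for the Microsoft CA), the CN values and the `VSM_PASS` variable are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. The throwaway CA is constructed
# and stands in for the Microsoft CA; CN values and VSM_PASS are assumptions.
set -e
umask 077                                   # key material readable by owner only

build_bundle() {                            # $1 = work dir; passphrase comes from $VSM_PASS
  d=$1
  # Constructed stand-in CA (in the post, the client's CA signs the CSR instead).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ClientCA.cer" 2>/dev/null
  # CSR as in the post, with -subj added so it runs without prompts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vsmserver.example.test" \
    -keyout "$d/vsmserver.key" -out "$d/vsmserver.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/vsmserver.csr" -CA "$d/ClientCA.cer" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/vsmserver.cer" 2>/dev/null
  # env: keeps the passphrase out of argv, so nothing needs shell escaping.
  openssl pkcs12 -export -in "$d/vsmserver.cer" -inkey "$d/vsmserver.key" \
    -certfile "$d/ClientCA.cer" -out "$d/vsmserver.pfx" -passout env:VSM_PASS
  openssl pkcs12 -in "$d/vsmserver.pfx" -out "$d/vsmserver.pem" \
    -passin env:VSM_PASS -passout env:VSM_PASS 2>/dev/null
}

key_matches_cert() {                        # $1 = PEM bundle; compares public keys
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$1" -passin env:VSM_PASS -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

chain_ok() {                                # $1 = CA cert, $2 = PEM bundle
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_is_encrypted() {                        # $1 = PEM bundle
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

VSM_PASS='Constructed!Pass$4700'; export VSM_PASS   # constructed sample value
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_bundle "$work"
key_matches_cert "$work/vsmserver.pem" && chain_ok "$work/ClientCA.cer" "$work/vsmserver.pem" \
  && key_is_encrypted "$work/vsmserver.pem" && echo "bundle ready for import"
```

openssl also accepts `file:pathname` as a passphrase source, which avoids exposing the value through the process environment on systems where that is visible to other users.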