Issues with ACS 5.3 and CSR windows 2k8 r2

All,

   First, thanks for taking the time to look at this; now on to the issue.

I generated a CSR for the client whose CA is a windows 2008 r2 machine.

First headache: Windows 2008 R2 only accepts PKCS12 certificates (what I'm told by the client).

I generate the CSR on the ACS appliance and export it along with the self-signed certificate, and use OpenSSL to create the PKCS12 file.

ncash-mac:zcoracs1 ncash$ ls
Certificate_Signing_Request5.pem   zcoracs1.key   (private key exported)
zcoracs1.cer   (Self Signed Cert)

ncash-mac:zcoracs1 ncash$ openssl pkcs12 -export -out zcoracs1.pfx -inkey zcoracs1.key -in zcoracs1.cer -certfile Certificate_Signing_Request5.pem
Enter pass phrase for zcoracs1.key: <enter password>
Enter Export Password: <enter password>
Verifying - Enter Export Password: <enter password>

ncash-mac:zcoracs1 ncash$ ls
Certificate_Signing_Request5.pem   zcoracs1.key
zcoracs1.cer
zcoracs1.pfx

ncash-mac:zcoracs1 ncash$ openssl pkcs12 -info -in zcoracs1.pfx   (test cert to make sure it is valid)
Enter Import Password: <enter password>
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: <BREVITY>
subject=/<scrubbed>
issuer=/<scrubbed>
-----BEGIN CERTIFICATE-----
--removed for brevity--
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: <scrubbed>
Key Attributes: <No Attributes>
Enter PEM pass phrase: <password>
Verifying - Enter PEM pass phrase: <password>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E9248F06C82E7BB2
-Removed for brevity-
-----END RSA PRIVATE KEY-----

The client then generated the certificate based on the PKCS12 and sent me the PKCS12 RA-signed cert for my ACS box. After converting and trying to install it into the ACS I get 'Certificate Validation Error=Unable to Parse Certificate'.

Any ideas from anyone?


Issues with ACS 5.3 and CSR windows 2k8 r2

Hello,

Do you convert the cert back to base64 after it's signed? Have you tried viewing it in a decoder to see if it's legit?

jim


Re: Issues with ACS 5.3 and CSR windows 2k8 r2

I figured it out after labbing it up. The server team wasn't signing the CSR correctly. I had them enable the Certificate Authority Web Enrollment and had them request a certificate from there. My CSR was valid; I tested it with OpenSSL. I have no idea how they were trying to request a certificate prior to me labbing it up and writing a how-to guide on the whole thing. For future reference, if anyone runs into the problem and needs the how-to I can forward it to them.

Edit: Also, if you go this route there is no need to mess with converting certificates. What I was told about Win2k8 only accepting certain types of certs was wrong.

Re: Issues with ACS 5.3 and CSR windows 2k8 r2 (accepted solution)

Yeah, I've dealt with MS CA a few times and usually have better luck with the CLI certreq command than the GUI.

Older versions don't seem to have the web server option installed by default.

I think you can generate a CSR on the CA itself; maybe that's how they were doing it? I've always used the appliance-generated CSR though, as some apps need to marry the final cert with the CSR on the box.

Good to know you've got it sorted.

jim

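The checks the thread circles around (jim's "convert the cert back to base64" and "marry the final cert with the CSR on the box", plus the original poster's PKCS12 build and -info sanity check) as one added shell example. This is not part of the thread and not Cisco or Microsoft tooling: it uses a throw-away local OpenSSL CA in place of the client's Windows 2008 R2 CA, and the hostname zcoracs1.lab.example, the CA name, the file names and the export passphrase are constructed for the lab. The key is generated with -nodes so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not from the original thread or from Cisco/Microsoft: build the
# appliance key + CSR, stand up a throw-away lab CA in place of the Windows CA,
# then check that the returned certificate actually belongs to the appliance key
# before building the PKCS#12 for import.  Hostname, CA name, file names and the
# export passphrase are constructed for this lab only; -nodes leaves the key
# unencrypted so the script runs without prompts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Appliance side: private key and CSR (constructed hostname).
openssl req -new -newkey rsa:2048 -nodes -keyout zcoracs1.key -out zcoracs1.csr \
    -subj "/CN=zcoracs1.lab.example" 2>/dev/null

# Lab CA standing in for the Windows 2008 R2 CA: self-signed root, then sign the CSR.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
    -days 30 -subj "/CN=Lab Issuing CA" 2>/dev/null
openssl x509 -req -in zcoracs1.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -days 30 -out zcoracs1-signed.pem 2>/dev/null

# The two shapes a Windows CA usually hands back: DER (.cer) and a PKCS#7 chain (.p7b).
openssl x509 -in zcoracs1-signed.pem -outform DER -out zcoracs1-signed.der
openssl crl2pkcs7 -nocrl -certfile zcoracs1-signed.pem -certfile ca.cer \
    -outform DER -out zcoracs1-chain.p7b

# to_pem FILE: emit every certificate in FILE as PEM, whatever the container
# (PEM cert, DER cert, PEM or DER PKCS#7).  This is the "convert it back to
# base64" step from the thread.
to_pem() {
    openssl x509 -in "$1" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" 2>/dev/null ||
    openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null
}

# pubkey_fp: SHA-256 over the DER encoding of a PEM public key read from stdin.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# key_fp KEY / csr_fp CSR: fingerprint of the public half of the appliance key
# and of the key embedded in the CSR; these must be identical.
key_fp() { openssl pkey -in "$1" -pubout | pubkey_fp; }
csr_fp() { openssl req -in "$1" -pubkey -noout | pubkey_fp; }

# cert_fps FILE: one fingerprint per certificate in FILE (a .p7b may list the
# CA before the end-entity cert, so every certificate is examined).
cert_fps() {
    rm -f split_*.pem
    to_pem "$1" | awk '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("split_%02d.pem", n)} f{print > f}'
    for p in split_*.pem; do
        [ -e "$p" ] || continue
        openssl x509 -in "$p" -pubkey -noout | pubkey_fp
    done
}

# cert_matches_key FILE KEY: succeeds only if some certificate in FILE was
# issued for KEY.  A cert for a different CSR, a CA cert, or a container the
# appliance cannot read are the usual reasons an import is rejected.
cert_matches_key() {
    want=$(key_fp "$2")
    for fp in $(cert_fps "$1"); do
        [ "$fp" = "$want" ] && return 0
    done
    return 1
}

# pfx_ok PFX PASS: the import-side check the original poster ran with -info;
# verifies the MAC and that the bundle parses.
pfx_ok() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Build the import bundle: signed cert + key + issuing CA.  The CSR is not a
# certificate and does not belong in -certfile.
to_pem zcoracs1-signed.der > zcoracs1-signed.cer
openssl pkcs12 -export -out zcoracs1.pfx -inkey zcoracs1.key -in zcoracs1-signed.cer \
    -certfile ca.cer -passout pass:lab-only

echo "key/CSR agree:     $([ "$(key_fp zcoracs1.key)" = "$(csr_fp zcoracs1.csr)" ] && echo yes || echo no)"
echo "DER cert matches:  $(cert_matches_key zcoracs1-signed.der zcoracs1.key && echo yes || echo no)"
echo "P7B chain matches: $(cert_matches_key zcoracs1-chain.p7b zcoracs1.key && echo yes || echo no)"
echo "CA cert matches:   $(cert_matches_key ca.cer zcoracs1.key && echo yes || echo no)"
echo "PKCS#12 parses:    $(pfx_ok zcoracs1.pfx lab-only && echo yes || echo no)"
```

Run it from any directory; it works in a temporary directory and removes it on exit. Against a real CA response, point cert_matches_key at the file the CA returned and key_fp at the key the CSR was made from: a "no" there before import tells you whether the problem is the certificate (wrong CSR, CA cert sent instead of the end-entity cert) or the container, which is more than the appliance's "Unable to Parse Certificate" message does.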