
Certificate error on Cisco Prime Infrastructure

anthic.lobo
Level 1

Hi,

I have Cisco PI version 1.2 running on a VM player. It has an IP address 172.16.x.6 and a hostname of NCS01.

I need to get away with the certificate error that pops up from the browser when I type in the hostname, therefore I installed a certificate following procedures on the website. The certificate was installed correctly.

Now when I type in the hostname in the web browser, though the certificate error has disappeared, I am not able to get past the login page of the NCS. The browser becomes unresponsive after the credentials are entered.

If however, I type in the IP address of the server, I am able to get access past the login page but the certificate error comes back again.

If anyone has encountered or knows about such behaviour, request you to please help.

Thanks.

3 Replies

patoberli
VIP Alumni

I also have exactly this error in Chrome too. It seems to work in latest Firefox though.

Please note, after I upgraded to PI 1.3 I lost my certificate, it seems to be replaced with a self-signed one again.

Even weirder, I can't anymore install my old (on 1.2 working) one:

cpi1/admin# ncs key importsignedcert cpi1.domain.com.pem repo defaultRepo

INFO: no staging url defined, using local space.        rval:2

truststore used is /opt/CSCOlumos/conf/truststore

The NCS server is running

Changes will take affect on the next server restart

Importing signed certificate for key

Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat

I used a company domain wide signed one.

I installed a wildcard certificate (issued by GlobalSign) on a PI 1.2 running on a physical appliance the other week and I believe everything was working well.

Shortly thereafter the system was upgraded to PI 1.3 and the certificate was automatically replaced by a self-signed one. Re-installed the wildcard certificate and since then users with Chrome cannot get past the login screen if using the FQDN. It’s working with MSIE.

To get the FQDN working again in Chrome I created a new self-signed certificate and I’m now back on square one.

Has anyone found a solution to this issue?

Found two bugs that are related to this:


CSCud15404 Bug Details
After PI 1.2 upgrade to PI 2.0 http web certificate missing on server.

Symptom:
Signed certificates that were installed on Prime Infrastructure 1.2.x.x are no longer there after upgrading.

Conditions:

Workaround:
At this time, there is no workaround. Please stop Prime Infrastructure, then reinstall the certificates while Prime Infrastructure is stopped and restart Prime Infrastructure. If the message "New certificate does not match key for tomcat" appears, please give the command "ncs key deletecacert tomcat" and stop/start Prime Infrastructure again.


CSCue55368 Bug Details
Can't login to PI 1.2.1.012 after installing signed certificate from CA.

Symptom:
After installing signed certificate users can't login to the web gui using Google Chrome standalone browser.

Conditions:
Prime Infrastructure 1.2.1.012 using a certificate obtained from a signing authority after submitting the CSR (Certificate signing request) that was generated out of PI.

Workaround:
To access the system from a web browser, use the ip address of the server, not the fqdn.
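
Added example, not part of any post in this thread and not Cisco tooling: the import error quoted above ("New certificate does not match key for tomcat") can be checked for ahead of time by comparing the public key in the signed certificate with the public key in the CSR that the server generated. The file names, the `cpi1.domain.com` subject and the generated sample keys are constructed for the demonstration; it assumes OpenSSL on a workstation and that the CSR on hand was produced from the server's current key.

```bash
#!/usr/bin/env bash
# Print a SHA-256 digest of the public key held in a PEM file.
# $1 = "x509" for a certificate, "req" for a CSR; $2 = file path.
pubkey_digest() {
    local pub
    pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1   # unreadable input must not hash as "empty"
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if certificate $1 carries the same public key as CSR $2,
# 1 if the keys differ, 2 if either file could not be parsed.
cert_matches_csr() {
    local c r
    c=$(pubkey_digest x509 "$1") || return 2
    r=$(pubkey_digest req "$2") || return 2
    [ "$c" = "$r" ]
}

# Constructed sample data: a key and CSR standing in for the server's current
# key pair, a certificate issued from that CSR, and a certificate for the
# same name made with a different key (e.g. one issued before a key change).
make_samples() {
    local d=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/pi.key" -out "$d/pi.csr" \
        -subj "/CN=cpi1.domain.com" 2>/dev/null
    openssl x509 -req -in "$d/pi.csr" -signkey "$d/pi.key" \
        -out "$d/good.pem" -days 1 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -out "$d/stale.pem" -subj "/CN=cpi1.domain.com" -days 1 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for cert in good.pem stale.pem; do
    if cert_matches_csr "$tmp/$cert" "$tmp/pi.csr"; then
        echo "$cert: public key matches the CSR"
    else
        echo "$cert: public key does NOT match the CSR"
    fi
done
rm -rf "$tmp"
```

A certificate that fails this comparison has to be reissued from a CSR generated against the server's current key; the comparison itself says nothing about the browser login problem described in CSCue55368.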