Basic import of SSL cert on 9200 for web UI SSL

Hello,

I am trying to complete a basic import of a certificate to our 9200 switches, so that it covers the HTTPS access via the web GUI.

I am however struggling a bit, and Cisco first line support don't quite have the knowledge to clearly guide me.

I have used OpenSSL to generate a CSR and private key, with a common name and SAN for the switch.

I have then used the CSR to generate a base64 certificate from our AD CA.

I am trying to run

crypto pki import CERTNAME pem terminal password KEYPASSWORD

I am asked to enter the base64 data for the CA root cert (which I have done), the encrypted key (which I have obtained from the openssl generated key file), and the cert itself, which I have from the AD CA.

When I enter all this though, the command fails with:

Unable to decode key.

% PEM files import failed.

Does anyone have any thoughts on where I may have gone wrong?

Thanks

James

Accepted Solution

I have a resolution to this problem. Cisco support advised my issue was that the cert was missing DEK header information.

So, my process is:

1. Generate key and CSR using the command below:

openssl req -newkey rsa:2048 -subj "[certificate_details]" -sha256 -keyout [key_name].key -out [csr_name].csr -config [ConfigFilePath]\openssl-san.cnf

2. Convert the key or add DEK header info using the command below:

openssl rsa -in keyin.key -out keyout.key -des3

3. Generate cert from CSR

4. Import cert to switch using the command below:

crypto pki import TRUSTPOINT_NAME pem terminal password KEY_PASSWORD

5. Enter the root CA cert, key and cert text when prompted

6. Set the trustpoint as the one used for https using the command below:

ip http secure-trustpoint TRUSTPOINT_NAME

Hope this helps others.

Regards

James

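The accepted solution above, and the original question's failing import, both come down to the form of the private key: the switch's "pem terminal" import wants a traditional (PKCS#1) RSA PEM whose encryption is announced by "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines, which the thread calls the DEK header. The script below is an added example, not code from the thread or from Cisco: it generates a key and SAN CSR (step 1), re-encodes the key into that traditional encrypted form (step 2) and checks for the two header lines before anything is pasted into the switch. It assumes a POSIX shell with openssl on PATH; the hostname and IP in the config are constructed placeholders. Two points it accounts for that the thread does not spell out: "openssl req -newkey" without -nodes writes a PKCS#8 "ENCRYPTED PRIVATE KEY" block, which carries no DEK-Info line, so a key taken straight from step 1 is the kind the import cannot decode; and OpenSSL 3.x writes PKCS#8 from "openssl rsa" unless -traditional is given, so the step 2 command as posted only yields the DEK header on older releases. The script detects that flag rather than assuming a version.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a key/CSR pair and confirm the
# key is in the PKCS#1 + DEK-Info form before pasting it into "crypto pki import".
set -eu

# Write a minimal OpenSSL config with a SAN section. The hostname and IP are
# constructed placeholders; substitute the switch's real FQDN and address.
write_san_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = switch01.example.internal
[v3_req]
subjectAltName = DNS:switch01.example.internal, IP:192.0.2.10
EOF
}

# Step 1: key plus CSR. -nodes keeps the key unencrypted here so that the only
# passphrase in play is the one added in step 2 (the one the switch is told).
# Arguments: config, key output path, CSR output path.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2" -out "$3" -config "$1" >/dev/null 2>&1
}

# Step 2: re-encode as a traditional (PKCS#1) PEM encrypted with DES3. That is
# the form that carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers.
# OpenSSL 3 writes PKCS#8 by default and needs -traditional; OpenSSL 1.1.1 has
# no such flag and writes PKCS#1 anyway, so the flag is added only if present.
# Arguments: input key, output key, passphrase.
encrypt_key_with_dek_header() {
  if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
    trad='-traditional'
  else
    trad=''
  fi
  # $trad is deliberately unquoted so an empty value adds no argument.
  openssl rsa -in "$1" -out "$2" -des3 $trad -passout "pass:$3" 2>/dev/null
}

# Pre-paste check: returns 0 when both header lines the import expects are
# present, 1 otherwise. Run this on the file before touching the switch.
has_dek_header() {
  grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info: ' "$1"
}

# Print the SAN line actually embedded in the CSR, so it can be checked
# against the switch's management name before the CA signs it.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Typical run (uncomment to use interactively):
#   write_san_config san.cnf
#   make_key_and_csr san.cnf plain.key switch.csr
#   encrypt_key_with_dek_header plain.key switch.key 'KEY_PASSWORD'
#   has_dek_header switch.key && echo "key ready for pem terminal import"
#   csr_sans switch.csr
```

After the CA returns the certificate, the three blocks pasted at the "crypto pki import ... pem terminal" prompts are the CA root cert, the contents of switch.key (the encrypted one, with its header lines) and the signed cert, and KEY_PASSWORD on the command line must be the passphrase given to encrypt_key_with_dek_header. Delete plain.key once switch.key passes has_dek_header; the unencrypted copy has no further use.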

4 Replies

Can anyone guide me on this?

Cisco support are suggesting a much more convoluted process to convert the certs into PFXs, upload via FTP, and then install to the switch.

The switch provides commands that look to suggest I should be able to import directly from a PEM and KEY, but it doesn't seem to work and they aren't being too helpful in helping me figure out why.

Cheers

James

MichaelHusk
Level 1

Hey James,

Were you able to resolve this issue? I am having the same problem.

Thanks,

Hi Michael,

I have been working with Cisco support for some time on this issue, but they keep telling me to go through some convoluted process to convert the file to a PFX, upload it to the switch via FTP or SCP etc. then import it from switch storage.

This is a headache for me, and a nightmare for anyone with a larger fleet of switches.

It has been escalated, and I am trying to understand why this process is failing, and whether or not it is a supported/expected procedure to follow.

Will update as soon as I have a concrete answer.

Many thanks

James