23833 Views, 91 Helpful, 10 Replies

VCS-E Private Key

jamie.mai (Level 1)

I created a CSR from the first VCS server and received my SAN cert for both VCS-E servers. I installed it on the first server, all good. Now I want to install it on the second server and it asks for the private key. I tried copy/pasting the PEM from the first server (at the top of the Server Certificate page, next to the cert) into a file, but it says "invalid private key" when I try to install. Where do I get the private key? I tried searching this site but got an Ajax error. Thanks!

Accepted Solution

Alok Jaiswal (Level 4)

SSH to the server from which you generated the CSR and already uploaded the certificate.

You need to log in as root and then go to the folder root/tandberg/persistent/certs.

Inside this you will see the priv-key.pem file; you can use the cat command to read the content, copy it into a text file and save it as a .pem file.

After this, try to upload the certificate on the second server using this priv-key.

You can also use WinSCP to log in to the VCS as root if you are not comfortable with CLI mode. The path location will be the same.

Regards,

Alok


10 Replies

Patrick Sparkman (VIP Alumni)

If you generate the CSR on the VCS, you don't get to see the private key or do anything with it; you just get the CSR, and then you need to upload it after it has been signed. The private key is stored securely on the VCS and cannot be viewed or downloaded.

If you generate the CSR and key with something like openssl, then you can upload both of them.


Thanks for all the responses guys, I was able to follow Alok's suggestion to use root to copy the key from the first server and was able to use it to upload with the cert on the second server. For the record it is not a clustered environment, I have one server for remote Jabber and one for Jabber guest. Thanks again!

Log in to the Exp-E publisher as root.

Copy the private key from the publisher:

~ # cd /tandberg/persistent/certs
~/persistent/certs # ls -a
~/persistent/certs # cat privkey.pem

Copy the private key, save it in an editor as private.pem, and import it into the secondary server. As the server certificate, you can select the certificate generated for the publisher. Upload, restart the subscriber and check the Exp-C zone for connection status. It should show green again in approx. 3 min.

Hi,

Thank you for your reply. I found the file, but I cannot copy from the command prompt, as I am logged in via the VM console.

Please suggest.

Thank you,

Aliasgar Jhabuwala

Elias Sevilla Duarte (Cisco Employee)

I wonder if you generated the CSR for a clustered system, meaning that both VCS-Es described above are in a cluster.

If that is the case, here is what the guide says about clustered systems:

Server Certificates and Clustered Systems

When a CSR is generated, a single request and private key combination is generated for that peer only. If you have a cluster of VCSs, you must generate a separate signing request on each peer. Those requests must then be sent to the certificate authority and the returned server certificates uploaded to each relevant peer. You must ensure that the correct server certificate is uploaded to the appropriate peer, otherwise the stored private key on each peer will not correspond to the uploaded certificate.

The above indicates that not even extracting the private key from the first VCS-E will make the certificate upload work, as the private key will mismatch.

Conclusion: you need a CSR to be generated on each VCS-E, and then upload separate certificates to each peer.

Page 8 of the guide below:

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-9/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf

I hope this helps.

Hi Elias,

I can confirm that that's wrong. What the document says is the best practice only. But while generating a certificate, e.g. even in a clustered system, you get two options:

1) cluster FQDN and this peer only

2) cluster FQDN and all peers.

If you choose the second option, then you can just get one certificate signed and that will contain the other peer under the SAN entry.

And then you can get the priv-key file from the location mentioned in this thread and upload it on the second node with the same signed certificate.

Regards,

Alok

Hi Alok,

I may be wrong, but if the Cisco guide says that this is a "must" then I don't argue, but you could be right.

My statement refers to clustered systems.

Cisco documents, when it comes to certificates and UC products, tend to be a little, how do we say, not always correct. I have myself been told by TAC that you cannot copy a private key off one Expressway to another, yet I have seen it working and been told by another Cisco engineer that they did it to a production system.
Log in to the Exp-E publisher as root.

Copy the private key from the publisher:

~ # cd /tandberg/persistent/certs
~/persistent/certs # ls -a
.        ca.pem.default         crl-update.conf       policy-services.crl          privkey.pem.default          server.pem
..       client-ca.crl          .crl-update.conf.bak  policy-services.crl.default  sch_server_cert.pem          server.pem.default
ca.pem   client-ca.crl.default  generated_csr         privkey.pem                  sch_server_cert.pem.default  server-ssh.pem
~/persistent/certs # cat privkey.pem
-----BEGIN PRIVATE KEY-----
MIIJPwIBADANBgkqhkiG9w0BAQEFAASCCSkwggklAgEAAoICAQCjxNnDTSDeiKSU
o1JONOB9iXux/+2fG1wCDmj4vo1daHcYFCbQA+ZYV1mMOyvsNi/SwZem1H1NloTL
DjsmkpkDp7I9Gi2VOTmXvfyMepYoeaF20E13VW9I2vhhbWkV5VEZs2OEm2/e6Qq0
RjDiXKU1gSlI3ATZDTngIIAAO608PHykUEAwxKk+05Jj5uyif6pPAKbZnE5SNCCIK/zn
...
2ZV/WQVo3gb6sL3mBw0o3ibXeDmU23qb3AshvgsaQxaVBP0wt5FSX57kEUL3uKk
...
GXbHrV+slw02PgI3nj76MlHZrOTJN20OqiEAfQnTpG/+dFUI9hdh2nhkamxxkXQ==
-----END PRIVATE KEY-----

Copy the private key, save it in an editor as private.pem, and import it into the secondary server. As the server certificate, you can select the certificate generated for the publisher. Upload, restart the subscriber and check the Exp-C zone for connection status. It should show green again in approx. 3 min.
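The two routes discussed in this thread both come down to one fact: the private key uploaded to the second VCS-E must be the key that the CA-signed certificate was issued for. The script below is an added example, not code from any reply above or from Cisco. It shows, with openssl, (a) how to confirm that a privkey.pem copied off the first node really belongs to server.pem before it is uploaded anywhere (the web UI's "invalid private key" usually means a certificate or CSR was pasted where a key was expected), and (b) Patrick's alternative of generating the key and CSR yourself, with both VCS-E FQDNs in the SAN, so that one key/certificate pair legitimately covers both nodes. The hostnames, the temporary directory, and the self-signed certificate that stands in for the CA-issued one are constructed for the demo; the file names privkey.pem and server.pem follow the /tandberg/persistent/certs listing posted above. OpenSSL 1.1.1 or later is assumed (for `req -addext`).

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks around moving a VCS-E /
# Expressway server certificate and its private key to a second node.
# Assumes: the openssl CLI (1.1.1+) is on PATH. Hostnames, temp paths and the
# self-signed stand-in certificate below are constructed for the demo.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo carried inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# True only if the file parses as a private key. A certificate or a CSR pasted
# by mistake (the usual cause of "invalid private key" in the web UI) fails here.
is_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# True when the private key belongs to the certificate. Run this on the copied
# privkey.pem BEFORE uploading it to the second node. Both inputs are parsed
# first: "openssl dgst" happily hashes empty input, so comparing fingerprints of
# two unparseable files would otherwise report a bogus match.
key_matches_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    is_private_key "$2" || return 1
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Patrick's route: make the key and CSR yourself with openssl, listing every
# node FQDN in the SAN, so the same key/cert pair can be installed on both VCS-Es.
# Usage: make_san_csr KEYFILE CSRFILE FQDN...   (the first FQDN becomes the CN)
make_san_csr() {
    key=$1; csr=$2; shift 2
    sans=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"
    openssl req -new -key "$key" -subj "/CN=$1" -addext "subjectAltName=$sans" -out "$csr"
}

# Comma-separated DNS SANs requested in a CSR, e.g. "DNS:a,DNS:b".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | paste -s -d, -
}

# Constructed end-to-end run: key + CSR for two made-up VCS-E names, a
# self-signed cert standing in for the CA-issued one, then the checks.
demo() {
    d=$(mktemp -d)
    make_san_csr "$d/privkey.pem" "$d/vcse.csr" vcse1.example.test vcse2.example.test
    openssl x509 -req -in "$d/vcse.csr" -signkey "$d/privkey.pem" -days 1 \
        -out "$d/server.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.pem" 2>/dev/null
    echo "SANs in CSR: $(csr_sans "$d/vcse.csr")"
    key_matches_cert "$d/server.pem" "$d/privkey.pem" && echo "privkey.pem matches server.pem: OK to install on node 2"
    key_matches_cert "$d/server.pem" "$d/other.pem" || echo "other.pem does NOT match server.pem: would break TLS on node 2"
    is_private_key "$d/server.pem" || echo "server.pem is a certificate, not a key: this is what 'invalid private key' looks like"
    rm -rf "$d"
}

demo
```

Treat the copied privkey.pem as a credential: move it between nodes over SSH (scp/WinSCP, as the accepted answer suggests) rather than through a clipboard, ticket or forum post, keep it mode 600, and delete the working copy afterwards. Once two nodes share a key, compromise of either one exposes the certificate identity of both, which is the practical reason the Cisco guide quoted above prefers one CSR and key per peer.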