cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13286
Views
15
Helpful
7
Replies

PKI Cert Issue UCS Manager

I am having an issue when adding the CA-issued certificate to the Keyring it corresponds to in UCS Manager.  I have added the CA's cert as a TP, but when I try to save it, i get the following error message:

Error modifying KeyRing <Name>.

verify cert error: unable to get local issuer certificate

All comments and suggestions are welcomed and appreciated.

7 Replies 7

padramas
Cisco Employee
Cisco Employee

Hello Wade,

If there is a trust chain, have you received any additional certificates from your CA  ?

Also, let us know the UCSM version running on FI.

Padma

Padma,

I'm running UCS Version 1.4(3q).  The only certificates I have available from the CA is the CA's certificate (used for the Trusted Point) and the signed request.  Thank you for you help!

Hello,

Can you please provide me the following output

scope security

show keyring detail

show trustpoint detail

Also, if you have system with openssl package , you can run the following commands to verify the certificate details.

## UCSM CSR

openssl req -text -noout -verify -in

## verify signed cert from CA

openssl x509 -in -text -noout

If you would not like to share it here, please open a TAC service request along with UCSM tech support log bundle.

Padma

ericocallaghan
Level 1
Level 1

Hi Wade,

I had the same issue. Was your end cert issued by a subordinate CA? If so you will need the certificate chain in base64 format and run the following command on a system which has openssl installed to convert from base64 p7b to base64 pem:

openssl pkcs7 -print_certs -in CACertChain.p7b -out CACertChain.crt

Then import the contents of CACertChain.crt into the TP. You will then be able to import your SubCA issued cert into the KR.

What was missing in my setup was the issuing CA cert in the certificate chain. While I had attempted to import the certificate chain I downloaded from the issuing CA, it resulted in a "failure to split certificates" error. While the root CA cert would import successfully, UCS would return the "unable to get local issuer certificate" error as it could not validate the SubCA which has issued the end certificate.

Kudos to a colleague with PKI experience!

Regards,

Eric

aaronrombaut
Level 1
Level 1

I know the original post is somewhat old, but it took me quite awhile to figure this one out in the past few days. When I started my Google search, this was the first post to come up. I wanted to make sure others had a fix as well. Unfortunately, the Cisco UCS Manager Administration Management Guide was too vague and did not provide enough details (that I could find).

 

The specific error I would receive (on firmware 3.1(2e) and firmware 3.1(2b)) was: "Error creating TP <name of Trusted Point>. failed to verify certificate chain, error: Failed to split certificate chain"

 

This is how I was able to fix and now, of course, it seems quite obvious given the name, Certificate Chain.

~~ Creating a Trusted Point ~~

  1. Launch UCS Manager
  2. Admin > Key Management > Trusted Points
  3. Click 'Add' to create a new Trusted Point
  4. Name is the name of the trusted point. It will display as (TP <whatever name you gave it>) after completion. (ie naming it 'Test' will result in 'TP Test')
  5. Certificate Chain is the certificate information for the trusted point. It is merely a concatenation of the certification chain, starting with the Intermediate Certificates, then the Root Certificate, in a top-down order. The entire contents of the Base64 encoded X.509 (CER) file starting from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- need to be copied, then immediately following on the next line, should be the next certificate starting from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE-----.
  6. See example, following. 
    -----BEGIN CERTIFICATE-----
    <Intermediate Certificate Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate + 1 Certificate Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root Certification Authority Certificate Contents>
    -----END CERTIFICATE-----
  7. Click OK

 

As an afterthought, I should have paid more attention to the fact that the field name actually contained the word "chain" in it. I failed to "chain" the certificates together as this was not clear to do to me.

 

Hopefully, this will help you out in the future should you also encounter this error.

 

Aaron R 

I am only able to chain one of our issuing CA's with the Root CA. When I put both issuing CA's then the root I get the same error message, any thoughts?


@aaronrombaut wrote:

I know the original post is somewhat old, but it took me quite awhile to figure this one out in the past few days. When I started my Google search, this was the first post to come up. I wanted to make sure others had a fix as well. Unfortunately, the Cisco UCS Manager Administration Management Guide was too vague and did not provide enough details (that I could find).

 

The specific error I would receive (on firmware 3.1(2e) and firmware 3.1(2b)) was: "Error creating TP <name of Trusted Point>. failed to verify certificate chain, error: Failed to split certificate chain"

 

This is how I was able to fix and now, of course, it seems quite obvious given the name, Certificate Chain.

~~ Creating a Trusted Point ~~

  1. Launch UCS Manager
  2. Admin > Key Management > Trusted Points
  3. Click 'Add' to create a new Trusted Point
  4. Name is the name of the trusted point. It will display as (TP <whatever name you gave it>) after completion. (ie naming it 'Test' will result in 'TP Test')
  5. Certificate Chain is the certificate information for the trusted point. It is merely a concatenation of the certification chain, starting with the Intermediate Certificates, then the Root Certificate, in a top-down order. The entire contents of the Base64 encoded X.509 (CER) file starting from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- need to be copied, then immediately following on the next line, should be the next certificate starting from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE-----.
  6. See example, following. 
    -----BEGIN CERTIFICATE-----
    <Intermediate Certificate Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate + 1 Certificate Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root Certification Authority Certificate Contents>
    -----END CERTIFICATE-----
  7. Click OK

 

As an afterthought, I should have paid more attention to the fact that the field name actually contained the word "chain" in it. I failed to "chain" the certificates together as this was not clear to do to me.

 

Hopefully, this will help you out in the future should you also encounter this error.

 

Aaron R 


 

SmokinBanz,

 

This procedure is a pain! Trust me, I know what you are going through. Hopefully the following will help.

 

Assuming you are on a Windows computer, you can view the certificate's 'Certification Path'. There are a few ways to go about opening the certificate to view this tab. The easiest way is to use an mmc.exe window. (Win + R; mmc.exe; File > Add/Remove Snap-in... > Certificates > Add > OK) If you right-click on a certificate, choose Open, choose Certification Path. This will show the Certification path.

 

When you build the chain like I described in earlier post, you will want to start from the lowest level certificate up the chain to the root. This means the root certificate in your chain will be the last entry in your chain trust. So starting from the bottom in the Certification path window, this will be your first entry in your text document. Keep moving up the path (from Certification path window) and add the entries after your last entry on your text document. I used Notepad++ because you can open multiple text documents in one window and this makes it easier to copy and paste without getting confused on what document is what. You can use a simple notepad tool. When you have "chained" your certificates together in the text document, save that file as something like chained-certs.crt. This will be the file you want to upload to the UCS.

 

Aaron

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: