Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1004
Views
5
Helpful
4
Replies

Cisco Prime Decryption Settings - Import Certificate

shanemolloy
Level 1
Level 1

‎06-12-2014 04:46 AM

Hi there,

 

I have exported a PFX from a Windows server and converted it to PEM with an unencrypted key file as pem format also. I have done this many times before for Linux based appliances with no problems so i know the format is correct. 

When I go to Decryption Settings and try to import the certificate it is giving me this error: certificate:The certificate to be used by the TLS decryption engine must be enabled as a certificate authority

I have added the root certificate of this certificate chain and the intermediate to the root authority section in Prime (Configuration > Certificates) but it still gives me this error. I could see one post on the Internet with a similar error and he had converted it from PFX to PEM like myself. 

If anyone has any tips that'd be great. 

 

Thanks

 

2 people had this problem
Labels:
0 Helpful
4 Replies 4

Greg Terkanian
Level 1
Level 1

‎07-30-2014 11:07 AM

Did you ever find a solution?  I am currently facing this same issue and have tried just about everything to fix.  Created a TAC case, but haven't gotten a response yet.

 

Thanks.

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to Greg Terkanian

‎08-07-2014 12:01 AM

The error message is probably correct - You are probably trying to upload a Server Certificate.  You can verify using openssl using the following command:

 

openssl x509 -noout -text -in <certificate file name>

 

The x509 constraint should state "CA: TRUE"

If it is False or it doesn't show at all, there is the problem.

 

0 Helpful

shanemolloy
Level 1
Level 1

‎07-30-2014 11:20 AM

Hey,

It's actually the root certificate that is meant to be uploaded to Prime not a standard certificate as it turns out (I got replies from a TAC case). 

The solution is to use the root certificate from a Windows certificate authority server in a domain environment or use the self signed certificate that Prime can generate. The root certificate then must be installed onto any machines that are using web filtering or else they'll get a certificate warning/error when they start web browsing. If there's a certificate authority server and all your machines are joined to the domain then the certificate will more than likely already be trusted by PCs. 

Haven't got around to trying this yet though. 

Hope this helps. 

 

Shane

 

0 Helpful

Greg Terkanian
Level 1
Level 1
In response to shanemolloy

‎07-30-2014 11:31 AM

Yes, but what about all the non-domain machines and non-standard browsers that maintain their own cert store?  I'm losing interested very quickly in this CX module.  I've got a TAC case open myself and am not liking the responses so far.  :-/

Customers Also Viewed These Support Documents