Generating a Certificate Signing Request and Importing a Certificate Authority (CA)


Introduction

During the upgrade from Cisco Prime Infrastructure 2.0 to 2.1, the self-signed certificate is not migrated, so a new CSR has to be generated and the signed certificate imported again.

Generating a Certificate Signing Request (CSR) File

An SSL certificate can be obtained from a third-party Certificate Authority. To set this up, you must:

  1. Generate a Certificate Signing Request file.
  2. Submit the signing request to a Certificate Authority you choose.
  3. Apply the signed Security Certificate file to the server.

Step 1 Generate a Certificate Signing Request (CSR) file for the Prime Infrastructure server:

  • a. At the Prime Infrastructure appliance, exit to the command line.
  • b. At the command line, log in using the administrator ID and password used to install Prime Infrastructure.
  • c. Enter the following command to generate the CSR file in the default backup repository:

- ncs key genkey -newdn -csr CertName.csr repository RepoName

where:

– CertName is an arbitrary name of your choice (for example: MyCertificate.csr).

– RepoName is any previously configured backup repository (for example: defaultRepo).

Step 2 Copy the CSR file to a location you can access. For example:

copy disk:/RepoName/CertName.csr ftp://your.ftp.server

Step 3 Send the CSR file to a Certificate Authority (CA) of your choice.

Note Once you have generated and sent the CSR file for certification, do not use the genkey command again to generate a new key on the same Prime Infrastructure server. If you do, importing the signed certificate file will result in mismatches between keys in the file and on the server.

Step 4 You will receive a signed certificate file from the CA with the same filename but with the file extension CER. Before continuing, ensure that:

  • There is only one CER file. In some cases you may receive the chain certificates as individual files. If so, concatenate them into a single CER file.
  • Any blank lines in the CER file are removed.

Step 5 At the command line, copy the CER file to the backup repository. For example:

- copy ftp://your.ftp.server/CertName.cer disk:RepoName

Step 6 Import the CER file into the Prime Infrastructure server using the following command:

- ncs key importsignedcert CertName.cer repository RepoName

Step 7 Restart the Prime Infrastructure server by issuing the following commands in this order:

- ncs stop

- ncs start

Step 8 If the Certificate Authority that signed the certificate is not already trusted by users' browsers, instruct users to add the CA certificate to their browser trust store when accessing the Prime Infrastructure login page.

Importing a Certificate Authority (CA) Certificate and Key

Step 1 At the command line, log in using the administrator ID and password and enter the following command:

ncs key importcacert aliasname ca-cert-filename repository repositoryname

where:

– aliasname is a short name given to this CA certificate.

– ca-cert-filename is the CA certificate file name.

– repositoryname is the repository configured in Prime Infrastructure where ca-cert-filename is hosted.

Step 2 To import an RSA key and signed certificate to Prime Infrastructure, enter the following command in admin mode:

ncs key importkey key-filename cert-filename repository repositoryname

where:

– key-filename is the RSA private key file name.

– cert-filename is the certificate file name.

– repositoryname is the repository configured in Prime Infrastructure where the key file and certificate file are hosted.

Step 3 Restart the Prime Infrastructure server by issuing the following commands in this order:

- ncs stop

- ncs start

Example

ncs key genkey -newdn -csr mycert repository myrepo

Copy the mycert CSR file to the CA and get the signed certificate back. If the chain comes back as separate files, concatenate all certificates into one file, which needs to be imported in the following order:

-----BEGIN CERTIFICATE-----

*Device cert*

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

*Intermediate CA cert *

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

*Root CA cert *

-----END CERTIFICATE-----

Additionally, we need the PKCS#7 (.p7b) file from the CA, which contains the certificate chain.

Import Certificate
Import cer (the first mycert.cer is the alias name, the second is the file name in the repository)

ncs key importcacert mycert.cer mycert.cer repository myrepo

ncs stop
ncs start

The restart is necessary before importing the p7b file; otherwise the import may fail with an error message.

Import p7b file

ncs key importsignedcert mycert.p7b repository myrepo

ncs stop
ncs start
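The commands above run on the appliance and give no feedback until the import fails. The following script, an added example that is not part of the original article and not Cisco code, runs on an administrator's workstation beforehand and covers the points the procedure depends on: it builds the single CER file from Step 4 (device certificate, then intermediate, then root, no blank lines), verifies that the chain actually links up, confirms that the signed certificate still belongs to the key behind the CSR (the mismatch the Note warns about if genkey is run twice), and round-trips the chain through a PKCS#7 (.p7b) file like the one used in the Example. It assumes openssl is on the PATH; the host name, DNs and file names are hypothetical, and the CA hierarchy is generated locally as constructed test data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article or Cisco): pre-import checks for a Prime
# Infrastructure certificate chain. Assumes openssl on PATH; names are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config; [ca_ext] is applied to the two CA certs only.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throw-away PKI standing in for the real CA: root -> intermediate -> device.
make_test_pki() {
  d="$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -extensions ca_ext \
    -subj "/CN=Test Root CA" -days 365 -keyout "$d/root.key" -out "$d/root.cer" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=Test Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -days 365 -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/inter.cer" >/dev/null 2>&1
  # device.key/device.csr play the role of the pair "ncs key genkey -newdn -csr" creates.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=prime.example.com" -keyout "$d/device.key" -out "$d/device.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/device.csr" -CA "$d/inter.cer" -CAkey "$d/inter.key" -CAcreateserial \
    -days 365 -out "$d/device.cer" >/dev/null 2>&1
  # A fresh key, as if "ncs key genkey" had been run again after the CSR was sent.
  openssl genrsa -out "$d/regenerated.key" 2048 >/dev/null 2>&1
}

# Step 4: device cert first, then intermediate, then root, blank lines removed.
build_chain() { cat "$1" "$2" "$3" | grep -v '^[[:space:]]*$' > "$4"; }
cert_count()  { grep -c 'BEGIN CERTIFICATE' "$1"; }
blank_lines() { grep -c '^[[:space:]]*$' "$1" || true; }

# Does the device cert chain to the root through the intermediate?
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Compare the public key in the first certificate of $1 with the private key $2.
# A mismatch is exactly what makes the appliance reject the import.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$from_cert" = "$from_key" ]
}

# PKCS#7 round trip: pack the chain into a .p7b and list what a CA-supplied .p7b holds.
to_p7b()    { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
p7b_count() { openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'; }

make_test_pki "$WORK"
CHAIN="$WORK/prime.cer"
build_chain "$WORK/device.cer" "$WORK/inter.cer" "$WORK/root.cer" "$CHAIN"
echo "chain file: $(cert_count "$CHAIN") certificates, $(blank_lines "$CHAIN") blank lines"
verify_chain "$WORK/root.cer" "$WORK/inter.cer" "$WORK/device.cer" && echo "chain verifies"
key_matches_cert "$CHAIN" "$WORK/device.key" && echo "cert matches the CSR key: safe to import"
key_matches_cert "$CHAIN" "$WORK/regenerated.key" || echo "regenerated key does not match: import would fail"
to_p7b "$CHAIN" "$WORK/prime.p7b"
echo "p7b holds $(p7b_count "$WORK/prime.p7b") certificates"
```

Point key_matches_cert at the CER file you are about to copy to the repository and at the private key you kept from the CSR; if it fails, the only remedy is a new CSR from the current key, because the appliance keeps the key that genkey produced.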

Reference

Cisco Prime 2.0 upgrade to CPI 2.1 process
Generating a Certificate Signing Request (CSR) File

Comments
Beginner

Hello,

We are running Prime 3.1 and would like to add a "Subject Alternative Name" to the CSR. There are no documented steps on how to do this. Do you have any suggestions on how to accomplish this task? We are able to generate a CSR with SAN using OpenSSL; however, we receive the following error when trying to import the cert:

Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat

ERROR: ncs key importsignedcert command failed. rval:256

Beginner

voipis4me,

I'm receiving the same error - did you find a way to successfully import the certificate?

Thanks,

Brian

Beginner

We were told by TAC that the CSR procedures for Prime Infrastructure must be followed exactly for the import to be successful, therefore it is not possible to add a Subject Alternative Name to the certificate.

We will be adding this to our feature requests list.

Not applicable

We are running 2.1 (2.1.0.0.87) .  I replaced the cert with one with a SAN.

Generate crt with openssl and SANs, get it signed so that it still has the SANs

All the above was done on a different machine.

put key and cert in /localdisk/defaultRepo/ (using scp in a root shell)

key file needs to be in pem format and cert needs to be der format

then ncs stop, ncs start. Seems fully functional so far. Did this with self-signed cert + SANs and cert signed by internal CA w/ SANs.

May not be Cisco supported, our setup is on the simpler side, your mileage may vary.

Attached is my edited end certificate and the request configuration file I used (also edited)
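The attachments mentioned in the comment above are not on this page. What follows is an added example, not the commenter's files and not Cisco code, that reproduces the workflow the comment describes with OpenSSL: a CSR carrying a subjectAltName, a signing step that actually keeps the SAN, and the conversion to the formats the comment reports the appliance accepted (unencrypted PEM private key, DER certificate). Host names, the SAN list and file names are hypothetical; the request configuration is constructed for the example.

```shell
#!/bin/sh
# Added example (not the commenter's files, not Cisco code): CSR with SAN,
# signing that preserves it, PEM key + DER cert. Assumes openssl on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config. [san_ext] is referenced twice: via req_extensions so
# the SAN goes into the CSR, and again at signing time (see sign_self).
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = san_ext
prompt = no
[dn]
CN = prime.example.com
O = Example Corp
[san_ext]
subjectAltName = DNS:prime.example.com, DNS:prime, IP:192.0.2.10
EOF

# Key + CSR. With -nodes the key is written as unencrypted PEM (PKCS#8), the
# form the comment says the appliance needs.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/san.cnf" \
    -keyout "$1/prime.key" -out "$1/prime.csr" >/dev/null 2>&1
}

# Self-sign the CSR. "openssl x509 -req" does not carry extensions over from the
# CSR unless they are re-supplied with -extfile/-extensions (OpenSSL 3 also has
# -copy_extensions copy). A real CA has to do the equivalent, which is why a
# signed cert can come back without the SAN you asked for. $3="keep" re-supplies them.
sign_self() {
  if [ "$3" = keep ]; then
    openssl x509 -req -in "$1/prime.csr" -signkey "$1/prime.key" -days 365 \
      -extfile "$1/san.cnf" -extensions san_ext -out "$2" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1/prime.csr" -signkey "$1/prime.key" -days 365 \
      -out "$2" >/dev/null 2>&1
  fi
}

# PEM -> DER for the certificate, as the comment describes.
to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }

# $1 = "req" for a CSR or "x509" for a certificate, $2 = file, $3 = PEM or DER.
has_san() {
  openssl "$1" -in "$2" -inform "$3" -noout -text 2>/dev/null | grep -q 'DNS:prime.example.com'
}

gen_csr "$WORK"
has_san req "$WORK/prime.csr" PEM && echo "CSR carries the SAN"
sign_self "$WORK" "$WORK/prime.cer" keep
to_der "$WORK/prime.cer" "$WORK/prime.der"
has_san x509 "$WORK/prime.der" DER && echo "signed DER cert still carries the SAN"
sign_self "$WORK" "$WORK/nosan.cer" drop
has_san x509 "$WORK/nosan.cer" PEM || echo "signed without re-supplying extensions: SAN lost"
```

Run has_san against whatever the CA returns before copying anything to the appliance; a CSR that contained the SAN says nothing about the certificate that came back.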
