01-29-2015 01:58 AM - edited 11-18-2020 03:09 AM
During the upgrade from Cisco Prime 2.0 to CPI 2.1, the self-signed certificate is not migrated, so we need to create a new CSR and import the certificate again.
An SSL certificate can be obtained from a third party. To set up this support, you must:
Step 1 Generate a Certificate Signing Request (CSR) file for the Prime Infrastructure server:
- ncs key genkey -newdn -csr CertName.csr repository RepoName
where:
– CertName is an arbitrary name of your choice (for example: MyCertificate.csr).
– RepoName is any previously configured backup repository (for example: defaultRepo).
Step 2 Copy the CSR file to a location you can access. For example:
copy disk:/RepoName/CertName.csr ftp://your.ftp.server
Step 3 Send the CSR file to a Certificate Authority (CA) of your choice.
Note Once you have generated and sent the CSR file for certification, do not use the genkey command again to generate a new key on the same Prime Infrastructure server. If you do, importing the signed certificate file will result in mismatches between keys in the file and on the server.
Step 4 You will receive a signed certificate file with the same filename, but with the file extension CER, from the CA. Before continuing, ensure:
There is only one CER file. In some cases, you may receive chain certificates as individual files. If so, concatenate these files into a single CER file.
Any blank lines in the CER file are removed.
Step 5 At the command line, copy the CER file to the backup repository. For example:
- copy ftp://your.ftp.server/CertName.cer disk:RepoName
Step 6 Import the CER file into the Prime Infrastructure server using the following command:
- ncs key importsignedcert CertName.cer repository RepoName
Step 7 Restart the Prime Infrastructure server by issuing the following commands in this order:
- ncs stop
- ncs start
Step 8 If the Certificate Authority who signed the certificate is not already a trusted CA: Instruct users to add the certificate to their browser trust store when accessing the Prime Infrastructure login page.
Step 1 At the command line, log in using the administrator ID and password and enter the following command:
ncs key importcacert aliasname ca-cert-filename repository repositoryname
where
aliasname is a short name given for this CA certificate.
ca-cert-filename is the CA certificate file name.
repositoryname is the repository name configured in Prime Infrastructure where the ca-cert-filename is hosted.
Step 2 To import an RSA key and signed certificate to Prime Infrastructure, enter the following command in admin mode:
ncs key importkey key-filename cert-filename repository repositoryname
where
key-filename is the RSA private key file name.
cert-filename is the certificate file name.
repositoryname is the repository name configured in Prime Infrastructure where the key-file and cert-file are hosted.
Step 3 Restart the Prime Infrastructure server by issuing the following commands in this order:
- ncs stop
- ncs start
ncs key genkey -newdn -csr mycert repository myrepo
Copy the mycert file to the CA and get the signed certificate back from the CA. Copy all certificates together into one chain file, which needs to be imported in the following order:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
Additionally, we need the p7b file from the CA, which contains the chain.
Import Certificate
Import cer
ncs key importcacert mycert.cer mycert.cer repository myrepo
ncs stop
ncs start
The restart is necessary before we import the p7b file. Otherwise we might get an error message.
Import p7b file
ncs key importsignedcert mycert.p7b repository myrepo
ncs stop
ncs start
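A workstation-side pre-check for Step 4 and the chain order above, as an added example that is not part of the original post and is not Cisco tooling: `build_chain` concatenates the certificates in the order given and strips blank lines, and `key_matches` uses OpenSSL to confirm that the signed certificate carries the same public key as the CSR before `ncs key importsignedcert` is run. The function names and file names are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco tooling. Function and file names are assumptions.

# build_chain OUT CERT...
# Concatenate PEM files in the order given (device, intermediate, root),
# dropping blank lines and trailing CR/whitespace, then confirm that each
# input contributed exactly one complete certificate block.
build_chain() {
    out=$1; shift
    want=$#
    : > "$out"
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # awk always terminates each line, so a file without a final
        # newline cannot glue its END marker to the next BEGIN marker.
        awk '{ sub(/[ \t\r]+$/, ""); if (length($0)) print }' "$f" >> "$out"
    done
    begins=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$out" || true)
    ends=$(grep -c -x -e '-----END CERTIFICATE-----' "$out" || true)
    if [ "$begins" -ne "$want" ] || [ "$ends" -ne "$want" ]; then
        echo "expected $want certificates, found $begins BEGIN/$ends END" >&2
        return 1
    fi
}

# key_matches CSR CERT
# Succeeds only if the first certificate in CERT (the device certificate)
# carries the same public key as the CSR. A mismatch here is what the
# import would later reject as a certificate that does not match the key.
key_matches() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$csr_pub" = "$crt_pub" ]
}

# Usage on the workstation that holds the CSR and the CA's reply:
#   build_chain CertName.cer device.cer intermediate.cer root.cer &&
#   key_matches CertName.csr CertName.cer && echo "ready to import"
```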
Cisco Prime 2.0 upgrade to CPI 2.1 process
Generating a Certificate Signing Request (CSR) File
Hello,
We are running Prime 3.1 and would like to add a "Subject Alternative Name" to the CSR. There are no documented steps on how to do this. Do you have any suggestions on how to accomplish this task? We are able to generate a CSR with SAN using OpenSSL, however, we receive the following error when trying to import the cert:
Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat
ERROR: ncs key importsignedcert command failed. rval:256
voipis4me,
I'm receiving the same error - did you find a way to successfully import the certificate?
Thanks,
Brian
We were told by TAC that the CSR procedures for Prime Infrastructure must be followed exactly for the import to be successful, therefore it is not possible to add a Subject Alternative Name to the certificate.
We will be adding this to our feature requests list.
We are running 2.1 (2.1.0.0.87). I replaced the
Generate
All the above was done on a different machine.
put key and cert in /localdisk/defaultRepo/ (using
then
May not be Cisco supported, our setup is on the simpler side, your mileage may vary
Attached is my edited end certificate and the request configuration file I used (also edited)