02-20-2012 05:05 AM - edited 07-03-2021 09:37 PM
Hi,
I have some trouble uploading a certificate in NCS.
When I upload the certificate it says:
XX-XX-NCS01/admin# ncs key importsignedcert wlan_xx_xxxx_nl.pem repository ncs-tftp-repo
INFO: no staging url defined, using local space. rval:2
The WCS server is running
Changes will take affect on the next server restart
Importing signed certificate for key
Error importing key java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
ERROR: ncs key importsignedcert command failed. rval:256
The PEM is made with openSSL, the source is a pfx. Command used:
openssl pkcs12 -in wlan_xx_xxx_nl.pfx -out wlan_xx_xxxx_nl.pem -passin pass:xxxx -passout pass:xxxx
Also tried to upload key and certificate separately but no success:
XX-XX-NCS01/admin# ncs key importkey wlan_xx_xxxx_nl_key.pem wlan_xx_xxxx_nl_cert.pem repository ncs-tftp-repo
INFO: no staging url defined, using local space. rval:2
INFO: no staging url defined, using local space. rval:2
The WCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
Error importing key java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
ERROR: ncs key importkey command failed. rval:256
It looks like the certificate encoded the wrong way but I can't think of another way.
Anyone any suggestions or experience with this?
Thanks!
Thomas
02-22-2012 12:20 AM
Thomas,
I've seen and heard of weird issues with different versions of OpenSSL. I use v0.9.8 and have had consistently good results with this version. Which version are you using?
Justin
02-22-2012 12:42 AM
I also use OpenSSL 0.9.8. I used this OpenSSL version to create certificates for the WLC Web Auth portal and had no issues. Any other suggestions?
02-22-2012 12:52 AM
Thomas,
Did you try the keytool method as outlined in the NCS config guide appendix for server hardening (and substitute openssl for keytool), or are you following another outlined procedure somewhere?
Justin
02-22-2012 01:00 AM
Justin,
I created a certificate through a Windows client. The hostname of NCS is not the name of the certificate because of a DNS alias. Will give the keytool method a try. I hit the correct answer button accidentally.
Thanks!
Thomas
02-22-2012 01:35 AM
Justin,
The keytool method doesn't make much sense to me. I can't translate this method to my own environment. It doesn't say in which format the certificate must be when I upload it to NCS.
The certificate I want to upload is one of my own domain (so its not a public one). The trusted CA is already uploaded to NCS with command: "ncs key importcacert".
The procedure I was following is:
http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00808a94ca.shtml
The certificate I have is a .pfx which I converted to a .pem
Or should I convert the .pfx to a .p7b and then the .p7b to a pem?
Thomas
02-22-2012 02:25 AM
Thomas,
The procedure you linked is for WCS. You will need to follow the NCS procedure, which is different.
http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/hard.html#wp1042818
You generate your CSR from the NCS command line, submit it to your CA, and then your CA needs to issue the cert in a pkcs7 (p7b) format.
Import that signed p7b cert into NCS via CLI per the instructions and that's all you should need to do. As long as your CA root cert is trusted on your client, you should be able to hit NCS management without a warning.
Finally, it looks like the keytool method is only required when you need to put a cert on your client, which I don't gather from your post you need to do, so you can probably ignore the keytool section altogether.
Justin
Sent from Cisco Technical Support iPhone App
02-24-2012 02:25 AM
Justin,
Thanks for the response so far.
When I import the p7b certificate I get the following error:
XX-XX-NCS01/admin# ncs key importsignedcert wlan_xx_xxxx_nl.p7b repository ncs-ftp-repo
INFO: no staging url defined, using local space. rval:2
The WCS server is running
Changes will take affect on the next server restart
Importing signed certificate for key
Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat
ERROR: ncs key importsignedcert command failed. rval:256
Thomas
02-24-2012 09:52 AM
Thomas,
Are you using NCS to generate the CSR?
# ncs key genkey -csr
Justin
02-27-2012 07:00 PM
Thomas,
Just to give you an update: I have this built in my lab and I have been running into a host of issues with this procedure as documented. It has taken a TAC case and special file access so far, but the short version of the story is that the certificate request process is [natively] broken in NCS, even on version 1.1.0.58, and requires a root patch to get it working.
I have finally gotten the CSR generated and off the box. My next step, as soon as I get a chance in the next couple of days, is to submit the CSR to the CA and then import the issued cert into NCS. Hopefully that will go a little more smoothly.
I hope to post an update soon.
Justin
02-28-2012 02:53 AM
Justin,
I have it working, use the following steps:
Thomas
02-28-2012 06:41 PM
Thomas,
Thanks for your update.
Some users (such as me) will run into bug CSCty04253, which exists in 1.0.58 but is fixed in 1.1.1 (not available from CCO as of this post). There is a workaround for it. From the bug ID:
Symptom:
Trying to generate CSR fails with error 256
Conditions:
Using NCS 1.1.0.58 to try to generate a CSR fails with error 256
Workaround:
1. install root enable package on NCS
2. Login as 'root' user into NCS via SSH
3. a) For signed certificate from CA:
i. Execute the below command ' /opt/CSCOncs/bin/keyadmin.sh -newdn -csr genkey < /localdisk/ftp/filename.csr>'
ii. Download the < filename.csr> CSR file from NCS to get it signed from the CA
iii. After receiving CA certificate, signed certificates/key, please use 'ncs key importXXX' cli to install on NCS.
b) For newly generated self signed certificate:
If user wants to use newly generate self-signed certificate in NCS, please execute the below command alone in NCS root enable prompt:
' /opt/CSCOncs/bin/keyadmin.sh -newdn genkey '
4. After installing the certificates, please do 'ncs stop/start' once to make the changes into effect.
Note that the "root enable package" identified in Step 1 must be requested from TAC. When the ticket is opened, ID this bug and they'll likely send you the root package with install instructions on first response.
The workaround also states that in order to run the keyadmin.sh command, you should log into NCS as root via SSH. In my testing, SSH access was blocked on the root account, even after resetting the account password. I also ran into other issues with these instructions. After some exhaustive clicking and typing, here's what I came up with as modified steps to achieve the above workaround:
Justin
02-22-2013 07:30 AM
Just to update this, as I run now also into:
Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat
I had a CPI 1.2.1.x where I successfully installed a company-signed certificate. That worked fine and the browser showed it as valid. I did have an issue: Chrome 24 no longer loaded the site after logging in. It did work in Firefox though, so it might be a Chrome issue. I can load the website in Chrome if I connect to the IP address of the server.
Some days ago I updated to 1.3 and this reverted or replaced my certificate. It's now again a self-signed certificate?!?
So I tried to install again my old certificate, but this time I receive the above error.
cpi1/admin# ncs key importsignedcert cpi1.domain.com.pem repository defaultRepo
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing signed certificate for key
Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat
cpi1/admin#
Any ideas, or is it broken again in 1.3?
12-03-2014 04:30 PM
The Prime 2.0 server hardening guide (http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/administrator/guide/PIAdminBook/config_server_settings.html) does not specify what format the signed certificate should be imported as.
It appears to be PKCS#7 (Base 64)...which for me was provided as a *.crt (not *.cer) file. This worked on Prime 2.1.0.0.87.
Trying to import a standard X509 (Base 64) signed cert failed with the dreaded "Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat".
Also you can skip FTP and just SCP from admin mode on the controllers from whatever system you have (it's Linux underneath).
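Two of the errors in this thread come down to what is actually inside the file being imported: a PEM written by "openssl pkcs12" carries OpenSSL's "Bag Attributes" text plus both a certificate and a key in one file, which a strict DER parser rejects, and "New certificate does not match key for tomcat" means the certificate's public key does not belong to the private key already in the server's keystore. The following is an added example (not code from the thread, from Cisco or from OpenSSL) that does the pre-flight checks an operator would want before running any import: it splits a multi-block PEM while ignoring the non-armour lines, verifies each block is one well-formed DER SEQUENCE, and compares the RSA modulus in a certificate against the modulus in a PKCS#1 or unencrypted PKCS#8 key. It uses only the Python standard library; because no real certificate is on the page, the sample certificate and key are constructed skeletons (empty name and validity fields, placeholder private exponent) built by the block's own tiny DER encoder, and the modulus values, file names and "Bag Attributes" text are made up for the demonstration.

```python
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes)] for every armoured block in a PEM file.
    Text outside the armour (OpenSSL 'Bag Attributes', 'subject=' lines) and
    RFC 1421 headers inside it (lines containing ':') are ignored."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        b64 = "".join(l.strip() for l in m.group(2).splitlines() if ":" not in l)
        blocks.append((m.group(1), base64.b64decode(b64)))
    return blocks


def _tlv_at(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv_at(body, pos)
        out.append((tag, value))
    return out


def _sequence_body(der):
    """Body of a DER blob that must be exactly one SEQUENCE (no trailing bytes)."""
    tag, body, end = _tlv_at(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single well-formed DER SEQUENCE")
    return body


def cert_modulus(cert_der):
    """RSA modulus from an X.509 certificate's SubjectPublicKeyInfo."""
    tbs = _children(_sequence_body(cert_der))[0][1]
    # SEQUENCEs inside tbsCertificate: signature alg, issuer, validity,
    # subject, subjectPublicKeyInfo -> the SPKI is always the fifth one.
    spki = [v for t, v in _children(tbs) if t == 0x30][4]
    bit_string = _children(spki)[1][1]      # BIT STRING: pad byte + RSAPublicKey
    return int.from_bytes(_children(_sequence_body(bit_string[1:]))[0][1], "big")


def key_modulus(key_der):
    """Modulus from PKCS#1 'RSA PRIVATE KEY' or unencrypted PKCS#8 'PRIVATE KEY'."""
    fields = _children(_sequence_body(key_der))
    if fields[1][0] == 0x30:                # PKCS#8: version, algId, OCTET STRING
        fields = _children(_sequence_body(fields[2][1]))
    return int.from_bytes(fields[1][1], "big")  # PKCS#1: version, n, e, d, ...


def key_and_cert_match(cert_der, key_der):
    return cert_modulus(cert_der) == key_modulus(key_der)


def describe_pem(text):
    """One (label, verdict) per block: the pre-flight before an import."""
    report = []
    for label, der in split_pem(text):
        try:
            _sequence_body(der)
        except (ValueError, IndexError):
            report.append((label, "malformed DER"))
            continue
        if label == "ENCRYPTED PRIVATE KEY":
            report.append((label, "encrypted PKCS#8; decrypt before import"))
        else:
            report.append((label, "well-formed DER"))
    return report


# --- constructed test material (toy DER encoder + skeleton structures) ------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def build_toy_cert(n, e=65537):
    """X.509 skeleton (empty issuer/validity/subject, dummy signature) carrying (n, e)."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    spki = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + rsa_pub))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + _tlv(0x30, b"") * 4 + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def build_toy_rsa_key(n, e=65537):
    """PKCS#1 RSAPrivateKey skeleton: version, n, e, d, p, q, dp, dq, qInv (zeros)."""
    return _tlv(0x30, _der_int(0) + _der_int(n) + _der_int(e) + _der_int(0) * 6)


def build_toy_pkcs8_key(n):
    return _tlv(0x30, _der_int(0) + _tlv(0x30, b"") + _tlv(0x04, build_toy_rsa_key(n)))


def _pem(label, der):
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


SAMPLE_N = int("c0ffee" * 48, 16)            # constructed moduli, not real keys
OTHER_N = int("deadbeef" * 36, 16)
# Constructed to mimic `openssl pkcs12 -out` output: bag attributes sit outside
# the armour, and the cert and key share one file.
SAMPLE_PKCS12_PEM = (
    "Bag Attributes\n    localKeyID: 01 02 03\nsubject=/CN=wlan.example.test\n"
    + _pem("CERTIFICATE", build_toy_cert(SAMPLE_N))
    + "Bag Attributes\n    localKeyID: 01 02 03\n"
    + _pem("RSA PRIVATE KEY", build_toy_rsa_key(SAMPLE_N))
)

if __name__ == "__main__":
    print(describe_pem(SAMPLE_PKCS12_PEM))
    print("key matches cert:", key_and_cert_match(build_toy_cert(OTHER_N), build_toy_rsa_key(SAMPLE_N)))
```

With OpenSSL at hand the same modulus comparison is "openssl x509 -noout -modulus -in cert.pem" against "openssl rsa -noout -modulus -in key.pem"; if the two differ, the certificate was issued for a key other than the one in the keystore, which is what the "does not match key for tomcat" message reports, and no re-encoding of the file will fix it. Splitting a .pfx into separate files is "openssl pkcs12 -in x.pfx -nokeys -out cert.pem" and "openssl pkcs12 -in x.pfx -nocerts -nodes -out key.pem"; the check above flags an "ENCRYPTED PRIVATE KEY" block so the -nodes step is not forgotten.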