Prime Infrastructure 1.3 Certificate Installation failure

patrick.kofler
Level 1

Hi all,

hope someone can help me further. I tried to install a certificate for secure web access.

Therefore I have generated a CSR as well as a private key. I sent this to our CA and I got a certificate.

However I have done this before the installation of Prime, so I did not directly invoke the commands from within the appliance.

I now have tried several options to get it working. According to the documentation the procedure would be via the CLI with the command:

ncs key importkey prime.key prime.cer repository prime-repo

Whenever I try this I get this exception error thrown at me:

Error importing key java.lang.IllegalArgumentException: Unrecognized key file format

I have however tried to import it with Base64 as well as DER encryption.

We are running Prime Infrastructure 1.3 virtual appliance - small OVA.

Anybody knows a hint? Thanks in advance

Regards,

Patrick

7 Replies

mmangat
Level 1

Hello,

Have you tried the following steps:

Step 1 Use the openssl toolkit to generate an RSA Private Key and CSR (Certificate Signing Request). The RSA Private Key is a 1024 bit key which is stored in a PEM format. The following example shows how to generate the RSA key.

openssl genrsa -out server.key 1024

Generating RSA private key, 1024 bit long modulus

.....++++++

.................................++++++

e is 65537 (0x10001) 

Step 2 After generating the RSA key, generate the CSR. The following example shows how to generate the CSR.

openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:California

Locality Name (eg, city) [Newbury]:SanJose

Organization Name (eg, company) [My Company Ltd]:Cisco Systems

Organizational Unit Name (eg, section) []:Org

Common Name (eg, your name or your server's hostname) []:

Email Address []: 


Note Make sure the generated certificate is not shared and it should be protected.


Step 3 The CSR file can be used to generate a signed server certificate from a certificate authority (CA) or you can generate a self-signed certificate.

Step 4 To generate a self-signed certificate, use the following command.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=US/ST=California/L=SanJose/O=Cisco Systems/OU=Org/CN=

Getting Private key

For more information, please have a look at the following cisco doc:

http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/quickstart/guide/cpi_qsg_1_3.html#wp53194

Hello Mantej,

I initially used the openSSL toolkit to request a certificate. However I am using an RSA key with 2048 bit and a company issued certificate. I have already tried to upload both files, private key and certificate in PEM format, but then the aforementioned error occurs.

When I follow the link this leads me to the steps for generating a certificate for the Prime Infrastructure PnP Gateway, which we don't use.

I am also currently in the process of applying the first patch for 1.3. I will get back to see, if this resolves the issue or not.

Regards,

Patrick

Unfortunately it did not work. The same error occurs.

Regards,

Patrick

Hi Patrick:

Whenever you're reporting something like this, it's important to include ALL the lines of CLI output--from the prompt where you typed in the command to and including the returned command prompt. What may look irrelevant to you might actually be very helpful.

However, in this case, I think this was doomed from the start. 

However I have done this before the installation of Prime, so I did not directly invoke the commands from within the appliance.

You can use your wife's keys to start the car and run an errand, but you can't take her passport and leave the country.

My suggestion would be to start again, only this time, use

ncs key genkey myCSR.csr repository

ncs stop

ncs start

to generate a new key and have Prime Infrastructure use that key, and put the new certificate signing request myCSR.csr in your repository.  Retrieve myCSR.csr from the repository, and submit it to your CA to regenerate the certificate.  When you get it back, use

ncs key importcacert myCert myCert.cer repository

ncs stop

ncs start

to import that fresh certificate "myCert.cer" through your repository and have Prime Infrastructure use the key created from the last step and its accompanying certificate. If there's still trouble, consider opening a TAC Service Request to get assistance with this.

Hi Rollin,

If I am to develop your analogy further then why would the government (Prime) allow me to use the passport of my wife (ncs key importkey command) from the start?

What I meant with this is that I have already generated an RSA key together with a CSR via the openSSL toolkit. This is a standard procedure I follow and so far it has always worked. Whether it was for WLCs, WCS, ACS or ISE. Each of them supported it. Some of them proved challenging at the start, but I got the knack of importing a "foreign" private key as well as a certificate on each of them eventually. Prime however eludes me as far as this is concerned.

A TAC case regarding this has already been opened.

P.S.: I have not yet tried to use Prime as key and CSR generator, but to be honest I don't want to as long as the other option is available, supported and documented. Call me stubborn, but that's the way it is.

Regards,

Patrick

Hi Patrick:

Fair enough.  The TAC should be able to sort it out with complete logs, or if something's truly broken, they'll get a bug filed on it and it'll get fixed.

Rollin

patrick.kofler
Level 1

After troubleshooting with TAC it turned out to be a character encoding issue with the private key. It was set to UTF-8 with a BOM character. I didn't see it when I was looking at it with NP++.

After changing it to ASCII, the import of the file went through without problems, and after restarting Prime I was shown the correct certificate.

Regards,

Patrick
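A small pre-import check for the problem described in this thread, added here as an example and not code from the thread or from Cisco: it reports whether a PEM key file starts with a UTF-8 BOM or contains other non-ASCII bytes (which an importer that expects the file to begin with "-----BEGIN" will reject as an unrecognised format) and writes a clean ASCII copy. The file names and the sample key bytes are constructed for the example.

```python
import re
import sys

# Byte order mark that an editor may silently prepend when saving as "UTF-8 with BOM".
UTF8_BOM = b"\xef\xbb\xbf"
# A PEM envelope: BEGIN/END lines with matching labels around the base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)


def inspect_pem(data: bytes) -> dict:
    """Report the things a strict PEM importer may choke on."""
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    match = PEM_RE.search(body)
    return {
        "has_bom": has_bom,
        # Offsets of any byte outside 7-bit ASCII (after the BOM, if present).
        "non_ascii_offsets": [i for i, b in enumerate(body) if b > 0x7F],
        "pem_label": match.group(1).decode() if match else None,
        # What the importer actually sees: does the raw file begin with the header?
        "starts_with_pem_header": data.startswith(b"-----BEGIN "),
    }


def clean_pem(data: bytes) -> bytes:
    """Strip a leading BOM, normalise line endings to LF and require pure ASCII."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    data = data.replace(b"\r\n", b"\n")
    if any(b > 0x7F for b in data):
        raise ValueError("non-ASCII bytes remain in PEM file")
    if not PEM_RE.search(data):
        raise ValueError("no PEM envelope found")
    return data


# Constructed sample (not a real key): a PEM-shaped file saved with a BOM and CRLF.
SAMPLE_KEY = UTF8_BOM + b"-----BEGIN RSA PRIVATE KEY-----\r\nMIIBOgIBAAJBAK\r\n-----END RSA PRIVATE KEY-----\r\n"

if __name__ == "__main__":
    # Usage: python check_pem.py prime.key prime-clean.key  (file names are assumptions)
    src, dst = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (None, None)
    raw = open(src, "rb").read() if src else SAMPLE_KEY
    print(inspect_pem(raw))
    cleaned = clean_pem(raw)
    if dst:
        open(dst, "wb").write(cleaned)
```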
