10-25-2022 01:58 AM - edited 10-25-2022 02:16 AM
Hi all,
I'm unable to import a PKCS12 Device Mgmt certificate into my Wireless Controller C9800; unlike on my previous 5508 WLCs, there are now Trustpoints etc. involved.
The way we generate certificates is that we do not generate a CSR from the device; rather, we input the device details manually on a Cert Server GUI, and this generates a .pfx file we download. We would import this .pfx onto the device and bang! Cert installs successfully, just like on my 5508s!
C9800 log:
Oct 25 08:23:37.190: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure
Oct 25 08:23:37.192: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: C9800.hello.com.pfx. Reason: Failed to import pkcs12 context
I don't want to connect to our CA Server as there are so many hurdles internally to use SCEP. Is there a way to import a .pfx into the C9800 directly without a Trustpoint? Every time I create a Trustpoint, the C9800 forces me to authenticate to a CA Server. Also, I am surprised the logs are complaining about an invalid encoding format; aren't .p12 and .pfx the same (PKCS#12), depending on how your server generates them?
10-31-2022 08:45 AM
It wasn't clear from the TAC Engineer when I asked; I suppose they are checking their knowledge database for answers. I think you might be correct; perhaps this has never been tested and they presume that every customer should have a full-chain cert. Maybe the lab engineers @cisco didn't communicate well enough with their own Security Engineers. Happens more regularly than we think, I would envisage.
12-05-2022 06:37 AM
I had similar issues with importing a PKCS12 cert, and the fix for me was to switch from using OpenSSL v3.1.0 to OpenSSL v1.1.1 on Windows to combine the cert chain PEM file with the private key.
For OpenSSL v3.1.0, I was getting the following log/debug messages when trying to import the cert (the top two messages are "debug crypto pki transaction" logs, the bottom message is just a normal syslog message):
Dec 2 16:50:39.393 CST: CRYPTO_PKI: Copying pkcs12 from bootflash:Anchor-2022.p12
Dec 2 16:50:39.414 CST: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure
Dec 2 16:50:39.415 CST: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: Anchor-2022.p12. Reason: Failed to import pkcs12 context
Using OpenSSL v1.1.1 to combine the cert chain and private key into a PKCS12 file allowed me to import the cert with no issues.
12-05-2022 10:08 PM
03-20-2023 06:24 AM
Hi,
I had the same issue with openssl 3.0.8 for Windows. Once I used openssl v1.1.1 I could import the .pfx file without errors.
Thanks for sharing this post.
04-25-2023 05:28 PM - edited 04-26-2023 06:19 AM
Hi -
This is possible in OpenSSL 3.x. You must use the -legacy parameter in your command. If you are running OpenSSL on Windows, then you will also need to use -provider-path <path to legacy.dll>. For OpenSSL 3 for Win64, the command would look like this:
openssl pkcs12 -export -in <cert-chain>.pem -inkey <key-pair>.key -out <hostname>.pfx -macalg SHA1 -legacy -provider-path "c:\Program Files\OpenSSL-Win64\bin"
It appears that Cisco hasn't updated the underlying OpenSSL code in IOS-XE, which is ridiculous. The notes section of the OpenSSL docs indicate why -legacy exists. https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html
Good Luck!
PSC
NOTE: Minor edit. Added `-macalg SHA1` which fixes the first error you would get (BugID CSCvz41428). The 0x705 error which you will get after solving the first will bring you here.
crypto_pki: status = 0x760(e_digest_alg_not_supported : message digest algorithms not supported): imported pkcs12 file failure
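Both errors in this thread come down to which algorithms the .pfx was built with: the 0x760 digest error from the SHA-256 MAC that OpenSSL 3 writes by default, and the 0x705 encoding error from its default PBES2/AES-256-CBC bag encryption, neither of which the controller accepts, whereas `-legacy -macalg SHA1` produces RC2-40/3DES bags with a SHA-1 MAC. The script below is an added example written for this page (not Cisco or OpenSSL code) that walks a .pfx offline with only the Python standard library and reports those algorithms, so a file can be checked before it is uploaded. It relies on the standard PKCS#5/#7/#12 and NIST OID assignments; the `build_sample_pfx` helper and the files it emits are constructed test data with dummy ciphertext in the layout OpenSSL writes, not real keys or certificates.

```python
"""Offline check of the MAC digest and bag-encryption algorithms in a PKCS#12 file.

Added example for this thread, not Cisco or OpenSSL code. Pure stdlib DER walking,
so it runs on a box that only has OpenSSL 3 (or no OpenSSL at all).
"""
import sys

# Standard OIDs from PKCS#5, PKCS#7, PKCS#12 and NIST
OID_NAMES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.6": "encryptedData",
    "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",  # -legacy key bag
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",        # -legacy cert bag
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.1.5.13": "PBES2",                                 # OpenSSL 3 default
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "1.3.14.3.2.26": "sha1",                                          # -macalg SHA1
    "2.16.840.1.101.3.4.2.1": "sha256",                               # OpenSSL 3 default MAC
}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}


# --- minimal DER reader ------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed type's content into (tag, content) items."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        items.append((tag, body))
    return items


def _oid_name(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                  # base-128 arcs
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)


def _describe_alg(alg_body):
    """Name an AlgorithmIdentifier; for PBES2 also name the wrapped cipher."""
    items = _children(alg_body)
    name = _oid_name(items[0][1])
    if name == "PBES2":                                 # params = { kdf, encryptionScheme }
        scheme = _children(_children(items[1][1])[1][1])
        name += "/" + _oid_name(scheme[0][1])
    return name


def inspect_pkcs12(der):
    """Report the MAC digest and each bag/content encryption algorithm of a DER PFX."""
    tag, pfx, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not DER: PEM-armoured or not a PKCS#12 file")
    fields = _children(pfx)                             # { version, authSafe, macData OPTIONAL }
    report = {"mac_digest": None, "encryption": []}
    if len(fields) > 2:
        digest_info = _children(fields[2][1])[0][1]     # MacData.mac
        report["mac_digest"] = _describe_alg(_children(digest_info)[0][1])
    wrapper = _children(fields[1][1])                   # ContentInfo { data, [0] OCTET STRING }
    _, auth_safe, _ = _read_tlv(_children(wrapper[1][1])[0][1], 0)
    for _, ci_body in _children(auth_safe):             # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        ci = _children(ci_body)
        payload = _children(ci[1][1])[0]                # inside the [0] EXPLICIT tag
        if _oid_name(ci[0][1]) == "encryptedData":
            eci = _children(_children(payload[1])[1][1])            # EncryptedContentInfo
            report["encryption"].append("encryptedData: " + _describe_alg(eci[1][1]))
        elif _oid_name(ci[0][1]) == "data":
            _, bags, _ = _read_tlv(payload[1], 0)       # SafeContents ::= SEQUENCE OF SafeBag
            for _, bag_body in _children(bags):
                bag = _children(bag_body)
                if _oid_name(bag[0][1]) == "pkcs8ShroudedKeyBag":
                    epki = _children(_children(bag[1][1])[0][1])    # EncryptedPrivateKeyInfo
                    report["encryption"].append("keyBag: " + _describe_alg(epki[0][1]))
    return report


def legacy_compatible(report):
    """True only for a SHA-1 MAC plus PBES1 (RC2-40/3DES) bags, what -legacy -macalg SHA1 emits."""
    algs = [entry.split(": ", 1)[1] for entry in report["encryption"]]
    return report["mac_digest"] == "sha1" and all(a.startswith("pbeWithSHA1") for a in algs)


# --- constructed sample files (dummy ciphertext; only the algorithm OIDs matter) ---
def _der(tag, content):
    n, w = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | w]) + n.to_bytes(w, "big")
    return bytes([tag]) + length + content


def _oid(name):
    arcs = [int(a) for a in OID_BY_NAME[name].split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _der(0x06, bytes(out))


def _alg(name, params=b"\x05\x00"):
    return _der(0x30, _oid(name) + params)


def _cipher(name, salt=b"\x01" * 8):
    pbe = _der(0x30, _der(0x04, salt) + _der(0x02, b"\x08\x00"))   # { salt, 2048 iterations }
    if name.startswith("pbeWithSHA1"):
        return _alg(name, pbe)
    return _alg("PBES2", _der(0x30, _alg("PBKDF2", pbe) + _alg("aes-256-cbc", _der(0x04, b"\x02" * 16))))


def build_sample_pfx(mac_digest, key_alg, cert_alg):
    """Constructed PFX skeleton in the layout OpenSSL writes (not a real cert or key)."""
    blob = b"\xAA" * 32
    enc_ci = _der(0x30, _oid("encryptedData") + _der(0xA0, _der(0x30, _der(0x02, b"\x00")
             + _der(0x30, _oid("data") + _cipher(cert_alg) + _der(0x80, blob)))))
    key_bag = _der(0x30, _oid("pkcs8ShroudedKeyBag") + _der(0xA0, _der(0x30, _cipher(key_alg) + _der(0x04, blob))))
    key_ci = _der(0x30, _oid("data") + _der(0xA0, _der(0x04, _der(0x30, key_bag))))
    auth_safe = _der(0x30, _oid("data") + _der(0xA0, _der(0x04, _der(0x30, enc_ci + key_ci))))
    mac = _der(0x30, _der(0x30, _alg(mac_digest) + _der(0x04, b"\x00" * 20)) + _der(0x04, b"\x03" * 8) + _der(0x02, b"\x08\x00"))
    return _der(0x30, _der(0x02, b"\x03") + auth_safe + mac)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx("sha256", "PBES2", "PBES2")
    rep = inspect_pkcs12(data)
    print(rep, "legacy-compatible:", legacy_compatible(rep))
```

Run it as `python3 check_pfx.py hostname.pfx`: a file built with OpenSSL 3 defaults reports `sha256` and `PBES2/aes-256-cbc`, one built with `-legacy -macalg SHA1` reports `sha1` with the RC2-40 and 3DES bags. A `sha1` MAC over PBES2 bags is the `-macalg SHA1` without `-legacy` case that clears the 0x760 error and then hits 0x705.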
04-25-2023 09:55 PM
Thanks for that @Paul Chapman
10-30-2023 08:15 AM
Thanks, Paul. Although my distro does have an openssl 1.1 package for legacy use, this is the best answer for v3 users, and it worked fine for me.
01-04-2024 05:43 AM
Cisco updated their manual for OpenSSL 3, see step 4: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--1629905883
Also it seems with 17.12.1 and newer, certificates generated with OpenSSL 3 should now work out of the box.
01-04-2024 06:15 AM
Thanks for pointing that out @patoberli