EAP-TLS 802.1X certificate issue

Dec 23rd, 2008

Hi All,


I'm trying to set up EAP-TLS 802.1X using ACS SE 4.1.1.23.4, a WLC and a CA. The problem I'm facing is with installing the CA certificate on the ACS appliance. I tried everything from the Cisco docs but am not able to install the certificate, as it gives "Unsupported private key file format." The steps which I performed are:


1) Generate Certificate Signing Request:

Certificate subject ---- CN=idea_acs_01

Private key file ---- privatekeyfile.pem

Private key password -- cisco

Retype private key password -- cisco

Key length --- 1024

Digest to sign with --- SHA1


Then copied the certificate signing request from the right side and pasted it on the CA using "advanced certificate request", then the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on the CA, and pasted the output in the Base-64-encoded certificate request field. Then issued the certificate from the CA and downloaded it to my desktop, and then from my desktop to the FTP server.

Even made a file named privatekeyfile.pem with the output obtained during Generate Certificate Signing Request and uploaded it to the FTP server.


2) Install ACS Certificate:

Then downloaded the certificate certnew.cer from the FTP server using the Download certificate file option, and also downloaded the private key file from the FTP server and typed the password cisco. But after submitting it gives the error:


"Unsupported private key file format."


I'm not able to understand why this error is coming. I even tried all the steps above changing the format of the private key file, i.e. .pvk, .pk, but it's not working for me.


Can anyone guide me on what the issue is? Thanks in advance.


Regards,

Piyush

Scott Fella Fri, 12/26/2008 - 07:08

Have you looked at this:


http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb


Try to open up the certificate and verify that it looks something like this:


-----BEGIN CERTIFICATE-----
IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
eUv4viaap9fTfcVM=
-----END CERTIFICATE-----
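
The "open up the file and look at it" check above can be made mechanical. The script below is an added example written for this thread, not code from the original post or from Cisco: it reads a file that is supposed to be a PEM certificate or private key and reports, offline and with the Python standard library only, the things that commonly produce an "unsupported private key file format" response from an importer. It checks that the file is PEM text with matching BEGIN/END lines, reads the label to say whether the block is a certificate, a CSR or a private key (the CSR output from step 1 saved as privatekeyfile.pem is exactly the case the label check catches), verifies the base64 body decodes, and checks that the decoded bytes start with a DER SEQUENCE whose declared length matches the payload, which flags a block truncated in copy/paste. Binary DER and other binary formats (PVK, PKCS#12) are reported as not-PEM. The sample inputs are constructed around a five-byte toy DER value; none of them is a real certificate or key.

```python
"""PEM/DER sanity checker for certificate and private-key files (added example).

"Unsupported private key file format" usually means the importer got a file that
is not what it expects: a CSR or certificate labelled as a key, a binary DER or
PVK blob where PEM text was required, or a PEM block whose base64 body was
truncated or altered in copy/paste. Standard library only; samples are constructed.
"""
import base64
import re

# RFC 7468 labels plus common OpenSSL legacy ones, mapped to what they hold.
LABELS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "csr",
    "NEW CERTIFICATE REQUEST": "csr",
    "PRIVATE KEY": "private key (PKCS#8)",
    "ENCRYPTED PRIVATE KEY": "private key (PKCS#8, encrypted)",
    "RSA PRIVATE KEY": "private key (PKCS#1)",
    "EC PRIVATE KEY": "private key (SEC1)",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def der_declared_size(der: bytes):
    """Size implied by the outer DER SEQUENCE header, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(text: str):
    """One finding dict per PEM block in `text`, in file order."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        f = {"label": begin, "kind": LABELS.get(begin, "unknown"),
             "encrypted": begin == "ENCRYPTED PRIVATE KEY", "problems": []}
        if begin != end:
            f["problems"].append(f"BEGIN/END labels differ: {begin!r} vs {end!r}")
        # Legacy OpenSSL keys put "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." lines
        # before the base64; base64 itself never contains ':', so split on that.
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        legacy_enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        try:
            der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except ValueError:                  # binascii.Error is a ValueError subclass
            f["problems"].append("body is not valid base64")
            findings.append(f)
            continue
        if legacy_enc:
            f["encrypted"] = True           # body is raw ciphertext: DER check not applicable
        else:
            size = der_declared_size(der)
            if size is None:
                f["problems"].append("payload does not start with a DER SEQUENCE")
            elif size != len(der):
                f["problems"].append(f"DER length mismatch: header says {size}, got {len(der)}")
        findings.append(f)
    return findings

def classify_file(data: bytes):
    """Top-level answer: PEM (with per-block findings), bare DER, or something else."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = None
    if text is not None and "-----BEGIN " in text:
        return {"format": "PEM", "blocks": inspect_pem(text)}
    if der_declared_size(data) == len(data):
        return {"format": "DER", "blocks": []}      # binary; convert to PEM before upload
    return {"format": "unknown", "blocks": []}      # e.g. PVK or PKCS#12, or not a key

def make_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-character lines (builds the samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples around a minimal DER SEQUENCE { INTEGER 5 }; none is a real object.
TOY_DER = bytes.fromhex("3003020105")
GOOD_CERT = make_pem("CERTIFICATE", TOY_DER)
GOOD_KEY = make_pem("RSA PRIVATE KEY", TOY_DER)
CSR_NOT_KEY = make_pem("CERTIFICATE REQUEST", TOY_DER)    # CSR output saved as the "key" file
TRUNCATED = make_pem("CERTIFICATE", TOY_DER[:3])          # tail lost during copy/paste
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, sample in [("cert", GOOD_CERT), ("key", GOOD_KEY), ("csr as key", CSR_NOT_KEY),
                         ("truncated", TRUNCATED), ("legacy encrypted", LEGACY_ENC)]:
        print(f"{name}: {classify_file(sample.encode())}")
    print("bare DER:", classify_file(TOY_DER), "| junk:", classify_file(b"\x00\x01not a key"))
```

Run it against the real files by replacing the samples with `classify_file(open(path, "rb").read())`. A private-key file whose block reads "CERTIFICATE REQUEST" is the CSR, not the key; a "DER" or "unknown" result means the file is binary and the importer needs a PEM (text) version; a "DER length mismatch" means lines were lost when the text was copied.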

piyush_singh Wed, 01/07/2009 - 02:02

I will check this as soon as I get back to the customer place and revert back. Thanks!!!



jsmbrown Fri, 01/09/2009 - 11:36

Is this an appliance? I don't think you have to upload the private key file on appliances. I believe it stores it. Just remember the password for it.

piyush_singh Mon, 01/12/2009 - 06:47

Yes, it's an appliance. Do you mean to say that for an appliance I don't need to create a .pem or .pvk file and upload it using an FTP server? What I need to do is just give the password which I used initially while generating the certificate, during installing the CA certificate on the appliance?

jsmbrown Mon, 01/12/2009 - 08:41

Yes, that is what I am saying. You only download the ACS server cert and the CA server cert. For the private key, just specify a name and password, and the field for the name will still be filled in when you install the ACS server cert. Don't change the name field, just enter the same password.

raun.williams Tue, 01/13/2009 - 13:22

Piyush,

I ran into this same issue on the non-appliance ACS ver 4.2. After reading all the docs I ended up contacting TAC, and it took a total of 5 minutes and we went about it a completely different way. This is the guide that was sent to me via TAC:


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp327388


If you do a CSR, it's really quite simple. Once you take the CSR request and input the information into your CA (I'm assuming a Windows environment), you'll get a hash key back that you can then paste into ACS and you're done.
