Cisco 7921 EAP-TLS "certificate verification failed"

Unanswered Question
Apr 1st, 2009
User Badges:

Hi All,


I am trying to install a digi cert on a 7921 and I get the message on import of "certificate verification failed".


Can anyone help me, as there does not seem to be much documentation with the above error message.


Many thx indeed,

Ken

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
kfarrington Wed, 04/01/2009 - 06:09
User Badges:

Hi there,


It appears I was exporting the cert with base64 encoding rather than DER encoding.


Can anyone tell me what the difference is between base64 and der format?


Many thx,

Ken

Srinivasaraghav... Sat, 07/14/2012 - 06:43
User Badges:
  • Cisco Employee,

Hi ,

Here  is some information  i  found on  cert with base64 encoding rather than DER encoding.


https://support.ssl.com/index.php?/Knowledgebase/Article/View/19


Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.


To  complete the eap tls logic on the 7921 phone.


You should have a  publicly known CA cert ( in some cases Misosoft CA your own which you distribute)  installed in the  7921 Phone  when you   generate the  CSR ( request ) from the phone which is  generated   combining the Public cert information. Now  you take  that  request to the  ROOT CA server and he signs  you CSR and generates a CERT For the  7921 phone which is expertable. once the generated cert chain is  downloaded, Export and install the signed cert for 7921 on the phone. The  7921 phone will not install the certificate if  the CSR was issued by any unknown CA.

How does it know that ? , because you had  installed or told the phone  the root CA cert infomation which you used to generate the CSR so when you get the certified or signed cert from CA during installation  will be able to  decode it only  if the CERT was signed by the CA  it knows thus verifying that its the right Cert signed by  its right CA authority. This is the beauty of it.

Hope this  logic clarifies   and helps.

Actions

This Discussion

 

 

Trending Topics - Security & Network