SSL Cert error

Unanswered Question
Jun 5th, 2009

We are following this doc: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml


We are at the part that wants us to:

6. Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.


Issue this command in the OpenSSL application:

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123


When we type it in we get this:

pass:fakepassword-1 -passout pass:fakepassword-1
Loading 'screen' into random state - done
No certificate matches private key
unable to write 'random state'
error in pkcs12



We're not sure what's wrong. What password should I be using? Should it be the challenge password in step 3?


Also, we picked Microsoft as our server in the enrollment tool part. Could this be part of the problem? If so, what should we have picked?

George Stefanick Fri, 06/05/2009 - 20:39

The password is the password you used when you created the request. This PW is encrypted in your "mykey.pem" file, or whatever you named it. If these don't match you will get an error.

rcsu-it Wed, 06/24/2009 - 12:02

I've noted on the Verisign page from another Cisco device query (ACS 3.2) that:

"..step..

12. Go to Enrollment. When enrolling for the SSL Certificate you will be asked to choose a server vendor, choose Apache. This will allow a certificate that is compatible with the Cisco ACS."

I'm wondering if anyone knows what vendor type would be appropriate for a Cisco 4400 series controller. I was about to send Verisign an email but thought this may be "vendor" specific.



Starthorn Thu, 06/25/2009 - 09:09

I just tried picking Apache. When I try to merge the files I get a new error message:

Loading 'screen' into random state - done
unable to write 'random state'

bgoulet00 Fri, 01/25/2013 - 12:11

Anyone ever come up with the solution to this? I'm stuck on the same step with the same error. I have copied the device, intermediate, and root cert files (using proper delimiters and in proper order) into an All-certs.pem and ran the command pkcs12 -export -in All-certs.pem -inkey mykey.pem -out CA.p12 -clcerts

I did not use the -pass options as no password was ever set during the private key generation step. I get the error "No certificate matches private key".

All files are right in the bin folder with the openssl executable. I know openssl is finding them because if I take them out of that folder I get file not found errors. I have also verified the files are a matching set by comparing the md5 hashes with the following commands:


x509 -noout -modulus -in All-certs.pem | openssl md5

rsa -noout -modulus -in mykey.pem | openssl md5

Scott Fella Fri, 01/25/2013 - 12:39

Well, the password is mandatory. Also, that error means that the private key does not match or is not found in the same directory you're running the command in.


Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Issue these commands in the OpenSSL application in order to create the All-certs.pem and final.pem files:

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem 
       -out All-certs.p12 -clcerts -passin pass:check123 
       -passout pass:check123
  
openssl>pkcs12 -in All-certs.p12 -out final-cert.pem 
       -passin pass:check123 -passout pass:check123

Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123.

final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.




Thanks,


Scott


Help out others by using the rating system and marking answered questions as "Answered"

bgoulet00 Fri, 01/25/2013 - 12:51

Can the -passin parameter be left out? We didn't set a password when generating the private key, so there is no argument to supply to -passin.

If the -passin parameter is required and the private key must have a password, is there a way to add the password after the fact, or do I have to go through the generation process again? Will the lack of a password cause this error, or is it just a requirement for loading onto the WLC at the end?

It was my understanding that the error meant the private key does not match or is not found in the same directory, but as I mentioned above, when the files are not in bin I get an error that the file can't be found or cannot be opened. Those errors go away when I drop the files in the bin directory, so that tells me OpenSSL is seeing them. The only way I know to determine if the private key matches is with the md5 hash, and that test passes, so I'm not sure what else the problem could be.

Scott Fella Fri, 01/25/2013 - 19:36

"Can the -passin parameter be left out? We didn't set a password when generating the private key, so there is no argument to supply to -passin."

No it can't.... you don't need to set one up when you are doing the CSR.... this is just to put one in so that when you upload it to the WLC, the WLC will take it.


Thanks,


Scott


Help out others by using the rating system and marking answered questions as "Answered"

Kayle Miller Mon, 01/28/2013 - 08:10

If you follow all the steps correctly it should work; you cannot leave the password out, as Scott indicated, because it is required.


Help out others by using the rating system and marking answered questions as "Answered"

rcsu-it Wed, 09/24/2014 - 19:38

Here is my response to the TAC Engineer at the time:

Sent: Tuesday, September 01, 2009 3:08 PM
To: Vijaya Baliwada (vbaliwad)
Subject: Re: Sev3 SR 612355487 : WLC WebAuth Cert Issue

Vijaya,

I'm glad to inform you that by using the X.509 certificate response file from Verisign, and after trying a combination of the entity certificate, intermediate certificate AND the proper X.509 Base-64 bit format Verisign root certificate, the commands in the documentation worked.

Our main issue was incorrectly using the PKCS#7 certificate from Verisign. The openssl commands worked instantly using X.509. We also had difficulty obtaining the correct root certificate from Verisign. We obtained the browser DER formatted root from Internet Explorer and exported it from IE to an X.509 Base-64 format. We then did the combination described above and added it to webauth.
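The checks this thread converges on, as one added shell example (not code from the thread or from the Cisco document): it detects a PKCS#7 download and unpacks it to X.509 PEM (the root cause in the reply above), confirms the device certificate matches the private key (the md5-of-modulus check from the thread, generalized to compare public keys so it also works for EC keys), and then runs the two documented pkcs12 commands. It assumes the openssl CLI is on PATH; the temp directory, the self-signed test certificate and the password check123 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Cisco document. Assumes the
# openssl CLI is on PATH; file names and the password follow the doc's example.
set -e
WORK=$(mktemp -d)

# Root cause from the last reply: a PKCS#7 (.p7b) download is not what
# pkcs12 -export expects. Detect it and unpack it into plain X.509 PEM certs.
is_pkcs7() { grep -q -- '-----BEGIN PKCS7-----' "$1"; }
pkcs7_to_pem() { openssl pkcs7 -print_certs -in "$1" -out "$2"; }

# The thread's md5-of-modulus test, generalized: compare the public key in the
# first certificate of the bundle with the one derived from the private key.
# Works for RSA and EC keys; the device certificate must come first.
cert_matches_key() {   # certs.pem key.pem [key-password]
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
  key_pub=$(openssl pkey -pubout -in "$2" -passin "pass:${3:-}") || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# The two documented commands: export to PKCS#12 with -passout, then convert
# back to a PEM holding the chain plus the key encrypted under that password
# (the WLC certpassword). -passin is simply ignored when the key has none.
build_final_pem() {   # certs.pem key.pem final.pem password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3.p12" -clcerts \
      -passin "pass:$4" -passout "pass:$4"
  openssl pkcs12 -in "$3.p12" -out "$3" -passin "pass:$4" -passout "pass:$4"
}

# Constructed sample input: a throwaway key and self-signed certificate stand
# in for mykey.pem and the CA-issued device certificate ...
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wlc.example.test" \
    -keyout "$WORK/mykey.pem" -out "$WORK/device.pem" 2>/dev/null
# ... and the same certificate wrapped as PKCS#7, like a .p7b from a CA portal.
openssl crl2pkcs7 -nocrl -certfile "$WORK/device.pem" -out "$WORK/bundle.p7b"

if is_pkcs7 "$WORK/bundle.p7b"; then
  pkcs7_to_pem "$WORK/bundle.p7b" "$WORK/All-certs.pem"
fi
cert_matches_key "$WORK/All-certs.pem" "$WORK/mykey.pem"
build_final_pem "$WORK/All-certs.pem" "$WORK/mykey.pem" "$WORK/final.pem" check123
echo "final.pem written to $WORK (certificates: $(grep -c 'BEGIN CERTIFICATE' "$WORK/final.pem"))"
```

If cert_matches_key fails, pkcs12 -export will print "No certificate matches private key" no matter which directory the files sit in; fix the pairing or the bundle order first.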

 
