SSL Cert error

Starthorn
Level 1

We are following this doc: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

We are at the part that wants us to:

6. Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

Issue this command in the OpenSSL application:

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123

When we type it in we get this

pass:fakepassword-1 -passout pass:fakepassword-1

Loading 'screen' into random state - done

No certificate matches private key

unable to write 'random state'

error in pkcs12

We're not sure what's wrong. What password should I be using? Should it be the challenge password in step 3?

Also, we picked Microsoft as our server in the enrollment tool part. Could this be part of the problem? If so, what should we have picked?

10 Replies

George Stefanick
VIP Alumni

The password is the password you used when you created the request. This PW is encrypted in your "mykey.pem" file, or whatever you named it. If these don't match you will get an error.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

rcsu-it
Level 1

I've noted on the Verisign page from another Cisco device query (ACS 3.2) that:

"..step.. 12. Go to Enrollment. When enrolling for the SSL Certificate you will be asked to choose a server vendor, choose Apache. This will allow a certificate that is compatible with the Cisco ACS."

I'm wondering if anyone knows what Vendor type would be appropriate for a Cisco 4400 series controller. Was about to send Verisign an email but thought this may be "vendor" specific.

I just tried picking Apache. When I try to merge the files I get a new error message:

Loading 'screen' into random state - done

unable to write 'random state'

bgoulet00
Level 1

Anyone ever come up with the solution to this? I'm stuck on the same step with the same error. I have copied the device, intermediate, and root cert files (using proper delimiters and in proper order) into an All-certs.pem and ran the command pkcs12 -export -in All-certs.pem -inkey mykey.pem -out CA.p12 -clcerts

I did not use the -pass options as no password was ever set during the private key generation step. I get the error No certificate matches private key

All files are right in the bin folder with the openssl executable. I know openssl is finding them because if I take them out of that folder I get file not found errors. I have also verified the files are a matching set by comparing the md5 hashes with the following commands

x509 -noout -modulus -in All-certs.pem | openssl md5

rsa -noout -modulus -in mykey.pem | openssl md5

Well, the password is mandatory. Also, that error means that the private key does not match or is not found in the same directory you're running the command from.

Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Issue these commands in the OpenSSL application in order to create the All-certs.pem and final.pem files:

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem 
       -out All-certs.p12 -clcerts -passin pass:check123 
       -passout pass:check123
  
openssl>pkcs12 -in All-certs.p12 -out final-cert.pem 
       -passin pass:check123 -passout pass:check123

Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123.

final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Can the -passin parameter be left out? We didn't set a password when generating the private key, so there is no argument to supply to -passin.

If the -passin command is required and the private key must have a password, is there a way to add the password after the fact, or do I have to go through the generation process again? Will the lack of a password cause this error, or is it just a requirement for loading onto the WLC at the end?

It was my understanding that the error meant the private key does not match or is not found in the same directory, but as I mentioned above, when the files are not in bin, I get an error that the file can't be found or cannot be opened. Those errors go away when I drop the files in the bin directory, so that tells me openSSL is seeing them. The only way I know to determine if the private key matches is with the md5 hash, and that test passes, so I'm not sure what else the problem could be.

Can the -passin parameter be left out? We didn't set a password when generating the private key, so there is no argument to supply to -passin.

No it can't.... You don't need to set one up when you're doing the CSR.... This is just to put one in so when you upload it to the WLC, the WLC will take it.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

If you follow all the steps correctly it should work; you cannot leave out the password, as Scott indicated, because it is required.

Help out others by using the rating system and marking answered questions as "Answered"

Tim Davies
Level 1

Hi there, did you manage to resolve this?

Here is my response to the TAC Engineer at the time:


Sent: Tuesday, September 01, 2009 3:08 PM

To: Vijaya Baliwada (vbaliwad)

Subject: Re: Sev3 SR 612355487 : WLC WebAuth Cert Issue

Vijaya,

I'm glad to inform you that by using the X.509 certificate response file from Verisign and after trying a combination of the entity certificate, intermediate certificate AND the proper X.509 Base-64 bit format Verisign Root certificate the commands in the documentation worked.


Our main issue was incorrectly using the PKCS#7 certificate from Verisign. The openssl commands worked instantly using x.509. We also had difficulty obtaining the correct root certificate from Verisign. We obtained the browser DER formatted root from internet explorer and exported it from IE to an x.509 Base-64 format. Then did the combination described above and added it to webauth.
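As an added example (not code from this thread or from Cisco's document), here is a small POSIX shell script that packages the checks discussed above: it classifies a PEM file by its first BEGIN line so that a PKCS#7 bundle (the cause in Tim's TAC case) is caught before pkcs12 ever sees it, compares the certificate and key moduli the way bgoulet00 did, and runs the two-step pkcs12 export/import from the document with one password for -passin and -passout. It assumes the openssl command-line tool is on PATH and builds its own constructed test material (a self-signed certificate with its key, plus an unrelated key that must be rejected) in a temporary directory; the file names mirror the document (mykey.pem, All-certs.pem, final.pem) and the password check123 is the document's example value.

```shell
#!/bin/sh
# Added example, not part of the thread or the Cisco document.
# Assumes the openssl CLI is on PATH. Constructed inputs only.
set -eu

# Classify a PEM file by its first BEGIN line. "No certificate matches private
# key" is a typical result of feeding pkcs12 a PKCS#7 (.p7b) bundle, which the
# x509 and pkcs12 commands do not read as a plain certificate.
pem_kind() {
    # $1: path to a PEM file
    case "$(grep '^-----BEGIN' "$1" | head -n 1)" in
        *"BEGIN PKCS7"*)       echo pkcs7 ;;
        *"BEGIN CERTIFICATE"*) echo x509 ;;
        *"PRIVATE KEY"*)       echo key ;;
        *)                     echo unknown ;;
    esac
}

# Return 0 when the RSA modulus of the FIRST certificate in $1 equals the
# modulus of the private key in $2. This is the md5 comparison from the thread,
# done on the full modulus instead of a hash. Note that x509 only reads the
# first certificate, so the device certificate must be first in the bundle.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Bundle chain + key into a .p12, then back into one PEM, as the document does.
# The same password is used for -passin and -passout; the -passout value is the
# one that must match the certpassword configured on the WLC. On the export
# step -passin is only consulted if the key file itself is encrypted.
# $1: chain PEM, $2: private key PEM, $3: output PEM, $4: password
build_final_pem() {
    tmp_p12="$3.p12"
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$tmp_p12" -clcerts \
        -passin "pass:$4" -passout "pass:$4"
    openssl pkcs12 -in "$tmp_p12" -out "$3" -passin "pass:$4" -passout "pass:$4"
    rm -f "$tmp_p12"
}

# Constructed test material (hypothetical CN): a self-signed certificate with
# its key, plus an unrelated second key that must fail the match check.
make_sample() {
    # $1: directory to write into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=wlc.example.test" \
        -keyout "$1/mykey.pem" -out "$1/All-certs.pem" 2>/dev/null
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

# Stand-alone run: check the bundle, then build final.pem only if the key fits.
demo() {
    d=$(mktemp -d)
    make_sample "$d"
    [ "$(pem_kind "$d/All-certs.pem")" = x509 ] || {
        echo "All-certs.pem is not an X.509 PEM bundle (got $(pem_kind "$d/All-certs.pem"))" >&2
        exit 1
    }
    if key_matches_cert "$d/All-certs.pem" "$d/mykey.pem"; then
        build_final_pem "$d/All-certs.pem" "$d/mykey.pem" "$d/final.pem" check123
        echo "final.pem written with $(grep -c '^-----BEGIN' "$d/final.pem") PEM objects"
    else
        echo "private key does not match the first certificate in the bundle" >&2
        exit 1
    fi
    rm -rf "$d"
}
demo
```

Run it as-is to see the happy path; to reproduce the thread's failure mode, point key_matches_cert at a bundle whose first certificate is the root rather than the device certificate, or at a PKCS#7 file, and it will report a mismatch or the pkcs7 kind before any pkcs12 step is attempted.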

