NCS import web management certificate

Answered Question
Feb 20th, 2012

Hi,

I have some trouble uploading a certificate in NCS.

When I upload the certificate it says:

XX-XX-NCS01/admin# ncs key importsignedcert wlan_xx_xxxx_nl.pem repository ncs-tftp-repo

INFO: no staging url defined, using local space.        rval:2

The WCS server is running

Changes will take affect on the next server restart

Importing signed certificate for key

Error importing key java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

ERROR: ncs key importsignedcert command failed. rval:256

The PEM is made with openSSL, the source is a pfx. Command used:

pkcs12 −in wlan_xx_xxx_nl.pfx −out  wlan_xx_xxxx_nl.pem −passin pass:xxxx −passout pass:xxxx


Also tried to upload key and certificate seperately but no succes:

XX-XX-NCS01/admin# ncs key importkey wlan_xx_xxxx_nl_key.pem wlan_xx_xxxx_nl_cert.pem repository ncs-tftp-repo

INFO: no staging url defined, using local space.        rval:2

INFO: no staging url defined, using local space.        rval:2

The WCS server is running

Changes will take affect on the next server restart

Importing RSA key and matching certificate

Error importing key java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key

ERROR: ncs key importkey command failed.        rval:256

It looks like the certificate encoded the wrong way but I can't think of another way.

Anyone any suggestions or experience with this?

Thanks!

Thomas

I have this problem too.
0 votes
Correct Answer by airframes about 2 years 1 month ago

Thomas,

Did you try the keytool method as outlined in the NCS config guide appendix for server hardening (and substitute openssl for keytool), or are you following another outlined procedure somewhere?

Justin

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (3 ratings)
airframes Wed, 02/22/2012 - 00:20

Thomas,

I've seen and heard of weird issues with different versions of OpenSSL. I use v0.9.8 and have had consistenly good results with this version. Which version are you using?

Justin

Thomasvdkolk Wed, 02/22/2012 - 00:42

I also use OpenSSL 0.9.8. I used this OpenSSL version to create certificates for the WLC Web Auth portal and had no issues. Any other suggestions?

Correct Answer
airframes Wed, 02/22/2012 - 00:52

Thomas,

Did you try the keytool method as outlined in the NCS config guide appendix for server hardening (and substitute openssl for keytool), or are you following another outlined procedure somewhere?

Justin

Thomasvdkolk Wed, 02/22/2012 - 01:00

Justin,

I created a certificate through a windows client. The hostname of NCS is not the name of the certificate because of a DNS alias. Wil give the keytool method a try. I hit the correct answer button accidentally.

Thanks!

Thomas

Thomasvdkolk Wed, 02/22/2012 - 01:35

Justin,

The keytool method doesn't make much sense to me. I can't translate this method to my own environment. It doesn't say in which format the certificate must be when I upload it to NCS.

The certificate I want to upload is one of my own domain (so its not a public one). The trusted CA is already uploaded to NCS with command: "ncs key importcacert".

The procedure I was following is:

http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00808a94ca.shtml

The certificate I have is a .pfx which I converted to a .pem

Or should I convert the .pfx to a .p7b   and then the .p7b to a pem?

Thomas

airframes Wed, 02/22/2012 - 02:25

Thomas,

The procedure you linked is for WCS. You will need to follow the NCS procedure, which is different.

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/hard.html#wp1042818

You generate your CSR from the NCS command line, submit it to your CA, and then your CA needs to issue the cert in a pkcs7 (p7b) format.

Import that signed p7b cert into NCS via CLI per the instructions an that's all you should need to do. As long as your CA root cert is trusted on your client, you should be able to hit NCS management without a warning.

Finally, it looks like the keytool method is only required when you need to put a cert on your client, which I don't gather from your post you need to do, so you can probably ignore the keytool section altogether.

Justin

Sent from Cisco Technical Support iPhone App

Thomasvdkolk Fri, 02/24/2012 - 02:25

Justin,

Thanks for the response so far.

When I import the p7b certificate I get the following error:

XX-XX-NCS01/admin# ncs key importsignedcert wlan_xx_xxxx_nl.p7b repository ncs-ftp-repo

INFO: no staging url defined, using local space.        rval:2

The WCS server is running

Changes will take affect on the next server restart

Importing signed certificate for key

Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat

ERROR: ncs key importsignedcert command failed. rval:256

Thomas

airframes Fri, 02/24/2012 - 09:52

Thomas,

Are you using NCS to generate the CSR?

# ncs key genkey -csr repository

Justin

airframes Mon, 02/27/2012 - 19:00

Thomas,

Just to give you an update: I have this built in my lab and I have been running into a host of issues with this procedure as documented. It has taken a TAC case and special file access so far, but the short version of the story is that the certificate request process is [natively] broken in NCS, even on version 1.1.0.58, and requires a root patch to get it working.

I have finally gotten the CSR generated and off the box. My next step, as soon as I get a chance in the next couple of days, is to submit the CSR to the CA and then import the issued cert into NCS. Hopefully that will go a little more smoothly.

I hope to post an update soon.

Justin

Thomasvdkolk Tue, 02/28/2012 - 02:53

Justin,

I have it working, use the following steps:

  • Add root CA certificate of your domain in NCS with: ncs key importcacert xxxxca.cer
  • Generate a CSR on NCS with: ncs key genkey -csr csrnamexxx repository ncs-ftp-repo
  • CSR is used for a offline request to the domain CA, a subject alternate name (SAN) is used for the use of another DNS name then the NCS domain name. The SA is added with help of Microsoft Technet article “How to add a Subject Alternative Name to a secure LDAP certificate” http://support.microsoft.com/kb/931351   DNS name of NCS is xx-dc-nsc01.xx.xxxx.nl, the SAN is wlan.xx.xxxx.nl (DNS records are already updated)
  • Upload the created certificate to NCS with: ncs key importsignedcert xx-dc-ncs01.cer repository ncs-ftp-repo
  • There is no need to import a private key
  • When I go to https://wlan.xx.xxxx.nl I see the inlog screen of NCS with no certificate error (client system has to be in the same domain)

Thomas

airframes Tue, 02/28/2012 - 18:41

Thomas,

Thanks for your update.

Some users (such as me) will run into bug CSCty04253, which exists in 1.0.58 but is fixed in 1.1.1 (not available from CCO as of this post). There is a workaround for it. From the bug ID:

Symptom:



Trying to generate CSR fails with error 256


Conditions:



Using NCS 1.1.0.58 to try to generate a CSR fails with error 256


Workaround:



1. install root enable package on NCS

2. Login as 'root' user into NCS via SSH


3. a) For signed certificate from CA:

i. Execute the below command ' /opt/CSCOncs/bin/keyadmin.sh -newdn -csr genkey < /localdisk/ftp/filename.csr>'

ii. Download the < filename.csr> CSR file from NCS to get it signed from the CA

iii. After receiving CA certificate, signed certificates/key, please use 'ncs key importXXX' cli to install on NCS.


b) For newly generated self signed certificate:

If user wants to use newly generate self-signed certificate in NCS, please execute the below command alone in NCS root enable prompt:

' /opt/CSCOncs/bin/keyadmin.sh -newdn genkey '


4. After installing the certificates, please do 'ncs stop/start' once to make the changes into effect.

Note that the "root enable package" identified in Step 1 must be requested from TAC. When the ticket is opened, ID this bug and they'll likely send you the root package with install instructions on first response.

The workaround also states that in order to run the keyadmin.sh command, you should log into NCS as root via SSH. In my testing, SSH access was blocked on the root account, even after resetting the account password. I also ran into other issues with these instructions. After some exhaustive clicking and typing, here's what I came up with as modified steps to achieve the above workaround:

  1. Log into the NCS as admin on the console:
    • If you have NCS on a physical appliance, use the physical console port
    • If you have NCS on a virtual appliance, use the VMWare console window to the guest machine
    • Note: If you try the following steps logged in through SSH instead of console, expect one or more of them to fail
  2. Install the root enable package per TAC instructions
  3. Again, make sure you are logged in as admin via the console, then:
  4. Execute the root_enable command to enable root access and set the root password
  5. Execute the root command. This will prompt for root login and invoke a shell to ADE#. You will have full system access (now you're in Linux; all the NCS CLI commands don't work here)
  6. Execute the key generation steps as outlined above in Step 3(a)i or 3(b).
  7. Type exit to leave the ADE# shell. You should now be back at the admin/# shell and your familiar NCS CLI commands are available again.
  8. Execute dir disk:/ftp. You should see your CSR file
  9. If you see it, proceed to Steps 3(a)ii and 3(a)iii to get your CSR signed by the CA and then your cert imported into NCS
  10. Proceed to Step 4 to stop and restart NCS services

Justin



patoberli Fri, 02/22/2013 - 07:30

Just to update this, as I run now also into:

Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat

I had a CPI 1.2.1.x where I successfully installed a company signed certificate. That worked fine and the browser showed it as valid. I did had an issue, Chrome 24 didn't anymore load the site after logging in. It did work in Firefox though, so it might be a Chrome issue. I can load the website in Chrome if I connect to the IP address of the server.

Some days ago I updated to 1.3 and this reverted or replaced my certificate. It's now again a selfsigned certificate?!?

So I tried to install again my old certificate, but this time I receive the above error.

cpi1/admin# ncs key importsignedcert cpi1.domain.com.pem repository defaultRepo

INFO: no staging url defined, using local space.        rval:2

truststore used is /opt/CSCOlumos/conf/truststore

The NCS server is running

Changes will take affect on the next server restart

Importing signed certificate for key

Error importing key java.security.KeyStoreException: New certificate does not match key for tomcat

cpi1/admin#

Any ideas, or is it broken again in 1.3?  

Actions

Login or Register to take actions

This Discussion

Posted February 20, 2012 at 5:05 AM
Stats:
Replies:12 Avg. Rating:5
Views:4755 Votes:0
Shares:0

Related Content

Discussions Leaderboard