Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS V4.0 - Certificates & Unsupported private key file format.

I'm attempting to use EAP-TLS authentication for our Wireless clients.

We are using a MS Win2k CA and have followed the "User Guide for Cisco Secure ACS Solution Engine Version 4.0" and the "EAP TLS Deployment Guide for Wireless WAN Networks" White paper.

The issue I am having is when I download the Certificate (created on the Win2K server which is the CA in Base64-encoded X.509., 1024 key size etc), it demands a private key file. So we exported the Private Key file in Base64 and it generated a .pfx file. So this is all looking good. When we hit the submit button we get "Unsupported private key file format." We have read and re-read the doco but cannot find any guidance on the export of the private key file. We have now tried 8 different combinations on the export of the key file with the same result every time.

What's the magic Key! Rgds - Nick


Re: ACS V4.0 - Certificates & Unsupported private key file forma

Where do you see the "Unsupported private key file format"? Is it in Cisco ACS when you try to generate cert under "Generate Certificate Signing Request"? This should be under "System Configuration - ACS Certificate setup".

Try to use ".pk" as the private key extension. I have similar problem before successfully getting them to work.

Certificate subject : cn=csacs-appl

Private key file : <---- this format/extension works

Private key password : abc123

Retype private key password : abc123

Key length : 1024 (default value)

Digest to sign with : SHA1 (default value)

Hope this helps. Pls rate all useful post(s)


New Member

Re: ACS V4.0 - Certificates & Unsupported private key file forma

Thanks for the info.

The Error message appears when attempting to "Install ACS Certificate" on the ACS.

If we use the .pk extension the same error message is generated on the ACS.

Bear in mind the Certificate and Key has been exported from our Win2K CA server in our network, NOT from the ACS. We are trying to install a server certificate for the ACS generated using the "Advanced Certificate Request" on the MS CA server. We used the "Web Server" template as per section 6.2.1 Page 19 in the "EAP TLS Deployment Guide for Wireless LAN Networks".

If we use generate a Cert and Key file on the ACS (Generate Self-Signed Certificate) it works fine. But of no use for our production network which uses the MS CA's on all our client w/stations and Laptops.

Hope this clarifys the situation.


Re: ACS V4.0 - Certificates & Unsupported private key file forma

I have successfully imp0lement similar setup with ACS 3.2 Appliance, with MS CA server to generate the cert for ACS and wireless client.

The only thing different is probably the way I import the digital cert from CA to ACS which is via FTP. This is due to the limitationof ACS 3.2 appliance when it was first release by Cisco. But I did a few experiment, and everything works fine.

Attached is my partial configuration for ACS, how to generate & import digicert to ACS via FTP.

Hope this helps.


New Member

Re: ACS V4.0 - Certificates & Unsupported private key file forma

Thanks for the files but ACS4.0 insists on a key with the Cert. We used your procedure but as no key is generated, we could not install the Certificate. We attempted to install the Cert on the CA to allow us to export the Key, but no luck there.

I have attached 2 files.

File 1 is the results of installing the Cert using your procedure and using our procedure to generate a cert and a key.

File 2 is the procedure we used for generating the Cert and the Key. Hope this is of use.

New Member

Re: ACS V4.0 - Certificates & Unsupported private key file forma


this is a full guide on how to build a 802.1x for wired lan. you can use most of it to certify your ACS with the domain CA.

in any case - I alway use the private.cer

extention for the private key file and it works for me.

hope this helps


New Member

Re: ACS V4.0 - Certificates & Unsupported private key file forma

Hi Motti,

Thanks for the post. We resolved it last Friday. What the guide infers is that the Private Key is generated by the CA. It's not. It's generated by the ACS when the Certificate Signing Request is submitted.

We used this to get a Cert for the ACS from the CA and used the Private Key generated from the Cert Signing Request on the ACS.

The Cisco doco infers you have to download the Private Key via Ftp. You don't, it's already on the machine. This is what led us astray.

Thanks for your assistance anyhow.

Rgds - Nick

New Member

Re: ACS V4.0 - Certificates & Unsupported private key file forma

Wow thank you so much!!! I have been pulling my hair out on this one because the Cisco doc is wrong!!

As mentioned, the key is created by ACS and you just need to put in the password and it accepts the .pvk!! THANK YOU!!