ACS V4.0 - Certificates & Unsupported private key file format.

U100045NRO
Level 1

I'm attempting to use EAP-TLS authentication for our Wireless clients.

We are using a MS Win2k CA and have followed the "User Guide for Cisco Secure ACS Solution Engine Version 4.0" and the "EAP TLS Deployment Guide for Wireless WAN Networks" White paper.

The issue I am having is that when I download the Certificate (created on the Win2K server, which is the CA, as Base64-encoded X.509, 1024 key size, etc.), it demands a private key file. So we exported the Private Key file in Base64 and it generated a .pfx file. So this is all looking good. When we hit the submit button we get "Unsupported private key file format." We have read and re-read the doco but cannot find any guidance on the export of the private key file. We have now tried 8 different combinations on the export of the key file, with the same result every time.

What's the magic Key! Rgds - Nick

7 Replies

a.kiprawih
Level 7

Where do you see the "Unsupported private key file format"? Is it in Cisco ACS when you try to generate cert under "Generate Certificate Signing Request"? This should be under "System Configuration - ACS Certificate setup".

Try to use ".pk" as the private key extension. I had a similar problem before successfully getting them to work.

Certificate subject : cn=csacs-appl

Private key file : private-key1.pk <---- this format/extension works

Private key password : abc123

Retype private key password : abc123

Key length : 1024 (default value)

Digest to sign with : SHA1 (default value)

Hope this helps. Pls rate all useful post(s)

AK

Thanks for the info.

The Error message appears when attempting to "Install ACS Certificate" on the ACS.

If we use the .pk extension the same error message is generated on the ACS.

Bear in mind the Certificate and Key have been exported from our Win2K CA server in our network, NOT from the ACS. We are trying to install a server certificate for the ACS generated using the "Advanced Certificate Request" on the MS CA server. We used the "Web Server" template as per section 6.2.1, page 19, in the "EAP TLS Deployment Guide for Wireless LAN Networks".

If we generate a Cert and Key file on the ACS (Generate Self-Signed Certificate) it works fine. But that is of no use for our production network, which uses the MS CAs on all our client workstations and laptops.

Hope this clarifies the situation.

Nick

I have successfully implemented a similar setup with an ACS 3.2 Appliance, with an MS CA server generating the certs for the ACS and the wireless clients.

The only thing different is probably the way I import the digital cert from the CA to the ACS, which is via FTP. This is due to a limitation of the ACS 3.2 appliance when it was first released by Cisco. But I did a few experiments, and everything works fine.

Attached is my partial configuration for ACS, showing how to generate and import the digicert to the ACS via FTP.

Hope this helps.

AK

Thanks for the files, but ACS 4.0 insists on a key with the Cert. We used your procedure, but as no key is generated, we could not install the Certificate. We attempted to install the Cert on the CA to allow us to export the Key, but no luck there.

I have attached 2 files.

File 1 is the results of installing the Cert using your procedure, and of using our procedure to generate a cert and a key.

File 2 is the procedure we used for generating the Cert and the Key. Hope this is of use.

mmmoookkk
Level 1

Hello

This is a full guide on how to build 802.1X for a wired LAN. You can use most of it to certify your ACS with the domain CA.

In any case, I always use the private.cer extension for the private key file and it works for me.

hope this helps

Motti

Hi Motti,

Thanks for the post. We resolved it last Friday. What the guide implies is that the Private Key is generated by the CA. It's not. It's generated by the ACS when the Certificate Signing Request is submitted.

We used this to get a Cert for the ACS from the CA and used the Private Key generated from the Cert Signing Request on the ACS.

The Cisco doco implies you have to download the Private Key via FTP. You don't; it's already on the machine. This is what led us astray.

Thanks for your assistance anyhow.

Rgds - Nick
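The flow Nick ends up with (key and CSR generated on the ACS, only the CSR submitted to the CA, the returned certificate installed against the key already on the ACS) can be reproduced and checked offline with OpenSSL. The script below is an added example, not part of the thread and not Cisco or Microsoft documentation: a throwaway self-signed root stands in for the Windows 2000 CA, and the file names, the CA subject and the PKCS#12 password are assumptions for the demo. It also shows why a .pfx export does not pass as a "private key file" and why a key that did not produce the CSR can never pair with the certificate, whatever extension it is given.

```shell
#!/bin/sh
# Added example (not from the thread): the CSR-based enrolment flow, reproduced offline
# with OpenSSL. The "CA" is a throwaway self-signed root standing in for the Windows CA;
# file names, subjects and the PKCS#12 password "changeit" are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 (what the ACS does under "Generate Certificate Signing Request"): the private key
# is created on the RADIUS server and never leaves it; only the CSR goes to the CA.
make_csr() {
    openssl genrsa -out "$WORK/acs-key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/acs-key.pem" -subj "/CN=csacs-appl" \
        -out "$WORK/acs.csr" 2>/dev/null
}

# Stand-in for the enterprise CA (demo only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
        -subj "/CN=Demo Root CA" -days 1 -out "$WORK/ca-cert.pem" 2>/dev/null
}

# Step 2: the CA signs the CSR. Note what comes back: a certificate only, never a key.
sign_csr() {
    openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 1 \
        -out "$WORK/acs-cert.pem" 2>/dev/null
}

# SHA-256 of the SubjectPublicKeyInfo, read from a certificate or derived from a private key.
pubkey_fp_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
pubkey_fp_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }

# Step 3: before installing, confirm the certificate was issued for this key.
cert_matches_key() {
    if [ "$(pubkey_fp_cert "$1")" = "$(pubkey_fp_key "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Classify a "private key file". A PKCS#12 bundle (.pfx, what a Windows export produces)
# is a container holding key and certificate, not a bare private key.
key_format() {
    if openssl pkey -in "$1" -noout >/dev/null 2>&1; then
        echo pem-private-key
    elif openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" >/dev/null 2>&1; then
        echo pkcs12
    elif openssl pkey -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo der-private-key
    else
        echo unknown
    fi
}

# Unpack a .pfx into the separate PEM key and certificate a RADIUS server typically wants.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3" 2>/dev/null
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" -out "$4" 2>/dev/null
}

make_ca
make_csr
sign_csr

# A key that did not produce the CSR (e.g. something exported from the CA box) cannot
# pair with the certificate, no matter what extension the file is given.
openssl genrsa -out "$WORK/other-key.pem" 2048 2>/dev/null

# A Windows-style export of the pair, to show how it classifies and how to unpack it.
openssl pkcs12 -export -inkey "$WORK/acs-key.pem" -in "$WORK/acs-cert.pem" \
    -passout pass:changeit -out "$WORK/acs.pfx"
pfx_to_pem "$WORK/acs.pfx" changeit "$WORK/key-from-pfx.pem" "$WORK/cert-from-pfx.pem"

echo "csr key    : $(cert_matches_key "$WORK/acs-cert.pem" "$WORK/acs-key.pem")"
echo "other key  : $(cert_matches_key "$WORK/acs-cert.pem" "$WORK/other-key.pem")"
echo "pfx key    : $(cert_matches_key "$WORK/acs-cert.pem" "$WORK/key-from-pfx.pem")"
echo "key format : $(key_format "$WORK/acs-key.pem" changeit)"
echo "pfx format : $(key_format "$WORK/acs.pfx" changeit)"
```

Run it with sh; it needs only the openssl binary. The public-key fingerprint comparison is the check to make before blaming the file format: if it reports a mismatch, no extension or export option will make the server accept the pair. One known caveat when unpacking real exports: a .pfx written by an old Windows CA may be encrypted with RC2, which OpenSSL 3 only reads with the `-legacy` option and the legacy provider loaded.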

Wow thank you so much!!! I have been pulling my hair out on this one because the Cisco doc is wrong!!

As mentioned, the key is created by ACS and you just need to put in the password and it accepts the .pvk!! THANK YOU!!