Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PEM or DER Format certificate chain

I have installe an ISE 1.2.0.899. It is used for Guest Services only, the customer require all its employees be able to access the sponsor portal and validated their credentials using LDAPS. Not LDAP, not AD feature in ISE. The problem is because in order to enable LDAPS I must upload to ISE the root CA certificate, the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and give it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (www.sslshopper.com and openssl). It appears the convertion is successfull but when I try to upload on ISE Certificate Store always I get the same errror: "Unable to read certificate file - please be sure file is in PEM or DER format".

So the questions are:

1. Is the file provided by the PKI in p7b format always?

2. What should be the most proper way to convert the file to something the ISE can understand?

3. Should be the root CA certificate a vey best option?

Even the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files, I recovered them and uploaded to ISE. Whit two of these three files selected on LDAPS security configuration I can run the "Test bind to Server" successfully but everytime an user try with its own credentials always the access is denied with "invalid username or password" error.

Locking in the ISE log I found this messages:

ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226

ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396

631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765

WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970

ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202

ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461

ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328

ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117

ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608

I don't have idea what do they mean.

Someone told me the convertion made with mmc on my pc was an error and I need to repeat the same process using administrative tools on a server

I'm really confused and I don't know how continue with a troubleshoot process.

How can I know the original file is correct?

How can I know the conversion is correct?

As the original chain includes three certificates, I should upload them to ISE separately or as one file?

Attached is the Sponsor policy screenshoot. I have two rules with the same conditions one por AD (just for test), one for LDAPS.

I will appreciate your help

Regards.

Daniel Escalante

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: PEM or DER Format certificate chain

Hi,

If you open the .p7b file on a Windows machine. (Open not install)

Go to the Certification Path and click on the root certificate, click View Certificate.

Now you have the root certificate.

Go to Details and click Copy to File. This give you the option to exprot the root cert.

Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.

Click next and save. Then try to import under Server certifiactes on ISE

You can do this for sub-CA cert in the chain as well.

HTH

2 REPLIES
New Member

Re: PEM or DER Format certificate chain

Hi,

If you open the .p7b file on a Windows machine. (Open not install)

Go to the Certification Path and click on the root certificate, click View Certificate.

Now you have the root certificate.

Go to Details and click Copy to File. This give you the option to exprot the root cert.

Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.

Click next and save. Then try to import under Server certifiactes on ISE

You can do this for sub-CA cert in the chain as well.

HTH

New Member

PEM or DER Format certificate chain

Hi Mikael:

Up to now all my test are being satisfactory.

Thank you so much.

Regards

1761
Views
0
Helpful
2
Replies
CreatePlease to create content