New Member

CSS/SSL import a .pfx cert PKCS12 for association

Hello All,

I have been working to import and associate a .pfx cert with PKCS12 into our CSS11503 v8.10 and have had little success. I was finally able to import it but have trouble associating it; I keep getting this error:

CSS11503# copy ssl ftp SSL import ProdCert.com.pfx PKCS12 "cisco" "cisco"

Connecting (|)

Completed successfully.

CSS11503(config)# ssl associate cert ProdCert ProdCert.com.pfx

%% Not a valid key or certificate file

Any ideas???

Cisco Employee

Re: CSS/SSL import a .pfx cert PKCS12 for association

CSCek42725

Basically we cannot handle a pkcs12 file that has multiple cert bags if those bags each have a different localKeyId. We need the server cert (the one that matches the key bag) to show up first, or we need any intermediate or root cert to not contain a localKeyId. This is the way that openssl code generates pkcs12 files.

So, use openssl to convert the file into 2 PEM files and import them separately.

This should work.

Gilles.
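
The conversion suggested in the reply above, as an added example that is not part of the original post: it splits a PKCS#12 bundle into a key PEM and a server-certificate PEM and checks that the two belong together before they are imported. The function name `split_pfx`, the environment variables `PFX_PASS` and `KEY_PASS`, and the output file names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: split a .pfx (PKCS#12) bundle into two PEM files.
# Passwords are read from the environment (PFX_PASS, KEY_PASS; both
# names are assumptions) so they do not appear in the process list.

# usage: split_pfx <bundle.pfx> <output-prefix>
# The body runs in a subshell so the umask change stays local.
split_pfx() (
    pfx=$1
    prefix=$2

    umask 077   # key material must not be readable by other users

    # 1. Private key only, re-encrypted under KEY_PASS.
    openssl pkcs12 -in "$pfx" -nocerts \
        -passin env:PFX_PASS -passout env:KEY_PASS \
        -out "$prefix.key.pem" 2>/dev/null || exit 1

    # 2. Server certificate only. -clcerts selects the certificate that
    #    matches the private key and leaves out intermediate/root certs.
    #    Piping through "openssl x509" drops the "Bag Attributes" text
    #    (including localKeyID) that pkcs12 writes before the PEM block.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS \
        2>/dev/null | openssl x509 -out "$prefix.cert.pem" 2>/dev/null \
        || exit 1

    # 3. Verify the pair: the public key derived from the private key
    #    must equal the public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$prefix.key.pem" -passin env:KEY_PASS \
        -pubout 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$prefix.cert.pem" -noout -pubkey \
        | openssl dgst -sha256)
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "split_pfx: key and certificate do not match" >&2
        exit 1
    fi
)
```

The two resulting files are then imported and associated separately on the device, the key as a key and the certificate as a certificate.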

New Member

Re: CSS/SSL import a .pfx cert PKCS12 for association

Thx Gilles,

That seemed to do the trick. Also, we are running box-to-box redundancy on this. Will I need to import the cert to both boxes separately? If so, will the config sync work with the ssl commands as well, or will that have to be added manually to the 2nd box? Thx!

Cisco Employee

Re: CSS/SSL import a .pfx cert PKCS12 for association

The certificates and keys need to be imported manually on both devices.

The config, including the ssl-proxy-list, will be copied via config-sync.

Gilles.
