Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

How To Use a 3rd Party Wildcard Certificate with Prime Infrastructure

Being a network engineer who focuses primarily in security, I always dislike using self-signed certificates. Often customers don't want to purchase a proper certificate from a well-known public Certificate Authority (CA). However, the Prime Infrastructure I am working on currently was at a customer who had a nice 5-year wildcard certificate issued by GoDaddy. The documentation was a bit ambiguous on this approach although a PI 1.4 discussion here in CSC seemed to indicate it might be possible to use such a certificate.

I was able to follow the procedure in the PI 2.1 Admin Guide to successfully import and use a CA-issued wildcard certificate with unencrypted private key where the original CSR was not generated by the Prime Infrastructure server.

Note: My original private key was encrypted so I used openssl and the passpharase to get a plaintext version of the private key. Be VERY careful to protect that private key as it is used to properly secure every server in your infrastructure that's using the wildcard certificate.

Prime needs to be defined with a record in your DNS serving the domain in the wildcard certificate. In my case I am using both an A record and cname alias (with PTR for reverse lookups of course!).

Following a server restart the wildcard certificate appears fine in Chrome, Firefox and IE when I browse to https://prime.<my_customer's_domain>. Now there are no more annoying security messages (or need to install and trust the self-signed certificate to avoid them).

Below are the commands I used. You would need to have your own certificate and keyfile. My certificate includes the full chain - server certificate, intermediate certificate and root certificate in that order.

Hope this helps others facing the same situation. Enjoy!

p.s. I was able to use the same certificate and keyfile to similarly secure the Prime Security Manager (PRSM). The PRSM User Guide kindly explains to concatenate the server and issuing CA certificates together and exposes the installation process in its GUI so the process was a bit less command line-intensive.

p.p.s UPDATE Dec 2015 - You can also use this procedure on PI 3.x. Note that you can use a remote repository with an ftp URL and thus save the step of doing a separate ftp copy.

 

PI01/admin# copy ftp://192.168.254.7/privatekeyplaintext.pem disk:
Username: admin
Password: 
PI01/admin# copy ftp://192.168.254.7/gd_bundle-g2-g1.crt disk:
Username: admin
Password: 
PI01/admin#
PI01/admin# root
Enter root password : 
Starting root bash shell ... 
ade # pwd
/root
ade #
ade # cd ..
ade #
ade # cd localdisk
ade # ls -al
total 68
drwxr-xr-x  8 root root    4096 Nov  2 09:51 .
drwxr-xr-x 28 root root    4096 Oct 28 11:22 ..
lrwxrwxrwx  1 root root      20 Jul 14 13:11 crash -> /opt/CSCOlumos/crash
drwxr-xr-x  2 root root    4096 Jul 15 23:31 defaultRepo
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ftp
-rw-rw-rw-  1 root gadmin  6710 Nov  2 09:51 gd_bundle-g2-g1.crt
drwx------  2 root root   16384 Apr 17  2014 lost+found
-rw-rw-rw-  1 root gadmin  1679 Nov  2 09:50 privatekeyplaintext.pem
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ssh
drwxr-xr-x  2 root root    4096 Jul 14 13:10 telnet
drwxr-xr-x  2 root root   12288 Nov  2 09:57 tftp
ade #

ade # mv ./gd_bundle-g2-g1.crt ./defaultRepo
ade # mv ./privatekeyplaintext.pem ./defaultRepo
ade #

ade # exit
exit
PI01/admin# show repository defaultRepo
PI01-140715-0330.tar.gpg
PI01-140716-0330.tar.gpg
gd_bundle-g2-g1.crt
privatekeyplaintext.pem
PI01/admin# 

PI01/admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space.        rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing certificate to trust store
PI01/admin# 

PI01/admin# ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space.        rval:2
INFO: no staging url defined, using local space.        rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
PI01/admin# 
PI01/admin# ncs stop

Stopping Network Control System...

This may take a few minutes...

Network Control System successfully shutdown.

Plug and Play Gateway is being shut down..... Please wait!!!

Stop of Plug and Play Gateway Completed!!
SAM daemon process id does not exist
DA daemon process id does not exist
DA syslog daemon process id does not exist

PI01/admin# ncs start

Starting Network Control System...

This may take a few minutes...

Network Control System started successfully.

PI01/admin#

 

Version history
Revision #:
1 of 1
Last update:
‎11-02-2014 09:40 AM
Updated by:
 
Labels (1)
Comments
Cisco Employee

Awesome Marvin! Very useful! Thanks for your unsolicited contribution. :-)

Cheers..

Vinod

Nice. Thanks for sharing.

Cisco Employee

Hi

I am facing some issues while i am following the procedure

how do i get this file generated

privatekeyplaintext.pem
Hall of Fame Super Silver

chijosep  

It needs to be retrieved from the server that generated the initial Certificate Signing Request (CSR).

The exact process varies according to the type of host that was.

Cisco Employee

Hi Marvin

Mine is a Prime Infrastrcuture 3.0.2 VM.  Is the procedure mentioned somewhere ?

The certificates are coming ( the CA) from godaddy. Supported formats are apache and tomcat , with SSL certificate and root certificate

Hall of Fame Super Silver

If you generated the CSR from Prime Infrastructure, the private key is already the server's private key and you can ignore the step of having to import it separately.

In my use case, the CSR had been generated on a separate server and thus I had to extract and import it into the Prime Infrastructure server.

Cisco Employee

Same is the case in my use case as well - the certificate is shared the security team-  it is  a wild card certificate . It is not generated from Prime Infrastructure. I followed the below steps

Copied the gd_bundle-g2-g1.crt to defaultrepo

admin# copy ftp://myftpserver/gd_bundle-g2-g1.crt   disk:defaultRepo


Imported it using import key command
 admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo


Restarted the server for the change to take place
admin# ncs stop
admin# ncs start

i do not know how do i get and where do i get the key from (

privatekeyplaintext.pem - the one mentioned in your post)

Hall of Fame Super Silver

To use a wildcard certificate you need the plaintext private key. As I noted, the normal practice is that It needs to be retrieved from the server that generated the initial Certificate Signing Request (CSR).

If you do not have access to that system, then any other system that is currently successfully using the private key can also be used.

The most common method is to extract it using openssl. The openssl utilitiy (open source download) syntax will vary according to the OS and server type where you are currently using the certificate. It is well documented in the openssl help syntax and there are numerous Internet postings on using it.

Hall of Fame Super Silver

Update - same procedure still works with Prime Infrastructure 3.1.

The only exception is that we now use the "shell" command vs. the older style "root" to drop into the Linux OS.

Also note that Prime Infrastructure's Linux includes the necessary OpenSSL binaries and associated libraries so you can do any needed key transforms on the server itself.