
External CA

Marvin Rhoads
Hall of Fame

I am trying to install a certificate from a 3rd party root CA (Thawte). I'm using the SSLutil.pl script as instructed here. For some reason the utility doesn't seem to recognize my .crt file. Here is what I get:

You have the following options

1. Display CiscoWorks Server Certificate Information
2. Display the input Certificate Information
3. Display Root CA Certificates trusted by CiscoWorks Server
4. Verify the input Certificate/ Certificate Chain
5. Upload Single Server Certificate to CiscoWorks Server
6. Upload a Certificate Chain to CiscoWorks Server
7. Modify Common Services Certificate
8. Quit

Enter your choice [1-8]:4

Enter the location of the Signed Server Certificate: c:\cert\cw.net.real.com.crt

ERROR: Invalid File or Location
ERROR: Please Enter the absolute path of the file

I've tried moving the cert to the root directory, putting it in the Apache directory, specifying only the directory without the file name, renaming the file, etc., all to no avail. Am I missing something simple?


yjdabear
VIP Alumni

"ERROR: Invalid File or Location" reads to me that it leaves open another possibility of an "invalid" certificate being the issue. Here's what the LMS documentation says about option 4:

"When you choose this option, the utility:

Verifies if the certificate is in Base64 Encoded X.509Certificate format.

Verifies if the certificate is valid on the server

Verifies if the server private key and input server certificate match.

Verifies if the server certificate can be traced to the required Root CA certificate using which it was signed.

Constructs the certificate chain, if the intermediate chains are also given, and verifies if the chain ends with the proper Root CA certificate."

Personally, I'd first suspect the cert is not base64 encoded.

Joe Clarke
Cisco Employee

The code which generates this error is very simple.  It does a perl -e (exists) test on the path entered.  Therefore, either c:\cert\cw.net.real.com.crt does not exist (e.g. maybe it has a hidden ".txt" extension) or you do not have access to stat it.  I tested the SSLUtil.pl locally, and it does work with such a path.
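Added example, not part of the original posts and not SSLUtil.pl's own code: a Python check that repeats the existence test described above, looks for a hidden-extension file when the test fails, and reports whether an existing file is Base64 (PEM) or binary DER. The function names, status strings and the sample file name are assumptions made for illustration.

```python
import base64
import binascii
import os
import re
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def classify_cert_bytes(data):
    """Return 'pem' (Base64 X.509), 'der' (binary) or 'unknown'."""
    match = PEM_RE.search(data)
    if match:
        try:
            body = b"".join(match.group(1).split())
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            return "unknown"
        # Shape check only: DER starts with an ASN.1 SEQUENCE tag (0x30).
        return "pem" if der[:1] == b"\x30" else "unknown"
    return "der" if data[:1] == b"\x30" else "unknown"

def diagnose(path):
    """Return (status, path) for a certificate path typed at the prompt."""
    if os.path.exists(path):  # same idea as Perl's -e test
        if not os.access(path, os.R_OK):
            return ("unreadable", path)
        with open(path, "rb") as fh:
            return (classify_cert_bytes(fh.read()), path)
    folder, wanted = os.path.split(path)
    folder = folder or "."
    if not os.path.isdir(folder):
        return ("no-such-directory", folder)
    # Hidden-extension case: Explorer shows name.crt, disk holds name.crt.txt
    prefix = wanted.lower() + "."
    near = sorted(n for n in os.listdir(folder) if n.lower().startswith(prefix))
    if near:
        return ("hidden-extension", os.path.join(folder, near[0]))
    return ("missing", path)

if __name__ == "__main__":
    # Constructed sample: a 5-byte placeholder body, not a real certificate.
    sample = (b"-----BEGIN CERTIFICATE-----\n" +
              base64.encodebytes(b"\x30\x03\x02\x01\x01") +
              b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cw.example.crt.txt"), "wb") as fh:
            fh.write(sample)
        print(diagnose(os.path.join(d, "cw.example.crt")))
        print(diagnose(os.path.join(d, "cw.example.crt.txt")))
```

A "der" result corresponds to the case raised earlier in the thread, where the file exists but is not Base64 encoded.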

It was the hidden txt extension. I removed that and then option 4 saw the crt. I did, however, then have to supplant the server.key (after backing it up) with my own key file for it to decode the crt file. I did that and successfully validated my external key under option 4. That step confirmed that my root CA (Thawte) is among the trusted root CAs and the cert is well-formed.

So, feeling like I'm making headway, I went ahead and ran option 5. Grrr, it hung (30 minutes and no indication of progress). Could it be due to the fact that I did not request the cert using the server's CSR file?

I let it sit overnight, still no luck. Option 5 (loading my external cert) just hangs with no output.

Here is the output from option 4:

Enter the location of the Signed Server Certificate: c:\cert\cw.net.real.com.crt


INFO: Certificate is a Base64-Encoded X.509Certificate
Loading 'screen' into random state -Loading 'screen' into random state - done
done
INFO: Certificate validated with Server's Private Key successfully
INFO: Certificate date is valid on the server

NOTE:

1. If you are verifying a Certificate Chain, you will also have to enter the loc
ation of any intermediate Certificates.

2. CiscoWorks maintains a list of prominent Root CA certificates in its TrustSto
re.(Check with option 3 of this script). If your Certificate is not issued/signe
d by a prominent CA, you will also have to enter the Root CA certificate as an i
nput

Are there any intermediate Certificates  or Root CA Certificate [y/n]? n
[Tue Dec 22 08:45:16 EST 2009]*** Certificate Name ***

CN=cw.net.real.com, OU=GIO-NE, O="RealNetworks, Inc.", L=Seattle, ST=Washington,
C=US

[Tue Dec 22 08:45:16 EST 2009]INFO: Server Certificate Chain is not fully determ
ined
[Tue Dec 22 08:45:16 EST 2009]INFO: Root CA Certificate may be available in Cisc
oWorks Server's KeyStore

[Tue Dec 22 08:45:16 EST 2009]*****Loading CiscoWorks Keystore*****

[Tue Dec 22 08:45:16 EST 2009]Initializing SSL properties
[Tue Dec 22 08:45:16 EST 2009]Loading MODSSL KeyStore...

[Tue Dec 22 08:45:16 EST 2009]*****Loaded CiscoWorks Keystore*****

[Tue Dec 22 08:45:16 EST 2009]INFO: Certificate can be uploaded

INFO: The given Certificate(s) do not constitute a Complete Chain.
INFO: But CiscoWorks KeyStore has the required Root CA Certificate for verificat
ion.
INFO: Input Certificate/Certificate Chain Verification Successful
INFO: The Certificate(s) can be uploaded to the CiscoWorks Server.

Please press ENTER to return to Main Menu


If the cert is already in the proper format, just copy it and its private key to NMSROOT/MDC/Apache/conf/ssl, and rename them as server.crt and server.key respectively.  Then restart Daemon Manager.  You should then see Apache use the desired CA-signed cert.

That did it, Joe. Thanks again.

My server is now using its FQDN and a trusted certificate over ssl. It seems to open and launch more quickly than when it was using the local hostname.

I did in the meantime open a TAC case on the SSLUtil not working properly.
