Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2012
Views
0
Helpful
2
Replies

Cisco 7921 EAP-TLS "certificate verification failed"

kfarrington
Level 3
Level 3

‎04-01-2009 04:58 AM - edited ‎07-03-2021 05:23 PM

Hi All,

I am trying to install a digi cert on a 7921 and I get the message on import of "certificate verification failed".

Can anyone help me, as there does not seem to be much documentation with the above error message.

Many thx indeed,

Ken

1 person had this problem
Labels:
0 Helpful
2 Replies 2

kfarrington
Level 3
Level 3

‎04-01-2009 06:09 AM

Hi there,

It appears I was exporting the cert with base64 encoding rather than DER encoding.

Can anyone tell me what the difference is between base64 and der format?

Many thx,

Ken

0 Helpful

Srinivasaraghavan Parthipattu
Cisco Employee
Cisco Employee
In response to kfarrington

‎07-14-2012 06:43 AM

Hi ,

Here  is some information  i  found on  cert with base64 encoding rather than DER encoding.

https://support.ssl.com/index.php?/Knowledgebase/Article/View/19

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

To  complete the eap tls logic on the 7921 phone.

You should have a  publicly known CA cert ( in some cases Misosoft CA your own which you distribute)  installed in the  7921 Phone  when you   generate the  CSR ( request ) from the phone which is  generated   combining the Public cert information. Now  you take  that  request to the  ROOT CA server and he signs  you CSR and generates a CERT For the  7921 phone which is expertable. once the generated cert chain is  downloaded, Export and install the signed cert for 7921 on the phone. The  7921 phone will not install the certificate if  the CSR was issued by any unknown CA.

How does it know that ? , because you had  installed or told the phone  the root CA cert infomation which you used to generate the CSR so when you get the certified or signed cert from CA during installation  will be able to  decode it only  if the CERT was signed by the CA  it knows thus verifying that its the right Cert signed by  its right CA authority. This is the beauty of it.

Hope this  logic clarifies   and helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card