cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3517
Views
0
Helpful
7
Replies

Prime Infrastructure 1.3 Certificate Installation failure

patrick.kofler
Level 1
Level 1

Hi all,

hope someone can help me further. I tried to install a certificate for secure web access.

Therefore I have generated a CSR as well as a private key. I sent this to our CA and I got a certificate.

However I have done this before the installation of Prime, so I did not directly invoke the commands from within the appliance.

I now have tried several options to get it working. According to the documentation the procedure would be via the CLI with the command:

ncs key importkey prime.key prime.cer repository prime-repo

Whenever I try this I get this exception error thrown at me:

Error importing key java.lang.IllegalArgumentException: Unrecognized key file format

I have however tried to import it with Base64 as well as DER encryption.

We are running Prime Infrastructure 1.3 virtual appliance - small OVA.

Anybody knows a hint? Thanks in advance

Regards,

Patrick

7 Replies 7

mmangat
Level 1
Level 1

Hello,

Have you tried the following steps:

Step 1 Use  the openssl toolkit to generate an RSA Private Key and CSR (Certificate  Signing Request). The RSA Private Key is a 1024 bit key which is stored  in a PEM format. The following example shows how to generate the RSA  key.

openssl genrsa -out server.key 1024

Generating RSA private key, 1024 bit long modulus

.....++++++

.................................++++++

e is 65537 (0x10001) 

Step 2 After generating the RSA key, generate the CSR. The following example shows how to generate the CSR.

openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:California

Locality Name (eg, city) [Newbury]:SanJose

Organization Name (eg, company) [My Company Ltd]:Cisco Systems

Organizational Unit Name (eg, section) []:Org

Common Name (eg, your name or your server's hostname) []:

Email Address []: 


Note Make sure the generated certificate is not shared and it should be protected.


Step 3 The  CSR file can be used to generate a signed server certificate from a  certificate authority (CA) or you can generate a self-signed  certificate.

Step 4 To generate a self-signed certificate, use the following command.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=US/ST=California/L=SanJose/O=Cisco Systems/OU=Org/CN=

Getting Private key

For more information, please have a look at the following cisco doc:

http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/quickstart/guide/cpi_qsg_1_3.html#wp53194

Hello Mantej,

I initially used the openSSL toolkit to request a certificate. However I am using an RSA key with 2048 bit and a company issued certificate. I have already tried to upload both files, private key and certificate in PEM format, but then the aforementioned error occurs.

When I follow the link this leads me to the steps for generating a certificate for the Prime Infrastructure PnP Gateway, which we don't use.

I am also currently in the process of applying the first patch for 1.3. I will get back to see, if this resolves the issue or not.

Regards,

Patrick

Unfortunately it did not work. The same error occurs.

Regards,

Patrick

Hi Patrick:

Whenever you're reporting something this, it's important to include ALL the lines of CLI output--from the prompt where you typed in the command to and including the returned command prompt.  What may look irrelevant to you might actually be very helpful. 

However, in this case, I think this was doomed from the start. 

However I have done this before the installation of Prime, so I did not directly invoke the commands from within the appliance.

You can use your wife's keys to start the car and run an errand, but you can't take her passport and leave the country.

My suggestion would be to start again, only this time, use

ncs key genkey myCSR.csr repository

ncs stop

ncs start

to generate a new key and have Prime Infrastructure use that key, and put the new certificate signing request myCSR.csr in your repository.  Retrieve myCSR.csr from the repository, and submit it to your CA to regenerate the certificate.  When you get it back, use

ncs key importcacert myCert myCert.cer repository

ncs stop

ncs start

to import that fresh certificate "myCert.cer" through your repository and have Prime Infrastructure use the key created from the last step and it's accompanying certificate.  If there's still trouble, consider opening a TAC Service Request to get assistance with this.

Hi Rollin,

If I am to develop your analogy further then why would the government (Prime) allow me to use the passport of my wife (ncs key importkey command) from the start?

What I meant with this is that I have already generated an RSA key together with a CSR via the openSSL toolkit. This is a standard procedure I follow and so far it has always worked. Wether it was for WLCs, WCS, ACS or ISE. Each of them supported it. Some of them proved challenging at the start, but I got the knack of importing a "foreign" private key as well as a certificate on each of them eventually. Prime however eludes me as far as this is concerned.

A TAC case regarding this has already been opened.

P.S.: I have not yet tried to use Prime as key and CSR generator, but to be honest I don't want to as long as the other option is available, supported and documented. Call me stubborn, but that's the way it is

Regards,

Patrick

Hi Patrick:

Fair enough.  The TAC should be able to sort it out with complete logs, or if something's truly broken, they'll get a bug filed on it and it'll get fixed.

Rollin

patrick.kofler
Level 1
Level 1

After troubleshooting with TAC it turned out to be a character encoding issue with the private key. It was set to UTF-8 with a BOM character. I didn't see it when I was looking at it with NP++.

Changing it to ASCII the import of the file went down without problems and after restarting Prime I was shown the correct certificate.

Regards,

Patrick

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: