Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SSL Cert error

we are following this doc:http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

We are at the part that wants us to:

6. Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

Issue this command in the OpenSSL application:

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts

-passin pass:check123 -passout pass:check123

When we type it in we get this

pass:fakepassword-1 -passout pass:fakepassword-1

Loading 'screen' into random state - done

No certificate matches private key

unable to write 'random state'

error in pkcs12

were not sure whats wrong. What password should I be using? Should it be the challenge password is step 3?

Also we picked Microsoft as our server in the enrollment tool part. Could this be part of the problem? If so what should we have picked

10 REPLIES

Re: SSL Cert error

The password is the password you used when you created the request. This PW is encrypted in your "mykey.pem" file, or whatever you named it. If these dont match you will get an error.

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: SSL Cert error

I've noted on the Verisign page from another Cisco device query (ACS 3.2) that:

"

..step..

12. Go to Enrollment. When enrolling for the SSL Certificate you will be asked to choose a server vendor, choose Apache. This will allow a certificate that is compatible with the Cisco ACS.

"

I'm wondering if anyone knows what Vendor type would be appropriate for a Cisco 4400 series controller. Was about to send Verisign an email but thought this may be "vendor" specific.

New Member

Re: SSL Cert error

I just tried picking Apache. When I try to merge the files I get a new error message:

Loading 'screen' into random state - done

unable to write 'random state'

New Member

SSL Cert error

anyone ever come up with the solution to this?  i'm stuck on the same step with the same error.  i have copied the device, intermediate, and root cert files (using proper delimiters and in proper order) into and All-certs.pem and ran the command pkcs12 -export -in All-certs.pem -inkey mykey.pem -out CA.p12 -clcerts

i did not use the -pass options as no password was ever set during the private key generation step.  i get the error No certificate matches private key

all files are right in the bin folder with the openssl executable.  i know openssl is finding them because if i take them out of that folder i get file not found errors.  i have also verified the files are a matching set by comparing the md5 hashes with the following commands

x509 -noout -modulus -in All-certs.pem | openssl md5

rsa -noout -modulus -in mykey.pem | openssl md5

Hall of Fame Super Silver

SSL Cert error

Well the password is mandatory.. also that error means that the private key does not match or is not found in the same directory your running the command.

Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Issue these commands in the OpenSSL application in order to create the All-certs.pem and final.pem files:

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem 
       -out All-certs.p12 -clcerts -passin pass:check123 
       -passout pass:check123
  
openssl>pkcs12 -in All-certs.p12 -out final-cert.pem 
       -passin pass:check123 -passout pass:check123

Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123.

final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

SSL Cert error

can the -passin parameter be left out?  we didn't set a password when generating the private key so there is no argument to supply to -passin.

if the -passin command is required and private key must have a password, is there a way to add the password after the fact or do i have to go through the generation process again?  will the lack of password use cause this error or is it just a requirement for load onto the WLC at the end?

it was my understanding that the error meant the private key does not match or is not found in the same directory but as i mentioned above, when the files are not in bin, i get error that the file can't be found or cannot be opened.  those errors go away when i drop the files in the bin directory so that tells me openSSL is seeing them.  the only way i know to determain if the private key matches is with the md5 hash and that test passes so i'm not sure what else the problem could be.

Hall of Fame Super Silver

SSL Cert error

can the -passin parameter be left out? we didn't set a password when generating the private key so there is no argument to supply to -passin.

No it can't.... you don't need to setup one when your are doing the CSR.... this is just to put one in so when you upload it to the WLC the WLC will take it.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

SSL Cert error

If you follow all the steps correctly it should work, you cannot leave the password as Scott indicated because it is required.

Help out other by using the rating system and marking answered questions as "Answered"

New Member

Hi there, Did you manage to

Hi there, Did you manage to resolve this?

New Member

Here is my response to the

Here is my response to the TAC Engineer at the time:

 

Sent: Tuesday, September 01, 2009 3:08 PM

To: Vijaya Baliwada (vbaliwad)

Subject: Re: Sev3 SR 612355487 : WLC WebAuth Cert Issue

 

Vijaya,

 

I'm glad to inform you that by using the X.509 certificate response file from Verisign and after trying a combination of the entity certificate, intermediate certificate AND the proper X.509 Base-64 bit format Verisign Root certificate the commands in the documentation worked.

 

Our main issue was incorrectly using the PKCS#7 certificate from Verisign. The openssl commands worked instantly using x.509. We also had difficulty obtaining the correct root certificate from Verisign. We obtained the browser DER formatted root from internet explorer and exported it from IE to an x.509 Base-64 format. Then did the combination described above and added it to webauth.

 

2102
Views
15
Helpful
10
Replies
CreatePlease to create content