Cisco Support Community
New Member

Certificate Question

Hello Community,

We are currently using IronPort S370 as our web security. The certificate we are using is just the one that was generated by IronPort in the format of .pem. The certificate is already installed on 2000+ PCs. We are currently testing out Android devices on the network. My phone (Droid X w/ 2.3.3) works fine with the certificate. However, when trying out the Xoom tablet with OS 3.2.4, it will only accept a PKCS#12 certificate. If we would create a new certificate with OpenSSL and load it into IronPort, how bad will it mess things up? We are expecting that none of the machines will pass through till they have the new certificate. Is there any way to do a dual certificate and migrate people over slowly to the PKCS#12 certificate? Just looking for a possible solution to this mess. Any help would be appreciated.

Thank You,

Tom

4 REPLIES

Certificate Question

Convert the PEM to a PKCS#12, and use the same cert for the Xooms.

Taken from http://www.sslshopper.com/article-most-common-openssl-commands.html

    

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12):

        openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    If you've already deployed the cert, it would be CRAZY to redeploy a new cert... you'd have to do it all over again anyway...

    New Member

    Certificate Question

    Ken,

    Thanks for the quick response.

    By all the reading I've been doing and your post, when the certificate was generated on IronPort, it created the certificate and a key. However, you can only download the certificate to distribute to the computers. The downloaded certificate is only in a pem format, however I can convert to all types of other certificate formats without the key. For the Xoom, it requires the PKCS#12 format which includes the key also. Looking at everything, once I can find the key IronPort made, I can create the PKCS#12 certificate using a machine with OpenSSL. Is there a location this key can be found or a way to export it? I've been unable to find how to do that through the Manual. Searching the web more to see if I might be able to find a way.

    Thanks,

    Tom

    Certificate Question

    Need more coffee... Sorry, I spaced that the key you're using is the one generated by the Ironport, so you won't have access to the private key, and I couldn't find any way to get to it either.

    And as far as I can tell, you can't use multiple certs at the same time.

    TAC may be able to help...

    New Member

    Certificate Question

    You shouldn't be including the private key to the end user devices as this would compromise the integrity of your certificate. They should only need the PUBLIC key to be able to trust that certification authority. I did see your issue in Windows of not being able to export as a PKCS#12 without having the private key. I did find this article:

    http://forums.androidcentral.com/motorola-xoom/74766-how-install-certificates-xoom-including-root-certs.html

    For all other certificates including root certificates:
    Export as "Base-64 encoded X.509 (.CER)" certificate. Again the Xoom will not pick this up, so rename *.cer to *.crt

    Now copy the *p12 and *.crt files to the root sdcard folder or /mnt/sdcard/ folder (or using Windows Under \Device Storage\)

    Now disconnect the cable (must be done)

    Now go to Settings->Location & Security->Install from USB storage (under Credential Storage)

    Select each one, one by one and they will disappear from the sdcard/ as they are installed.

    I tried renaming them using a file explorer as well as moving them using the file explorer and those did not get recognized by the Xoom. I installed a self-signed root certificate without a problem.
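The last reply's point, that end-user devices need only the public certificate and never the private key, can be enforced with a pre-distribution check. The script below is an added example, not code from the thread or from Cisco: the function names are hypothetical, and a constructed throwaway self-signed CA stands in for the PEM file downloaded from the appliance.

```shell
#!/bin/sh
# Added example: prepare a certificate-only .crt file for device trust stores.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_device_cert SRC.pem DST.crt
# Returns 0 on success, 2 if SRC contains private key material,
# 3 if SRC does not parse as a PEM X.509 certificate.
make_device_cert() {
    src=$1
    dst=$2
    # Any "PRIVATE KEY" PEM header (RSA, EC, ENCRYPTED, PKCS#8) means this
    # file must not be copied to end-user devices.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$src"; then
        echo "refusing: $src contains a private key" >&2
        return 2
    fi
    # Re-encode through openssl so DST holds exactly one certificate and
    # nothing else that happened to be in the source file.
    if ! openssl x509 -in "$src" -outform PEM -out "$dst" 2>/dev/null; then
        echo "refusing: $src is not a PEM X.509 certificate" >&2
        rm -f "$dst"
        return 3
    fi
    echo "wrote $dst, SHA-256 fingerprint $(cert_fingerprint "$dst")"
}

# Constructed demo: generate a throwaway CA, then run the check on the
# certificate alone (accepted) and on a key+certificate bundle (rejected).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Proxy CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    make_device_cert "$d/ca.pem" "$d/proxy-ca.crt"
    cat "$d/ca.key" "$d/ca.pem" > "$d/bundle.pem"
    make_device_cert "$d/bundle.pem" "$d/bad.crt" || true
    rm -rf "$d"
}
demo
```

The printed fingerprint can be compared with the one shown on a PC that already trusts the certificate, confirming that the file copied to the tablet is the same certificate.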
