Cisco Support Community
Community Member

Cisco Prime Decryption Settings - Import Certificate

Hi there,


I have exported a PFX from a Windows server and converted it to PEM with an unencrypted key file as pem format also. I have done this many times before for Linux based appliances with no problems so i know the format is correct. 

When I go to Decryption Settings and try to import the certificate it is giving me this error: certificate:The certificate to be used by the TLS decryption engine must be enabled as a certificate authority

I have added the root certificate of this certificate chain and the intermediate to the root authority section in Prime (Configuration > Certificates) but it still gives me this error. I could see one post on the Internet with a similar error and he had converted it from PFX to PEM like myself. 

If anyone has any tips that'd be great. 




Community Member

Did you ever find a solution?

Did you ever find a solution?  I am currently facing this same issue and have tried just about everything to fix.  Created a TAC case, but haven't gotten a response yet.



Cisco Employee

The error message is probably

The error message is probably correct - You are probably trying to upload a Server Certificate.  You can verify using openssl using the following command:


openssl x509 -noout -text -in <certificate file name>


The x509 constraint should state "CA: TRUE"

If it is False or it doesn't show at all, there is the problem.


Community Member

Hey,It's actually the root


It's actually the root certificate that is meant to be uploaded to Prime not a standard certificate as it turns out (I got replies from a TAC case). 

The solution is to use the root certificate from a Windows certificate authority server in a domain environment or use the self signed certificate that Prime can generate. The root certificate then must be installed onto any machines that are using web filtering or else they'll get a certificate warning/error when they start web browsing. If there's a certificate authority server and all your machines are joined to the domain then the certificate will more than likely already be trusted by PCs. 

Haven't got around to trying this yet though. 

Hope this helps. 




Community Member

Yes, but what about all the

Yes, but what about all the non-domain machines and non-standard browsers that maintain their own cert store?  I'm losing interested very quickly in this CX module.  I've got a TAC case open myself and am not liking the responses so far.  :-/

CreatePlease to create content