Cisco Prime Decryption Settings - Import Certificate
I have exported a PFX from a Windows server and converted it to PEM with an unencrypted key file, also in PEM format. I have done this many times before for Linux-based appliances with no problems, so I know the format is correct.
When I go to Decryption Settings and try to import the certificate it is giving me this error: certificate:The certificate to be used by the TLS decryption engine must be enabled as a certificate authority
I have added the root certificate of this certificate chain and the intermediate to the root authority section in Prime (Configuration > Certificates) but it still gives me this error. I could see one post on the Internet with a similar error and he had converted it from PFX to PEM like myself.
It's actually the root certificate that is meant to be uploaded to Prime not a standard certificate as it turns out (I got replies from a TAC case).
The solution is to use the root certificate from a Windows certificate authority server in a domain environment or use the self-signed certificate that Prime can generate. The root certificate then must be installed onto any machines that are using web filtering or else they'll get a certificate warning/error when they start web browsing. If there's a certificate authority server and all your machines are joined to the domain then the certificate will more than likely already be trusted by PCs.
Yes, but what about all the non-domain machines and non-standard browsers that maintain their own cert store? I'm losing interest very quickly in this CX module. I've got a TAC case open myself and am not liking the responses so far. :-/
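The error in this thread says the imported certificate must be enabled as a certificate authority. As an added example (not from the thread or from Cisco), this shell snippet checks a PEM file with openssl before import, assuming the error refers to the X.509 basicConstraints CA flag; the function names and the two constructed sample certificates are illustrative.

```shell
#!/bin/sh
# Added example: check whether a PEM certificate is marked as a CA
# (X509v3 basicConstraints CA:TRUE) before importing it.

# is_ca_cert FILE: exit status 0 only if the certificate carries CA:TRUE.
# A certificate with no basicConstraints extension is treated as not a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# describe_cert FILE: prints "CA" or "not a CA".
describe_cert() {
    if is_ca_cert "$1"; then echo "CA"; else echo "not a CA"; fi
}

# make_test_cert DIR NAME TRUE|FALSE: writes a constructed, self-signed,
# one-day sample certificate DIR/NAME.pem with the given CA flag.
make_test_cert() {
    cert_dir=$1; cert_name=$2; cert_ca=$3
    cat > "$cert_dir/$cert_name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $cert_name.constructed.example
[ext]
basicConstraints = critical,CA:$cert_ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$cert_dir/$cert_name.cnf" \
        -keyout "$cert_dir/$cert_name.key" \
        -out "$cert_dir/$cert_name.pem" 2>/dev/null
}

# Demo on constructed samples: a server-style leaf and a root-style CA.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" leaf FALSE
make_test_cert "$demo_dir" root TRUE
echo "leaf.pem: $(describe_cert "$demo_dir/leaf.pem")"
echo "root.pem: $(describe_cert "$demo_dir/root.pem")"
rm -rf "$demo_dir"
```

Run `describe_cert` against the PEM converted from the PFX; a result of "not a CA" matches the situation the thread describes, where a standard certificate was uploaded instead of a root.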