Skip to content
Feb 10 / jocke

SSL-certificate on Cisco Prime Infrastructure

Usually I don’t bother installing appropriate (i.e. public/proper) HTTPS/SSL-certificates for management softwares and other “internal” software. However, making parts of Cisco Prime Infrastructure available for “outsiders” can be quite useful, hence I saw the need to install a proper certificate.

I recently had to do this while installing Cisco Prime Infrastructure 3.0, so I thought I’d document it, since it’s not as straight-forward as one would think. The last time I did the procedure, was after installing Prime Infrastructure 2.0 almost 2 years ago.

There are basically three steps;

1) Fetch CA + properly convert the certificate
2) Install the CA certificates
3) Install the actual certificate



1. Properly convert the certificate

This assumes that you already have a public certificate (i.e. from a proper CA), or at least a proper certificate from your internal PKI. We received ours as a .pfx file, so that’s what I’ll be using in my example. The procedure should be somewhat similar for other formats.

Also, make sure that you use OpenSSL v0.9.8. This is due to a bug (read about it here). That was the case for PI2.x, not sure if it’s needed in PI3.x.

First we fetch the CA1 and CA2 of our certificate provider;

wget -Obp-2-ca-1.cer http://www.buypass.no/cert/bpcl2.cer
wget -Obp-2-ca-2.cer http://crt.buypass.no/crt/BPClass2CA2.cer

Then we can start working on our actual certificate (the .pfx file);

# Fetch the private key
openssl pkcs12 -in mydomain.pfx -nocerts -out mydomain.key.pem

# Decrypt the private key
openssl rsa -in mydomain.key.pem -out mydomain.key.pem2
mv mydomain.key.pem2 mydomain.key.pem

# Fetch the certificate
openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.cert.pem

# Convert to DER
openssl x509 -outform der -in mydomain.cert.pem -out mydomain.cert.der

At this point we have the files we need.



2. Install the CA certificates

First we need to define a remote repository to access the files made in step 1). I’m using SFTP, but there are other options as well;

pi/admin# configure 
Enter configuration commands, one per line.  End with CNTL/Z.
pi/admin(config)# repository remote
pi/admin(config-Repository)# user pi password plain supersecret
pi/admin(config-Repository)# url sftp://foo.example.com//home/pi
pi/admin(config-Repository)# end
pi/admin# wr mem
Generating configuration...
pi/admin# 

Then we can install the two CA’s;

pi/admin# ncs key importcacert Buypass2-CA-1 bp-2-ca-1.cer repository remote
pi/admin# ncs key importcacert Buypass2-CA-2 bp-2-ca-2.cer repository remote



3. Install the actual certificate

Then we can finally install the certificate itself;

pi/admin# ncs key importkey mydomain.key.pem mydomain.cert.der repository remote

Then you could either reload or stop/start PI;

pi/admin# ncs stop
pi/admin# ncs start

# or

pi/admin# reload
Leave a Comment