However, the controllers only recognize PEM format certificates. Who knows why, since PEM stands for Privacy Enhanced Mail and these certificates are not used for protected email of any form. The only reason I can think of for using this format is that it is well known and can hold both a certificate together with its private key and a certificate containing only a public key. Cisco calls certificates that include the private key "Vendor Device Certificates", and certificates containing only a public key, such as a CA certificate used to verify digital signatures, a "Vendor CA Certificate".
If your certificate authority or PKI is based on Microsoft, which does not support PEM, then you're stuck converting certificates from PKCS12, PFX, DER, or Base64 into PEM format for import on the controller. Here's how to do it:
First, download and install OpenSSL on your workstation, either Linux or Windows. It can be found here:
http://www.openssl.org/
http://www.slproweb.com/products/Win32OpenSSL.html
If PFX or PKCS12 device certificates need to be converted to PEM format, complete the following steps:
- Copy the PFX or PKCS12 certificate to a PC with OpenSSL installed
- Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:
openssl> pkcs12 -in certificate.pfx -out newcertificate.pem
Enter Import Password : existing_private_key_password
MAC verified OK
Enter PEM Pass phrase: new_private_key_password
Verifying - PEM pass phrase: new_private_key_password
- The certificate file is now converted to PEM format and is ready to be downloaded to the controller.
If DER or Base 64 CA certificates need to be converted to PEM format, complete the following steps:
- Copy the DER or Base 64 certificate to a PC with OpenSSL installed
- Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:
openssl> x509 -in certificate.cer -inform DER -out newcertificate.pem -outform PEM
- The certificate file is now converted to PEM format and is ready to be downloaded to the controller.
If private key and certificate files both in PEM format need to be merged into a single PKCS12 file, complete the following steps:
- Copy the PEM private key and certificate files to a PC with OpenSSL installed
- Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:
OpenSSL> pkcs12 -export -inkey certpvk.pem -in cert.pem -out certnew.p12
Loading 'screen' into random state - done
Enter Export Password: new_private_key_password
Verifying - Enter Export Password: new_private_key_password
OpenSSL>
- The certificate and private key are now merged into one PKCS12 file.
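The three conversions above are typed interactively at the openssl prompt. The following script is an added example (not part of the original post) that runs the same conversions non-interactively, passing the passwords with -passin/-passout instead of at a prompt, and then checks what each PEM file actually contains, which is the question the controller cares about: a Vendor Device Certificate must carry a private key, a Vendor CA Certificate must not. It assumes openssl is on the PATH; the file names, the password values and the self-signed throwaway key/certificate are constructed for the demo and stand in for what a Microsoft CA would issue.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl command.
set -eu

# Scratch directory; override WORK to keep the files.
WORK="${WORK:-$(mktemp -d)}"

# Constructed test data: a throwaway self-signed key and certificate that
# stand in for the device certificate issued by the CA, exported as PFX
# (password protected) and as a DER .cer file.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=wlc.example.test" \
        -keyout "$WORK/certpvk.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/certpvk.pem" -in "$WORK/cert.pem" \
        -out "$WORK/certificate.pfx" -passout pass:existing_private_key_password
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/certificate.cer"
}

# PFX/PKCS12 -> PEM: $1 pfx, $2 output pem, $3 import password, $4 new PEM pass phrase.
# The private key in the output is re-encrypted under the new pass phrase.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -passin pass:"$3" -passout pass:"$4"
}

# DER -> PEM for a CA certificate: $1 der input, $2 pem output.
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# PEM key + PEM cert -> one PKCS12 file: $1 key, $2 cert, $3 output, $4 export password.
pem_to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout pass:"$4"
}

# Report what a PEM file holds by counting its blocks, e.g. "cert=1 key=1" for a
# device certificate with its key, "cert=1 key=0" for a CA certificate.
pem_contents() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -E -- '-----BEGIN (ENCRYPTED |RSA |EC )?PRIVATE KEY-----' "$1" || true)
    echo "cert=$certs key=$keys"
}

# Run the full flow when invoked as: sh convert.sh demo
if [ "${1:-}" = "demo" ]; then
    make_test_material
    pfx_to_pem "$WORK/certificate.pfx" "$WORK/newcertificate.pem" \
        existing_private_key_password new_private_key_password
    echo "device cert: $(pem_contents "$WORK/newcertificate.pem")"
    der_to_pem "$WORK/certificate.cer" "$WORK/ca.pem"
    echo "CA cert:     $(pem_contents "$WORK/ca.pem")"
    pem_to_pkcs12 "$WORK/certpvk.pem" "$WORK/cert.pem" "$WORK/certnew.p12" new_private_key_password
    echo "wrote $WORK/certnew.p12"
fi
```

Running it with the demo argument prints cert=1 key=1 for the converted PFX and cert=1 key=0 for the converted .cer, which is the quick way to confirm that what you are about to upload as a Vendor Device Certificate really includes the private key and that a Vendor CA Certificate does not. Passwords on the command line are visible in the process list, so on a shared machine prefer -passin file:/path or the interactive prompt shown above.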
Upload the converted certificates to the controller either through the web interface or the CLI.
Andrew
Hello, what if you have an SSL wildcard certificate? Do you need to do the same, or can you just load it directly to the WLC in .pem format?
Wildcard certificates are the same. They need to be in PEM format. You might need to convert them.