
NCS SSL Administration Certificate

2012/03/05

While working on NCS recently, I had to install an SSL certificate in order to get rid of that nasty SSL certificate error that pops up due to the self-signed certificate that NCS includes by default. In addition to the dearth of instructions available for the process, there were a couple of other key factors that made it more challenging:

1. The certificate had already been created using a 3rd party SSL authority.
2. The chain included a root and an intermediate CA certificate.
3. The certificate was a wildcard cert, meaning that it was not specific to a host. Rather, it used “*” plus the domain name.

After some investigation and additional trial and error, I finally figured out a way to do this. I didn’t have to install the “root enable package” mentioned in https://supportforums.cisco.com/thread/2132859. I did have to install OpenSSL 0.9.8. Finally, this required having both a P7B and a PFX file. The P7B file provided both CA certificates, while the PFX file provided the proper server wildcard certificate and key. In the end, I was able to log in with no certificate error. Hopefully this helps some others out there trying to do the same thing.

  1. Opened “P7B” file.
  2. Exported both the intermediate CA and the root CA certificates as Base-64 encoded X.509.
  3. Combined exported CA certificates.  I did this by simply opening both files with Notepad++.  Then, I copied each, with intermediate first and root second, into one new file.  Gave the file suffix “cer”.
  4. Imported into NCS over an SSH connection using the command “ncs key importcacert CA-Certs cacerts.cer repository ncs-ftp-repo”, where CA-Certs was the description I gave to the CA, cacerts.cer was the combined certificates file, and ncs-ftp-repo was the repository where I put the combined certificate file. That repository had been created earlier. This should result in output similar to the following:
    • INFO: no staging url defined, using local space.        rval:2
    • The WCS server is running
    • Changes will take affect on the next server restart
    • Importing certificate to trust store
  5. Converted “PFX” file to key and pem files using the following commands:
    • openssl pkcs12 -in cert.pfx -nocerts -out key.pem
    • openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
    • openssl rsa -in key.pem -out key-nopw.pem
    • The last command removes the password from the key, so that it can be imported.  Many thanks to http://www.spiceup.net.in/2010/11/extract-ssl-certificate-and-key-from.html for the list of commands for this part of the process.
  6. Import the key file (no password) and the converted pem file into NCS using “ncs key importkey key-nopw.pem cert.pem repository ncs-ftp-repo”. This should result in output similar to the following:
    • INFO: no staging url defined, using local space.        rval:2
    • INFO: no staging url defined, using local space.        rval:2
    • The WCS server is running
    • Changes will take affect on the next server restart
    • Importing RSA key and matching certificate
  7. Reload the NCS server.
Once NCS comes back up, you should be able to log in to the server using the domain name listed in DNS for NCS without a certificate error. The nice thing about a wildcard certificate is that you can change the DNS entry at any time and it will still work!
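
As an added example (not part of the original post), these shell functions check the files produced in steps 3 and 5 before they are imported in steps 4 and 6: the key matches the certificate, the combined CA file is ordered intermediate first and root second, and the certificate chains to it. The function names are hypothetical, the file names follow the post, and an RSA key and a local openssl command are assumed.

```shell
#!/bin/sh
# Added example: pre-import checks for the files built in steps 1-5.
# File names follow the post; the function names are hypothetical.

# Succeeds when the RSA private key and the certificate share a modulus,
# i.e. the key really belongs to the certificate.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Prints the n-th PEM certificate found in a bundle file.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# Succeeds when the bundle is ordered intermediate first, root second:
# certificate 1 is issued by certificate 2, and certificate 2 is self-issued.
bundle_order_ok() {
    int_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer_hash 2>/dev/null) || return 1
    root_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject_hash 2>/dev/null) || return 1
    root_issuer=$(nth_cert "$1" 2 | openssl x509 -noout -issuer_hash 2>/dev/null) || return 1
    [ "$int_issuer" = "$root_subject" ] && [ "$root_subject" = "$root_issuer" ]
}

# Succeeds when the server certificate chains to the CA bundle.
# The output is parsed rather than relying on the exit status alone.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Runs all three checks: preflight key-nopw.pem cert.pem cacerts.cer
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    bundle_order_ok "$3" || { echo "CA bundle is not intermediate-then-root" >&2; return 1; }
    chain_verifies "$3" "$2" || { echo "certificate does not chain to the CA bundle" >&2; return 1; }
    echo "ready to import"
}
```

Run it as `preflight key-nopw.pem cert.pem cacerts.cer` before copying the files to the repository. key-nopw.pem is an unencrypted private key, so remove it from the workstation and the repository once the import has succeeded.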