[c-nsp] OpenSSL Certs in 3000 Concentrator
Crist Clark
crist.clark at globalstar.com
Fri Apr 22 17:05:04 EDT 2005
Crist Clark wrote:
> I'm trying to import some home-made certificates generated with OpenSSL
> into a Cisco VPN Concentrator 3000. In the configuration GUI, I'm talking
> about the,
>
> Administration | Certificate Management | Install | SSL Certificate with Private Key | Cut & Paste Text
>
> Page. It doesn't seem to like the formats of the files I'm putting
> in there. I thought they may want a PKCS#12 file, but that appears
> incorrect. My guess is that they don't like the format of the key file.
> I've tried the default key file,
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,F63C0CC7BECA87C3
>
> <snip key data>
>
> Format and pasting in an unencrypted (but encoded, obviously) key.
>
> Does anyone know what _exactly_ formats the files are supposed to be in?
> Ideally, example OpenSSL command lines to generate the files would also
> answer the question.

Responding to my own question for the sake of the list archives.

Figured this out by a combination of trial-and-error and looking at the
format the system uses to export certificates and keys. The trick is that
it wants keys in PKCS#8 format, and not in the encrypted PEM format that
OpenSSL uses within the 'rsa' command. So, I had the usual PEM certificate
I got from the CA, and the PEMed PKCS#8 key I made with,

  $ openssl pkcs8 -in privkey.pem -topk8

Where 'privkey.pem' was the RSA key that I had generated with my
certificate request (the OpenSSL 'req' command).

--
Crist J. Clark crist.clark at globalstar.com
Globalstar Communications (408) 933-4387
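
Added example, not part of the original post: a shell pre-flight that reports which PEM container a private key is in and, for a traditional 'RSA PRIVATE KEY' file, runs the post's `openssl pkcs8 -topk8` conversion. The function names, file names and the pass-through of extra `openssl pkcs8` options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# Print the container type of a PEM private key, judged by its armor lines.
pem_key_format() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-unencrypted
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional OpenSSL format; encryption is flagged by a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional-unencrypted
        fi
    else
        echo unknown
        return 1
    fi
}

# to_pkcs8 SRC DST [extra 'openssl pkcs8' options, e.g. -passout env:VAR]
# Writes a PKCS#8 PEM key to DST, readable only by the current user.
to_pkcs8() {
    src=$1; dst=$2; shift 2
    case $(pem_key_format "$src") in
        pkcs8-*)        # already PKCS#8: nothing to convert
            ( umask 077; cp "$src" "$dst" ) ;;
        traditional-*)  # the conversion given in the post
            ( umask 077; openssl pkcs8 -topk8 -in "$src" -out "$dst" "$@" ) ;;
        *)
            echo "not a recognised PEM private key: $src" >&2
            return 1 ;;
    esac
}

# Stand-alone use: ./script privkey.pem privkey-pkcs8.pem
if [ "$#" -ge 2 ]; then
    to_pkcs8 "$@"
fi
```

Without `-nocrypt`, `openssl pkcs8 -topk8` prompts for a passphrase and writes an 'ENCRYPTED PRIVATE KEY' block.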