[c-nsp] Cisco ISE cannot create a CSR in X.509 valid format (Bug ID: CSCtu03384)
Peter Rathlev
peter at rathlev.dk
Tue Jul 23 16:05:12 EDT 2013
On Tue, 2013-07-23 at 11:10 +0200, Manu Chao wrote:
> I need openssl assistance since Cisco ISE cannot generate a CSR in
> X.509 format.
>
> I get both .pem and .pvk files from Cisco ISE export.

OpenSSL 1.0.1e seems to support PVK files; the 1.0.0e version from
Fedora 17 does not. To convert your PVK file to something that can be
used by "openssl req":

    openssl rsa -in keyfile.pvk -inform pvk -out private-key.pem

After this you can use the regular OpenSSL commands:

    openssl req -new -key private-key.pem -out request.csr

If you need anything special like subjectAltName or extensions in your
certificate you need to supply a custom configuration file. Take a look
at "man 5 config" for details on the configuration file syntax.

This might be worth a read:

http://www.openssl.org/docs/HOWTO/certificates.txt

--
Peter
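
Added example, not part of the original message: one way to supply the custom configuration file mentioned above so that the CSR requests subjectAltName, followed by a check that the request is self-consistent and actually carries the names. The host names, the function names and the keyUsage/extendedKeyUsage values are assumptions chosen for illustration; private-key.pem is the converted key from the message.

```shell
#!/bin/sh
# Added example. Host names, function names and extension values are
# constructed placeholders, not taken from the original message.

# make_san_csr KEY CSR CN SAN [SAN...]
# Writes a temporary "openssl req" config that requests subjectAltName
# (plus example keyUsage/extendedKeyUsage values) and creates the CSR.
make_san_csr() {
    [ $# -ge 4 ] || return 2          # need at least one SAN entry
    key=$1; csr=$2; cn=$3; shift 3
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $cn

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$@"; do              # one DNS.n line per requested name
        printf 'DNS.%d = %s\n' "$i" "$name" >> "$cnf"
        i=$((i + 1))
    done
    rc=0
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$csr" || rc=$?
    rm -f "$cnf"
    return $rc
}

# csr_sans CSR
# Checks the CSR self-signature, then prints the requested DNS names,
# one per line, so they can be compared with what was intended.
csr_sans() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage: make_san_csr private-key.pem request.csr ise01.example.net ise01.example.net ise01
```

The extensions in a CSR are only a request; the issuing CA decides which of them end up in the certificate, so inspect the issued certificate as well.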