Install SSL certificate on Cisco Prime Infrastructure

Installing a trusted SSL certificate in Cisco Prime Infrastructure is recommended. The job is done from the CPI CLI, as described in the Cisco Prime Infrastructure Administrator Guide (link to version 3.1).

This How-To is an extract from the Administrator Guide with some useful notes added.

From the CPI CLI, start by generating the CSR:

ncs key genkey -newdn -csr csrfile.csr repository defaultRepo

where csrfile is an arbitrary name of your choice (for example: MyCertificate.csr). This generates the CSR and keeps a private key on the CPI server for later installation of the certificate. Take care not to run the command again, as it will overwrite the private key that matches the CSR.
Copy the CSR file to a location you can access. For example:

copy disk:/defaultRepo/csrfile.csr ftp://your.ftp.server

Now send csrfile.csr to your CA provider.

When you receive the certificate from the CA, it is time to install it on the CPI server. Copy the certificate back to your defaultRepo:

copy ftp://your.ftp.server/certificate.cer disk:/defaultRepo/

Install the certificate:

ncs key importsignedcert certificate.cer repository defaultRepo

You might also want to add the public certificates of the root and intermediate CA servers.

Get the root certificates and place them together in one text file called certificate_bundle.cer. Copy it to the defaultRepo as before, then import it:

ncs key importcacert <some name> certificate_bundle.cer repository defaultRepo


If you receive a certificate bundle from the CA in p7b format, it can be converted using openssl from the CPI shell access:

openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs > certificate_bundle.cer

For the new certificate to take effect, the application needs to be restarted:

application stop NCS
application start NCS
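Because re-running the genkey command overwrites the private key, it is worth checking, before the import steps above, that the certificate the CA returned still matches the CSR and chains to certificate_bundle.cer. The following script is an added example, not part of the Administrator Guide. It assumes a workstation with openssl, PEM-encoded files, and uses hypothetical function names and a constructed throwaway CA for its sample data.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-issued certificate (not from the Cisco guide).

# Succeeds only when the certificate carries the public key that is in the CSR.
cert_matches_csr() {  # usage: cert_matches_csr CSR CERT
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    # An unreadable file gives an empty string; never treat two empties as a match.
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Succeeds only when CERT chains to the CA certificates in BUNDLE (PEM, concatenated).
chain_ok() {  # usage: chain_ok BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample data: throwaway CA, CSR and certificate written to directory $1.
make_samples() {
    d=$1
    # keyUsage marks the throwaway root as a signing cert whatever openssl.cnf adds.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -days 2 \
        -subj "/CN=Constructed Test CA" -addext "keyUsage=critical,keyCertSign" \
        -out "$d/certificate_bundle.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/cpi.key" \
        -subj "/CN=cpi.example.test" -out "$d/csrfile.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/csrfile.csr" -CA "$d/certificate_bundle.cer" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 \
        -out "$d/certificate.cer" 2>/dev/null &&
    # Stand-in for the CSR left behind after the key has been regenerated.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/new.key" \
        -subj "/CN=cpi.example.test" -out "$d/regenerated.csr" 2>/dev/null
}

# Real files: sh precheck.sh csrfile.csr certificate.cer certificate_bundle.cer
if [ "$#" -eq 3 ]; then
    cert_matches_csr "$1" "$2" || { echo "certificate does not match CSR key" >&2; exit 1; }
    chain_ok "$3" "$2" || { echo "certificate does not chain to bundle" >&2; exit 1; }
    echo "ok to import"
fi
```

A key mismatch means the certificate was issued for a CSR whose private key is no longer the one on the server, so a new CSR has to be sent to the CA.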

