Cisco Prime 3.0 / 3.1 / 3.2 / 3.3 Wildcard SSL-certificate Installation

This article is for Prime deployments running version 3.3 or earlier. For later versions of Prime, please check out this updated version of this article.

Introduction

Managing trusted certificates across your network devices and management software is often overlooked, since end users are never exposed to the big red security warnings that show up in every administrator's web browser every now and then. Most administrators have simply learned to live with the warnings and click right past them, but if you want to do things the proper way you should always secure your systems with proper certificates.

I don't blame administrators for not making the effort to install certificates (at least sometimes), because it can be really tough and tedious. There are a lot of different certificate formats and file extensions to deal with, and every system is different: some will accept any format/extension, some will accept only specific formats/extensions and some require a mix of different formats/extensions.

In this guide, we will be installing a Wildcard SSL certificate onto the management system Cisco Prime Infrastructure. A lot of organizations have access to a Wildcard SSL certificate (like *.yourcompany.com) from a third-party trusted Certificate Authority (CA) such as GlobalSign, GeoTrust and so on, which can be used to secure several different systems or services, all with the same certificate (hence the wildcard star *). You could of course create a certificate specifically for your Prime server, but I'll leave that process for another time. If you have some experience with Certificate Signing Requests you could probably pull it off with the help of the guide below.

Preparations

If your certificate provider cannot supply the certificates in the required formats/extensions, you can use a tool such as OpenSSL to convert the certificates into the formats listed below.

This is what you will need:

  • An FTP or SFTP-server

  • CLI/SSH access to your Prime-server

  • Root certificate in .CER-format

  • Intermediate certificate in .CER-format

  • Wildcard certificate in .DER-format

  • Wildcard certificate private key in .PEM-format with its password removed (if it is still password-protected you can remove the password with OpenSSL using:

    OpenSSL> rsa -in privateKey.pem -out newPrivateKey.pem

    and then entering the private key's password when prompted)
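The conversions and the password removal listed above can be done and sanity-checked on a workstation before anything is uploaded to the FTP server. The POSIX shell helpers below are an added example, not part of the original article; they assume `openssl` is installed and that the files from the CA (the .CER files included) are PEM-encoded, and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): prepare and sanity-check the
# files Prime expects before copying them to the FTP server. Assumes openssl
# is installed and that the CA-supplied files are PEM-encoded.

# Remove the passphrase from the wildcard private key (openssl prompts for it),
# producing the unlocked .pem that "ncs key importkey" requires.
unlock_key() {             # unlock_key <locked-key.pem> <unlocked-key.pem>
  openssl rsa -in "$1" -out "$2"
}

# Convert the PEM wildcard certificate to the .DER file Prime wants.
pem_to_der() {             # pem_to_der <wildcard.pem> <wildcard.der>
  openssl x509 -in "$1" -outform DER -out "$2"
}

# Succeed only when the public key in the certificate belongs to the private
# key; a mismatch here means the importkey step on the Prime server will fail.
key_matches_cert() {       # key_matches_cert <wildcard.pem> <key.pem>
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Succeed only when the wildcard certificate chains to the root through the
# intermediate, i.e. the trust path Prime builds after the importcacert steps.
chain_verifies() {         # chain_verifies <root.cer> <intermediate.cer> <wildcard.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Example run with placeholder file names (prepare the files to upload):
# unlock_key wildcard-private-key-locked.pem wildcard-private-key.pem
# key_matches_cert wildcard.pem wildcard-private-key.pem || echo "key/cert mismatch"
# chain_verifies root-cert.cer intermediate-cert.cer wildcard.pem || echo "chain broken"
# pem_to_der wildcard.pem wildcard.der
```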

Create a Repository

First off we need to create a repository in Prime that lets us use FTP/TFTP/SFTP and more to fetch the certificate files and the private key. In this case, we are going to use FTP:

    prime-01/admin(config)# repository MY-FTP-SERVER
    prime-01/admin(config-Repository)# url ftp://10.100.1.250
    prime-01/admin(config-Repository)# user ftpuser password plain ciscodisco123!
    prime-01/admin(config-Repository)# exit

Copy Root and Intermediate certificates

Copy the Root and Intermediate certificates (.CER-format) from the FTP-server to the Prime-server's local repository "disk:/defaultRepo":

    prime-01/admin# copy ftp://10.100.1.250/root-cert.cer disk:/defaultRepo
    prime-01/admin# copy ftp://10.100.1.250/intermediate-cert.cer disk:/defaultRepo

Copy Wildcard Certificate and Private Key

Copy the Wildcard certificate and its private key from the FTP-server to the Prime-server's local repository "disk:/defaultRepo":

    prime-01/admin# copy ftp://10.100.1.250/wildcard.der disk:/defaultRepo
    prime-01/admin# copy ftp://10.100.1.250/wildcard-private-key.pem disk:/defaultRepo

Import Root/Intermediate Certificates into Trusted Store

Make Prime add the Root and Intermediate certificates to its trusted certificate store from the local repository "defaultRepo":

Do note that the word MYROOT below is just a friendly name; you can put whatever you want here.

    prime-01/admin# ncs key importcacert MYROOT root-cert.cer repository defaultRepo

    The NCS server is running. Changes will take affect on the next server restart
    Importing certificate to trust store

Do note that the word MYINTERMEDIATE below is just a friendly name; you can put whatever you want here.

    prime-01/admin# ncs key importcacert MYINTERMEDIATE intermediate-cert.cer repository defaultRepo

    The NCS server is running. Changes will take affect on the next server restart
    Importing certificate to trust store

Bind Wildcard Certificate to Private Key

Bind the Wildcard certificate and its private key together and then save your configuration:

    prime-01/admin# ncs key importkey wildcard-private-key.pem wildcard.der repository defaultRepo

    The NCS server is running. Changes will take affect on the next server restart
    Importing RSA key and matching certificate

    prime-01/admin# write memory

    Generating configuration...

Restart Prime Services

Stop and start the Prime service on the server to activate the certificate in the web GUI:

    prime-01/admin# ncs stop

    Stopping Prime Infrastructure...
    This may take a few minutes...

    prime-01/admin# ncs start

Wait a couple of (long) minutes and then you are done!

Verification

Use your favorite browser to access your Prime server and it should look something like this:

All green and secure!

Final Notes

  • Make sure you have created a DNS-name for your Prime-server like prime-01.yourcompany.com

  • Use show clock to verify that the time is correct on your Prime server.

  • Connect to your Prime server using the DNS name, not the IP address!

  • Installing this certificate will not make the warnings go away when you connect to Prime with SSH, as SSH uses a different certificate to establish its secure connection.