This article is for Prime deployments running version 3.4 or later. For earlier versions of Prime, please check out this earlier version of this article.
Introduction
Managing trusted certificates across your network devices and management software is often overlooked, since end-users are never exposed to the big red security warnings that show up in every administrator's web browser every now and then. Most administrators have simply learned to live with the warnings and click right past them, but if you want to do things properly you should always secure your systems with proper certificates.
I don't blame administrators for not making the effort to install certificates (at least sometimes), because it can be really tough and tedious. There are a lot of different certificate formats and extensions to deal with, and every system is different: some will accept any format/extension, some will accept only specific formats/extensions, and some require a mix of different formats/extensions.
In this guide, we will be installing a Wildcard SSL certificate onto the management system Cisco Prime Infrastructure. A lot of organizations have access to a Wildcard SSL certificate (like *.yourcompany.com) from a third-party trusted Certificate Authority (CA) such as GlobalSign, GeoTrust and so on, which can be used to secure several different systems or services with the same certificate (hence the wildcard star *). You could of course create a certificate specifically for your Prime server, but I'll leave that process for another time. If you have some experience with Certificate Signing Requests you could probably pull it off with the help of the guide below.
If you are not able to get the certificates in the correct formats/extensions from your certificate provider, you can use a tool such as OpenSSL to convert them to the formats listed below.
Preparations
This is what you will need:
An FTP or SFTP-server
CLI/SSH access to your Prime-server
Root certificate in .PEM-format
Intermediate certificate in .PEM-format
Wildcard certificate in .PEM-format
Wildcard certificate private key in .PEM-format, unlocked (its passphrase removed). If it is still encrypted you can use OpenSSL to unlock it by running
OpenSSL> rsa -in privateKey.pem -out newPrivateKey.pem and then entering the private key's password.
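Before uploading the four files it is worth checking that each one really is what Prime expects: PEM armour (not binary DER or a .pfx), one block per file, and a private key that no longer carries a passphrase. The following script is an added example (it is not part of the original guide and not Cisco's code) that inspects the PEM framing of each file and prints the OpenSSL conversion to run when something is off. The sample files it checks are constructed placeholders that only exercise the framing logic; they contain no real certificate or key material.

```python
import base64
import re

# One PEM block: the label after BEGIN must be repeated after END.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL
)

# Labels the guide's four files are expected to carry (assumption: Prime wants
# one certificate per file and a plain, unencrypted PEM key).
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}


def inspect_pem(data: bytes) -> dict:
    """Inspect the PEM framing of one file (not the ASN.1 inside it).

    Returns {"labels": [...], "problems": [...]}; each problem names the
    OpenSSL command that turns the file into something Prime will import.
    """
    data = data.replace(b"\r\n", b"\n")
    labels, problems = [], []
    if b"-----BEGIN " not in data:
        # Binary DER or PKCS#12 (.pfx/.p12): no PEM armour at all.
        problems.append(
            "not PEM: convert with 'openssl x509 -inform DER -in cert.der -out cert.pem' "
            "or 'openssl pkcs12 -in bundle.pfx -nodes -out all.pem'"
        )
        return {"labels": labels, "problems": problems}
    for match in _PEM_BLOCK.finditer(data):
        label = match.group(1).decode()
        body = match.group(2)
        labels.append(label)
        # Legacy OpenSSL keys announce encryption in RFC 1421 headers that are
        # separated from the base64 payload by one blank line.
        headers, sep, payload = body.partition(b"\n\n")
        if not sep:
            headers, payload = b"", body
        if label in ENCRYPTED_KEY_LABELS or b"Proc-Type: 4,ENCRYPTED" in headers:
            problems.append(
                f"{label} is passphrase-protected: unlock with "
                "'openssl rsa -in privateKey.pem -out newPrivateKey.pem' "
                "(or 'openssl pkey -in key.pem -out newKey.pem' for a PKCS#8 key)"
            )
            continue
        try:
            base64.b64decode(b"".join(payload.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64 (truncated copy/paste?)")
    if not labels:
        problems.append("no complete PEM block found (missing END line?)")
    return {"labels": labels, "problems": problems}


def check_bundle(files: dict) -> list:
    """files maps role -> file bytes; roles are root, intermediate, wildcard
    (certificates) and key. Returns a list of findings, empty when all is well."""
    findings = []
    for role, data in files.items():
        result = inspect_pem(data)
        if result["problems"]:
            findings.extend(f"{role}: {p}" for p in result["problems"])
            continue
        expected = KEY_LABELS if role == "key" else CERT_LABELS
        if len(result["labels"]) > 1:
            findings.append(
                f"{role}: holds {len(result['labels'])} PEM blocks; "
                "split the bundle into one file per certificate"
            )
        elif result["labels"][0] not in expected:
            findings.append(f"{role}: expected {sorted(expected)} but found {result['labels'][0]}")
    return findings


def fake_pem(label: bytes, headers: bytes = b"") -> bytes:
    """Constructed PEM block around a placeholder payload (NOT real DER)."""
    payload = base64.encodebytes(b"constructed placeholder, not real key or certificate data")
    return b"-----BEGIN " + label + b"-----\n" + headers + payload + b"-----END " + label + b"-----\n"


# Constructed sample: a bundled wildcard file and a still-encrypted legacy key,
# the two mistakes that most often stop the import.
SAMPLE_FILES = {
    "root": fake_pem(b"CERTIFICATE"),
    "intermediate": fake_pem(b"CERTIFICATE"),
    "wildcard": fake_pem(b"CERTIFICATE") + fake_pem(b"CERTIFICATE"),
    "key": fake_pem(b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
}

if __name__ == "__main__":
    for finding in check_bundle(SAMPLE_FILES) or ["all four files look ready to upload"]:
        print(finding)
```

Run it against your real files by replacing SAMPLE_FILES with the bytes read from disk; a clean run prints a single ready-to-upload line, and anything else is a conversion to do before the copy commands below.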
Create a Repository
First off, we need to create a repository in Prime that lets us use FTP/TFTP/SFTP and more to fetch the certificate files and the private key. In this case we are going to use FTP:
prime-01/admin(config)# repository MY-FTP-SERVER
prime-01/admin(config-Repository)# url ftp://10.100.1.250
prime-01/admin(config-Repository)# user ftpuser password plain ciscodisco123!
prime-01/admin(config-Repository)# exit
Copy Root and Intermediate certificates
Copy the Root and Intermediate certificates (.PEM-format) from the FTP-server to the Prime-server's local repository "disk:/defaultRepo":
prime-01/admin# copy ftp://10.100.1.250/root-cert.pem disk:/defaultRepo
prime-01/admin# copy ftp://10.100.1.250/intermediate-cert.pem disk:/defaultRepo
Copy Wildcard Certificate and Private Key
Copy the Wildcard certificate and its private key from the FTP-server to the Prime-server's local repository "disk:/defaultRepo":
prime-01/admin# copy ftp://10.100.1.250/wildcard.pem disk:/defaultRepo
prime-01/admin# copy ftp://10.100.1.250/wildcard-private-key.pem disk:/defaultRepo
Import Root/Intermediate Certificates into Trusted Store
Make Prime add the Root and Intermediate certificates to its trusted certificate store from the local repository "defaultRepo".
Do note that the word MYROOT below is just a friendly name; you can put whatever you want here.
In Prime 3.4 and later there are several different trusted stores (user, system, public, etc.), and the one called "user" is used for user logins (like on the web-GUI of Prime).
prime-01/admin# ncs certvalidation trusted-ca-store importcacert alias MYROOT repository defaultRepo root-cert.pem truststore user
Certificate is added to trust store. Changes will take affect on the next server restart
prime-01/admin#
Do note that the word MYINTERMEDIATE below is just a friendly name; you can put whatever you want here.
prime-01/admin# ncs certvalidation trusted-ca-store importcacert alias MYINTERMEDIATE repository defaultRepo intermediate-cert.pem truststore user
Certificate is added to trust store. Changes will take affect on the next server restart
prime-01/admin#
Bind Wildcard Certificate to Private Key
Bind the Wildcard certificate and its private key together and then save your configuration:
prime-01/admin# ncs key importkey wildcard-private-key.pem wildcard.pem repository defaultRepo
Imported server key. Changes will take affect on the next server restart
prime-01/admin# write memory
Generating configuration...
Restart Prime Services
Stop and start the Prime service on the server to enable the certificate in the web-GUI:
prime-01/admin# ncs stop
Stopping Prime Infrastructure...
This may take a few minutes...
prime-01/admin# ncs start
Wait a couple of (long) minutes and then you are done!
Verification
Use your favorite browser to access your Prime server and it should look something like this:
All green and secure!
Final Notes
Make sure you have created a DNS-name for your Prime-server, like prime-01.yourcompany.com.
Use show clock to verify that the clock is correct on your Prime server.
Connect to your Prime server using the DNS name, not the IP address!
The installation of this certificate will not make warnings go away when you try to connect to Prime with SSH, as that is a different certificate being used to establish the secure connection.
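Why the DNS-name matters is easiest to see in code. The script below is an added example (not part of the original guide and not Cisco's code) that implements the name-matching rule browsers apply to a wildcard certificate and, optionally, connects to the server to pull the names out of the certificate Prime now presents. The hostnames in it are the guide's examples (prime-01.yourcompany.com, *.yourcompany.com, 10.100.1.250) and are assumed for illustration.

```python
import ipaddress
import socket
import ssl
import sys


def hostname_matches(hostname: str, san_dns_names: list) -> bool:
    """Match a DNS name against the certificate's dNSName SAN entries.

    A wildcard stands for exactly one left-most label, so *.yourcompany.com
    covers prime-01.yourcompany.com but neither yourcompany.com nor
    a.b.yourcompany.com. An IP literal never matches a dNSName, which is why
    browsing to https://10.100.1.250 keeps the warning even with the
    certificate installed.
    """
    try:
        ipaddress.ip_address(hostname)
        return False  # would need an iPAddress SAN entry, not a dNSName
    except ValueError:
        pass
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*":
            # Simplification of the browser rule: refuse bare "*.com"-style
            # wildcards and only let the star replace the left-most label.
            if len(name_labels) >= 3 and name_labels[1:] == host_labels[1:]:
                return True
        elif name_labels == host_labels:
            return True
    return False


def fetch_san_dns_names(host: str, port: int = 443) -> list:
    """Connect using the local trust store (the imported root/intermediate
    chain must validate) and return the dNSName entries of the served
    certificate. Raises ssl.SSLCertVerificationError when the chain or the
    name does not check out, i.e. exactly when a browser would warn."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline demonstration with the guide's example names.
    for candidate in ("prime-01.yourcompany.com", "yourcompany.com", "10.100.1.250"):
        print(candidate, "->", hostname_matches(candidate, ["*.yourcompany.com"]))
    # Live check: python3 thisfile.py prime-01.yourcompany.com
    if len(sys.argv) > 1:
        names = fetch_san_dns_names(sys.argv[1])
        print("served SAN:", names, "matches:", hostname_matches(sys.argv[1], names))
```

Run the live check only after ncs start has finished; if it raises a verification error, compare the SAN names it reports with the DNS-name you connected to and check show clock, since a clock that is off makes an otherwise good certificate look expired or not yet valid.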