crypto pki import with warning of no CA cert found

yong khang NG
Level 5

Hi all,

As the title mentions, I converted the third-party cert in .crt format to .pfx (PKCS12).

Somehow, when I install it into a Cisco device running 12.x or 15.x, it prompts the message: % Warning: CA cert is not found. The imported certs might not be usable.

I searched the internet, but it makes no sense to me; there's no way the cert provider will share the CA cert with me, as they produced the cert for me as a trusted provider.

Any clue how I can deal with this?

Thanks

Noel

5 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

If your CA provider is not sharing the root certificate, you can export the certificate from your PC if it is already available in your trusted store. You need to go to "manage computer certificates", then go to trusted root certificates. When exporting the certificate, select the option "export the private key".

Once you have the certificate, you need to convert it to PKCS12 in Base64.

Once done, you can import the CA certificate in your Cisco device.
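An added example, not from this thread or from Cisco: an openssl script that builds the PKCS#12 bundle with the CA chain packed in next to the device cert (the form IOS needs so that `crypto pki import ... pkcs12` can find the issuer), and a small check that counts how many certificates a bundle actually carries. The file names, the throwaway demo CA and the password are assumptions; substitute the provider's real files.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a PKCS#12 bundle that carries the
# CA chain next to the device cert, which is what "crypto pki import ... pkcs12"
# needs in order not to warn "CA cert is not found". File names, the throwaway
# CA and the password are assumptions; substitute the provider's real files.
set -eu

# Count the certificates inside a PKCS#12 file ($1) protected by password $2.
# A bundle made from the leaf cert alone reports 1; leaf plus CA reports 2+.
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# build_bundle LEAF KEY OUT PASSWORD [CHAIN]
# Without CHAIN this is the "leaf only" conversion the original post
# describes; with CHAIN (-certfile) the CA cert(s) are packed in as well.
build_bundle() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" \
      -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
  fi
}

# Constructed demo material standing in for the provider's chain: a
# throwaway root CA and a device cert it signed, written into directory $1.
make_demo_pki() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example.test" \
    -keyout "$1/router.key" -out "$1/router.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1/router.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/router.crt" 2>/dev/null
}

main() {
  work="${TMPDIR:-/tmp}/pki-demo.$$"
  make_demo_pki "$work"
  build_bundle "$work/router.crt" "$work/router.key" "$work/leaf-only.pfx" secret
  build_bundle "$work/router.crt" "$work/router.key" "$work/with-chain.pfx" secret "$work/ca.crt"
  echo "leaf-only.pfx certs:  $(pkcs12_cert_count "$work/leaf-only.pfx" secret)"
  echo "with-chain.pfx certs: $(pkcs12_cert_count "$work/with-chain.pfx" secret)"
  # Terminal variant of the import wants the Base64 form: openssl base64 -in "$work/with-chain.pfx"
  # On the device: crypto pki import TP pkcs12 flash:with-chain.pfx password secret
  rm -rf "$work"
}
main "$@"
```

OpenSSL 3 protects the bundle with AES and PBKDF2 by default; if an older IOS release rejects the file, re-run the export with the `-legacy` option.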

Mike.Cifelli
VIP Alumni
I doubt you will be able to export the CA root private key from your local machine :)
Check out here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cert-enroll-pki.html
If the CA has a sub-CA set up for network device enrollment service allowing enrollment via SCEP, then you can accomplish what you are trying to do via CLI and SCEP. Essentially you would set up a pki trustpoint on your Cisco device with an enrollment url, etc. This way your device could install the cert chain & eliminate your error. Verify with #show crypto pki certificates. There are other ways to import manually which are also identified in the link.

@Mike.Cifelli 

You are right, we can't export private keys :)

Hi Mike,

The cert chain is working fine; checking the certification path shows no issue.

I need to use the manual way by issuing the crypto pki import command.

What does enrollment url mean? What if I just copy the PKCS12 cert into the device flash?

See this section in the link: Configuring Cut-and-Paste Certificate Enrollment Example
That way should walk you through the manual process. The enrollment url reference I was mentioning was in regard to utilizing SCEP for device auto enrollment.