PKCS #12 Import failed

vishal-patil
Level 1

Hi,

I am trying to deploy iWAN through APIC-EM iWAN app. While deploying hub site, I am getting following error -

Nov 29 21:51:37.156: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure

*Nov 29 21:51:37.156: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.

Please advise

Thanks,

Vish

9 Replies

aradford
Cisco Employee

Someone else had a similar issue in this thread.

https://communities.cisco.com/thread/72808

Thank you. I did debug crypto messages/transaction. Looks like the devices are contacting APIC-EM by its external IP somehow while importing the certificate.

*Nov 29 22:09:06.707: CRYPTO_PKI: Copying pkcs12 from http://xx.xx.xx.xx/api/v1/trust-point/pkcs12/7bf507b5-4566-4b55-a440-d0cfcbc7a298/3c4nlc88u5tq266glql3bfq36p

xx - should be the internal IP

Hopefully I will be able to fix this.


Thanks,

Vish

Hi Visha,

Regarding public/private address for PKI cert import - does that mean with EM 1.3 we can not use iWAN app provisioning over INET (in which case we have no choice but to NAT the controller)? In my case, it is a dual-router LTE branch

Thanks,

Igor

[Edited 01/23/2017: Pre release 1.4, NAT'ed controller support for iWAN is for greenfield sites only. In release 1.4, we are extending that support to brownfield sites as well]

AFAIK, we do support NAT'ed controller. As long as there's a connectivity from your branch to the controller, the PKCS12 import should be fine.

APIC-EM behind NAT (NAT'ed controller) support for brownfield branch sites is to be released in the 1.4 release.

Is there any update on this?

cchitnis
Cisco Employee

What are the device details here? What platform? What release of APIC-EM is in use? Which iWAN workflow is this, the hub provisioning or the branch provisioning? Details like these would help us understand and troubleshoot better.

Having said that, please refer to the link Adam has given to figure out if there's any routing that's causing this in your set-up.

Additionally, there's a known issue on the device side where, if the certificate is more than 4K bytes in size, the PKCS import will fail. So please check the size of your cert.

Hi,

Thanks for the info (especially the certificate size; I will take note of that).

Thanks,

Visha

Limitation on cert size is specific to subCA deployment. If you don't have subCA deployment, you are fine.
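Two things come up in this thread that can be checked offline before re-running the import: whether the URL the router logs for the PKCS12 download points at the controller's internal address rather than an external one, and whether the downloaded PFX is intact and under the device-side size limit mentioned above. The script below is an added example, not code from the thread or from Cisco; it uses only the Python standard library. The internal subnet (10.0.0.0/8), the 4096-byte limit as the meaning of "4K", the documentation-range address 203.0.113.10 standing in for the masked external IP, and the constructed PFX shell (a DER SEQUENCE with version 3 and a padded payload, not a real keystore) are all assumptions for illustration.

```python
"""Offline pre-checks for a PKCS#12 import: log-line URL check and PFX blob check.

Added example; not from the thread. Assumptions are marked inline.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed: treat "more than 4K bytes" as a 4096-byte limit.
CERT_SIZE_LIMIT = 4096
# Assumed internal address space for the controller; adjust to your deployment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log line in the same shape as the one posted in the thread; the
# trust-point id and token are placeholders, and 203.0.113.10 (documentation
# range) stands in for an external address.
SAMPLE_LOG_LINE = (
    "*Nov 29 22:09:06.707: CRYPTO_PKI: Copying pkcs12 from "
    "http://203.0.113.10/api/v1/trust-point/pkcs12/<trust-point-id>/<token>"
)

URL_RE = re.compile(r"Copying pkcs12 from (\S+)")


def check_download_url(log_line: str, internal_nets=INTERNAL_NETS) -> dict:
    """Extract the PKCS12 download URL from a CRYPTO_PKI log line and check its host."""
    match = URL_RE.search(log_line)
    if not match:
        return {"ok": False, "reason": "no pkcs12 download URL in line"}
    url = match.group(1)
    host = urlparse(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return {"ok": False, "url": url, "reason": f"host {host!r} is not an IP literal"}
    inside = any(addr in net for net in internal_nets)
    reason = "controller reached by internal address" if inside else (
        f"device is fetching from {addr}, which is outside the internal range")
    return {"ok": inside, "url": url, "host": str(addr), "reason": reason}


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the tag and length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        size = first & 0x7F
        if size == 0 or size > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
        header = 2 + size
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data (truncated download?)")
    return tag, start, end


def check_pkcs12_blob(blob: bytes, limit: int = CERT_SIZE_LIMIT) -> dict:
    """Sanity-check a downloaded PFX: DER SEQUENCE, PFX version 3, complete, under limit."""
    findings = []
    if not blob or blob[0] != 0x30:
        findings.append("not DER: outer tag is not SEQUENCE (PEM or an HTML error page instead?)")
        return {"ok": False, "size": len(blob), "findings": findings}
    try:
        _, start, end = _read_tlv(blob, 0)
        if end != len(blob):
            findings.append(f"outer SEQUENCE spans {end} bytes but data has {len(blob)}")
        tag, vstart, vend = _read_tlv(blob, start)
        version = int.from_bytes(blob[vstart:vend], "big") if tag == 0x02 else None
        if version != 3:
            findings.append(f"PFX version is {version}, expected 3")
    except (ValueError, IndexError) as exc:
        findings.append(f"DER parse error: {exc}")
    if len(blob) > limit:
        findings.append(f"PFX is {len(blob)} bytes, over the {limit}-byte device limit")
    return {"ok": not findings, "size": len(blob), "findings": findings}


def build_sample_pfx(payload_len: int, version: int = 3) -> bytes:
    """Construct a PFX-shaped DER shell (not a real keystore) for testing the checker."""
    auth_safe = _der_tlv(0x04, b"\x00" * payload_len)  # stand-in for authSafe content
    return _der_tlv(0x30, _der_tlv(0x02, bytes([version])) + auth_safe)


if __name__ == "__main__":
    print(check_download_url(SAMPLE_LOG_LINE))
    print(check_pkcs12_blob(build_sample_pfx(100)))
    print(check_pkcs12_blob(build_sample_pfx(5000)))
```

The blob check only looks at the outer PFX envelope, which is enough to tell a truncated or non-DER download (the router reports "end of i/o stream") apart from an oversized but well-formed file; it does not open the encrypted contents. As the last reply notes, the size limit applies to the subCA deployment, so the size finding is informational elsewhere.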