cancel
Showing results for 
Search instead for 
Did you mean: 

Cannot change radius certificate engine (key invalid)

Cannot change radius certificate engine (key invalid)

AnthonyP
New Contributor

Hello,

 

I am trying to generate certificate for one of my NAC Engine (running 8.3.1.9) from XMC (Extreme Management Center 8.3.1.9).

 

I have an internal CA where I have generated a certificate with its private key. But when I try to update them I receive a “nacengine.key is not a recognized file format, or the password is incorrect”.

 

I did not specify any password for so I let the private key password area empty. I tried to upload them bundled, or with the PKCS12 keysyore format but still nothing.

 

Anybody already faced this problem ?

 

Thank you for the help

3 REPLIES 3

mfluechter
New Contributor

I have the same issue in 8.4.1.24. I cannot update certificates for XMC-Webserver or Radius in Control. In both cases the error mentioned by you occured “nac.key is not a recognized file format, or the password is incorrect” and “xmc.key is not a recognized file format, or the password is incorrect” .

In both ways I sticked to the KB-Articles:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Generate-A-Certificate-Signing-Requ...

and

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-generate-a-CSR-Certificate-Signing-...

Any clues?

AnthonyP
New Contributor

Thank you, many thanks !

 

At the end, i did not struggle with it. I just migrate the nac engine without re-deployment. 

 

KR,

Ryan_Yacobucci
Extreme Employee

Hello,

 

Likely there is a problem with the format of the key that is causing NAC to not be able to process it. Without knowing exactly how it was generated or what format it’s in I can’t provide any guidance as to how to convert it to something that works.

 

What you may be able to do is generate another CSR and key using the openssl stack on the NAC appliance and submit the CSR to your internal CA to issue a new certificate that has a password key that is usable: 

 

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Generate-A-Certificate-Signing-Requ...

 

Make sure to use the EKU for server_authentication if you’re going to be using it for EAP-PEAP or EAP-TLS

 

Thanks

-Ryan

GTM-P2G8KFN