This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cannot change radius certificate engine (key invalid)

Cannot change radius certificate engine (key invalid)

AnthonyP
New Contributor

‎01-28-2020 03:31 PM

Hello,

 

I am trying to generate certificate for one of my NAC Engine (running 8.3.1.9) from XMC (Extreme Management Center 8.3.1.9).

 

I have an internal CA where I have generated a certificate with its private key. But when I try to update them I receive a “nacengine.key is not a recognized file format, or the password is incorrect”.

 

I did not specify any password for so I let the private key password area empty. I tried to upload them bundled, or with the PKCS12 keysyore format but still nothing.

 

Anybody already faced this problem ?

 

Thank you for the help

0 Kudos
3 REPLIES 3

mfluechter
New Contributor

‎02-12-2020 11:14 AM

I have the same issue in 8.4.1.24. I cannot update certificates for XMC-Webserver or Radius in Control. In both cases the error mentioned by you occured “nac.key is not a recognized file format, or the password is incorrect” and “xmc.key is not a recognized file format, or the password is incorrect” .

In both ways I sticked to the KB-Articles:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Generate-A-Certificate-Signing-Requ...

and

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-generate-a-CSR-Certificate-Signing-...

Any clues?

0 Kudos

AnthonyP
New Contributor

‎01-30-2020 01:07 PM

Thank you, many thanks !

 

At the end, i did not struggle with it. I just migrate the nac engine without re-deployment. 

 

KR,

0 Kudos

Ryan_Yacobucci
Extreme Employee

‎01-29-2020 01:20 PM

Hello,

 

Likely there is a problem with the format of the key that is causing NAC to not be able to process it. Without knowing exactly how it was generated or what format it’s in I can’t provide any guidance as to how to convert it to something that works.

 

What you may be able to do is generate another CSR and key using the openssl stack on the NAC appliance and submit the CSR to your internal CA to issue a new certificate that has a password key that is usable: 

 

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Generate-A-Certificate-Signing-Requ...

 

Make sure to use the EKU for server_authentication if you’re going to be using it for EAP-PEAP or EAP-TLS

 

Thanks

-Ryan

0 Kudos
GTM-P2G8KFN