- Getting the following error when trying to deploy iWAN through the APIC-EM iWAN app (deploying the hub site).
- Nov 29 21:51:37.156: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure
- *Nov 29 21:51:37.156: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.
- Done debug crypto messages/transactions. Check whether the devices are somehow contacting APIC-EM by its external IP while importing the certificate.
*Nov 29 22:09:06.707: CRYPTO_PKI: Copying pkcs12 from http://xx.xx.xx.xx/api/v1/trust-point/pkcs12/7bf507b5-4566-4b55-a440-d0cfcbc7a298/3c4nlc88u5tq266glql3bfq36p
xx.xx.xx.xx should be the internal IP.
APIC-EM behind NAT (NAT'ed controller) support for brownfield branch sites is to be released in the 1.4 release.
Regarding public/private address for PKI cert import: does that mean that with EM 1.3 we cannot use iWAN app provisioning over INET (in which case we have no choice but to NAT the controller)? In my case, it is a dual-router LTE branch.
[Edited 01/23/2017: Pre-release 1.4, NAT'ed controller support for iWAN is for greenfield sites only. In release 1.4, we are extending that support to brownfield sites as well.]
No support for a NAT'ed controller. As long as there's connectivity from your branch to the controller, the PKCS12 import should be fine.
Try to answer the following questions and see whether everything is as per the release notes. What are the device details here? What platform? What release of APIC-EM is in use? Which iWAN workflow is this, hub provisioning or branch provisioning? Figure out whether there's any routing that's causing this in your set-up.
Additionally, there's a known issue on the device side where, if the certificate is more than 4K bytes in size, the PKCS import will fail. So please check the size of your cert.
The limitation on cert size is specific to subCA deployments. If you don't have a subCA deployment, you are fine.
Check out this URL: https://communities.cisco.com/thread/72808
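The two checks suggested in this thread (whether the router fetched the PKCS#12 from the controller's external rather than internal address, and whether the PKCS#12 blob is over the 4K device-side limit) can be scripted against the `debug crypto pki` output and the downloaded file. The following is an added example written for this thread; it is not code from Cisco, APIC-EM or any poster here. It assumes the IOS debug line format shown above (`CRYPTO_PKI: Copying pkcs12 from <url>`), treats "internal" as RFC 1918 space, and only parses the outer DER SEQUENCE header of the PKCS#12 to get its declared length. The sample debug lines and the PKCS#12-shaped blob are constructed for the example (the blob has a valid outer header around filler bytes, not a real PFX); the 203.0.113.10 address is a documentation placeholder standing in for a public controller IP.

```python
import ipaddress
import re
from urllib.parse import urlparse

# IOS debug line naming the controller URL the device pulled the PKCS#12 from
# (format taken from the debug output quoted in the thread).
URL_LINE_RE = re.compile(r"CRYPTO_PKI: Copying pkcs12 from (?P<url>\S+)")

# Device-side limit discussed in the thread: PKCS#12 blobs over 4K bytes fail to import.
MAX_PKCS12_BYTES = 4096

# "Internal" here means RFC 1918 space; adjust if your controller sits elsewhere.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample debug output, modelled on the lines quoted in the thread.
# The trust-point id and token are placeholders, not values from the page.
SAMPLE_DEBUG = [
    "*Nov 29 22:09:06.707: CRYPTO_PKI: Copying pkcs12 from "
    "http://203.0.113.10/api/v1/trust-point/pkcs12/<trust-point-id>/<token>",
    "*Nov 29 22:09:07.001: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): "
    "Imported PKCS12 file failure",
]


def controller_host_from_debug(lines):
    """Return the host the device contacted for the PKCS#12, or None if no fetch line exists."""
    for line in lines:
        m = URL_LINE_RE.search(line)
        if m:
            return urlparse(m.group("url")).hostname
    return None


def is_rfc1918(host):
    """True/False for an IPv4 literal; None when host is not an IP (e.g. a DNS name)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918_NETS)


def der_outer_length(blob):
    """Total encoded length (header + content) declared by the outer DER SEQUENCE.
    A PKCS#12 PFX is always a DER SEQUENCE, so anything else is rejected."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def pkcs12_size_check(blob, limit=MAX_PKCS12_BYTES):
    """Return (declared_length, status) with status in ok / truncated / too-large."""
    declared = der_outer_length(blob)
    if declared != len(blob):
        return declared, "truncated"      # matches an E_EOS style short read
    if declared > limit:
        return declared, "too-large"
    return declared, "ok"


def triage(debug_lines, pkcs12_blob=None):
    """Run both thread checks and return a list of human-readable findings."""
    findings = []
    host = controller_host_from_debug(debug_lines)
    if host is None:
        findings.append("no 'Copying pkcs12 from' line: import never reached the fetch stage")
    elif is_rfc1918(host) is False:
        findings.append(f"PKCS#12 fetched from non-RFC1918 address {host}: "
                        f"device is reaching the controller via an external/NAT address")
    if pkcs12_blob is not None:
        declared, status = pkcs12_size_check(pkcs12_blob)
        if status != "ok":
            findings.append(f"PKCS#12 {status}: declared {declared} bytes, "
                            f"limit {MAX_PKCS12_BYTES}, got {len(pkcs12_blob)}")
    return findings


def make_fake_pkcs12(content_len):
    """Constructed test blob: valid outer SEQUENCE header (2-byte long-form length)
    wrapping a version INTEGER and zero filler. Not a real PFX; content_len >= 256."""
    body = b"\x02\x01\x03" + b"\x00" * (content_len - 3)
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG, make_fake_pkcs12(5000)):
        print(finding)
```

To use it on a real case, paste the `debug crypto pki transactions` output into a list of lines and pass the PKCS#12 saved from the controller URL (fetched from the same network the router sits in) as bytes; an `ok` size result together with an RFC 1918 controller address points away from both issues raised in the thread.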