- Root access to the Command Line Interface (CLI) of Prime Provisioning is needed. Root access is generated upon install.
Note: For PCP version 12.x and above, please refer to the bottom of this document under Further Notes.
Prime Collaboration Provisioning
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This allows you to access Prime Collaboration Provisioning (PCP) for business purposes through multiple Domain Name Server (DNS) entries with the same certificate, without a certificate error when you access the webpage.
Procedure and Steps
At the time this document was written, the Graphical User Interface (GUI) could only generate the CSR with no alternate name. These are the instructions to generate a CSR with alternate names.
Step 1. Log in to PCP as the root user
Step 2. Navigate to /opt/cupm/httpd/ with the input cd /opt/cupm/httpd/
Step 3. Type: vi san.cnf
Note: This will create a new file called san.cnf which will be empty at the moment
Step 4. Press I to enter insert mode (this allows you to edit the file) and copy/paste the text in the grey field below.
Note also that the entry DNS.1 = pcptest23.cisco.ab.edu at the bottom is the primary DNS entry used for the CSR, and DNS.2 is the secondary. This way you can access PCP with either of the DNS entries.
After you copy/paste this example, replace the pcptest examples with the ones you need for your application.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = pcptest23.cisco.ab.edu
DNS.2 = pcptest.gov.cisco.ca
Step 5. Press Esc, then type :wq! (this saves the file and the changes just made).
Step 6. Restart services for the config file to take effect properly. Type: /opt/cupm/bin/cpcmcontrol.sh stop
Type /opt/cupm/bin/cpcmcontrol.sh status to ensure all services have stopped.
Step 7. Type this command to allow the services to come back up: /opt/cupm/bin/cpcmcontrol.sh start
Step 8. You should still be in the /opt/cupm/httpd/ directory. You can type pwd to confirm your current directory.
Step 9. Run this command to generate the Private key and CSR.
[root@ryPCP11-5 httpd]# openssl req -out PCPSAN.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Generating a 2048 bit RSA private key
writing new private key to 'private.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) :US
State or Province Name (full name) :TX
Locality Name (eg, city) :RCDN
Organization Name (eg, company) :CISCO
Common Name (e.g. server FQDN or YOUR name) :doctest.cisco.com
The CSR is generated. To verify that the CSR contains the correct alternate names, type this command:
openssl req -noout -text -in PCPSAN.csr | grep DNS
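The grep above only prints whatever DNS entries are present; it does not fail when a name is missing or misspelled. The script below is an added example, not part of the original document: it writes the same san.cnf, generates the key and CSR without prompts (-subj carries the sample values typed in Step 9), and compares the CSR's SAN set with the expected names. The function names and the temporary work directory are assumptions made for illustration.

```shell
# Added example (not Cisco's script); host names are the samples from san.cnf above.
# make_csr DIR NAME...: write san.cnf, then create key + CSR without prompts.
make_csr() {
    dir=$1; shift
    cat > "$dir/san.cnf" <<'EOF'
# DN prompts are skipped because -subj is passed on the command line
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for name in "$@"; do
        echo "DNS.$i = $name" >> "$dir/san.cnf"
        i=$((i + 1))
    done
    # -nodes leaves the key unencrypted; umask 077 keeps it owner-readable only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
        -subj "/C=US/ST=TX/L=RCDN/O=CISCO/CN=doctest.cisco.com" \
        -keyout "$dir/private.key" -out "$dir/PCPSAN.csr" 2>/dev/null )
}

# csr_sans CSR: print each DNS name found in the CSR, one per line, sorted.
csr_sans() {
    openssl req -noout -text -in "$1" |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort
}

# check_csr_sans CSR NAME...: succeed only if the SAN set equals NAME... exactly.
check_csr_sans() {
    csr=$1; shift
    want=$(printf '%s\n' "$@" | sort)
    have=$(csr_sans "$csr")
    [ "$want" = "$have" ]
}

# Demo with the page's sample names in a throwaway directory.
work=$(mktemp -d)
make_csr "$work" pcptest23.cisco.ab.edu pcptest.gov.cisco.ca &&
    check_csr_sans "$work/PCPSAN.csr" pcptest23.cisco.ab.edu pcptest.gov.cisco.ca &&
    echo "SAN check passed: $(csr_sans "$work/PCPSAN.csr" | tr '\n' ' ')"
rm -rf "$work"
```

check_csr_sans returns non-zero when the CSR lacks an expected name or carries an extra one, so it can gate submission of the CSR to the CA.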
Step 4. Log out of your current user and log in with the userid you created and the password provided by TAC.
Step 5. Navigate to Troubleshooting Account>>Launch>>Click on Console Account and create your CLI user id and password.
Step 6. Now log in to PCP as the user you created and perform the initial steps described in this document.
Note: In PCP version 12.x and above, you need to put sudo before every command for it to work. For step 9, the command therefore is sudo openssl req -out PCPSAN.csr -newkey rsa:2048 -nodes -keyout PCPSAN.key -config san.cnf. To verify the DNS entries, use the command sudo openssl req -noout -text -in PCPSAN.csr | grep DNS