topic Re: SSLM: Configuring multi-tier certificates issues in Application Networking

SSLM: Configuring multi-tier certificates issues

sgonsalv — Wed, 18 Aug 2010 02:08:31 GMT

Hi Guys,

Wanted to know what was the preferred or Cisco accepted way to install / configure multi-tier certificates on the SSL module? When reading the config guide, it discusses in detail how to handle a single tier cert (i.e just a root ca cert), however there is no real example for handling multi-tier certs (i.e. a root ca cert and an intermediate cert)..

As an example, we've always installed a multi tier cert the following way:

! Setup the main trustpoint which contains the subject name

crypto pki trustpoint DIRECTORY
enrollment terminal
fqdn directory.monash.edu.au
subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
revocation-check none
rsakeypair DIRECTORY
!

! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
enrollment terminal pem
revocation-check none
crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
enrollment terminal
revocation-check none
crl optional
!

! Enroll the trustpoint DIRECTORY for the CSR

! Obtain signed cert from CA (Thawte)

! Authenticate DIRECTORY-Intermediate using the intermediate cert

crypto pki authenticate DIRECTORY-Intermediate

! Authenticate DIRECTORY-Root using the root cert

crypto pki authenticate HYBRID-Root

! Authenticate DIRECTORY using the root cert

crypto pki authenticate DIRECTORY

! Import signed cert against DIRECTORY

crypto pki import DIRECTORY cert

This has always worked fine, until recently we've noticed on one of our SSL modules, that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate

Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

Hence i can't continue to install the rest of the chain. Am going to chase this up via TAC, however i wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else?

thanks

Sheldon

Re: SSLM: Configuring multi-tier certificates issues

cschneid — Fri, 20 Aug 2010 22:42:51 GMT

Sheldon,

Not sure if you've seen this document but it covers an example of installing a multi-tiered

cert install on the SSLM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d1c8.shtml

Maybe go through this step-by-step and if you run into any problems then open

a TAC case for assistance.

Good luck!

-Chip

SSLM: Configuring multi-tier certificates issues

mjuch — Thu, 04 Oct 2012 07:42:51 GMT

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint the validation failed even the root Cert is valid. In debug (for IOS PKI) crypto pki validation you can see

Oct 4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct 4 07:35:13.496: CRYPTO_PKI: Matching CRL not found

and the validation failed with

Authentication failed - could not validate certificate

br Mike

SSLM: Configuring multi-tier certificates issues

rajsures — Tue, 22 Oct 2013 11:38:42 GMT

hi Sridhar,

I found this link which explains

" Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)":

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/2.1/configuration/guide/config.html#wp1201447

is this what you were looking for ?

Thanks,

Rajesh.

SSLM: Configuring multi-tier certificates issues

sridharlatcw — Fri, 25 Oct 2013 15:23:06 GMT

Thank you for the link Suresh, the section "

Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the mulitiple CA installation, but when I followed this, I did root CA installation, the cert got authenticated. I created trustpoint for first intermediate CA and then tried authenticating it threw me an error saying this

Trustpoint "XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

I have masked trustpoint name with XXX.

Still not understanding how to authenticate the CAs including the root.

Sridhar

Re: SSLM: Configuring multi-tier certificates issues

marinogr — Fri, 08 Aug 2025 05:55:58 GMT

It is very important the order of Chain cert (RootCA->SubCA->Cert):

crypto pki authenticate DNAC-CA
-----BEGIN CERTIFICATE-----
RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SubCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Cert
-----END CERTIFICATE-----
quit

Certificate has the following attributes:
Fingerprint MD5: "omitted"
Fingerprint SHA1: "omitted"

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Re: SSLM: Configuring multi-tier certificates issues

jackjame6es — Sun, 30 Nov 2025 12:10:51 GMT

That’s a solid walkthrough of multi-tier certs! While you troubleshoot the SSL module, I’ve been exploring some secure setups and testing features over at Golo777 their platform handles certificates and secure connections really smoothly.

Re: SSLM: Configuring multi-tier certificates issues

merigens63 — Sun, 01 Mar 2026 10:55:53 GMT

It looks like your multi-tier setup is mostly correct, but the error usually points to a mismatch between the intermediate cert and the trustpoint configuration or the enrollment method. Double-check that the intermediate cert matches the exact subject and issuer expected by the DIRECTORY-Intermediate trustpoint. Step-by-step guides for similar SSL module multi-tier setups have been shared and recommended on https://alostoratv.app/ , which could help clarify the proper ordering and authentication procedure.