topic Re: CUBE - Wildcard certificates in Collaboration Applications

CUBE - Wildcard certificates

Shalid Kurunnan Chalil — Tue, 17 Aug 2021 11:59:47 GMT

Hi,

Kindly requesting your input to on my attempt to install the wildcard certificates on a CUBE. I will be using this for MS team direct routing testing. Please find the steps and commands that i used in this.

Configured the trustpoint.

crypto pki trustpoint sbcssl

enrollment terminal

fqdn none

subject-name cn=*.mydomain.net

Placed the root certificate chain

crypto pki authenticate sbcssl

<<paste the certificate chain here >>

paste the certificate and private key

crypto pki import sbcssl certificate

<<paste the private key and then certificate >>

received the error: Cannot import certificate -
Certificate does not contain router's General Purpose public key for trust point sbcssl

please note that i am using the wildcard certificate and private key provided. I didnt generated the CSR from the CUBE router. If i remember correctly, i read it below URL that wildcard certificate worked in the MS direct routing setup. so i would like to try it from my end.

reference: Cisco ISR 4321 SBC for MS Teams Direct Routing

Please let me know if anyone can shed some light on it.

Regards

Re: CUBE - Wildcard certificates

Nithin Eluvathingal — Wed, 18 Aug 2021 02:10:39 GMT

I assume its the problem with the key. Use CSR to generate the wildcard cert. I hope it could resolve the issue.

Re: CUBE - Wildcard certificates

Shalid Kurunnan Chalil — Tue, 17 Aug 2021 12:52:45 GMT

Thanks for your reply.

I would like to get the wildcard certificate corrected if that is a possible option. Is it possible for you to verify the steps that i mentioned is correct or not?

Regards

Re: CUBE - Wildcard certificates

Nithin Eluvathingal — Wed, 18 Aug 2021 02:24:20 GMT

Below mentioned are the steps for signing a router certificate.

1) Generate the keypair
2) Create the trustpoints
3) Generate CSR (Certificate Signing Request)
4) Obtain public signed SSL/TLS certificate
5) Import certificate to trustpoint

Note sure if we can upload the private key. I assume that you didnt do the step 1 and step 3 mentioned above.

Generate CSR and use the same CSR for downloading your wildcard certificate.

Re: CUBE - Wildcard certificates

Scott Leport — Mon, 23 Aug 2021 21:03:48 GMT

Hello,

Not sure if you've seen this video or not, but I've used it once or twice to refresh myself on the process:

https://www.youtube.com/watch?v=IVH5PdPsQyw

I haven't done any wildcard certificates with Teams Direct Routing (yet), but on page 54 in the Direct Routing for Microsoft Phone System with Cisco CUBE doc, a CSR is generated after the RSA keys and Trust Points configured in this example. It might be that you have to do the same here too.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf

Re: CUBE - Wildcard certificates

Nuno Melo — Wed, 12 Jan 2022 12:48:06 GMT

Unfortunately the direct routing documentation does not provide a clear example when we are not generating a certificate csr on the cisco cube and thus are not generating a private key.

However it should be possible to import the private key/signed certificate when bundled in .pkcs12 format, if the pfx file is uploaded to the router flash and imported as per the bellow screenshot:

Re: CUBE - Wildcard certificates

joeharb — Thu, 03 Aug 2023 19:20:13 GMT

I am attempting to import our wildcard certificate but I am getting a Message that states:

% Importing pkcs12...
Source filename [wlcd_xxx_com_new_pw_2023_11.pfx]?
Reading file from bootflash:wlcd_xxx_com_new_pw_2023_11.pfx% You already have RSA keys named padsbc.xxx.com
% If you replace them, all router certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
% Warning: CA cert is not found. The imported certs might not be usable.
CRYPTO_PKI: Import PKCS12 operation failed to create trustpoint padsbc.xxx.com

I have tried to install the Root CA from DigiCert that the certificate is signed by but not having any luck with that either.

Please advise,

Joe

Re: CUBE - Wildcard certificates

Vaijanath Sonvane — Wed, 24 Jan 2024 14:54:20 GMT

Recently I was working with customer to integrate CUCM and Microsoft Teams using Microsoft Teams Direct Routing. In this case, we used their existing wildcard certificate. Here is the process:

1. Do not generate any CSR on CUBE Router.

2. Customer must combine their existing Root CA, Intermediate CA, Wildcard Certificate and Private Key in single PKCS12 bundle. For more details, refer to this post here. This is the single file you need to import on CUBE Router.

3. Copy this file from FTP/SFTP to CUBE Router flash. For example:

copy ftp://<username>:<password>@<x.x.x.x>/wildcard.pfx flash: Destination filename [wildcard]? Accessing ftp://*:*@<x.x.x.x>/wildcard.pfx...! [OK - 4931/4096 bytes]

4. Using the below command, import the wildcard certificate to CUBE. This will automatically create the trustpoint “WILDCARD_TP”.

crypto pki import WILDCARD_TP pkcs12 flash:wildcard.pfx password ******* % Importing pkcs12... Source filename [wildcard.pfx]? Reading file from bootflash:wildcard.pfx CRYPTO_PKI: Imported PKCS12 file successfully.

5. Show running configuration can be used to verify the trust point.

crypto pki trustpoint WILDCARD_TP enrollment pkcs12 revocation-check none rsakeypair WILDCARD_TP ! crypto pki certificate chain WILDCARD_TP 30820676 3082055E A0030201 02021006 245011EF 815DF299 C14D422D AC6F9830 0D06092A 864886F7 0D01010B 05003060 310B3009 06035504 06130255 53311530 13060355 040A130C 44696769 43657274 20496E63 31193017 06035504 0B131077 77772E64 69676963 6572742E 636F6D31 1F301D06 03550403 13164765 6F547275

5. Show crypto pki certificates can be used to display information about the wildcard certificate and the certificate of the CA.

CUBE_ROUTER#sh crypto pki certificates WILDCARD_TP Certificate Status: Available Certificate Serial Number (hex): 00D868B5A81343A259 Certificate Usage: General Purpose Issuer: cn=Go Daddy Secure Certificate Authority - G2 ou=http://certs.godaddy.com/repository/ o=GoDaddy.com Inc. l=Scottsdale st=Arizona c=US Subject: Name: *.example.com cn=*.example.com ou=Domain Control Validated CRL Distribution Points: http://crl.godaddy.com/gdig2s1-2592.crl Validity Date: start date: 22:36:28 UTC Jan 6 2021 end date: 22:36:28 UTC Jan 6 2022 Associated Trustpoints: WILDCARD_TP Storage: nvram:GoDaddySecur#A259.cer CA Certificate Status: Available Certificate Serial Number (hex): 07 Certificate Usage: Signature Issuer: cn=Go Daddy Root Certificate Authority - G2 o=GoDaddy.com Inc. l=Scottsdale st=Arizona c=US Subject: cn=Go Daddy Secure Certificate Authority - G2 ou=http://certs.godaddy.com/repository/ o=GoDaddy.com Inc. l=Scottsdale st=Arizona c=US CRL Distribution Points: http://crl.godaddy.com/gdroot-g2.crl Validity Date: start date: 07:00:00 UTC May 3 2011 end date: 07:00:00 UTC May 3 2031 Associated Trustpoints: WILDCARD_TP Storage: nvram:GoDaddyRootC#7CA.cer

6. Specify the default trust point under sip-ua.

sip-ua crypto signaling default trustpoint WILDCARD_TP

Re: CUBE - Wildcard certificates

aneesh.abraham — Fri, 05 Jul 2024 06:23:42 GMT

I followed the same steps, however not able to import the wildcard certificate, its going till reading the file but I am not getting the import confirmation prompt and the certificate is not shown in the running configuration.

crypto pki import lifenew pkcs12 flash:wildcard.pfx password xxxxx
% Importing pkcs12...Reading file from bootflash:wildcard.pfx
SBC01#
SBC01#

Have you faced this issue or any pointer.

Regards,

Aneesh

Re: CUBE - Wildcard certificates

Vaijanath Sonvane — Fri, 05 Jul 2024 12:22:55 GMT

Hi @aneesh.abraham,

Yes I did face similar issue. It was related to certificate format. If you have wildcard certificate in .p12 format. That will work too.

Re: CUBE - Wildcard certificates

aneesh.abraham — Fri, 05 Jul 2024 12:54:44 GMT

Thanks @Vaijanath Sonvane , let me check and let you know how it goes.

Re: CUBE - Wildcard certificates

MrSerge — Fri, 06 Dec 2024 21:57:51 GMT

@aneesh.abraham wrote:

crypto pki import lifenew pkcs12 flash:wildcard.pfx password xxxxx
% Importing pkcs12...Reading file from bootflash:wildcard.pfx
SBC01#
SBC01#

Got the same issue.
Problem was solved by using keys "-macalg sha1" and "-legacy" in "openssl pkcs12 -export ..." command.
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile chain.crt -out bundle.p12 -macalg sha1 -legacy

Re: CUBE - Wildcard certificates

Rich_U — Tue, 17 Dec 2024 18:10:19 GMT

I can confirm that the p12 or adding the legacy format works with the wildcard certs. I used this procedure for our situation.

Be sure the star cert is issued without any special characters in the passphrase.

Prepare the certificate for the CUBEs.

Concatenate the GoDaddy Intermediate and Root Certificates to form a root/intermediate chain.
- cat gd-intermediate.crt gdroot-g2.crt > int-root-chain.crt
Run openssl using legacy flags the rsa.key, star.crt and the int-root-chain.crt chain to build a .p12 bundled cert.
- openssl pkcs12 -export \
  -inkey rsa.key \
  -in star.crt \
  -certfile int-root-chain.crt \
  -name wc-bundle \
  -legacy -macalg sha1 \
  -out wc_Bundle.p12

CLI on the ISR

Import the cert into the router directly or upload it to the flash and import it.

crypto pki import wc-bundle pkcs12 sftp://username:password@sftphost.westernu.edu/wc_Bundle.p12 password xxxxxxxxxxx

% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.

conf t
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http secure-trustpoint wc-20260105
sip-ua
crypto signaling default trustpoint wc-bundle
end
write memory