https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4732973#M1095664 <P>hello<BR />I have a similar symptom, could you please share the procedure for handling it?<BR />Please also ask for the command.</P> Tue, 06 Dec 2022 06:40:26 GMT lkbge7549 2022-12-06T06:40:26Z https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4568632#M1088156 <P>I am currently trying to set up RESTCONF on one of my lab CUBEs. For this i need the HTTPS server, and for that i needed a valid certificate on the router.</P><P>&nbsp;</P><P>Cisco IOS XE Software, Version 17.03.04a</P><P>bootflash:isr4300-universalk9.17.03.04a.SPA.bin</P><P>&nbsp;</P><P>So i creater a Trustpoint for the router on the router and generated a CSR:</P><P>&nbsp;</P><PRE>hh-srst-cube(config)#crypto pki trustpoint hh-srst-cube hh-srst-cube(ca-trustpoint)#enrollment terminal pem hh-srst-cube(ca-trustpoint)#serial-number none hh-srst-cube(ca-trustpoint)#fqdn none hh-srst-cube(ca-trustpoint)#ip-address none hh-srst-cube(ca-trustpoint)#subject-name CN=hh-srst-cube.*******.com, C=DE, ST=Hamburg, L=Hamburg, O="********", OU=Services hh-srst-cube(ca-trustpoint)#revocation-check none hh-srst-cube(ca-trustpoint)#rsakeypair hh-srst-cube hh-srst-cube(ca-trustpoint)#exit hh-srst-cube(config)#crypto pki authenticate hh-srst-cube</PRE><P>&nbsp;</P><P><SPAN>All fine. I got the CSR and had it signed with our CA.</SPAN></P><P><SPAN>Then i created a trustpoint for our root and intermediate CA:</SPAN></P><PRE>hh-srst-cube(config)#crypto pki trustpoint hh_root hh-srst-cube(ca-trustpoint)#enrollment terminal pem hh-srst-cube(ca-trustpoint)#revocation-check none hh-srst-cube(ca-trustpoint)#exit hh-srst-cube(config)#crypto pki authenticate hh_root</PRE><P><SPAN>Root was fine. No errors. Fingerprint matched.</SPAN></P><P>&nbsp;</P><PRE>hh-srst-cube(config)#crypto pki trustpoint hh_intermediate hh-srst-cube(ca-trustpoint)#enrollment terminal pem hh-srst-cube(ca-trustpoint)#revocation-check none hh-srst-cube(ca-trustpoint)#exit hh-srst-cube(config)#crypto pki authenticate hh_intermediate</PRE><P><SPAN>Intermediate worked fine, fingerprint matched, didnt need confirmation as it matched with the already created root trustpoint.</SPAN></P><P><SPAN>So then finally i wanted to import the signed certificate.</SPAN></P><P>&nbsp;</P><PRE>hh-srst-cube(config)#crypto pki import hh-srst-cube certificate % You must authenticate the Certificate Authority before you can import the router's certificate.</PRE><P><SPAN>What did i do wrong? I tried setting the Root or Intermediate Trustpoint as Primary. Nothing helped. </SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Mar 2022 09:17:18 GMT https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4568632#M1088156 pescla 2022-03-11T09:17:18Z https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4568674#M1088158 <P>As always, i found my mistake just now after asking:</P><P>&nbsp;</P><P>I forgot to authenticate the intermediate CA (which issues the CUBE Cert) on the CUBE trustpoint.</P><P>&nbsp;</P><P>So i had to do a</P><P>&nbsp;</P><P>crypto pki authenticate hh-srst-cube</P><P>&nbsp;</P><P>and paste the certificate of hh_intermediate.</P> Fri, 11 Mar 2022 10:19:26 GMT https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4568674#M1088158 pescla 2022-03-11T10:19:26Z https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4732973#M1095664 <P>hello<BR />I have a similar symptom, could you please share the procedure for handling it?<BR />Please also ask for the command.</P> Tue, 06 Dec 2022 06:40:26 GMT https://community.cisco.com/t5/network-security/cube-ios-xe-cannot-import-signed-certificate/m-p/4732973#M1095664 lkbge7549 2022-12-06T06:40:26Z