
SSLM: Configuring multi-tier certificates issues

sgonsalv
Level 1

Hi Guys,

I wanted to know what the preferred or Cisco-accepted way is to install / configure multi-tier certificates on the SSL module. The config guide discusses in detail how to handle a single-tier cert (i.e. just a root CA cert), however there is no real example for handling multi-tier certs (i.e. a root CA cert and an intermediate cert).

As an example, we've always installed a multi-tier cert the following way:

! Setup the main trustpoint which contains the subject name
crypto pki trustpoint DIRECTORY
  enrollment terminal
  fqdn directory.monash.edu.au
  subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
  revocation-check none
  rsakeypair DIRECTORY
!
! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
  enrollment terminal pem
  revocation-check none
  crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
  enrollment terminal
  revocation-check none
  crl optional
!
! Enroll the trustpoint DIRECTORY to generate the CSR
crypto pki enroll DIRECTORY
!
! Obtain signed cert from CA (Thawte)
!
! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>
!
! Authenticate DIRECTORY-Root using the root cert
crypto pki authenticate DIRECTORY-Root
<paste root cert>
!
! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>
!
! Import signed cert against DIRECTORY
crypto pki import DIRECTORY cert
<paste signed cert>

This has always worked fine, but recently we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:

Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

Hence I can't continue to install the rest of the chain. I am going to chase this up via TAC, however I wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else.

Thanks,

Sheldon

6 Replies

cschneid
Cisco Employee

Sheldon,

Not sure if you've seen this document, but it covers an example of installing a multi-tiered cert on the SSLM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d1c8.shtml

Maybe go through this step-by-step and if you run into any problems then open a TAC case for assistance.

Good luck!

-Chip

mjuch
Level 5

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint, the validation fails even though the root cert is valid. With "debug crypto pki validation" (for IOS PKI) you can see

Oct  4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct  4 07:35:13.496: CRYPTO_PKI: Matching CRL not found

and the validation failed with

Authentication failed - could not validate certificate

BR, Mike

Hi Sridhar,

I found this link which explains "Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)":

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/2.1/configuration/guide/config.html#wp1201447

Is this what you were looking for?

Thanks,

Rajesh.

Thank you for the link Suresh, the section "Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple CA installation, but when I followed this, I did the root CA installation and the cert got authenticated. I created a trustpoint for the first intermediate CA and then tried authenticating it; it threw me an error saying this:

Trustpoint 'XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

I have masked trustpoint name with XXX.

Still not understanding how to authenticate the CAs including the root.

Sridhar

marinogr
Level 1

The order of the chain certificates (RootCA -> SubCA -> Cert) is very important:

crypto pki authenticate DNAC-CA
-----BEGIN CERTIFICATE-----
RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SubCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Cert
-----END CERTIFICATE-----
quit

Certificate has the following attributes:
Fingerprint MD5: "omitted"
Fingerprint SHA1: "omitted"

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
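The two recurring problems in this thread are a chain pasted in the wrong order and a certificate authenticated into a trustpoint that IOS recognizes as a subordinate CA (issuer is not the subject), which it then tries to validate against an already-authenticated issuer. The script below is an added example, not code from the thread or from Cisco: standard-library Python that splits a PEM bundle, pulls the raw issuer and subject Names out of each certificate with a minimal DER walker, orders the certificates RootCA -> SubCA -> Cert as marinogr describes, and tells you which one is the self-signed root before anything is pasted into `crypto pki authenticate`. The CA names, the hostname directory.example.net and the skeleton certificates (real TBSCertificate field order, placeholder key and signature) are constructed for the example; the parsing works the same way on real certificates.

```python
"""Order a PEM chain RootCA -> SubCA -> Cert and identify the self-signed root.
Added example (not from the thread or Cisco); standard library only.
Sample certificates below are CONSTRUCTED skeletons, not real certificates."""
import base64
import re
from typing import List, Tuple

CN_OID = bytes([0x55, 0x04, 0x03])   # id-at-commonName 2.5.4.3
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names_from_der(der: bytes) -> Tuple[bytes, bytes]:
    """Extract (issuer, subject) as complete DER Name encodings from a certificate."""
    _, cert_body, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)         # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)             # version [0] EXPLICIT is optional
    if tag != 0xA0:
        pos = 0                                 # v1 cert: first field was serialNumber
    _, _, pos = _read_tlv(tbs, pos)             # serialNumber
    _, _, pos = _read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)             # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _read_tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = _read_tlv(tbs, pos)             # subject Name
    return issuer, tbs[start:pos]

def common_name(name_der: bytes) -> str:
    """Return the first CN attribute of a DER Name, for display only."""
    _, rdns, _ = _read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = _read_tlv(rdns, pos)  # SET OF AttributeTypeAndValue
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        if oid == CN_OID:
            return value.decode("utf-8", "replace")
    return "<no CN>"

def is_self_signed(der: bytes) -> bool:
    """A root anchor has issuer == subject; a subordinate CA does not."""
    issuer, subject = names_from_der(der)
    return issuer == subject

def pem_to_ders(bundle: str) -> List[bytes]:
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]

def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def order_chain(ders: List[bytes]) -> List[bytes]:
    """Order certificates root -> intermediate(s) -> leaf; raise on a broken chain."""
    names = {d: names_from_der(d) for d in ders}
    roots = [d for d in ders if is_self_signed(d)]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    chain, remaining = [roots[0]], [d for d in ders if d != roots[0]]
    while remaining:
        parent_subject = names[chain[-1]][1]
        children = [d for d in remaining if names[d][0] == parent_subject]
        if len(children) != 1:
            raise ValueError(f"no unique cert issued by {common_name(parent_subject)}")
        chain.append(children[0])
        remaining.remove(children[0])
    return chain

def chain_subjects(bundle: str) -> List[str]:
    """Subject CNs in the order the certificates should be pasted (root first)."""
    return [common_name(names_from_der(d)[1]) for d in order_chain(pem_to_ders(bundle))]

# --- CONSTRUCTED sample chain: correct field layout, no real key or signature ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn: str) -> bytes:                    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))

def make_skeleton_cert(subject_cn: str, issuer_cn: str, serial: int) -> bytes:
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + sha256_rsa
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
           + _name(subject_cn)
           + _tlv(0x30, _tlv(0x05, b"")))       # placeholder SubjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00"))  # empty signature

ROOT_DER = make_skeleton_cert("Example Root CA", "Example Root CA", 1)
SUB_DER = make_skeleton_cert("Example Intermediate CA", "Example Root CA", 2)
LEAF_DER = make_skeleton_cert("directory.example.net", "Example Intermediate CA", 3)
# CA bundles often arrive leaf-first; this order is deliberately wrong.
SAMPLE_BUNDLE = "".join(to_pem(d) for d in (LEAF_DER, ROOT_DER, SUB_DER))

if __name__ == "__main__":
    for d in order_chain(pem_to_ders(SAMPLE_BUNDLE)):
        kind = "root (self-signed)" if is_self_signed(d) else "subordinate / end entity"
        print(f"{common_name(names_from_der(d)[1])}: {kind}")
```

Run it against the bundle your CA delivered: the first certificate printed is the only one that belongs in the Root trustpoint, and any certificate reported as not self-signed is what IOS will call a subordinate CA, so its issuer must already be authenticated (with working revocation settings, as mjuch notes) before you paste it.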
