There are two way to Install/Regeneration certificates on Cisco IOS XE Routers
1. Generate Keypair and CSR on Cisco Router
2. Import Keypair and Certificate
// Generate the Key and CSR on the Cisco Router
# Generate a key-pair
crypto key generate rsa general-keys label cube1key modulus 2048 exportable
# Add PKI trust point for the CUBE
// This is for Host/Router/Identity cert
crypto pki trustpoint cube1
enrollment terminal
fqdn cube1.voipee.com
subject-name CN=cube1.voipee.com
revocation-check crl
rsakeypair cube1key
# Add PKI Trustpoint for the CA
// This is for Root/CA
crypto pki trustpoint cube1-CA
enrollment terminal
revocation-check crl
# Add PKI Trustpoint for the Intermediate(if any)
// This is for Intermediate
crypto pki trustpoint INTER-CA
enrollment terminal
revocation-check crl
# Generate CSR on the CUBE
Generate Certificate Signing request for the host certificate
crypto pki enroll cube1
hostname(config)#crypto pki enroll cube1
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=cube1.voipee.com
% The subject name in the certificate will include: cube1.voipee.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
Certificate signing request will be displayed on the terminal, Copy this and Send to Certificate Provider so that they can provide you SSL Certificate.
# Add the certificates for or CA Trust Point(s)
Authenticate Intermediate with the TP from which the CSR was generated
Authenticate the Root Cert with Root TP
Import Router Signed Certificate( TP from which CSR was Generated. Same TP in Step 1)
crypto pki authenticate <trustpoint>
# Import only the host certificate(not CA)
crypto pki import cube1.voipee.com certificate
PS: If this is imported successfully that means CA and Intermediate were able to authenticate the host certificate, if it is not successful that means something was missing in the chain.
Using the table below one can illustrate the certificate to command to trustpoint mapping with colors that correspond to the previous chain to assist with visualization.
Certificate Name | Trustpoint to use | Command to use |
Root CA | crypto pki trustpoint cube1-CA | crypto pki authenticate cube1-CA |
Intermediate CA 1 | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |
The same logic can be applied to a certificate chain with two intermediate CA certificates. Again colors are provided to help with the visualization of where the new Intermediate CA is applied to the IOS XE configuration.
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Identity Certificate
Certificate Name | Trustpoint to use | Command to use |
Root CA | crypto pki trustpoint cube1-CA | crypto pki authenticate cube1-CA |
Intermediate CA 1 | crypto pki trustpoint INTER-CA | crypto pki authenticate INTER-CA |
Intermediate CA 2 | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |
Looking closely one can notice two patterns:
- All Root or Intermediate certificates are loaded into trustpoints using crypto pki authenticate (regardless of how many there are).
- One can also notice that the final certificate before the device's identity certificate (read the one that directly signed the identity certificate) is always authenticated on the same trustpoint where the identity certificate is to be imported.
- Similar to the error shown earlier, IOS XE will not let an administrator import a certificate without first authenticating the the CA certificate used to directly sign this certificate.
These two patterns above can be used for any number of intermediate certificates beyond two although in most deployments an administrator is likely to see more than two intermediate CAs in a certificate chain.
For completeness the following Root/Identity certificate table is also provided:
- Root CA
- Identity Certificate
Certificate Name | Trustpoint to use | Command to use |
Root CA | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |
Some show command:
show crypto pki trustpoints
show run | be crypto pki trustpoints
show sip-ua tcp tls detail
show crypto key mypubkey cube1key
# To Remove trustpoint
no crypto pki trustpoint cube1.voipee.com
// Import Keypair and Certificate
This is usually used when you do backup restore on another hardware.
# Export the key and certificate(host and intermediate(if any)) from the source device
crypto pki export cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco
# Add pki trustpoint for the CUBE in the destination device
crypto pki trustpoint cube1.voipee.com
enrollment pkcs12
revocation-check crl
# Import PKCS12 formatted file in the destination device
crypto pki import cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco
### Last give Thumpsup to this document. Like this and share with your friends/colleagues