Cisco IOS XE Certificates Install/Regeneration

voipeee · ‎03-02-2022

Symptoms

Diagnosis

Solution

There are two way to Install/Regeneration certificates on Cisco IOS XE Routers

1. Generate Keypair and CSR on Cisco Router

2. Import Keypair and Certificate

// Generate the Key and CSR on the Cisco Router

# Generate a key-pair

crypto key generate rsa general-keys label cube1key modulus 2048 exportable

# Add PKI trust point for the CUBE

// This is for Host/Router/Identity cert

crypto pki trustpoint cube1

enrollment terminal

fqdn cube1.voipee.com

subject-name CN=cube1.voipee.com

revocation-check crl

rsakeypair cube1key

# Add PKI Trustpoint for the CA

// This is for Root/CA

crypto pki trustpoint cube1-CA

enrollment terminal

revocation-check crl

# Add PKI Trustpoint for the Intermediate(if any)

// This is for Intermediate

crypto pki trustpoint usertrust-CA

enrollment terminal

revocation-check crl

# Generate CSR on the CUBE

Generate Certificate Signing request for the host certificate

crypto pki enroll cube1

hostname(config)#crypto pki enroll cube1
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=cube1.voipee.com
% The subject name in the certificate will include: cube1.voipee.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

Certificate signing request will be displayed on the terminal, Copy this and Send to Certificate Provider so that they can provide you SSL Certificate.

# Add the certificates for or CA Trust Point(s)

Root CA for CA Trustpoint, Intermediate for Intermediate trustpoint and host for host trustpoint

crypto pki authenticate <trustpoint>

# Import only the host certificate(not CA)

crypto pki import cube1.voipee.com certificate

PS: If this is imported successfully that means CA and Intermediate were able to authenticate the host certificate, if it is not successful that means something was missing in the chain.

## During troubleshooting I found out: We need to authenticate the intermediate cert first with the same trustpoint as CSR(from which CSR was generated) and then imported the host certificate(router cert) with the same trustpoint.
There after authenticate Root _CA

Some show command:

show crypto pki trustpoints

show run | be crypto pki trustpoints

show sip-ua tcp tls detail

show crypto key mypubkey cube1key

# To Remove trustpoint

no crypto pki trustpoint cube1.voipee.com

// Import Keypair and Certificate

This is usually used when you do backup restore on another hardware.

# Export the key and certificate(host and intermediate(if any)) from the source device

crypto pki export cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco

# Add pki trustpoint for the CUBE in the destination device

crypto pki trustpoint cube1.voipee.com

enrollment pkcs12

revocation-check crl

# Import PKCS12 formatted file in the destination device

crypto pki import cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco

### Last give Thumpsup to this document. Like this and share with your friends/colleagues

Elito Haylett · ‎11-14-2022

Hello

Referencing this link (https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html) will this be the same as step 2 in this documentation? because I'm confused where this file will be imported from....

Thanks,

voipeee · ‎11-14-2022

What is your exact requirement?

Elito Haylett · ‎11-14-2022

I'm trying to configure FlexVPN-AnyConnect-IKE-v2 on an ISR-4331 with IOS-XE installed and was trying to follow the instructions in the link and was a little stumped on step number 2 (PKCS12--The router imports certificates in PKCS12 format from an external server). I'm trying to use router as the CA since it's a small Remote Access deployment. Are your instructions the same as what the document is asking for creating the PKCS12 file to be stored in the bootflash?

thanks