Cisco IOS XE Certificates Install/Regeneration




There are two ways to install or regenerate certificates on Cisco IOS XE routers:


1. Generate Keypair and CSR on Cisco Router

2. Import Keypair and Certificate



// Generate the Key and CSR on the Cisco Router


# Generate a key-pair


crypto key generate rsa general-keys label cube1key modulus 2048 exportable


# Add PKI trust point for the CUBE

// This is for Host/Router/Identity cert

crypto pki trustpoint cube1

enrollment terminal



revocation-check crl

rsakeypair cube1key


# Add PKI Trustpoint for the CA

// This is for Root/CA

crypto pki trustpoint cube1-CA

enrollment terminal

revocation-check crl



# Add PKI trustpoint for the intermediate (if any)

// This is for Intermediate

crypto pki trustpoint usertrust-CA

enrollment terminal

revocation-check crl


# Generate CSR on the CUBE


Generate a certificate signing request for the host certificate:


crypto pki enroll cube1


hostname(config)#crypto pki enroll cube1
% Start certificate enrollment ..
% The subject name in the certificate will include:
% The subject name in the certificate will include:
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:




The certificate signing request is displayed on the terminal. Copy it and send it to your certificate provider so that they can issue the SSL certificate.


# Add the certificates for the CA trustpoint(s)


Authenticate each trustpoint with the matching certificate (paste the PEM when prompted): the root CA for the CA trustpoint, the intermediate for the intermediate trustpoint, and the host for the host trustpoint:


crypto pki authenticate <trustpoint>


# Import only the host certificate (not the CA)


crypto pki import cube1 certificate


PS: If the import succeeds, the CA and intermediate certificates were able to validate the host certificate; if it fails, something is missing in the chain.

## During troubleshooting I found out: we need to authenticate the intermediate certificate first with the same trustpoint as the CSR (the one from which the CSR was generated), and then import the host certificate (router certificate) with the same trustpoint.
Thereafter, authenticate the root CA.

Some show commands:


show crypto pki trustpoints

show running-config | begin crypto pki trustpoint

show sip-ua tcp tls detail

show crypto key mypubkey cube1key


# To remove a trustpoint

no crypto pki trustpoint <trustpoint>


// Import Keypair and Certificate

This is usually used when you restore a backup onto different hardware.


# Export the key and certificate (host and intermediate, if any) from the source device


crypto pki export <trustpoint> pkcs12 <url> password cisco


# Add a PKI trustpoint for the CUBE on the destination device


crypto pki trustpoint <trustpoint>

enrollment pkcs12

revocation-check crl


# Import the PKCS12-formatted file on the destination device


crypto pki import <trustpoint> pkcs12 <url> password cisco
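As an added example (not from the original post and not Cisco's own tooling), the OpenSSL script below ties together three steps above: inspecting the CSR before sending it to the provider, the chain check behind the troubleshooting note (the host certificate validates only when the intermediate is supplied, which is what a failed `crypto pki import` on the router usually means), and building a PKCS12 bundle of key plus host and intermediate certificates like the one `crypto pki export ... pkcs12` produces. It assumes the `openssl` binary is on PATH; the subjects (`Example Root CA`, `cube1.example.test`), file names and the throwaway password `cisco` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): build a test chain
# with OpenSSL, inspect a CSR, verify the host certificate with and without the
# intermediate, and pack key + certificates into a PKCS12 bundle.
# Assumes the openssl binary is on PATH. All subjects, file names and the
# password below are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT
PKCS12_PASS="cisco"   # throwaway password, same as the page's example

# Create root CA -> intermediate CA -> host (CUBE) certificate under $WORK.
build_test_chain() {
    # Root CA: self-signed, marked CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate CA: CSR signed by the root, also CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" 2>/dev/null

    # Host certificate (the router's CSR would be signed the same way): issued by
    # the intermediate only, so the root alone cannot validate it
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=cube1.example.test" \
        -keyout "$WORK/cube1.key" -out "$WORK/cube1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' \
        > "$WORK/host.ext"
    openssl x509 -req -in "$WORK/cube1.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/host.ext" \
        -out "$WORK/cube1.pem" 2>/dev/null
}

# Check a CSR (e.g. the PEM copied from the router terminal) before sending it
# to the CA: verify its self-signature and print the requested subject in
# RFC 2253 form. Prints nothing if the signature does not verify.
inspect_csr() {   # $1 = CSR file
    openssl req -in "$1" -noout -verify -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject=//'
}

# Validate a host certificate against a trusted root, optionally supplying the
# intermediate as an untrusted link. Exit status 0 = chain OK, non-zero = broken.
verify_chain() {   # $1 = host cert, $2 = trusted root, $3 = intermediate (optional)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Bundle key + host cert + intermediate into a password-protected PKCS12 file,
# then read it back without the key and print how many certificates it holds
# (2 expected: host and intermediate).
build_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/cube1.key" -in "$WORK/cube1.pem" \
        -certfile "$WORK/inter.pem" -name cube1 -out "$WORK/cube1.p12" \
        -passout "pass:$PKCS12_PASS" 2>/dev/null
    openssl pkcs12 -in "$WORK/cube1.p12" -nokeys -passin "pass:$PKCS12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    build_test_chain
    echo "CSR subject: $(inspect_csr "$WORK/cube1.csr")"
    if verify_chain "$WORK/cube1.pem" "$WORK/root.pem" "$WORK/inter.pem"; then
        echo "host cert with intermediate supplied: OK"
    fi
    if ! verify_chain "$WORK/cube1.pem" "$WORK/root.pem"; then
        echo "host cert without intermediate: FAILS (chain incomplete, as on the router)"
    fi
    echo "certificates in PKCS12 bundle: $(build_pkcs12)"
}

main
```

The second `verify_chain` call is the interesting one: with only the root in the trust store, validation fails exactly as `crypto pki import` does when the intermediate was never authenticated on the host trustpoint. On a real router the PKCS12 file would be written to a URL such as a `bootflash:` path and read back with `crypto pki import <trustpoint> pkcs12 <url> password <password>`; the `-certfile` argument here is what puts the intermediate into the bundle so the destination device receives the full chain.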


### Lastly, give a thumbs up to this document. Like it and share it with your friends/colleagues.

Elito Haylett


Referencing this link ( will this be the same as step 2 in this documentation? Because I'm confused about where this file will be imported from....



What is your exact requirement?
Elito Haylett

I'm trying to configure FlexVPN-AnyConnect-IKE-v2 on an ISR-4331 with IOS-XE installed and was trying to follow the instructions in the link, and I was a little stumped on step number 2 (PKCS12 -- the router imports certificates in PKCS12 format from an external server). I'm trying to use the router as the CA since it's a small remote-access deployment. Are your instructions the same as what the document is asking for when creating the PKCS12 file to be stored in the bootflash?

