voipeee (Level 3)

Symptoms

Cisco IOS XE Certificates Install/Regeneration

Diagnosis

 

Solution

There are two ways to install or regenerate certificates on Cisco IOS XE routers:

1. Generate the key pair and CSR on the Cisco router

2. Import an existing key pair and certificate

// Generate the Key and CSR on the Cisco Router

# Generate a key pair (marked exportable so it can later be backed up with crypto pki export)

crypto key generate rsa general-keys label cube1key modulus 2048 exportable

 

# Add PKI trust point for the CUBE

// This is for Host/Router/Identity cert

crypto pki trustpoint cube1

enrollment terminal

fqdn cube1.voipee.com

subject-name CN=cube1.voipee.com

revocation-check crl

rsakeypair cube1key

 

# Add PKI Trustpoint for the CA

// This is for Root/CA

crypto pki trustpoint cube1-CA

enrollment terminal

revocation-check crl

 

 

# Add PKI Trustpoint for the Intermediate (if any)

// This is for the Intermediate CA

crypto pki trustpoint INTER-CA

enrollment terminal

revocation-check crl

 

# Generate the CSR on the CUBE

Generate the certificate signing request for the host certificate:

crypto pki enroll cube1

 

hostname(config)#crypto pki enroll cube1
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=cube1.voipee.com
% The subject name in the certificate will include: cube1.voipee.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

 

 

 

The certificate signing request is displayed on the terminal. Copy it and send it to your certificate provider (CA) so they can issue the SSL/TLS certificate.

 

# Add the certificates for the CA trustpoint(s)

Authenticate the Intermediate certificate on the trustpoint from which the CSR was generated.
Authenticate the Root certificate on the Root trustpoint.
Import the router's signed certificate on the trustpoint from which the CSR was generated (the same trustpoint as in step 1).

crypto pki authenticate <trustpoint>

 

# Import only the host certificate (not the CA certificate)

crypto pki import cube1 certificate

PS: If the import succeeds, the CA and Intermediate certificates were able to validate the host certificate; if it fails, something is missing from the chain.

The table below maps each certificate in the chain to the trustpoint it belongs to and the command used to load it (in the original illustration the rows are colour-coded to match the chain diagram):

| Certificate Name | Trustpoint to use | Command to use |
|---|---|---|
| Root CA | crypto pki trustpoint cube1-CA | crypto pki authenticate cube1-CA |
| Intermediate CA 1 | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
| Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |

The same logic applies to a chain with two intermediate CA certificates; the rows below show where the additional Intermediate CA fits into the IOS XE configuration.

- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Identity Certificate

| Certificate Name | Trustpoint to use | Command to use |
|---|---|---|
| Root CA | crypto pki trustpoint cube1-CA | crypto pki authenticate cube1-CA |
| Intermediate CA 1 | crypto pki trustpoint INTER-CA | crypto pki authenticate INTER-CA |
| Intermediate CA 2 | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
| Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |

Looking closely one can notice two patterns:

1. All Root or Intermediate certificates are loaded into trustpoints using crypto pki authenticate (regardless of how many there are).
2. The final CA certificate before the device's identity certificate (the one that directly signed the identity certificate) is always authenticated on the same trustpoint into which the identity certificate is imported.
   - As with the import failure described above, IOS XE will not let an administrator import a certificate without first authenticating the CA certificate that directly signed it.

These two patterns can be applied to any number of intermediate certificates beyond two, although in most deployments an administrator is unlikely to see more than two intermediate CAs in a certificate chain.

For completeness the following Root/Identity certificate table is also provided:

- Root CA
- Identity Certificate

| Certificate Name | Trustpoint to use | Command to use |
|---|---|---|
| Root CA | crypto pki trustpoint cube1 | crypto pki authenticate cube1 |
| Identity Certificate | crypto pki trustpoint cube1 | crypto pki import cube1 certificate |

 

*Illustration borrowed from

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/220422-configure-ca-signed-certificates-with-io.html
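The trustpoint mapping from the three tables above, generalised to any chain depth, as an added Python example (not part of the original post or the Cisco document). Each certificate is given as a (subject, issuer) pair such as `openssl x509 -noout -subject -issuer` prints; the trustpoint names cube1, cube1-CA and INTER-CA are the post's, numbering INTER-CA for chains deeper than the post's examples is an assumption, and the sample chain is constructed. It also reports the missing-link case in which `crypto pki import` fails.

```python
# Added example, not from the original post. Each certificate is given as a
# (subject, issuer) pair, e.g. as printed by `openssl x509 -noout -subject -issuer`.
# Trustpoint names follow the post: cube1 (identity + direct signer), cube1-CA
# (root), INTER-CA (other intermediates; numbering several of them is assumed).

def order_chain(certs):
    """Order (subject, issuer) pairs identity -> root; ValueError on a broken chain."""
    by_subject, issuers = dict(certs), {i for _, i in certs}
    leaves = [s for s, _ in certs if s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one identity certificate, found {len(leaves)}")
    chain, subject = [], leaves[0]
    while subject is not None:
        issuer = by_subject.get(subject)
        if issuer is None or len(chain) >= len(certs):  # missing link or issuer loop
            # On the router this is where `crypto pki import` would fail.
            raise ValueError(f"chain is broken at issuer {subject!r}")
        chain.append((subject, issuer))
        subject = None if issuer == subject else issuer  # self-signed root ends the walk
    return chain

def trustpoint_plan(certs, host_tp="cube1", root_tp="cube1-CA", inter_tp="INTER-CA"):
    """Return (subject, trustpoint, command) triples in the order to run them."""
    chain = order_chain(certs)
    identity, signers = chain[0], chain[1:][::-1]  # signers: root first
    n, plan = len(signers), []
    for k, (subject, _) in enumerate(signers):
        if k == n - 1:  # direct signer of the identity: same trustpoint as the import
            tp = host_tp
        elif k == 0:    # root, when it is not the direct signer
            tp = root_tp
        else:           # remaining intermediates, each on its own trustpoint
            tp = inter_tp if n == 3 else f"{inter_tp}-{k}"
        plan.append((subject, tp, f"crypto pki authenticate {tp}"))
    plan.append((identity[0], host_tp, f"crypto pki import {host_tp} certificate"))
    return plan

# Constructed sample: root, two intermediates and the CUBE identity certificate,
# deliberately out of order, as a CA bundle often arrives.
SAMPLE = [
    ("CN = Example Issuing CA 2", "CN = Example Policy CA 1"),
    ("CN = cube1.voipee.com", "CN = Example Issuing CA 2"),
    ("CN = Example Root CA", "CN = Example Root CA"),
    ("CN = Example Policy CA 1", "CN = Example Root CA"),
]

if __name__ == "__main__":
    for subject, tp, cmd in trustpoint_plan(SAMPLE):
        print(f"{subject:26} {tp:10} {cmd}")
```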

Some useful show commands:

show crypto pki trustpoints

show run | begin crypto pki trustpoint

show sip-ua tcp tls detail

show crypto key mypubkey cube1key

 

# To remove a trustpoint (this also deletes the certificates held in it)

no crypto pki trustpoint cube1

 

// Import Keypair and Certificate

This method is typically used when restoring a backup onto different hardware. The PKCS12 file holds the private key together with the certificates, so protect the file and its password accordingly; the export is only possible because the key was generated with the exportable keyword.

# Export the key and certificates (host and intermediate, if any) from the source device

crypto pki export cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco

 

# Add pki trustpoint for the CUBE in the destination device

 

crypto pki trustpoint cube1.voipee.com

enrollment pkcs12

revocation-check crl

 

# Import PKCS12 formatted file in the destination device 

 

crypto pki import cube1.voipee.com pkcs12 bootflash:cube1.voipee.com password cisco

 

### Last, give a thumbs up to this document. Like it and share it with your friends/colleagues.

Comments
Elito Haylett (Level 1)

Hello

Referencing this link (https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html), will this be the same as step 2 in this documentation? Because I'm confused about where this file will be imported from.

Thanks,

 

voipeee (Level 3)
What is your exact requirement?
Elito Haylett (Level 1)

I'm trying to configure FlexVPN-AnyConnect-IKE-v2 on an ISR-4331 with IOS-XE installed and was trying to follow the instructions in the link and was a little stumped on step number 2 (PKCS12--The router imports certificates in PKCS12 format from an external server). I'm trying to use router as the CA since it's a small Remote Access deployment. Are your instructions the same as what the document is asking for creating the PKCS12 file to be stored in the bootflash?

thanks

voipeee (Level 3)

Thank you so much! @Maren Mahoney and @Roger Kallberg for linking this post. I am deeply honoured and grateful.

Hi,

When I renew the certificate can I use the same trustpoint "cube1" or should I use "crypto pki enroll cube1-2"?

Thanks.

voipeee (Level 3)

Yes, you can use any name. It doesn't matter. You can follow the exact naming which I have mentioned in the doc as well.

Thank you. So if I already have a working cert with this config "crypto pki trustpoint CUBE1.domain.com" and I want to generate a new CSR with crypto pki enroll CUBE1, it will not break the current TLS connection? I just want to make sure that I don't screw up anything.

voipeee (Level 3)

No, it won't, as long as the TP name is different. cube1 is not the same as cube1.something.