How To Use the All-In-One SimpleCA For a Physical Router


When you boot up the 3node topology within your all-in-one (AiO) VM, each instance will automatically get a CA-signed certificate issued by our "simpleCA" scripts.  There will also be a ca.pem root certificate file within the "cisco" user's home directory.  If you have physical routers and you'd like to use the same root certificate, follow these steps.

On the physical router, configure a trustpoint for the simpleCA CA:

Router(config)#crypto pki trustpoint simpleCA

Router(ca-trustpoint)#enrollment terminal pem

Router(ca-trustpoint)#revocation-check none


Next, copy the contents of ~cisco/ca.pem from the AiO VM into your copy buffer.  On the physical router, enter the following command:

Router(config)#crypto pki authenticate simpleCA

input (cut & paste) CA certificate (chain) in PEM format;

end the input with a line containing only END OF INPUT :

At this point, paste the contents of ca.pem into the terminal (remember to include the ---BEGIN and ---END markers!).

Next, on the AiO VM, change directory to ~cisco/.simpleCA, and run the following command:

cisco@onepk:~/.simpleCA$ ./ -cn HOSTNAME -ip IP_ADDR -out HOSTNAME.p12 -pass PASSWORD

Where HOSTNAME is the short hostname of your router, IP_ADDR is the router's management IP address, and PASSWORD is a password for your cert.

Next, copy the HOSTNAME.p12 file to your router's flash.  Then enter the following command on the router:

Router(config)#crypto pki import onepTP pkcs12 flash://HOSTNAME.p12 password PASSWORD

Again, PASSWORD is the password you used when you generated the certificate above.

At this point, you should be able to use your onePK applications with the same ca.pem file from the AiO VM.
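Before copying HOSTNAME.p12 to flash, it is worth confirming that the bundle opens with the password you intend to use, that it chains to the same ca.pem your onePK applications trust, and that its CN and IP subjectAltName match the HOSTNAME and IP_ADDR you passed to the simpleCA script. The following check is an added example, not part of the original post or of the simpleCA scripts; it assumes the openssl CLI is available and that the -cn and -ip options set the certificate CN and an IP SAN respectively.

```shell
#!/bin/sh
# Added example: sanity-check a simpleCA-generated HOSTNAME.p12 before the
# "crypto pki import ... pkcs12 flash://HOSTNAME.p12" step.
# Assumption: the leaf cert carries the hostname as CN and the management
# address as an IP subjectAltName (what -cn/-ip are presumed to set).
# Usage: check_router_p12 HOSTNAME.p12 PASSWORD ca.pem HOSTNAME IP_ADDR

check_router_p12() {
    p12=$1 pass=$2 ca=$3 host=$4 ip=$5
    leaf=$(mktemp) || return 1

    # 1. The password must open the bundle; extract only the router's own cert.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
            -out "$leaf" >/dev/null 2>&1; then
        echo "cannot open $p12 with the given password" >&2
        rm -f "$leaf"; return 1
    fi

    # 2. The cert must chain to the ca.pem the onePK applications trust.
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "$p12 was not issued by the CA in $ca" >&2
        rm -f "$leaf"; return 1
    fi

    # 3. The subject CN must be the router's short hostname.
    if ! openssl x509 -in "$leaf" -noout -subject \
            | grep -Eq "CN ?= ?$host(,|/|$)"; then
        echo "subject CN does not match $host" >&2
        rm -f "$leaf"; return 1
    fi

    # 4. The management address must be present as an IP SAN.
    if ! openssl x509 -in "$leaf" -noout -text \
            | grep -Eq "IP Address:$ip(,|[[:space:]]|$)"; then
        echo "no IP subjectAltName for $ip" >&2
        rm -f "$leaf"; return 1
    fi

    rm -f "$leaf"
    echo "$p12 OK: CN=$host, IP SAN=$ip, chains to $ca"
}
```

Run it on the AiO VM in ~cisco/.simpleCA, e.g. `check_router_p12 HOSTNAME.p12 PASSWORD ~cisco/ca.pem HOSTNAME IP_ADDR`; a non-zero exit with a message on stderr means the file should not be imported yet.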

Community Member

Hi, thank you for explaining how to use it.

I'm using the same method to apply a pkcs12 to an ASR1001.

But I only did the final two parts.

  1. cisco@onepk:~/.simpleCA$ ./ -cn HOSTNAME -ip IP_ADDR -out HOSTNAME.p12 -pass PASSWORD 
  2. Router(config)#crypto pki import onepTP pkcs12 flash://HOSTNAME.p12 password PASSWORD 

It's working with only these two settings, without problems, and the trustpoint is automatically inserted into the config lines when I configure the 2nd line.

Do I need to add the trustpoint and pem config lines manually?

Joe Clarke
Hall of Fame Cisco Employee

You're correct.  You don't need the CA cert on the router since we don't need to generate a CSR on the router.  However, for completeness I added this step in case one does want to generate a CSR using this CA.

