CUBE IOS XE - cannot import signed certificate

pescla

I am currently trying to set up RESTCONF on one of my lab CUBEs. For this I need the HTTPS server, and for that I needed a valid certificate on the router.

 

Cisco IOS XE Software, Version 17.03.04a

bootflash:isr4300-universalk9.17.03.04a.SPA.bin

 

So I created a Trustpoint for the router on the router and generated a CSR:

 

hh-srst-cube(config)#crypto pki trustpoint hh-srst-cube
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#serial-number none
hh-srst-cube(ca-trustpoint)#fqdn none
hh-srst-cube(ca-trustpoint)#ip-address none
hh-srst-cube(ca-trustpoint)#subject-name CN=hh-srst-cube.*******.com, C=DE, ST=Hamburg, L=Hamburg, O="********", OU=Services
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#rsakeypair hh-srst-cube
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh-srst-cube

 

All fine. I got the CSR and had it signed with our CA.

Then I created a trustpoint for our root and intermediate CA:

hh-srst-cube(config)#crypto pki trustpoint hh_root
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh_root

Root was fine. No errors. Fingerprint matched.

 

hh-srst-cube(config)#crypto pki trustpoint hh_intermediate
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh_intermediate

Intermediate worked fine, fingerprint matched, didn't need confirmation as it matched with the already created root trustpoint.

So then finally I wanted to import the signed certificate.

 

hh-srst-cube(config)#crypto pki import hh-srst-cube certificate
% You must authenticate the Certificate Authority before
 you can import the router's certificate.

What did I do wrong? I tried setting the Root or Intermediate Trustpoint as Primary. Nothing helped.

 

 

 

2 Replies

pescla

As always, I found my mistake just now after asking:

 

I forgot to authenticate the intermediate CA (which issues the CUBE Cert) on the CUBE trustpoint.

 

So I had to do a

 

crypto pki authenticate hh-srst-cube

 

and paste the certificate of hh_intermediate.

Hello,
I have a similar symptom, could you please share the procedure for handling it?
Please also ask for the command.
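
A pre-check for the root cause named in the first reply, as an added example that is not part of the original thread: run off-box with OpenSSL, it reports which CA certificate directly issued the signed device certificate, which is the one to paste at `crypto pki authenticate` on the device's own trustpoint before `crypto pki import`. The function names, file names and certificate subjects are constructed for the example.

```shell
#!/bin/sh
# Added example. Names, subjects and file paths below are constructed.

# issuer_of LEAF CA_PEM...: print the candidate CA file that directly issued
# LEAF. That is the certificate the identity trustpoint must hold (pasted at
# "crypto pki authenticate <trustpoint>") before "crypto pki import" works.
issuer_of() {
    leaf=$1; shift
    for ca in "$@"; do
        # -partial_chain lets a non-root CA act as the trust anchor, so a
        # candidate passes only when it is the leaf's direct issuer.
        if openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
            printf '%s\n' "$ca"; return 0
        fi
    done
    return 1
}

# make_demo_pki DIR: build a constructed root -> intermediate -> device chain.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=cube.example.test' \
        -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/device.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/device.pem" 2>/dev/null
}

if [ "$#" -ge 2 ]; then
    issuer_of "$@"            # real use: script.sh device.pem ca1.pem ca2.pem
else
    demo=$(mktemp -d) && make_demo_pki "$demo" &&
        issuer_of "$demo/device.pem" "$demo/root.pem" "$demo/int.pem"
    rm -rf "$demo"
fi
```

On the constructed chain the function reports the intermediate file, not the root, which matches the situation in the thread.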
