03-11-2022 01:17 AM
I am currently trying to set up RESTCONF on one of my lab CUBEs. For this I need the HTTPS server, and for that I needed a valid certificate on the router.
Cisco IOS XE Software, Version 17.03.04a
bootflash:isr4300-universalk9.17.03.04a.SPA.bin
So I created a trustpoint for the router on the router and generated a CSR:
hh-srst-cube(config)#crypto pki trustpoint hh-srst-cube
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#serial-number none
hh-srst-cube(ca-trustpoint)#fqdn none
hh-srst-cube(ca-trustpoint)#ip-address none
hh-srst-cube(ca-trustpoint)#subject-name CN=hh-srst-cube.*******.com, C=DE, ST=Hamburg, L=Hamburg, O="********", OU=Services
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#rsakeypair hh-srst-cube
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh-srst-cube
All fine. I got the CSR and had it signed with our CA.
Then I created a trustpoint for our root and intermediate CA:
hh-srst-cube(config)#crypto pki trustpoint hh_root
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh_root
Root was fine. No errors. Fingerprint matched.
hh-srst-cube(config)#crypto pki trustpoint hh_intermediate
hh-srst-cube(ca-trustpoint)#enrollment terminal pem
hh-srst-cube(ca-trustpoint)#revocation-check none
hh-srst-cube(ca-trustpoint)#exit
hh-srst-cube(config)#crypto pki authenticate hh_intermediate
Intermediate worked fine, fingerprint matched, didn't need confirmation as it matched with the already created root trustpoint.
So then finally I wanted to import the signed certificate.
hh-srst-cube(config)#crypto pki import hh-srst-cube certificate
% You must authenticate the Certificate Authority before you can import the router's certificate.
What did I do wrong? I tried setting the Root or Intermediate Trustpoint as Primary. Nothing helped.
03-11-2022 02:19 AM
As always, I found my mistake just now after asking:
I forgot to authenticate the intermediate CA (which issues the CUBE Cert) on the CUBE trustpoint.
So I had to do a
crypto pki authenticate hh-srst-cube
and paste the certificate of hh_intermediate.
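The fix above depends on knowing which CA certificate directly issued the router certificate, since that is the one the identity trustpoint must be authenticated with. The script below is an added example, not part of the original posts: it assumes a workstation with the `openssl` CLI, builds a constructed sample chain (all subject names and file names are made up), and reports which candidate CA file directly signed a given certificate.

```shell
#!/bin/sh
# Added example: find which CA certificate directly issued a device
# certificate. That CA is the one to paste when running
# "crypto pki authenticate" on the identity trustpoint.
# All file names and subject names below are constructed sample data.
set -eu
work=$(mktemp -d)

# Build a throwaway root -> intermediate -> device chain for the demo.
make_sample_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Sample Root CA" \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Sample Intermediate CA" \
    -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null
  openssl x509 -req -in "$work/int.csr" -days 30 -extfile "$work/ca.ext" \
    -CA "$work/root.pem" -CAkey "$work/root.key" -CAcreateserial \
    -out "$work/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=device.example.test" \
    -keyout "$work/dev.key" -out "$work/dev.csr" 2>/dev/null
  openssl x509 -req -in "$work/dev.csr" -days 30 \
    -CA "$work/int.pem" -CAkey "$work/int.key" -CAcreateserial \
    -out "$work/dev.pem" 2>/dev/null
}

# Print the candidate CA file whose key signed $1. -partial_chain lets a
# single non-root CA act as trust anchor, so only the direct issuer passes.
# Do not pass the certificate itself as a candidate.
direct_issuer() {
  cert=$1; shift
  for ca in "$@"; do
    if openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      printf '%s\n' "$ca"
      return 0
    fi
  done
  return 1
}

make_sample_pki
echo "authenticate the identity trustpoint with: $(direct_issuer "$work/dev.pem" "$work/root.pem" "$work/int.pem")"
```

With real files, call `direct_issuer` with the signed router certificate followed by the root and intermediate PEM files; the file it prints is the CA to paste into the identity trustpoint.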
12-05-2022 10:40 PM
Hello
I have a similar symptom, could you please share the procedure for handling it?
Please also ask for the command.