01-10-2024 07:46 AM - edited 01-10-2024 07:50 AM
Hello All,
I am trying to install a GoDaddy SSL certificate on a Cisco 921 ISR router (IOS). I got the CSR by issuing the command crypto pki enroll godaddy.trustpoint, and the related config goes like this:
crypto pki trustpoint godaddy.trustpoint
enrollment terminal
fqdn XXXX
subject-name CN=XXXX
revocation-check crl
rsakeypair GD_KEYPAIR
When I try to authenticate, I get this error:
Host(config)#crypto pki authenticate godaddy.trustpoint
% Please delete your existing CA certificate first.
% You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.
------------------------------
Also, if I try to import the intermediate or main certificate, I get the following error:
AbrasiveHost(config)#crypto pki import godaddy.trustpoint certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE
0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAO
<trimmed output>
r6EAMQA=
% Failed to parse or verify imported certificate
I have got 3 files from GoDaddy to install certificates. Names are as follows:
b47e0a.crt
b47e0a.pem
gd-g2_iis_intermediates.p7b
Kindly tell me if there's anything I am missing out in my config or during cert installation.
Thank you!
Rajesh
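Added example (not part of the original post, and not Cisco's code): the first line of the base64 pasted above decodes to a PKCS#7 SignedData header, which matches the .p7b bundle rather than a single X.509 certificate. This Python sketch reads only the leading DER bytes to tell the two apart; the function names and result labels are assumptions of this example.

```python
import base64

PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"  # ContentInfo type of a .p7b bundle
# First line of the blob pasted in the post, then the header of the first
# certificate inside it (last 4 characters of that line + the second line).
PASTED = "MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE"
INNER = "MIIE" + "0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAO"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    a = min(body[0] // 40, 2)              # first byte packs the first two arcs
    arcs, value = [a, body[0] - 40 * a], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify(b64_text):
    """Name the outer structure of pasted base64 from its first 48 bytes."""
    body = "".join(l.strip() for l in b64_text.splitlines()
                   if l.strip() and not l.startswith("-----"))
    head = body[:64][:len(body[:64]) // 4 * 4]   # keep whole base64 quanta
    der = base64.b64decode(head)
    if len(der) < 9 or der[0] != 0x30:
        return "not-der-sequence"
    _, start, _ = read_tlv(der, 0)
    inner, s, e = read_tlv(der, start)
    if inner == 0x06:                      # ContentInfo starts with an OID
        oid = decode_oid(der[s:e])
        return "pkcs7-signed-data" if oid == PKCS7_SIGNED_DATA else "content-info:" + oid
    if inner == 0x30 and der[s] == 0xA0:   # tbsCertificate with explicit [0] version
        return "x509-certificate"
    return "unknown"
```

Running `classify` on a file's contents before pasting it at the `crypto pki import` prompt shows whether it is a bundle that first needs splitting into individual certificates.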
01-11-2024 05:40 AM
Hello @Rob Ingram ,
Thanks for your input again. In the first trustpoint (godaddy.trustpoint), I was able to import the intermediate certificate (gd-g2_iis_intermediates.p7b) by converting it to a .crt file.
As you suggested, I have imported the identity certificate (b47e0a.crt) in the 2nd trustpoint (godaddy). Now both are showing up in the router, but I am not able to use it in the webvpn for authentication. Below is the config:
crypto pki trustpoint godaddy.trustpoint
enrollment terminal
fqdn XXXX
subject-name CN=XXXX
revocation-check crl
rsakeypair GD_KEYPAIR
crypto pki trustpoint godaddy
enrollment terminal pem
fqdn XXXX
subject-name CN=XXXX
revocation-check crl
rsakeypair GD_KEYPAIR
AbrasiveHost#sh crypto pki trustpoint
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
cn=ACT2 SUDI CA
o=Cisco
Serial Number (hex): 61096E7D00000000000C
Certificate configured.
Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2048
o=Cisco Systems
Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
Certificate configured.
Trustpoint godaddy.trustpoint:
Subject Name:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com
Inc.
l=Scottsdale
st=Arizona
c=US
Serial Number (hex): 1BE715
Certificate configured.
Trustpoint godaddy:
Subject Name:
cn=vpn.asimn.com
Serial Number (hex): 00B4AA33FF86A07E0A
Certificate configured.
AbrasiveHost# sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 00B4AA33FF86A07E0A
Certificate Usage: General Purpose
Issuer:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com
Inc.
l=Scottsdale
st=Arizona
c=US
Subject:
cn=vpn.asimn.com
CRL Distribution Points:
http://crl.godaddy.com/gdig2s1-5871.crl
Validity Date:
start date: 03:22:04 summer May 29 2023
end date: 16:33:06 summer May 27 2024
Associated Trustpoints: godaddy
Storage: nvram:GoDaddySecur#7E0ACA.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 1BE715
Certificate Usage: Signature
Issuer:
ou=Go Daddy Class 2 Certification Authority
o=The Go Daddy Group
Inc.
c=US
Subject:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com
Inc.
l=Scottsdale
st=Arizona
c=US
CRL Distribution Points:
http://crl.godaddy.com/gdroot.crl
Validity Date:
start date: 02:00:00 EST Jan 1 2014
end date: 03:00:00 summer May 30 2031
Associated Trustpoints: godaddy.trustpoint
Storage: nvram:GoDaddyClass#E715CA.cer
Certificate
Status: Available
Certificate Serial Number (hex): 0389F26B
Certificate Usage: General Purpose
Issuer:
cn=ACT2 SUDI CA
o=Cisco
Subject:
Name: C921-4P
Serial Number: PID:C921-4P SN:PSZ23081KN2
cn=C921-4P
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:C921-4P SN:PSZ23081KN2
Validity Date:
start date: 02:17:20 EST Feb 22 2019
end date: 16:25:41 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 61096E7D00000000000C
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=ACT2 SUDI CA
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 13:56:57 summer Jun 30 2011
end date: 16:25:42 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 16:17:12 summer May 14 2004
end date: 16:25:42 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool
Is there anything I should configure (or) check with Godaddy?
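Added example, not part of the original post: in the listing above, the certificate with subject cn=vpn.asimn.com appears as a CA Certificate under trustpoint godaddy, and neither GoDaddy trustpoint lists an identity Certificate entry. The Python sketch below parses such a listing and reports, per trustpoint, whether an identity certificate is present and whether its issuer is the CA held in the same trustpoint; the function names and result labels are assumptions of this example.

```python
# Abridged from the `sh crypto pki certificates` output in the post (fields used here only).
SAMPLE = """CA Certificate
Issuer:
cn=Go Daddy Secure Certificate Authority - G2
Subject:
cn=vpn.asimn.com
Associated Trustpoints: godaddy
CA Certificate
Subject:
cn=Go Daddy Root Certificate Authority - G2
Associated Trustpoints: godaddy.trustpoint
Certificate
Issuer:
cn=ACT2 SUDI CA
Subject:
cn=C921-4P
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Subject:
cn=ACT2 SUDI CA
Associated Trustpoints: CISCO_IDEVID_SUDI
"""

def parse(text):
    """Return one dict per listing entry: kind, Issuer cn, Subject cn, trustpoints."""
    entries, field = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            entries.append({"kind": line, "Issuer": "", "Subject": "", "tps": []})
            field = None
        elif entries and line.endswith(":"):   # section header such as "Issuer:"
            field = line[:-1] if line in ("Issuer:", "Subject:") else None
        elif entries and line.startswith("Associated Trustpoints:"):
            entries[-1]["tps"] = line.split(":", 1)[1].split()
        elif entries and field and line.startswith("cn="):
            entries[-1][field] = line[3:]
    return entries

def findings(entries):
    """Per trustpoint: 'no-identity-cert', 'issuer-not-ca' or 'ok'."""
    out = {}
    for tp in sorted({t for e in entries for t in e["tps"]}):
        certs = [e for e in entries if tp in e["tps"]]
        cas = {c["Subject"] for c in certs if c["kind"] == "CA Certificate"}
        ids = [c for c in certs if c["kind"] == "Certificate"]
        out[tp] = ("no-identity-cert" if not ids else "issuer-not-ca"
                   if any(c["Issuer"] not in cas for c in ids) else "ok")
    return out
```

On the abridged listing, `findings(parse(SAMPLE))` reports `no-identity-cert` for both `godaddy` and `godaddy.trustpoint`, and `ok` for `CISCO_IDEVID_SUDI`.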