Unable to authenticate trustpoint in Cisco IOS router

Rajesh11735
Level 1

Hello All,

I am trying to install a GoDaddy SSL certificate on a Cisco 921 ISR router (IOS). I got the CSR by issuing the command crypto pki enroll godaddy.trustpoint, and the related config goes like this:

crypto pki trustpoint godaddy.trustpoint
enrollment terminal
fqdn XXXX
subject-name CN=XXXX
revocation-check crl
rsakeypair GD_KEYPAIR

When I tried to authenticate, I got this error:

Host(config)#crypto pki authenticate godaddy.trustpoint
% Please delete your existing CA certificate first.
% You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.  

------------------------------

Also, if I try to import the intermediate or main certificate, I get the following error:

AbrasiveHost(config)#crypto pki import godaddy.trustpoint certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE
0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAO

<trimmed output>
r6EAMQA=

% Failed to parse or verify imported certificate

I got 3 files from GoDaddy to install the certificates. The names are as follows:
b47e0a.crt
b47e0a.pem
gd-g2_iis_intermediates.p7b

Kindly tell me if there's anything I am missing in my config or during the cert installation.

Thank you!

Rajesh


15 Replies

You need to contact your CA, get the CA cert, and add it under


crypto pki trustpoint godaddy.trustpoint
enrollment terminal
fqdn vpn.asimn.com
subject-name CN=vpn.asimn.com
revocation-check crl
rsakeypair GD_KEYPAIR


Host(config)#crypto pki authenticate godaddy.trustpoint

Add the CA cert under this,

OR try to use a URL to download it automatically (under the trustpoint).

MHM


M02@rt37
VIP

Hello @Rajesh11735 

Contact GoDaddy to obtain the CA certificate. They usually provide this in a file or may direct you to a URL to download the CA certificate.

Download the CA certificate (usually a .crt or .pem file) from GoDaddy, and you can add this CA certificate directly to your trustpoint configuration using the `crypto pki authenticate` command:

crypto pki authenticate godaddy.trustpoint

...Follow the prompts to enter the base64-encoded CA certificate. This will associate the CA certificate with the trustpoint.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello @MHM Cisco World and @M02@rt37,

Thanks for your responses. When I tried this command, I get only the following error, though I have deleted other trustpoints.

Host(config)#crypto pki authenticate godaddy.trustpoint
% Please delete your existing CA certificate first.
% You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.

Host#sh run | i crypto pki
crypto pki trustpoint godaddy.trustpoint
crypto pki certificate chain godaddy.trustpoint

When I tried to import the files as well, it didn't work out.

AbrasiveHost(config)#crypto pki import godaddy.trustpoint certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE
0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAO
r6EAMQA=

% Failed to parse or verify imported certificate

Later, I tried to add the cert path in the trustpoint configuration and authenticate, but no luck. 

crypto pki trustpoint godaddy.trustpoint
enrollment url flash:b4aa33ff86a07e0a.crt
fqdn XXXX
subject-name CN=XXXX
revocation-check crl
rsakeypair GD_KEYPAIR

I have the cert files provided by GoDaddy and I can confirm the base64-encoded certificate value given to them matches the one in the router.

I am trying to figure out why it still asks me to delete other trustpoints or fails to verify the imported cert.



@Rajesh11735 If you have received the files from GoDaddy, that implies you have already generated a CSR and sent it to them for signing. I assume you created the CSR on this router? As this would explain why you cannot authenticate the trustpoint: you must have already done this prior to generating the CSR.

You just need to import the signed identity certificate.

show crypto pki certificates

Share this 

MHM 

Rajesh11735
Level 1

Hello @MHM Cisco World, below is the output:

Host#show crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 1BE715
Certificate Usage: Signature
Issuer:
ou=Go Daddy Class 2 Certification Authority
o=The Go Daddy Group
Inc.
c=US
Subject:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com
Inc.
l=Scottsdale
st=Arizona
c=US
CRL Distribution Points:
http://crl.godaddy.com/gdroot.crl
Validity Date:
start date: 02:00:00 EST Jan 1 2014
end date: 03:00:00 summer May 30 2031
Associated Trustpoints: godaddy.trustpoint
Storage: nvram:GoDaddyClass#E715CA.cer

Certificate
Status: Available
Certificate Serial Number (hex): 0389F26B
Certificate Usage: General Purpose
Issuer:
cn=ACT2 SUDI CA
o=Cisco
Subject:
Name: C921-4P
Serial Number: PID:C921-4P SN:PSZ44601KN2
cn=C921-4P
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:C921-4P SN:PSZ44601KN2
Validity Date:
start date: 02:17:20 EST Feb 22 2019
end date: 16:25:41 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 61096E7D00000000000C
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=ACT2 SUDI CA
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 13:56:57 summer Jun 30 2011
end date: 16:25:42 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 16:17:12 summer May 14 2004
end date: 16:25:42 summer May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool

Hello @Rob Ingram ,

Thanks for pitching in. I tried importing the certs first with all possible commands, either the URL method or copy-pasting the 64bit encoded cert. It throws errors in the fashion shown below.

Should I use a different trustpoint while importing any of these files? And is there any particular cert I have to target?

b47e0a.crt
b47e0a.pem
gd-g2_iis_intermediates.p7b



Host(config)#crypto pki import godaddy.trustpoint certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE
0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAO
r6EAMQA=

% Failed to parse or verify imported certificate


Host(config)#crypto pki import godaddy.trustpoint pem url flash:b4aa33ff86a07e0a.pem password cisco123
% Trustpoint 'godaddy.trustpoint' is in use.
% Please delete it or use a different label.

Host(config)#crypto pki import godaddy.trustpoint pkcs12 flash:gd-g2_iis_intermediates.p7b password cisco123
% Trustpoint 'godaddy.trustpoint' is in use.
% Please delete it or use a different label.



You have a CA cert, and it is valid until 2031.

So there is no need to authenticate the trustpoint.

To get the cert for your device, let me check your config.

MHM

@Rajesh11735 Right, but did you generate the CSR on this router or not when you initially created this trustpoint and authenticated it?

Which certificate did you paste when running crypto pki import godaddy.trustpoint certificate? It needs to be the signed identity certificate.


Rob,

I did generate the CSR on this router, and while running the command crypto pki import godaddy.trustpoint certificate, I used the 64 bit cert from each of the following files in every attempt:

b47e0a.crt
b47e0a.pem
gd-g2_iis_intermediates.p7b

The intended validity is for 1 year (till May 2024). 

There are two types of enrollment.

Here you use copy-paste, so you use manual enrollment.

You need to export the CSR and then send it to your CA to sign it, then import it.

https://www.ciscopress.com/articles/article.asp?p=1684781

MHM

Check the link I shared; it is a good source to understand manual enrollment.

MHM

@MHM Cisco World Thanks for the link. I was checking the same and figured out one issue. 

When I made the CSR request, I sent the 64 bit value which I got in the terminal using the "crypto pki enroll godaddy.trustpoint" command, while the link suggests using the command below and sending the 64 bit value it produces for signing.

crypto pki export godaddy.trustpoint pem terminal

The 64 bit value from the above command and the one I gave to GoDaddy don't match.

I may have to redo the trustpoint again and get it signed by them. 

I wish you good luck, friend.

MHM

@Rajesh11735 No, you don't need to use that export command; that link refers to using a Two-Tier CA on Cisco routers, where the router is signing the certificates.

You've probably authenticated the root certificate into the trustpoint into which you are attempting to import the identity certificate, but that root certificate did not issue the certificate; the intermediate CA did. You need to create 2 trustpoints. The 1st trustpoint is for the Root CA and the second for the intermediate root. Generate the CSR and import the signed identity certificate into the 2nd trustpoint (the trustpoint which has the intermediate root certificate).
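As an added illustration of Rob Ingram's point (this is example code, not from the thread or from Cisco), the Python script below, using only the standard library, does two checks on the files received from the CA before anything is pasted into the router. First, it tells a single X.509 certificate apart from a PKCS#7 SignedData bundle, which is what a .p7b file is; the first base64 line pasted into crypto pki import ... certificate earlier in this thread decodes to the PKCS#7 signedData header (OID 1.2.840.113549.1.7.2), not to a bare certificate, and the script checks that line. Second, it reads the subject and issuer of every certificate and reports which one is the self-signed root, which is the intermediate that actually issued the identity certificate, and which is the identity certificate itself, mapped onto the two-trustpoint layout described above. The sample chain is constructed inside the script with dummy keys and signatures, the trustpoint labels (godaddy.trustpoint and godaddy.trustpoint-root) are assumed, and the classification is by subject/issuer linkage only (no signature or basicConstraints check), so a CA certificate that issued nothing in the given set is reported as an identity certificate.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2, PKCS#7 signedData (a .p7b starts with it)
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1, used inside the sample bundle
DN_LABELS = {bytes.fromhex("550403"): "cn", bytes.fromhex("55040a"): "o", bytes.fromhex("55040b"): "ou", bytes.fromhex("550406"): "c"}

def tlv(tag, body):   # encode one DER element (definite length, long form when needed)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def read_tlv(buf, pos=0):
    """(tag, body, next_pos) of the element at buf[pos]; a truncated body is returned as-is."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def b64_to_der(text):
    return base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", text))   # strip PEM armour and whitespace

def blob_kind(text):
    """'pkcs7' for a SignedData bundle (.p7b), 'x509' for a single certificate; only the header is read."""
    tag, body, _ = read_tlv(b64_to_der(text))
    first_tag, first_body, _ = read_tlv(body) if tag == 0x30 and len(body) > 1 else (None, b"", 0)
    if first_tag == 0x06:
        return "pkcs7" if first_body == OID_SIGNED_DATA else "unknown"
    return "x509" if first_tag == 0x30 else "unknown"

def dn_string(name_body):
    attrs = []
    for _, rdn in children(name_body):                  # Name = SEQUENCE OF RDN, RDN = SET OF type+value
        for _, atv in children(rdn):
            (_, t), (_, v) = children(atv)
            attrs.append(f"{DN_LABELS.get(t, t.hex())}={v.decode('utf-8', 'replace')}")
    return ",".join(reversed(attrs))                     # most specific attribute first, as IOS prints it

def cert_info(cert_der):
    _, body, _ = read_tlv(cert_der)
    f = children(children(body)[0][1])                   # tbsCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f                  # skip the optional [0] version
    return {"subject": dn_string(f[4][1]), "issuer": dn_string(f[2][1])}

def extract_certs(text):   # certificates inside a bare X.509 blob or a certs-only PKCS#7 bundle
    kind, der = blob_kind(text), b64_to_der(text)
    if kind != "pkcs7":
        return [cert_info(der)] if kind == "x509" else []
    signed = children(children(read_tlv(der)[1])[1][1])[0][1]          # ContentInfo -> [0] -> SignedData
    sets = [inner for tag, inner in children(signed) if tag == 0xA0]   # certificates [0] IMPLICIT SET
    return [cert_info(tlv(0x30, c)) for _, c in children(sets[0])] if sets else []

def plan_trustpoints(certs, label="godaddy.trustpoint"):
    """Role of each cert and where it goes in a two-trustpoint layout (trustpoint labels are assumed)."""
    issuers = {c["issuer"] for c in certs}
    plan = []
    for c in certs:
        if c["subject"] == c["issuer"]:
            role, cmd = "root CA", f"crypto pki authenticate {label}-root"
        elif c["subject"] in issuers:
            role, cmd = "intermediate CA", f"crypto pki authenticate {label}"
        else:
            role, cmd = "identity certificate", f"crypto pki import {label} certificate"
        plan.append((role, c["subject"], cmd))
    return plan

# ---- constructed sample chain: dummy keys and signatures, not GoDaddy's real certificates ----
def _name(cn, o):
    rdn = lambda t, v: tlv(0x31, tlv(0x30, tlv(0x06, t) + tlv(0x0C, v.encode())))
    return tlv(0x30, rdn(bytes.fromhex("55040a"), o) + rdn(bytes.fromhex("550403"), cn))

def fake_cert(subject, issuer, serial):
    alg = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0x05, b""))        # placeholder AlgorithmIdentifier
    validity = tlv(0x30, tlv(0x17, b"230501000000Z") + tlv(0x17, b"240501000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + alg
              + _name(*issuer) + validity + _name(*subject) + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 8))

def fake_p7b(cert_ders):
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA))
                 + tlv(0xA0, b"".join(cert_ders)) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

ROOT, INTER, LEAF = ("Example Root CA", "Example CA Inc"), ("Example Issuing CA", "Example CA Inc"), ("vpn.example.net", "Example Customer")
IDENTITY_B64 = base64.b64encode(fake_cert(LEAF, INTER, 3)).decode()
BUNDLE_B64 = base64.b64encode(fake_p7b([fake_cert(INTER, ROOT, 2), fake_cert(ROOT, ROOT, 1)])).decode()
THREAD_PASTE = "MIIJggYJKoZIhvcNAQcCoIIJczCCCW8CAQExADALBgkqhkiG9w0BBwGggglVMIIE"   # first base64 line pasted in the thread

if __name__ == "__main__":
    print("thread paste:", blob_kind(THREAD_PASTE), "| identity file:", blob_kind(IDENTITY_B64))
    print(*plan_trustpoints(extract_certs(BUNDLE_B64) + extract_certs(IDENTITY_B64)), sep="\n")
```

To use it on real files, pass the text of each .crt/.pem/.p7b file to blob_kind() and extract_certs(); only a certificate reported as "identity certificate" belongs in crypto pki import ... certificate, and a file reported as "pkcs7" needs its individual certificates authenticated into their own trustpoints rather than being pasted whole.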
