Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3236
Views
5
Helpful
1
Comments

Configuring Subject Alternative Name in Cat 9K Certificates

Tim Glen
Cisco Employee
Cisco Employee

‎08-06-2022 01:43 PM - edited ‎08-06-2022 09:05 PM

Table of Contents

 

Summary

Certificates are a passion of mine. enuf said.

The introduction of the Subject Alternative Name (SAN) extension in certificates was very important to the industry. This is evidenced by RFC 2818 (May 2000) stating that SAN is preferred to the common-name field, and the Certificate Authority / Browser Forum has mandated it (2016) in Section 7.1.4.2.1 of the Baseline Requirements.  In March 2017 Google Chrome stopped looking at the commonName field and is only looking at the SAN field! 

Subject Alternative Name is required in Certificates!

In older versions of IOS XE when configuring a Trustpoint you were able to configure a SAN using the subject-alt-name command in Trustpoint configuration mode. Unfortunately, this only worked when the IOS XE device was provisioning a Self Signed Certificate.

WELCOME to IOS XE 17.8(1)!    While the Release Notes don't specify this a little-known added feature was enhancing the subject-alt-name command to introduce external CA support! 

Let's see...

 

 

Configuration Steps

The configuration steps listed below ONLY create the Trustpoint and include the SAN option.

If you are interested in ALL the steps for manual Certificate Enrollment please see this document I authored.

 

!
configure terminal
!
crypto pki trustpoint MY-TRUSTPOINT
  enrollment terminal pem 
  subject-name C=VI, ST=St. John, L=Saltpond Bay, O=Integrated Security Inc, OU=Tims-Lab, CN=MY-SWITCH-HOSTNAME.MYDOMAIN.NET
  subject-alt-name MY-SWITCH-HOSTNAME.MYDOMAIN.NET
!
end
!

 

 

Verification

Certificate Signing Request Using OpenSSL

openssl req -noout -text

Lets view the PEM data right from the Switch. We can the output right off the Switch and paste it into OpenSSL to verify.  

openssl req 1 (WEB).png

openssl req 2 (WEB).png

openssl req 3 (WEB).png

 

Now that we KNOW the SAN is populated in the Certificate Signing Request, send it to your Certificate Authority and then import the certificate into the Switch.  

 

Certificate On Switch

show crypto pki certificates verbose TRUSTPOINT

This shows us the certificate we installed contains the x509 SAN field and that the field is populated with the FQDN we specified in our Trustpoint Config.

show crypto pki verb trustpoint (WEB).png

 

Certificate Using OpenSSL

openssl x509 -in CERTIFICATE-FILE-NAME.CER -text

I love using openssl for working with certificates.  It's an incredibly powerful tool.

openssl cert 1 (WEB).png

openssl cert 2 (WEB).png

 

 

References

CA Browser Forum Baseline Requirements

Subject Alternative Name Wiki

 

 

Comments
JPavonM
VIP
VIP
‎08-12-2022 07:16 AM

I found the way to create a CSR with SAN for versions lower than 17.8.

Create the CSR on a external server and import it.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents