Create more secure self-signed certificates on IOS router?

ROBERT HOLMES
Level 1

I am running a 1921 router and use it partially as an AnyConnect (WebVPN) server for remote access into the location.  The certificate I used was a self-signed certificate & trustpoint generated on the router.  I am running the latest IOS track available to ensure it has all the newest capabilities.

Doing a quick SSL check against it from Qualys, it appears to have many known vulnerabilities and weaknesses.

* Poodle TLS

* TLS 1.0 only

* SHA1

* Diffie-Hellman 1024 bit

* Some older ciphers that appear to be available (but I never specified), like TLS RC4_128_MD5

The crypto mechanism and commands to create the cert didn't give me much choice in the matter.

Is there a newer/better way to create a more secure certificate chain on an IOS router?  I couldn't find the instructions anywhere.

Robert

5 Replies

Philip D'Ath
VIP Alumni

Have a look at my guide for doing Suite-B VPNs.  It creates much more secure certificates.  Note my comment about the minimum software version to use.

https://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

Very interesting, thanks!

Do you require IKEv2 using this method?  I need the ability to do split-tunneling.

No you don't.  It is only the certificate portion that is relevant to your question.

OK, trying this now and looking it over.  It seems to be way more involved than what I was expecting.  Isn't there a way to just have it use a reliable cert (AES-256, SHA256, etc) without having to create a unique cert for each client?  This will be used by a variety of clients that I don't want to pre-load a cert for, from iPhones to PCs.

Thanks.

If you only want a certificate for the router that is secure, then only generate a certificate for the router.  You don't need to generate certificates for users if they don't need them.
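As an added example (not from this thread or from the linked guide), the router-only part of the fix: a self-signed trustpoint whose certificate is signed with SHA-256 over a 2048-bit RSA key, bound to the WebVPN gateway. The names SSLVPN-KEY, SSLVPN-TP, vpn.example.com and GW1 are placeholders, and the command syntax is assumed from IOS 15.x, so confirm it against your release; it replaces only the certificate and does not change the gateway's TLS version or cipher list, which are separate findings in the scan.

```cisco
! Added example: new RSA key pair sized for current guidance (placeholder label).
crypto key generate rsa label SSLVPN-KEY modulus 2048
!
! Self-signed trustpoint that signs with SHA-256 instead of the SHA-1 default.
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name cn=vpn.example.com
 rsakeypair SSLVPN-KEY
 hash sha256
 revocation-check none
!
! Generate the self-signed certificate for the trustpoint.
crypto pki enroll SSLVPN-TP
!
! Bind the new certificate to the WebVPN (AnyConnect) gateway (placeholder name).
webvpn gateway GW1
 ssl trustpoint SSLVPN-TP
!
! Check the signature algorithm and key size before re-running the external scan:
! show crypto pki certificates verbose SSLVPN-TP
```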