export out from cisco IOS CA issued client certificate

Andriy Sidko
Level 1

Hi guys.

I have IOS CA configured on a Cisco router 891F powered by c800-universalk9-mz.SPA.154-3.M9.bin

 

It got a CSR, I approved it, and a new certificate was generated for the client (this is a Linux host, no SCEP yet).

I see issued certificate number 2 (below):

++++++

gate#sh cry pki ser MY-CA | i number
Last certificate issued serial number (hex): 2
gate#

++++++

Also I see that the certificate file has been written to flash:

 

++++++

gate#sh flash: | i .crt
26 527 Mar 20 2018 11:17:20 -04:00 MY-CA/CRT/1.crt
29 1037 Mar 20 2018 14:00:30 -04:00 MY-CA/CRT/2.crt
gate#

++++++

 

Question.

 

How do I export the certificate generated for the client (2.crt)?

Previously I used the "crypto export" command from exec mode, but there is no such command anymore:

 

++++++

gate#crypto ?
eap EAP
gdoi GDOI related commands
ikev2 IKEv2
ipsec IPSec
key Key related commands.
pki Public Key components

gate#crypto

++++++

I downloaded 2.crt to a Linux TFTP server and tried to decode it with openssl, but every time I got "unknown format error".

 

Could you suggest?

Thank you

4 Replies

Bogdan Nita
VIP Alumni

crypto pki export pem ?

Also check if show crypto key states that the key is exportable.

 

HTH

Bogdan

I can only export the certificate associated with a trustpoint, but there is no trustpoint created for client certificates. The CA router has a CA (self) trustpoint:

+++++++++

gate(config)#crypto pki export ?
WORD Trustpoint label to associate keys and certs with

gate(config)#end

+++++++++

 

Also, there is no command like crypto pki export available in that IOS:

 

+++++++++

gate#crypto pki ?
benchmark Benchmark commands
crl crl command
server Server
token Log in to cryptographic token

gate#

+++++++++

As soon as I unshut the CA server, it automatically creates non-exportable keys without asking any questions:

+++++++++

gate(config)#do sh cry key mypu rsa | i MY-CA|export
Key name: MY-CA
Key is not exportable.
Key name: MY-CA.server
Key is not exportable.
gate(config)#

+++++++++

 

Any idea?

Why not just copy the crt from flash?

Hi Bogdan.

 

This crt file is not recognized by openssl as a valid certificate or PKCS12 bundle:

 

++++++++++++++

[sam@st1 tftpboot]$ openssl x509 -in 2.crt -text -noout
unable to load certificate
4155991744:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

[sam@st1 tftpboot]$
[sam@st1 tftpboot]$ openssl pkcs12 -info -in 2.crt
4155274944:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
4155274944:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:765:
4155274944:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=version, Type=PKCS12
[sam@sidko tftpboot]$

++++++++++++++

 

Actually, there is only one time when I can grab the real client certificate.

When I manually grant the CSR (cry pki ser MY-CA grant <request number>), the granted certificate appears on the console.

If I copy it from the IOS CA console I can export (paste) it to the Linux server, but if the IOS CA grant mode is auto, the certificate is not shown on the console and I cannot use the .crt file from the router flash.

 

I am using the following configuration:

+++++++++++++++++++

gate#sh runn | s MY-C
crypto pki server MY-CA
database level complete
database archive pkcs12 password 7 020E205131321D7741
issuer-name CN=st1.net C=CA
hash sha512
lifetime ca-certificate 1825
cdp-url http://gate.st1.net/
auto-rollover 62
database url flash:
database url cnm flash:MY-CA/CRT/
database url crl flash:MY-CA/CRL/
database url crt flash:MY-CA/CRT/
database url p12 flash:MY-CA/P12/
database url pem flash:MY-CA/PEM/
database url ser flash:MY-CA/CER/

crypto pki trustpoint MY-CA
revocation-check crl
rsakeypair MY-CA

crypto pki certificate chain MY-CA
certificate ca 01
3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 0D050030
-= omitted for brevity =-
D55A9B20 FFDBA17F 72B33E82 DC436F26 E5B887C0 707A5285 D8CE089D C8CE6CC9
E8C6086F 24E76ECA 68DC9FC7 E7C365
quit

+++++++++++++++++++

 

Any idea?

 

Thank you.
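An added example (not from this thread or from Cisco) that checks whether a .crt pulled off the router is PEM or raw DER and re-wraps DER as PEM, which is the form openssl x509 expects by default. The check is a DER fact: a certificate is an outer SEQUENCE (tag 0x30) whose encoded length plus header must equal the file size; the CA cert dump above starts 30 82 02 0B, and 0x20B + 4 = 527, the exact size of 1.crt in the flash listing. The sample below is a constructed stand-in with that header and a zeroed body, not a real certificate.

```python
import base64

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: header copied from the CA certificate dump above,
# body zeroed so the outer length (0x20B) plus 4 header bytes equals 527.
SAMPLE_DER = bytes.fromhex("3082020B") + bytes(523)


def der_outer_length(data: bytes):
    """Total byte length of the outer DER SEQUENCE, or None if the header is
    not a SEQUENCE tag with a definite-form length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                  # indefinite length or truncated header
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify a certificate file as 'pem', 'der' or 'unknown'."""
    if PEM_HEADER in data:
        return "pem"
    total = der_outer_length(data)
    if total is not None and total == len(data):
        return "der"
    return "unknown"


def der_to_pem(data: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-character lines)."""
    b64 = base64.b64encode(data)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return PEM_HEADER + b"\n" + body + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read()
    kind = detect_format(raw)
    print(f"{sys.argv[1]}: {kind}", file=sys.stderr)
    if kind == "der":
        sys.stdout.buffer.write(der_to_pem(raw))   # redirect to 2.pem
```

If the file classifies as DER, openssl can also read it directly with `openssl x509 -inform DER -in 2.crt -text -noout`; the script only helps when the file is neither PEM nor a single well-formed DER object.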