cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2547
Views
0
Helpful
9
Replies

How to specify a certificate to be used by the http secure-server on the IOS router?

Difan Zhao
Level 5
Level 5

Hi, I am not sure if this is the right place for the question...

I followed some link to generate key, then a CSR. Then I went to the MS cert server and obtained a cert (with the webserver template). Then I imported the cert in my router. 

GIR02-70#show crypto pki certificates verbose INT-IT-00-CER-PRO1-CA
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 5B0001BCFFFAFE2C330CBE2C1C00020001BCFF
  Certificate Usage: General Purpose
  Issuer:
    cn=int-IT-00-CER-PRO1-CA
    dc=int
    dc=pason
    dc=com
  Subject:
    cn=gir02-70.int.pason.com
    ou=DigitComm
    o=Pason Systems Corp
    st=Alberta
    c=CA
    hostname=gir02-70.int.pason.com
  CRL Distribution Points:
    ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl
  Validity Date:
    start date: 19:53:35 CST Jan 7 2021
    end   date: 19:53:35 CST Jan 7 2023
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
  Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697
    X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
    Authority Info Access:
        CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
        CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt
    Extended Key Usage:
        Server Auth
  Associated Trustpoints: INT-IT-00-CER-PRO1-CA

Now, how do I specify it to be used with the http secure-server? When I open the browser with the router's hostname, I still see it using the original self-signed cert.

 

Thanks,

Difan

9 Replies 9

TJ-20933766
Spotlight
Spotlight

I believe the command is:

Router(config)# ip http secure-trustpoint INT-IT-00-CER-PRO1-CA

Then when you open a web browser and go to https://gir02-70.int.pason.com (I'm assuming you have already created an A-record in your internal DNS that will resolve to the router IP address), you should get the management web page of the router using that certificate.

Let me know if that works and if so, please consider rating this post as helpful

Hi Tyson, thank you for the reply! I actually have tried it already... Sorry - I should have mentioned it in my original post. I just disabled/re-enabled the http server and http secure server, thinking that whether it is required for the new trustpoint to take effect but failed... Could it be something on the certificate? It is my first time generating a cert for the router. I am not sure if I did everything right. Thanks!

GIR02-70#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: local
HTTP server auth-retry 0 time-window 0
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server IPv4 access class: None
HTTP server IPv6 access class: None
HTTP server base path:
HTTP File Upload status: Disabled
HTTP server upload path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 300
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  aes-128-cbc-sha dhe-aes-128-cbc-sha
        ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version:  TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: INT-IT-00-CER-PRO1-CAHTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

 

TJ-20933766
Spotlight
Spotlight

It looks like you have the certificate installed and assigned to the HTTP secure server interface.

Not to insult your intelligence so please don't take offense when I ask this but are you inspecting the certificate within the browser when you visit the router's web interface or just assuming that it is self-signed because you're getting an untrusted certificate warning? I would open up the certificate and verify that it is indeed either the self-signed cert or is actually using the installed cert but your browser just doesn't trust it.

Hey Tyson, I got it figured out and it was that I didn't import the (intermediate) CA cert correctly... I probably messed up which text copy... I also have imported the root CA and configured the "chain-validation".. Not sure if they helped too. Thanks for the advice anyway! Now I have another two trivial issues

1. Browser (Chrome) and postman still complain about "connection is not private"... And yes, to answer your question, I have verified that the cert the browser sees now is the Microsoft CA assigned one, instead of the self-signed one from before. On my ubuntu box, "openssl verify" reports "ok" though. I have also got my Windows admin guys to verify that my Windows PC has the intermediate and root CA installed properly.

2. I don't have the Subject Alternative Name (SAN) field in the cert. It instead becomes "Unstructured Name = gir02-70.int.pason.com". I am not sure if it contributes to the above privacy error... Here is my CSR

crypto pki trustpoint INT-IT-00-CER-PRO1-CA
 enrollment terminal
 fqdn gir02-70.int.pason.com
 subject-name CN=gir02-70.int.pason.com,OU=DigitComm,O=Pason Systems Corp,C=CA,ST=Alberta
 subject-alt-name gir02-70.int.pason.com
 chain-validation continue PASONROOTCA-CA
 revocation-check none

I also opened a case about this. I know it's hard to troubleshoot this without seeing other configs that I might not be able to share here. Please let me know what you think about the two problems. I will report back when I hear back from the support team too. Thanks!

 

What is the validity length for your certificate. Sept last year, Chrome and Firefox will throw a warning if any certificate is valid for more than 1 year even though everything else about the certificate is perfect.

Have you imported the CA certificate into your computer along with any intermediates into your trusted store?

Hey Tyson, yes I think so but who am I to say that for sure? I am doing it for the very first time. Here are the show command outputs. And yes, they are all over one year in length... However, I just went to my company's home page https://www.pason.com and it has validity till 2022, and I am not seeing a warning with it. thanks!

 

--- Intermediate CA cert and the router cert ---
GIR02-70#sh crypto pki certificates verbose INT-IT-00-CER-PRO1-CA Certificate Status: Available Version: 3 Certificate Serial Number (hex): 5B0001BD11CB55A932430BA54000020001BD11 Certificate Usage: General Purpose Issuer: cn=int-IT-00-CER-PRO1-CA dc=int dc=pason dc=com Subject: Name: gir02-70.int.pason.com cn=gir02-70.int.pason.com ou=DigitComm o=Pason Systems Corp st=Alberta c=CA hostname=gir02-70.int.pason.com CRL Distribution Points: ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl Validity Date: start date: 14:33:44 CST Jan 8 2021 end date: 14:33:44 CST Jan 8 2023 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA256 with RSA Encryption Fingerprint MD5: 339767AB BC4926C4 46F63613 7EA50208 Fingerprint SHA1: 494CCC81 FFA19A2E 6FE33D19 87857ABD 333AC690 X509v3 extensions: X509v3 Key Usage: A0000000 Digital Signature Key Encipherment X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697 X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24 Authority Info Access: CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt Extended Key Usage: Server Auth Associated Trustpoints: INT-IT-00-CER-PRO1-CA Key Label: GIR02-70.int.pason.com Key storage device: private config CA Certificate Status: Available Version: 3 Certificate Serial Number (hex): 1C000000092E292EC4629493CA000200000009 Certificate Usage: Signature Issuer: cn=PASONROOTCA-CA Subject: cn=int-IT-00-CER-PRO1-CA dc=int dc=pason dc=com CRL Distribution Points: ldap:///CN=PASONROOTCA-CA,CN=PasonRootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint http://pki.int.pason.com/CertEnroll/PASONROOTCA-CA.crl Validity Date: start date: 10:33:13 CDT Sep 12 2019 end date: 10:43:13 CDT Sep 12 2026 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA256 with RSA Encryption Fingerprint MD5: 8104BE20 E3E9F86D 550F278C E2B53B12 Fingerprint SHA1: 6647F887 8F7EC830 81EBFDED 6E7DFEF4 4728967B X509v3 extensions: X509v3 Key Usage: 86000000 Digital Signature Key Cert Sign CRL Signature X509v3 Subject Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24 X509v3 Basic Constraints: CA: TRUE X509v3 Authority Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295 Authority Info Access: CA ISSUERS: ldap:///CN=PASONROOTCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority CA ISSUERS: http://pki.int.pason.com/CertEnroll/PasonRootCA_PASONROOTCA-CA(2).crt Associated Trustpoints: INT-IT-00-CER-PRO1-CA

--- root CA cert ---
GIR02-70#show crypto pki certificates verbose PASONROOTCA-CA
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 7DDDC26D79CCA0AC43FB3C977EC5151F
Certificate Usage: Signature
Issuer:
cn=PASONROOTCA-CA
Subject:
cn=PASONROOTCA-CA
Validity Date:
start date: 16:29:47 CDT Mar 19 2019
end date: 09:42:12 CDT Sep 12 2029
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: B1BCE85A BC47C428 4217A0F3 47389202
Fingerprint SHA1: 51386996 7DA7D471 EECBB789 8DA5BA42 ADD601C2
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: PASONROOTCA-CA

Cisco Doc.
"This option is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the enrollment selfsigned command is specified for self-signed enrollment in the trustpoint policy."

Hey thanks MHM, could you send me the link for this, please? SAN should be a very common field. I am surprised to know that it is designed to be used only in the self-signed certs.. 

Difan Zhao
Level 5
Level 5

So I got answers from the Cisco tech. 

You must have a valid SAN field in your certificate for browsers to accept

Cisco routers have this bug that doesn't generate the SAN correctly https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsk85992that

The workaround is to generate the key and CSR with a third-party tool like openssl, then obtain the cert from the CA with the pkcs12 format, then import it into the router. 

Cisco router will not send the full cert path. It requires the browsers to have already installed the root and intermediate certs.

Thanks for the help guys!