01-07-2021 06:39 PM
Hi, I am not sure if this is the right place for the question...
I followed some link to generate key, then a CSR. Then I went to the MS cert server and obtained a cert (with the webserver template). Then I imported the cert in my router.
GIR02-70#show crypto pki certificates verbose INT-IT-00-CER-PRO1-CA
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 5B0001BCFFFAFE2C330CBE2C1C00020001BCFF
Certificate Usage: General Purpose
Issuer:
cn=int-IT-00-CER-PRO1-CA
dc=int
dc=pason
dc=com
Subject:
cn=gir02-70.int.pason.com
ou=DigitComm
o=Pason Systems Corp
st=Alberta
c=CA
hostname=gir02-70.int.pason.com
CRL Distribution Points:
ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl
Validity Date:
start date: 19:53:35 CST Jan 7 2021
end date: 19:53:35 CST Jan 7 2023
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697
X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
Authority Info Access:
CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt
Extended Key Usage:
Server Auth
Associated Trustpoints: INT-IT-00-CER-PRO1-CA
Now, how do I specify it to be used with the http secure-server? When I open the browser with the router's hostname, I still see it using the original self-signed cert.
Thanks,
Difan
01-07-2021 11:40 PM
I believe the command is:
Router(config)# ip http secure-trustpoint INT-IT-00-CER-PRO1-CA
Then when you open a web browser and go to https://gir02-70.int.pason.com (I'm assuming you have already created an A-record in your internal DNS that will resolve to the router IP address), you should get the management web page of the router using that certificate.
Let me know if that works and if so, please consider rating this post as helpful
01-08-2021 08:35 AM
Hi Tyson, thank you for the reply! I actually have tried it already... Sorry - I should have mentioned it in my original post. I just disabled/re-enabled the http server and http secure server, thinking that whether it is required for the new trustpoint to take effect but failed... Could it be something on the certificate? It is my first time generating a cert for the router. I am not sure if I did everything right. Thanks!
GIR02-70#show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server active supplementary listener ports: HTTP server authentication method: local HTTP server auth-retry 0 time-window 0 HTTP server digest algorithm: md5 HTTP server access class: 0 HTTP server IPv4 access class: None HTTP server IPv6 access class: None HTTP server base path: HTTP File Upload status: Disabled HTTP server upload path: HTTP server help root: Maximum number of concurrent server connections allowed: 300 Maximum number of secondary server connections allowed: 50 Server idle time-out: 180 seconds Server life time-out: 180 seconds Server session idle time-out: 600 seconds Maximum number of requests allowed on a connection: 25 Server linger time : 60 seconds HTTP server active session modules: ALL HTTP secure server capability: Present HTTP secure server status: Enabled HTTP secure server port: 443 HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2 dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2 ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2 HTTP secure server TLS version: TLSv1.2 TLSv1.1 HTTP secure server client authentication: Disabled HTTP secure server PIV authentication: Disabled HTTP secure server PIV authorization only: Disabled HTTP secure server trustpoint: INT-IT-00-CER-PRO1-CAHTTP secure server peer validation trustpoint: HTTP secure server ECDHE curve: secp256r1 HTTP secure server active session modules: ALL
01-08-2021 09:12 AM
It looks like you have the certificate installed and assigned to the HTTP secure server interface.
Not to insult your intelligence so please don't take offense when I ask this but are you inspecting the certificate within the browser when you visit the router's web interface or just assuming that it is self-signed because you're getting an untrusted certificate warning? I would open up the certificate and verify that it is indeed either the self-signed cert or is actually using the installed cert but your browser just doesn't trust it.
01-08-2021 02:32 PM
Hey Tyson, I got it figured out and it was that I didn't import the (intermediate) CA cert correctly... I probably messed up which text copy... I also have imported the root CA and configured the "chain-validation".. Not sure if they helped too. Thanks for the advice anyway! Now I have another two trivial issues
1. Browser (Chrome) and postman still complain about "connection is not private"... And yes, to answer your question, I have verified that the cert the browser sees now is the Microsoft CA assigned one, instead of the self-signed one from before. On my ubuntu box, "openssl verify" reports "ok" though. I have also got my Windows admin guys to verify that my Windows PC has the intermediate and root CA installed properly.
2. I don't have the Subject Alternative Name (SAN) field in the cert. It instead becomes "Unstructured Name = gir02-70.int.pason.com". I am not sure if it contributes to the above privacy error... Here is my CSR
crypto pki trustpoint INT-IT-00-CER-PRO1-CA enrollment terminal fqdn gir02-70.int.pason.com subject-name CN=gir02-70.int.pason.com,OU=DigitComm,O=Pason Systems Corp,C=CA,ST=Alberta subject-alt-name gir02-70.int.pason.com chain-validation continue PASONROOTCA-CA revocation-check none
I also opened a case about this. I know it's hard to troubleshoot this without seeing other configs that I might not be able to share here. Please let me know what you think about the two problems. I will report back when I hear back from the support team too. Thanks!
01-08-2021 03:26 PM
What is the validity length for your certificate. Sept last year, Chrome and Firefox will throw a warning if any certificate is valid for more than 1 year even though everything else about the certificate is perfect.
Have you imported the CA certificate into your computer along with any intermediates into your trusted store?
01-11-2021 10:11 AM
Hey Tyson, yes I think so but who am I to say that for sure? I am doing it for the very first time. Here are the show command outputs. And yes, they are all over one year in length... However, I just went to my company's home page https://www.pason.com and it has validity till 2022, and I am not seeing a warning with it. thanks!
--- Intermediate CA cert and the router cert ---
GIR02-70#sh crypto pki certificates verbose INT-IT-00-CER-PRO1-CA Certificate Status: Available Version: 3 Certificate Serial Number (hex): 5B0001BD11CB55A932430BA54000020001BD11 Certificate Usage: General Purpose Issuer: cn=int-IT-00-CER-PRO1-CA dc=int dc=pason dc=com Subject: Name: gir02-70.int.pason.com cn=gir02-70.int.pason.com ou=DigitComm o=Pason Systems Corp st=Alberta c=CA hostname=gir02-70.int.pason.com CRL Distribution Points: ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl Validity Date: start date: 14:33:44 CST Jan 8 2021 end date: 14:33:44 CST Jan 8 2023 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA256 with RSA Encryption Fingerprint MD5: 339767AB BC4926C4 46F63613 7EA50208 Fingerprint SHA1: 494CCC81 FFA19A2E 6FE33D19 87857ABD 333AC690 X509v3 extensions: X509v3 Key Usage: A0000000 Digital Signature Key Encipherment X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697 X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24 Authority Info Access: CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt Extended Key Usage: Server Auth Associated Trustpoints: INT-IT-00-CER-PRO1-CA Key Label: GIR02-70.int.pason.com Key storage device: private config CA Certificate Status: Available Version: 3 Certificate Serial Number (hex): 1C000000092E292EC4629493CA000200000009 Certificate Usage: Signature Issuer: cn=PASONROOTCA-CA Subject: cn=int-IT-00-CER-PRO1-CA dc=int dc=pason dc=com CRL Distribution Points: ldap:///CN=PASONROOTCA-CA,CN=PasonRootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint http://pki.int.pason.com/CertEnroll/PASONROOTCA-CA.crl Validity Date: start date: 10:33:13 CDT Sep 12 2019 end date: 10:43:13 CDT Sep 12 2026 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA256 with RSA Encryption Fingerprint MD5: 8104BE20 E3E9F86D 550F278C E2B53B12 Fingerprint SHA1: 6647F887 8F7EC830 81EBFDED 6E7DFEF4 4728967B X509v3 extensions: X509v3 Key Usage: 86000000 Digital Signature Key Cert Sign CRL Signature X509v3 Subject Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24 X509v3 Basic Constraints: CA: TRUE X509v3 Authority Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295 Authority Info Access: CA ISSUERS: ldap:///CN=PASONROOTCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority CA ISSUERS: http://pki.int.pason.com/CertEnroll/PasonRootCA_PASONROOTCA-CA(2).crt Associated Trustpoints: INT-IT-00-CER-PRO1-CA
--- root CA cert ---
GIR02-70#show crypto pki certificates verbose PASONROOTCA-CA
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 7DDDC26D79CCA0AC43FB3C977EC5151F
Certificate Usage: Signature
Issuer:
cn=PASONROOTCA-CA
Subject:
cn=PASONROOTCA-CA
Validity Date:
start date: 16:29:47 CDT Mar 19 2019
end date: 09:42:12 CDT Sep 12 2029
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: B1BCE85A BC47C428 4217A0F3 47389202
Fingerprint SHA1: 51386996 7DA7D471 EECBB789 8DA5BA42 ADD601C2
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: PASONROOTCA-CA
01-09-2021 07:10 PM
Cisco Doc.
"This option is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the enrollment selfsigned command is specified for self-signed enrollment in the trustpoint policy."
01-11-2021 11:07 AM
Hey thanks MHM, could you send me the link for this, please? SAN should be a very common field. I am surprised to know that it is designed to be used only in the self-signed certs..
01-13-2021 01:20 PM
So I got answers from the Cisco tech.
You must have a valid SAN field in your certificate for browsers to accept
Cisco routers have this bug that doesn't generate the SAN correctly https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsk85992that
The workaround is to generate the key and CSR with a third-party tool like openssl, then obtain the cert from the CA with the pkcs12 format, then import it into the router.
Cisco router will not send the full cert path. It requires the browsers to have already installed the root and intermediate certs.
Thanks for the help guys!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide