How to specify a certificate to be used by the http secure-server on the IOS router?

Difan Zhao
Level 5

Hi, I am not sure if this is the right place for the question...

I followed some link to generate a key, then a CSR. Then I went to the MS cert server and obtained a cert (with the webserver template). Then I imported the cert into my router.

GIR02-70#show crypto pki certificates verbose INT-IT-00-CER-PRO1-CA
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 5B0001BCFFFAFE2C330CBE2C1C00020001BCFF
  Certificate Usage: General Purpose
  Issuer:
    cn=int-IT-00-CER-PRO1-CA
    dc=int
    dc=pason
    dc=com
  Subject:
    cn=gir02-70.int.pason.com
    ou=DigitComm
    o=Pason Systems Corp
    st=Alberta
    c=CA
    hostname=gir02-70.int.pason.com
  CRL Distribution Points:
    ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl
  Validity Date:
    start date: 19:53:35 CST Jan 7 2021
    end   date: 19:53:35 CST Jan 7 2023
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
  Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697
    X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
    Authority Info Access:
        CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
        CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt
    Extended Key Usage:
        Server Auth
  Associated Trustpoints: INT-IT-00-CER-PRO1-CA

Now, how do I specify it to be used with the http secure-server? When I open the browser with the router's hostname, I still see it using the original self-signed cert.

 

Thanks,

Difan

9 Replies

TJ-20933766
Spotlight

I believe the command is:

Router(config)# ip http secure-trustpoint INT-IT-00-CER-PRO1-CA

Then when you open a web browser and go to https://gir02-70.int.pason.com (I'm assuming you have already created an A-record in your internal DNS that will resolve to the router IP address), you should get the management web page of the router using that certificate.

Let me know if that works and, if so, please consider rating this post as helpful.
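A way to confirm which certificate the router actually serves after the trustpoint change, as an added example that is not part of the original thread: it compares the SHA1 fingerprint from the `show crypto pki certificates verbose` output with the certificate presented on port 443. The script name and function names are hypothetical, and it assumes the IOS fingerprint is the SHA-1 digest of the DER-encoded certificate.

```python
import hashlib
import re
import socket
import ssl
import sys

# Constructed sample input: fingerprint lines as printed by
# "show crypto pki certificates verbose" (values copied from the post above).
SAMPLE_SHOW_OUTPUT = """\
  Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
  Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
"""

def ios_sha1_fingerprint(show_output):
    """Return the SHA1 fingerprint from IOS show output as lowercase hex."""
    m = re.search(r"Fingerprint SHA1:\s*((?:[0-9A-Fa-f]{8}\s*){5})", show_output)
    if m is None:
        raise ValueError("no 'Fingerprint SHA1:' line in the pasted output")
    return re.sub(r"\s+", "", m.group(1)).lower()

def served_cert_matches(show_output, served_der):
    """True if the served certificate is the one shown on the router.

    Assumption: the IOS fingerprint is the SHA-1 digest of the DER-encoded
    certificate, the same value `openssl x509 -fingerprint -sha1` prints.
    """
    return hashlib.sha1(served_der).hexdigest() == ios_sha1_fingerprint(show_output)

def fetch_served_cert(host, port=443, timeout=5.0):
    """Fetch the DER certificate the HTTPS server presents.

    Chain and hostname verification are switched off on purpose: the goal is
    to read whatever certificate is served (possibly still the self-signed
    one) and compare fingerprints, not to trust the connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Usage: python check_router_cert.py <router-hostname> < show_output.txt
    der = fetch_served_cert(sys.argv[1])
    ok = served_cert_matches(sys.stdin.read(), der)
    print("CA-issued certificate is being served" if ok
          else "a different certificate is being served")
    sys.exit(0 if ok else 1)
```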