01-07-2021 06:39 PM
Hi, I am not sure if this is the right place for the question...
I followed some link to generate a key, then a CSR. Then I went to the MS cert server and obtained a cert (with the webserver template). Then I imported the cert into my router.
GIR02-70#show crypto pki certificates verbose INT-IT-00-CER-PRO1-CA
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 5B0001BCFFFAFE2C330CBE2C1C00020001BCFF
Certificate Usage: General Purpose
Issuer:
cn=int-IT-00-CER-PRO1-CA
dc=int
dc=pason
dc=com
Subject:
cn=gir02-70.int.pason.com
ou=DigitComm
o=Pason Systems Corp
st=Alberta
c=CA
hostname=gir02-70.int.pason.com
CRL Distribution Points:
ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl
Validity Date:
start date: 19:53:35 CST Jan 7 2021
end date: 19:53:35 CST Jan 7 2023
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697
X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
Authority Info Access:
CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt
Extended Key Usage:
Server Auth
Associated Trustpoints: INT-IT-00-CER-PRO1-CA
Now, how do I specify it to be used with the http secure-server? When I open the browser with the router's hostname, I still see it using the original self-signed cert.
Thanks,
Difan
01-07-2021 11:40 PM
I believe the command is:
Router(config)# ip http secure-trustpoint INT-IT-00-CER-PRO1-CA
Then when you open a web browser and go to https://gir02-70.int.pason.com (I'm assuming you have already created an A-record in your internal DNS that will resolve to the router IP address), you should get the management web page of the router using that certificate.
Let me know if that works and if so, please consider rating this post as helpful.
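
To check from a workstation which certificate the router's HTTPS server actually presents, the following added example (not part of either post) compares the served certificate's SHA-1 fingerprint with the `Fingerprint SHA1` line from the `show crypto pki certificates verbose` output in the question. It assumes the IOS fingerprint is the SHA-1 of the DER-encoded certificate, as a browser's thumbprint is; the function names and the `HOST` placeholder are hypothetical.

```python
import hashlib
import re
import socket
import ssl

# Constructed sample: three lines copied from the `show crypto pki
# certificates verbose` output in the question.
SHOW_OUTPUT = """\
Fingerprint MD5: 82AB5A87 1F3FCE9F DD639091 54B91A5D
Fingerprint SHA1: 1D796A63 2D226AD6 ACB05632 83AFA795 FAA44D0D
Associated Trustpoints: INT-IT-00-CER-PRO1-CA
"""

def parse_show_output(text):
    """Extract the SHA-1 fingerprint (lowercase hex) and trustpoint names."""
    fp = re.search(r"Fingerprint SHA1:\s*((?:[0-9A-Fa-f]{8}\s*){5})", text)
    tp = re.search(r"Associated Trustpoints:\s*(.+)", text)
    return {
        "sha1": re.sub(r"\s+", "", fp.group(1)).lower() if fp else None,
        "trustpoints": tp.group(1).split() if tp else [],
    }

def der_sha1(der_bytes):
    """SHA-1 over the DER encoding (assumed to match the IOS fingerprint)."""
    return hashlib.sha1(der_bytes).hexdigest()

def serves_expected_cert(der_bytes, show_text):
    """True only if the served certificate is the one in the show output."""
    expected = parse_show_output(show_text)["sha1"]
    return expected is not None and der_sha1(der_bytes) == expected

def fetch_served_cert(host, port=443, timeout=5.0):
    """Return the DER certificate the HTTPS server presents.

    Chain validation is off on purpose: a self-signed certificate must still
    be retrievable so its fingerprint can be compared.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    HOST = "router.example.internal"  # placeholder; use the router's DNS name
    der = fetch_served_cert(HOST)
    print("served SHA1:", der_sha1(der))
    print("matches trustpoint cert:", serves_expected_cert(der, SHOW_OUTPUT))
```

A mismatch after changing the trustpoint means the HTTPS server is still presenting a different certificate, such as the original self-signed one.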