04-26-2019 05:16 AM
Hi all,
I have a DMVPN architecture with PSK as the authentication method. I want to replace the PSK with PKI certificates issued by the customer's internal CA server.
The customer CA server has a private IP address, so it is not reachable via the internet. Therefore, the first PKI certificate to install must be generated manually and sent to the PKI team out of band for signature. Then we will install the signed certificates on the routers (spokes & hubs). Once the DMVPN tunnel is up and the private addresses are announced via the tunnel, the CA server will be reachable for certificate renewal. I am using ISR1111-4P and Cisco 800 series.
I tried to generate the certificate signing request (CSR) out of band, in vain. The router still tries to contact the CA server.
Is there any way to generate the CSR based on CA information on Cisco routers?
Here are the commands used:
1/ Generate RSA key
crypto key generate rsa modulus 1024
2/ CA information
crypto pki trustpoint Trusted-CA
 subject-name CN=routername.domainname, O=Domain, E=email
 revocation-check none
3/ CSR generation
crypto pki enroll Trusted-CA
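The following is an added example (not from the original post or any answer) of a trustpoint configured for terminal enrollment, which is the IOS mode in which the CSR and certificates move by copy/paste instead of the router contacting the CA. The trustpoint name and subject fields follow the post; DMVPN-KEY, ONLY-CUSTOMER-CA, the issuer match string and the CA address are placeholders.

```cisco
! Added example: manual (terminal) PKI enrollment on IOS for a DMVPN router.
! Trusted-CA and the subject fields come from the post; DMVPN-KEY, the
! certificate-map name, the issuer string and CA-PRIVATE-IP are placeholders.
crypto key generate rsa label DMVPN-KEY modulus 2048
!
crypto pki trustpoint Trusted-CA
 ! "enrollment terminal" stops the router from trying to reach a CA over
 ! the network: the CSR is printed to the console and certs are pasted in.
 enrollment terminal pem
 subject-name CN=routername.domainname,O=Domain
 rsakeypair DMVPN-KEY
 ! No CRL is reachable until the tunnel is up; revisit after renewal.
 revocation-check none
 ! Only accept peer certificates issued by the customer CA (map below).
 match certificate ONLY-CUSTOMER-CA
!
crypto pki certificate map ONLY-CUSTOMER-CA 10
 issuer-name co o = domain
!
! 1. Install the CA's own certificate (received out of band) first:
!    paste the base64 PEM when prompted, then type "quit".
crypto pki authenticate Trusted-CA
!
! 2. Print the CSR in PEM form on the terminal; send it to the PKI team.
crypto pki enroll Trusted-CA
!
! 3. Paste the signed router certificate returned by the PKI team.
crypto pki import Trusted-CA certificate
!
! 4. Switch IKE from the PSK to certificate authentication (IKEv1 shown).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! 5. Once the CA's private address is reachable through the tunnel,
!    move the trustpoint to network (SCEP) enrollment for renewals:
! crypto pki trustpoint Trusted-CA
!  enrollment url http://CA-PRIVATE-IP/certsrv/mscep/mscep.dll
!  auto-enroll 80 regenerate
!
! Verify: the trustpoint should show "Granted" with CA and router certs.
! show crypto pki trustpoints status
! show crypto pki certificates Trusted-CA
```

The SCEP URL in step 5 is the usual Microsoft NDES path and is an assumption; use whatever the customer CA actually exposes.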
04-27-2019 03:20 AM
04-29-2019 02:11 AM
Hi,
Thank you for your feedback. I will try that and I will let you know later if it works.
Regards,
Kach