Objective:
Import a PKCS12-format certificate issued by an external CA into an IOS router. The certificate will be used for IOS SSL VPN (WebVPN).
Symptom:
During the certificate import the following messages appear on the router. Afterwards the certificate does not work for SSL when it is assigned to the WebVPN configuration.
% Warning: CA cert is not found. The imported certs might not be usable.
CRYPTO_PKI: Import PKCS12 operation failed to create trustpoint test
<SNIP>
%PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.
The cause is that the PKCS12 file contains only the router (identity) certificate and not the CA certificate. The router therefore cannot build the certificate chain, which it must send to the client during the SSL negotiation for SSL VPN.
Solution:
Option 1:
1. Import the CA root certificate into Windows. The root certificate can be obtained from the CA vendor.
2. Import the PKCS12 file into Windows. When importing the certificate, make sure that you check the box "Mark this key as exportable".
3. Windows will build the certificate chain automatically.
4. Export the certificate you just imported. When exporting, select the option "Yes, export the private key".
   Also check the box "Include all certificates in the certification path, if possible".
   Also uncheck the box "Enable strong protection...".
5. The exported file is in binary (PFX) format and needs to be converted to Base64 PKCS12. This can be done with OpenSSL (http://gnuwin32.sourceforge.net/packages/openssl.htm) as follows:
openssl base64 -in <Exported Cert Name> -out <Any Filename for Base64 Cert>
6. Import the Base64 file from Step 5 into the router.
Option 2:
If Option 1 does not work because Windows cannot build the certificate chain, or no Windows machine is available, OpenSSL can be used as follows:
1. Convert the Base64 PKCS12 to binary PFX:
openssl base64 -d -in <cert inBase64> -out <filename.pfx>
2. Extract the private key:
openssl pkcs12 -nocerts -in <filename.pfx> -out mykey.key
3. Extract the public key/certificate:
openssl pkcs12 -clcerts -nokeys -in <filename.pfx> -out mycert.cer
4. Combine the private key and certificate from Steps 2 and 3 with the CA certificate:
openssl pkcs12 -export -in mycert.cer -inkey mykey.key -certfile <CA Cert.cer> -out myallcert.pfx
5. Convert the PFX from Step 4 to Base64. This file now contains the root certificate and can be imported into the router:
openssl base64 -in myallcert.pfx -out myallcertb64.p12
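The script below is an added example, not part of the original article: it reproduces the identity-only bundle that triggers the "CA cert is not found" warning, rebuilds it with the CA certificate as in Option 2 steps 4 and 5, and counts the certificates in each bundle so you can confirm the chain is present before importing into the router. It assumes OpenSSL 1.1 or later on PATH; the CA and router certificates it generates are throwaway test data standing in for the vendor-issued ones, and the export password "changeit" is constructed.

```shell
#!/bin/sh
# Added example: rebuild a PKCS12 so that it carries the CA certificate, and verify the
# chain before importing into the router. All keys and certificates here are generated
# locally as throwaway test data; the password is a constructed placeholder.
set -e
WORK="$(mktemp -d)"
PASS="pass:changeit"
cd "$WORK"

# Count the certificates inside a PKCS12 bundle: 1 = identity only, 2 or more = chain included.
count_certs_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Build a throwaway CA and router certificate standing in for the vendor-issued ones.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout ca.key -out ca.cer 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example.test" \
    -keyout mykey.key -out router.csr 2>/dev/null
  openssl x509 -req -in router.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -days 1 -out mycert.cer 2>/dev/null
  # The bundle as typically shipped: identity cert and key only, no CA (the article's symptom).
  openssl pkcs12 -export -in mycert.cer -inkey mykey.key -passout "$PASS" -out identity_only.pfx
}

# Option 2, steps 4 and 5, with a check that the identity cert really chains to the CA file.
rebuild_with_chain() {
  openssl verify -CAfile ca.cer mycert.cer >/dev/null
  openssl pkcs12 -export -in mycert.cer -inkey mykey.key -certfile ca.cer \
    -passout "$PASS" -out myallcert.pfx
  openssl base64 -in myallcert.pfx -out myallcertb64.p12
  count_certs_in_p12 myallcert.pfx
}

make_test_certs
echo "certs in identity-only bundle: $(count_certs_in_p12 identity_only.pfx)"
echo "certs in rebuilt bundle:       $(rebuild_with_chain)"
```

With OpenSSL 3, add -legacy to the -export command if the router rejects the bundle because of the newer default PBES2 algorithms.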