mulatif (Cisco Employee)

Objective:

Import a PKCS12-format certificate issued by an external CA into an IOS router. The certificate will be used for IOS SSL VPN (WebVPN).

Symptom:

During the certificate import the messages below appear on the router. Afterwards the certificate does not work for SSL when it is assigned to the WebVPN configuration.

% Warning: CA cert is not found. The imported certs might not be usable.

CRYPTO_PKI: Import PKCS12 operation failed to create trustpoint test

<SNIP>


%PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.

The cause is that the PKCS12 file contains only the router (identity) certificate and not the CA certificate. Without the CA certificate the router cannot build the certificate chain, so the chain it needs to send during the SSL negotiation for SSL VPN cannot be created.

Solution:

Option 1:

1. Import the CA root certificate into Windows. The root certificate can be obtained from the certificate vendor.

2. Import the PKCS12 file into Windows. When importing the certificate, make sure the box "Mark this key as exportable..." is checked.

3. Windows will build the certificate chain automatically.

4. Export the certificate you just imported. When exporting, select the option "Yes, export the private key".

    Also, during the export, check the box "Include all certificates in the certification path, if possible".

    Also uncheck the box "Enable strong protection...".

5. The exported file is in binary (DER/PFX) format. It needs to be converted to Base64-encoded PKCS12.

    This can be done with OpenSSL (http://gnuwin32.sourceforge.net/packages/openssl.htm) as follows:

    openssl base64 -in <Exported Cert Name> -out <Any Filename for Base64 Cert>

6. Import the certificate from step 5 into the router.

Option 2:

If the option above does not work because Windows cannot build the certificate chain, or no Windows machine is available, OpenSSL can be used as follows:

1. Convert the PKCS12 from Base64 to binary PFX:

    openssl base64 -d -in <cert inBase64> -out <filename.pfx>

2. Extract the private key (you will be prompted for the PKCS12 password and then for a passphrase to protect the extracted key):

    openssl pkcs12 -nocerts -in <filename.pfx> -out mykey.key

3. Extract the identity certificate (public key):

    openssl pkcs12 -clcerts -nokeys -in <filename.pfx> -out mycert.cer

4. Combine the private key and certificate from steps 2 and 3 with the CA certificate:

    openssl pkcs12 -export -in mycert.cer -inkey mykey.key -certfile <CA Cert.cer> -out myallcert.pfx

5. Convert the PFX from step 4 to Base64. This file now contains the root certificate and can be imported into the router:

    openssl base64 -in myallcert.pfx -out myallcertb64.p12
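The following script is an added example and not part of the original post. It reproduces the situation described above with a constructed throwaway CA and router certificate (all names, the password "changeit" and the file names are assumptions), builds a leaf-only PKCS12 of the kind that triggers the "CA cert is not found" warning, then rebuilds it with the CA certificate as in Option 2 steps 2 to 4 and Base64-encodes the result as in Option 1 step 5 / Option 2 step 5. It adds -nodes and -passin/-passout so the steps run without prompts, and it checks the outcome by counting the certificates each PKCS12 carries, which is the check a practitioner should do before copying the file to the router.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl on PATH.
# All certificates, keys and the password below are constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build a throwaway CA and a router identity certificate signed by it,
# then package only the identity certificate and key: this is the kind of
# PKCS12 that makes IOS report "CA cert is not found".
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.cer >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=router.example.test" -keyout mykey.key -out router.csr >/dev/null 2>&1
  openssl x509 -req -in router.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out mycert.cer >/dev/null 2>&1
  openssl pkcs12 -export -in mycert.cer -inkey mykey.key \
    -passout pass:changeit -out leafonly.pfx
}

# Count the certificates stored in a PKCS12 without touching the private key.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Option 2, steps 2-4: pull the key and identity certificate out of the
# leaf-only PKCS12 and re-export them together with the CA certificate.
rebuild_with_chain() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:changeit -out mykey2.key
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:changeit -out mycert2.cer
  openssl pkcs12 -export -in mycert2.cer -inkey mykey2.key -certfile ca.cer \
    -passout pass:changeit -out myallcert.pfx
}

# Step 5: Base64-encode the rebuilt PKCS12 for the router.
to_base64() {
  openssl base64 -in "$1" -out "$2"
}

make_test_material
rebuild_with_chain leafonly.pfx
to_base64 myallcert.pfx myallcertb64.p12
echo "leaf-only PKCS12 holds $(count_certs leafonly.pfx) cert(s); rebuilt PKCS12 holds $(count_certs myallcert.pfx)"
```

The count of 2 on the rebuilt file is what to look for: the identity certificate plus the CA certificate that the router needs to form the chain. If the rebuild uses OpenSSL 3 and an older IOS release still rejects the file, the cause can be the default PKCS12 encryption rather than the chain; OpenSSL 3 offers `openssl pkcs12 -export -legacy` to produce the older encryption, which the original post does not cover.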

Comments

paolo bevilacqua (Hall of Fame)

IOS accepts PKCS12 binary format. No need for step 5 above.

Raul Ricano (Level 1)

Importing SSL Certificate into IOS Router. (Marking for searchability)

After much research and failure I got to this thread, and this was the one that did the trick for importing the SSL (wildcard) cert into the router.

Do not have an existing TrustPoint name you are going to use.

Follow Solution 1 through step 4, and also export with a password and not a username etc.

Copy the cert to the router flash, then import it with the following command. Worked like a champ for me.

crypto pki import TrustPointNameHere pkcs12 flash:CertNameHere.pfx password PasswordHere

Mulatif and Paolo, thank you for making this article and helping me resolve my issue.
