Craig Lorentzen
Cisco Employee

Purpose:

How to install a certificate when the CSR and private key were not generated on the VPN3k.  The VPN3k uses a non-standard format to import and export certificates. The format is:

a PKCS#8 encrypted private key followed by the Base64 (PEM) encoded certificate

e.g.

-----BEGIN ENCRYPTED PRIVATE KEY-----
MII...encrypted private key...
-----END ENCRYPTED PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MII...base64 encoded certificate...
-----END CERTIFICATE-----

Requirements:

The certificate and its associated RSA private key, or a PKCS#12 bundle containing the certificate and key

Computer with the OpenSSL Toolkit.

Procedure:

Assumptions:

The pkcs12 is named: cert.pfx

The password for the pkcs12 is: cisco

The unencrypted private key file is named: private.key

The certificate is named: cert.crt

Final product: cert.vpn3k

If you already have the RSA private key and certificate in separate files, skip step 1 and proceed to step 2.

1. Extract the Certificate and RSA private key

From the same folder as the cert.pfx file, assuming openssl is installed and in the path, run the following command to export the unencrypted RSA private key and the certificate.

openssl pkcs12 -in cert.pfx -passin pass:cisco -clcerts -nodes

!The above command reads the PKCS#12, decrypts it with the password given after passin pass:, and prints only the client certificate (-clcerts) together with the private key left unencrypted (-nodes)

Create two text files, one named cert.crt and one named private.key.

Copy everything between and including the

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

lines into the cert.crt file,

and copy everything between and including the

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

lines into the private.key file.

2. We need to encode the RSA private key in PKCS#8 format.  Again we will use openssl to do this.

From the same folder as the private.key run the following command

openssl pkcs8 -topk8 -passout pass:cisco -in private.key -out private.key.enc

!The above command converts the key to PKCS#8 format (-topk8), encrypts it with the password given after passout pass:, and stores it as private.key.enc

3. Now we need to create a single file where the encrypted private key is combined with the certificate.

Create a new file named cert.vpn3k

Copy the entire contents of private.key.enc into cert.vpn3k.

Ensure that you are on a new line, then paste the entire contents of cert.crt into the same file (cert.vpn3k).

You should now have a file named cert.vpn3k which follows the format shown in the Purpose section of this document.  The contents of this file can be cut-and-pasted to install your certificate and private key on the VPN 3000 through Administration -> Certificate Management -> Installation, using the "Import SSL certificate with private key" tool.
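The three steps above, as an added shell script that is not part of the original post: it extracts the key and certificate from the PKCS#12, re-encodes the key as encrypted PKCS#8, writes cert.vpn3k in the required order, and then confirms that the bundled key really belongs to the certificate before anything is pasted into the concentrator. It assumes openssl is on the path and uses the file names and the password "cisco" from the Assumptions section; the function name vpn3k_bundle and the temporary file extracted.pem are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco).
# Builds the VPN3k import file from a PKCS#12 and checks key/cert agreement.
set -e

# vpn3k_bundle <pkcs12 file> <pkcs12 password> <pkcs8 password> <output file>
vpn3k_bundle() {
    pfx=$1; pfx_pass=$2; key_pass=$3; out=$4
    umask 077                       # files holding key material: owner-only

    # Step 1: client certificate only (-clcerts), key left unencrypted (-nodes)
    openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" -clcerts -nodes \
        -out extracted.pem || return 1
    # Split the combined output into private.key and cert.crt. Current OpenSSL
    # writes "BEGIN PRIVATE KEY" (unencrypted PKCS#8) where older releases
    # wrote "BEGIN RSA PRIVATE KEY"; both headers are accepted here.
    awk '/-----BEGIN (RSA )?PRIVATE KEY-----/,/-----END (RSA )?PRIVATE KEY-----/' \
        extracted.pem > private.key
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        extracted.pem > cert.crt
    rm -f extracted.pem
    [ -s private.key ] && [ -s cert.crt ] || { echo "extraction failed" >&2; return 1; }

    # Step 2: re-encode the key as password-protected PKCS#8
    openssl pkcs8 -topk8 -passout "pass:$key_pass" \
        -in private.key -out private.key.enc || return 1

    # Step 3: encrypted key, a blank line, then the certificate
    { cat private.key.enc; echo; cat cert.crt; } > "$out"
    rm -f private.key               # the plaintext copy is no longer needed

    # Check: the public key inside the certificate must match the private key
    cert_pub=$(openssl x509 -in cert.crt -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in private.key.enc -passin "pass:$key_pass" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; return 1; }
}

# Stand-alone use:  sh vpn3k_bundle.sh cert.pfx cisco cisco cert.vpn3k
if [ $# -eq 4 ]; then
    vpn3k_bundle "$@" && echo "wrote $4"
fi
```

If an old concentrator rejects the key, note that current OpenSSL encrypts PKCS#8 with PBES2/AES by default; `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` selects the older PKCS#5 v1.5 scheme that legacy devices are more likely to accept.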

Further References

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Comments

Thank you for the detailed hint, it helped a lot!

Markus
