06-30-2022 02:48 PM
Hi,
I have read the Cisco documentation on HTTPS certs for Cisco IOS here
Sadly, I don't quite understand what a "TrustPoint" is, and what steps I do and do not need to take to generate a CSR to submit to our internal AD CA. It's also talking about URLs, and I'm not sure which CA URLs it is asking for.
My 9200 stack has a default trust point and self signed cert configured automatically.
Can anyone tell me which steps I need to follow in order to create a "TrustPoint" for our CA, and how to then generate a CSR?
Many thanks.
James
11-18-2022 03:11 AM
I have a resolution to this problem. Cisco support advised my issue was that the cert was missing DEK header information.
So, my process is:
1. Generate the key and CSR using the below command:
openssl req -newkey rsa:2048 -subj "[certificate_details]" -sha256 -keyout [key_name].key -out [csr_name].csr -config [ConfigFilePath]\openssl-san.cnf
2. Convert the key, or add the DEK header info, using the below command:
openssl rsa -in keyin.key -out keyout.key -des3
3. Generate the cert from the CSR
4. Import the cert to the switch using the below command:
crypto pki import TRUSTPOINT_NAME pem terminal password KEY_PASSWORD
5. Enter the root CA cert, key and cert text when prompted
6. Set the trustpoint as the one used for HTTPS using the below command:
ip http secure-trustpoint TRUSTPOINT_NAME
Hope this helps others.
Regards
James
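The following script is an added example, not part of the thread or of Cisco's documentation. It reproduces steps 1 and 2 of the accepted solution with openssl and then checks the resulting key for the "Proc-Type"/"DEK-Info" headers that Cisco support identified as missing. A key written by "openssl req" is PKCS#8 ("BEGIN PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY") and carries no DEK-Info line; "openssl rsa -des3" rewrites it in the traditional encrypted PEM form that the "crypto pki import ... pem terminal password" step reads. The script assumes OpenSSL 1.1.1 or newer (for -addext, used here in place of the post's openssl-san.cnf), and the host name, subject and passphrase are placeholders chosen for the example. On OpenSSL 3 the "openssl rsa" command writes PKCS#8 by default, so the script tries -traditional first and falls back to the plain form of the post's command on 1.1.1.

```shell
#!/bin/sh
# Added example (not from the thread): steps 1 and 2 of the accepted solution,
# plus a check for the DEK-Info header the switch import needs.
# Assumptions: openssl 1.1.1+; all names, the subject and the passphrase
# below are placeholders chosen for this example.

# Step 1: private key plus CSR. -nodes leaves the key unencrypted for now;
# -addext stands in for the post's openssl-san.cnf so the CSR carries a SAN
# matching the switch's DNS name (browsers require the SAN, not just the CN).
make_key_and_csr() {
    key="$1"; csr="$2"; fqdn="$3"; subj="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$subj" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$key" -out "$csr" 2>/dev/null
}

# Step 2: re-encrypt the key in traditional PEM form ("BEGIN RSA PRIVATE KEY"
# with Proc-Type/DEK-Info headers). OpenSSL 3 needs -traditional for this;
# OpenSSL 1.1.1 rejects that flag and already writes the legacy form, so the
# second command is the post's own invocation.
add_dek_header() {
    in="$1"; out="$2"; pw="$3"
    openssl rsa -in "$in" -out "$out" -des3 -passout "pass:$pw" -traditional 2>/dev/null \
      || openssl rsa -in "$in" -out "$out" -des3 -passout "pass:$pw" 2>/dev/null
}

# Returns 0 when the key file has the legacy encrypted-PEM headers.
has_dek_header() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info: DES-EDE3-CBC,' "$1"
}

# Returns 0 when the CSR's self-signature verifies and it carries the SAN.
csr_has_san() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
      && openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo run in a scratch directory; the passphrase is what you later pass to
# "crypto pki import ... pem terminal password".
demo() {
    dir=$(mktemp -d)
    make_key_and_csr "$dir/sw.key" "$dir/sw.csr" sw01.example.internal \
        "/O=MYORG/OU=MYOU/CN=sw01.example.internal"
    has_dek_header "$dir/sw.key" || echo "key from openssl req: no DEK-Info header (expected)"
    add_dek_header "$dir/sw.key" "$dir/sw-dek.key" "KEY_PASSWORD"
    has_dek_header "$dir/sw-dek.key" && echo "re-encrypted key: DEK-Info header present"
    csr_has_san "$dir/sw.csr" sw01.example.internal && echo "CSR verifies and carries the SAN"
    rm -rf "$dir"
}

command -v openssl >/dev/null 2>&1 && demo
```

The CSR (sw.csr) is what you submit to the AD CA; the re-encrypted key (sw-dek.key) and the issued certificate are what you paste in step 5, and the passphrase used here must match the KEY_PASSWORD given on the import command.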
06-30-2022 11:58 PM
Just to make it clear, what are you trying to achieve here? Would you like the device web GUI cert to be authorized by a local CA?
07-01-2022 01:03 AM
Yes, exactly.
I would like to apply an internally issued SSL certificate to the Web GUI, so that when browsing to the Web GUI the certificate is trusted (rather than showing a certificate error because it is using a self-signed cert).
Many thanks
James
07-01-2022 05:02 AM
Trustpoint to your CA.
Here are some good steps (for a router), but the same should work for a switch too.
07-01-2022 11:35 AM
Sorry, still a little lost.
Do I need to:
1. Generate a keypair:
crypto key generate rsa general-keys label MYCAKEYS exportable modulus 2048
2. Create a trustpoint for my CA:
crypto ca trustpoint MYCA
enrollment terminal
chain-validation stop
3. Create a trustpoint for the cert I am going to generate from my CA:
crypto ca trustpoint MYSWITCHDNSNAME
enrollment terminal
chain-validation continue MYCA
subject-name O=MYORG, OU=MYOU, CN=MYSWITCHDNSNAME
fqdn MYSWITCHDNSNAME
rsakeypair MYCAKEYS
4. Generate the CSR:
crypto ca enroll MYSWITCHDNSNAME
5. Submit the CSR to my CA and generate a certificate
6. Import the cert:
crypto ca authenticate MYSWITCHDNSNAME
PASTE BASE64 CERT
If that's correct, I will give this a go.
Thanks
James
07-01-2022 12:17 PM
Hi James,
Your steps match with what Entrust has on their site. See the below link:
Just remember if you want to use a public CA, you have to renew it once a year or every 3 years (depending on your contract with the provider). Not sure how large your teams are, but getting the certs from CA is usually done by the server team.
HTH
07-01-2022 01:30 PM
Hi,
I get stuck at step 2.
"Crypto ca" is not a recognised command:
07-02-2022 12:41 AM
"Crypto ca" is not a recognised command:
Post the below information:
show version
show ip ssh
crypto ca ? (what option you see ?)
07-04-2022 07:26 AM
Show version returns a lot. Is there a specific bit you want to see, or shall I paste the whole lot?
Key one I suspect might be this:
Switch Ports Model          SW Version SW Image         Mode
------ ----- -----          ---------- ----------       ----
*    1 28    C9200L-24T-4G  17.03.03   CAT9K_LITE_IOSXE INSTALL
     2 28    C9200L-24T-4G  17.03.03   CAT9K_LITE_IOSXE INSTALL
show ip ssh:
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-126708313
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGijhpzD7cPY5s1vKVPD0vp+Zgg4326Kn7MiLsBHSu
kOtKRwxaYbzCjE1MwsWEGwPhBKPY7AGdeLPdmwcP0xX08CbqMSBlfIyIciw5gP+Yd+y28CkD8Zi3yZme
/APYwuaNj43XlHqebHkRsnIsTTEWgutBmupR+pckx6h61k8DxjsERl85cFMhoyoLRaviSEf/PAJ3wBSq
0aMQvbDEmwrrq4qdNVoI8kYYhW9OiHgjw4wEHMmGVtjiloAx/pMc7FMnKgR2xRrjdWCY4JO3tEdigS4t
cqB+lF4lcH0kp0GHkSSMN3bjUrPhZWPNczWrC0Zvd21y+8l9ihY5KNJimZhj
crypto ca ?:
ASP-COSW-01#crypto ca
                   ^
% Invalid input detected at '^' marker.
Let me know if you need anything else.
Cheers
James
07-04-2022 08:15 AM
ASP-COSW-01#crypto ca
                   ^
% Invalid input detected at '^' marker.
The command needs to be executed in config mode:
config t
!
(config)#crypt ?
and
(config)#crypt ca ?
07-05-2022 07:25 AM
Yes, unfortunately it is still unrecognised:
Many thanks
James
07-05-2022 07:46 AM
Apologies, I have observed that you have the LITE image; that may not work.
07-05-2022 09:13 AM
Thanks.
Any suggestions on how to find steps to complete for the image we have?
Is there perhaps a way instead to do it through the Web GUI rather than CLI?
Many thanks
James
07-05-2022 09:37 AM
LITE does not support it, I guess; you need to change the IOS image.
07-06-2022 02:28 AM
Surely there must be some way to just create a CSR to submit to my internal CA, either by CLI or in the GUI?
What is involved in changing the image, and can it be done without affecting my current running config?
Cheers
James