3182 Views | 0 Helpful | 20 Replies

Cisco 9200 AD CA SSL certificate CSR and import

Hi,

 

I have read the Cisco documentation on HTTPS certs for Cisco IOS here 

Sadly, I don't quite understand what a "TrustPoint" is, and what steps I do and do not need to take to generate a CSR to submit to our internal AD CA. It's also talking about URLs, and I'm not sure which CA URLs it is asking for.

 

My 9200 stack has a default trust point and self signed cert configured automatically.

Can anyone tell me which steps I need to follow in order to create a "TrustPoint" for our CA, and how to then generate a CSR?

 

Many thanks.

James

20 Replies

You need to upgrade the IOS in the normal upgrade process; some config syntax may change, since you are moving from LITE to the next version (95% should work as expected).

 

BB


Think I'm just going to try and open a support ticket with Cisco, as I find it hard to believe I need a completely different image just to be able to generate and import a bloody SSL certificate.

Cisco support have directed me to this post, and I have been able to generate a cert:

https://community.cisco.com/t5/networking-documents/creating-a-csr-authenticating-a-ca-and-enrolling-certificates-on/ta-p/4436090

 

My issue is, as per the other commenter on that post, that Chrome/Edge still does not trust the cert, as there is no SAN.

How do I specify a SAN during cert request?

 

This issue is not limited to the 9200 series, as I have the same issue with SG350X switches I have posted about here:

SG350XG SSL Certificate SAN - Cisco Community

 

Thanks

James

Cisco support have advised I needed to use OpenSSL to generate the CSR with a SAN which I have now done.

 

I have the cert in multiple different formats (CER, PEM, PKCS12), so now I'm wondering if someone can advise how to just import this certificate into the switch?

Cheers

James

I have a resolution to this problem. Cisco support advised my issue was that the cert was missing DEK header information.

 

So, my process is:

1. Generate the key and CSR using the below command:

openssl req -newkey rsa:2048 -subj "[certificate_details]" -sha256 -keyout [key_name].key -out [csr_name].csr -config [ConfigFilePath]\openssl-san.cnf

2. Convert the key (add the DEK header info) using the below command:

openssl rsa -in keyin.key -out keyout.key -des3

3. Generate the cert from the CSR

4. Import the cert into the switch using the below command:

crypto pki import TRUSTPOINT_NAME pem terminal password KEY_PASSWORD

5. Enter the root CA cert, key and cert text when prompted

6. Set the trustpoint as the one used for HTTPS using the below command:

ip http secure-trustpoint TRUSTPOINT_NAME

Hope this helps others.

 

Regards

James
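As an added worked example (editor's script, not James's commands and not anything from Cisco), the shell script below carries steps 1 to 3 of the procedure above through end to end and adds the checks worth running before step 4: that the CSR actually carries the SAN, that the encrypted key has the Proc-Type/DEK-Info header the switch needs, and that the signed cert chains and matches the key. Everything named in it is an assumption of the example: the switch FQDN `switch01.example.internal`, the organisation, the passphrase, the working directory, the inline `openssl-san.cnf` (the post's own config file is not on the page), and a throwaway "Test Root CA" that stands in for the AD CA so the flow runs offline. It needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders (assumed, not from the page):
# switch FQDN, org name, passphrase, working directory, and a throwaway local CA that
# stands in for the AD CA so the whole flow can be run offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-switch01.example.internal}"   # assumed switch FQDN: used as CN and first SAN
KEYPASS="${KEYPASS:-ChangeMe123}"           # later given to 'crypto pki import ... password'

# Step 1 helper: minimal equivalent of the openssl-san.cnf referred to in the post.
write_san_config() {
  cat > "$WORK/openssl-san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $FQDN
O = Example Org
[ v3_req ]
subjectAltName = DNS:$FQDN, DNS:${FQDN%%.*}
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Step 1: key plus SAN-bearing CSR. -nodes leaves the key unencrypted here so that
# step 2 alone decides the encryption format; the DN comes from [ dn ] above.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/switch.key" -out "$WORK/switch.csr" \
    -config "$WORK/openssl-san.cnf" 2>/dev/null
}

# Step 2: the switch wants the legacy PKCS#1 PEM ("BEGIN RSA PRIVATE KEY") with
# Proc-Type/DEK-Info headers. 'pkey -traditional' requests that layout explicitly,
# whatever the installed OpenSSL writes by default; the post's 'openssl rsa -des3'
# gives the same result on versions whose default private-key output is that format.
encrypt_key_for_ios() {
  openssl pkey -in "$WORK/switch.key" -out "$WORK/switch-des3.key" \
    -traditional -des3 -passout "pass:$KEYPASS" 2>/dev/null
}

# Checks to run before the CSR goes to the CA and before anything is pasted into IOS.
csr_has_san() {
  openssl req -in "$WORK/switch.csr" -noout -text | grep -q "DNS:$FQDN"
}
key_has_dek_header() {
  grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$WORK/switch-des3.key" &&
  grep -q '^Proc-Type: 4,ENCRYPTED' "$WORK/switch-des3.key" &&
  grep -q '^DEK-Info: DES-EDE3-CBC,' "$WORK/switch-des3.key"
}

# Step 3 stand-in: sign with a local throwaway CA. The SAN must be carried over from
# the request by the signer; here -extfile/-extensions does that explicitly.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/openssl-san.cnf" -extensions v3_ca -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/switch.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/openssl-san.cnf" -extensions v3_req -out "$WORK/switch.crt" 2>/dev/null
}

# Steps 4-5: 'crypto pki import TRUSTPOINT_NAME pem terminal password KEY_PASSWORD'
# asks for three PEM blocks: CA certificate, encrypted private key, device certificate.
# Collect them in one file so each block can be pasted at its prompt.
build_paste_bundle() {
  {
    echo "# Paste at the CA certificate prompt:";              cat "$WORK/ca.crt"
    echo "# Paste at the encrypted private key prompt:";       cat "$WORK/switch-des3.key"
    echo "# Paste at the General Purpose certificate prompt:"; cat "$WORK/switch.crt"
  } > "$WORK/import-bundle.txt"
}

# Final sanity checks: the cert chains to the CA and belongs to the encrypted key.
cert_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/switch.crt" >/dev/null 2>&1
}
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/switch.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/switch-des3.key" -passin "pass:$KEYPASS" -noout -modulus 2>/dev/null)" ]
}

run_all() {
  write_san_config && make_csr && encrypt_key_for_ios && csr_has_san && key_has_dek_header &&
  sign_with_test_ca && build_paste_bundle && cert_verifies && cert_matches_key &&
  echo "ready: $WORK/import-bundle.txt"
}

run_all
```

In real use, send `switch.csr` to the AD CA instead of running `sign_with_test_ca`, put the CA's certificate in place of `ca.crt`, then paste the three blocks of `import-bundle.txt` at the three prompts of the `crypto pki import` command, giving it the same passphrase as `KEYPASS`, and finish with `ip http secure-trustpoint`. The `key_has_dek_header` check is the one that catches the missing-DEK-header condition described in the post before the switch rejects the paste.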

Terri2022
Level 1

I came across your post because I am attempting to go through the same process. I think I am confused as to what the trustpoint is? Is this the name of my root CA certificate, issuing CA or the actual DNS name of the switch?
