11-27-2014 04:29 PM - edited 03-07-2019 09:42 PM
I have a certificate chain that was issued by an intermediate CA, and the certificate chain consists of the router identity certificate, the subordinate CA certificate, and the root CA certificate. The router identity certificate was issued by the subordinate CA. I am currently unable to install both the subordinate CA cert and the root CA cert so that they are both installed in the router. If I try the import method, I am told to delete one CA certificate before installing the other; if I try to copy the hex values that show up in the running config directly into a certificate chain, the second and third certificates to be copied simply overwrite the rest, so there remains only one certificate in the certificate chain, which is the last one to be copied. I have also read that the whole certificate chain needs to be validated up to the root and that the root certificate cannot be installed via an AIA; rather, it must be either copied into the router or available from Microsoft (which it is not). Does anyone know the procedure to install the whole certificate chain into a router? The two platforms that will need this setup are ASR 1000 and 3945 routers.
11-30-2014 08:04 AM
I found out the solution. By default only a single certificate will be allowed in a single trustpoint. There is an option for <chain-validation> for a certificate, and the default is <chain-validation stop>, which means that if you have a subordinate CA configured in the trustpoint and you trust it, validation stops there. If you wanted to verify a whole certificate chain to include the root, then you would choose <chain-validation continue trustpointx> and reference a different trustpoint where you would import your root CA certificate.
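The two-trustpoint layout the answer above describes, written out as an added IOS configuration example (this is not configuration from the poster or from Cisco documentation). The trustpoint names ROOT-TP and SUB-TP are assumed placeholders; the exec-mode commands at the end are the import and verification steps that follow the configuration.

```cisco
! Added example, not from the original thread. ROOT-TP and SUB-TP are assumed names.
!
! Trustpoint that holds only the root CA certificate. The root is the trust
! anchor, so validation ends here (chain-validation stop is the default).
crypto pki trustpoint ROOT-TP
 enrollment terminal pem
 chain-validation stop
!
! Trustpoint that holds the subordinate CA certificate and the router
! identity certificate. chain-validation continue hands the chain to ROOT-TP,
! so a certificate presented by a peer is accepted only if it validates all
! the way up to the root, not merely to the subordinate CA.
crypto pki trustpoint SUB-TP
 enrollment terminal pem
 chain-validation continue ROOT-TP
!
! Exec mode: paste the PEM of each CA certificate when prompted, root first,
! then import the router identity certificate issued by the subordinate CA.
crypto pki authenticate ROOT-TP
crypto pki authenticate SUB-TP
crypto pki import SUB-TP certificate
!
! Check that both trustpoints show their CA certificate installed and that
! SUB-TP also carries the router identity certificate.
show crypto pki trustpoints status
show crypto pki certificates
```

Revocation checking is deliberately left at its default here rather than disabled; if the CRL distribution point is unreachable from the router, authentication will fail with a revocation error, which is the point to investigate rather than suppress.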