Installing SSL Certificate(s) on IOS

mbroberson1
Level 3

Having an issue with an SSL certificate (DigiCert) on a Cisco 2811 running IOS 124-24.T4.

I can get the certificates, intermediate and server certs, installed fine using the one trustpoint created. And the SSL website works fine for IE browsers, but other browser types get errors. When I do an SSL cert check it shows "The server is not sending the required intermediate certificate" (see attachment). I feel like I have followed what documentation is available correctly. Any suggestions are greatly appreciated.

These are the best directions I could find to follow. They are specifically for GoDaddy certs but I think it would be the same process for any.

http://bytesolutions.com/Support/Knowledgebase/KB_Viewer/smid/622/ArticleID/21/reftab/195/t/Installing-GoDaddy-SSL-Certificates-on-a-Cisco-IOS-Router-using-CLI.aspx

Thanks,

BR

Accepted Solution

rahgovin
Level 4

Hi,

If you have multiple CA certs, you need to authenticate the trustpoint containing the identity certs using the immediate intermediate cert and then use other trustpoints to import the other CA certs one by one.

So basically, we need to follow the following configuration to import the 3 CA certificates and the identity certificate on the router:

1. Create root trustpoint

  crypto ca trustpoint root
  enrollment terminal
  chain-validation stop
  revocation-check none

  crypto ca authenticate root
  (this will prompt to paste in the PEM/base64 of the Root CA certificate)
  Quit after you paste the Root CA certificate.

2. Create intermediate trustpoint for the primary intermediate certificate

  crypto ca trustpoint intermediate-primary
  enrollment terminal
  chain-validation continue root
  revocation-check none

  crypto ca authenticate intermediate-primary
  (this will prompt to paste in the PEM/base64 of the Primary Intermediate CA certificate)
  Quit after you paste the intermediate primary certificate.

3. Create intermediate trustpoint for the secondary intermediate certificate

  crypto ca trustpoint intermediate-secondary
  enrollment terminal
  rsakeypair <key-label>
  chain-validation continue intermediate-primary

  crypto ca authenticate intermediate-secondary
  (this will prompt to paste in the PEM/base64 of the Secondary Intermediate CA certificate)
  Quit after you paste the intermediate secondary certificate.

4. Import the identity certificate

  crypto ca import intermediate-secondary certificate
  (paste the ID certificate PEM/base64 here)
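To confirm from a client that the router actually sends the intermediate once the trustpoints are chained as above, here is an added shell check that is not part of this thread: it parses the text that `openssl s_client -showcerts` prints and verifies that each certificate's issuer is the subject of the next certificate sent. The HOST name in the comment and the two embedded sample chains are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an HTTPS server sends a linked
# certificate chain, the check the original post reports as failing. check_chain
# reads what `openssl s_client -showcerts` prints (the " N s:" / "   i:" lines above
# each PEM block) and confirms each cert's issuer is the subject of the next one sent.
# Live use (HOST is a placeholder):
#   openssl s_client -showcerts -connect HOST:443 -servername HOST </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }      # subject of cert n
    /^ *i:/        { sub(/^ *i:/, "");        iss[n] = $0; n++ }  # its issuer
    END {
      if (n == 0) { print "no certificates found in input"; exit 2 }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          print "chain breaks after cert " k ": issuer \"" iss[k] "\" was not sent next"
          exit 1
        }
      if (n == 1 && iss[0] != subj[0]) {
        print "only the leaf was sent; intermediate \"" iss[0] "\" is missing"
        exit 1
      }
      print "chain of " n " certificate(s) links correctly; top issuer: " iss[n - 1]
    }'
}

# Constructed sample in s_client layout: leaf only, as in the original post.
broken_sample() {
  cat <<'EOF'
 0 s:CN = www.example.net
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
}
# Constructed sample: leaf plus the intermediate the router sends after the fix.
complete_sample() {
  broken_sample
  cat <<'EOF'
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
}
echo "leaf only:";           broken_sample   | check_chain || true
echo "leaf + intermediate:"; complete_sample | check_chain || true
```

The root is not expected in the server's chain, so a chain whose top issuer is a CA the client already trusts passes; only a gap between consecutive certificates is reported.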



Hi Rahgovin,

Much appreciation for your assistance. What you recommended pointed to the solution. This procedure is not very well documented on the web at all.

Thanks,

-BR

True. It is because only recently many CA vendors have changed their hierarchy. The same issue should not have affected the ASA though.

Just for information. I had a private key without a passphrase. Points 3 and 4 are not necessary. I needed to convert it: openssl rsa -des3 -in private.key -out private.key.new (for Linux or Unix). After that you can import the certificate on the Cisco router as:

crypto pki import intermediate-secondary pem terminal

1. put intermediate-primary

2. put private.key.new

3. put intermediate-secondary

After that I had https with a 3rd-party certificate.