cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2783
Views
10
Helpful
5
Replies

Adding certificate in IOS

AntonioMacia
Level 1
Level 1

Hi,

 

I need to upload a certificate + private key + root CA certificate into a Cisco IOS for AnyConnect access. I tried using the command crypto pki import my-trustpoint pem terminal password, however the private key I've been given is not password protected so, I get an "unable to decode key" error after pasting it. 

Is there any other way to upload the certificate?

 

Thanks,

1 Accepted Solution

Accepted Solutions

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @AntonioMacia,

You must combine all three files (private key, certificate, and issuing CA) into one PKCS12 file, and then import that file to Cisco IOS. You can use OpenSSL for combining these files together. Pay attention that Cisco IOS is using Base64 encoded certificate, so you have to format it correctly.

After that, please use crypto pki import my-trustpoint pkcs12 terminal my-password command.

I havent used PEM wariant of this command, but I would assume it is just matter of different certificate formating.

BR,

Milos

View solution in original post

5 Replies 5

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @AntonioMacia,

You must combine all three files (private key, certificate, and issuing CA) into one PKCS12 file, and then import that file to Cisco IOS. You can use OpenSSL for combining these files together. Pay attention that Cisco IOS is using Base64 encoded certificate, so you have to format it correctly.

After that, please use crypto pki import my-trustpoint pkcs12 terminal my-password command.

I havent used PEM wariant of this command, but I would assume it is just matter of different certificate formating.

BR,

Milos

Thanks Milos,

 

PKCS12 was my second option. I'll let you know as soon as I give it a try.

MageshP2
Level 1
Level 1

Hi @Milos_Jovanovic ,Greetings! 

We have an use-case to upload Server Certificate + private key + intermediate certificate into IOS.

We tried with pem option with the command crypto pki import <trustpoint name> pem exportable terminal password <password> creating a CLI session to device and it works.

But we face issues when we try to integrate in java. We use SSHJ client and we write the same cert+key+intercert content into the output-stream and it fails with the error 

Unable to decode key.
% PEM files import failed.

We built the content this way -> intermediate cert content + \n + quit + \n + encrypted pvt key + \n + quit + \n + server cert content + \n + quit.

Request your help on this

 

Hi @MageshP2,

I'm not usually manipulating txt files, as I'm not confident in proper formating, which is why I'm using OpenSSL to manipulate these files (combine, split, reformat, etc.).

Kind regards,

Milos