C1100 setup and install certificate for https and VPN

markagregory
Level 1

Just purchased a C1111-8P running Gibraltar. I would like to install a certificate that can be used for https and VPN. I am trying to follow the documentation, but got stuck with "400 Bad Request: No required SSL certificate was sent" after setting https to use the trustpoint.


So far I have done the following:

crypto key generate rsa general-keys modulus 2048

netlab(config)#crypto pki trustpoint quovadis
netlab(ca-trustpoint)#enrollment terminal pem
netlab(ca-trustpoint)#fqdn mydomain.com
netlab(ca-trustpoint)#subject-name C=AU,ST=Victoria,L=Melbourne,O=myorg,OU=IT,CN=mydomain.com
netlab(ca-trustpoint)#revocation-check none
netlab(ca-trustpoint)#rsakeypair mydomain.com 2048
netlab(ca-trustpoint)#serial-number none
netlab(ca-trustpoint)#ip-address none
netlab(ca-trustpoint)#exit

netlab(config)#crypto pki enroll quovadis

<downloaded certificate request>


This provided a CSR; I sent it off and I received three certificates in return: root, intermediate and entity.

The next step was:

crypto pki authenticate quovadis

<submitted intermediate certificate>

crypto pki import quovadis certificate

<submitted entity certificate>


The next step was:

copy running-config startup-config

show crypto pki certificates

I can see the general purpose and signature certificates.


Next step:

no ip http server

ip http secure-server

ip http secure-port 443

ip http secure-client-auth

ip http secure-trustpoint quovadis

end

show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha
ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Enabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: quovadis
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

copy running-config startup-config


I've been pointed to several documents that really don't help, so I would appreciate knowing what I need to do.

Can I install the root certificate that I was sent without having to recreate the trustpoint and requesting certificates again? I ask this because I see in some examples that a chain is created to a root trustpoint using

crypto pki trustpoint root

enrollment terminal

chain-validation stop

exit

crypto pki trustpoint quovadis

chain-validation continue root <- this is the line I did not include when I generated the CSR - can it be added later?


I would appreciate some help to get my WebUI and VPN secured.


5 Replies

balaji.bandi
Hall of Fame

Here is the step by step (cross-check the process at each level):


https://www.entrust.com/knowledgebase/ssl/how-to-install-ssltls-certificates-on-cisco-appliance-using-cli

BB


Thank you for posting a webpage that I have already looked at. I have looked at most of the websites that a Google search indicates for several search terms.


You may notice that it includes details on how to chain to a root certificate.

This example has two intermediate certificates, and does not indicate how to get the certificate to work with https after installation.


My questions are:

1. Do I need to request a new certificate, or can I edit the trustpoint to point to a root? It appears that I will be provided with root, intermediate and entity certificates.

2. What steps are needed to ensure that https works? Can a general purpose certificate be used, and what steps are involved?

3. Similarly for the VPN setup.

@markagregory 

I don't believe SSL-VPN is even supported on newer IOS routers. The Cisco-recommended Remote Access VPN solution for Cisco routers is FlexVPN, which uses IKEv2/IPsec instead of SSL.


https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html


thx Rob, this appears to apply to ASA; we have an ISR and I'm trying to follow the secure VPN setup guide.


Any pointers to ISR? I was also told that ASDM might help, but will it work with ISR?

@markagregory 

No, it doesn't apply to ASA... FlexVPN Remote Access VPN is only supported on Cisco IOS/IOS-XE routers using AnyConnect.


ASDM is only supported with ASA, not routers.
