cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3034
Views
0
Helpful
5
Replies

C1100 setup and install certificate for https and VPN

markagregory
Level 1
Level 1

Just purchased a C1111-8P running Gibraltar. Would like to install a certificate that can be used for https and VPN. Trying to follow the documentation, but got stuck with a 400 Bad Request No required SSL certificate was sent after setting the https to use the trustpoint.

 

So far I have done the following:

crypto key generate rsa general-keys modulus 2048

netlab(config)#crypto pki trustpoint quovadis
netlab(ca-trustpoint)#enrollment terminal pem
netlab(ca-trustpoint)#fqdn mydomain.com
netlab(ca-trustpoint)#subject-name C=AU,ST=Victoria,L=Melbourne,O=myorg,OU=IT,CN=mydomain.com
netlab(ca-trustpoint)#revocation-check none
netlab(ca-trustpoint)#rsakeypair mydomain.com 2048
netlab(ca-trustpoint)#serial-number none
netlab(ca-trustpoint)#ip-address none
netlab(ca-trustpoint)#exit

netlab(config)#crypto pki enroll quovadis

<downloaded certificate request>

 

This provided a cer, I sent it off and i received three certificates in return, root, intermediate and entity

next step was

crypto pki authenticate quovadis

<submitted intermediate certificate>

crypto pki import quovadis certificate

<submitted entity certificate>

 

next step was

copy running-config startup-config

show crypto pki certificates

I can see the general purpose and signature certificates

 

next step

no ip http server

ip http secure-server

ip http secure-port 443

ip http secure-client-auth

ip http secure-trustpoint quovadis

end

show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha
ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Enabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: quovadis
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

copy running-config startup-config

 

I've been pointed to several documents that really don't help, so I would appreciate knowing what I need to do.

Can I install the root certificate that I was sent without having to recreate the trustpoint and requesting certificates again? I ask this because I see in some examples that a chain is created to a root trustpoint using

crypto pki trustpoint root

enrollment terminal

chain-validation stop

exit

crypto pki trustpoint quovadis

chain-validation continue root <- this is the line I did not include when I generated the CSR - can it be added later?

 

I would appreciate some help to get my webui and VPN secured

 

 

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

here is the step by step : ( cross-check the process each level)

 

https://www.entrust.com/knowledgebase/ssl/how-to-install-ssltls-certificates-on-cisco-appliance-using-cli

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for posting a webpage that I have already looked at. I have looked at most of the websites that a google search indicates for several search terms.

 

You may notice that it includes details on how to chain to a root certificate.

this example has two intermediate certificates, and does not indicate how to get the certificate to work with https after installation.

 

My questions are:

1. do I need to request a new certificate or can I edit the trustpoint to point to a root? It appears that I will be provided with root, intermediate and entity certificates.

2. what steps are needed to ensure that https works - can a general purpose certificate be used - and what steps are involved

3. similarly for the VPN setup.

@markagregory 

I don't believe SSL-VPN is even supported on newer IOS routers. The cisco recommended Remote Access VPN solution for cisco routers, is FlexVPN which uses IKEv2/IPSec instead of SSL.

 

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

 

thx Rob, this appears to apply to ASA, we have an ISR and I'm trying to follow the secure VPN setup guide.

 

Any pointers to ISR? I was also told that ASDM might help, but will it work with ISR?

@markagregory 

No it doesn't apply to ASA...FlexVPN Remote Access VPN is only supported on Cisco IOS/IOS-XE routers using AnyConnect.

 

ASDM is only supported with ASA, not routers.