02-16-2021 02:06 AM
Just purchased a C1111-8P running Gibraltar. Would like to install a certificate that can be used for HTTPS and VPN. Trying to follow the documentation, but got stuck with a "400 Bad Request - No required SSL certificate was sent" after setting the HTTPS server to use the trustpoint.
So far I have done the following:
crypto key generate rsa general-keys modulus 2048
netlab(config)#crypto pki trustpoint quovadis
netlab(ca-trustpoint)#enrollment terminal pem
netlab(ca-trustpoint)#fqdn mydomain.com
netlab(ca-trustpoint)#subject-name C=AU,ST=Victoria,L=Melbourne,O=myorg,OU=IT,CN=mydomain.com
netlab(ca-trustpoint)#revocation-check none
netlab(ca-trustpoint)#rsakeypair mydomain.com 2048
netlab(ca-trustpoint)#serial-number none
netlab(ca-trustpoint)#ip-address none
netlab(ca-trustpoint)#exit
netlab(config)#crypto pki enroll quovadis
<downloaded certificate request>
This provided a cer; I sent it off and I received three certificates in return: root, intermediate and entity.
Next step was:
crypto pki authenticate quovadis
<submitted intermediate certificate>
crypto pki import quovadis certificate
<submitted entity certificate>
Next step was:
copy running-config startup-config
show crypto pki certificates
I can see the general purpose and signature certificates.
Next step:
no ip http server
ip http secure-server
ip http secure-port 443
ip http secure-client-auth
ip http secure-trustpoint quovadis
end
show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha
ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Enabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: quovadis
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL
copy running-config startup-config
I've been pointed to several documents that really don't help, so I would appreciate knowing what I need to do.
Can I install the root certificate that I was sent without having to recreate the trustpoint and requesting certificates again? I ask this because I see in some examples that a chain is created to a root trustpoint using
crypto pki trustpoint root
enrollment terminal
chain-validation stop
exit
crypto pki trustpoint quovadis
chain-validation continue root <- this is the line I did not include when I generated the CSR - can it be added later?
I would appreciate some help to get my WebUI and VPN secured.
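As an added example (not from the post and not Cisco code), a small Python check over the status output pasted above: it parses the wrapped "show ip http server secure status" fields and flags the settings that matter for the 400 error (client authentication enabled, which is what "ip http secure-client-auth" turns on) and for hardening (TLSv1.1, SHA-1 and non-forward-secret ciphersuites). The sample text is the output from the post, embedded verbatim.

```python
import re

# Constructed sample: the 'show ip http server secure status' output pasted above.
SAMPLE = """\
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha
ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Enabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: quovadis
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL
"""

FIELD = re.compile(r"^HTTP secure server (.+?):\s*(.*)$")
def parse_status(text):
    """Map each 'HTTP secure server <field>:' line to its value; a line without
    that prefix continues the previous field (the ciphersuite list wraps)."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, fields[key] = m.group(1), m.group(2).strip()
        elif key and line.strip():
            fields[key] = (fields[key] + " " + line.strip()).strip()
    return fields

def audit(fields):
    """Return (field, finding) pairs for settings worth a second look."""
    findings = []
    if fields.get("client authentication") == "Enabled":
        # ip http secure-client-auth: the router demands a client certificate from
        # every browser, so one without a trusted cert is rejected before any login page.
        findings.append(("client authentication", "client certificate required"))
    for ver in fields.get("TLS version", "").split():
        if ver in ("TLSv1", "TLSv1.1"):
            findings.append(("TLS version", ver + " is deprecated"))
    for suite in fields.get("ciphersuite", "").split():
        if suite.endswith("-sha"):            # SHA-1 HMAC suites
            findings.append(("ciphersuite", suite + " uses SHA-1"))
        elif "dhe-" not in suite:             # static RSA key exchange, no PFS
            findings.append(("ciphersuite", suite + " has no forward secrecy"))
    return findings
```

Run audit(parse_status(SAMPLE)) to see why the browser is turned away: the first finding is the client-certificate requirement, the rest are hardening items independent of the 400.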
02-16-2021 02:26 AM
Here is the step by step (cross-check the process at each level):
02-16-2021 02:34 AM
Thank you for posting a webpage that I have already looked at. I have looked at most of the websites that a google search indicates for several search terms.
You may notice that it includes details on how to chain to a root certificate.
This example has two intermediate certificates, and does not indicate how to get the certificate to work with HTTPS after installation.
My questions are:
1. Do I need to request a new certificate, or can I edit the trustpoint to point to a root? It appears that I will be provided with root, intermediate and entity certificates.
2. What steps are needed to ensure that HTTPS works? Can a general purpose certificate be used, and what steps are involved?
3. Similarly for the VPN setup.
02-17-2021 12:04 PM - edited 02-17-2021 12:04 PM
I don't believe SSL-VPN is even supported on newer IOS routers. The Cisco recommended Remote Access VPN solution for Cisco routers is FlexVPN, which uses IKEv2/IPsec instead of SSL.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
02-17-2021 04:11 PM
Thanks Rob, this appears to apply to ASA; we have an ISR and I'm trying to follow the secure VPN setup guide.
Any pointers to ISR? I was also told that ASDM might help, but will it work with ISR?
02-18-2021 12:14 AM - edited 02-18-2021 10:54 AM
No, it doesn't apply to ASA... FlexVPN Remote Access VPN is only supported on Cisco IOS/IOS-XE routers using AnyConnect.
ASDM is only supported with ASA, not routers.