Can I install same certificate on different CSR1000v

gary391
Level 1

Hi 

 

I am trying to configure certificate based authentication for VPN (IKEv2). I have different CAs between myself and my peer for the authentication. My configuration works i.e. IPsec Tunnel are established and traffic is encrypted and decrypted correctly.

I have a general question related to CSR (Certificate Signing Request) requests and signed certificates from a CA.

 

Since I have 10 routers I will have to create 10 certificate signing requests and enroll 10 certificates individually, and also track the expiration and renewal. Can I use one certificate generated by one certificate signing request and implement it on all the CSRs, since all of the CSR1000v have the same CA?

 

I did try on two CSR1000v, i.e. using the same certificate (I modified the trustpoint configuration accordingly, i.e. same fqdn, CN etc.), and it did work.

 

I am trying to understand why it is working, as most of the documentation says the certificate generated with a CSR will only work with the specific private key generated during the key-pair generation step prior to sending the CSR request to the CA.

 

Any pointers are much appreciated. 

 

Thanks,

 


4 Replies

Francesco Molino
VIP Alumni
Hi
How did you generate the certificate and export it and import it?
I don't know what you mean by "you modified the trustpoint", because after you created a trustpoint, you'll generate the CSR and import the certificate.

But let's say you generate a CSR using openssl, sign this certificate with your CA authority and then combine the signed certificate + the key you have locally on your machine into a pkcs12 certificate: you can import it on all your CSRs and it's going to work without issue, even if you have the same certificate.
The important thing is that the certificate signed by your PKI that you import will be checked against the private key on your CSR. So if you generate a CSR on each of them and try to import the certificate, it won't work; but if you export it including the private key and import the combination (cert + key) on the other CSRs, it's going to work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your response. I am unable to understand the process "generate a CSR using openssl, sign this certificate with your CA authority and then combine the certificate signed + the key you have locally on your machine into a pkcs12 certificate". If I am creating a Certificate Signing Request using openssl, will I have to import my public key generated from the device as well? As the certificate signing request will have my information + public key. Is my understanding correct? Thanks in advance for your feedback.

Here is a step-by-step to generate a CSR, sign it and import it on the router.

1. Using openssl, we generate a private key

openssl genrsa -out MyPrivateKey.key 2048

2. We generate a CSR using openssl

openssl req -new -key MyPrivateKey.key -out csr1k.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LAB
Organizational Unit Name (eg, section) []:LABCERT
Common Name (e.g. server FQDN or YOUR name) []:myrouter.router.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Cisco12345
An optional company name []:Cisco12345

3. Once the certificate is signed you will have your certificate + your private key + the authority chain (root, subca); we want to combine them into a pkcs12 file to be imported into your device.

MyPrivateKey.key = Private Key

certificate_signed.cer = My certificate signed by PKI based on CSR generated

root.cer = My authority chain certificate

openssl pkcs12 -export -out CERT-TO-IMPORT-CSR1k.pfx -inkey MyPrivateKey.key -in certificate_signed.cer -certfile root.cer
Enter Export Password:
Verifying - Enter Export Password:

4. Transfer the file CERT-TO-IMPORT-CSR1k.pfx to your router.

5. My trustpoint config looks like:

crypto pki trustpoint TESTCERT2
 fqdn myrouter.router.com
 subject-name C=CA, ST=QC, L=Montreal, O=LAB, OU=LABCERT, CN=myrouter.router.com
 revocation-check crl

6. Import the certificate to this trustpoint

crypto pki import TESTCERT2 pkcs12 flash:/CERT-TO-IMPORT-CSR1k.pfx password Cisco12345

So you have 1 certificate you can import into all your routers by repeating steps 4 to 6.

 

Is it more clear?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
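Francesco's step-by-step above, and his earlier point that the imported certificate is checked against the private key, can be reproduced end to end with the following added example (mine, not code from the thread or from Cisco). It runs steps 1 to 3 non-interactively against a constructed self-signed lab CA standing in for the real PKI, then checks the thing the original question is really about: a certificate is bound to exactly the key pair whose public half it carries, so one bundle works on every router only because the same private key is shipped inside the .pfx, while a key pair generated on a router itself never matches. The file names, subject and export password are taken from the thread; the lab CA, the `OtherRouter.key` stand-in for a router-generated key and the helper function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduces steps 1-3
# non-interactively with a constructed lab CA, then checks why one
# PKCS#12 bundle works on every router: the private key travels inside
# the bundle, so the router never needs a key pair of its own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
PASS="Cisco12345"          # export password, as used in the thread
SUBJ="/C=CA/ST=QC/L=Montreal/O=LAB/OU=LABCERT/CN=myrouter.router.com"

# Constructed stand-in for the issuing PKI: a self-signed lab root CA
# (assumption; in the thread the real CA signs the CSR).
make_lab_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -subj "/C=CA/O=LAB/CN=LAB-ROOT" \
        -days 365 -out root.cer 2>/dev/null
}

# Steps 1 and 2 from the thread: key pair and CSR, with the subject
# passed via -subj instead of the interactive prompts.
make_key_and_csr() {
    openssl genrsa -out MyPrivateKey.key 2048 2>/dev/null
    openssl req -new -key MyPrivateKey.key -subj "$SUBJ" -out csr1k.csr 2>/dev/null
}

# What the CA does with the CSR (sign it), then step 3: bundle
# key + signed cert + chain into the .pfx the router will import.
sign_and_bundle() {
    openssl x509 -req -in csr1k.csr -CA root.cer -CAkey ca.key -CAcreateserial \
        -days 365 -out certificate_signed.cer 2>/dev/null
    openssl pkcs12 -export -out CERT-TO-IMPORT-CSR1k.pfx -inkey MyPrivateKey.key \
        -in certificate_signed.cer -certfile root.cer -passout "pass:$PASS"
}

# The check: a certificate only "works" with the key whose public half
# it carries. Compare the public key embedded in the certificate with
# the public key derived from a given private key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Pull the private key back out of the .pfx: this is what the router
# gets on import, which is why a locally generated router key is never
# involved. Prints the path of the extracted key.
key_from_bundle() {
    openssl pkcs12 -in CERT-TO-IMPORT-CSR1k.pfx -passin "pass:$PASS" \
        -nocerts -nodes -out key-from-bundle.key 2>/dev/null
    echo "$WORK/key-from-bundle.key"
}

make_lab_ca
make_key_and_csr
sign_and_bundle
openssl verify -CAfile root.cer certificate_signed.cer

# Simulates "generate a CSR on each router": a second, unrelated key
# pair (constructed) that the signed certificate cannot match.
openssl genrsa -out OtherRouter.key 2048 2>/dev/null
```

Run it anywhere openssl is installed; it leaves its files in a temporary directory. The same comparison (`openssl x509 -noout -pubkey` against `openssl pkey -pubout`) is the quick check to run before an import fails on a router. Two consequences of the shared-key design follow directly from it: every router holds the identical private key, so disclosure of one router's key (or of the .pfx and its password) affects all ten at once, and a single revocation or renewal likewise covers all of them. If an IOS-XE release rejects a bundle built with OpenSSL 3, a common cause is the newer default PKCS#12 encryption; `openssl pkcs12 -export -legacy` writes the pre-3.0 algorithms instead.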

Thanks Francesco for your response, I really appreciate.