05-19-2020 05:11 PM - edited 05-19-2020 05:13 PM
Hi
I am trying to configure certificate-based authentication for VPN (IKEv2). I have different CAs between myself and my peer for the authentication. My configuration works, i.e. IPsec tunnels are established and traffic is encrypted and decrypted correctly.
I have a general question related to CSRs (certificate signing requests) and the signed certificate from the CA.
Since I have 10 routers, I will have to create 10 certificate signing requests and enroll 10 certificates individually, and also track their expiration and renewal. Can I use one certificate generated from one certificate signing request and implement it on all the CSR1000v routers, since all of the CSR1000vs have the same CA?
I did try it on two CSR1000v routers, i.e. using the same certificate (modifying the trustpoint configuration accordingly, i.e. same fqdn, CN, etc.), and it did work.
I am trying to understand why this is working, as most of the documentation says the certificate generated from a CSR will only work with the specific private key generated during the key-pair generation step prior to sending the CSR to the CA.
Any pointers are much appreciated.
Thanks,
05-26-2020 07:29 PM
Here is a step-by-step to generate a CSR, sign it, and import it on the router.
1. Using openssl, we generate a private key
openssl genrsa -out MyPrivateKey.key 2048
2. We generate a CSR using openssl
openssl req -new -key MyPrivateKey.key -out csr1k.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LAB
Organizational Unit Name (eg, section) []:LABCERT
Common Name (e.g. server FQDN or YOUR name) []:myrouter.router.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Cisco12345
An optional company name []:Cisco12345
3. Once the certificate is signed you will have your certificate + your private key + the authority chain (root, sub-CA); we want to combine them into a PKCS#12 file to be imported into your device.
MyPrivateKey.key = private key
certificate_signed.cer = my certificate, signed by the PKI based on the CSR generated above
root.cer = my authority chain certificate
openssl pkcs12 -export -out CERT-TO-IMPORT-CSR1k.pfx -inkey MyPrivateKey.key -in certificate_signed.cer -certfile root.cer
Enter Export Password:
Verifying - Enter Export Password:
4. Transfer the file CERT-TO-IMPORT-CSR1k.pfx to your router.
5. My trustpoint config looks like:
crypto pki trustpoint TESTCERT2
 fqdn myrouter.router.com
 subject-name C=CA, ST=QC, L=Montreal, O=LAB, OU=LABCERT, CN=myrouter.router.com
 revocation-check crl
6. Import the certificate to this trustpoint
crypto pki import TESTCERT2 pkcs12 flash:/CERT-TO-IMPORT-CSR1k.pfx password Cisco12345
So you have 1 certificate you can import into all your routers by repeating steps 4 to 6.
Is it more clear?
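As an added example (not part of the answer above, and not Cisco or OpenSSL documentation), the script below runs steps 1 to 3 non-interactively against a throwaway lab CA and then answers the original question with two checks: it compares the public key inside the signed certificate with the public key derived from MyPrivateKey.key (they match; a freshly generated, unrelated key does not), and it inspects the .pfx to confirm that it carries the private key. The lab CA, its subject, the 90-day lifetime and the scratch directory are assumptions made for this example; the router-side steps 4 to 6 are unchanged.

```shell
#!/bin/sh
# Added example, not the poster's commands. Assumes openssl in PATH and a writable tmp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: nothing else lives here)
cd "$WORK"

CN="myrouter.router.com"       # same lab subject as the post
P12_PASS="Cisco12345"          # same export password as the post

# Throwaway CA standing in for the real PKI that signs the CSR (assumption for the example).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out root.cer -days 365 \
    -subj "/C=CA/ST=QC/L=Montreal/O=LAB/OU=LABCERT/CN=LAB Root CA" >/dev/null 2>&1
}

# Steps 1 to 3 of the post: private key, CSR, CA-signed certificate, PKCS#12 bundle.
# -subj replaces the interactive DN prompts; -passout replaces the export password prompt.
make_bundle() {
  openssl genrsa -out MyPrivateKey.key 2048 >/dev/null 2>&1
  openssl req -new -key MyPrivateKey.key -out csr1k.csr \
    -subj "/C=CA/ST=QC/L=Montreal/O=LAB/OU=LABCERT/CN=$CN" >/dev/null 2>&1
  openssl x509 -req -in csr1k.csr -CA root.cer -CAkey ca.key -CAcreateserial \
    -out certificate_signed.cer -days 90 >/dev/null 2>&1
  openssl pkcs12 -export -out CERT-TO-IMPORT-CSR1k.pfx -inkey MyPrivateKey.key \
    -in certificate_signed.cer -certfile root.cer -passout "pass:$P12_PASS"
}

# Prints "match" when the certificate's public key equals the public half of the given
# private key, "mismatch" otherwise. Both sides are normalised to DER SubjectPublicKeyInfo
# and hashed, so the comparison is independent of PEM formatting.
key_matches_cert() {
  key="$1"; cert="$2"
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Prints "yes" if the PKCS#12 bundle contains a private key, "no" otherwise.
bundle_has_private_key() {
  if openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
       | grep -q "PRIVATE KEY"; then
    echo yes
  else
    echo no
  fi
}

# Demonstration run.
make_ca
make_bundle
echo "cert bound to MyPrivateKey.key:   $(key_matches_cert MyPrivateKey.key certificate_signed.cer)"
openssl genrsa -out unrelated.key 2048 >/dev/null 2>&1
echo "cert bound to an unrelated key:  $(key_matches_cert unrelated.key certificate_signed.cer)"
echo "pfx carries the private key:     $(bundle_has_private_key CERT-TO-IMPORT-CSR1k.pfx)"
echo "files are in $WORK"
```

The second check is the answer to the "why does it work" question: the private key travels inside the PKCS#12, so every router that imports the bundle ends up with the same key pair, not merely the same certificate, and the documentation's rule (certificate only usable with the key the CSR was made from) still holds. That is a trade-off to be aware of rather than a shortcut without cost: compromise of any one router exposes the identity of all ten, revoking the certificate takes all of them down at once, and an IKEv2 peer that matches on certificate fields cannot tell the routers apart. Per-router keys, or enrolling each trustpoint directly with the CA, avoid this at the price of the per-device tracking the question mentions. If a bundle built with OpenSSL 3 is rejected on an older IOS-XE release, re-exporting with the `-legacy` option (older PKCS#12 algorithms) is worth trying before anything else.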