Cisco IKEv2 with certificate against 5G antenna

Hello there,

I want to set up a connection between a Cisco ASR and the certified 5G antenna.

The client with the antenna has given me his certificate, and I have to pass him one generated by the Cisco. The certificate is a .pem file (for both).

Now, what are the steps I have to follow to generate a certificate (.pem) on the Cisco and send it to the client so that it can be imported?

What do I do with the certificate that he sent me?

What would the configuration for the tunnel with that certificate look like?

I have been reading forums and links regarding this, but they are always Cisco devices against Cisco devices.

 

 

14 Replies

The client with the antenna has given me his certificate and I have to pass him one generated by Cisco. The certificate is a .pem file (for both).

So the client gave you his root CA certificate, which you need to upload into your ASR router? If that is the case, then you need to upload his cert into your ASR for authentication purposes.

crypto pki trustpoint CA
 enrollment terminal
!
crypto pki authenticate CA
! paste the CA cert here

For the CSR:

1- Generate a 1024/2048-bit key:

crypto key generate rsa label mycaxx modulus 1024

crypto ca enroll CA

Here is a similar issue that discusses how to generate a CSR.

Please do not forget to rate.

Hi,

Yes, he sent me his root certificate.

Now:

crypto key generate rsa label mycaxx modulus 1024

crypto ca enroll CA

This generates a CSR, and then?

I need a CA to sign that certificate and send it to him so that he can upload it to his device and then be able to do the IKEv2 configuration, right?

He needs to upload a certificate that I generate on the Cisco so that he can place it in the configuration of his device. After this, bring up the IKEv2 tunnel.

1. crypto key generate rsa modulus 4096

2. crypto pki trustpoint CA
    enrollment terminal pem
    exit

3. crypto pki enroll CA

% Start certificate enrollment ..

% The subject name in the certificate will include: Router
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
[CSR text removed]
---End - This line not part of the certificate request---

4. Give this text to your remote side so they can issue an identity cert against your CSR.

5. Now upload the identity cert given to you by your remote client:

crypto pki authenticate CA
! paste the CA cert here

If they have a sub-CA involved and that file is given to you as well, you need to upload the sub-CA cert too:

crypto pki trustpoint SUB-CA
 enrollment terminal
!
crypto pki authenticate SUB-CA
! paste the SUB-CA cert here
!

Follow this link; it describes how to generate the CSR against the CA and how to upload the cert once the CA has signed your CSR.

https://blog.destephen.com/wordpress/?p=1200

Please do not forget to rate.

Hi,

Could I run a CA server on the Cisco and sign the certificate with that same server, without needing to go to a web page?

 

 

You mean you want to make your router a CA server and issue certs to your router and to the remote side? If that is what you are looking for, yes, you can do it this way too, where you set up your router as a CA and issue certs to the remote clients.

Please do not forget to rate.

Yes, I mean:

I have the root CA certificate from the other device. I need to upload its certificate to my ASR for authentication purposes, then I need to generate a CSR with the enrollment, then I need to sign that certificate (with my CA server), and lastly we need to send that CA to import on his device.

I have the root CA certificate from the other device, I need to upload its certificate to my ASR for authentication purposes

OK. You have a root certificate from the other device and you need to upload the root CA cert into the ASR. The configuration is below.

crypto pki trustpoint CA
 enrollment terminal
!
crypto pki authenticate CA
! paste your CA root cert here
!

then I need to generate a CSR with the enrollment, and then I need to sign that certificate (with my CA server) and lastly, we need to send that CA to import on his device

crypto key generate rsa label Router modulus 4096
!
crypto pki trustpoint Certificate
 enrollment terminal pem
 rsakeypair Router
!
crypto pki enroll Certificate
! answer the prompts for the CSR

Take the CSR and get it signed by your CA server; once it is signed, you need to upload it to the router.

crypto pki authenticate Certificate
! paste the cert of the CA that signed the CSR here

Please do not forget to rate.

Hi Salim,

I have done what you told me, and it gives me this error when I import the certificate:

 

 

 

This error occurs when the root or intermediate (sub-CA) certificate is missing from the trustpoint.

I have tested it in my lab and it works for me; here is my working config.

=================================

crypto key generate rsa modulus 4096 label RouterASR.com

crypto pki trustpoint RouterASR
 enrollment terminal pem
 serial-number none
 fqdn none
 ip-address none
 subject-name cn=TEST,dc=RouterASR.com
 revocation-check none
 rsakeypair RouterASR.com

crypto pki enroll RouterASR
! answer the prompts; the CSR is printed to the terminal
!

Uploading the root CA:
!
crypto pki trustpoint ROOT-CA
 enrollment terminal
!
crypto pki authenticate ROOT-CA
! paste the root CA certificate
---BEGIN CERTIFICATE---

!
crypto pki authenticate RouterASR
! paste the certificate of the CA that signed the CSR
---BEGIN CERTIFICATE---

!
crypto pki import RouterASR
! paste the router's own certificate issued against the CSR
---BEGIN CERTIFICATE---

============================

Please do not forget to rate.
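The procedure in the reply above (and the earlier one) covers the Cisco side only: `crypto pki authenticate` takes the CA certificate, and `crypto pki import` takes the router's own certificate once the CA has signed the CSR. The following script is an added example, not part of the thread and not Cisco code: it plays the non-Cisco side with openssl, creating a root CA whose subject is the one seen later in the thread's `show crypto pki certificates` output, signing a router CSR with it, and then running the same chain check the router performs before IKEv2 can authenticate the peer, once against the right root and once against an unrelated one. Assumed: openssl on PATH; all file names, the router subject and the "other" CA are made up for the demo. The example uses 2048-bit RSA; the 1024-bit modulus suggested earlier in the thread is below current minimums for new deployments.

```shell
#!/bin/sh
# Added example, not from the thread and not Cisco code: the non-Cisco
# (CA) side of the exchange, done with openssl, plus the chain check the
# router runs when it validates the peer's certificate.
# Assumed: openssl on PATH. Subjects below are demo data; the CA subject
# copies the one from the thread's "show crypto pki certificates" output.

# Vendor side: a self-signed root CA (the "root certificate" the client sent).
make_root_ca() {   # $1 = dir, $2 = subject -> $1/root.crt, $1/root.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/root.key" -out "$1/root.crt" -subj "$2" 2>/dev/null
}

# Router side, stand-in for "crypto pki enroll" with "enrollment terminal pem":
# a key pair and a CSR carrying the router's identity.
make_router_csr() {   # $1 = dir -> $1/router.key, $1/router.csr
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/router.key" -out "$1/router.csr" \
        -subj "/CN=TEST/DC=RouterASR.com" 2>/dev/null
}

# Vendor side: sign the CSR with the root. The output is what goes into
# "crypto pki import <trustpoint>"; the CA cert itself is what goes into
# "crypto pki authenticate <trustpoint>".
sign_csr() {   # $1 = csr, $2 = CA cert, $3 = CA key, $4 = out cert
    openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -out "$4" 2>/dev/null
}

# Chain check: 0 if the leaf chains to a CA in the given file.
# A failure here is the openssl equivalent of the router's
# "Validation of certificate chain FAILED" debug line.
chain_ok() {   # $1 = CA bundle, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer / subject in RFC 2253 form, e.g. "C=US,O=Test-LLC.,...,CN=Cliente".
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# Full walk-through into one directory, including an unrelated second
# root to reproduce the wrong-trustpoint case.
demo() {   # $1 = dir
    make_root_ca "$1" "/CN=Cliente/OU=Cliente-Test./O=Test-LLC./C=US"
    make_router_csr "$1"
    sign_csr "$1/router.csr" "$1/root.crt" "$1/root.key" "$1/router.crt"
    mkdir -p "$1/other" && make_root_ca "$1/other" "/CN=Some other CA"
}

d=$(mktemp -d)
demo "$d"
echo "router cert subject: $(subject_of "$d/router.crt")"
echo "router cert issuer : $(issuer_of "$d/router.crt")"
chain_ok "$d/root.crt"       "$d/router.crt" && echo "chain to Cliente root: OK"
chain_ok "$d/other/root.crt" "$d/router.crt" || echo "chain to other root  : FAILED (expected)"
```

Before pasting the signed certificate into `crypto pki import`, the `issuer_of` line is the quick sanity check: it must equal the subject of the CA certificate that was pasted into `crypto pki authenticate` for the same trustpoint, otherwise the import is rejected for the reason given in the reply above (missing root or intermediate).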

Hi,

I have some questions:

  • Uploading the root CA:
    !
    crypto pki trustpoint ROOT-CA    -> Is the client's root certificate loaded here (in this case, the 5G antenna's)?
     enrollment terminal
    crypto pki authenticate ROOT-CA
    ---BEGIN CERTIFICATE---
  • crypto pki authenticate RouterASR -> What certificate do I upload here?
    ---BEGIN CERTIFICATE---
  • crypto pki import RouterASR -> What certificate do I import here?
    ---BEGIN CERTIFICATE---

 

Hi,

That is done, it is already rated.

Now I want to write you this. I have this error:

 

 

Sep 9 08:15:39.880: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Sep 9 08:15:39.880: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Sep 9 08:15:39.881: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Sep 9 08:15:39.881: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ciscocert
Sep 9 08:15:39.881: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Sep 9 08:15:39.881: IKEv2:(SESSION ID = 41629,SA ID = 1):Get peer's authentication method
Sep 9 08:15:39.881: IKEv2:(SESSION ID = 41629,SA ID = 1):Peer's authentication method is 'RSA'
Sep 9 08:15:39.882: IKEv2:Validation list created with 1 trustpoints
Sep 9 08:15:39.882: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
Sep 9 08:15:39.883: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
Sep 9 08:15:39.883: IKEv2-ERROR:(SESSION ID = 41629,SA ID = 1):: Platform errors
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Verify cert failed
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Verification of peer's authentication data FAILED
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Sending authentication failure notify
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

Please could you provide the full output of "show crypto pki certificates" from the routers on both sides.

Please do not forget to rate.

asr#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 00C38TEDIGU29
Certificate Usage: General Purpose
Issuer:
cn=Cliente
ou=Cliente-Test.
o=Test-LLC.
c=US
Subject:
cn=Cliente
ou=Cliente-Test.
o=Test-LLC.
c=US
Validity Date:
start date: 09:09:53 UTC Oct 19 2015
end date: 09:09:53 UTC Oct 16 2025
Associated Trustpoints: AV
Storage: nvram:test#7096CA.cer

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer:
hostname=ASR.com
o=Test
cn=www.cisco.com
Subject:
Name: ASR.com
hostname=ASR.com
o=Test
cn=www.cisco.com
Validity Date:
start date: 14:33:15 UTC Sep 8 2021
end date: 00:00:00 UTC Jan 1 2030
Associated Trustpoints: ciscocert
Storage: nvram:ASR#6.cer

 

The other device is not Cisco, it is a 5G antenna.
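The first three debug lines in the post above ("Retrieving trustpoint(s) from received certificate hash(es)", "Retrieved trustpoint(s):" with an empty list, "Received cert hash is invalid") refer to the IKEv2 CERTREQ payload: per RFC 7296 section 3.7, each side sends the SHA-1 hash of the SubjectPublicKeyInfo of every trust anchor it accepts, and the receiver uses those hashes to pick which trustpoint's certificate to present. The script below is an added example, not from the thread: it computes that hash for a PEM CA certificate and matches a received hash against a set of local CA files, which is a quick offline way to confirm that both ends really hold the same root before looking further at the chain validation failure. Assumed: openssl on PATH; the two self-signed roots are throwaway test data created by the script.

```shell
#!/bin/sh
# Added example, not from the thread. RFC 7296 section 3.7: the IKEv2
# CERTREQ payload carries the SHA-1 hash of the SubjectPublicKeyInfo of
# each trust anchor the sender accepts. Assumed: openssl on PATH.

# Hex SHA-1 of the DER SubjectPublicKeyInfo of a PEM certificate, i.e.
# the value that would appear in a CERTREQ for this trust anchor.
certreq_hash() {   # $1 = PEM cert
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha1 -r | cut -d' ' -f1
}

# Match a received CERTREQ hash against local trust-anchor files, the way
# "Retrieving trustpoint(s) from received certificate hash(es)" does on
# the router. Prints the matching file; returns 1 if none matches.
match_trustpoint() {   # $1 = hex hash, $2.. = PEM CA files
    want=$1; shift
    for f in "$@"; do
        if [ "$(certreq_hash "$f")" = "$want" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Throwaway self-signed CA for the demo (test data, not a real CA).
selfsigned_ca() {   # $1 = out PEM, $2 = subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1" -subj "$2" 2>/dev/null
}

d=$(mktemp -d)
selfsigned_ca "$d/cliente-root.pem" "/CN=Cliente/OU=Cliente-Test./O=Test-LLC./C=US"
selfsigned_ca "$d/other-root.pem"   "/CN=Some other CA"
h=$(certreq_hash "$d/cliente-root.pem")
echo "CERTREQ hash advertised for the Cliente root: $h"
if m=$(match_trustpoint "$h" "$d/other-root.pem" "$d/cliente-root.pem"); then
    echo "peer's CERTREQ matches local trust anchor: $m"
else
    echo "peer's CERTREQ matches no local trust anchor (the mismatch case)"
fi
```

Run `certreq_hash` over the root certificate exported from the antenna and over the CA file loaded on the ASR; if the two hashes differ, the two ends are not trusting the same CA, and no amount of enrollment on the router side will make the chain validate.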

Hi,

Any news? Can anybody help me?