09-07-2021 02:28 AM
Hello there,
I want to set up a connection between a Cisco ASR and a certified 5G antenna.
The client with the antenna has given me his certificate, and I have to pass him one generated by the Cisco. The certificate is a .pem file (for both).
Now, what are the steps I have to follow to generate a certificate (.pem) on the Cisco and send it to the client so that it can be imported?
What do I do with the certificate that was sent to me?
What would the configuration for the tunnel operation with that certificate look like?
I have been reading forums and links about this, but they always involve Cisco devices on both sides.
09-07-2021 02:56 AM
The client with the antenna has given me his certificate and I have to pass him one generated by Cisco. The certificate is a .pem file (for both).
So the client gave you his root CA certificate that you need to upload into your ASR router? If that is the case, then you need to upload his cert into your ASR for authentication purposes.
crypto pki trustpoint CA
 enrollment terminal
!
crypto pki authenticate CA
 (paste the CA cert here)
For the CSR:
1. Generate a key of size 1024/2048:
crypto key generate rsa label mycaxx modulus 1024
crypto ca enroll CA
Here is a similar issue that discussed how to generate a CSR.
09-07-2021 03:13 AM
Hi,
Yes, he sent me his root certificate.
Now
crypto key generate rsa label mycaxx modulus 1024
crypto ca enroll CA
This generates a CSR, and then?
I need a CA to sign that certificate and send it to him so that he can upload it to his device and then be able to do the IKEv2 configuration, right?
He needs to upload a certificate that I generate on the Cisco so that he can place it in the configuration of his device. After this, bring up the IKEv2 tunnel.
09-07-2021 03:35 AM - edited 09-07-2021 03:57 AM
1. crypto key generate rsa modulus 4096
2. crypto pki trustpoint CA
 enrollment terminal pem
 exit
3. crypto pki enroll CA
% Start certificate enrollment ..
% The subject name in the certificate will include: Router
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
4. Give this text to your remote side so they can generate an identity cert against your CSR.
5. Now upload the identity cert given to you by your remote client:
crypto pki authenticate CA
 (paste the CA)
If they have a sub-CA involved and that file is given to you too, you need to upload that sub-CA cert as well:
crypto pki trustpoint SUB-CA
 enrollment terminal
!
crypto pki authenticate SUB-CA
 (paste the SUB-CA)
!
Follow this link; they mention how to generate the CSR against the CA and how to upload the cert once the CA has signed your CSR.
https://blog.destephen.com/wordpress/?p=1200
09-07-2021 04:12 AM
Hi,
Could I run a CA server on the Cisco and sign the certificate with that same server, without the need to go to a page?
09-07-2021 04:19 AM
You mean you want to make your router a CA server and issue certs to your router and the remote side? If that is what you are looking for, yes, you can do it this way too: you set up your router as the CA authority and issue certs to the remote clients.
09-07-2021 04:45 AM
Yes, I mean:
I have the root CA certificate from the other device. I need to upload its certificate to my ASR for authentication purposes, then I need to generate a CSR with the enrollment, then I need to sign that certificate (with my CA server), and lastly we need to send that CA to him to import on his device.
09-07-2021 05:01 AM - edited 09-07-2021 05:02 AM
I have the root CA certificate from the other device, I need to upload its certificate to my ASR for authentication purposes
OK. You have a root certificate from the other device and you need to upload the root CA cert into the ASR. The configuration is below.
crypto pki trustpoint CA
 enrollment terminal
!
crypto pki authenticate CA
 ### paste your CA root cert here ###
!
then I need to generate a CSR with the enrollment, and then I need to sign that certificate (with my CA server), and lastly we need to send that CA to import on his device
crypto key generate rsa label Router modulus 4096
!
crypto pki trustpoint Certificate
 enrollment terminal pem
 rsakeypair Router
!
crypto pki enroll Certificate
 ### fill in the information for the CSR ###
Take the CSR and get it signed by your CA server. Once it is signed, you need to upload it to the router:
crypto pki authenticate Certificate
 ### paste the cert from your CA that signed the CSR here ###
09-07-2021 06:23 AM
09-07-2021 06:40 AM - edited 09-07-2021 07:02 AM
This error occurs when the root or intermediate sub-CA is missing from the trustpoint.
I have tested this in my lab and it works for me. Here is my working config.
=================================
crypto key generate rsa modulus 4096 label RouterASR.com
crypto pki trustpoint RouterASR
 enrollment terminal pem
 serial-number none
 fqdn none
 ip-address none
 subject-name cn=TEST,dc=RouterASR.com
 revocation-check none
 rsakeypair RouterASR.com
crypto pki enroll RouterASR
!
! uploading the root CA
!
crypto pki trustpoint ROOT-CA
 enrollment terminal
!
crypto pki authenticate ROOT-CA
 ---BEGIN CERTIFICATE---
!
crypto pki authenticate RouterASR
 ---BEGIN CERTIFICATE---
!
crypto pki import RouterASR certificate
 ---BEGIN CERTIFICATE---
============================
09-08-2021 03:15 AM
Hi,
I have a question:
crypto pki authenticate RouterASR -> what certificate do I upload here?
---BEGIN CERTIFICATE---
09-09-2021 04:45 AM
Hi,
Now I have this error:
It is done; it is already qualified.
Now I want to write you this. I have this error:
Sep 9 08:15:39.880: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Sep 9 08:15:39.880: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Sep 9 08:15:39.881: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
Sep 9 08:15:39.881: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ciscocert
Sep 9 08:15:39.881: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Sep 9 08:15:39.881: IKEv2:(SESSION ID = 41629,SA ID = 1):Get peer's authentication method
Sep 9 08:15:39.881: IKEv2:(SESSION ID = 41629,SA ID = 1):Peer's authentication method is 'RSA'
Sep 9 08:15:39.882: IKEv2:Validation list created with 1 trustpoints
Sep 9 08:15:39.882: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
Sep 9 08:15:39.883: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
Sep 9 08:15:39.883: IKEv2-ERROR:(SESSION ID = 41629,SA ID = 1):: Platform errors
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Verify cert failed
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Verification of peer's authentication data FAILED
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Sending authentication failure notify
Sep 9 08:15:39.883: IKEv2:(SESSION ID = 41629,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
09-09-2021 05:06 AM
Could you please provide us the full output of "show crypto pki certificates" from both sides?
09-09-2021 05:28 AM
asr#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 00C38TEDIGU29
Certificate Usage: General Purpose
Issuer:
cn=Cliente
ou=Cliente-Test.
o=Test-LLC.
c=US
Subject:
cn=Cliente
ou=Cliente-Test.
o=Test-LLC.
c=US
Validity Date:
start date: 09:09:53 UTC Oct 19 2015
end date: 09:09:53 UTC Oct 16 2025
Associated Trustpoints: AV
Storage: nvram:test#7096CA.cer
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer:
hostname=ASR.com
o=Test
cn=www.cisco.com
Subject:
Name: ASR.com
hostname=ASR.com
o=Test
cn=www.cisco.com
Validity Date:
start date: 14:33:15 UTC Sep 8 2021
end date: 00:00:00 UTC Jan 1 2030
Associated Trustpoints: ciscocert
Storage: nvram:ASR#6.cer
The other device is not Cisco; it is a 5G antenna.
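The chain-validation failure in the IKEv2 debug above, and the earlier reply's explanation that it appears when the root or intermediate sub-CA is missing from the trustpoint, reproduced with openssl as an added lab example (this is not configuration or output from the thread). openssl stands in for "your CA server": it builds a root CA and a subordinate CA, signs the router's CSR with the sub-CA, and then checks the identity certificate against trust stores holding the root alone and the root plus the sub-CA, the way each IOS trustpoint holds one authenticated CA certificate. It also checks a self-signed certificate, like the one listed under trustpoint ciscocert in the show output, against those CAs. All names (lab-root, lab-sub, Test-LLC, RouterASR.com, ASR.com), the extension profiles and the temporary directory are assumptions for the lab.

```shell
#!/bin/sh
# Added lab example (not configuration from the thread). openssl stands in for
# "your CA server", and the trust-store files stand in for IOS trustpoints:
#   root.pem    -> what you paste into "crypto pki authenticate ROOT-CA"
#   sub.pem     -> what you paste into "crypto pki authenticate SUB-CA"
#   router.csr  -> what "crypto pki enroll" prints for the CA to sign
#   router.pem  -> the signed identity cert for "crypto pki import ... certificate"
# All names below (lab-root, lab-sub, Test-LLC, RouterASR.com, ASR.com) are
# assumptions for this lab, not values from the thread.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
LAB="$(mktemp -d)"

write_ext_config() {
  # Extension profiles per certificate type (assumed, typical values).
  cat > "$LAB/pki.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
CN = lab-root
O = Test-LLC
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ subca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ id_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ selfsigned_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
}

make_lab_pki() {
  write_ext_config || return 1
  ( set -e
    cd "$LAB"
    # 1. Root CA, self-signed; subject comes from [dn] in pki.cnf.
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -keyout root.key -out root.pem 2>/dev/null
    # 2. Subordinate (issuing) CA: its CSR is signed by the root.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=lab-sub/O=Test-LLC" -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -sha256 -days 1825 -extfile pki.cnf -extensions subca_ext -out sub.pem 2>/dev/null
    # 3. Router side: keypair + CSR, with the subject the thread's trustpoint uses.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=TEST/DC=RouterASR.com" -keyout router.key -out router.csr 2>/dev/null
    # 4. CA side: sign the CSR with the sub-CA -> identity certificate.
    openssl x509 -req -in router.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
      -sha256 -days 365 -extfile pki.cnf -extensions id_ext -out router.pem 2>/dev/null
    # 5. A self-signed router certificate, for comparison with the CA-issued one.
    openssl req -config pki.cnf -x509 -extensions selfsigned_ext -newkey rsa:2048 -nodes \
      -sha256 -days 365 -subj "/CN=ASR.com/O=Test" -keyout selfsigned.key -out selfsigned.pem 2>/dev/null
    # Trust stores: root only, and root + sub-CA (both "authenticated").
    cp root.pem trust-root-only.pem
    cat root.pem sub.pem > trust-root-and-sub.pem
  )
}

# verify_chain CERT TRUSTSTORE [CHAIN]: exit 0 if CERT chains to a CA in TRUSTSTORE.
# CHAIN, if given, travels with the cert but is not trusted by itself, like the
# CA certificates an IKEv2 peer can send in its CERT payloads.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$LAB/$2" -untrusted "$LAB/$3" "$LAB/$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$LAB/$2" "$LAB/$1" >/dev/null 2>&1
  fi
}

# chain_status: same check, as the string "OK" or "FAIL".
chain_status() {
  if verify_chain "$@"; then echo OK; else echo FAIL; fi
}

report() { printf '%-5s %s\n' "$(chain_status "$@")" "$*"; }

make_lab_pki || { echo "lab PKI setup failed" >&2; exit 1; }
report router.pem     trust-root-only.pem            # FAIL: issuing sub-CA unknown
report router.pem     trust-root-only.pem  sub.pem   # OK:   sub-CA sent with the cert
report router.pem     trust-root-and-sub.pem         # OK:   sub-CA authenticated too
report selfsigned.pem trust-root-and-sub.pem         # FAIL: issued by no CA here
```

Run it with sh. The four report lines print FAIL, OK, OK, FAIL. The first FAIL is the openssl equivalent of "Validation of certificate chain FAILED": the certificate was issued by a CA the verifier has not authenticated, which is fixed either by sending the sub-CA alongside the certificate or by authenticating the sub-CA in its own trustpoint, as the earlier reply describes. The last FAIL shows that a self-signed certificate chains to nothing but itself, so a peer that trusts only a CA cannot accept it.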
09-10-2021 03:43 AM
Hi,
Any news? Can anybody help me?