Cisco IOS CA

chris-lawrence
Level 1

Team,

I am using Cisco IOS XE Software, Version 03.15.00.S - Standard Support Release Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S, RELEASE SOFTWARE (fc3) to support my Cisco IOS CA.

In a nutshell, I am trying to support a FlexVPN - Win7 VPN client as per TAC document ID 115907.

In this document, it states that OpenSSL CA is used but a Cisco IOS CA can also be used. When testing I am at a point where my certificates do not match the example:

The TAC document example:

X509v3 extensions:
  X509v3 Key Usage: F0000000
    Digital Signature
    Non Repudiation
    Key Encipherment
    Data Encryption

 

My lab version:

X509v3 extensions:
  X509v3 Key Usage: A0000000
    Digital Signature
    Key Encipherment

 

Question - How do I get these alternate extensions using the Cisco IOS CA?

 

Chris

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Chris, 

 

(Shameless plug) have a look at IOS CA config I used:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html#anc8

 

M.


2 Replies

Hi Marcin,

You have the same as I - I got my lab working - I tripped up on the KeyUsage thinking that my VPN headend Cisco CSR needed these same extensions as my Win7 client did. When I adjusted my Win7 CSR to feature these extra extensions and re-enrolled, everything is working.

Thanks for your help,

Chris
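
The two Key Usage values quoted in the question can be compared mechanically. The following is an added example, not part of the original thread or of any Cisco tooling: it decodes the 8-digit hex word shown on the `X509v3 Key Usage:` line into RFC 5280 usage names and lists what the lab certificate lacks relative to the TAC example. The bit layout (bit 0 as the most significant bit of the word) matches the four usages shown in the thread; extending it to the remaining RFC 5280 bits is an assumption, and the function names and sample strings are constructed for illustration.

```python
import re

# RFC 5280 KeyUsage bit names, bit 0 first. Assumption: the hex word is the
# bit string left-aligned in 32 bits, so bit 0 is the most significant bit.
# This agrees with F0000000 and A0000000 as listed in the thread.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

KU_LINE = re.compile(r"X509v3 Key Usage:\s*([0-9A-Fa-f]{8})\b")


def decode_key_usage(hex_word):
    """Return the set of usage names set in an 8-digit Key Usage hex word."""
    value = int(hex_word, 16)
    known = 0
    names = set()
    for bit, name in enumerate(KEY_USAGE_BITS):
        mask = 1 << (31 - bit)
        known |= mask
        if value & mask:
            names.add(name)
    if value & ~known:
        # Bits outside the nine defined usages mean the input is not a
        # Key Usage word in the assumed layout; refuse to guess.
        raise ValueError(f"bits outside KeyUsage set in {hex_word}")
    return names


def key_usage_from_show_output(text):
    """Find the Key Usage line in certificate show output and decode it."""
    match = KU_LINE.search(text)
    if match is None:
        raise ValueError("no 'X509v3 Key Usage' line found")
    return decode_key_usage(match.group(1))


def missing_usages(reference_text, actual_text):
    """Usages present in the reference certificate but absent from ours."""
    ref = key_usage_from_show_output(reference_text)
    act = key_usage_from_show_output(actual_text)
    return sorted(ref - act)


# The two values quoted in the thread, wrapped in constructed sample output.
TAC_EXAMPLE = "X509v3 extensions:\n  X509v3 Key Usage: F0000000\n"
LAB_CERT = "X509v3 extensions:\n  X509v3 Key Usage: A0000000\n"

if __name__ == "__main__":
    print(missing_usages(TAC_EXAMPLE, LAB_CERT))
```

Running the check against the client certificate rather than the headend certificate reflects where the thread found the extra usages were needed.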