How to import Cisco IOS CA certificates into Windows?

fsebera
Level 4
Hi,

I am working in an isolated LAB environment (no internet access) to gain an understanding of Cisco AnyConnect VPN before moving into production.

I have set up my Cisco router as a CA ROOT and generated the root certificates as exportable. I have enrolled the ASA with the ROOT CA and can view the ID/ROOT certs on the ASA.

My problem is with my Windows XP client.

I cannot figure out how to get the Cisco IOS ROOT certificate(s) onto the Windows box.

When I try to import the ROOT CA certificates into Windows XP via the MMC utility, the error message says the certificate is in an invalid format.

On the IOS CA:

crypto key generate rsa general-keys label ROOT exportable storage nvram:

crypto key export rsa ROOT pem url nvram: 3des cisco

I have also tried:

crypto key export rsa ROOT pem terminal 3des cisco

and then saving the

-----BEGIN CERTIFICATE-----

%^#$^%%$^#%^%

-snip-

-----END CERTIFICATE-----

to a Notepad file.

Each time I attempt to import into Windows via MMC, I receive the error message:

"The file is invalid for use as the following: Security Certificate"

Does ANYONE know what I am doing wrong... and can explain how to do it right!!!!!

Please

Thank you

Frank

2 Replies

realfriend
Level 1

I ran into the same issue and figured out the problem. You exported the router's RSA keys but that is different from the actual CA certificate. First you have to create the PKI server by doing something like this in config mode:

crypto key generate rsa label ca.home.lab exportable modulus 2048
!
crypto pki server ca.home.lab
database level complete
database archive pkcs12 password herpderp
issuer-name CN=ca.home.lab,O=Home,OU=Lab
grant auto
hash sha256
auto-rollover 90
no shutdown

After the CA has finished setting up you can then export the CA certificate, also from config mode, with this command:

! the name is the trustpoint the PKI server created, i.e. the same name as the "crypto pki server" line above
crypto pki export ca.home.lab pem terminal

Save the output text starting from "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----" to a file with a .cer extension, then you can open it in Windows and it will launch the certificate wizard.

Here is another good guide for running an IOS Certificate Authority: https://supportforums.cisco.com/document/57441/ios-ca-basic-deployment-certificate-enrollment-and-signing-process
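
As an added example (not from this thread, Cisco, or Windows), a small Python checker that looks at the text pasted from the terminal and reports the mistake described above: whether the file holds a CERTIFICATE block (what Windows expects in a .cer file) or the RSA key blocks that "crypto key export rsa" produces, and whether the body between the BEGIN/END lines is real base64 DER. The sample input is constructed and uses a placeholder 5-byte ASN.1 SEQUENCE rather than a real certificate.

```python
import base64
import re

# Standard PEM labels produced by a key export versus a certificate export.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PUBLIC KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample: what a pasted terminal export might look like, with a
# placeholder DER body (a 5-byte ASN.1 SEQUENCE, not a real certificate).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"


def parse_pem_blocks(text):
    """Return [(label, der_bytes or None, problem or None)] for each PEM block."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        # Drop OpenSSL-style header lines (Proc-Type:, DEK-Info:) that precede
        # an encrypted key body, then any whitespace or --More-- paging residue.
        lines = [ln for ln in body.splitlines() if ":" not in ln]
        b64 = re.sub(r"--More--|\s", "", "".join(lines))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            blocks.append((label, None, "body is not valid base64"))
            continue
        # DER for any X.509 certificate or key starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            blocks.append((label, der, "decoded data is not an ASN.1 SEQUENCE"))
            continue
        blocks.append((label, der, None))
    return blocks


def diagnose(text):
    """Explain why Windows would reject the file, or report that it looks importable."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return "no PEM block: missing or mismatched BEGIN/END lines"
    labels = {label for label, _, _ in blocks}
    if "CERTIFICATE" not in labels and labels & KEY_LABELS:
        return "key material, not a certificate: export the trustpoint with 'crypto pki export <name> pem terminal'"
    for label, _, problem in blocks:
        if problem:
            return f"{label}: {problem}"
    return "ok: CERTIFICATE block decodes to DER; save as .cer and import"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT))
```

Run it against the saved Notepad file's contents; a key export and a garbled paste give different messages, so you can tell which of the two mistakes you hit.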

Hi guy!!

Thanks for the follow-up! As an FYI, I solved my problem (a while back) by setting up an MS Win ROOT CA server.

I plan on trying this IOS method as it seems much more streamlined.

Thank you and Best Regards

Frank
