cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2747
Views
0
Helpful
5
Replies

Installing 2nd Certificate from the same CA.

michael.leblanc
Level 4
Level 4

Trying to install a second certificate issued by the same Certificate Authority (CA). However, the new certificate replaces it's predecessor.

Original Certificate Enrollment Config:

crypto pki trustpoint ca.domain.null

enrollment url http://ca.domain.null:80

usage ike

ip-address none

fingerprint <removed-for-forum-post>

subject-name c=CA, st=State, l=City, o=Company, ou=old-1, ou=old-2, cn=router.domain.null

revocation-check crl

source interface Loopback0

rsakeypair router.domain.null 1024

auto-enroll 90 regenerate

Amendments to Certificate Enrollment Config:

crypto pki trustpoint ca.domain.null

subject-name c=CA, st=State, l=City, o=Company, ou=new-1, ou=new-2, cn=vpn-1.router.domain.null, hostname=vpn-1.router.domain.null

rsakeypair vpn-1.router.domain.null 1024

Note: Amended Organizational Unit (ou) fields.

Note: Specified a different Common Name (prepended "vpn-1").

Note: Tried with and without "hostname=vpn-1.router.domain.null".

Note: Specified a different RSA keypair.

Enrollment for Second Certificate (same CA):

router(config)#crypto pki enroll ca.domain.null

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: c=CA, st=State, l=City, o=Company, ou=new-1, ou=new-2, cn=vpn-1.router.domain.null, hostname=vpn-1.router.domain.null

% The subject name in the certificate will include: router.domain.null

% Include the router serial number in the subject name? [yes/no]: n

Request certificate from CA? [yes/no]: y

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose ca.domain.null' command will show the fingerprint.

Note: Statement above indicates "% The subject name in the certificate will include: router.domain.null".

Note: The new certificate is created with the same name as the original certificate, and replaces it.

New Certificate:

router(config)#do sh crypto pki certificate

Certificate

  Status: Available

  Certificate Serial Number (hex): 23

  Certificate Usage: General Purpose

  Issuer:

    cn=ca.domain.null

  Subject:

    Name: router.domain.null

    hostname=router.domain.null

    c=CA

    st=State

    l=City

    o=Company

    ou=new-1

    ou=new-2

    cn=vpn-1.router.domain.null

    hostname=vpn-1.router.domain.null

  CRL Distribution Points:

    http://ca.domain.null/cgi-bin/pkiclient.exe?operation=GetCRL

  Validity Date:

    start date: 14:10:41 EST Dec 4 2012

    end   date: 04:24:14 EDT Jul 15 2013

    renew date: 22:16:52 EDT Jun 22 2013

  Associated Trustpoints: ca.domain.null

Note: The following remain the same when the new certificate is created, despite the subject-name input provided:

  Subject:

    Name: router.domain.null

    hostname=router.domain.null

The original certificate is overwritten with the new one, and is not to be found in the

"sh crypto pki certificate" output.

Any thoughts or solutions on how to successfully install a second certificate issued from the same CA would be welcome.

Best Regards,

Mike

1 Accepted Solution

Accepted Solutions

Mike,

To (hopefully) answer both of your questions.

You can have different trustpoints with same issuer certificate, no need to use two different CAs.

I actually was not 100% corrent in my previous statment, trustpoints will also have associated rollover/shadow certs, so strictly speaking more than two.

irt. IKEv1 and identity we have limited options.

1) auto (pick up method depending on connection type)

2) Address - provide IP address associated with crypto map instsance (i.e. source of crypto packets).

3) Hostname - configured hostname on the box. (FQDN)

4) DN - chosen certificate's DN

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567

Additionally you can setup user-fqdn as identity.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-E0956592-4754-4C48-9ACB-9AF58594E74D

As far as IKE goes, you can have as many certificates as you like from as many CAs as you want (during MM3 and MM4 both sides of negotion will agree on using one certificate to authenticate to each other).

M.

View solution in original post

5 Replies 5

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Mike,

Maybe I missed it, but why not use a second trustpoint to hold the new cert (and CA cert ideally).

The trustpoint, as a container, can have only one identity cert + one CA cert at a time, everything else requires chaining (on IOS).

In your case having two separate trustpoint would work (both with identity and CA cert).

M.

Marcin:

Thank you for your repsonse.

The existing CA is a repurposed Cisco 800 series router, residing on a server VLAN. We were hoping to sidestep the provisioning of a second CA, and the resources it would consume (rack space, power consumption, etc.). We'll repurpose the next available router as a secondary CA.

With regard to your statement "The trustpoint, as a container, can have only one identity cert + one CA cert at a time, everything else requires chaining (on IOS).", I presume that the output of  "sh crypto pki trustpoints status" represents the "one identity cert + one CA cert" contained by the trustpoint.

router# sh crypto pki trustpoints status

Trustpoint ca.domain.null:

  Issuing CA certificate configured:

    Subject Name:

     cn=ca.domain.null

    Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock 

    Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock

  Router General Purpose certificate configured:

    Subject Name:

     hostname=router.domain.null,c=CA,st=State,l=City,o=Company,ou=new-1,ou=new-1,cn=router.domain.null

    Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock

    Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock

  Next enrollment attempt:

    11:05:03 EDT Apr 12 2013

    * A new key will be generated *

    * Configuration will not be saved after enrollment *

  State:

    Keys generated ............. Yes (General Purpose, exportable)

    Issuing CA authenticated ....... Yes

    Certificate request(s) ..... Yes

Open to comments.

Best Regards,

Mike

Marcin:

Noticed that a few of the DMVPN spokes are limited in terms of options for the ISAKMP Profile "self-identity" command.

They allow specification of "fqdn", but without the ability to specify a "specific" fqdn.

Am I correct in believing that these routers would not support more than one certificate (each from a different CA)?

Note: We're currently matching certificate maps in ISAKMP profiles, and were looking to use different certificates for different cryptographic goals.

Best Regards,

Mike

Mike,

To (hopefully) answer both of your questions.

You can have different trustpoints with same issuer certificate, no need to use two different CAs.

I actually was not 100% corrent in my previous statment, trustpoints will also have associated rollover/shadow certs, so strictly speaking more than two.

irt. IKEv1 and identity we have limited options.

1) auto (pick up method depending on connection type)

2) Address - provide IP address associated with crypto map instsance (i.e. source of crypto packets).

3) Hostname - configured hostname on the box. (FQDN)

4) DN - chosen certificate's DN

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567

Additionally you can setup user-fqdn as identity.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-E0956592-4754-4C48-9ACB-9AF58594E74D

As far as IKE goes, you can have as many certificates as you like from as many CAs as you want (during MM3 and MM4 both sides of negotion will agree on using one certificate to authenticate to each other).

M.

Marcin:

"You can have different trustpoints with same issuer certificate, no need to use two different CAs."

That's the part I needed to hear. Thanks.

Have the new certificates installed, but I've encountered difficulty with the hub sending the wrong certificate. I think the issue is attributable to the device's inability to accommodate the common CA, or a deficiency in my configuration(s).

I'm going to initiate a new discussion titled:

DMVPN - Constructing a CERT payload with the wrong certificate.

Best Regards,

Mike