12-04-2012 12:35 PM
Trying to install a second certificate issued by the same Certificate Authority (CA). However, the new certificate replaces its predecessor.
Original Certificate Enrollment Config:
crypto pki trustpoint ca.domain.null
enrollment url http://ca.domain.null:80
usage ike
ip-address none
fingerprint <removed-for-forum-post>
subject-name c=CA, st=State, l=City, o=Company, ou=old-1, ou=old-2, cn=router.domain.null
revocation-check crl
source interface Loopback0
rsakeypair router.domain.null 1024
auto-enroll 90 regenerate
Amendments to Certificate Enrollment Config:
crypto pki trustpoint ca.domain.null
subject-name c=CA, st=State, l=City, o=Company, ou=new-1, ou=new-2, cn=vpn-1.router.domain.null, hostname=vpn-1.router.domain.null
rsakeypair vpn-1.router.domain.null 1024
Note: Amended Organizational Unit (ou) fields.
Note: Specified a different Common Name (prepended "vpn-1").
Note: Tried with and without "hostname=vpn-1.router.domain.null".
Note: Specified a different RSA keypair.
Enrollment for Second Certificate (same CA):
router(config)#crypto pki enroll ca.domain.null
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c=CA, st=State, l=City, o=Company, ou=new-1, ou=new-2, cn=vpn-1.router.domain.null, hostname=vpn-1.router.domain.null
% The subject name in the certificate will include: router.domain.null
% Include the router serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose ca.domain.null' command will show the fingerprint.
Note: Statement above indicates "% The subject name in the certificate will include: router.domain.null".
Note: The new certificate is created with the same name as the original certificate, and replaces it.
New Certificate:
router(config)#do sh crypto pki certificate
Certificate
Status: Available
Certificate Serial Number (hex): 23
Certificate Usage: General Purpose
Issuer:
cn=ca.domain.null
Subject:
Name: router.domain.null
hostname=router.domain.null
c=CA
st=State
l=City
o=Company
ou=new-1
ou=new-2
cn=vpn-1.router.domain.null
hostname=vpn-1.router.domain.null
CRL Distribution Points:
http://ca.domain.null/cgi-bin/pkiclient.exe?operation=GetCRL
Validity Date:
start date: 14:10:41 EST Dec 4 2012
end date: 04:24:14 EDT Jul 15 2013
renew date: 22:16:52 EDT Jun 22 2013
Associated Trustpoints: ca.domain.null
Note: The following remain the same when the new certificate is created, despite the subject-name input provided:
Subject:
Name: router.domain.null
hostname=router.domain.null
The original certificate is overwritten with the new one, and is not to be found in the "sh crypto pki certificate" output.
Any thoughts or solutions on how to successfully install a second certificate issued from the same CA would be welcome.
Best Regards,
Mike
12-06-2012 12:05 AM
Mike,
To (hopefully) answer both of your questions.
You can have different trustpoints with same issuer certificate, no need to use two different CAs.
I actually was not 100% correct in my previous statement, trustpoints will also have associated rollover/shadow certs, so strictly speaking more than two.
In regard to IKEv1 and identity we have limited options.
1) auto (pick up method depending on connection type)
2) Address - provide IP address associated with crypto map instance (i.e. source of crypto packets).
3) Hostname - configured hostname on the box. (FQDN)
4) DN - chosen certificate's DN
Additionally you can setup user-fqdn as identity.
As far as IKE goes, you can have as many certificates as you like from as many CAs as you want (during MM3 and MM4 both sides of the negotiation will agree on using one certificate to authenticate to each other).
M.
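An added example (not from the thread) of the layout Marcin describes: a second trustpoint enrolling against the same CA URL with its own subject-name and keypair, so the first identity certificate is no longer overwritten, plus certificate maps and ISAKMP profiles that select which of the two certificates the router presents. The trustpoint, certificate-map and profile names are assumptions, the CA fingerprint is a placeholder, and the key size is raised from the thread's 1024 to 2048.

```cisco
! The original trustpoint ca.domain.null is left untouched; it keeps the CA cert
! and the first (ou=old-1/old-2) identity cert. A second trustpoint is a separate
! container, so it gets its own identity cert from the same CA.
crypto pki trustpoint vpn-1.ca.domain.null
 enrollment url http://ca.domain.null:80
 usage ike
 ip-address none
 fingerprint <CA-FINGERPRINT-PLACEHOLDER>
 subject-name c=CA, st=State, l=City, o=Company, ou=new-1, ou=new-2, cn=vpn-1.router.domain.null
 revocation-check crl
 source interface Loopback0
 rsakeypair vpn-1.router.domain.null 2048
 auto-enroll 90 regenerate
!
! Certificate maps: match the peer's certificate on issuer and the ou that
! distinguishes the two enrollments (assumed map names).
crypto pki certificate map MAP-OLD 10
 issuer-name co cn=ca.domain.null
 subject-name co ou=old-1
!
crypto pki certificate map MAP-NEW 10
 issuer-name co cn=ca.domain.null
 subject-name co ou=new-1
!
! Each ISAKMP profile names the trustpoint whose identity cert this router
! sends, and only accepts peers whose cert matches the paired map (assumed names).
crypto isakmp profile DMVPN-OLD
 ca trust-point ca.domain.null
 match certificate MAP-OLD
 self-identity fqdn
!
crypto isakmp profile DMVPN-NEW
 ca trust-point vpn-1.ca.domain.null
 match certificate MAP-NEW
 self-identity fqdn
!
! Exec mode: import the CA cert into the new trustpoint (checked against the
! configured fingerprint), then enroll the second identity cert.
crypto pki authenticate vpn-1.ca.domain.null
crypto pki enroll vpn-1.ca.domain.null
```

After enrollment, "show crypto pki certificates" should list both identity certificates, each under its own trustpoint in "Associated Trustpoints".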
12-05-2012 02:23 AM
Mike,
Maybe I missed it, but why not use a second trustpoint to hold the new cert (and CA cert ideally).
The trustpoint, as a container, can have only one identity cert + one CA cert at a time, everything else requires chaining (on IOS).
In your case having two separate trustpoint would work (both with identity and CA cert).
M.
12-05-2012 10:50 PM
Marcin:
Thank you for your response.
The existing CA is a repurposed Cisco 800 series router, residing on a server VLAN. We were hoping to sidestep the provisioning of a second CA, and the resources it would consume (rack space, power consumption, etc.). We'll repurpose the next available router as a secondary CA.
With regard to your statement "The trustpoint, as a container, can have only one identity cert + one CA cert at a time, everything else requires chaining (on IOS).", I presume that the output of "sh crypto pki trustpoints status" represents the "one identity cert + one CA cert" contained by the trustpoint.
router# sh crypto pki trustpoints status
Trustpoint ca.domain.null:
Issuing CA certificate configured:
Subject Name:
cn=ca.domain.null
Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock
Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock
Router General Purpose certificate configured:
Subject Name:
hostname=router.domain.null,c=CA,st=State,l=City,o=Company,ou=new-1,ou=new-1,cn=router.domain.null
Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock
Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock
Next enrollment attempt:
11:05:03 EDT Apr 12 2013
* A new key will be generated *
* Configuration will not be saved after enrollment *
State:
Keys generated ............. Yes (General Purpose, exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
Open to comments.
Best Regards,
Mike
12-05-2012 11:49 PM
Marcin:
Noticed that a few of the DMVPN spokes are limited in terms of options for the ISAKMP Profile "self-identity" command.
They allow specification of "fqdn", but without the ability to specify a "specific" fqdn.
Am I correct in believing that these routers would not support more than one certificate (each from a different CA)?
Note: We're currently matching certificate maps in ISAKMP profiles, and were looking to use different certificates for different cryptographic goals.
Best Regards,
Mike
12-12-2012 11:42 AM
Marcin:
"You can have different trustpoints with same issuer certificate, no need to use two different CAs."
That's the part I needed to hear. Thanks.
Have the new certificates installed, but I've encountered difficulty with the hub sending the wrong certificate. I think the issue is attributable to the device's inability to accommodate the common CA, or a deficiency in my configuration(s).
I'm going to initiate a new discussion titled:
DMVPN - Constructing a CERT payload with the wrong certificate.
Best Regards,
Mike