
PKI FlexConnect Authentication

SJY2025
Level 1

Hi,

I am looking for a guide on how to get certificate working with Cisco C1111-4P (code 17.12.5a)

I am trying to get ECDSA certificates working to authenticate over the FlexVPN instead of PSK

I think my first question is: is it supported, and with what key sizes? I'm trying P-256.

My process so far is

crypto key generate ec keysize 256 label BLA

Created a trustpoint ROOT

enrollment terminal pem

revocation-check none

eckeypair BLA

THEN

crypto pki authenticate ROOT

pasted in my root CA >> this imports

crypto pki enroll ROOT creates a CSR

Created a trustpoint INTER

enrollment terminal pem

revocation-check none

eckeypair BLA

THEN

crypto pki authenticate INTER

pasted in my intermediate cert >> this imports

then

crypto pki import INTER certificate

and pasted my signed .csr content back in (missing the root/intermediate parts).

I keep getting "failed to parse or verify imported certificate".

23 Replies

When you check the root CA and intermediate certificates added to your router, do you see them as valid or not?

The chain must be input in the correct order:

Root CA

then

Intermediate

lastly the device cert

MHM

SJY2025
Level 1

I see both the Root and Intermediate certificates installed (using show crypto pki certificates verbose).

Both have a status of Available and are associated with their trustpoints. I've removed some of the detail, but you can see they are installed.

#show crypto pki certificates verbose
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 68FFE983B54499E3620A2B371DACE3B9E7F56704
Certificate Usage: Signature
Issuer:
cn=
ou=
o=
l=
c=
Subject:
cn=
Validity Date:
start date: 15:13:39 UTC Jun 19 2024
end date: 07:14:09 UTC Jun 20 2028
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: 9641D68F 07B3E184 9D778FD4 9A076381
Fingerprint SHA1: FB1959B9 7BD14B48 61F35ACF 041F69B6 01D4D60B
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 06BE81CC 458D7FBA C3727FB3 A6A0BAD7 206A6F5D
X509v3 Basic Constraints:
CA: TRUE
X509v3 Subject Alternative Name:
removed ***
IP Address :
OtherNames :
X509v3 Authority Key ID: 65DB7236 072D99CC 432BFFB6 2E74CB92 A3DFB6CB
Authority Info Access:
Cert install time: 10:29:46 UTC Jul 21 2025
Cert install time in nsec: 1753093786568954880
Associated Trustpoints: INTER

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 19E574E9FD36255D6EFBFFC0EAB1288723A11312
Certificate Usage: Signature
Issuer:
cn=
ou=
o=
l=
c=
Subject:
cn=
ou=
o=
l=
c=
Validity Date:
start date: 11:51:57 UTC Oct 20 2020
end date: 11:52:27 UTC Oct 18 2030
Subject Key Info:
Public Key Algorithm: ecEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: C8053DC0 94355E88 FED6A671 286F649D
Fingerprint SHA1: 94C6E132 EFD4B380 F772DDEB B8F4856A D0F81A6B
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 65DB7236 072D99CC 432BFFB6 2E74CB92 A3DFB6CB
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 65DB7236 072D99CC 432BFFB6 2E74CB92 A3DFB6CB
Authority Info Access:
Cert install time: 10:28:29 UTC Jul 21 2025
Cert install time in nsec: 1753093709668955904
Associated Trustpoints: ROOT-CA

Status: Available <<- this is very good.

Let me review my notes and I will update you.

Thanks for waiting.

MHM

Under the trustpoint of the intermediate, are you sure you use

usage ike

This makes the cert usable for IPsec (including FlexVPN).

Add this, regenerate the CSR, copy it, get the cert and add it to the device.

Thanks

MHM

SJY2025
Level 1

I hadn't used the ike command, so I've added that and gone through the process again; unfortunately it is still the same.

(screenshot attached)

SJY2025
Level 1

After speaking with Cisco TAC and using a different CA to test where the issue might be, it appears that the solution I am using has an issue.

@MHM Cisco World thank you for all of your suggestions, they were very much appreciated 

Thanks for the update.

Can I know the steps TAC recommended as the solution?

MHM

I think the recommendation (which I agree with) is to go and look at your CA; it's not signing properly. This is not a Cisco issue.

Roughly the steps, which are useful for testing purposes:

Created a single trustpoint initially called INTER

subject-name, fqdn, no revocation-check, terminal enrollment and RSA keys

authenticated and then enrolled

same parse and verify error


Then used https://getacert.com/  as an external CA

Created trustpoint INTER2

authenticated it with getacert certificates

New .csr generated from INTER2

Signed this

Imported back into INTER2 (worked first time)

*Note that a trustpoint ROOT was added but not needed for testing.

Conclusion

Other CA, same router steps, works; therefore the process was good.

My CA, same router steps, fails; therefore it is not signing correctly, therefore the issue is with the CA.
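The CA-side checks behind the conclusion above, and the enrollment sequence in the original post (authenticate root, authenticate intermediate, enroll, import the signed cert), as an added example that is not from this thread or from Cisco. It is a shell script around OpenSSL that builds a made-up P-256 ECDSA root, intermediate and device chain, signs the same device CSR once correctly and once with an unrelated CA, and then runs the checks a signed certificate should pass before it is pasted into "crypto pki import INTER certificate": CSR signature, key match with the CSR, AKID/SKID linkage, and full path validation in the root, intermediate, device order. All names, subjects and the scratch directory are assumptions; it expects openssl 1.1.1 or newer on PATH. Note that it keeps the whole chain on P-256, whereas the chain shown in the thread has an RSA-2048 intermediate under an ECDSA root.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): build a P-256 ECDSA
# root -> intermediate -> device chain with OpenSSL and run the CA-side
# checks a signed router certificate should pass before it is pasted into
# "crypto pki import <trustpoint> certificate". Every name, subject and
# path below is made up; assumes openssl 1.1.1 or newer on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed)

# Sign a CSR with one of our CAs, attaching the extensions passed in $3.
sign_csr() {  # sign_csr <csr> <ca-name> <extensions> <out.pem>
    printf '%s\n' "$3" > "$WORK/ext.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/ext.cnf" \
        -out "$4" 2>/dev/null
}

build_chain() {
    cd "$WORK"
    # One P-256 key and CSR per party; device.csr stands in for the CSR
    # that "crypto pki enroll INTER" prints on the router.
    for n in root inter device rogue; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
        openssl req -new -key "$n.key" -sha256 -subj "/CN=$n.example.net" -out "$n.csr"
    done
    CA_EXT="basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash"
    EE_EXT="basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth,serverAuth
subjectAltName=DNS:device.example.net
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid"
    # Self-signed roots: root.pem is what "crypto pki authenticate ROOT" is fed;
    # rogue.pem is an unrelated CA used only for the negative case.
    for n in root rogue; do
        printf '%s\n' "$CA_EXT" > ext.cnf
        openssl x509 -req -in "$n.csr" -signkey "$n.key" -sha256 -days 3650 \
            -extfile ext.cnf -out "$n.pem" 2>/dev/null
    done
    # Intermediate issued by the root: what "crypto pki authenticate INTER" is fed.
    sign_csr inter.csr root "$CA_EXT
authorityKeyIdentifier=keyid" inter.pem
    # Device cert issued by the intermediate: the thing to import under INTER.
    sign_csr device.csr inter "$EE_EXT" device.pem
    # Same CSR signed by the unrelated CA: a cert the router has no path for.
    sign_csr device.csr rogue "$EE_EXT" device-rogue.pem
}

# Print the 20-byte key identifier carried in the named extension of a cert.
keyid() {  # keyid <cert.pem> subjectKeyIdentifier|authorityKeyIdentifier
    openssl x509 -in "$1" -noout -ext "$2" \
        | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# SHA-256 of the DER public key printed by "openssl req ..." or "openssl x509 ...".
pubkey_hash() {
    "$@" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 only if <cert> is a correctly issued certificate for <csr>
# under root.pem -> inter.pem; each failure names the CA-side mistake.
verify_chain() {  # verify_chain <cert.pem> <csr>
    cert="$1"; csr="$2"
    # 1. The CSR itself must carry a valid self-signature under its EC key.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    # 2. The cert must carry exactly the public key from the CSR (the router's eckeypair).
    [ "$(pubkey_hash openssl req -in "$csr")" = "$(pubkey_hash openssl x509 -in "$cert")" ] \
        || { echo "certificate key differs from CSR key"; return 1; }
    # 3. Device AKID must equal the intermediate SKID, intermediate AKID the root SKID.
    dev_akid=$(keyid "$cert" authorityKeyIdentifier)
    [ -n "$dev_akid" ] && [ "$dev_akid" = "$(keyid "$WORK/inter.pem" subjectKeyIdentifier)" ] \
        || { echo "device AKID does not point at the intermediate"; return 1; }
    int_akid=$(keyid "$WORK/inter.pem" authorityKeyIdentifier)
    [ -n "$int_akid" ] && [ "$int_akid" = "$(keyid "$WORK/root.pem" subjectKeyIdentifier)" ] \
        || { echo "intermediate AKID does not point at the root"; return 1; }
    # 4. Full path validation in the order the router needs: root, intermediate, device.
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not validate"; return 1; }
}

build_chain
verify_chain "$WORK/device.pem" "$WORK/device.csr" \
    && echo "OK: $WORK/device.pem is importable under the trustpoint that authenticated inter.pem"
```

Run it as-is for the positive case; calling verify_chain with device-rogue.pem instead of device.pem stops at check 3, which is the CA-side counterpart of the router refusing a device certificate that does not chain to the intermediate it authenticated. The same four checks can be pointed at a real CA's output by replacing root.pem, inter.pem and the signed device cert with the files from that CA.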

So in the end the last steps I shared (add a trustpoint for Flex, i.e. the device certificate) were right.

But the issue is that the CA you use did not correctly sign the intermediate cert and/or the device cert?

Thanks a lot for updating me.

MHM