
PKI FlexConnect Authentication

SJY2025
Level 1

Hi,

I am looking for a guide on how to get certificates working with a Cisco C1111-4P (code 17.12.5a).

I am trying to get ECDSA certificates working to authenticate over the FlexVPN instead of PSK

I think my first question is: is it supported, and what key sizes? I'm trying P-256.

My process so far is

crypto key generate ec keysize 256 label BLA

Created a trustpoint ROOT

Enrollment term pem

revocation check none

eckeypair BLA

THEN

crypto pki authenticate ROOT

pasted in my root CA >> this imports

crypto pki enrol ROOT creates a csr

Created a trustpoint INTER

Enrollment term pem

revocation check none

eckeypair BLA

THEN

crypto pki authenticate INTER

pasted in my intermediate cert >> this imports

then

crypto pki import INTER certificate

and pasted my signed .csr content back in (missing the root/intermediate parts)

I keep getting failed to parse or verify imported certificate

9 Replies

wajidhassan
Level 4

Yes, ECDSA with P-256 is supported on IOS XE 17.12.5a and can be used for FlexVPN authentication.

The error “failed to parse or verify imported certificate” typically indicates one of the following:

  1. The certificate does not match the private key used to generate the CSR. Ensure the key label used during CSR creation corresponds to the key associated with the certificate.

  2. The certificate chain is incomplete. When importing, the entire chain (signed certificate plus intermediate certificates) may need to be included, not just the individual certificates separately.

  3. The certificate format may be incorrect. Verify the certificate is in valid PEM format with correct headers and no extra spaces or characters.

Reviewing these points should help resolve the parsing error during import.
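As an added example (not from this thread, and not Cisco code), a stand-alone Python check for points 2 and 3 above: it splits a pasted .pem bundle into its individual certificates, rejects stray characters the way the router's terminal import does, and orders the blocks device -> intermediate -> root by matching each issuer to a subject, so a missing link in the chain is reported before anything is pasted into `crypto pki import`. The certificates it runs on are constructed stand-ins with the right X.509 layout but dummy fields; the names Root_CA, Intermediate and c1111-4p are assumed.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text):
    """Split a pasted .pem bundle into DER certs; stray spaces/characters raise, as on the router."""
    if not (bodies := PEM_RE.findall(text)):
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    return [base64.b64decode(b.replace("\n", ""), validate=True) for b in bodies]

def _fields(buf):  # yield (tag, raw_encoding, value) for each top-level DER element in buf
    pos = 0
    while pos < len(buf):
        length, hdr = buf[pos + 1], 2
        if length & 0x80:                                  # long-form length (n length bytes follow)
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        yield buf[pos], buf[pos:pos + hdr + length], buf[pos + hdr:pos + hdr + length]
        pos += hdr + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes from an X.509 certificate."""
    tbs = list(_fields(next(_fields(next(_fields(der))[2]))[2]))  # Certificate -> TBSCertificate
    if tbs[0][0] == 0xA0:                                  # drop optional [0] version
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]                            # serial, sigAlg, issuer, validity, subject

def order_chain(ders):
    """Order certs device -> root by matching issuer to subject; fail if a link is missing."""
    info = {d: names(d) for d in ders}
    issuers = {i for i, _ in info.values()}
    chain = [d for d, (_, s) in info.items() if s not in issuers]  # issues nothing = device cert
    if len(chain) != 1:
        raise ValueError("expected exactly one end-entity (device) certificate")
    while info[chain[-1]][0] != info[chain[-1]][1]:                  # stop at self-signed root
        if not (parent := [d for d, (_, s) in info.items() if s == info[chain[-1]][0]]):
            raise ValueError("chain incomplete: issuing certificate missing from bundle")
        chain.append(parent[0])
    return chain

# --- constructed sample data (NOT real certificates: X.509 layout, dummy unsigned fields) ---
def _der(tag, body):  # short-form DER lengths (< 128) are enough for these samples
    return bytes([tag, len(body)]) + body
def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "\n".join(["-----BEGIN CERTIFICATE-----", *re.findall(".{1,64}", b64), "-----END CERTIFICATE-----", ""])
CERTS = {cn: fake_cert(cn, ca) for cn, ca in [("Root_CA", "Root_CA"), ("Intermediate", "Root_CA"), ("c1111-4p", "Intermediate")]}
BUNDLE = "".join(to_pem(CERTS[cn]) for cn in ("c1111-4p", "Intermediate", "Root_CA"))  # device - intermediate - root
```

Run against a real bundle, `split_pem_bundle` gives the three blocks to paste separately (root into `crypto pki authenticate`, device cert into `crypto pki import`), and `order_chain` tells you which block is which.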

SJY2025
Level 1

Thanks for the quick response, does my structure look correct with a Trustpoint for each (root and intermediate)?

I think what you need 

Trustpoint one point to CA 

crypto pki authenticate CA 

crypto pki import inter-CA certificate

MHM

SJY2025
Level 1

I'm sure I'm making a very basic mistake but roughly

[image: SJY2025_1-1752677389489.png]

I have run crypto pki authenticate Root_CA

I've then pasted the root certificate in when requested

I've then run crypto pki enrol Root_CA generating a .csr

This has been signed by and sent back to me as a .pem file with

device - intermediate - root within the certificate

I've created a second Trustpoint as follows

[image: SJY2025_2-1752677636799.png]

I have run crypto pki authenticate Intermediate and pasted in the Intermediate section (middle) of the pem file only

I've then run crypto pki import Intermediate certificate and pasted in the top section of the certificate (the device)

I've added the chain validation as I think MHM was suggesting?


show crypto pki certificates <<- share this

MHM

SJY2025
Level 1

I'm not in a position to do that, what I can say is both my root and intermediate certs are installed under the correct Trustpoints, both have valid dates and have not expired, if that helps?

Then everything is OK.
Are you facing an issue with the VPN?

SJY2025
Level 1

Ah okay, that's good to know the process is correct. The issue I have is that every time I try and install the device cert I get

[image: SJY2025_0-1752680278078.png]


Hi friend,

I searched for your post yesterday but couldn't find it.

Anyway,

Can I see the last code you used?

Thanks a lot.

MHM