Trustpoint subject name for router site to site IPSEC VPN

andrew.jimenez
Level 1

Hello,

 

I am building site-to-site IPsec VPN tunnels using certificates. I see that in the Cisco trustpoint there is a subject name field. Is that based off the certificate you issued, or can you name that anything you want? If it is pulled from the certificate, is there a command that states the subject name with the proper formatting? I did this on another vendor's equipment and it was pulled from the actual cert, but there was also a command that gave you the subject name.

 

I appreciate the feedback.

 

Accepted Solution

"I see that in the Cisco trustpoint there is a subject name field. Is that based off the certificate you issued or can you name that anything you want?"

 

The subject name has to be your certificate name, for example what you provided in your CSR to your CA authority.

 

 

 

"If it is pulled from the certificate is there a command that states the subject name with the proper formatting?"

show crypto pki certificates

show crypto ca certificate

 

 

 

If you are doing a certificate enrollment, these are the steps you require:

 

Make sure your router's time is correct before starting. I suggest you set up NTP to keep the router's time correct. If the router's time is not correct, it will affect the certificate's functionality.

  1. Create a 2048-bit RSA key. GoDaddy now only supports 2048 or greater key length for security reasons. On their site they claim that computer performance will be capable of breaking a 1024-bit key by 2012. Will that be the end of the world?
  2. Create the trustpoint. A trustpoint is basically a certificate authority who you trust.

[image: 1.PNG]

 

3. You can get the certificate request by issuing the following commands:

[image: 2.PNG]

 

4. Paste the certificate request into the GoDaddy page to complete the request. The certificate request must be in the format below. You will need to add the begin and end lines. The begin and end certificate lines must be on separate lines or GD will give you an error. HINT: turn off word wrap in your text editor to ensure the format is proper.

[image: 5.PNG]

 

5. Once the certificate is issued you will receive an email to download your certificates and the intermediates bundle. Save these certificates locally and open them in a text editor like Notepad or, preferably, Notepad++. Select server type "other" for the download.

 

6. The next step is to install the intermediate certificate bundle into the router's trustpoint you created earlier. Run the command below. Copy the INTERMEDIATE certificate you opened in your text editor and paste it into your terminal session when prompted. The certificate will be named gd_intermediate.crt.

 

[image: 6.PNG]

 

7. You will now install the actual certificate. Follow the same copy and paste procedure as above. Notice the command is different than the command used to install the GoDaddy intermediate certificate bundle.

[image: 7.PNG]

 

8. If everything went well, you should now have your certificates successfully installed. You can run the following commands to verify your certificate is properly installed. You should see both the intermediates and the issued certificate. Remember to exit config mode and save your configuration.

 

[image: 3.PNG]

 


please do not forget to rate.


3 Replies


Thank you Sheraz!

 

When I run the "show crypto pki certificates" command, the subject name comes up as follows:

 

Subject:
Name: TEST-RTR01.cisco.com
hostname: TEST-RTR01.cisco.com
cn=TEST-RTR01
ou=cisco
ou=com
c=US

 

Now I have to build the certificate map on the other remote side, so what would I put for the subject name? Would I ignore the name and hostname?

 

subject-name eq cn=TEST-RTR01, ou=cisco, ou=com, c=US

For the certificate map use "subject-name co cn=TEST-RTR01" instead of "subject-name eq cn=TEST-RTR01". You can ignore the hostname and name.

 

When I create my crypto map I use subject-name contain instead of eq to.

 

 

please do not forget to rate.
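As an added example (constructed for this page, not posted in the thread), here is how the advice above fits together in IOS configuration: the local trustpoint carries the DN that goes into the CSR, the remote router's certificate map matches the peer on cn alone with the co operator, and an IKEv2 profile consumes that map. The trustpoint, map, profile and key labels, the choice of IKEv2, and the issuer-name value are assumptions.

```text
! Local router (TEST-RTR01): the subject-name here is what goes into the CSR,
! so it must match the DN the CA issues. Labels are assumed for this example.
crypto pki trustpoint TP-GODADDY
 enrollment terminal
 subject-name cn=TEST-RTR01,ou=cisco,ou=com,c=US
 rsakeypair TEST-RTR01-KEY 2048
!
! Remote router: certificate map that accepts only the peer's certificate.
! "co" (contains) matches on the cn attribute alone; the Name: and hostname:
! lines printed by "show crypto pki certificates" are not DN attributes and
! are ignored. Pinning the issuer as well stops a certificate with the same cn
! from a different CA being accepted (issuer-name value is illustrative).
crypto pki certificate map MAP-TEST-RTR01 10
 subject-name co cn=TEST-RTR01
 issuer-name co godaddy
!
! IKEv2 profile on the remote router that authenticates the peer via the map.
! Assumes the remote router enrolled under a trustpoint of the same label.
crypto ikev2 profile IKEV2-PROF-SITE
 match certificate MAP-TEST-RTR01
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-GODADDY
!
! Verification: the installed chain, then the authenticated IKEv2 SA.
show crypto pki certificates verbose TP-GODADDY
show crypto ikev2 sa detailed
```

The eq operator compares the whole subject DN string, so "subject-name eq cn=TEST-RTR01" only matches a certificate whose entire subject is exactly that; co matches the cn attribute inside the longer DN shown above.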