Difficulty importing CA certificates for 3850 switches!

blooy
Level 1

Our Cisco 3850s are running 16.6.2.

 

We are having immense difficulty installing certs into our switches. 

We have been following this document: https://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-ssl-services-module/63456-sslm-csr.html suggested from Cisco TAC.

 

This is our process:

1. Generate Key: 

crypto key generate rsa exportable label KEY1 modulus 2048

 

2. Create Trustpoint

crypto pki trustpoint CA1
enrollment terminal pem
subject-name C=x, ST=x, L=x, O=x, CN=hostname, serialNumber=x
fqdn x
rsakeypair KEY1
exit


3. Create CSR (And Submit request)

crypto pki enroll CA1

y

n

y

 

4. Create second trustpoint for ROOT Cert (Per the configuration guide above:)

(If you have an intermediate certificate, you need to configure two trustpoints. One trustpoint contains the CA root certificate only. You only need to configure enrollment terminal PEM and Certificate Revocation List (CRL) optional. The second trustpoint contains the intermediate certificate and the server certificate. The second trustpoint is configured similar to the first trustpoint, however, instead of the root certificate, use the intermediate certificate.)

!

crypto pki trustpoint ROOT
enrollment terminal pem
exit
crypto pki authenticate ROOT

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

y

 

5. Add intermediate and public cert 

This is where the problems begin. The document above has told us to create two trustpoints, and so now we are going to try to add the intermediate cert:

crypto pki authenticate CA1

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Trustpoint 'CA1' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

 

However if I were to paste in the public cert we got back from the CA at this point, it would accept the CERT. But then I am now without the intermediate, and my https is still saying the switch is using a self-signed certificate. (I am using command: ip https secure-trustpoint CA1)

 

Help!

Accepted Solution

Hi,

I experienced a similar error when attempting to authenticate the Intermediate Root CA.

 

Trustpoint 'INTROOT_CA' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

HQ-RTR-2(config)#
*Mar 13 20:53:02.940: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///

 

I resolved this by disabling CRL on both the RootCA and IntRootCA trustpoints.

 

crypto pki trustpoint ROOT_CA
 revocation-check none
crypto pki trustpoint INTROOT_CA
 revocation-check none

 

HTH


3 Replies


Thank you, I have disabled the revocation check and that allowed me to import the public certificate!

 

Now that I have the root, intermediate, and public certificate loaded on the switch, I have added these two configurations:

 

ip ssh rsa keypair-name KEY1
ip http secure-trustpoint CA1

 

Still, when I try to access via https or ssh, the certificate is invalid. (Not Secure, Certificate Invalid) and https is lined through on the browser. 

 

Am I doing something wrong?

Hi,
What hostname did you define in the certificate? When you connect via https do you connect to the switch using the hostname/CN defined in the certificate or the IP address? If you don't connect using the CN defined in the certificate it will error.

When you connect via https if you look at the certificate does it display the correct CA chain or is it still using the self-signed cisco certificate?
What is the output of "show crypto pki certificates verbose"? Does it display the full certificate chain correctly?

Please upload screenshots if you need further assistance to help troubleshoot further.