Import third-party cert into Cisco 2821 router for SSL VPN

Unanswered Question
Sep 12th, 2007
User Badges:

I try to import a Free StartCom SSL certificate into my Cisco 2821 router (IOS 12.4.15T1). The certificate is issued bij an intermediate StartCom CA. See attachement for the things I did.

Somehow my router won't accept the certificate. What am I doing wrong ?

Ronald de Leeuw

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (2 ratings)
aghaznavi Tue, 09/18/2007 - 13:14
User Badges:
  • Silver, 250 points or more

There are two methods to setting up a CA with Cisco IOS SSLVPN. First, we can use a true trusted third-party certificate, like Verisign, which has advantages, but costs money for the certificate. It allows the client side to automatically verify the authenticity of the certificates used in the SSL connection. Alternately, you can set up your own private CA (Windows 2003 Server with SCEP add-on, Cisco IOS CA, etc.), and manually distribute the root certificate to the SSL VPN users. This is cheaper, but requires manual distribution of the root certificate for automatic verification of the SSL connection. See Appendix B for more information to setup a PKI trustpoint with the CA server.

Regardless of the CA method you choose, the trustpoint must be defined for the gateway to use it. If using multiple gateways, it is a good practice to define one trustpoint per gateway. This is mainly because the DNS hostname is included in the signed certificate used in tunnel mode. When a user browses to the WebVPN gateway, the URL of the WebVPN gateway should match the name in the certificate, or it will flag an error, which may become bothersome for users. It is best to have a clean session establishment.

The sample below shows two WebVPN gateways, which have different addresses in the same subnet and share the same trustpoint. They can be in separate subnets, as long as the address is reachable through the public network, and the subnet corresponds to that of another interface on the device


This Discussion