SSL Cert on Cisco 3000-series concentrator...

Unanswered Question
Jul 21st, 2009

Greetings - I read an article from Cisco on this, but it was a bit confusing. Can I get some clarification? Objective: I'm trying to make it so that when I attach to the "Inside / Private" interface, my administration session is protected by a trusted SSL cert. We have no WebVPN clients at all - everyone is using the normal thin-cleint (4.x and 5.x)

I've already stepped thru the process to create a Certificate Signing Request (CSR), and I have the cert already generated & in my possession. I went to complete the pending request, and I get an error about the certificate not being part of a trusted chain. The doc I read was talking about Certificate Authorities & Identity Certificates & was confusing. I could see maybe that I'd be required to import the 'next-level-up' certificate in the trust-chain, but I still got the same error. Plus, the cert I have is "two-deep" - there's the actual Verisign root cert, then a company-wide cert against-which certs are created, then there's the cert for the FQDN that's in my posession. I just need to protect my HTTPS session into the Private interface, to administer the concentrator. Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Tue, 07/21/2009 - 07:14

OK, this might be a little bit long.

First you need to find out what certificate authority is it that you are using, you can check it by renaming the file you got as a ID cert into WHATEVERNAME.CER then opening it, you will see the certificate properties, and some other tabs, in there you go ahead and go to the "Certificate Path" Tab, now from there you will see the chaining this ID cert has, what you need to do is to go ahead and select both Subordinate (if any) and Root Cert, and click on"View Certificate" Then you go to detail and extract each of them to a folder, this is how this ID is chained, so after you do this you need to install these certificates to your Concentrator to make sure your chain is completed.

Now why this is done? Well first you need to have the whole path of certification to make this ID certificate trusted, and second sometimes you do not have the complete or correct chain which means that either a subordinate is not the right one or the Root is not the right one, to check you go ahead and check the serial number of each certificate against the one your ID chain has.

abatson Tue, 07/21/2009 - 08:12

This is publically available info, so here's what my chaining looks like:

Cert for my device (FQDN)---->NASA Operational CA ----->US Treasury Root CA

Now, at the top of the screen where you deal with the certs, I can only install one "Certificate Authority". Once I installed the one I did, the link went away, so I can't install any more. Even thought there's wording that says, "Current=1 Maximum=20" Given what's above, Do I need to install both the NASA cert, and the Treasury cert somewhere? If so, how do I install more Certificate Authorities if the 'install' link went away?

abatson Tue, 07/21/2009 - 08:23

Sorry, I was premature. I did find how to import multiple CA's, and I did so. Now, both the NASA and the Treasury CAs appear under "Certificate Authorities".

When I went to install my cert using the 'install' link under the Pending Request, it placed the newly-built cert under "Identity Certificates",and not under the "SSL Certificate" section. THis cert needs to go under the "Private" interface under "SSL Certificates" in order for me to use it the right way. Can I move it?

abatson Tue, 07/21/2009 - 11:49

ugggg.. I clicked on the link in the upper-LH portion of that screen I think. It must have mentioned SSL in some way, or I wouldn't have clicked on it. --Anyway, I see what you're talking about, the "Enroll" link at the end of the line for the "Private" interface in the "SSL Certificate" section, correct? Since my cert has already been generated, I probably have to revoke it & create a new CSR... I have to do this for all three certs I have for my three concentrators...

abatson Tue, 07/21/2009 - 12:09

--Once more, we're sure that the cert, in its current form, can't be exported in PKCS.12 format somehow, and imported directly into the Private Interface SSL area? I remember seeing briefly in the document you linked to, a way to export a certificate...

Ivan Martinon Tue, 07/21/2009 - 12:15

Oh, you will be able to export the cert with no problem, however due to one of the attributes of the CERT it will always be placed as ID certificate, believe me I have tried it.

abatson Wed, 07/22/2009 - 11:54

Very well :-) Your experience is valuable to me. At least the process for getting the certs isn't that hard to deal with. Thanks!


This Discussion