installing SSL certificates

Unanswered Question
Jul 21st, 2009

I have:

- Comodo root certificate (UTN-USERFirst-Hardware.cer)

- RBC certificate signed by Comodo (RBCHCHighAssuranceServices.crt)

- My wildcard certificate (*.company.com) signed by RBC (RBC HC Wildcard Certificate.crt)

Help me to install this certificate chain on router (3825) to provide secure trusted access to router (https) and SSLVPN service.

Have anyone step-by-step instruction?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Roman Rodichev Tue, 07/21/2009 - 22:09

Hello Sergey,

try this:

crypto pki trustpoint sslvpncert

enrollment terminal

fqdn none

subject-name cn=*.company.com,etc (<== whatever the subject name that was used for creating your wildcard cert)

revocation-check crl

!

crypto pki authenticate sslvpncert

If your Comodo's CER file is in DER format (not BASE64), you can simply export COMODO's root certificate from Internet Explorer using BASE64 format

!

crypto pki import sslvpncert certificate

If I'm not mistaken, you need the PKCS12 certificate that includes the private/public key pair in it (since you are using a wildcard certificate). Normally, you'd create private/public key pair in IOS, generate CSR and then submit it to cert vendor, but in your case your certificate should include the key pair. I don't remember if that can be included with a BASE64 CRT file, or if you need PKCS12 file (.p12 extension). You are probably ok with your CRT file.

webvpn gateway ssl

hostname hostname.company.com

ip address port 443

http-redirect port 80

ssl trustpoint sslvpncert

inservice

!

webvpn install svc flash:anyconnect.pkg

!

webvpn context sslvpn

ssl authenticate verify all

policy group sslvpn

functions svc-required

svc address-pool "svc-pool"

svc keep-client-installed

default-group-policy sslvpn

aaa authentication list sslvpn

gateway ssl

inservice

!

ip local pool svc-pool 172.16.2.1 172.16.2.253

!

aaa new-model

aaa authentication login sslvpn local

!

ip http secure-server

ip http secure-trustpoint sslvpncert

Regards,

Roman

SergeySokolov Wed, 07/22/2009 - 01:23

Hello Roman!

Problem in certificate import.

At attempt of import I receive:

c3825(config)#crypto pki import sslvpncert certificate

% The fully-qualified domain name will not be included in the certif

Enter the base 64 encoded certificate.

End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIE+DCCA+CgAwIBAgIRAOqOboD0WyGK7GkHS3kiWjowDQYJKoZIhvcNAQEFBQAw

...........

-----END CERTIFICATE-----

Cannot import certificate -

Certificate does not contain router's General Purpose public key

for trust point sslvpncert

% Failed to parse or verify imported certificate

Roman Rodichev Wed, 07/22/2009 - 12:14

That's what I was worried about. If I'm not mistaken (and I easily could be!), wildcard certificate is supposed to include the private/public key pair (password protected) if you want to import it on 2nd, 3rd, etc device. Only the first device that CSR was generated on has the original public/private key pair.

I've setup a few SSL VPN boxes with wildcard certificates (required for ASA vpn load balancing), and I usually generated the key pair right on the box (IOS/ASA), then create the CSR on the box (IOS/ASA), submit it to the cert vendor, and get the CRT file from them. I think that CRT file doesn't include the key pair, because my CSR doesn't include the key pair either. I simply import the certificate and everything is working because private/public key pair is already on the box.

I suspect that since you already have this wildcard certificate, you (or someone else) must have generated the public/private key pair and the CSR on some other device already. I don't believe that you can request wildcard certificate without having a CSR, and you can't have a CSR without a public/private key pair. If that is the case, you actually need to go to that device (could be a windows server for example), or in fact any device that this wildcard certificate is already installed on, and you have to export it in PKCS12 format (.p12 extension) which will include the certificate and the private/public key pair. You can then import it to your IOS device (see #3 below).

I suspect that someone simply gave you the .CER file they received from CA. Instead, they should have exported the installed certificate from their device in PKCS12 format (.p12).

If I'm wrong, and your IOS device is the first device generating this certificate, then follow the instructions below.

By the way, I believe that you can have multiple different wildcard certificates generated based on different public/private key pairs. The question is why spend all that $

Here is what I think needs to be done if you want to generate new (and pay for it) wildcard certificate.

1. You have to generate the public/private key pair on some device first. Your IOS router could be the first device that needs the wildcard cert to generate this key pair.

hostname(config)# crypto key generate rsa label SSLVPN modulus 1024

2. Recreate trustpoint. Authenticate using ROOT CA. Genereate CSR on your IOS router (now you have to specify keypair under trustpoint).

no crypto pki trustpoint sslvpncert

crypto pki trustpoint sslvpncert

enrollment terminal

fqdn none

subject-name CN=*.company.com,OU=Department,O=Company,C=RU,St=State,L=City

revocation-check crl

rsakeypair SSLVPN

!

crypto pki authenticate sslvpncert

!

crypto pki enroll sslvpncert

3. Next you'll have to resubmit CSR to your cert vendor or to your CA. If it's your internal CA, I assume you don't have to pay. You will need to get a new certificate using the new public/private key pair. Once you get the CRT file, import it, it should work this time:

crypto pki import sslvpncert certificate

4. You're done. Now, if you want some other device on your network to use this wildcard certificate, you can export your IOS certificate to flash: using PKCS12 format:

crypto pki export sslvpncert pkcs12 flash:

It will ask you to password protect it. This certificate will include the private/public key pair that was originally generated on your IOS device. You can then use this .p12 file and import it on another device.

Please let me know if you figure this out.

Regards,

Roman

SergeySokolov Wed, 07/22/2009 - 13:23

I start to understand.

Roman, you are right. The CRS was generated by me on Linux Box. So I have *.key file contained:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type:4,ENCRYPTED DEK-Info: DES-EDE3-CBC,519C207C84495599

yZEW3wsoFI4efCYTeZ1h1SjqVS1cFxgTYIcdsLCvC

....

-----END RSA PRIVATE KEY-----

I do not paid attention to this fact.

So I will try to export this key to router and reimport certificates.

Actions

This Discussion