Help using a custom SSL cert in the Aironet HTTPS web interface

Unanswered Question
Jul 29th, 2009

I spent a few hours learning how to import certificates, and I think I did ok with that part. If I use the self-signed cert when HTTPS is enabled through the web interface, HTTPS works just fine, but the second I


ip http secure-trustpoint test


I get a connection reset error in my test browsers.


ip http secure-trustpoint TP-self-signed-3349201592


doesn't fix it, it just gives me an "invalid certificate" error. I'm going to include what I did to get to where I am now, and hopefully you can see where I'm going wrong.


In Linux:


openssl genrsa -out test.key 2048


openssl req -new -nodes -key test.key -out test.csr


got the cert for the CSR and the root CA from CACert


openssl rsa -in test.key -des3 -passin pass: -out keyout.pem

password:12345678


scp root.ca [email protected]:flash:/root.ca

scp keyout.pem [email protected]:flash:/test.key

scp test.crt [email protected]:flash:/test.crt



In Aironet IOS


crypto ca trustpoint test


crypto ca import test pem url flash:/test 12345678

% Importing CA certificate...

Source filename [test.ca]? root.crt

Reading file from flash:root.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key

% Importing certificate PEM file...

Source filename [test.crt]?

Reading file from flash:/test% PEM files import failed.


ok so that didn't work, but I can see that the root.crt imported at least


show crypto ca trustpoints

Trustpoint TP-self-signed-3349201592:

Subject Name:

cn=IOS-Self-Signed-Certificate-3349201592

Serial Number: 01

Persistent self-signed certificate trust point



Trustpoint test:

Subject Name:

ea=[email protected]

cn=CA Cert Signing Authority

ou=http://www.cacert.org

o=Root CA

Serial Number: 00

Persistent self-signed certificate trust point


I then tried to import just the keypair


crypto key import rsa test pem url flash:/test 12345678

% Importing public key or certificate PEM file...

Source filename [test.pub]? test.crt

Reading file from flash:test.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key% Key pair import succeeded.


Strangely, that worked, and now I have my keypair.


show crypto key mypubkey rsa

% Key pair was generated at: 03:39:07 GMT Jul 29 2009

Key name: BenCloud

Usage: General Purpose Key

Key is not exportable.

Key Data:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

00CAC0D9 4C79D716 140D38BF C97C1120 8A0FDCED DDDF5438 8A4BDC5C 00629676 .......


Now to apply it to the trust point, I also tried to mimic the self-signed TP's settings, and this is what I ended up with


show

enrollment selfsigned

subject-name cn=CA Cert Signing Authority

revocation-check none

rsakeypair test

end


vs


show

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3349201592

revocation-check none

rsakeypair TP-self-signed-3349201592

end


Then I tried applying this new TP to the HTTPS server


ip http secure-trustpoint test


Which caused the error I described earlier

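The Linux side of the procedure above, as an added example that is not part of the original post and is not Cisco's or CACert's code: a shell script that builds the key and CSR, signs the CSR with a throwaway local root CA (constructed here as a stand-in for the CACert root, since a real CA cannot be reached offline), re-encrypts the key with DES3 under the import passphrase, and then runs the checks worth doing before anything is copied to flash: that the certificate was issued over this key, that it chains to the root that will be imported as the trustpoint's CA certificate, and that the encrypted key really opens with the passphrase given on the "crypto ca import ... pem url ..." line. File names and the passphrase are taken from the post; the subject names and the stub CA are assumptions. OpenSSL 3 writes PKCS#8 by default, so the script asks for the traditional "BEGIN RSA PRIVATE KEY" form a 2009-era OpenSSL would have emitted and falls back when that flag is unavailable.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the Linux side of the
# procedure against a throwaway local CA, then check the files before scp.
# Assumptions: file names and the passphrase come from the post; the subject
# names and the stub root CA are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="12345678"

# Steps 1-2 of the post: RSA key and CSR (-subj keeps it non-interactive).
gen_key_and_csr() {
  openssl genrsa -out "$WORK/test.key" 2048 2>/dev/null
  openssl req -new -nodes -key "$WORK/test.key" -out "$WORK/test.csr" \
    -subj "/CN=ap.example.test" 2>/dev/null
}

# Stand-in for the CACert root (constructed): a self-signed CA signs the CSR.
make_stub_ca_and_sign() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -days 30 -subj "/CN=Stub Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/test.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -out "$WORK/test.crt" 2>/dev/null
}

# Step 3 of the post: re-encrypt the key with DES3 under the import passphrase.
# OpenSSL 3 writes PKCS#8 by default; -traditional asks for the
# "BEGIN RSA PRIVATE KEY" form a 2009-era OpenSSL emitted. Older releases do
# not know the flag, so fall back to their default form.
encrypt_key() {
  openssl rsa -in "$WORK/test.key" -des3 -traditional \
    -passout "pass:$PASS" -out "$WORK/keyout.pem" 2>/dev/null ||
  openssl rsa -in "$WORK/test.key" -des3 \
    -passout "pass:$PASS" -out "$WORK/keyout.pem" 2>/dev/null
}

# Check 1: the certificate must be issued over this key (same RSA modulus).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$WORK/test.key" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$WORK/test.crt" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate must chain to the root that will be imported as the
# trustpoint's CA certificate, or the device has no issuer to validate against.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/test.crt" >/dev/null 2>&1
}

# Check 3: the key file is actually encrypted, opens with the import
# passphrase, and does not open with a wrong one.
enc_key_ok() {
  grep -q ENCRYPTED "$WORK/keyout.pem" &&
  openssl rsa -noout -in "$WORK/keyout.pem" -passin "pass:$PASS" 2>/dev/null &&
  ! openssl rsa -noout -in "$WORK/keyout.pem" -passin "pass:wrong" 2>/dev/null
}

# Whole pipeline: build the files, then run all three checks; exit status
# is 0 only when every check passes.
run_pipeline() {
  gen_key_and_csr && make_stub_ca_and_sign && encrypt_key &&
  key_matches_cert && chain_ok && enc_key_ok
}

run_pipeline && echo "files in $WORK are ready to scp: root.crt keyout.pem test.crt"
```

The three checks map onto the three prompts the import shows: root.crt for the CA certificate prompt, keyout.pem (copied to flash as test.key) for the private-key prompt, and test.crt for the certificate prompt. Running them on the workstation means a key/certificate mismatch or a wrong passphrase shows up there, rather than as a bare "% PEM files import failed." on the access point.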
carenas123 Wed, 08/05/2009 - 15:03

If the browser produces an "invalid certificate" error, delete the router's certificate from the browser's certificate store (if it was saved there), or restart the browser (if the certificate was accepted temporarily).

bwkingston Wed, 08/05/2009 - 16:24

That isn't the problem, it says "The connection was interrupted" when I use my own Trust Point.


As I said, if I disable HTTPS, then re-enable it, through the WebUI, it regenerates the self-signed keys and works just fine. I think I'm assigning the keys incorrectly, but I don't know where I'm going wrong.
