Help using custom SSL cert in Aironet HTTPS web interface

Unanswered Question
Jul 29th, 2009

I spent a few hours learning how to import certificates, and I think I did OK with that part. If I use the self-signed cert when HTTPS is enabled through the web interface, HTTPS works just fine, but the second I

ip http secure-trustpoint test

I get a connection reset error in my test browsers.

ip http secure-trustpoint TP-self-signed-3349201592

doesn't fix it, it just gives me an "invalid certificate" error. I'm going to include what I did to get to where I am now, and hopefully you can see where I'm going wrong.

In Linux:

openssl genrsa -out test.key 2048

openssl req -new -nodes -key test.key -out test.csr

got CSR cert and root CA from CACert

openssl rsa -in test.key -des3 -passin pass: -out keyout.pem

password: 12345678

scp root.ca [email protected]:flash:/root.ca

scp keyout.pem [email protected]:flash:/test.key

scp test.crt [email protected]:flash:/test.crt

In Aironet IOS:

crypto ca trustpoint test

crypto ca import test pem url flash:/test 12345678

% Importing CA certificate...

Source filename [test.ca]? root.crt

Reading file from flash:root.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key

% Importing certificate PEM file...

Source filename [test.crt]?

Reading file from flash:/test% PEM files import failed.

OK, so that didn't work, but I can see that the root.crt imported at least:

show crypto ca trustpoints

Trustpoint TP-self-signed-3349201592:

Subject Name:

cn=IOS-Self-Signed-Certificate-3349201592

Serial Number: 01

Persistent self-signed certificate trust point

Trustpoint test:

Subject Name:

ea=[email protected]

cn=CA Cert Signing Authority

ou=http://www.cacert.org

o=Root CA

Serial Number: 00

Persistent self-signed certificate trust point

I then tried to import just the keypair:

crypto key import rsa test pem url flash:/test 12345678

% Importing public key or certificate PEM file...

Source filename [test.pub]? test.crt

Reading file from flash:test.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key% Key pair import succeeded.

Strangely, that worked, and now I have my keypair:

show crypto key mypubkey rsa

% Key pair was generated at: 03:39:07 GMT Jul 29 2009

Key name: BenCloud

Usage: General Purpose Key

Key is not exportable.

Key Data:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

00CAC0D9 4C79D716 140D38BF C97C1120 8A0FDCED DDDF5438 8A4BDC5C 00629676 .......

Now to apply it to the trustpoint. I also tried to mimic the self-signed TP's settings, and this is what I ended up with:

show

enrollment selfsigned

subject-name cn=CA Cert Signing Authority

revocation-check none

rsakeypair test

end

vs.

show

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3349201592

revocation-check none

rsakeypair TP-self-signed-3349201592

end

Then I tried applying this new TP to the HTTPS server:

ip http secure-trustpoint test

Which caused the error I described earlier.

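A pre-import check for the three PEM files, as an added example that is not part of the original post or of Cisco's tooling: it confirms the encrypted key opens with the passphrase given on the `crypto ca import` line, that the certificate's public key matches that key, and that the certificate chains to the CA file. It requires the openssl CLI on the Linux side; the CA and device certificate it generates are constructed throwaway material standing in for the CACert root and issued cert, and the file names follow the `<prefix>.ca` / `.prv` / `.crt` defaults shown in the import prompts above.

```shell
#!/bin/sh
# Pre-import sanity check for the three PEM files that
# "crypto ca import <tp> pem url <prefix> <pass>" reads:
# <prefix>.ca (CA cert), <prefix>.prv (private key), <prefix>.crt (device cert).
# Added example, not from the post; needs the openssl CLI on the Linux side.

# check_pem_bundle CA KEY CRT PASS: exit 0 if the bundle is consistent, 1 if not
check_pem_bundle() {
    ca=$1; key=$2; crt=$3; pass=$4
    # 1. the key must open with the passphrase given on the import command line
    openssl rsa -in "$key" -passin "pass:$pass" -noout -check >/dev/null 2>&1 \
        || { echo "key: cannot decrypt or parse with that passphrase"; return 1; }
    # 2. the certificate must carry this key's public half (same RSA modulus)
    kmod=$(openssl rsa -in "$key" -passin "pass:$pass" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "cert: public key does not match the private key"; return 1; }
    # 3. the certificate must chain to the CA file that becomes the trustpoint root
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "cert: does not verify against $ca"; return 1; }
    echo "bundle OK"
}

# make_sample_bundle DIR PASS: constructed throwaway material (a private test CA
# signing one device cert), standing in for the CACert root and issued cert.
make_sample_bundle() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/test.ca" -subj "/CN=Example Test Root CA" -days 2 2>/dev/null
    openssl genrsa -out "$dir/plain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/plain.key" -out "$dir/test.csr" \
        -subj "/CN=ap.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/test.csr" -CA "$dir/test.ca" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/test.crt" -days 2 2>/dev/null
    # encrypt the key the way the post does, so the import passphrase is exercised
    openssl rsa -in "$dir/plain.key" -des3 -passout "pass:$pass" \
        -out "$dir/test.prv" 2>/dev/null
}

# stand-alone demo: build the sample bundle and check it with the right passphrase
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir" 12345678
check_pem_bundle "$demo_dir/test.ca" "$demo_dir/test.prv" "$demo_dir/test.crt" 12345678
```

Run it against the real root.crt, keyout.pem and test.crt before copying them to flash; a failure at step 1 or 2 is a problem in the files themselves, not in the trustpoint configuration.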
carenas123 Wed, 08/05/2009 - 15:03

If the browser produces an "invalid certificate" error, delete the router's certificate from the browser's certificate store (if it was saved there), or restart the browser (if the certificate was accepted temporarily).

bwkingston Wed, 08/05/2009 - 16:24

That isn't the problem, it says "The connection was interrupted" when I use my own Trust Point.

As I said, if I disable HTTPS, then re-enable it, through the WebUI, it regenerates the self-signed keys and works just fine. I think I'm assigning the keys incorrectly, but I don't know where I'm going wrong.
