SSLM: Configuring multi-tier certificates issues

Unanswered Question
Aug 17th, 2010

Hi Guys,

Wanted to know what the preferred or Cisco-accepted way is to install / configure multi-tier certificates on the SSL module? When reading the config guide, it discusses in detail how to handle a single-tier cert (i.e. just a root CA cert), however there is no real example for handling multi-tier certs (i.e. a root CA cert and an intermediate cert).

As an example, we've always installed a multi-tier cert the following way:

! Set up the main trustpoint, which carries the subject name
crypto pki trustpoint DIRECTORY
  enrollment terminal
  subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS,
  revocation-check none
  rsakeypair DIRECTORY

! Set up a trustpoint for the root certificate
crypto pki trustpoint DIRECTORY-Root
  enrollment terminal pem
  revocation-check none
  crl optional

! Set up a trustpoint for the intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
  enrollment terminal
  revocation-check none
  crl optional

! Enrol the trustpoint DIRECTORY to produce the CSR

! Obtain the signed cert from the CA (Thawte)

! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>

! Authenticate DIRECTORY-Root using the root cert
crypto pki authenticate DIRECTORY-Root
<paste root cert>

! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>

! Import the signed cert against DIRECTORY
crypto pki import DIRECTORY cert
<paste signed cert>

This has always worked fine, until recently, when we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:

Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

Hence I can't continue to install the rest of the chain. I am going to chase this up via TAC, however I wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else?



mjuch Thu, 10/04/2012 - 00:42

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint, the validation fails even if the root cert is valid. In debug crypto pki validation (for IOS PKI) you can see

Oct  4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct  4 07:35:13.496: CRYPTO_PKI: Matching CRL not found

and the validation fails with

Authentication failed - could not validate certificate

br Mike
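The two validation behaviours described above (a subordinate CA certificate that cannot be validated until its issuer is trusted, and a validation that fails when revocation checking is on but no CRL can be found) can be reproduced outside the SSL module with openssl. The script below is an added example, not part of this thread and not Cisco's procedure: it builds a constructed three-level chain (root CA, intermediate CA, server certificate) and runs the equivalent checks with openssl verify. It assumes the openssl command-line tool is installed; every subject name and file name is made up.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed three-level chain
# with openssl and check which validations succeed. All names are made up.

OPENSSL=${OPENSSL:-openssl}

# Extension profiles for the two CA certificates and the end-entity certificate.
write_extfiles() {
    cat > "$1/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat > "$1/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
}

# Key and CSR for one name: $1 = directory, $2 = file stem, $3 = CN.
make_csr() {
    "$OPENSSL" req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Create root.crt, int.crt and leaf.crt in directory $1.
build_chain() {
    dir=$1
    write_extfiles "$dir"
    make_csr "$dir" root "Constructed Root CA"
    make_csr "$dir" int  "Constructed Intermediate CA"
    make_csr "$dir" leaf "directory.example.test"
    # Root: self-signed CA certificate.
    "$OPENSSL" x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
    # Intermediate: CA certificate signed by the root.
    "$OPENSSL" x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" >/dev/null 2>&1
    # Leaf: server certificate signed by the intermediate.
    "$OPENSSL" x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Each check returns 0 when openssl accepts the certificate, non-zero otherwise.

# The intermediate validates once its issuer, the root, is trusted.
verify_intermediate_with_root() {
    "$OPENSSL" verify -CAfile "$1/root.crt" "$1/int.crt" >/dev/null 2>&1
}

# With no trusted root at all, the subordinate CA cannot be validated: the
# openssl analogue of "is a subordinate CA ... could not validate certificate".
verify_intermediate_without_root() {
    "$OPENSSL" verify -no-CAfile -no-CApath "$1/int.crt" >/dev/null 2>&1
}

# Revocation checking on, but no CRL available: validation fails although the
# root is trusted and the signature is good (compare "Matching CRL not found").
verify_intermediate_with_crl_check() {
    "$OPENSSL" verify -CAfile "$1/root.crt" -crl_check "$1/int.crt" >/dev/null 2>&1
}

# The server certificate validates with the root trusted and the intermediate
# supplied as an untrusted chain element.
verify_leaf_with_chain() {
    "$OPENSSL" verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

report() { if "$1" "$2"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"
report verify_intermediate_with_root "$WORK"
report verify_intermediate_without_root "$WORK"
report verify_intermediate_with_crl_check "$WORK"
report verify_leaf_with_chain "$WORK"
```

Read the four results against the thread: the intermediate only validates when its issuer is already trusted, so a root must be established before a subordinate CA can be checked against it, and turning revocation checking on without a reachable CRL breaks validation even with a perfectly valid root, which is the effect "revocation-check none" on the root trustpoint avoids.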

sridharlatcw Fri, 10/25/2013 - 08:23

Thank you for the link Suresh. The section "Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple CA installation, but when I followed this, I did the root CA installation and the cert got authenticated. I then created a trustpoint for the first intermediate CA, and when I tried authenticating it, it threw me an error saying this:

Trustpoint 'XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

I have masked the trustpoint name with XXX.

Still not understanding how to authenticate the CAs including the root.


