SSLM: Configuring multi-tier certificates issues

Aug 17th, 2010

Hi Guys,


Wanted to know what the preferred or Cisco-accepted way to install / configure multi-tier certificates on the SSL module is. When reading the config guide, it discusses in detail how to handle a single-tier cert (i.e. just a root CA cert), however there is no real example for handling multi-tier certs (i.e. a root CA cert and an intermediate cert).


As an example, we've always installed a multi-tier cert the following way:


! Setup the main trustpoint which contains the subject name
crypto pki trustpoint DIRECTORY
  enrollment terminal
  fqdn directory.monash.edu.au
  subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
  revocation-check none
  rsakeypair DIRECTORY
!
! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
  enrollment terminal pem
  revocation-check none
  crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
  enrollment terminal
  revocation-check none
  crl optional
!
! Enroll the trustpoint DIRECTORY for the CSR
! Obtain signed cert from CA (Thawte)
!
! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>
!
! Authenticate DIRECTORY-Root using the root cert
crypto pki authenticate HYBRID-Root
<paste root cert>
!
! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>
!
! Import signed cert against DIRECTORY
crypto pki import DIRECTORY cert
<paste signed cert>


This has always worked fine, until recently we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:


Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL


Hence I can't continue to install the rest of the chain. I am going to chase this up via TAC, however I wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else?


Thanks,

Sheldon

mjuch Thu, 10/04/2012 - 00:42

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint, the validation fails even if the root cert is valid. In "debug crypto pki validation" (for IOS PKI) you can see


Oct  4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct  4 07:35:13.496: CRYPTO_PKI: Matching CRL not found


and the validation fails with


Authentication failed - could not validate certificate


br Mike

sridharlatcw Fri, 10/25/2013 - 08:23

Thank you for the link Suresh. The section "Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple CA installation, but when I followed this, I did the root CA installation and the cert got authenticated. I created a trustpoint for the first intermediate CA and then tried authenticating it; it threw me an error saying this:


Trustpoint "XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL


I have masked trustpoint name with XXX.


Still not understanding how to authenticate the CAs including the root.


Sridhar
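Both Sheldon's original procedure and Sridhar's follow-up stop at the same "is a subordinate CA" message, so here is an added example of the top-down ordering I would use on IOS PKI for a three-level chain. It is not code from the page, from Cisco's guide or from either poster; the trustpoint names ROOT-CA, SUB-CA and WEB-ID, the key label, the FQDN www.example.com and the subject-name are assumed values. What it shows is that a trustpoint holding a non-self-signed CA certificate has to name its parent trustpoint with "chain-validation continue", and that the parent must already be authenticated, so that the device can validate the intermediate against the trusted root instead of trying to validate a subordinate CA certificate on its own.

```text
! Added example (not from the page): three trustpoints, built top-down.
! Trustpoint names, key label, FQDN and subject-name are assumed values.

! 1. Root CA. It is self-signed, so it can be authenticated on its own.
!    revocation-check none avoids the "Matching CRL not found" failure
!    Mike describes when no CRL is reachable from the device.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
!
crypto pki authenticate ROOT-CA
! <paste root CA certificate, PEM, then "quit">

! 2. Intermediate CA. It is not self-signed, so the trustpoint must be
!    told which parent validates it; without this the device reports
!    "Trustpoint '...' is a subordinate CA. Authentication failed".
crypto pki trustpoint SUB-CA
 enrollment terminal pem
 revocation-check none
 chain-validation continue ROOT-CA
!
crypto pki authenticate SUB-CA
! <paste intermediate CA certificate, PEM, then "quit">

! 3. Identity trustpoint for the server certificate. It is authenticated
!    with the CA that actually issued the server certificate (the
!    intermediate) and chains to SUB-CA for validation.
crypto key generate rsa label WEB-ID modulus 2048
!
crypto pki trustpoint WEB-ID
 enrollment terminal pem
 fqdn www.example.com
 subject-name CN=www.example.com,O=Example Org,C=AU
 revocation-check none
 rsakeypair WEB-ID
 chain-validation continue SUB-CA
!
crypto pki enroll WEB-ID
! <copy the displayed CSR to the CA and obtain the signed certificate>
crypto pki authenticate WEB-ID
! <paste intermediate CA certificate, PEM, then "quit">
crypto pki import WEB-ID certificate
! <paste signed server certificate, PEM, then "quit">

! Check: every trustpoint should list a CA certificate, and WEB-ID
! should also list the server (general purpose) certificate.
show crypto pki certificates
show crypto pki trustpoints
```

The order matters more than the names: ROOT-CA is authenticated before SUB-CA, and SUB-CA before WEB-ID, because "chain-validation continue" looks up the CA certificate already stored in the parent trustpoint at authentication time. If the parent is not authenticated yet, or has no "revocation-check none" and cannot fetch a CRL, the child fails with the same "could not validate certificate" message, which "debug crypto pki validation" will show as either a missing parent or a missing CRL.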
