08-17-2010 07:08 PM
Hi Guys,
Wanted to know what the preferred or Cisco-accepted way is to install / configure multi-tier certificates on the SSL module. When reading the config guide, it discusses in detail how to handle a single-tier cert (i.e. just a root CA cert), however there is no real example for handling multi-tier certs (i.e. a root CA cert and an intermediate cert).
As an example, we've always installed a multi-tier cert the following way:
! Setup the main trustpoint which contains the subject name
crypto pki trustpoint DIRECTORY
enrollment terminal
fqdn directory.monash.edu.au
subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
revocation-check none
rsakeypair DIRECTORY
!
! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
enrollment terminal pem
revocation-check none
crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
enrollment terminal
revocation-check none
crl optional
!
! Enroll the trustpoint DIRECTORY to generate the CSR
crypto pki enroll DIRECTORY
! Obtain signed cert from CA (Thawte)
! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>
! Authenticate DIRECTORY-Root using the root cert
crypto pki authenticate DIRECTORY-Root
<paste root cert>
! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>
! Import signed cert against DIRECTORY
crypto pki import DIRECTORY cert
<paste signed cert>
This has always worked fine, until recently, when we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:
Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL
Hence I can't continue to install the rest of the chain. I'm going to chase this up via TAC, but I wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else.
thanks
Sheldon
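As an added example (not from this thread or from Cisco), the same three-tier layout can be checked offline with openssl before any PEM is pasted into a trustpoint: it builds a constructed root, intermediate and server certificate under made-up names, classifies each one the way the IOS message does (a CA certificate whose issuer is not itself is a subordinate CA and cannot stand alone as a trust anchor), and verifies the server cert with only the root trusted and the intermediate supplied as chain material. It assumes a POSIX shell and OpenSSL 1.1.1 or newer; it models the chain logic, not the SSLM itself.

```shell
# Added example, not from this thread: build a constructed root -> intermediate
# -> server chain with openssl and run offline chain checks. All names are made up.
set -e

# Build the three certificates into directory $1 (constructed test data).
make_chain() {
  d=$1
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:directory.example.test\n' > "$d/leaf.ext"
  for n in root int leaf; do
    case $n in root) cn="Example Root CA";; int) cn="Example Intermediate CA";; *) cn="directory.example.test";; esac
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=$cn" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root: self-signed, so subject == issuer.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate: CA:TRUE but issued by the root, i.e. a subordinate CA.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server certificate issued by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Classify a PEM certificate the way the IOS message does: a CA certificate
# whose issuer differs from its subject is a subordinate CA, so its issuer
# must already be trusted; it cannot be a trust anchor on its own.
cert_role() {
  s=$(openssl x509 -in "$1" -noout -subject); s=${s#subject=}
  i=$(openssl x509 -in "$1" -noout -issuer);  i=${i#issuer=}
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    if [ "$s" = "$i" ]; then echo root; else echo subordinate; fi
  else
    echo leaf
  fi
}

# verify_leaf ANCHOR_PEM LEAF_PEM [UNTRUSTED_PEM]: openssl's verdict with only
# ANCHOR trusted and UNTRUSTED (the intermediate) supplied as chain material.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
for n in root int leaf; do echo "$n.pem: $(cert_role "$WORK/$n.pem")"; done
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem" && echo "chain verifies with the root as anchor"
```

Verifying with the intermediate alone as the anchor fails, because openssl, like the trustpoint, needs the subordinate CA's own issuer to be trusted first.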
08-20-2010 03:42 PM
Sheldon,
Not sure if you've seen this document, but it covers an example of a multi-tiered cert install on the SSLM:
Maybe go through this step-by-step, and if you run into any problems then open a TAC case for assistance.
Good luck!
-Chip
10-04-2012 12:42 AM
Hello Sheldon, if you forget "revocation-check none" within the root trustpoint, the validation fails even if the root cert is valid. In debug crypto pki validation (IOS PKI) you can see
Oct 4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct 4 07:35:13.496: CRYPTO_PKI: Matching CRL not found
and the validation fails with
Authentication failed - could not validate certificate
br Mike
10-22-2013 04:38 AM
Hi Sridhar,
I found this link which explains "Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)":
Is this what you were looking for?
Thanks,
Rajesh.
10-25-2013 08:23 AM
Thank you for the link Suresh. The section "Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple CA installation, but when I followed this, I did the root CA installation and the cert got authenticated. I created a trustpoint for the first intermediate CA, and when I tried authenticating it, it threw me an error saying this:
Trustpoint 'XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL
I have masked the trustpoint name with XXX.
I still don't understand how to authenticate the CAs, including the root.
Sridhar