
SSLM: Configuring multi-tier certificates issues

sgonsalv
Level 1

Hi Guys,

Wanted to know what the preferred or Cisco-accepted way is to install / configure multi-tier certificates on the SSL module. When reading the config guide, it discusses in detail how to handle a single-tier cert (i.e. just a root CA cert), however there is no real example for handling multi-tier certs (i.e. a root CA cert and an intermediate cert).

As an example, we've always installed a multi tier cert the following way:

! Set up the main trustpoint, which contains the subject name
crypto pki trustpoint DIRECTORY
  enrollment terminal
  fqdn directory.monash.edu.au
  subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
  revocation-check none
  rsakeypair DIRECTORY
!
! Set up a trustpoint for the root certificate
crypto pki trustpoint DIRECTORY-Root
  enrollment terminal pem
  revocation-check none
  crl optional
!
! Set up a trustpoint for the intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
  enrollment terminal
  revocation-check none
  crl optional
!
! Enroll the trustpoint DIRECTORY to generate the CSR
! Obtain the signed cert from the CA (Thawte)
!
! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>
!
! Authenticate DIRECTORY-Root using the root cert
crypto pki authenticate DIRECTORY-Root
<paste root cert>
!
! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>
!
! Import the signed cert against DIRECTORY
crypto pki import DIRECTORY certificate
<paste signed cert>

This has always worked fine, until recently, when we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:

Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

Hence I can't continue installing the rest of the chain. I am going to chase this up via TAC, however I wanted to post this here to find out whether anything immediately sticks out to people, as far as the procedure we follow or anything else.

thanks

Sheldon
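One check that narrows a "could not validate certificate" on the intermediate trustpoint before touching the module, as an added example that is not from this thread or from Cisco: run the files through openssl offline to confirm which one is the self-signed root and that the intermediate actually validates against it, which is the same relationship the device has to build when it authenticates the intermediate. The helper names are this example's own and the demo chain is constructed inline.

```shell
#!/bin/sh
# Offline sanity check of a CA chain before it is pasted into IOS trustpoints.
# Helper names (cert_role, chain_ok, make_demo_chain) are this example's own.

# cert_role FILE: prints "root" when the cert is self-signed (subject equals
# issuer), otherwise "subordinate". Only a root can be authenticated on its
# own; a subordinate needs its issuer to be trusted first.
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo root
  else
    echo subordinate
  fi
}

# chain_ok ROOT_PEM CERT_PEM: succeeds only if CERT_PEM validates against
# ROOT_PEM. Failure here means the files, not the module config, are wrong.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_chain DIR: constructed sample material only, a throwaway
# self-signed root and an intermediate CA it signs.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/int.pem" 2>/dev/null
}

# Usage: sh chaincheck.sh root.pem intermediate.pem
if [ "$#" -eq 2 ]; then
  echo "$1: $(cert_role "$1")"
  echo "$2: $(cert_role "$2")"
  if chain_ok "$1" "$2"; then
    echo "intermediate validates against root"
  else
    echo "intermediate does NOT validate against root"
  fi
fi
```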

4 Replies

cschneid
Cisco Employee

Sheldon,

Not sure if you've seen this document, but it covers an example of installing a multi-tiered cert on the SSLM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d1c8.shtml

Maybe go through this step by step and if you run into any problems then open a TAC case for assistance.

Good luck!

-Chip

mjuch
Level 5

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint, the validation fails even if the root cert is valid. With "debug crypto pki validation" (IOS PKI) you can see

Oct  4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct  4 07:35:13.496: CRYPTO_PKI: Matching CRL not found

and the validation failed with

Authentication failed - could not validate certificate

br Mike

Hi Sridhar,

I found this link which explains "Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)":

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/2.1/configuration/guide/config.html#wp1201447

Is this what you were looking for?

Thanks,

Rajesh.

Thank you for the link, Suresh. The section "Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple CA installation, but when I followed it, I did the root CA installation and the cert got authenticated. I then created a trustpoint for the first intermediate CA and tried authenticating it, and it threw me this error:

Trustpoint 'XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

I have masked trustpoint name with XXX.

Still not understanding how to authenticate the CAs including the root.

Sridhar