Problem assigning certificate to IOS HTTPS server

Unanswered Question
Aug 31st, 2010

I have been trying in vain to assign a certificate that I got from my Windows-based PKI to be used by the HTTPS server built into IOS routers.  I'm doing this because I'm tired of the self-signed certificates that are currently there and since I have a PKI already, I might as well use it (self-signed certificates are also giving me grief with my MARS box, but that isn't directly related to this).

So, I followed Cisco's doc for configuring IOS to request a certificate from a certificate server using SCEP.  Everything goes as expected and I get a certificate on the device.  If I leave the self-signed certificate, HTTPS uses it and it works.  If I remove the self-signed certificate I can't get into the router using HTTPS.  If I blow away the certificate and create a new self-signed certificate, HTTPS works fine.

To do this, I first remove any certificates and keys that are currently in the config using "no crypto pki trustpoint <self-signed definition>" and "crypto key zeroize rsa".  Once I finish that I enter in the following:

crypto pki trustpoint certtest
     enrollment url http://caserver.ca/certsrv/mscep/mscep.dll
     ip-address FastEthernet4
     auto-enroll 90 regenerate
     password <one time password retrieved earlier from CA server>
     exit
crypto pki authenticate certtest

Once I do all this, I accept the CA certificate and a certificate automatically shows up in the router.  At this point, SSH works and I think I'm good.  Unfortunately HTTPS doesn't work.  I've tried using "ip http secure-trustpoint certtest", but it doesn't make a difference.

I'm not sure what else to try.  It almost seems that the certificates are not right, but from what I've been able to gather from various "sho crypto pki" and "sho crypto key" commands, the certificates have the appropriate settings.  Sure hope that someone else has run into this before...

fadlouni Thu, 10/14/2010 - 11:14

Curtis,

After you authenticate the CA cert, enroll your router and assign the trustpoint to the HTTPS server, can you check HTTP and PKI debugs to see what's going on in the processing of the packets?

-debug crypto pki transactions

-debug crypto pki messages

-debug crypto pki validation

-debug ip http all

debug output might give a clue.

Regards,

Fadi.

curtiskobelsky Wed, 10/20/2010 - 14:19

I think I figured out the problem (with a bit of help from Cisco TAC).

By default Microsoft uses the IPSEC (Offline request) template for certificates using NDES.  This type of certificate won't work for the HTTPS server.  Instead, I needed to change the NDES General Purpose template to Web Server.  Once I did this and got a certificate, I could use it for the IOS HTTPS server.

fadlouni Thu, 10/21/2010 - 01:19

Excellent, glad it's solved now.

Indeed, the EKU (extended key usage) field of the cert can restrict the purpose of the cert, and if it's set to IPsec, then only encryption will work. Having a general (or actually server) EKU is needed for HTTPS-based operations.

Regards,

Fadi.
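The fix above comes down to one certificate field: the NDES template decides which extendedKeyUsage OIDs the issued certificate carries, and the IOS HTTPS server needs id-kp-serverAuth. The following script is an added example, not code from this thread or from Cisco: it walks the DER structure of a certificate in pure Python (no third-party modules), pulls out the EKU OIDs, and applies the RFC 5280 rule (no EKU extension means any purpose; otherwise serverAuth or anyExtendedKeyUsage is required). The certificates it inspects are constructed, unsigned stand-ins that only mimic X.509 v3 layout; the subject name and the placeholder key and signature bits are made up for the demo. The IKE-intermediate OID is what Microsoft's IPSEC (Offline request) template issues; the Web Server template issues serverAuth.

```python
# Added example (not from the thread): check a certificate's extendedKeyUsage
# and decide whether the IOS HTTPS server may use it. Sample certs are CONSTRUCTED
# and unsigned; only their ASN.1 structure is real.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth (Web Server template)
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate (IPSEC offline template)
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage
EKU_EXT = "2.5.29.37"                    # id-ce-extKeyUsage

# --- minimal DER encoder, used only to build the sample certificates ---------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_cert(eku_oids=None):
    """Structurally valid, unsigned v3 certificate; eku_oids=None omits the EKU extension."""
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"rtr1.example.test"))))  # CN (made up)
    validity = seq(tlv(0x17, b"100101000000Z"), tlv(0x17, b"110101000000Z"))
    sha256_rsa = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + b"\x00" * 8))                 # placeholder key bits
    fields = [tlv(0xA0, tlv(0x02, b"\x02")),                     # [0] version v3
              tlv(0x02, b"\x01"),                                # serialNumber
              sha256_rsa, name, validity, name, spki]
    if eku_oids is not None:
        eku = seq(oid(EKU_EXT), tlv(0x04, seq(*[oid(o) for o in eku_oids])))
        fields.append(tlv(0xA3, seq(eku)))                       # [3] extensions
    signature = tlv(0x03, b"\x00" + b"\x00" * 8)                 # placeholder, not a real signature
    return seq(seq(*fields), sha256_rsa, signature)

# --- minimal DER decoder -------------------------------------------------------
def read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                                # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def extended_key_usage(cert_der):
    """Return the list of EKU OIDs, or None when the extension is absent."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    tbs = children(cert_body)[0][1]                              # tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                                          # [3] EXPLICIT Extensions
            continue
        for _, ext_body in children(children(val)[0][1]):
            ext = children(ext_body)                             # OID, [critical], OCTET STRING
            if decode_oid(ext[0][1]) == EKU_EXT:
                inner = children(ext[-1][1])[0][1]               # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in children(inner)]
    return None

def usable_for_https_server(cert_der):
    """RFC 5280: no EKU means any purpose; otherwise serverAuth (or anyEKU) is required."""
    eku = extended_key_usage(cert_der)
    return eku is None or SERVER_AUTH in eku or ANY_EKU in eku

if __name__ == "__main__":
    for label, cert in [("IPSEC (Offline request)", build_cert([IKE_INTERMEDIATE])),
                        ("Web Server", build_cert([SERVER_AUTH])),
                        ("no EKU", build_cert())]:
        print(f"{label:24} EKU={extended_key_usage(cert)} https_ok={usable_for_https_server(cert)}")
```

To run this against a real router certificate, export it from the trustpoint ("show crypto pki certificates" prints the details; the PEM from "crypto pki export" base64-decodes to the DER this script expects) and call usable_for_https_server on the bytes before pointing "ip http secure-trustpoint" at that trustpoint.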
