Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1802
Views
0
Helpful
3
Replies

Problem assigning certificate to IOS HTTPS server

curtiskobelsky
Level 1
Level 1

‎08-31-2010 04:21 PM

I have been trying in vein to assign a certificate that I got from my Windows based PKI to be used by the HTTPS server built into IOS routers.  I'm doing this because I'm tired of the self signed certificates that are currently there and since I have a PKI already, I might as well use it (self signed certificates are also giving me grief with my MARS box, but that isn't directly related to this).

So, I followed Cisco's doc for configuring IOS to request a certificate from a certificate server using SCEP.  Everything goes as expected and I get a certificate on the device.  If I leave the self-signed certificate, HTTPS uses it and it works.  If I remove the self-signed certificate I can't get into the router using HTTPS.  If I blow away the certificate and create a new self-signed certificate, HTTPS works fine.

To do this, I first remove any certificates and keys that are currently in the config using "no crypto pki trustpoint <self-signed definition>" and "crypto key zeroize rsa".  Once I finish that I enter in the following:

crypto pki trustpoint certtest
     enrollment url http://caserver.ca/certsrv/mscep/mscep.dll
     ip-address FastEthernet4
     auto-enroll 90 regenerate
     password <one time password retrieved earlier from CA server>
     exit
crypto pki authenticate certtest

Once I do all this, I accept the CA certificate and a certificate automatically shows up in the router.  At this point, SSH works and I think I'm good.  Unfortuantely HTTPS doesn't work.  I've tried using "ip http secure-trustpoint certtest", but it doesn't make a difference.

I'm not sure what else to try.  It almost seems that the certificates are not right, but from what I've been able to gather from various "sho crypto pki" and "sho crypto key" commands, the certificates have the appropriate settings.  Sure hope that someone else has run into this before...

Labels:
0 Helpful
3 Replies 3

fadlouni
Level 1
Level 1

‎10-14-2010 11:14 AM

Curtis,

after you authenticate the ca cert, enroll your router and assign the trustpoint to the https server, can you check http and pki debugs to see what's going in the processing of the packets?

-debug crypto pki transactions

-debug crypto pki messages

-debug crypto pki validation

-debug ip http all

debug output might give a clue.

Regards,

Fadi.

0 Helpful

curtiskobelsky
Level 1
Level 1
In response to fadlouni

‎10-20-2010 02:19 PM

I think I figured out the probelm (with a bit of help from Cisco TAC).

By default Microsoft uses the IPSEC (Offline request) template for certificates using NDES.  This type of certificate won't work for the HTTPS server.  Instead, I needed to change the NDES General Purpose template to Web Server.  Once I did this and got a certificate, I could use it for the IOS HTTPS server.

0 Helpful

fadlouni
Level 1
Level 1
In response to curtiskobelsky

‎10-21-2010 01:19 AM

excellent, glad it's solved now.

indeed the EKU (extended key usage) field of the cert can restrict the purpose of the cert. and if it's set to ipsec, then only encryption will work. having a general (or actually server) EKU is needed for https based operations.

Regards,

Fadi.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents