Cisco Configuration Professional ssl error

Unanswered Question
Sep 30th, 2010

I'm trying to use CCP 2.3 running on Windows XP to manage a Cisco router.

The router has a valid signed certificate and HTTPS/SSH enabled.

If I go to https://router.domain.name/ with my web browser it reports that the certificate is good.

When I try to use CCP to discover the router, since I have "connect securely" selected, CCP tries to use SSL to connect.

But Java pops up with a security certificate alert that the certificate was issued by an untrusted certificate authority.

I've checked all the cacerts files used by Java, and the certificate authority that issued the certificate is listed in cacerts.

So why is CCP complaining about a bad certificate? Where does CCP actually get its list of certificate authorities from?

Nael Mohammad Sun, 10/03/2010 - 23:05

It's a self-signed certificate, which is considered untrusted by most CA providers and browsers, which is the reason you keep getting the error message. Depending on the browser you are using, you can elect to install the certificate so the pop-up does not appear.

Here is an example from Microsoft to install SSL in IE:

http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

In Firefox:

Go to Tools > Options > Advanced > Encryption > View Certificates, on the bottom, Add Exception.

Or 

(Note: Not recommended, because all untrusted will be honored)

Type "about:config" in your URL address bar --> Navigate to: browser.xul.error_pages.expert_bad_cert --> Double-click on it (this will set it to equal True).

imanagement Mon, 10/04/2010 - 06:54

The router does not have a self-signed certificate. The router has a normal SSL certificate signed & issued by a 3rd-party certificate authority.

This certificate authority is present & trusted by both Firefox and Internet Explorer. As a result, both Firefox and Internet Explorer do not complain about the router's certificate.

The bad certificate warning is not coming from the web browser, it's from CiscoCP.

CiscoCP is based on an ancient version of Java (1.5.0.11). Java normally stores its certificate authorities in a file called cacerts.

There is a cacerts file in the C:\Program Files\Cisco Systems\CiscoCP\tools\jre1.5.0_11\lib\security\ directory.

If I look at the contents of the cacerts file using the Java keytool utility, I can see which certificate authorities are present & trusted by Java. The certificate authority that issued the router's certificate is present in the cacerts file and it is trusted.

I checked every other cacerts file on my computer, and the certificate authority that issued the router's certificate is present & trusted in the cacerts file.

So, CiscoCP must be using some other mechanism to determine what is a trusted certificate authority, but I can't figure out what CiscoCP is actually doing.
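The cacerts comparison described in the post above can be done by certificate fingerprint rather than by alias or CA name. The following is an added example, not part of the thread and not Cisco's code. It assumes the file is a standard JKS truststore opened with Java's default password `changeit`; the names `read_trusted` and `build_sample` are hypothetical, and `build_sample` only produces constructed test input.

```python
import hashlib
import struct

MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its integrity hash

def _utf(buf, pos):  # Java writeUTF string: 2-byte length, then bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _blob(buf, pos):  # 4-byte length, then bytes
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _digest(body, password):  # SHA-1 over password (UTF-16BE) + salt + file body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def read_trusted(jks, password="changeit"):
    """Return {sha1 hex of certificate: alias} for the trusted-certificate entries."""
    body = jks[:-20]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC:
        raise ValueError("not a JKS file")
    if jks[-20:] != _digest(body, password):
        raise ValueError("integrity hash mismatch: wrong password or altered file")
    pos, anchors = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        alias, pos = _utf(body, pos + 4)
        pos += 8  # skip creation timestamp
        chain = 1
        if tag == 1:  # private-key entry: skip the key, then its certificate chain
            _, pos = _blob(body, pos)
            (chain,) = struct.unpack_from(">I", body, pos)
            pos += 4
        for _ in range(chain):
            if version == 2:
                _, pos = _utf(body, pos)  # certificate type, e.g. "X.509"
            cert, pos = _blob(body, pos)
            if tag == 2:  # only trusted entries act as CA anchors
                anchors[hashlib.sha1(cert).hexdigest()] = alias
    return anchors

def build_sample(entries, password="changeit"):  # constructed test input only
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, der in entries:
        name = alias.encode("utf-8")
        body += struct.pack(">IH", 2, len(name)) + name + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + _digest(body, password)
```

Calling `read_trusted(open(path, "rb").read())` on each cacerts file and looking up the SHA-1 of the issuing CA's DER certificate shows whether that exact certificate, not merely one with the same name, is an anchor in that file.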
