cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2868
Views
0
Helpful
5
Replies

Cisco Configuration Professional ssl error

imanagement
Level 1
Level 1

I'm trying to use CCP 2.3 running on windows xp to manage a cisco router.

The router has a valid signed certificate and https/ssh enabled.

If I go to https://router.domain.name/ with my web browser it reports that the certificate is good.

When I try to use CCP to discover the router, since I have "connect securely" selected, CCP tries to use ssl to connect.

But java pops up with a security certificate alert that the certificate was issued by an untrusted certificate authority.

I've checked all the cacerts files used by java, and the certificate authority that issued the certificate is listed in cacerts.

So why is CCP complaining about a bad certificate?   Where does CCP actually get its list of certificate authorities from?

5 Replies 5

Nael Mohammad
Level 5
Level 5

It's a self signed certificate which is considered untrusted by most CA providers and browsers which is the reason you keep getting the error message. Depending on the browser you are using, you elect to install the certificate so the pop up does not appear.

Here is an example from Microsoft to install SSL in IE:

http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

In Firefox:

Go to Tools > Options > Advanced > Encryption > View Certificates, on the bottom, Add Exception.

Or 

(Note: Not recommend cuz all untrusted will be honored)

Type "about:config" in your URL address bar ---> Navigate to: browser.xul.error_pages.expert_bad_cert -->Double-click on it (this will set it to equal True).

The router does not have a self-signed certificate. The router has a normal ssl certificate signed & issued by a 3rd-party certificate authority.

This certificate authority is present & trusted by both firefox and internet explorer. As a result, both firefox and internet explorer do not complain about the router's certificate.

The bad certificate warning is not coming the web browser, it's from CiscoCP.

CiscoCP is based on an ancient version of java (1.5.0.11). Java normally stores its certificate authorities in a file called cacerts.

There is a cacerts file in the C:\Program Files\Cisco Systems\CiscoCP\tools\jre1.5.0_11\lib\security\ directory.

If I look at the contents of the cacerts file using the java keytool utility, I can see which certificate authorities are present & trusted by java. The certificate authority that issued the router's certificate is present in the cacerts file and it is trusted.

I checked every other cacerts file on my computer, and the certificate authority that issued the router's certificate is present & trusted in the cacerts file.

So, CiscoCP must be using some other mechanism to determine what is a trusted certificate authority, but I can't figure out what CiscoCP is actually doing.

Can you post a screenshot of the error and the show ver of the device?

I don't have access to show ver, but it's a 1941 router with 15.0.1M3(MD).

Do you mind emailing me the signed certificate?  Who signed the certificate? What CA provider issued the SSL? 

namohamm@cisco.com

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: