Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

SSLM: Configuring multi-tier certificates issues

Hi Guys,

Wanted to know what was the preferred or Cisco accepted way to install / configure multi-tier certificates on the SSL module?  When reading the config guide, it discusses in detail how to handle a single tier cert (i.e just a root ca cert), however there is no real example for handling multi-tier certs (i.e. a root ca cert and an intermediate cert)..

As an example, we've always installed a multi tier cert the following way:

! Setup the main trustpoint which contains the subject name

crypto pki trustpoint DIRECTORY
  enrollment terminal
  fqdn directory.monash.edu.au
  subject-name C=AU, ST=Victoria, L=Clayton, O=Monash University, OU=ITS, CN=directory.monash.edu.au
  revocation-check none
  rsakeypair DIRECTORY
!

! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
  enrollment terminal pem
  revocation-check none
  crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
  enrollment terminal
  revocation-check none
  crl optional
!

! Enroll the trustpoint DIRECTORY for the CSR

! Obtain signed cert from CA (Thawte)

! Authenticate DIRECTORY-Intermediate using the intermediate cert

crypto pki authenticate DIRECTORY-Intermediate

<paste intermediate cert>

! Authenticate DIRECTORY-Root using the root cert

crypto pki authenticate HYBRID-Root

<paste root cert>

! Authenticate DIRECTORY using the root cert

crypto pki authenticate DIRECTORY

<paste root cert>

! Import signed cert against DIRECTORY

crypto pki import DIRECTORY cert

<paste signed cert>

This has always worked fine, until recently we've noticed on one of our SSL modules, that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate

Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

Hence i can't continue to install the rest of the chain.  Am going to chase this up via TAC, however i wanted to post this here just to know whether there is anything that immediately sticks out to people, as far as the procedure we follow or anything else?

thanks

Sheldon

4 REPLIES
Cisco Employee

Re: SSLM: Configuring multi-tier certificates issues

Sheldon,

Not sure if you've seen this document but it covers an example of installing a multi-tiered

cert install on the SSLM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d1c8.shtml

Maybe go through this step-by-step and if you run into any problems then open

a TAC case for assistance.

Good luck!

-Chip

Community Member

SSLM: Configuring multi-tier certificates issues

Hello Sheldon, if you forget "revocation-check none" within the root trustpoint the validation failed even the root Cert is valid. In debug (for IOS PKI) crypto pki validation you can see

Oct  4 07:35:13.496: CRYPTO_PKI: Checking certificate revocation
Oct  4 07:35:13.496: CRYPTO_PKI: Matching CRL not found

and the validation failed with

Authentication failed - could not validate certificate

br Mike

Cisco Employee

SSLM: Configuring multi-tier certificates issues

hi Sridhar,

I found this link which explains

" Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)":

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/2.1/configuration/guide/config.html#wp1201447

is this what you were looking for ?

Thanks,

Rajesh.

Community Member

SSLM: Configuring multi-tier certificates issues

Thank you for the link Suresh, the section "

Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the mulitiple CA installation, but when I followed this, I did root CA installation, the cert got authenticated. I created trustpoint for first intermediate CA and then tried authenticating it threw me an error saying this

Trustpoint "XXXXXXXX' is a subordinate CA.
Authentication failed - could not validate certificate% Error in saving certificate: status = FAIL

I have masked trustpoint name with XXX.

Still not understanding how to authenticate the CAs including the root.

Sridhar

3028
Views
0
Helpful
4
Replies
CreatePlease to create content