Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2247
Views
0
Helpful
0
Replies

How do I install CA certificate for SSL client for HTTPS with CWMP/TR.69

paul_savage
Level 1
Level 1

‎07-27-2010 05:36 AM - edited ‎03-09-2019 11:05 PM

Hi all,

I am having problems getting TR.69/CWMP to work with SSL/HTTPS to authenticate the username and pull down the correct config.  If i use HTTP all works well, but I need to secure the connection.  The issue is not so much the CWMP/TR.69 as that works if using HTTP instead of HTTPS.  I need help to install certificate onto router so that router can authenticate with the Configuration server using SSL.

I have the following requirement:

This is the CWMP/TR.69 config:

cwmp agent

enable
enable download
management server username Username
management server password 0 Password
management server url https://domain-name.domain.co.com/cwmpWeb/WGCPEMgt
!

I need to have the cisco router use the specified username and password to authenticate with the ACS server to pull down the config for the ADSL connection. The ACS Server is expecting the router to use SSL.

My question is this:


I have been given what I believe to be CA sbordinate certificate.  How do I install the CA Sub certificate so that the router has the correct credentials to authenticate with the ACS server, in that the router sends the right credentials so that the Cisco router acts as the client in the 3 way handshake and not as the server????

I have installed cert as a Trustpoint but this does not seem to work:

PKI transaction and some CWMP message debugs below when cnfigured with a Trust point.  I used this as a guide and followd steps 2 and 6, which was to create trustpoint, then authenticate the cert.  Do I need any other steps or to do this in a completely different way?

http://bytesolutions.com/Support/Knowledgebase/KB_Viewer/smid/622/ArticleID/21/reftab/195/t/Installing-GoDaddy-SSL-Certificates-on-a-Cisco-IOS-Router-using-CLI.aspx

:

thanks for taking a look.

000383: Jul 27 09:37:31.702: CRYPTO_PKI: status = 65535: failed to send out the pki message
000384: Jul 27 09:37:31.702: CRYPTO_PKI: transaction Unknown completed
000385: Jul 27 09:37:31.702: CRYPTO_PKI: Poll CRL callback
000386: Jul 27 09:37:31.702: CRYPTO_PKI: status = 106: Blocking chain verification callback received status
000387: Jul 27 09:37:31.706: CWMP: cwmp_session_response_data -> HTTP ACS Response code 0
000388: Jul 27 09:37:31.706: CWMP: cwmp_session_response_data -> HTTP ACS Response string

000398: Jul 27 09:37:37.862: CRYPTO_PKI: Identity selected (NAMEDTRUSTPOINT) for session 10013
000399: Jul 27 09:37:37.862: CRYPTO_PKI: Can not select private key (DOMAIN)
000400: Jul 27 09:37:37.862: CRYPTO_PKI: unlocked trustpoint NAMEDTRUSTPOINT, refcount is 0
000401: Jul 27 09:37:37.966: CRYPTO_PKI: Identity not specified for session 10014
000402: Jul 27 09:37:37.970: CRYPTO_PKI: Added x509 peer certificate - (1014) bytes
000403: Jul 27 09:37:37.970: CRYPTO_PKI: Added x509 peer certificate - (976) bytes
000404: Jul 27 09:37:37.974: CRYPTO_PKI: Added x509 peer certificate - (923) bytes
000405: Jul 27 09:37:37.974: CRYPTO_PKI: validation path has 2 certs

000406: Jul 27 09:37:37.974: CRYPTO_PKI: Found a issuer match
000407: Jul 27 09:37:37.974: CRYPTO_PKI: Using NAMEDTRUSTPOINT to validate certificate
000408: Jul 27 09:37:37.986: CRYPTO_PKI: Starting CRL revocation
000409: Jul 27 09:37:37.986: CRYPTO_PKI: Retreive CRL using HTTP URI
000410: Jul 27 09:37:37.986: CRYPTO_PKI: pki request queued properly
000411: Jul 27 09:37:37.986: CRYPTO_PKI: status = 0: poll CRL CRYPTO_PKI: Bypassing SCEP capabilies request 0
000412: Jul 27 09:37:37.986: CRYPTO_PKI: Requesting CRL at http://DOMAIN/NAMEDTRUSTPOINT.crl:

000413: Jul 27 09:37:37.986: CRYPTO_PKI: locked trustpoint NAMEDTRUSTPOINT, refcount is 1
000414: Jul 27 09:37:38.038: CRYPTO_PKI: http connection opened
000415: Jul 27 09:37:38.038: CRYPTO_PKI: Sending HTTP message

000416: Jul 27 09:37:38.038: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0

000417: Jul 27 09:37:43.038: %PKI-3-SOCKETSELECT: Failed to select the socket.
000418: Jul 27 09:37:43.038: CRYPTO_PKI: unlocked trustpoint NAMEDTRUSTPOINT, refcount is 0
000419: Jul 27 09:37:43.038: CRYPTO_PKI: Send HTTP header:
GET /crl.v/NAMEDTRUSTPOINT.crl HTTP/1.0

000421: Jul 27 09:37:43.038: CRYPTO_PKI: status = 65535: failed to send out the pki message
000422: Jul 27 09:37:43.038: CRYPTO_PKI: transaction Unknown completed
000423: Jul 27 09:37:43.038: CRYPTO_PKI: Poll CRL callback
000424: Jul 27 09:37:43.038: CRYPTO_PKI: status = 106: Blocking chain verification callback received status
000425: Jul 27 09:37:43.042: CWMP: cwmp_session_response_data -> HTTP ACS Response code 0
000426: Jul 27 09:37:43.042: CWMP: cwmp_session_response_data -> HTTP ACS Response string
000427: Jul 27 09:37:43.042: CWMP ERROR: cwmp_session_response_data -> HTTPC Response failed with httpc error 5
000428: Jul 27 09:37:43.042: CWMP: cwmp_https_close_connection -> Session and Connection to DOMAIN closed successfully

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents