
Importing Verisign Certificate on PIX7.1

kelvindam
Level 1

Hi there,

After having imported the Verisign Intermediate CA onto my PIX, I've sent the CSR request to Verisign and gotten a certificate back. Now when I try to import the returned certificate on the PIX, I get an error:

Failed to parse or verify imported certificate

Now, I've tried clearing all certs, reauthenticate the CA etc.

Any ideas?

Is it a problem that the CA is Intermediate? Can the CSR attributes contain spaces?

PIX is running the latest version 7

Kind regards

Kelvin Dam

6 Replies

koksm
Level 1

I have got the exact same problem, tried it on 7.2.1 and 7.2.2. Also using a Verisign certificate.

Did you find the solution already?

Hi koksm,

Yeah - I got it to work. I don't know how many of these steps you have done, but here's how I did it:

RSA keys are probably already generated (also needed for SSH access), but if you ever need to reissue the cert, regenerate the RSA keys; otherwise the CSR will be exactly the same and not accepted by the 3rd-party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign
 crl optional
 enrollment terminal
 subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,EA=postmaster@domain.com

Import the root CA cert (make sure you have the correct one, preferably without an intermediate CA (RA)):

crypto ca authenticate Verisign
<paste the CA certificate here; ---BEGIN--- or ---END--- lines do not matter>
quit
INFO: Certificate has the following attributes:
Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign
% Start certificate enrollment ..
% The subject name in the certificate will be: xxxx
% The fully-qualified domain name in the certificate will be: hostname.domain.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t
aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no

Notice this is generated without ---BEGIN--- and ---END--- lines, which you do need to add when submitting the form to the 3rd-party CA.

After successful verification by the CA you'll be returned a certificate, which you can import with or without the ---BEGIN--- and ---END--- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate
% The fully-qualified domain name in the certificate will be: xxx.domain.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC
MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR
nq4BqbMitzpgxvK12hgS9ZDy62kC
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported

Make sure you activate the trustpoint either for use on all interfaces or on a specific interface using:

ssl trust-point thawte.com [interface]

One more thing - the Verisign root cert I did NOT get from their webpage, but I took the one that comes with Internet Explorer.

Hope it helps

Kdam
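Before pasting the returned certificate into crypto ca import, the checks below reproduce offline what the PIX does when it reports "Failed to parse or verify imported certificate": the pasted text decodes as an X.509 certificate (not the CSR pasted back, not a truncated copy), its issuer DN is the subject DN of the CA certificate the trustpoint was authenticated with (the root-versus-intermediate question raised in this thread), the signature verifies against that CA, and the public key is the one from the CSR (it is not if the RSA key was regenerated after enrolment). This is an added example using only the openssl command-line tool, not commands from the thread or from the PIX; the file paths are arguments you supply.

```sh
#!/bin/sh
# Offline pre-import checks for a CA-issued device certificate (added example,
# not from the thread). Requires the openssl CLI; all file paths are arguments.

# Rebuild a clean PEM file from pasted text: drops BEGIN/END marker lines
# (any line containing a dash), CR/space/tab noise and blank lines, which a
# paste from a web form or mail client often carries.
normalize_pem() {   # $1 = pasted text, $2 = output PEM file
  {
    echo '-----BEGIN CERTIFICATE-----'
    grep -v -e '-' "$1" | tr -d ' \t\r' | grep .
    echo '-----END CERTIFICATE-----'
  } > "$2"
}

# 1. The blob decodes as an X.509 certificate at all. A CSR pasted back by
#    mistake, or a truncated copy, fails here; this corresponds to the
#    "parse" half of the PIX error message.
check_parses() {   # $1 = certificate PEM
  openssl x509 -in "$1" -noout 2>/dev/null
}

# 2. The certificate's issuer DN equals the subject DN of the CA certificate
#    the trustpoint was authenticated with. If the CA signed with an
#    intermediate and the trustpoint holds only the root (or vice versa),
#    this is the mismatch behind the "verify" half of the error.
check_issuer_matches() {   # $1 = issued cert, $2 = trustpoint CA cert
  iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*= *//')
  sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^[^=]*= *//')
  [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# 3. The signature actually verifies against that CA certificate.
check_chain() {   # $1 = issued cert, $2 = trustpoint CA cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 4. The public key in the certificate is the one from the CSR. It is not if
#    'crypto key generate rsa' was re-run after enrolment, so the device
#    would not hold the matching private key.
check_key_matches() {   # $1 = issued cert, $2 = CSR PEM
  ck=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  rk=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$ck" ] && [ "$ck" = "$rk" ]
}
```

Run the four checks in order against the CA certificate you fed to crypto ca authenticate and the CSR the PIX displayed; the first one that fails names the problem.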

I guess we did the same, except...

We did use an intermediate certificate to authenticate Verisign.

Do you happen to have the root certificate?

You have it yourself, in Internet Explorer :-)

Go to Tools | Internet Options | Content | Certificates

I think it's under root certs or intermediates... hope it helps :)

Kind regards

Kelvin

Last question, :)

Indeed, I have it, but I have twelve!

Which one did you use?

Hmm, not sure - but you can contact your local Verisign support (sorted by country) and they can guide you to which cert to use.

I think I tried the first one, and was in luck

/Kdam