Cisco Support Community

installing SSL certificates

I have:

- Comodo root certificate (UTN-USERFirst-Hardware.cer)

- RBC certificate signed by Comodo (RBCHCHighAssuranceServices.crt)

- My wildcard certificate (* signed by RBC (RBC HC Wildcard Certificate.crt)

Help me install this certificate chain on a router (3825) to provide secure, trusted access to the router (https) and to the SSLVPN service.

Does anyone have step-by-step instructions?


Re: installing SSL certificates

Hello Sergey,

try this:

crypto pki trustpoint sslvpncert
 enrollment terminal
 fqdn none
 subject-name cn=*,etc   (<== whatever subject name was used when creating your wildcard cert)
 revocation-check crl


crypto pki authenticate sslvpncert

If your Comodo CER file is in DER format (not Base64), you can simply export Comodo's root certificate from Internet Explorer in Base64 format.


crypto pki import sslvpncert certificate

If I'm not mistaken, you need the PKCS12 certificate that includes the private/public key pair in it (since you are using a wildcard certificate). Normally you'd create the private/public key pair in IOS, generate a CSR and then submit it to the cert vendor, but in your case your certificate should include the key pair. I don't remember whether that can be included in a Base64 CRT file, or whether you need a PKCS12 file (.p12 extension). You are probably OK with your CRT file.

webvpn gateway ssl
 ip address port 443
 http-redirect port 80
 ssl trustpoint sslvpncert
 ! the gateway does not listen until it is put in service
 inservice



webvpn install svc flash:anyconnect.pkg


webvpn context sslvpn
 ssl authenticate verify all
 policy group sslvpn
  functions svc-required
  svc address-pool "svc-pool"
  svc keep-client-installed
 default-group-policy sslvpn
 aaa authentication list sslvpn
 gateway ssl
 ! the context is ignored until it is put in service
 inservice



ip local pool svc-pool


aaa new-model
aaa authentication login sslvpn local

ip http secure-server
ip http secure-trustpoint sslvpncert



Re: installing SSL certificates

Hello Roman!

The problem is in the certificate import.

When attempting the import I get:

c3825(config)#crypto pki import sslvpncert certificate
% The fully-qualified domain name will not be included in the certif
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

Cannot import certificate -
Certificate does not contain router's General Purpose public key
for trust point sslvpncert
% Failed to parse or verify imported certificate

Re: installing SSL certificates

That's what I was worried about. If I'm not mistaken (and I easily could be!), a wildcard certificate is supposed to include the private/public key pair (password protected) if you want to import it on a 2nd, 3rd, etc. device. Only the first device the CSR was generated on has the original public/private key pair.

I've set up a few SSL VPN boxes with wildcard certificates (required for ASA VPN load balancing), and I usually generated the key pair right on the box (IOS/ASA), then created the CSR on the box (IOS/ASA), submitted it to the cert vendor, and got the CRT file from them. I think that CRT file doesn't include the key pair, because my CSR doesn't include the key pair either. I simply import the certificate and everything works because the private/public key pair is already on the box.

I suspect that since you already have this wildcard certificate, you (or someone else) must have generated the public/private key pair and the CSR on some other device already. I don't believe that you can request a wildcard certificate without having a CSR, and you can't have a CSR without a public/private key pair. If that is the case, you actually need to go to that device (it could be a Windows server, for example), or in fact any device that this wildcard certificate is already installed on, and export it in PKCS12 format (.p12 extension), which will include the certificate and the private/public key pair. You can then import it to your IOS device (see #3 below).

I suspect that someone simply gave you the .CER file they received from the CA. Instead, they should have exported the installed certificate from their device in PKCS12 format (.p12).

If I'm wrong, and your IOS device is the first device generating this certificate, then follow the instructions below.

By the way, I believe that you can have multiple different wildcard certificates generated from different public/private key pairs. The question is why spend all that $

Here is what I think needs to be done if you want to generate a new (and pay for it) wildcard certificate.

1. You have to generate the public/private key pair on some device first. Your IOS router could be the first device that needs the wildcard cert to generate this key pair.

hostname(config)# crypto key generate rsa label SSLVPN modulus 1024
! public CAs now require an RSA modulus of at least 2048 bits

2. Recreate the trustpoint. Authenticate using the ROOT CA. Generate the CSR on your IOS router (now you have to specify the keypair under the trustpoint).

no crypto pki trustpoint sslvpncert
crypto pki trustpoint sslvpncert
 enrollment terminal
 fqdn none
 subject-name CN=*,OU=Department,O=Company,C=RU,St=State,L=City
 revocation-check crl
 rsakeypair SSLVPN

crypto pki authenticate sslvpncert
crypto pki enroll sslvpncert

3. Next you'll have to resubmit the CSR to your cert vendor or to your CA. If it's your internal CA, I assume you don't have to pay. You will need to get a new certificate using the new public/private key pair. Once you get the CRT file, import it; it should work this time:

crypto pki import sslvpncert certificate

4. You're done. Now, if you want some other device on your network to use this wildcard certificate, you can export your IOS certificate to flash: using PKCS12 format:

crypto pki export sslvpncert pkcs12 flash:

It will ask you to password protect it. This certificate will include the private/public key pair that was originally generated on your IOS device. You can then use this .p12 file and import it on another device.

Please let me know if you figure this out.



Re: installing SSL certificates

I'm starting to understand.

Roman, you are right. The CSR was generated by me on a Linux box. So I have a *.key file containing:

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,519C207C84495599

I did not pay attention to this fact.

So I will try to export this key to the router and reimport the certificates.
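The import error earlier in the thread ("Certificate does not contain router's General Purpose public key") is IOS saying that the key pair behind the certificate is not on the router, and the last post's plan is to move the OpenSSL-made key over. The script below is an added example, not code from the thread or from Cisco: it assumes the openssl CLI on the Linux box where the CSR was made, uses hypothetical file names (router.key, router.crt, ca.crt, router.p12), checks that a passphrase-protected key really belongs to a certificate before anything is sent to the router, and then bundles key, certificate and chain into one password-protected PKCS#12 file. The fixture generator builds a throwaway root CA and wildcard cert so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the openssl CLI is installed
# (the key in the last post was made with it). All file names are hypothetical.
set -e

# Prints "yes" if the private key and the certificate carry the same public key.
# IOS rejects an end-entity certificate whose key pair is not on the box, so
# this is the check to run on the Linux side before touching the router.
key_matches_cert() {
    key="$1"; cert="$2"; keypass="$3"
    # Wrong passphrase or unreadable key: treat as a mismatch, not a crash.
    k=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout 2>/dev/null) \
        || { echo no; return 0; }
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
        || { echo no; return 0; }
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Bundles the private key, the wildcard certificate and the issuing chain into
# one password-protected PKCS#12 file, then reads it back and prints how many
# private keys it contains (must be exactly 1).
make_p12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; keypass="$5"; p12pass="$6"
    openssl pkcs12 -export -inkey "$key" -passin "pass:$keypass" \
        -in "$cert" -certfile "$chain" -name sslvpncert \
        -out "$out" -passout "pass:$p12pass" 2>/dev/null
    openssl pkcs12 -in "$out" -passin "pass:$p12pass" -nodes -nocerts \
        2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}

# Constructed fixtures standing in for the files in the thread: a throwaway
# root CA, a passphrase-protected key plus a wildcard certificate issued by
# that CA, and an unrelated key. Prints the directory they were written to.
demo_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=Test Root CA" -days 1 2>/dev/null
    openssl genrsa -aes256 -passout pass:secret -out "$d/router.key" 2048 2>/dev/null
    openssl req -new -key "$d/router.key" -passin pass:secret \
        -subj "/CN=*.example.test/O=Example" -out "$d/router.csr" 2>/dev/null
    openssl x509 -req -in "$d/router.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/router.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

# Stand-alone demonstration: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(demo_fixtures)
    echo "right key:   $(key_matches_cert "$d/router.key" "$d/router.crt" secret)"
    echo "wrong key:   $(key_matches_cert "$d/other.key" "$d/router.crt" secret)"
    echo "keys in p12: $(make_p12 "$d/router.key" "$d/router.crt" "$d/ca.crt" "$d/router.p12" secret p12pass)"
fi
```

Copy the resulting .p12 to the router's flash and load it with `crypto pki import sslvpncert pkcs12 flash:router.p12 password <p12pass>`; that one command installs the key pair and the certificate chain under the trustpoint, so the separate `authenticate` and `import certificate` steps are not needed. If the router rejects the file, re-export it with `-legacy` (OpenSSL 3 defaults to AES/PBKDF2 inside the bundle, which older IOS images do not parse). The .p12 carries the private key, so delete it from flash and from any intermediate host once the import succeeds.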