

Problem assigning certificate to IOS HTTPS server

I have been trying in vain to assign a certificate that I got from my Windows-based PKI to be used by the HTTPS server built into IOS routers. I'm doing this because I'm tired of the self-signed certificates that are currently there and since I have a PKI already, I might as well use it (self-signed certificates are also giving me grief with my MARS box, but that isn't directly related to this).

So, I followed Cisco's doc for configuring IOS to request a certificate from a certificate server using SCEP.  Everything goes as expected and I get a certificate on the device.  If I leave the self-signed certificate, HTTPS uses it and it works.  If I remove the self-signed certificate I can't get into the router using HTTPS.  If I blow away the certificate and create a new self-signed certificate, HTTPS works fine.

To do this, I first remove any certificates and keys that are currently in the config using "no crypto pki trustpoint <self-signed definition>" and "crypto key zeroize rsa".  Once I finish that I enter in the following:

crypto pki trustpoint certtest
     enrollment url
     ip-address FastEthernet4
     auto-enroll 90 regenerate
     password <one time password retrieved earlier from CA server>
crypto pki authenticate certtest

Once I do all this, I accept the CA certificate and a certificate automatically shows up in the router. At this point, SSH works and I think I'm good. Unfortunately HTTPS doesn't work. I've tried using "ip http secure-trustpoint certtest", but it doesn't make a difference.

I'm not sure what else to try.  It almost seems that the certificates are not right, but from what I've been able to gather from various "sho crypto pki" and "sho crypto key" commands, the certificates have the appropriate settings.  Sure hope that someone else has run into this before...


Re: Problem assigning certificate to IOS HTTPS server


After you authenticate the CA cert, enroll your router and assign the trustpoint to the HTTPS server, can you check the HTTP and PKI debugs to see what's going on in the processing of the packets?

- debug crypto pki transactions
- debug crypto pki messages
- debug crypto pki validation
- debug ip http all

Debug output might give a clue.


Re: Problem assigning certificate to IOS HTTPS server

I think I figured out the problem (with a bit of help from Cisco TAC).

By default Microsoft uses the IPSEC (Offline request) template for certificates using NDES.  This type of certificate won't work for the HTTPS server.  Instead, I needed to change the NDES General Purpose template to Web Server.  Once I did this and got a certificate, I could use it for the IOS HTTPS server.


Re: Problem assigning certificate to IOS HTTPS server

Excellent, glad it's solved now.

Indeed, the EKU (extended key usage) field of the cert can restrict the purpose of the cert, and if it's set to IPsec, then only encryption will work. Having a general (or actually server) EKU is needed for HTTPS-based operations.
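An added example to illustrate the EKU point (not from the thread, Cisco or Microsoft): it decodes a DER-encoded extendedKeyUsage value and reports whether a cert carrying it is acceptable for an HTTPS server, i.e. whether it contains serverAuth (1.3.6.1.5.5.7.3.1) or has no EKU at all. The sample EKU bytes are constructed here; the assumption that the Windows IPSEC template issues the "IP security IKE intermediate" OID (1.3.6.1.5.5.8.2.2) is mine.

```python
"""Decode an X.509 extendedKeyUsage (EKU) extension value and check whether
a certificate restricted by it can be used by an HTTPS server.

RFC 5280: EKU is SEQUENCE OF OBJECT IDENTIFIER. If the extension is absent
the key may be used for any purpose; if present, the purpose must be listed.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth (Web Server template)
IPSEC_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # assumed OID issued by the IPSEC template


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content octets (first octet packs two arcs, rest base-128)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der):
    """Return the list of dotted OIDs in a DER-encoded EKU extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    return oids


def usable_for_https_server(eku_der):
    """None means the EKU extension is absent (unrestricted); else require serverAuth."""
    return eku_der is None or SERVER_AUTH in parse_eku(eku_der)


# Constructed sample EKU values (hand-encoded DER, not taken from a real CA).
IPSEC_TEMPLATE_EKU = bytes.fromhex("300a06082b06010505080202")       # IKE intermediate only
WEB_SERVER_TEMPLATE_EKU = bytes.fromhex("300c06082b06010505070301")  # serverAuth only
```

On a real cert the EKU value can be pulled out with any ASN.1/X.509 parser and fed to parse_eku; an IPSEC-template cert will decode to the IKE-intermediate OID alone and be rejected, while a Web Server-template cert decodes to serverAuth and passes.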