SSL Certificates for Cisco IOS SSL VPN (2911) - Dual intermediate CAs (Thawte)

Good Afternoon,

I have been struggling to install the Thawte SSL123 certificate onto my Cisco IOS Router (2911) for use with the SSL VPN feature. After hours of testing and debugging I have found the issue.

Thawte have recently made it so that two intermediate certificates are required in order to validate the signed certificate. This means that creating just one trustpoint within the IOS no longer works. It will error stating that the certificate has not been signed by an authority; this is because the chain is invalid and the router will only be passing the signed SSL certificate to the client without the intermediates.

To overcome this, you need to create two trustpoints within the IOS software, install the two intermediate certificates, link the trustpoints together and finally import your signed SSL certificate. Below are instructions on how to perform this:

(please note, I have used Thawte's name as that is what I configured my box with - you can replace the trustpoint names with whatever is applicable)

1/ Create two trustpoints and link the secondary with the primary

crypto ca trustpoint thawte.int.prim
 enrollment terminal
 rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
 exit

crypto ca trustpoint thawte.int.sec
 enrollment terminal
 subject-name CN=(HOSTNAME OF CLIENT),OU=(INSERT),O=(INSERT),C=(INSERT),ST=(INSERT),L=(INSERT)
 rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
 chain-validation continue thawte.int.prim
 exit

2/ Authenticate the primary trustpoint with Thawte's primary intermediate CA and the secondary trustpoint with Thawte's secondary intermediate CA

crypto ca authenticate thawte.int.prim
(COPY AND PASTE PRIMARY CA CERTIFICATE)
quit

crypto ca authenticate thawte.int.sec
(COPY AND PASTE SECONDARY CA CERTIFICATE)
quit

3/ Import your signed SSL certificate into the secondary trustpoint

crypto ca import thawte.int.sec certificate
(COPY AND PASTE SIGNED SSL CERTIFICATE)

4/ Ensure that your webvpn gateway uses the SECONDARY trustpoint

webvpn gateway (SSL VPN GATEWAY)
 ssl trustpoint thawte.int.sec

SSL chain validation now works and passes the complete chain to the client, which, in effect, authenticates the client.

Hope this helps anyone - as I have significantly less hair than I did when I first came into the office this morning. To the coffee machine!

All the best,

Tim

Last update: 02-24-2011 05:11 AM
Comments

Works great; I did need to re-add the ssl trustpoint to the gateway, reload the router and import the certificate again, but other than that no problems.

New Member

The above information is incorrect. Cisco IOS does not support presenting a multi-tier (complete) chain to the end user during the SSL process; see bug id: CSCuc17466

NB! It does support validation of a chain; that's what the above commands do.

New Member

The last info that I submitted was incomplete - Cisco says that this is working as described in the RFC, which says that the last certificate in the chain may be omitted. The funny thing is that this is different from the ASA default SSL VPN behaviour, which sends all certificates in the chain.

If you need to get the IOS router to send two intermediate certificates, you also need to add the certificate that authenticated the last intermediate. In the Thawte case you need to install a total of 4 certificates:

  • trustpoint sslgw - with 2 certificates (your_router_cer + thawte_ssl_ca)
  • trustpoint primary - with certificate thawte_primary_root_ca
  • trustpoint premium - with certificate thawte_premium_server_ca

It's a 4-cert chain, but the IOS router excludes the last cert.

You can verify this:

NB! I had a huge problem when playing with certificates and trustpoints: for some strange reason, modifying (even deleting) trustpoints didn't have any effect on the user end. Changes were seen from the user end when I changed the "ssl trustpoint" name associated under "webvpn gateway" to something else for a second and then back.

P.S. chain-validation does not have any effect on how the router's SSL VPN presents certificates. I had it pointing to a deleted trustpoint and the gateway still sent the correct chain.
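As an added example (not from the original post or any of the comments), the following shell script builds a constructed four-certificate chain like the one described above (root, primary intermediate, secondary intermediate, gateway certificate; all names and the hostname are made up) with OpenSSL, then checks the way a VPN client would which sets of certificates sent by the gateway let the chain validate: the gateway certificate alone fails (the original symptom), both intermediates are needed, and the root may be left out as the later comment describes. It assumes only that the `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Constructed demo chain: root -> primary -> secondary -> server (the SSL VPN gateway cert).
# Mirrors the 4-certificate Thawte chain discussed in the thread; every name here is made up.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# minimal req config so the example does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:sslvpn.example.test\n' > "$WORK/server.ext"

# issue <name> signed by <issuer> ("self" = self-signed) using extension file <ext>
issue() {
  name="$1"; issuer="$2"; ext="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" -subj "/CN=$name" \
    -config "$WORK/req.cnf" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
      -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}
issue root self "$WORK/ca.ext"
issue primary root "$WORK/ca.ext"
issue secondary primary "$WORK/ca.ext"
issue server secondary "$WORK/server.ext"

# Validate the server certificate as a VPN client does: root is the only trusted anchor, and
# the arguments are the extra certificates the gateway sent alongside its own.
# Prints "ok" when the chain builds and "fail" when an issuer is missing.
chain_check() {
  untrusted="$WORK/untrusted.pem"; : > "$untrusted"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$untrusted"; done
  if [ -s "$untrusted" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$untrusted" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "gateway sends server cert only:      $(chain_check)"                   # fail (one-trustpoint setup)
echo "gateway sends secondary only:        $(chain_check secondary)"         # fail (primary missing)
echo "gateway sends primary + secondary:   $(chain_check primary secondary)" # ok  (root may be omitted)
```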