Create Ipsec tunnel using digital Certificates

roeeshimrit
Level 1

Hello

I am trying to open an IPsec tunnel between two Cisco 3800 routers, using an additional 3800 router as the CA server.

Before I added the CA server everything went smoothly.

Attached are my setup, the debug commands from the CA server, and the router configuration.

It seems that the routers don't receive the certificate from the CA router (R3), because I see the certificate is pending in the status:

  #
R3#
R3#show crypto pki certificate verbose cisco
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\=RTP C\=US
  Subject:
    cn=cisco1.cisco.com L\=RTP C\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end   date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    Authority Info Access:
  Associated Trustpoints: cisco
  Storage: nvram:cisco1ciscoc#4CA.cer


R3#

I appreciate your assistance and will send additional evidence if necessary.

tx

Roee

Accepted Solution

jorgeramos78
Level 1

I haven't looked at your configuration, but according to your description it sounds like you haven't approved the pending certificate requests on your CA router. Here are the commands that you need:

To view pending requests:

   crypto pki server "CA router" info requests

To grant pending requests:

   crypto pki server "CA router" info grant all


3 Replies


Thank you very much.

In my router the commands are:

crypto pki server "cisco1"

grant auto

I recommend that you configure NTP on the CA router. Whenever you use digital certificates you need to make sure that your devices all agree on a common time, and NTP is the easiest way to do that.

It would also help if you posted the current configuration of all 3 routers.
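Pulling the advice in this thread together, here is an added example (not from the original thread or any of its posters) of the CA-side and client-side IOS configuration: NTP on all three routers, a CA server that keeps enrollment requests pending until an operator reviews them, and the exec commands used to list and grant those requests. The CA name `cisco1` and the trustpoint name `cisco` come from the thread; the hostnames, the 10.0.0.3 address for R3, the key label `r1key` and the 2048-bit key size are constructed for the example, and the exec-mode verbs shown are the IOS syntax assumed here.

```cisco
! --- CA router (R3), constructed example: time source first, then the CA ---
ntp master 3
ip http server
!
! Assumed: if an RSA key pair labelled with the server name already exists,
! the CA uses it; generate it before "no shutdown" to control the key size.
crypto key generate rsa general-keys label cisco1 modulus 2048
!
crypto pki server cisco1
 database level complete
 issuer-name CN=cisco1.cisco.com L=RTP C=US
 lifetime ca-certificate 1095
 lifetime certificate 365
 ! No "grant auto" here: every enrollment request waits for an operator.
 ! Add "grant auto" inside this block only if every host that can reach
 ! the SCEP URL is trusted to receive a certificate without review.
 no shutdown
!
! --- IPsec routers (R1 and R2), constructed example ---
! 10.0.0.3 is R3's address in this example.
ntp server 10.0.0.3
!
crypto pki trustpoint cisco
 enrollment url http://10.0.0.3:80
 subject-name CN=r1.cisco.com
 revocation-check none
 rsakeypair r1key
!
! Exec mode on R1/R2: generate the key pair, fetch the CA certificate, enroll.
! Until the CA grants the request, the router certificate shows as pending.
crypto key generate rsa general-keys label r1key modulus 2048
crypto pki authenticate cisco
crypto pki enroll cisco
!
! Exec mode on R3: review the queue, then grant by request ID (or all).
crypto pki server cisco1 info requests
crypto pki server cisco1 grant all
!
! Back on R1/R2: both certificates should now show "Available", and the
! clock should be synchronized before the validity dates are trusted.
show crypto pki certificates
show ntp status
```

Leaving `grant auto` out means the `info requests` / `grant` step is a deliberate control point rather than something that happens for any host that can reach the enrollment URL; `grant auto` is the convenient choice the original poster settled on, and either way the CA will not issue anything until the request is approved. The `show crypto pki certificate verbose` output in the post reports a 512-bit RSA key and an MD5-with-RSA signature on the CA certificate, which is why the example generates 2048-bit keys explicitly instead of relying on the defaults.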
