New Member

Create Ipsec tunnel using digital Certificates

                   Hello

I am trying to open an IPSEC tunnel between 2 Cisco 3800 Routers, using an additional 3800 Router as CA server.

Before I added the CA server everything went smoothly.

Attached are my setup, the debug commands from the CA server, and the router configuration.

It seems that the routers don't receive the certificate from the CA Router (R3), because I see Certificate is pending in the status:

R3#show crypto pki certificate verbose cisco
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\=RTP C\=US
  Subject:
    cn=cisco1.cisco.com L\=RTP C\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end   date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    Authority Info Access:
  Associated Trustpoints: cisco
  Storage: nvram:cisco1ciscoc#4CA.cer


R3#

Appreciate your assistance and I will send additional evidence if necessary

tx

Roee

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Create Ipsec tunnel using digital Certificates

I haven't looked at your configuration, but according to your description it sounds like you haven't approved the pending certificate requests on your CA router. Here are the commands that you need:

To view pending requests:

   crypto pki server "CA router" info requests

To grant pending requests:

   crypto pki server "CA router" grant all

3 REPLIES
New Member

Re: Create Ipsec tunnel using digital Certificates

Thank you very much

In my router the commands are :

crypto pki server "cisco1"

grant auto

New Member

Re: Create Ipsec tunnel using digital Certificates

I recommend that you configure NTP on the CA router. Whenever you use digital certificates you need to make sure that your devices all agree on a common time, and NTP is the easiest way to do that.


It would also help if you posted the current configuration of all 3 routers.
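As an added illustration, not part of this thread and not Cisco tooling, the following Python script parses the `show crypto pki certificate verbose` output quoted in the original post and reports what an operator would check before trusting that CA: the certificate status (the pending state discussed in the accepted answer), whether the device clock falls inside the validity window (the NTP point raised in the last reply), and the key size and signature hash. The sample output embedded in the script is copied from the post; the thresholds (2048-bit minimum, MD5/SHA1 treated as deprecated) and the `utc()` helper are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CA certificate output quoted in the original post.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\\=RTP C\\=US
  Subject:
    cn=cisco1.cisco.com L\\=RTP C\\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end   date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  X509v3 extensions:
    X509v3 Basic Constraints:
        CA: TRUE
  Associated Trustpoints: cisco
"""

# Assumed review thresholds (not from the thread).
MIN_RSA_BITS = 2048
WEAK_HASH_TOKENS = ("MD5", "SHA1")

DATE_FMT = "%H:%M:%S %b %d %Y"  # IOS prints "10:12:13 UTC Sep 8 2013"


def utc(year, month, day, hour=0):
    """Helper for building a UTC 'device clock' value."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def _parse_ios_date(s):
    # Drop the timezone token ("UTC") and parse the rest; IOS always prints UTC here.
    parts = s.split()
    naive = datetime.strptime(" ".join(parts[:1] + parts[2:]), DATE_FMT)
    return naive.replace(tzinfo=timezone.utc)


def parse_ios_cert(text):
    """Pull the trust-relevant fields out of 'show crypto pki certificate verbose' output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError("field not found: %s" % pattern)
        return m.group(1).strip()

    return {
        "status": grab(r"^\s*Status:\s*(.+)$"),
        "key_bits": int(grab(r"RSA Public Key:\s*\((\d+) bit\)")),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(.+)$"),
        "not_before": _parse_ios_date(grab(r"start date:\s*(.+)$")),
        "not_after": _parse_ios_date(grab(r"end\s+date:\s*(.+)$")),
        "is_ca": grab(r"CA:\s*(TRUE|FALSE)") == "TRUE",
    }


def assess(cert, now):
    """Return a list of findings for the certificate as seen from a device whose clock reads 'now'."""
    findings = []
    if cert["status"] != "Available":
        # A router whose own cert shows 'Pending' is still waiting for the CA to grant its request.
        findings.append("status is %r, not Available" % cert["status"])
    if now < cert["not_before"]:
        findings.append("device clock is before the certificate start date (check NTP)")
    elif now > cert["not_after"]:
        findings.append("certificate is expired, or the device clock is wrong (check NTP)")
    if cert["key_bits"] < MIN_RSA_BITS:
        findings.append("RSA key is %d bits, below %d" % (cert["key_bits"], MIN_RSA_BITS))
    if any(tok in cert["sig_alg"].upper() for tok in WEAK_HASH_TOKENS):
        findings.append("signature algorithm %r uses a deprecated hash" % cert["sig_alg"])
    return findings


def review(text, now):
    """Parse and assess in one call; returns the findings list."""
    return assess(parse_ios_cert(text), now)


if __name__ == "__main__":
    for line in review(SAMPLE_OUTPUT, utc(2013, 9, 9)):
        print("FINDING:", line)
```

Run against the quoted output with a clock inside the validity window, the script reports two findings: the 512-bit key and the MD5 signature. Move the clock before September 8, 2013 and a third finding appears, which is exactly the symptom a router with an unsynchronised clock would show even after the CA has granted its request.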
