
New Member

help using Custom ssl cert in Aironet https web Interface

I spent a few hours learning how to import certificates, and I think I did OK with that part. If I use the self-signed cert when HTTPS is enabled through the web interface, HTTPS works just fine, but the second I

ip http secure-trustpoint test

I get a connection reset error in my test browsers.

ip http secure-trustpoint TP-self-signed-3349201592

doesn't fix it, it just gives me an "invalid certificate" error. I'm going to include what I did to get to where I am now, and hopefully you can see where I'm going wrong.

In Linux:

openssl genrsa -out test.key 2048

openssl req -new -nodes -key test.key -out test.csr

Got the CSR cert and root CA from CAcert.

openssl rsa -in test.key -des3 -passin pass: -out keyout.pem

password:12345678

scp root.ca root@10.0.0.20:flash:/root.ca

scp keyout.pem root@10.0.0.20:flash:/test.key

scp test.crt root@10.0.0.20:flash:/test.crt

In Aironet IOS:

crypto ca trustpoint test

crypto ca import test pem url flash:/test 12345678

% Importing CA certificate...

Source filename [test.ca]? root.crt

Reading file from flash:root.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key

% Importing certificate PEM file...

Source filename [test.crt]?

Reading file from flash:/test% PEM files import failed.

OK, so that didn't work, but I can see that the root.crt imported at least:

show crypto ca trustpoints

Trustpoint TP-self-signed-3349201592:

Subject Name:

cn=IOS-Self-Signed-Certificate-3349201592

Serial Number: 01

Persistent self-signed certificate trust point

Trustpoint test:

Subject Name:

ea=support@cacert.org

cn=CA Cert Signing Authority

ou=http://www.cacert.org

o=Root CA

Serial Number: 00

Persistent self-signed certificate trust point

I then tried to import just the keypair:

crypto key import rsa test pem url flash:/test 12345678

% Importing public key or certificate PEM file...

Source filename [test.pub]? test.crt

Reading file from flash:test.crt

% Importing private key PEM file...

Source filename [test.prv]? test.key

Reading file from flash:test.key% Key pair import succeeded.

Strangely, that worked, and now I have my keypair:

show crypto key mypubkey rsa

% Key pair was generated at: 03:39:07 GMT Jul 29 2009

Key name: BenCloud

Usage: General Purpose Key

Key is not exportable.

Key Data:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

00CAC0D9 4C79D716 140D38BF C97C1120 8A0FDCED DDDF5438 8A4BDC5C 00629676 .......

Now, to apply it to the trust point, I also tried to mimic the self-signed TP's settings, and this is what I ended up with:

show

enrollment selfsigned

subject-name cn=CA Cert Signing Authority

revocation-check none

rsakeypair test

end

vs

show

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3349201592

revocation-check none

rsakeypair TP-self-signed-3349201592

end

Then I tried applying this new TP to the HTTPS server:

ip http secure-trustpoint test

which caused the error I described earlier.
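A pre-flight check for the PEM bundle before it is copied to flash, as an added example that is not part of the original post or of any Cisco tooling: it writes the three files under the test.ca / test.prv / test.crt names that the "crypto ca import test pem url flash:/test 12345678" prompts in the transcript above default to, encrypts the private key with the same passphrase the import command is given, and verifies that the key decrypts, that it matches the certificate, and that the certificate chains to the CA file, so a mismatch is caught on the workstation instead of as "PEM files import failed" on the AP. The demo CA and device certificate it generates are constructed stand-ins for the CAcert-issued files; the "test" prefix and the 12345678 passphrase are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco): build and check a PEM bundle
# named the way "crypto ca import test pem url flash:/test 12345678" prompts for it:
#   test.ca -> CA certificate, test.prv -> passphrase-encrypted private key, test.crt -> device cert
set -eu

# Produce <prefix>.ca/.prv/.crt from a key, its signed certificate and the CA certificate.
# The .prv file is encrypted with the passphrase that will be passed to the IOS import command.
prepare_ios_pem() {  # prefix key cert ca passphrase
  openssl rsa -in "$2" -des3 -passout "pass:$5" -out "$1.prv" 2>/dev/null
  cp "$3" "$1.crt"
  cp "$4" "$1.ca"
}

# Return 0 only if the bundle is internally consistent; each failure names its cause on stderr.
verify_ios_pem() {  # prefix passphrase
  openssl rsa -in "$1.prv" -passin "pass:$2" -noout -check >/dev/null 2>&1 \
    || { echo "private key does not decrypt with that passphrase" >&2; return 1; }
  k=$(openssl rsa -in "$1.prv" -passin "pass:$2" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$1.crt" -noout -modulus)
  [ "$k" = "$c" ] || { echo "private key does not match $1.crt" >&2; return 1; }
  openssl verify -CAfile "$1.ca" "$1.crt" >/dev/null 2>&1 \
    || { echo "$1.crt does not chain to the CA in $1.ca" >&2; return 1; }
}

# Constructed demo material: a throwaway CA and a device certificate it signs (stand-in for CAcert).
make_demo_material() {  # dir
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl genrsa -out "$1/dev.key" 2048 2>/dev/null
  openssl req -new -key "$1/dev.key" -subj "/CN=ap.example.test" -out "$1/dev.csr" 2>/dev/null
  openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/dev.crt" -days 2 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key, to exercise the mismatch check
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_demo_material "$d"
  prepare_ios_pem "$d/test" "$d/dev.key" "$d/dev.crt" "$d/ca.crt" 12345678
  verify_ios_pem "$d/test" 12345678 && echo "bundle OK: copy $d/test.ca $d/test.prv $d/test.crt to flash:"
fi
```

On OpenSSL 3.x, add -traditional to the openssl rsa call in prepare_ios_pem if the device rejects the PKCS#8 form of the encrypted key.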

2 REPLIES
Silver

Re: help using Custom ssl cert in Aironet https web Interface

If the browser produces an "invalid certificate" error, delete the router's certificate from the browser's certificate store (if it was saved there), or restart the browser (if the certificate was accepted temporarily).

New Member

Re: help using Custom ssl cert in Aironet https web Interface

That isn't the problem, it says "The connection was interrupted" when I use my own Trust Point.

As I said, if I disable HTTPS, then re-enable it through the WebUI, it regenerates the self-signed keys and works just fine. I think I'm assigning the keys incorrectly, but I don't know where I'm going wrong.
