SSL Certificates for Cisco IOS SSL VPN (2911 Router)
SSL Certificates for Cisco IOS SSL VPN (2911) - Dual intermediate CAs (Thawte)
I have been struggling to install the Thawte SSL123 certificate onto my Cisco IOS router
(2911) for use with the SSL VPN feature. After hours of testing and debugging I have
found the issue.
Thawte have recently made it so that two intermediate certificates are required in order to
validate the signed certificate. This means that creating just one trustpoint within the IOS
no longer works. It will error, stating that the certificate has not been signed by an
authority, because the chain is invalid: the router will only be passing the signed SSL
certificate to the client, without the intermediates.
To overcome this, you need to create two trustpoints within the IOS software, install the
two intermediate certificates, link the trustpoints together and finally import your signed
SSL certificate. Below are instructions on how to perform this.
(Please note: I have used Thawte's name as that is what I configured my box with. You
can replace the trustpoint names with whatever is applicable.)
1 Create two trustpoints and link the secondary with the primary

crypto ca trustpoint thawte.int.prim
 enrollment terminal
 rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
 exit
crypto ca trustpoint thawte.int.sec
 enrollment terminal
 ! The CN must be the FQDN that VPN clients use to reach this gateway;
 ! otherwise the client rejects the certificate even when the chain is complete.
 subject-name CN=(FQDN THAT VPN CLIENTS CONNECT TO),OU=(INSERT),O=(INSERT),C=(INSERT),ST=(INSERT),L=(INSERT)
 rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
 ! Validate this trustpoint's certificates against the CA held in the primary trustpoint.
 chain-validation continue thawte.int.prim
 exit
2 Authenticate the primary trustpoint with Thawte's primary intermediate CA and
the secondary trustpoint with Thawte's secondary intermediate CA

! IOS prints each CA certificate's fingerprint and asks whether to accept it;
! compare it with the value Thawte publishes before answering yes.
crypto ca authenticate thawte.int.prim
(COPY AND PASTE PRIMARY CA CERTIFICATE)
quit
crypto ca authenticate thawte.int.sec
(COPY AND PASTE SECONDARY CA CERTIFICATE)
quit
3 Import your signed SSL certificate into the secondary trustpoint

! The certificate must have been issued for the key pair named in rsakeypair above.
crypto ca import thawte.int.sec certificate
(COPY AND PASTE SIGNED SSL CERTIFICATE)
quit
4 Ensure that your webvpn gateway uses the SECONDARY trustpoint

webvpn gateway (SSL VPN GATEWAY)
 ssl trustpoint thawte.int.sec
SSL chain validation now works and passes the complete chain to the client, which, in
effect, authenticates the client.
Hope this helps anyone, as I have significantly less hair than I did when I first
came into the office this morning. To the coffee machine!
Referenced from: https://supportforums.cisco.com/docs/DOC-15367
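The failure the post describes can be reproduced on a workstation before touching the router. The script below is an added example, not part of the original post and not Cisco or Thawte material: it uses openssl to build a throwaway chain of the same shape (a root, a primary intermediate, a secondary intermediate and a server certificate, all names such as "Demo Root CA" and vpn.example.com constructed for the demo) and then validates the server certificate the way a client that trusts only the root does, with none, one and both intermediates supplied. It assumes only that an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "chain is
# invalid" failure with openssl. All names and files are constructed
# for this demo; the only requirement is an openssl binary on PATH.
set -e
cd "$(mktemp -d)"

# issue NAME SIGNER SUBJECT CA-FLAG
# Generates a 2048-bit RSA key for NAME and a certificate signed by
# SIGNER (or self-signed when SIGNER is "self"). CA-FLAG is TRUE for a
# CA certificate and FALSE for an end-entity (server) certificate.
issue() {
  name=$1; signer=$2; subj=$3; isca=$4
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$name.key" 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ "$isca" = TRUE ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$name.ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
      > "$name.ext"
  fi
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.crt" -CAkey "$signer.key" \
      -CAcreateserial -days 2 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# Root -> primary intermediate -> secondary intermediate -> server:
# the same shape as the Thawte chain the post describes (demo names).
build_demo_chain() {
  issue root   self  "/CN=Demo Root CA"                TRUE
  issue int_a  root  "/CN=Demo Primary Intermediate"   TRUE
  issue int_b  int_a "/CN=Demo Secondary Intermediate" TRUE
  issue server int_b "/CN=vpn.example.com"             FALSE
}

# verify_chain [INTERMEDIATE.crt ...]
# Validates server.crt the way a client that trusts only the root does:
# root.crt is the sole trust anchor and the arguments are whatever
# intermediates the server sent along with its certificate.
# Returns 0 when the chain builds, non-zero otherwise.
verify_chain() {
  if [ $# -eq 0 ]; then
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
  else
    cat "$@" > untrusted.pem
    openssl verify -CAfile root.crt -untrusted untrusted.pem server.crt >/dev/null 2>&1
  fi
}

build_demo_chain
for sent in "" "int_b.crt" "int_a.crt int_b.crt"; do
  # word splitting of $sent is intended: each word is one file
  if verify_chain $sent; then
    echo "OK    server certificate verifies; intermediates sent: [${sent:-none}]"
  else
    echo "FAIL  server certificate rejected; intermediates sent: [${sent:-none}]"
  fi
done
```

Only the last run succeeds: with no intermediates, or with just the secondary one, openssl cannot reach the root and reports an invalid chain, which is the condition the single-trustpoint setup produced on the router. Against a real gateway the equivalent check is `openssl s_client -connect <gateway>:443 -showcerts`, which prints every certificate the router presents, so you can confirm that both intermediates follow the server certificate once the two trustpoints are linked.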
More related:
How To Recover Cisco Router Password
Cisco router rules of nomenclature
Enterprise router recommendation: Cisco 2911 router
The Difference of The Cisco Catalyst 2900 and Cisco Catalyst 1900
For more Cisco products and reviews, visit: http://www.3anetwork.com/blog
3Anetwork.com is a world leading Cisco networking products wholesaler. We wholesale
original new Cisco networking equipment, including Cisco Catalyst switches, Cisco
routers, Cisco firewalls, Cisco wireless products, and Cisco modules and interface
cards, at competitive prices, and ship worldwide.
Our website: http://www.3anetwork.com
Telephone: +852-3069-7733
Email: [email protected]
Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong