Cisco IOS SSL VPN W/ Let's Encrypt


Would anyone have a guide or a link to a guide on how to request and import a letsencrypt certificate into a Cisco router for the purpose of SSL VPN?

I should note, that my configuration is complete and working with a self-signed certificate; however, the certificate errors are cumbersome. Just looking to remedy that.

Any help would be much appreciated.

Thank you.


hi kissmyaxe

what version of cisco IOS are you using.

Generally you would need to import the certificate and intermediate certs and then configure cisco to use those certificates

please note: this will need to be done every 90 days

there are a few guides available below

Let's Encrypt with Cisco ASA AnyConnect VPN
Install cert on Network Devices?

Hi Andrei,

Thanks for your reply. I am running the following image:


Thank you for the guides below.

Patrick Dalla Vicenza


Hi Patrick

Have a look at this article.

Essentially you create the CSR and Private Key on Cisco IoS
Complete the CSR using a Let’s Encrypt Client (Certbot etc)
Make sure you download the certificate + chain in one file (this will install the intermediates needed for Lets Encrypt)

I have a cisco router with crypto image i can set up but it may be a while before i can complete the testing



This nails it!.

Thanks Andrei, this was a huge help!

Patrick Dalla Vicenza


I followed that guide using a certificate obtained from and got
the following error.

"crypto pki authenticate zerossl.trustpoint

Enter the base 64 encoded CA certificate.
End with a blank line or the word “quit” on a line by itself


% Error in saving certificate: status = FAIL

Debug output returns the following:

Jan 30 10:51:28.919 EST: …/cert-c/source/certobj.c(853) : E_INPUT_DATA :
invalid encoding format for input data
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid
encoding format for input data): BER/DER decoding of certificate has failed
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 65535: failed to process RA

So I’m hung up there right now. Seems that this could be related to a Cisco
bug; however, I’m not quite there yet.

Patrick Dalla Vicenza


@kissmyaxe your private key should be kept private, never posted on a public place. You should destroy that key and certificate now, and create new ones.

Was that what you pasted as the “certificate” ? if so it was the wrong one thing to post - it should be the certificate, not the key.


Disregard my previous e-mail.

I believe I missed a step. I will follow up once completed.

Patrick Dalla Vicenza


ya that’s what happened.

i read the output wrong.

Patrick Dalla Vicenza


also I believe the format returned by LetsEncrypt is PEM

so you will need to covert to DER

OpenSSL is my usual go to tool for this :smiley:

openssl x509 -outform der -in certificate.pem -out certificate.der

Your key should be fine as it’s on the router :smiley:


Thanks Andrei

Patrick Dalla Vicenza
Network Operations
1-800-788-0363 ext. 5240


Hi Patrick

I may have led you down a silly path so apologies for this.

My router was version 12.04 and the crypto on it was crap. Got Cisco IOU to behave finally so was able to muck around a bit more

A) Generate a PCKS12 bundle (also known as PFX) using you preferred method
B) As PFX is very common in the Windows World so i have written an article on how to do this a manual way but still fairly straight way:
C) You can then use the command below to import the PFX and associate it with your trustpoint


Thanks Andrei,

I’ll get back to you and let you know how I make out. I’m currently waiting
on the TXT record to be created.

Patrick Dalla Vicenza
Network Operations
1-800-788-0363 ext. 5240

Help generating certificate for MikroTik RouterOS v6.38.5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.