Cisco IOS SSL VPN W/ Let's Encrypt


#1

Would anyone have a guide or a link to a guide on how to request and import a letsencrypt certificate into a Cisco router for the purpose of SSL VPN?

I should note, that my configuration is complete and working with a self-signed certificate; however, the certificate errors are cumbersome. Just looking to remedy that.

Any help would be much appreciated.

Thank you.


#2

Hi kissmyaxe,

What version of Cisco IOS are you using?

Generally you would need to import the certificate and intermediate certs and then configure Cisco to use those certificates.

Please note: this will need to be done every 90 days.

There are a few guides available below:


Let's Encrypt with Cisco ASA AnyConnect VPN
Install cert on Network Devices?
#3

Hi Andrei,

Thanks for your reply. I am running the following image:

c800-universalk9-mz.SPA.154-3.M2.bin

Thank you for the guides below.

Patrick Dalla Vicenza


#4

Hi Patrick

Have a look at this article.

Essentially you create the CSR and private key on Cisco IOS.
Complete the CSR using a Let's Encrypt client (Certbot etc.).
Make sure you download the certificate + chain in one file (this will install the intermediates needed for Let's Encrypt).

I have a Cisco router with a crypto image I can set up, but it may be a while before I can complete the testing.

Andrei


#5

This nails it!

Thanks Andrei, this was a huge help!

Patrick Dalla Vicenza


#6

I followed that guide using a certificate obtained from zerossl.com and got
the following error.

"crypto pki authenticate zerossl.trustpoint

Enter the base 64 encoded CA certificate.
End with a blank line or the word “quit” on a line by itself

-----BEGIN RSA PRIVATE KEY-----
xxxxx
-----END RSA PRIVATE KEY-----

% Error in saving certificate: status = FAIL

Debug output returns the following:

Jan 30 10:51:28.919 EST: …/cert-c/source/certobj.c(853) : E_INPUT_DATA :
invalid encoding format for input data
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid
encoding format for input data): BER/DER decoding of certificate has failed
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 65535: failed to process RA
certificate"

So I’m hung up there right now. Seems that this could be related to a Cisco
bug; however, I’m not quite there yet.

Patrick Dalla Vicenza


#7

@kissmyaxe your private key should be kept private, never posted on a public place. You should destroy that key and certificate now, and create new ones.

Was that what you pasted as the "certificate"? If so, it was the wrong thing to post: it should be the certificate, not the key.


#8

Disregard my previous e-mail.

I believe I missed a step. I will follow up once completed.

Patrick Dalla Vicenza


#9

Ya, that's what happened.

I read the output wrong.

Patrick Dalla Vicenza


#10

Also, I believe the format returned by Let's Encrypt is PEM, so you will need to convert to DER.

OpenSSL is my usual go to tool for this :smiley:

openssl x509 -outform der -in certificate.pem -out certificate.der

Your key should be fine as it’s on the router :smiley:


#11

Thanks Andrei

Patrick Dalla Vicenza
Vianet
Network Operations
1-800-788-0363 ext. 5240


#12

Hi Patrick

I may have led you down a silly path so apologies for this.

My router was version 12.04 and the crypto on it was crap. Got Cisco IOU to behave finally, so I was able to muck around a bit more.

A) Generate a PKCS12 bundle (also known as PFX) using your preferred method.
B) As PFX is very common in the Windows world, I have written an article on how to do this the manual way, which is still fairly straightforward: https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke
C) You can then use the command below to import the PFX and associate it with your trustpoint.
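The two routes Andrei describes (the CSR-on-router route in #4, where the key never leaves the router and the chain and leaf are pasted in as base64, and the PKCS12 route here in #12, where the key exists off-box and gets bundled with the certificate and chain) both start from the same certbot output and both fail in the way seen in #6 when the wrong file is fed to the router. The shell script below is an added example and is not code from the thread or from Andrei's article. It assumes certbot's default file layout (/etc/letsencrypt/live/<name>/privkey.pem, cert.pem, chain.pem), a trustpoint name, TFTP server and webvpn gateway name that are placeholders, and that the router accepts the standard IOS `crypto pki import <trustpoint> pkcs12 <url> password <pw>` form; confirm the exact syntax against the command reference for your image. Because Let's Encrypt certificates expire every 90 days, the natural place to call this is a certbot `--deploy-hook`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Andrei's article.
# Packages what certbot writes for a router's SSL VPN certificate in the two
# shapes Cisco IOS accepts, and sanity-checks the chain before anything is
# sent to the router. Assumed inputs (certbot's defaults; adjust the paths):
#   /etc/letsencrypt/live/<name>/privkey.pem  - key, only if certbot made it
#   /etc/letsencrypt/live/<name>/cert.pem     - the leaf certificate
#   /etc/letsencrypt/live/<name>/chain.pem    - the intermediate(s)
set -eu

# Number of certificates in a PEM file (chain.pem is normally 1, fullchain.pem 2).
pem_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the Nth certificate of a PEM file. `crypto pki authenticate` takes one
# CA certificate at a time, so a multi-cert chain is split before pasting; the
# base64 body between the BEGIN/END lines is what the router prompt in #6 wants.
pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$2"
}

# Check that the first certificate in the chain really issued the leaf.
# A private key or a non-certificate file in either slot fails here, which is
# the mistake from #6 caught before the router reports E_INPUT_DATA.
issuer_matches() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    ca_subject=$(pem_block 1 "$2" | openssl x509 -noout -subject 2>/dev/null) || return 1
    [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ]
}

# build_pfx KEY LEAF CHAIN OUT PASSWORD
# PKCS12 for `crypto pki import <trustpoint> pkcs12 <url> password <pw>`.
# Only possible when the key exists off-box (the #12 route); on the #4 route
# the key stays on the router and the chain and leaf are pasted instead.
build_pfx() {
    issuer_matches "$2" "$3" || { echo "chain does not issue leaf" >&2; return 1; }
    # Older IOS images expect the classic SHA1/3DES PKCS12 algorithms. OpenSSL 3
    # defaults to AES-256/PBKDF2 bundles, which such images often refuse to
    # import, so the legacy PBE and MAC are requested explicitly.
    # The password is passed through the environment, not argv, so it does not
    # show up in the process list.
    PFX_PASS=$5 openssl pkcs12 -export -name letsencrypt \
        -inkey "$1" -in "$2" -certfile "$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout env:PFX_PASS -out "$4"
    chmod 600 "$4"
}

# Router side for the PKCS12 route. Trustpoint name, URL and gateway name are
# placeholders; the password is the one given to build_pfx.
ios_commands() {
    cat <<EOF
crypto pki trustpoint $1
 revocation-check none
exit
crypto pki import $1 pkcs12 $2 password <pfx-password>
webvpn gateway $3
 ssl trustpoint $1
EOF
}

# Usage: build-router-pfx.sh privkey.pem cert.pem chain.pem router.p12 <password>
if [ "$#" -eq 5 ]; then
    build_pfx "$1" "$2" "$3" "$4" "$5"
    ios_commands LETSENCRYPT tftp://10.0.0.5/router.p12 GATEWAY
fi
```

The resulting .p12 carries the private key, so copy it to the router over a channel you trust (SCP rather than TFTP where the image supports it) and delete it from the TFTP server afterwards; the `chmod 600` only protects it on the build host.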


#13

Thanks Andrei,

I’ll get back to you and let you know how I make out. I’m currently waiting
on the TXT record to be created.

Patrick Dalla Vicenza
Vianet
Network Operations
1-800-788-0363 ext. 5240

