Cisco IOS SSL VPN W/ Let's Encrypt

Would anyone have a guide or a link to a guide on how to request and import a letsencrypt certificate into a Cisco router for the purpose of SSL VPN?

I should note that my configuration is complete and working with a self-signed certificate; however, the certificate errors are cumbersome. Just looking to remedy that.

Any help would be much appreciated.

Thank you.

Hi kissmyaxe,

What version of Cisco IOS are you using?

Generally you would need to import the certificate and intermediate certs and then configure Cisco to use those certificates.

Please note: this will need to be done every 90 days.

There are a few guides available below.

Hi Andrei,

Thanks for your reply. I am running the following image:

c800-universalk9-mz.SPA.154-3.M2.bin

Thank you for the guides below.

Patrick Dalla Vicenza

Hi Patrick

Have a look at this article.

Essentially you create the CSR and private key on Cisco IOS.
Complete the CSR using a Let’s Encrypt client (Certbot etc.).
Make sure you download the certificate + chain in one file (this will install the intermediates needed for Let’s Encrypt).

I have a Cisco router with a crypto image I can set up, but it may be a while before I can complete the testing.

Andrei

This nails it!

Thanks Andrei, this was a huge help!

Patrick Dalla Vicenza

I followed that guide using a certificate obtained from zerossl.com and got the following error.

"crypto pki authenticate zerossl.trustpoint

Enter the base 64 encoded CA certificate.
End with a blank line or the word “quit” on a line by itself

-----BEGIN RSA PRIVATE KEY-----
xxxxx
-----END RSA PRIVATE KEY-----

% Error in saving certificate: status = FAIL

Debug output returns the following:

Jan 30 10:51:28.919 EST: …/cert-c/source/certobj.c(853) : E_INPUT_DATA : invalid encoding format for input data
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): BER/DER decoding of certificate has failed
Jan 30 10:51:28.919 EST: CRYPTO_PKI: status = 65535: failed to process RA certificate"

So I’m hung up there right now. Seems that this could be related to a Cisco bug; however, I’m not quite there yet.

Patrick Dalla Vicenza

@kissmyaxe your private key should be kept private, never posted on a public place. You should destroy that key and certificate now, and create new ones.

Was that what you pasted as the “certificate”? If so, it was the wrong thing to post: it should be the certificate, not the key.
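As an added example (not code from the thread or from the linked article), the shell helper below does the "certificate + chain in one file" step mechanically: it splits a certbot-style fullchain.pem into the leaf (what `crypto pki import <trustpoint> certificate` wants) and the issuer chain (what `crypto pki authenticate <trustpoint>` wants), and it refuses to proceed when the file handed to it is actually a private key, which is exactly the paste that produced the `E_INPUT_DATA` failure above. The file names fullchain.pem, cert.pem and chain.pem and the trustpoint name LE-TP are assumptions; the sample fullchain it builds is constructed with placeholder base64 bodies.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked article.
# Splits a certbot-style fullchain.pem into the two pieces an IOS trustpoint
# takes separately, and refuses a file that is actually a private key (the
# paste mistake shown in the thread). File names (fullchain.pem, cert.pem,
# chain.pem) and the trustpoint name LE-TP are assumptions.
set -eu

# True (exit 0) when the file holds any PEM private-key block.
contains_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of certificate blocks in a PEM file (0 when the file is missing).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_fullchain FULLCHAIN OUTDIR
#   OUTDIR/cert.pem  = first block (the leaf)       -> crypto pki import LE-TP certificate
#   OUTDIR/chain.pem = every later block (issuers)  -> crypto pki authenticate LE-TP
split_fullchain() {
    src=$1; dir=$2
    if contains_private_key "$src"; then
        echo "refusing $src: it contains a private key, not a certificate" >&2
        return 1
    fi
    mkdir -p "$dir"
    rm -f "$dir/cert.pem" "$dir/chain.pem"
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = (n == 1 ? dir "/cert.pem" : dir "/chain.pem") }
        out != ""                      { print >> out }
        /^-----END CERTIFICATE-----/   { out = "" }
    ' "$src"
    if [ "$(count_certs "$dir/cert.pem")" -ne 1 ]; then
        echo "no certificate block found in $src" >&2
        return 1
    fi
}

# Constructed input standing in for certbot's fullchain.pem: three PEM blocks
# with placeholder base64 bodies (enough for the text handling shown here).
write_sample_fullchain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
bGVhZiBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aXNzdWluZyBpbnRlcm1lZGlhdGU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y3Jvc3Mtc2lnbmVkIHJvb3Q=
-----END CERTIFICATE-----
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_fullchain "$tmp/fullchain.pem"
    split_fullchain "$tmp/fullchain.pem" "$tmp/out"
    leaf=$(count_certs "$tmp/out/cert.pem")
    issuers=$(count_certs "$tmp/out/chain.pem")

    # The thread's mistake: a key file offered where a certificate belongs.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'xxxxx' '-----END RSA PRIVATE KEY-----' > "$tmp/privkey.pem"
    if split_fullchain "$tmp/privkey.pem" "$tmp/out2" 2>/dev/null; then
        keyfile=accepted
    else
        keyfile=refused
    fi
    rm -rf "$tmp"
    echo "leaf=$leaf issuers=$issuers keyfile=$keyfile"
}
```

Run `demo` and it reports `leaf=1 issuers=2 keyfile=refused`. The block that matters for `crypto pki authenticate` is the first one in chain.pem, the intermediate that actually signed the leaf; paste that at the "Enter the base 64 encoded CA certificate" prompt, then the leaf at the `crypto pki import ... certificate` prompt. The private key never leaves the router on this route, which is why the check at the top is cheap insurance: if a `PRIVATE KEY` header ever shows up in the file you are about to paste, stop and regenerate, as the reply above says.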

Disregard my previous e-mail.

I believe I missed a step. I will follow up once completed.

Patrick Dalla Vicenza

Ya, that’s what happened.

I read the output wrong.

Patrick Dalla Vicenza

Also, I believe the format returned by Let’s Encrypt is PEM,

so you will need to convert it to DER.

OpenSSL is my usual go to tool for this :smiley:

openssl x509 -outform der -in certificate.pem -out certificate.der

Your key should be fine as it’s on the router :smiley:

Thanks Andrei

Patrick Dalla Vicenza
Vianet
Network Operations
1-800-788-0363 ext. 5240

Hi Patrick

I may have led you down a silly path, so apologies for this.

My router was version 12.04 and the crypto on it was crap. Got Cisco IOU to behave finally, so I was able to muck around a bit more.

A) Generate a PKCS#12 bundle (also known as PFX) using your preferred method.
B) As PFX is very common in the Windows world, I have written an article on how to do this in a manual but still fairly straightforward way: https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke
C) You can then use the command below to import the PFX and associate it with your trustpoint.

Thanks Andrei,

I’ll get back to you and let you know how I make out. I’m currently waiting on the TXT record to be created.

Patrick Dalla Vicenza
Vianet
Network Operations
1-800-788-0363 ext. 5240
