So after playing for a while, here is how I managed to get my Cisco router running regular IOS 15 using a Let's Encrypt certificate for HTTPS access. The procedure to attach this certificate to an SSLVPN should be very similar, but you need to adjust your SSLVPN settings accordingly, and I will leave that as homework.
You still need a Let's Encrypt client for this to work, and you might need to be a little creative: Let's Encrypt's HTTP-01 validation has to reach port 80 on the host named in the certificate, so to generate the certificate for the router I redirected port 80 on the target domain to a Linux box I managed, and the client could then obtain the certificate (and most of the chain) there. So here is the sequence:
On your Linux box:
1. Create your certificate and key (the client is called certbot nowadays, so the equivalent command is certbot certonly -d host.domain.com; the router's key import in step 5 is RSA-only, so if your certbot version defaults to ECDSA keys add --key-type rsa):
letsencrypt-auto certonly -d host.domain.com
2. Browse to /etc/letsencrypt/live/host.domain.com
3. Pick a password (e.g., @Password@) and encrypt the private key; you will be asked for the password immediately after you run the command. Single DES (-des) is weak and on OpenSSL 3 it lives in the legacy provider, so the command fails outright there; -des3 is the better choice unless your IOS release rejects it. Keep in mind that this encryption only protects the key while you paste it over the console: the password itself is typed in clear on the router CLI in step 5 and shows up in AAA command accounting if you use it.
openssl rsa -des -in privkey.pem -out privkey-enc.pem
4. Extract the public key from the private key (the router asks for it before the private key in step 5):
openssl pkey -in privkey.pem -pubout -out pubkey.pem
On your router:
5. Import the public and private keys on the router:
crypto key import rsa host.domain.com.pem exportable pem encryption terminal @Password@
Paste the contents of the public key pubkey.pem and type quit on a line by itself.
Paste the contents of the password-protected private key privkey-enc.pem and type quit on a line by itself.
If the key is accepted, you should read
"% Key pair import succeeded."
You can confirm with show crypto key mypubkey rsa. The exportable keyword allows the key to be exported from the router again later; leave it out if you do not need that.
IMPORTANT:
If you want the IdenTrust cross-signed chain instead (at the time of writing it was the one that passed all SSL verifications in web browsers; see the Cross Signing section on the Certificates page - Chain of Trust - Let's Encrypt), scroll down for those instructions.
6. Create a trustpoint for the ISRG root certificate:
crypto pki trustpoint ISRG_Root_X1
chain-validation stop
revocation-check none
enrollment terminal pem
exit
7. Import the ISRG root txt/pem certificate (found on the Certificates page - Chain of Trust - Let's Encrypt):
crypto pki authenticate ISRG_Root_X1
Paste the contents of the ISRG root certificate and type quit on a line by itself. If it is accepted, you should read
"Certificate has the following attributes:
Fingerprint MD5: 0CD2F9E0 DA1773E9 ED864DA5 E370E74E
Fingerprint SHA1: CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8
% Do you accept this certificate? [yes/no]: "
This prompt is the only point where the router's trust in the whole chain is established, so compare the SHA1 fingerprint with the one you compute locally from the downloaded root file (openssl x509 -noout -fingerprint -sha1 -in that file) before you accept. Type yes to confirm and press enter. If the root cert is accepted, you should read
"Trustpoint CA certificate accepted.
% Certificate successfully imported"
8. Create another trustpoint, this time for the Let's Encrypt Authority X1 intermediate, signed by ISRG. Let's Encrypt rotates its intermediates, so if your certificate was issued by a later one, name and import that one instead (certbot saves the intermediate that issued your certificate as chain.pem next to cert.pem):
crypto pki trustpoint Lets_Encrypt_Authority_X1_signed_by_ISRG_Root_X1
chain-validation continue ISRG_Root_X1
revocation-check none
enrollment terminal pem
exit
9. Import the Let's Encrypt Authority X1, signed by ISRG txt/pem certificate (also found on the Certificates page - Chain of Trust - Let's Encrypt; it must be the intermediate that actually issued your certificate, i.e. the one in chain.pem):
crypto pki authenticate Lets_Encrypt_Authority_X1_signed_by_ISRG_Root_X1
Paste the contents of the Let's Encrypt Authority X1, signed by ISRG certificate and type quit on a line by itself. If the intermediate cert is accepted, you should read
"Certificate has the following attributes:
Fingerprint MD5: AE52EB85 30A2E6C2 3EC639F5 5CBD3B67
Fingerprint SHA1: E045A5A9 59F42780 FA5BD762 3512AF27 6CF42F20
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported"
10. Finally, import your router's certificate. The import takes three PEM blobs, in this order: the CA certificate the trustpoint validates against (the intermediate), the private key, and the router certificate:
crypto pki import host.domain.com-cert pem terminal password @Password@
Paste the contents of the Let's Encrypt Authority X1, signed by ISRG certificate and type quit on a line by itself.
Paste the contents of the password-protected private key privkey-enc.pem and type quit on a line by itself.
Paste the contents of your router's certificate cert.pem and type quit on a line by itself. If your certificate is accepted, you should read
"% PEM files import succeeded."
Check the result with show crypto pki certificates: the trustpoint host.domain.com-cert should now list both a CA certificate and a router certificate, with the validity dates you expect.
If you want to use the IdenTrust cross-signed chain (at the time of writing the one that passed all SSL verifications in web browsers; see the Cross Signing section on the Certificates page - Chain of Trust - Let's Encrypt), follow these steps instead of steps 6 to 10 above. Note that DST Root CA X3 expired on 30 September 2021 and ISRG Root X1 is now in the major browser root stores, so this section only applies to the period before that; on a current router, use the ISRG chain above.
6. Create a trustpoint for the DST root certificate:
crypto pki trustpoint DST_Root_CA_X3
chain-validation stop
revocation-check none
enrollment terminal pem
exit
7. Import the DST root txt/pem certificate (link found on the Certificates page - Chain of Trust - Let's Encrypt):
crypto pki authenticate DST_Root_CA_X3
Paste the contents of the DST root certificate and type quit on a line by itself. If it is accepted, you should read
"Certificate has the following attributes:
Fingerprint MD5: 410352DC 0FF7501B 16F0028E BA6F45C5
Fingerprint SHA1: DAC9024F 54D8F6DF 94935FB1 732638CA 6AD77C13
% Do you accept this certificate? [yes/no]: "
Verify the SHA1 fingerprint against the downloaded root file, then type yes to confirm and press enter. If the root cert is accepted, you should read
"Trustpoint CA certificate accepted.
% Certificate successfully imported"
8. Create another trustpoint, this time for the Let's Encrypt Authority X1 intermediate, IdenTrust cross-signed:
crypto pki trustpoint Lets_Encrypt_Authority_X1_signed_by_DST_Root_CA_X3
chain-validation continue DST_Root_CA_X3
revocation-check none
enrollment terminal pem
exit
9. Import the Let's Encrypt Authority X1, IdenTrust cross-signed txt/pem certificate (also found on the Certificates page - Chain of Trust - Let's Encrypt):
crypto pki authenticate Lets_Encrypt_Authority_X1_signed_by_DST_Root_CA_X3
Paste the contents of the Let's Encrypt Authority X1, IdenTrust cross-signed certificate and type quit on a line by itself. If the intermediate cert is accepted, you should read
"Certificate has the following attributes:
Fingerprint MD5: 33E25CB5 1753B4C3 8817774E 38BD2107
Fingerprint SHA1: 3EAE9193 7EC85D74 483FF4B7 7B07B43E 2AF36BF4
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported"
10. Finally, import your router's certificate (CA certificate, then private key, then router certificate):
crypto pki import host.domain.com-cert pem terminal password @Password@
Paste the contents of the Let's Encrypt Authority X1, IdenTrust cross-signed certificate and type quit on a line by itself.
Paste the contents of the password-protected private key privkey-enc.pem and type quit on a line by itself.
Paste the contents of your router's certificate cert.pem and type quit on a line by itself. If your certificate is accepted, you should read
"% PEM files import succeeded."
Then enable HTTPS on the router and associate the certificate with it:
ip http secure-server
ip http secure-trustpoint host.domain.com-cert
Open your router via HTTPS to confirm it works; the browser should show the Let's Encrypt chain without any warning. Optionally, test your certificate via SSL Server Test (Powered by Qualys SSL Labs), which also reports on the TLS versions and cipher suites the IOS HTTPS server offers, something the certificate alone does not fix.
Before the 90 days are up, you will need to renew. Rerun the Let's Encrypt client (certbot renew), and remember that by default it generates a new private key at each renewal, so redo step 3 (encrypt the new privkey.pem) as well as the router import in step 10 with the new key and cert.pem. The root and intermediate trustpoints only need touching if Let's Encrypt has changed its intermediate in the meantime. Then you are good to go for 90 more days.
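To take the Linux-side work (steps 1 to 4) and the 90-day renewal check out of manual hands, here is a small sh script. It is an added example and not part of the original post: it assumes the certbot live directory layout (privkey.pem, cert.pem and chain.pem under /etc/letsencrypt/live/host.domain.com/, where chain.pem is the intermediate that issued cert.pem), takes the directory and the export password as arguments, and uses nothing but openssl. Besides producing privkey-enc.pem and pubkey.pem it checks the three things that silently break step 10: that the key you are about to paste really is encrypted, that cert.pem belongs to privkey.pem, and that cert.pem chains to the intermediate you paste first. The renewal_status function tells you when to rerun certbot, and served_cert_summary shows what the router actually presents once the trustpoint is active.

```sh
#!/bin/sh
# Added example, not code from the original post: prepares a certbot "live"
# directory for the router import steps above and checks what you are about
# to paste. Assumptions: the directory has the layout certbot writes under
# /etc/letsencrypt/live/host.domain.com/ (privkey.pem, cert.pem, chain.pem,
# where chain.pem is the intermediate that issued cert.pem); the directory
# and password are passed as arguments. Needs only a POSIX sh and openssl.

# Step 3: password-protect the private key for transit. 3DES (-des3) is
# stronger than the single DES of the original command. OpenSSL 3 writes
# PKCS#8 by default; -traditional keeps the "RSA PRIVATE KEY" layout that
# OpenSSL 1.x produced for the original post, and the fallback covers older
# releases that do not know the flag. Fails if the key is not RSA, which
# the router's "crypto key import rsa" could not take anyway.
encrypt_privkey() {   # $1 = live dir, $2 = password
  openssl rsa -des3 -traditional -in "$1/privkey.pem" -out "$1/privkey-enc.pem" \
      -passout "pass:$2" >/dev/null 2>&1 ||
  openssl rsa -des3 -in "$1/privkey.pem" -out "$1/privkey-enc.pem" \
      -passout "pass:$2" >/dev/null 2>&1
}

# Prints "encrypted" if the key file carries an encryption header, else
# "plain": never paste a plain key, the router expects to decrypt it with
# the password given on the import command line.
key_is_encrypted() {   # $1 = key file
  if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Step 4: the public key, which the router asks for first in step 5.
extract_pubkey() {   # $1 = live dir
  openssl pkey -in "$1/privkey.pem" -pubout -out "$1/pubkey.pem"
}

# Prints "match" if cert.pem was issued for the key in privkey.pem, else
# "mismatch". Both sides are rendered as SubjectPublicKeyInfo PEM, so the
# comparison is byte-for-byte.
key_matches_cert() {   # $1 = live dir
  k=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Prints "ok" if cert.pem chains to the intermediate in chain.pem (the
# certificate pasted first in step 10), else "bad". -partial_chain lets an
# intermediate act as the anchor; without it openssl insists on a root.
chain_ok() {   # $1 = live dir
  if openssl verify -partial_chain -CAfile "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# Prints "renew" if cert.pem expires within $2 days (default 30, the window
# certbot itself renews in), else "fine". Put it in cron so the 90-day
# clock is never missed.
renewal_status() {   # $1 = live dir, $2 = days (optional)
  days=${2:-30}
  if openssl x509 -in "$1/cert.pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo fine
  else
    echo renew
  fi
}

# After step 10 and "ip http secure-trustpoint": subject, issuer and expiry
# of what the router actually serves on 443. Needs a network path to the
# router, so it is not exercised by the offline checks.
served_cert_summary() {   # $1 = router host, $2 = port (default 443)
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -enddate
}

# Prepare the files for steps 5 and 10 and print the checks for one live dir.
prepare_and_check() {   # $1 = live dir, $2 = password
  encrypt_privkey "$1" "$2" || { echo "privkey.pem is not an RSA key or could not be encrypted"; return 1; }
  extract_pubkey "$1"
  echo "encrypted key : $(key_is_encrypted "$1/privkey-enc.pem")"
  echo "key matches   : $(key_matches_cert "$1")"
  echo "chain         : $(chain_ok "$1")"
  echo "renewal       : $(renewal_status "$1")"
  echo "step 5: paste pubkey.pem, then privkey-enc.pem; step 10: chain.pem, privkey-enc.pem, cert.pem"
}

if [ $# -ge 2 ]; then
  prepare_and_check "$1" "$2"
fi
```

Save it under any name (prepare.sh is just a placeholder) and run sh prepare.sh /etc/letsencrypt/live/host.domain.com '@Password@' after every certbot run; if "key matches" says mismatch, certbot has rotated the key and the old privkey-enc.pem must not be reused. The password lands in the shell history on the Linux box exactly as it lands on the router CLI, so treat it as a transport secret and change it after the import if that matters in your environment.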
Hope this helps.
PS: Don't forget to save your router's config (copy running-config startup-config), or the trustpoints and the HTTPS settings are gone at the next reload.
Edit History
- Updated tutorial's formatting
- Clarified trustpoint names on the router settings
- Created instructions for people looking for fully validated certs from IdenTrust