Tutorial: Get Let's Encrypt on Cisco routers/switches

So after playing for a while, here is how I managed to get my Cisco router running regular IOS 15 using a Let's Encrypt certificate for HTTPS access. The procedure to attach this certificate to a SSLVPN should be very similar, but you need to adjust your SSLVPN settings accordingly and I will let this as a homework.

You still need a letsencrypt client for it to work, and you might need to be a little creative: in order to generate the certificate for the router, I redirected port 80 on the target domain to a linux box I managed, so the client could get me almost all the required certificates. So here is the sequence:

At your linux box:

1.Create your certs and keys:

letsencrypt-auto certonly -d host.domain.com

2.Browse to /etc/letsencrypt/live/host.domain.com

3.Pick a password (ie, @Password@), and encrypt the private key. The password will be asked immediately after you run the command:

openssl rsa -des -in privkey.pem -out privkey-enc.pem

4.Extract a public key from the private key:

openssl pkey -in privkey.pem -pubout -out pubkey.pem

On your router:

5.Import the private and public keys on the router:

crypto key import rsa host.domain.com.pem exportable pem encryption terminal @Password@

Paste the contents of public key pubkey.pem and type quit on a single line.
Paste the contents of the password protected private key privkey-enc.pem and type quit on a single line.
If the key is accepted, you should read

"% Key pair import succeeded."

IMPORTANT:

If you want to use IdenTrust certificates - passes all SSL verifications/web browsers (see the Cross Signing section on Certificates page - Chain of Trust - Let's Encrypt), scroll down for instructions.

6.Create a trustpoint for the ISRG root certificate:

crypto pki trustpoint ISRG_Root_X1
chain-validation stop
revocation-check none
enrollment terminal pem
exit

7.Import the ISRG root txt/pem certificate (found on Certificates page - Chain of Trust - Let's Encrypt):

crypto pki authenticate ISRG_Root_X1

Paste the contents of the ISRG root certificate and type quit on a single line. If it is accepted, you should read

"Certificate has the following attributes:
Fingerprint MD5: 0CD2F9E0 DA1773E9 ED864DA5 E370E74E
Fingerprint SHA1: CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8

% Do you accept this certificate? [yes/no]: "

Type yes to confirm and press enter. If the root cert is accepted, you should read

"Trustpoint CA certificate accepted.
% Certificate successfully imported"

8.Create another trustpoint, this time for the Let's Encrypt Authority X1, signed by ISRG:

crypto pki trustpoint Lets_Encrypt_Authority_X1_signed_by_ISRG_Root_X1
chain-validation continue ISRG_Root_X1
revocation-check none
enrollment terminal pem
exit

9.Import the Let's Encrypt Authority X1, signed by ISRG txt/pem certificate (also found on Certificates page - Chain of Trust - Let's Encrypt):

crypto pki authenticate Lets_Encrypt_Authority_X1_signed_by_ISRG_Root_X1

Paste the contents of the Let's Encrypt Authority X1, signed by ISRG certificate and type quit on a single line. If the intermediate cert is accepted, you should read

"Certificate has the following attributes:
Fingerprint MD5: AE52EB85 30A2E6C2 3EC639F5 5CBD3B67
Fingerprint SHA1: E045A5A9 59F42780 FA5BD762 3512AF27 6CF42F20
Certificate validated - Signed by existing trustpoint CA certificate.

Trustpoint CA certificate accepted.
% Certificate successfully imported"

10.Finally, import your router certificates:

crypto pki import host.domain.com-cert pem terminal password @Password@

Paste the contents of Let's Encrypt Authority X1, signed by ISRG certificate and type quit on a single line.
Paste the contents of the password protected private key privkey-enc.pem and type quit on a single line.
Paste the contents of your router's certificate cert.pem and type quit on a single line. If your certificate is accepted, you should read

"% PEM files import succeeded."

If you want to use IdenTrust certificates - passes all SSL verifications/web browsers (see the Cross Signing section on Certificates page - Chain of Trust - Let's Encrypt):

6.Create a trustpoint for the DST root certificate:

crypto pki trustpoint DST_Root_CA_X3
chain-validation stop
revocation-check none
enrollment terminal pem
exit

7.Import the DST root txt/pem certificate (link found on Certificates page - Chain of Trust - Let's Encrypt):

crypto pki authenticate DST_Root_CA_X3

Paste the contents of the DST root certificate and type quit on a single line. If it is accepted, you should read

"Certificate has the following attributes:
Fingerprint MD5: 410352DC 0FF7501B 16F0028E BA6F45C5
Fingerprint SHA1: DAC9024F 54D8F6DF 94935FB1 732638CA 6AD77C13

% Do you accept this certificate? [yes/no]: "

Type yes to confirm and press enter. If the root cert is accepted, you should read

"Trustpoint CA certificate accepted.
% Certificate successfully imported"

8.Create another trustpoint, this time for the Let's Encrypt Authority X1, IdenTrust cross-signed:

crypto pki trustpoint Lets_Encrypt_Authority_X1_signed_by_DST_Root_CA_X3
chain-validation continue DST_Root_CA_X3
revocation-check none
enrollment terminal pem
exit

9.Import the Let's Encrypt Authority X1, IdenTrust cross-signed txt/pem certificate (also found on Certificates page - Chain of Trust - Let's Encrypt):

crypto pki authenticate Lets_Encrypt_Authority_X1_signed_by_DST_Root_CA_X3

Paste the contents of the Let's Encrypt Authority X1, IdenTrust cross-signed certificate and type quit on a single line. If the intermediate cert is accepted, you should read

"Certificate has the following attributes:
Fingerprint MD5: 33E25CB5 1753B4C3 8817774E 38BD2107
Fingerprint SHA1: 3EAE9193 7EC85D74 483FF4B7 7B07B43E 2AF36BF4
Certificate validated - Signed by existing trustpoint CA certificate.

Trustpoint CA certificate accepted.
% Certificate successfully imported"

10.Finally, import your router certificates:

crypto pki import host.domain.com-cert pem terminal password @Password@

Paste the contents of Let's Encrypt Authority X1, IdenTrust cross-signed certificate and type quit on a single line.
Paste the contents of the password protected private key privkey-enc.pem and type quit on a single line.
Paste the contents of your router's certificate cert.pem and type quit on a single line. If your certificate is accepted, you should read

"% PEM files import succeeded."

Then enable HTTPS on the router and associate the certificate to it:

ip http secure-server
ip http secure-trustpoint host.domain.com-cert

Try to open you router via HTTPS to confirm it works. Optionally, test your certificate via SSL Server Test (Powered by Qualys SSL Labs)

Before 90 days, you will need to update your certificates. Just renew your certs using the letsencrypt client, and rerun the router certificates import step #10, and you are good to go for 90 more days.

Hope this helps.

PS: Don't forget to save your router's config

Edit History

• Updated tutorial's formatting
• Clarified trustpoint names on the router settings
• Created instructions for for people looking for fully validated certs from IdenTrust

hi mr. Alex,
at step 10 in which parts make cert.pem router certificate?
I’ve tried to take on a linux box cert.pem file folder: / etc / letsencrypt / live / but no success … the Unable to decode key.
% Import PEM files failed.

thanks,

heru

Heru,

It seems LetsEncrypt recently changed the Authority certificate they are using for signing the certs - or more likely, I missed that piece during my tutorial write up. Instead of using only Authority X1, they are using any of their available Authority servers. Which makes perfect sense on a load balancing standpoint

So at Step 4, you need to find out which Authority Xn your certificate was issued against. Please run the following command on your Linux box:

openssl x509 -in cert.pem -text -noout | grep "Authority X"

You will see an output like this:

   Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

The Authority X3 is the certificate you need to use on steps 8, 9 and 10. You can, if you want, update the certificate labels to reflect the Authority name you are using - instead of X1 as my tutorial suggests, use X3 or whatever Authority server it was assigned to issue your certificates.

As soon as I figure out how to edit a 10 month old post, I will make these corrections.

See if that helps you.

@Alex_HQuest, this change happened on March 25 of this year. Currently X3 is used exclusively.

Because the intermediate used to issue certificates can change over time, the ACME protocol provides for downloading the corresponding one along with the certificate. Whatever means you use to get your certificate from Let’s Encrypt should be able to give you the appropriate intermediate at the same time (for example if you use Certbot it will get saved as chain.pem and included in fullchain.pem).

For this reason I would not recommend to most people to download things from https://letsencrypt.org/certificates/ in most circumstances.

(I don’t know if this will account for @hfi’s problem or not. “Unable to decode key” doesn’t seem at first glance like it relates to a mismatched intermediate cert, but maybe!)

@schoen this explains a few gaps - I’ve been so busy with other things I did not had a chance to catch up with LE latest changes (even while they happened so long ago).

The Cisco process is an advanced one. Granted, the original steps should give a general idea but we should not be seeing many people doing this, as ESX hosts, Cisco routers, switches, ISE, ACS, Prime Infrastructure, ASA and WLC devices are not too common at homes, and at your corporate network we would use our own internal corporate CA. Although I proudly have all these named products at home under LE certs .

Besides being advanced, Cisco way of doing things is a little… different. You know what I am talking about. And I too agree average users should not download anything manually. certbot provides a lot of information, usually enough for most situations.

Thanks for the heads up on the X3 note. I learned something new today.