Wildcard certificate on a Cisco Router

I am trying to install a wildcard certificate on a Cisco router.
It’s a virtual router running IOS-XE version 17.09.05a

Do I need to fill out all the info asked?
My case is a little different as I am not having an issue generating the certs.
So I have not included all the info for domain name, host provider, etc.
I am running certbot version 2.9.0

I’ve seen several related posts here and on Cisco’s site.
But none have worked for me.

This is one I am following.

It is an old post and things have changed.
Let's Encrypt is now issuing ECDSA certs instead of RSA.

I have successfully created the wildcard cert for my domain.
I have the following files: cert.pem, chain.pem, fullchain.pem, and privkey.pem

Following the procedures from the link, a few of the commands did not work for me.

Step 3 says to use OpenSSL to assign a password to the private key, using this command:
openssl ec -des -in privkey.pem -out privkey-enc.pem

That command created the privkey-enc.pem file, but never asked me for a password.
I used ‘ec’ in the command rather than ‘rsa’, as OpenSSL told me it was not an RSA key.

I found a different command that lets me assign a password.
So I used this instead:
ssh-keygen -p -f privkey.pem

Also the command at Step 5 needed modification.
I used this:
crypto key import ec host.domain.com.pem exportable terminal Cisco123

It asked me to paste in the public key and then the private key.

Then I get this:
% Key pair import failed.

No other messages in the logs.

Any ideas?

I suspect something is wrong with the private key and the way I assigned the password.

Thanks


Agree the form does not match well to your problem. And, you did a nice enough job supplying info.

I don't have a specific solution for you. I actually think your question is better directed at Cisco Router support. But, I have some comments that might help ...

Yes, things have changed since 2015 :slight_smile: For one Let's Encrypt no longer has the cross-signed cert (it recently expired). All the steps related to DST_Root_CA_X3 should be skipped.

I have no idea if the Cisco Router has changed its requirements since then too.

Let's Encrypt (the ACME Server) still issues RSA as well as ECDSA certs. It is up to the ACME Client (Certbot in this case) to request one or the other. It is true that Certbot now defaults to requesting ECDSA. Use its --key-type rsa to get an RSA cert.

It is possible Cisco requires RSA so that might be necessary. You might just try RSA before having to dig further into Cisco specs.


Hi there. My original tutorial was based on IOS 12, and a lot has changed on IOS-XE, which is now used for just about anything Cisco. And I never took the time to update the tutorial to reflect the changes - sorry. However, I did keep my own personal notes, so hopefully these might help. Please note I am still stuck with RSA certs, so you might need to adjust things for EC if that's the standard you'll be using.

Also, depending on the IOS code you are running, you might want to use OpenSSL v1.x instead, as OpenSSL v3 changed something while generating the pfx file and the IOS device doesn’t like it.

Last but not least, the Root and Intermediate certificates can be found on the LE website. Match them with whichever cert type you are using, or feel free to add all of them if you so desire. Do not change them unless LE changes them too.

  1. To generate the required files:
    => Terminal:
    openssl pkcs12 -export -in domain.rsa.pem -inkey domain.rsa.key -chain -CAfile domain.fullchain.rsa.pem -out ~user/domain.pfx -passout pass:@Password@
    chown user:user ~user/domain.pfx

  2. Import the Root and Intermediate CA (one time only):
    => CLI:
    copy sftp://server/ISRG_Root_X1.pem nvram:
    copy sftp://server/R3.pem nvram:
    conf t
    crypto pki certificate pool
    cabundle nvram:ISRG_Root_X1.pem
    cabundle nvram:R3.pem
    end

    => GUI:
    Configuration > Security > PKI Management > Trustpool > Import

  3. Cert update (periodic):
    => CLI:
    copy sftp://server/domain.pfx flash:
    conf t
    crypto pki import domain-X pkcs12 flash:domain.pfx password @Password@
    ip http secure-trustpoint domain-X
    end

    => GUI:
    Configuration > Security > PKI Management > Add Certificate > Import PKCS12 Certificate


First, great followup. Thanks.

Is pinning the intermediate separately required?

Because R3 is retired. The RSA intermediates randomly alternate between R10 and R11 and backups of R12 and R13 could be employed at any time (hopefully never but ...).

The intermediates for ECDSA vary too

Can't you upload the intermediate that Let's Encrypt returns along with its matching leaf?

3 Likes

Hi @MikeMcQ. My notes were made generic enough so I could use them to update my own automation scripts with formats Cisco expects and certificates LE provides, but to your point, one could add both R10 and R11 for RSA, R12 and R13 for EC, or R10-R13 for pinning for both RSA and EC. Cisco also requires pinning the chain for internal validation.

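The following script is an added example and is not code from the thread, from the tutorial's author, or from Cisco or Let's Encrypt. It covers two points raised above: the PKCS#12 build in the tutorial's step 1, done so that the same command produces an OpenSSL-1.x-style bundle whether it is run under OpenSSL 1.x or 3.x (the "OpenSSL v3 changed something" problem), and the question of which intermediate actually accompanies the leaf, which it answers by reading the finished bundle back with the router password and listing every certificate in it. It assumes `openssl` is on PATH and that the inputs are certbot's per-domain files (cert.pem, privkey.pem, chain.pem); the file names, the `Cisco123` password and the `make_pfx.sh` script name are placeholders. It uses `-certfile` to add certbot's chain.pem as-is rather than the tutorial's `-chain -CAfile`, and it also reports whether privkey.pem is an RSA or an EC key, since certbot writes PKCS#8 "BEGIN PRIVATE KEY" for both and the header alone does not tell you.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco/Let's Encrypt.
# Assumptions: openssl on PATH; certbot's cert.pem, privkey.pem, chain.pem;
# every file name and the password are placeholders.
set -eu

# key_type KEYFILE
# Print rsa, ec or unknown. certbot's PKCS#8 header is the same for both
# algorithms, so look at the decoded key instead of the PEM label.
key_type() {
    txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo unknown; return; }
    case $txt in
        *modulus:*) echo rsa ;;
        *"ASN1 OID:"*|*"NIST CURVE:"*) echo ec ;;
        *) echo unknown ;;
    esac
}

# make_pfx CERT KEY CHAIN OUT PASSWORD
# OpenSSL 3 defaults to AES-256-CBC with PBKDF2/SHA-256 for the key and
# certificate bags and an HMAC-SHA256 MAC; OpenSSL 1.x used PBE-SHA1-3DES
# for the key bag and a SHA-1 MAC. Importers that only understand the old
# layout reject the new one, so ask for 3DES bags and a SHA-1 MAC explicitly.
# 3DES is in OpenSSL 3's default provider, so -legacy is not required.
# -certfile adds certbot's chain.pem verbatim instead of letting openssl
# rebuild the chain from a CA file.
make_pfx() {
    openssl pkcs12 -export \
        -in "$1" -inkey "$2" -certfile "$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$4" -passout "pass:$5"
}

# pfx_subjects PFX PASSWORD
# Open the bundle with the password you intend to type on the router (the MAC
# check fails and nothing is printed if it is wrong) and print the subject of
# every certificate inside: the leaf plus whatever intermediate chain.pem held.
pfx_subjects() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep '^subject='
}

# Usage: sh make_pfx.sh cert.pem privkey.pem chain.pem domain.pfx 'Cisco123'
if [ $# -eq 5 ]; then
    echo "private key type: $(key_type "$2")"
    make_pfx "$1" "$2" "$3" "$4" "$5"
    pfx_subjects "$4" "$5"
fi
```

Run it once per renewal before the `copy sftp://... flash:` step; if `pfx_subjects` prints nothing, the password in the `crypto pki import ... password` line will not match either, and the subject lines tell you which intermediate (R10, R11 or whichever one certbot received) you need in the trustpool if your platform insists on having the chain pinned.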
