SSL Certificates For Cisco IOS SSL VPN (2911 Router)

To install an SSL certificate from Thawte that uses dual intermediate certificates on a Cisco IOS router, two trustpoints must be created:
1. Configure the first trustpoint with Thawte's primary intermediate CA.
2. Configure the second trustpoint with Thawte's secondary intermediate CA and link it to the first trustpoint.
3. Import the signed SSL certificate into the second trustpoint.
The SSL chain validation will now work properly to authenticate clients.
SSL Certificates for Cisco IOS SSL VPN (2911) - Dual intermediate CAs (Thawte)

I have been struggling to install the Thawte SSL123 certificate onto my Cisco IOS Router (2911 router) for use with the SSL VPN feature. After hours of testing and debugging I have found the issue. Thawte have recently made it so that two intermediate certificates are required in order to validate the signed certificate. This means that creating just one trustpoint within the IOS no longer works. It will error stating that the certificate has not been signed by an authority; this is because the chain is invalid and the router will only be passing the signed SSL certificate to the client without the intermediates. To overcome this, you need to create two trustpoints within the IOS software, install the two intermediate certificates, link the trustpoints together and finally import your signed SSL certificate. Below are instructions on how to perform this. (Please note, I have used Thawte's name as that is what I configured my box with - you can replace the trustpoint names with whatever is applicable.)

1. Create two trustpoints and link the secondary with the primary

    crypto ca trustpoint thawte.int.prim
     enrollment terminal
     rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
     exit
    crypto ca trustpoint thawte.int.sec
     enrollment terminal
     subject-name CN=(HOSTNAME OF CLIENT),OU=(INSERT),O=(INSERT),C=(INSERT),ST=(INSERT),L=(INSERT)
     rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH)
     chain-validation continue thawte.int.prim
     exit

2. Authenticate the primary trustpoint with Thawte's primary intermediate CA and the secondary trustpoint with Thawte's secondary intermediate CA

    crypto ca authenticate thawte.int.prim
     (COPY AND PASTE PRIMARY CA CERTIFICATE)
     quit
    crypto ca authenticate thawte.int.sec
     (COPY AND PASTE SECONDARY CA CERTIFICATE)
     quit

3. Import your signed SSL certificate into the secondary trustpoint

    crypto ca import thawte.int.sec certificate
     (COPY AND PASTE SIGNED SSL CERTIFICATE)

4. Ensure that your webvpn gateway uses the SECONDARY trustpoint

    webvpn gateway (SSL VPN GATEWAY)
     ssl trustpoint thawte.int.sec
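As an added illustration (not part of the original post and not Cisco's code), the following Python model shows why a single trustpoint fails and why two trustpoints linked with "chain-validation continue" succeed: it builds the chain the gateway would present and validates it the way a client does. Certificate names, trustpoint contents and the root name are constructed placeholders, and chain semantics are simplified to subject/issuer matching.

```python
# Model of IOS trustpoints and SSL VPN chain presentation (constructed example).

TRUSTED_ROOT = "Thawte Root CA"  # constructed name: the anchor in the client's store

# Each certificate is modelled as (subject, issuer); names are constructed.
CERTS = {
    "signed-ssl":  ("vpn.example.net", "Thawte Secondary Intermediate"),
    "thawte-sec":  ("Thawte Secondary Intermediate", "Thawte Primary Intermediate"),
    "thawte-prim": ("Thawte Primary Intermediate", TRUSTED_ROOT),
}


class Trustpoint:
    """One 'crypto ca trustpoint': its authenticated CA cert, an optional
    imported identity cert, and an optional 'chain-validation continue' parent."""

    def __init__(self, name, ca_cert, parent=None):
        self.name, self.ca_cert, self.parent = name, ca_cert, parent
        self.identity_cert = None


def presented_chain(tp):
    """Chain the webvpn gateway sends: the identity cert, then the CA cert of
    this trustpoint and of every trustpoint reached via chain-validation continue."""
    chain = [tp.identity_cert]
    while tp is not None:
        chain.append(tp.ca_cert)
        tp = tp.parent
    return chain


def client_validates(chain, trusted_roots):
    """Walk issuer -> subject links; succeed only when the last certificate
    presented was issued by a root the client already trusts."""
    for cert, nxt in zip(chain, chain[1:]):
        if CERTS[cert][1] != CERTS[nxt][0]:
            return False  # broken link: issuer of one cert is not the next cert's subject
    return CERTS[chain[-1]][1] in trusted_roots


def single_trustpoint_setup():
    """The failing case: one trustpoint holding only the secondary intermediate."""
    tp = Trustpoint("thawte", "thawte-sec")
    tp.identity_cert = "signed-ssl"
    return tp


def linked_trustpoint_setup():
    """The working case: secondary trustpoint chained to the primary one."""
    prim = Trustpoint("thawte.int.prim", "thawte-prim")
    sec = Trustpoint("thawte.int.sec", "thawte-sec", parent=prim)
    sec.identity_cert = "signed-ssl"
    return sec
```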

SSL chain validation now works and passes the complete chain to the client, which in effect authenticates the client. Hope this helps anyone - as I have significantly less hair than I did when I first came into the office this morning. To the coffee machine!

Referred from: https://supportforums.cisco.com/docs/DOC-15367
