Ssl certificates for cisco ios ssl vpn  (2911 router)
Upcoming SlideShare
Loading in...5
×
 

Ssl certificates for cisco ios ssl vpn (2911 router)

on

  • 440 views

Leading Cisco networking products distributor-3network.com

Leading Cisco networking products distributor-3network.com
How to setup call blocking based off of incoming caller's ani

Statistics

Views

Total Views
440
Views on SlideShare
435
Embed Views
5

Actions

Likes
0
Downloads
1
Comments
0

1 Embed 5

http://www.slideee.com 5

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Ssl certificates for cisco ios ssl vpn  (2911 router) Ssl certificates for cisco ios ssl vpn (2911 router) Document Transcript

    • SSL Certificates for Cisco IOS SSL VPN (2911) - Dual intermediate CA's (Thawte) I have been struggling to install the Thawte SSL123 certificate onto my Cisco IOS Router (2911 router) for use with the SSL VPN feature. After hours of testing and debugging I have found the issue. Thawte have recently made it so that two intermediate certificates are required in order to validate the signed certificate. This means that creating just one trustpoint within the IOS no longer works. It will error stating that the certificate has not been signed by an authority, this is because the Chain is invalid and the router will only be passing the signed SSL certificate to the client without the intermediates. To overcome this, you need to create two trustpoints within the IOS software, install the two intermediate certificates, link the trustpoints together and finally import your signed SSL certificate. Below is instructions on how to perform this: (please note, I have used thawte's name as that is what I configured my box with - you can replace the trustpoint names with whatever is applicable) 1 Create two trustpoints and link the secondary with the primary crypto ca trustpoint thawte.int.prim enrollment terminal rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH) exit crypto ca trustpoint thawte.int.sec enrollment terminal subject-name CN=(HOSTNAME OF CLIENT,OU=(INSERT),O=(INSERT),C=(INSERT),ST=(INSERT),L=(INSERT) rsakeypair (YOUR KEY PAIR WHICH YOU ARE SIGNING WITH) chain-validation continue thawte.int.prim exit 2 Authenticate the primary trustpoint with Thawte's primary intermediate CA and the secondary trustpoint with Thawte's secondary intermediate CA crypto ca authenticate thawte.int.prim (COPY AND PASTE PRIMTARY CA CERTIFCATE) quit crypto ca authenticate thawte.int.sec (COPY AND PASTE SECONDARY CA CERTIFICATE) 1
    • quit 3 Import your signed SSL certificate into the secondary trustpoint crypto ca import thawte.int.sec certificate (COPY AND PASTE SIGNEGD SSL CERTIFICATE) 4 Ensure that your webvpn gateway uses the SECONDARY trustpoint webvpn gateway (SSL VPN GATEWAY) ssl trustpoint thawte.int.sec SSL chain validation now works and passes the complete chain to the client which in effect, authenticates the client. Hope this helps anyone - as I have significantly less amount of hair I did when I first came into the office this morning. To the coffee machine! It is referred from: https://supportforums.cisco.com/docs/DOC-15367 More related: How To Recover Cisco Router Password Cisco router rules of nomenclature Enterprise router recommendation: Cisco 2911 router The Difference of The Cisco Catalyst 2900 and Cisco Catalyst 1900 More Cisco products and Reviews you can visit: http://www.3anetwork.com/blog 3Anetwork.com is a world leading Cisco networking products wholesaler, we wholesale original new Cisco networking equipments, including Cisco Catalyst switches, Cisco routers, Cisco firewalls, Cisco wireless products, Cisco modules and interface cards products at competitive price and ship to worldwide. Our website: http://www.3anetwork.com Telephone: +852-3069-7733 Email: info@3Anetwork.com Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong 2