Importing key and certificate into Cisco 1811


I have a GRE+IPSec VPN between two Linux boxes. I want to replace one of the Linux boxes with a Cisco 1811, and I would like it to be a drop-in replacement (with no changes on the remaining Linux box, if at all possible). The authentication is currently done using certificates. The certificates are signed by a local CA; however, racoon (the IKE daemon on Linux) is simply configured to check the peer's certificate against a local copy of the other end's certificate (using the peers_certfile directive). The CA signature is not actually checked. Basically, it is similar to using self-signed certificates.

I'm having a hard time importing the certificates and private keys from the existing Linux box onto the Cisco 1811.

I've checked Cisco's online documentation, and googled around long and hard; however, all the examples for importing keys/certificates resulted in errors when I attempted to use them on the 1811. BTW, I'm a Cisco newbie and this is the very first Cisco box I'm configuring. If I haven't mentioned it already ;-)

First I attempted to create pkcs12 file with private key, certificate and CA certificate that would be used on 1811. The CA certificate isn't really used in my config, but I guess it never hurts to have it around.

openssl pkcs12 -inkey cisco.key -in cisco.crt -certfile cacert.crt -export -out cisco.p12

I've copied the cisco.p12 onto flash on Cisco 1811, and attempted to import it:

configure terminal
crypto pki trustpoint vpn-tp
usage ike
revocation-check none
^Z
configure terminal
crypto pki import vpn-tp pkcs12 flash:cisco.p12 passphrase

The last command gave me an import error: CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x72A

The passphrase was correct (openssl can read the p12 file just fine using the same passphrase).

Then I wiped out the trustpoint, and attempted to import just the CA certificate itself. Just to see if it is going to work. I attempted doing it this way:

configure terminal
crypto pki trustpoint vpn-tp
enrollment terminal pem
revocation-check none
usage ike
^Z
configure terminal
crypto pki authenticate vpn-tp

Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE----- ... base64 of CA certificate ...


And again the error message:

% Error in saving certificate: status = FAIL

OK, so it doesn't let me import the CA certificate, no wonder the import of the whole package failed...

I attempted several other variations during the day yesterday, but all ended up with the above error messages.

So, I'm currently stuck with this trivial certificate import stuff (obviously, not that trivial). And can't move to the fun part (figuring out how to set up GRE and IPSec on the Cisco box). I must be doing something totally wrong here, I guess. Any help, hint or advice would be more than welcome.




Searching the net a bit more, I found some other people having the same problem, but no solution.

After some troubleshooting, I noticed that my CA certificate has subjectAltName and issuerAltName defined but empty. I recreated the CA certificate without these two fields, and voila, it worked. Hint for people having the same problem: check your CA certificate. I guess Cisco might want to fix this in IOS, too bad I don't have a service contract to actually report the bug ;-)

Anyhow, I'm currently attempting to figure out one more thing. When I attempt to import actual private key and certificate for the router, it complains with "Error: failed to get key usage from cert" and fails to import the key and certificate.

Could anybody tell me what it is looking for in the certificate, and what the value of that thing should be? Is it possible to generate certificate that works with Cisco routers using openssl?



Well, it's not looking for anything in particular that wasn't already there. The certificate I was attempting to import also had an empty issuerAltName (like the CA cert had); Cisco puked and displayed a completely misleading error message. Once I regenerated the certificate without issuerAltName, it just worked.

I hope this one-man thread will be helpful and save somebody some time in the future.

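The check the thread arrives at (look for subjectAltName or issuerAltName extensions that are present but empty before importing a certificate), written out as an added example that is not part of the original posts. It assumes a PEM-encoded certificate; the helper names and the sample certificate are constructed for illustration, and the sample is an unsigned skeleton, not a real certificate.

```python
import ssl

# DER content bytes of OIDs 2.5.29.17 (subjectAltName) and 2.5.29.18 (issuerAltName)
ALT_NAME_OIDS = {b"\x55\x1d\x11": "subjectAltName", b"\x55\x1d\x12": "issuerAltName"}

def tlv(buf, pos=0):
    """Decode one DER element at pos: return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Decode every element packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = tlv(buf, pos)
        out.append((tag, content))
    return out

def empty_alt_names(pem):
    """List altName extensions whose GeneralNames SEQUENCE has no entries."""
    cert = tlv(ssl.PEM_cert_to_DER_cert(pem))[1]
    tbs = children(cert)[0][1]                 # tbsCertificate contents
    found = []
    for tag, content in children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        for _, ext in children(tlv(content)[1]):
            fields = children(ext)             # extnID, [critical], extnValue
            oid, value = fields[0][1], fields[-1][1]
            if oid in ALT_NAME_OIDS and (not value or tlv(value)[1] == b""):
                found.append(ALT_NAME_OIDS[oid])
    return found

def enc(tag, *parts):
    """Minimal DER encoder (short-form lengths only) for the sample below."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(alt_names):
    """Constructed, unsigned certificate skeleton carrying both altName extensions."""
    exts = [enc(0x30, enc(0x06, oid), enc(0x04, enc(0x30, alt_names)))
            for oid in ALT_NAME_OIDS]
    # version, serial, then empty placeholders for sigAlg/issuer/validity/subject/SPKI
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"),
              *[enc(0x30)] * 5, enc(0xA3, enc(0x30, *exts)))
    der = enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00"))
    return ssl.DER_cert_to_PEM_cert(der)
```

To check a real file, call `empty_alt_names(open("cacert.crt").read())`; the file must begin with the `-----BEGIN CERTIFICATE-----` line, and a non-empty result names the extensions to drop when regenerating the certificate.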