Problems with IOS HTTPS and Certificates

S. Schmid
11-10-2003
Hello,

I am trying to set up our Cisco 7200 (c7200-jk8o3s-mz.123-1a.B.bin) for
HTTPS access.

It seems to work without explicitly configuring a CA trustpoint (as
the router automatically generates a temporary SSL certificate).
However, the problem is that after each reboot (and also
periodically), the certificate changes, and the client gets a security
warning message until they install the new temporary certificate.

Therefore, I tried to configure a CA trustpoint and enrolled a
certificate from our Windows .NET 2003 server according to
* http://www.cisco.com/en/US/products/...7.html#xtocid7
and
* http://www.tburke.net/info/reskittoo..._enrolling.htm.

This seemed to have worked fine:

acccessII#show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 29DCDE6E000000000053
Certificate Usage: General Purpose
Issuer:
CN = Testbed Root CA
OID.0.9.2342.19200300.100.1.25 = testbed
OID.0.9.2342.19200300.100.1.25 = net
Subject:
Name: acccessII.testbed.net
CN = accessII.testbed.net
OID.1.2.840.113549.1.9.2 = acccessII.testbed.net
CRL Distribution Point:
http://domain.testbed.net/CertEnroll...0Root%20CA.crl
Validity Date:
start date: 18:54:10 GMT Oct 29 2003
end date: 18:54:10 GMT Oct 28 2005
renew date: 00:00:00 GMT Jan 1 1970
Associated Trustpoints: testbed

CA Certificate
Status: Available
Certificate Serial Number: 3075376C20F1A9834E3BE841634144E4
Certificate Usage: General Purpose
Issuer:
CN = Testbed Root CA
OID.0.9.2342.19200300.100.1.25 = testbed
OID.0.9.2342.19200300.100.1.25 = net
Subject:
CN = Testbed Root CA
OID.0.9.2342.19200300.100.1.25 = testbed
OID.0.9.2342.19200300.100.1.25 = net
CRL Distribution Point:
http://domain.testbed.net/CertEnroll...0Root%20CA.crl
Validity Date:
start date: 17:59:37 GMT Feb 12 2003
end date: 17:59:37 GMT Feb 12 2008
Associated Trustpoints: testbed

However, when I now try to connect to the router via HTTPS
(https://router/), the router reports an HTTPS error.

w0d: %HTTPS: SSL handshake fail (-6997)
1w0d: HTTP: ssl handshake failed (-40404)

1w0d: %HTTPS: SSL handshake fail (-6996)
1w0d: HTTP: ssl handshake failed (-40404)

Also, Netscape reports an error regarding the router's certificate
(while IE simply fails to display anything).

Since I am really stuck with this (I have already tried for hours/days
without success), I would highly appreciate it if you could advise me
what to do.

Thanks a lot in advance.

- Stefan

PS: Below you find parts of the router config and the certificate
state.

!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authorization auth-proxy default group radius
aaa session-id common
...
!
crypto ca trustpoint testbed
enrollment mode ra
enrollment url http://domain.testbed.net:80/certsrv/mscep/mscep.dll
subject-name CN=accessII.testbed.net
crl optional
!
crypto ca certificate chain testbed
certificate 29DCDE6E000000000053
308205A0 30820488 A0030201 02020A29
....
!
interface GigabitEthernet0/0.838
encapsulation dot1Q 838
ip address 10.30.62.4 255.255.255.0
ip access-group wlan-in in
ip auth-proxy wlan-users
....
!ip http server
ip http access-class 61
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint testbed
!

ADB
09-06-2006
Hi, did you ever get this to work?
I have the same issue and I believe I know what the problem is, but I don't know how to resolve it:

When the router (and PIX, in my case) generates a self-signed certificate, it doesn't contain the 'Key Usage' or the 'Enhanced Key Usage' fields. When you enroll with a Windows 2003 CA using the SCEP method, the certificate has the 'Key Usage' and the 'Enhanced Key Usage' fields, with the Key Usage set to 'Digital Signature, Key Encipherment (a0)' and the Enhanced Key Usage set to 'IP security IKE intermediate (1.3.6.1.5.5.8.2.2)'. I think this second one prevents IE (or Netscape, Firefox, etc.) from accepting the certificate. I think the certificate should contain the Enhanced Key Usage of 'Server Authentication (1.3.6.1.5.5.7.3.1)'.
I don't know how to change the Certificates that SCEP enrolls you into, to add the additional Enhanced Key Usage.

Anyone help?

Andy
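As an added example (written for this page, not code from either poster or from Cisco), the following pure-Python decoder handles the two X.509 extension values Andy's diagnosis turns on and checks them the way a TLS client would: a KeyUsage BIT STRING and an ExtendedKeyUsage SEQUENCE OF OID. The sample DER bytes are constructed here, not taken from the router in the thread: a KeyUsage of a0 (digitalSignature, keyEncipherment), an EKU holding only the 'IP security IKE intermediate' OID 1.3.6.1.5.5.8.2.2 as the SCEP-issued certificate reportedly does, and an EKU that also carries serverAuth 1.3.6.1.5.5.7.3.1. The check function reports why a browser would refuse the first certificate for HTTPS and accept the second; to inspect a real certificate you would feed it the raw extension values obtained from a DER or PEM parser.

```python
"""Decode X.509 KeyUsage and ExtendedKeyUsage extension values (raw DER)
and decide whether a certificate is usable for TLS/HTTPS server authentication.
Standard library only; no external dependencies."""

# Well-known extended key usage OIDs (RFC 5280 id-kp-serverAuth; the IKE
# intermediate OID is the one named in the reply above).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # Server Authentication
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # IP security IKE intermediate

# KeyUsage bit names in bit-position order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Turn DER OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]  # first octet packs the first two arcs
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)    # base-128 digits, high bit = continuation
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_ext_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsageSyntax members must be OIDs")
        oids.append(decode_oid(value))
    return oids


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING -> list of the names of the bits that are set."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]  # first content octet = count of unused trailing bits
    names = []
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i])
    return names


def check_https_server_cert(key_usage_der, eku_der):
    """Return a list of findings explaining why a TLS client would reject the
    certificate for server authentication; an empty list means it is acceptable.
    Pass None for an extension that is absent (an absent EKU imposes no restriction)."""
    findings = []
    if eku_der is not None:
        eku = decode_ext_key_usage(eku_der)
        if SERVER_AUTH not in eku:
            findings.append("EKU present but lacks serverAuth %s: %s" % (SERVER_AUTH, ", ".join(eku)))
    if key_usage_der is not None:
        ku = decode_key_usage(key_usage_der)
        if "digitalSignature" not in ku and "keyEncipherment" not in ku:
            findings.append("KeyUsage allows neither digitalSignature nor keyEncipherment: %s" % ", ".join(ku))
    return findings


# Constructed sample extension values (not taken from the router in the thread).
KU_A0 = bytes.fromhex("030205a0")                        # BIT STRING, 5 unused bits, 0xa0
EKU_IKE_ONLY = bytes.fromhex("300a06082b06010505080202")  # SEQUENCE { IKE intermediate }
EKU_WITH_SERVER_AUTH = bytes.fromhex(                    # SEQUENCE { IKE intermediate, serverAuth }
    "3014" "06082b06010505080202" "06082b06010505070301")

if __name__ == "__main__":
    print("KeyUsage a0 decodes to:", decode_key_usage(KU_A0))
    print("SCEP-style certificate:", check_https_server_cert(KU_A0, EKU_IKE_ONLY))
    print("With serverAuth added:", check_https_server_cert(KU_A0, EKU_WITH_SERVER_AUTH))
```

Note that an EKU extension restricts the certificate to the purposes it lists, so adding a second OID rather than replacing the IKE one is enough for a client that requires serverAuth; a KeyUsage of a0 is already what an RSA TLS server key needs. A finding from the check therefore points at the CA's issuing template, not at the router's trustpoint configuration.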