Problems with IOS HTTPS and Certificates

Discussion in 'Cisco' started by S. Schmid, Nov 10, 2003.

  1. S. Schmid

    Hello,

    I am trying to set up our Cisco 7200 (c7200-jk8o3s-mz.123-1a.B.bin) for
    HTTPS access.

    It seems to work without explicitly configuring a CA trustpoint (as
    the router automatically generates a temporary SSL certificate).
    However, the problem is that after each reboot (and also
    periodically), the certificate changes, and the client gets a security
    warning message until they install the new temporary certificate.

    Therefore, I tried to configure a CA trustpoint and enrolled a
    certificate from our Windows .NET 2003 server according to
    * http://www.cisco.com/en/US/products...ts_feature_guide09186a0080087ca7.html#xtocid7
    and
    * http://www.tburke.net/info/reskittools/topics/mscep_enrolling.htm.

    This seemed to have worked fine:

    acccessII#show crypto ca certificates
    Certificate
    Status: Available
    Certificate Serial Number: 29DCDE6E000000000053
    Certificate Usage: General Purpose
    Issuer:
    CN = Testbed Root CA
    OID.0.9.2342.19200300.100.1.25 = testbed
    OID.0.9.2342.19200300.100.1.25 = net
    Subject:
    Name: acccessII.testbed.net
    CN = accessII.testbed.net
    OID.1.2.840.113549.1.9.2 = acccessII.testbed.net
    CRL Distribution Point:
    http://domain.testbed.net/CertEnroll/Testbed Root CA.crl
    Validity Date:
    start date: 18:54:10 GMT Oct 29 2003
    end date: 18:54:10 GMT Oct 28 2005
    renew date: 00:00:00 GMT Jan 1 1970
    Associated Trustpoints: testbed

    CA Certificate
    Status: Available
    Certificate Serial Number: 3075376C20F1A9834E3BE841634144E4
    Certificate Usage: General Purpose
    Issuer:
    CN = Testbed Root CA
    OID.0.9.2342.19200300.100.1.25 = testbed
    OID.0.9.2342.19200300.100.1.25 = net
    Subject:
    CN = Testbed Root CA
    OID.0.9.2342.19200300.100.1.25 = testbed
    OID.0.9.2342.19200300.100.1.25 = net
    CRL Distribution Point:
    http://domain.testbed.net/CertEnroll/Testbed Root CA.crl
    Validity Date:
    start date: 17:59:37 GMT Feb 12 2003
    end date: 17:59:37 GMT Feb 12 2008
    Associated Trustpoints: testbed

    However, when I now try to connect to the router via HTTPS
    (https://router/), the router reports an HTTPS error.

    w0d: %HTTPS: SSL handshake fail (-6997)
    1w0d: HTTP: ssl handshake failed (-40404)

    1w0d: %HTTPS: SSL handshake fail (-6996)
    1w0d: HTTP: ssl handshake failed (-40404)

    Also, Netscape reports an error regarding the router's certificate
    (while IE simply fails to display anything).

    Since I am really stuck with this (I already tried for hours/days
    without success), I would highly appreciate if you could advise me
    what to do.

    Thanks a lot in advance.

    - Stefan

    PS: Below you find parts of the router config and the certificate
    state.

    !
    aaa new-model
    !
    !
    aaa authentication login default local group radius
    aaa authorization auth-proxy default group radius
    aaa session-id common
    ...
    !
    crypto ca trustpoint testbed
    enrollment mode ra
    enrollment url http://domain.testbed.net:80/certsrv/mscep/mscep.dll
    subject-name CN=accessII.testbed.net
    crl optional
    !
    crypto ca certificate chain testbed
    certificate 29DCDE6E000000000053
    308205A0 30820488 A0030201 02020A29
    ....
    !
    interface GigabitEthernet0/0.838
    encapsulation dot1Q 838
    ip address 10.30.62.4 255.255.255.0
    ip access-group wlan-in in
    ip auth-proxy wlan-users
    ....
    !
    ip http server
    ip http access-class 61
    ip http authentication aaa
    ip http secure-server
    ip http secure-trustpoint testbed
    !
    S. Schmid, Nov 10, 2003
    #1
  2. ADB

    Hi, did you ever get this to work?
    I have the same issue and I believe I know what the problem is but don't know how to resolve it:

    When the router (and PIX in my case) generates a self-signed certificate, it doesn't contain the 'Key Usage' or the 'Enhanced Key Usage' fields. When you enroll with a Windows 2003 CA using the SCEP method, the certificate has the 'Key Usage' and the 'Enhanced Key Usage' fields, with the Key Usage set to 'Digital Signature, Key Encipherment (a0)' and the Enhanced Key Usage set to 'IP security IKE intermediate (1.3.6.1.5.5.8.2.2)'. I think this second one prevents IE (or Netscape, Firefox etc.) from accepting the certificate. I think the certificate should contain the Enhanced Key Usage of 'Server Authentication (1.3.6.1.5.5.7.3.1)'.
    I don't know how to change the certificates that SCEP enrolls you into to add the additional Enhanced Key Usage.

    Anyone help?

    Andy
    ADB, Sep 6, 2006
    #2
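ADB's diagnosis turns on the Extended Key Usage extension. As an added example (not code from either post or from Cisco), the Python below DER-encodes and decodes the EKU extension from the OIDs quoted in the thread and applies the RFC 5280 rule a browser follows when it checks an HTTPS server certificate: no EKU means any purpose is allowed, but a present EKU must list serverAuth. The sample extension values are constructed here, and short-form DER lengths are assumed.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # IP security IKE intermediate (what SCEP issued)

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # higher 7-bit groups carry the continuation bit
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short-form length assumed)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def decode_oid(body):  # inverse of encode_oid, given the bytes after tag and length
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def decode_eku(der):
    """Return the KeyPurposeId OIDs listed in a DER-encoded EKU extension value."""
    assert der[0] == 0x30 and der[1] < 0x80, "expected short-form SEQUENCE"
    i, end, oids = 2, 2 + der[1], []
    while i < end:
        n = der[i + 1]
        oids.append(decode_oid(der[i + 2:i + 2 + n]))
        i += 2 + n
    return oids

def allows_tls_server_auth(eku_oids):
    """RFC 5280 4.2.1.12: no EKU extension (None) means any purpose; a present
    EKU must list serverAuth (or anyExtendedKeyUsage) for an HTTPS server."""
    return eku_oids is None or SERVER_AUTH in eku_oids or ANY_EKU in eku_oids
# Constructed samples: the EKU the post says SCEP issued, and the fixed variant.
ROUTER_EKU = encode_eku([IKE_INTERMEDIATE])
FIXED_EKU = encode_eku([IKE_INTERMEDIATE, SERVER_AUTH])
```

The temporary self-signed certificate the router generates has no EKU at all, which is why browsers accept it apart from the trust warning, while the SCEP-enrolled one fails the check until serverAuth is added.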