importing key and certificate into cisco 1811

Discussion in 'Cisco' started by amiliv, Aug 29, 2006.

  1. amiliv

    amiliv Guest


    I have a GRE+IPSec VPN between two Linux boxes. I want to replace one of
    the Linux boxes with a Cisco 1811, and I would like it to be a drop-in
    replacement (with no changes on the remaining Linux box, if at all
    possible). The authentication is currently done using certificates.
    The certificates are signed by a local CA; however, racoon (the IKE daemon
    on Linux) is simply configured to check the peer's certificate against a
    local copy of the other end's certificate (using the peers_certfile directive).
    The CA signature is not actually checked. Basically, similar to using
    self-signed certificates.

    I'm having a hard time importing the certificates and private keys from the
    existing Linux box onto the Cisco 1811.

    I've checked Cisco's online documentation and googled around long and
    hard; however, all the examples for importing keys/certificates resulted
    in errors when I attempted to use them on the 1811. BTW, I'm a Cisco
    newbie and this is the very first Cisco box I'm configuring. If I
    haven't mentioned it already ;-)

    First I attempted to create a pkcs12 file with the private key, certificate
    and CA certificate that would be used on the 1811. The CA certificate
    isn't really used in my config, but I guess it never hurts to have it.

    openssl pkcs12 -inkey cisco.key -in cisco.crt -certfile cacert.crt \
        -export -out cisco.p12

    I've copied cisco.p12 onto the flash of the Cisco 1811 and attempted to
    import it:

    configure terminal
    crypto pki trustpoint vpn-tp
     usage ike
     revocation-check none
     exit
    ! back in global configuration mode; "passphrase" is the PKCS#12 password
    crypto pki import vpn-tp pkcs12 flash:cisco.p12 passphrase

    The last command gave me an import error:
    CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x72A

    The passphrase was correct (openssl can read the p12 file just fine
    using the same passphrase).

    Then I wiped out the trustpoint and attempted to import just the CA
    certificate itself, just to see if it was going to work. I attempted
    doing it this way:

    configure terminal
    crypto pki trustpoint vpn-tp
     enrollment terminal pem
     revocation-check none
     usage ike
     exit
    ! back in global configuration mode; the CA certificate is pasted at the prompt
    crypto pki authenticate vpn-tp

    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself

    .... base64 of CA certificate ...
    -----END CERTIFICATE-----

    And again the error message:

    % Error in saving certificate: status = FAIL

    OK, so it doesn't let me import the CA certificate; no wonder the import
    of the whole package failed...

    I attempted several other variations during the day yesterday, but all
    ended up with the above error messages.

    So, I'm currently stuck on this trivial certificate import stuff
    (obviously not that trivial) and can't move on to the fun part
    (figuring out how to set up GRE and IPSec on the Cisco box). I must be
    doing something totally wrong here, I guess. Any help, hint or advice
    would be more than welcome.

    amiliv, Aug 29, 2006

  2. amiliv

    amiliv Guest


    Searching the net a bit more, I found some other people having the same
    problem, but no solution.

    After some troubleshooting, I noticed that my CA certificate has
    subjectAltName and issuerAltName defined but empty. I recreated the CA
    certificate without these two fields, and voilà, it worked. Hint for
    people having the same problem: check your CA certificate. I guess
    Cisco might want to fix this in IOS; too bad I don't have a service
    contract to actually report the bug ;-)

    Anyhow, I'm currently attempting to figure out one more thing. When I
    attempt to import the actual private key and certificate for the router, it
    complains with "Error: failed to get key usage from cert" and fails to
    import the key and certificate.

    Could anybody tell me what it is looking for in the certificate, and
    what the value of that thing should be? Is it possible to generate a
    certificate that works with Cisco routers using openssl?

    amiliv, Aug 30, 2006

  3. amiliv

    amiliv Guest

    Well, it's not looking for anything in particular that wasn't already
    there. The certificate I was attempting to import also had an empty
    issuerAltName (like the CA cert had); Cisco puked and displayed a
    completely misleading error message. Once I regenerated the certificate
    without issuerAltName, it just worked.

    I hope this one-man thread will be helpful and save somebody some time
    in the future.
    amiliv, Aug 30, 2006
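    As an added example (not from this thread or from amiliv): an OpenSSL shell
    script that generates a CA and a router certificate without the empty
    subjectAltName/issuerAltName extensions described in the posts above,
    exports key, certificate and CA certificate as PKCS#12 for "crypto pki
    import", and checks every certificate for an empty altName extension before
    anything is copied to the router. The names (Example Lab CA,
    router.example.net, the vpn-tp friendly name), the scratch directory and the
    passphrase are placeholders; the SHA-1/3DES PBE for the PKCS#12 is an
    assumption about what a 2006-era IOS parses, not something the thread states.

```sh
#!/bin/sh
# Added example, not code from the thread.  Builds a CA and a router
# certificate with OpenSSL so that neither carries an empty subjectAltName
# or issuerAltName extension (the cause of the import failures above),
# exports key + cert + CA as PKCS#12 and checks the result.
# Assumed: OpenSSL 1.1.1 or 3.x; "Example Lab CA", "router.example.net"
# and "vpn-tp" are illustrative placeholders.
set -u

WORK="${WORK:-$(mktemp -d)}"    # scratch directory for keys and certs
PASS="${PASS:-change-me}"       # PKCS#12 passphrase (use a real one)

# Extension profiles.  The stock openssl.cnf carries commented-out
# "subjectAltName=email:copy" / "issuerAltName=issuer:copy" lines; with no
# emailAddress in the subject those yield an *empty* extension, which is
# what the thread's IOS rejected.  Neither line appears here.
write_ext_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = overridden-by-subj

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ router_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA; a clean CA cert is what "crypto pki authenticate" loads.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Lab CA" -config "$WORK/ext.cnf" -extensions ca_ext \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.crt" 2>/dev/null
}

# Router key, CSR and CA-signed certificate with an explicit keyUsage.
make_router_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=router.example.net" -config "$WORK/ext.cnf" \
        -keyout "$WORK/cisco.key" -out "$WORK/cisco.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$WORK/cisco.csr" \
        -CA "$WORK/cacert.crt" -CAkey "$WORK/cacert.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions router_ext \
        -out "$WORK/cisco.crt" 2>/dev/null
}

# Returns 0 if the certificate has no empty altName extension.  An empty
# GeneralNames prints as "<EMPTY>" or as a bare header followed directly
# by the next extension; both forms are flagged.
cert_altnames_ok() {
    openssl x509 -in "$1" -noout -text | awk '
        /Alternative Name:/ { pending = 1; next }
        pending {
            pending = 0
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "" || line == "<EMPTY>" ||
                line ~ /^X509v3 / || line ~ /^Signature Algorithm/) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# PKCS#12 bundle.  SHA-1/3DES PBE and a SHA-1 MAC are assumed to be what an
# old IOS parses; OpenSSL 3 defaults to AES/PBKDF2 instead.
export_pkcs12() {
    openssl pkcs12 -export -name vpn-tp \
        -inkey "$WORK/cisco.key" -in "$WORK/cisco.crt" -certfile "$WORK/cacert.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$WORK/cisco.p12"
}

# Re-read the bundle with the passphrase and print the router cert subject.
pkcs12_subject() {
    openssl pkcs12 -in "$WORK/cisco.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Everything in order; prints notBefore because the router clock (see the
# last post in the thread) must lie inside the validity period.
build_bundle() {
    write_ext_config && make_ca && make_router_cert && export_pkcs12 &&
    cert_altnames_ok "$WORK/cacert.crt" && cert_altnames_ok "$WORK/cisco.crt" &&
    openssl verify -CAfile "$WORK/cacert.crt" "$WORK/cisco.crt" >/dev/null &&
    openssl x509 -in "$WORK/cisco.crt" -noout -startdate
}

if [ "${1:-}" = "run" ]; then build_bundle; fi
```

    Run it as "sh make-bundle.sh run" (the file name is hypothetical), copy the
    resulting cisco.p12 to flash: and import it with the trustpoint commands from
    the first post. If cert_altnames_ok flags a certificate you generated
    elsewhere, look for subjectAltName=email:copy or issuerAltName=issuer:copy
    in the openssl.cnf that produced it.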
  4. tomi26


    Check the time on your router:
    run the command "show clock".

    If the time is not correct (2002 instead of 2009) there is a big chance that you will not be able to import the CA certificate.
    tomi26, Mar 25, 2009
