importing key and certificate into cisco 1811

Hi,

I have GRE+IPSec VPN between two Linux boxes. I want to replace one of
the Linux boxes with Cisco 1811, and I would like it to be drop-in
replacement (with no changes on the remaining Linux box, if at all
possible). The authentication is currently done using certificates.
The certificates are signed by local CA, however the racoon (IKE daemon
on Linux) is simply configured to check the peers certificate against
local copy of other-ends certificate (using peers_certfile directive).
CA signature is not actually checked. Basically, similar as when using
self-signed certificates.

I'm having hard time importing the certificates and private keys from
existing Linux box onto Cisco 1811.

I've checked Cisco's online documentation, and googled around long and
hard, however all the examples for importing keys/certificates resulted
with errors when I attempted to use them on 1811. BTW, I'm Cisco
newbee and this is the very first Cisco box I'm configuring. If I
haven't mentioned it already ;-)

First I attempted to create pkcs12 file with private key, certificate
and CA certificate that would be used on 1811. The CA certificate
isn't really used in my config, but I guess it never hurts to have it
around.

openssl pkcs12 -inkey cisco.key -in cisco.crt -certfile cacert.crt
-export -out cisco.p12

I've copied the cisco.p12 onto flash on Cisco 1811, and attempted to
import it:

configure terminal
crypto pki trustpoint vpn-tp
usage ike
revocation-check none
^Z
configure terminal
crypto pki import vpn-tp pkcs12 flash:cisco.p12 passphrase

The last command gave me an import error:
CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x72A

The passphrase was correct (openssl can read the p12 file just fine
using the same passphrase).

Than I wiped out the trustpoint, and attempted to import just the CA
certificate itself. Just to see if it is going to work. I attempted
doing it this way:

configure terminal
crypto pki trustpoint vpn-tp
enrollment terminal pem
revocation-check none
usage ike
^Z
configure terminal
crypto pki authenticate vpn-tp

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
.... base64 of CA certificate ...
-----END CERTIFICATE-----

And again the error message:

% Error in saving certificate: status = FAIL

OK, so it doesn't let me to import CA certificate, no wonder the import
of the whole package failed...

I attempted several other variations during the day yesterday, but all
ended up with the above error messages.

So, I'm currently stuck with this trivial certificate import stuff
(obviously, not that trivial). And can't move to the fun part
(figuring out how to setup GRE and IPSec on Cisco box). I must be
doing something totally wrong here, I guess. Any help, hint or advice
would be more than welcome.

Thanks

 

[snip]

Searching the net a bit more, I found some other people having the same
problem, but no solution.

After some troubleshooting, I noticed that my CA certificate has
subjectAltName and issuerAltName defined but empty. I recreated CA
certificate without this two fields, and voila, it worked. Hint for
people having the same problem, check your CA certificate. I guess
Cisco might want to fix this in IOS, too bad I don't have service
contract to actually report the bug ;-)

Anyhow, I'm currently attempting to figure out one more thing. When I
attempt to import actual private key and certificate for the router, it
complains with "Error: failed to get key usage from cert" and fails to
import the key and certificate.

Could anybody tell me what it is looking for in the certificate, and
what the value of that thing should be? Is it possible to generate
certificate that works with Cisco routers using openssl?

Thanks

 

Well, it's not looking for anything in particular that wasn't already
there. The certificate I was attempting to import also had an empty
issuerAltName (like the CA cert had), Cisco puked and displayed
completely misleading error message. Once I regenerated certificate
without issuerAltName, it just worked.

I hope this one-man thread will be helpful and save some time to
somebody in the future.

 

Hi.
check the time on your router.
run the command "show clock".

If the time is not correct ( 2002 instead of 2009 ) there are big chances that you will not be able to import the CA certificate.