Create or Import TLS Certificates on Cisco IOS
You can generate a self-signed certificate on Cisco IOS. If that fails, you can generate one on another machine and import it.
Let IOS Generate a Self-Signed Certificate
First, we create a CA (a trustpoint that enrolls with a self-signed certificate):
ISR4321# conf t
ISR4321(config)# crypto pki trustpoint mytp
ISR4321(ca-trustpoint)# enrollment selfsigned
ISR4321(ca-trustpoint)# fqdn isr4300.test
ISR4321(ca-trustpoint)# ip-address 192.168.88.254
ISR4321(ca-trustpoint)# subject-alt-name isr4300.test
ISR4321(ca-trustpoint)# hash sha256
Now, we can create a self-signed TLS certificate (note in the log line below that IOS auto-generates a 1024-bit RSA key pair for it):
ISR4321(config)# crypto pki enroll mytp
Mar 4 15:28:56.870: %CRYPTO-6-AUTOGEN: Generated new 1024 bit key pair
% Include the router serial number in the subject name? [yes/no]: no
Generate Self Signed ISR4321 Certificate? [yes/no]: yes
ISR4321 Self Signed Certificate successfully created
Inspect the just-created certificate details:
ISR4321# sh crypto pki certificates mytp
ISR4321 Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
serialNumber=FDO2431M1QP+hostname=ISR4300+ipaddress=192.168.88.254
Subject:
Name: ISR4300
IP Address: 192.168.88.254
Serial Number: FDO2431M1QP
serialNumber=FDO2431M1QP+hostname=ISR4300+ipaddress=192.168.88.254
Validity Date:
start date: 16:29:19 CET Mar 4 2019
end date: 01:00:00 CET Jan 1 2020
Associated Trustpoints: mytp
Export the certificate:
ISR4321# conf t
ISR4321(config)# crypto pki export mytp pem terminal
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
% RSA keypair 'ISR4321' is not exportable.
Copy and paste it into export.crt and inspect it with openssl x509 -in export.crt -noout -text.
Import a TLS Certificate
You can also create a certificate on another machine and import it into IOS.
- Generate key pair:
  openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
    -out key.pem
  By default, OpenSSL version 3 when invoked with openssl genpkey creates a PKCS#8 file (BEGIN PRIVATE KEY). (My version of) IOS only seems to accept encrypted PKCS#1 (BEGIN RSA PRIVATE KEY).[1]
- Convert to PKCS#1 (-traditional) and encrypt with 3DES (-des3):
  openssl pkey -in key.pem -traditional -des3 -passout pass:foobarbaz -out key.enc.pem
- Generate cert (valid for 10 years):
  openssl req -x509 \
    -key key.pem \
    -out isr4300.crt \
    -days 3700 \
    -subj /CN=isr4300.test \
    -addext 'subjectAltName=DNS:isr4300.test,IP:192.168.88.254'
- Import this as a “trustpoint” into Cisco IOS:
  ISR4300(config)# crypto pki import mytp pem terminal password foobarbaz
  We see the following in running-config:
  crypto pki trustpoint mytp
   enrollment pkcs12
   revocation-check crl
   rsakeypair mytp
  !
  !
  crypto pki certificate chain mytp
   certificate ca 7FBC7EFBC685713BD7225B9AF3E8C7A3E0486078
    3082032E 30820216 A0030201 0202147F BC7EFBC6 85713BD7 225B9AF3 E8C7A3E0
    ...
    quit
Enable TLS to Create a Secure Server
ISR4321(config)# ip http secure-trustpoint mytp
ISR4321(config)# ip http secure-server
And disable cleartext HTTP:
ISR4321(config)# no ip http server
[1] You can see the difference in ASN.1 structure with openssl asn1parse -i -in <file>. (The -i flag “indents the output according to the ‘depth’ of the structures”.)
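The import steps above hinge on the key being in the one container IOS accepted (encrypted PKCS#1, "BEGIN RSA PRIVATE KEY") rather than the PKCS#8 "BEGIN PRIVATE KEY" that openssl genpkey writes by default, and the footnote points at openssl asn1parse to see the structural difference. The following is an added example, not code from the original post: a standard-library-only pre-flight check that classifies a PEM private key (PKCS#8 vs PKCS#1, encrypted or not), walks the DER with a minimal ASN.1 parser to print an indented structure dump in the spirit of asn1parse -i, reports the RSA modulus size (the self-signed path above silently produced a 1024-bit key), and flags anything that would make the paste into crypto pki import fail or leave a weak key on the router. The sample keys are constructed textbook-sized toys (p=61, q=53) and a fake ciphertext of the right shape; they are not usable keys, and the function names are this example's own.

```python
"""Pre-flight check of a PEM private key before `crypto pki import ... pem terminal`.
Added example, not code from the original post. Standard library only; the sample
keys at the bottom are CONSTRUCTED toys, not usable keys."""
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT", 0x30: "SEQUENCE"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


# --- minimal DER encoder, only used to build the constructed sample keys ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v):  # non-negative INTEGER, leading 0x00 added when the top bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_pkcs1(n, e, d, p, q):
    """RSAPrivateKey (PKCS#1): SEQUENCE of version 0 and the eight key integers."""
    ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(0x30, b"".join(der_int(i) for i in ints))


def build_pkcs8(pkcs1):
    """PrivateKeyInfo (PKCS#8): version, AlgorithmIdentifier, OCTET STRING holding PKCS#1."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")
    return tlv(0x30, der_int(0) + alg + tlv(0x04, pkcs1))


def to_pem(label, der, headers=()):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


# --- minimal DER walker: returns (depth, tag, body) tuples in document order ---
def parse(der, offset=0, end=None, depth=0, out=None):
    out = [] if out is None else out
    end = len(der) if end is None else end
    while offset < end:
        tag, first = der[offset], der[offset + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:  # long form: low 7 bits give the number of length bytes
            nb = first & 0x7F
            length, hdr = int.from_bytes(der[offset + 2:offset + 2 + nb], "big"), 2 + nb
        start = offset + hdr
        body = der[start:start + length]
        out.append((depth, tag, body))
        if tag & 0x20:  # constructed type: descend into the children
            parse(der, start, start + length, depth + 1, out)
        offset = start + length
    return out


def dump(der):
    """Indented structure listing, in the spirit of `openssl asn1parse -i`."""
    lines = []
    for d, t, b in parse(der):
        name = TAG_NAMES.get(t, "tag 0x%02x" % t)
        lines.append("  " * d + f"{name} len={len(b)}")
    return "\n".join(lines)


def classify_pem(pem):
    """Describe the first PEM block: container format, encryption, modulus bits."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    lines = [ln.strip() for ln in m.group(2).strip().splitlines()]
    headers = [ln for ln in lines if ":" in ln]  # RFC 1421 headers written by -des3
    b64 = "".join(ln for ln in lines if ln and ":" not in ln)
    fmt = {"PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8",
           "RSA PRIVATE KEY": "PKCS#1"}.get(label, "unknown")
    enc = label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    info = {"label": label, "format": fmt, "encrypted": enc, "bits": None}
    if enc or fmt == "unknown":
        return info  # ciphertext: the modulus is not readable without the passphrase
    nodes = parse(base64.b64decode(b64))
    if fmt == "PKCS#8":
        if not any(t == 0x06 and b == RSA_OID for _, t, b in nodes):
            raise ValueError("PKCS#8 key is not rsaEncryption")
        nodes = parse(next(b for _, t, b in nodes if t == 0x04))  # unwrap the OCTET STRING
    ints = [b for d, t, b in nodes if d == 1 and t == 0x02]
    if len(ints) < 9 or ints[0] != b"\x00":  # version 0 then n, e, d, p, q, dP, dQ, qInv
        raise ValueError("not an RSAPrivateKey structure")
    info["bits"] = int.from_bytes(ints[1], "big").bit_length()
    return info


def ios_import_check(plain_pem, enc_pem, min_bits=2048):
    """Problems with a key pair before pasting it into IOS. plain_pem is the unencrypted
    key (to measure the modulus); enc_pem is the file that will actually be imported."""
    problems = []
    bits = classify_pem(plain_pem)["bits"]
    if bits is not None and bits < min_bits:
        problems.append(f"modulus is {bits} bits, want >= {min_bits}")
    enc = classify_pem(enc_pem)
    if enc["format"] != "PKCS#1":
        problems.append(f"import file is {enc['format']}, IOS wants PKCS#1 (BEGIN RSA PRIVATE KEY)")
    if not enc["encrypted"]:
        problems.append("import file is not encrypted; use openssl pkey -traditional -des3")
    return problems


# CONSTRUCTED samples: textbook RSA numbers, and a fake ciphertext of the right shape.
TOY_PKCS1 = build_pkcs1(3233, 17, 2753, 61, 53)
TOY_PKCS1_PEM = to_pem("RSA PRIVATE KEY", TOY_PKCS1)
TOY_PKCS8_PEM = to_pem("PRIVATE KEY", build_pkcs8(TOY_PKCS1))
TOY_ENC_PEM = to_pem("RSA PRIVATE KEY", b"\x00" * 16,
                     ["Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py key.pem key.enc.pem
        plain, enc = (open(f).read() for f in sys.argv[1:3])
        print("\n".join(ios_import_check(plain, enc)) or "OK: encrypted PKCS#1, modulus long enough")
    else:  # no arguments: show the PKCS#8 wrapper around the PKCS#1 key, then the toy check
        print(dump(build_pkcs8(TOY_PKCS1)))
        print(ios_import_check(TOY_PKCS1_PEM, TOY_ENC_PEM))
```

Run it as script.py key.pem key.enc.pem against the two files produced by the steps above; it reports the 12-bit toy modulus as too short when run on its own samples, and on a real pair it confirms the converted file carries the RSA PRIVATE KEY label with the Proc-Type/DEK-Info headers that IOS's password-protected import expects. The structure dump makes the footnote's point visible: PKCS#8 is the PKCS#1 SEQUENCE wrapped in an OCTET STRING behind an rsaEncryption AlgorithmIdentifier.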