Tuesday, September 10, 2013

Cisco IOS certificate handling

This is primarily for sslvpn type stuff first off.

I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them.  All in all they rock.  Thanks startssl.com

Importing the cert so I can use it on the router.  Seems simple but there are some gotchas.

StartSSL give you a private key..

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D

yeahrightlikeimgoingtogiveyoumykey

-----END RSA PRIVATE KEY-----

and a public key

-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----


First gotcha all they guides i've seen are old and say

crypto ca import

Most new IOS use instead

crypto pki

Second big gotcha is the IOS doesn't do AES.  So see in the private key, 3rd line it has AES we need to convert that.

It's easy if you have a Mac or a Linux box.  With windows you need to install openssl.

Save your private key on your Desktop as oldkey.pem, open the terminal and type

openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3

Open the newkey.pem file and your public key and download the  CA certificate for your provider. They'll have a link in FAQs etc.

Log into the router, enable etc and go to config t.

To be continued


No comments: