This document walks through the steps I took to successfully implement a free SSL certificate for use with WebVPN on a Cisco IOS router.
I had tried a couple of times to use StartSSL certificates but fell at different hurdles. However, this time I crossed the line.
The credit for this success goes 100% to a member on the StartSSL forum, dlambert – he documented his steps and I merely followed them! This post is as much for my own reference, and if it helps someone else along – great!
Dlambert’s original post can be found at https://forum.startcom.org/viewtopic.php?p=6568&sid=1750512d3d6a4bbcc95dcd3cd94d228b#p6568
1. Generate an RSA key pair for use with the certificates.
RTR(config)#crypto key generate rsa general-keys label RSA.StartSSL-vpn modulus 2048 exportable
RTR(config)#crypto key export rsa RSA.StartSSL-vpn pem terminal 3des <password>
This will display the RSA keys to the screen.
Copy and Paste these into a text file on your computer. Save the section containing the private key to a file called private.key
For example:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3568BE1DF325CB8

lxkgHIrPBaX4QNJo7EN1QzAvB+iz7A+UXNlwJvyB2Moy7UhGXdq5ss3sQUVXdbem
nA56jYUnLKOjPUHjPfeMEa2zHdTCS5P9HFu6VjXgn1gc9tTtTsVXrVy/nQYJbTBv
.......
6m5N37apbOAypLZTKx6BekHsE4TfDv2FHJsbNwJxtVlBLwS5j0TlN8j0vZh4y6TK
gVpKU1kMbOpBtzVHoT5LCBPCXOPak1jqg66xpU0ztlD6Vy2Vtx1mhcUZXGfXo7P7
-----END RSA PRIVATE KEY-----
2. Create a template file for the Certificate Signing Request.
Save the following snippet as 2048.cpl:
#################################################
[ req ]
default_bits = 2048
distinguished_name = dn

[ dn ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = FQDN
emailAddress = Email
#################################################
3. For the next step, you need the OpenSSL binaries on your local PC to prepare the CSR in the format that StartSSL expects. Visit www.openssl.org for details on obtaining them for your operating system.
openssl req -new -sha1 -key private.key -out server.csr -config 2048.cpl
4. Head over to the StartSSL website to generate the Certificate, based on the CSR you just created.
Follow the Wizard to generate a Web/Server SSL/TLS certificate.
On the screen titled Generate Private Key, click the Skip button, as you have already generated your keys on the router.
Copy and Paste the contents of the server.csr file you generated (including header lines) into the Submit Certificate Request box.
Save the resulting certificate text into a file name of your choice.
Also, while on the certificate screen of StartCom, save the CA certificate and the intermediate CA certificate (right-click, Save As).
5. Create a Trustpoint on the router to hold the CA certificate.
RTR(config)#crypto pki trustpoint StartSSL-CA-Trustpoint
RTR(config)#enrollment terminal pem
RTR(config)#revocation-check none
RTR(config)#crypto pki authenticate StartSSL-CA-Trustpoint
At this point, paste in the contents of ca.pem (the CA certificate file you downloaded earlier).
Finish with quit on a line on its own.
6. Similar to step 5, but this time creating a Trustpoint that will hold the intermediate CA, linked to the RSA key pair generated in step 1.
RTR(config)#crypto pki trustpoint StartSSL-Inter-Cert-Trustpoint
RTR(config)#enrollment terminal pem
RTR(config)#usage ssl-server
RTR(config)#serial-number none
RTR(config)#fqdn vpn.domain.com
RTR(config)#ip-address none
RTR(config)#revocation-check crl
RTR(config)#rsakeypair RSA.StartSSL-vpn
RTR(config)#crypto pki authenticate StartSSL-Inter-Cert-Trustpoint
Paste in the contents of the sub.class1.server.ca.pem Intermediate CA file.
7. Now you can import your actual certificate, and it should be tied correctly to all the components.
RTR(config)#crypto pki import StartSSL-Inter-Cert-Trustpoint certificate
Paste in the contents of the certificate file you saved earlier.
Again, finish with quit on a line on its own.
If successful, you should see the following message:
% Router Certificate successfully imported
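Before submitting the CSR in step 4, and again before the import in step 7, it is worth checking locally that the request and the signed certificate really belong to the router's key and that the certificate chains to the CA and intermediate loaded in steps 5 and 6. The script below is an added example, not code from the original post: it builds the CSR from the post's 2048.cpl template (with prompt = no and filled-in subject values so it runs unattended), then runs both checks with openssl. The router key is replaced by a locally generated passphrase-protected key (passphrase "vpnkey"), the hostname vpn.example.com is assumed, the StartSSL hierarchy is stood in for by a constructed throwaway root (ca.pem) and intermediate (sub.ca.pem), and the CSR is signed with -sha256 rather than the post's -sha1.

```shell
#!/bin/sh
# Added example (not from the original post). Runs entirely in a scratch
# directory with a throwaway key and a constructed two-tier test CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Same request template as the post; prompt = no and the assumed subject
# values make "openssl req" non-interactive.
cat > 2048.cpl <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn

[ dn ]
countryName = GB
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = vpn.example.com
emailAddress = hostmaster@example.com
EOF

# Stand-in for the key exported from the router in step 1: a locally
# generated RSA key, passphrase-protected like the router's PEM export.
openssl genrsa -des3 -passout pass:vpnkey -out private.key 2048 2>/dev/null

# Step 3 of the post, with -sha256 in place of -sha1.
make_csr() {
    openssl req -new -sha256 -key private.key -passin pass:vpnkey \
        -out server.csr -config 2048.cpl
}

# Check 1: the CSR (or, later, the certificate) must carry the public half
# of the router key. Comparing RSA moduli catches a request built against
# the wrong key file. $1 is "req" or "x509", $2 the file to compare.
key_matches() {
    k=$(openssl rsa -noout -modulus -in private.key -passin pass:vpnkey | openssl sha256)
    c=$(openssl "$1" -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Constructed stand-in for the StartSSL hierarchy: self-signed root (ca.pem,
# the file pasted in step 5) and an intermediate (sub.ca.pem, step 6).
build_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test Root CA" -keyout root.key -out ca.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test Intermediate CA" -keyout sub.key -out sub.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -in sub.csr -CA ca.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile sub.ext -out sub.ca.pem 2>/dev/null
}

# The intermediate signs the CSR, producing the file you would paste in step 7.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
    openssl x509 -req -in server.csr -CA sub.ca.pem -CAkey sub.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out server.pem 2>/dev/null
}

# Check 2: the certificate must chain to the trusted root through the
# intermediate, exactly the relationship the two router Trustpoints express.
chain_ok() {
    openssl verify -CAfile ca.pem -untrusted sub.ca.pem server.pem >/dev/null 2>&1
}

make_csr
key_matches req server.csr
build_test_ca
sign_csr
key_matches x509 server.pem
chain_ok
openssl x509 -in server.pem -noout -subject -issuer
```

With the real files, run key_matches against the exported router key and the certificate StartSSL returned, and chain_ok with the downloaded ca.pem and sub.class1.server.ca.pem in place of the constructed ones; a failure at either point means the router import will fail or the WebVPN listener will present a chain clients cannot build.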
You can now configure your WebVPN context to refer to the second Trustpoint you created, the one that contains your certificate.
Hope this helps!
2 Comments
Edward · 29th December 2015 at 03:42
Step 4 is a showstopper… when I go https://startssl.com/ToolBox select
Web Server SSL/TLS Certificate
and continue to proceed I get
Error NO Validated Domains
Error There are no validated domain names available for SSL Certificate.
Go to “Domain Validation” and validate a domain first….. Can you help… I had to create an account etc…
anthony · 29th December 2015 at 10:35
Hi Edward,
Have you been through the Domain Validation wizard on the StartSSL site?
There you have to validate ownership of the domain you wish to register the certificate against. It’s a simple (and from memory, automated) process – I think when I did it, it required selecting an email address, such as [email protected] or [email protected], and their system sent an email with a response URL.
Once you have validated the domain, you should be able to use the Certificate Wizard.
Let me know if this helps.
Thanks,
Anthony