This document is intended to walk through the steps I took to successfully implement a free SSL certificate for use with WebVPN on a Cisco IOS Router.

I had tried a couple of times to use StartSSL certificates but fell at different hurdles. However, this time I crossed the line.
The credit for this success goes 100% to a member on the StartSSL forum, dlambert – he documented his steps and I merely followed them! This post is as much for my own reference, and if it helps someone else along – great!
Dlambert’s original post can be found at https://forum.startcom.org/viewtopic.php?p=6568&sid=1750512d3d6a4bbcc95dcd3cd94d228b#p6568

1. Generate an RSA key pair for use with the certificate
RTR(config)#crypto key generate rsa general-keys label RSA.StartSSL-vpn modulus 2048 exportable

RTR(config)#crypto key export rsa RSA.StartSSL-vpn pem terminal 3des <password>

This will display the RSA keys on the screen, with the private key encrypted under the 3DES password you supplied.
Copy and paste them into a text file on your computer. Save the section containing the private key to a file called private.key
For example:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3568BE1DF325CB8

lxkgHIrPBaX4QNJo7EN1QzAvB+iz7A+UXNlwJvyB2Moy7UhGXdq5ss3sQUVXdbem
nA56jYUnLKOjPUHjPfeMEa2zHdTCS5P9HFu6VjXgn1gc9tTtTsVXrVy/nQYJbTBv
.......
6m5N37apbOAypLZTKx6BekHsE4TfDv2FHJsbNwJxtVlBLwS5j0TlN8j0vZh4y6TK
gVpKU1kMbOpBtzVHoT5LCBPCXOPak1jqg66xpU0ztlD6Vy2Vtx1mhcUZXGfXo7P7
-----END RSA PRIVATE KEY-----

2. Create a template file for the Certificate Signing Request.

Save the following snippet as 2048.cpl

#################################################
[ req ]
default_bits    = 2048
distinguished_name   = dn

[ dn ]
countryName    = Country
stateOrProvinceName    = State
localityName    = City
0.organizationName    = Company
organizationalUnitName    = Department
commonName    = FQDN
emailAddress    = Email
#################################################

3. For the next step, you need to have the OpenSSL binaries on your local PC to be able to prepare the CSR in the format that StartSSL is expecting. Visit www.openssl.org for details on how to do this for your respective operating system.

openssl req -new -sha1 -key private.key -out server.csr -config 2048.cpl

4. Head over to the StartSSL website to generate the certificate, based on the CSR you just created.

Follow the wizard to generate a Web/Server SSL/TLS certificate.
On the screen titled Generate Private Key, click the Skip button, as you have already generated your keys on the router.

Copy and paste the contents of the server.csr file you generated (including the header lines) into the Submit Certificate Request box.

Save the resulting certificate text into a file name of your choice.

Also, while on the certificate screen of StartCom, save the CA certificate and the Intermediate CA certificate (right-click, Save As).

5. Create a trustpoint on the router to hold the CA certificate

RTR(config)#crypto pki trustpoint StartSSL-CA-Trustpoint
RTR(config)#enrollment terminal pem
RTR(config)#revocation-check none

RTR(config)#crypto pki authenticate StartSSL-CA-Trustpoint

At this point, paste in the contents of ca.pem (the CA certificate file you downloaded earlier).
Finish with quit on a line on its own.

6. Similar to step 5, but this time create a trustpoint that will hold the Intermediate CA, linked to the RSA keys generated in step 1.

RTR(config)#crypto pki trustpoint StartSSL-Inter-Cert-Trustpoint
RTR(config)#enrollment terminal pem
RTR(config)#usage ssl-server
RTR(config)#serial-number none
RTR(config)#fqdn vpn.domain.com
RTR(config)#ip-address none
RTR(config)#revocation-check crl
RTR(config)#rsakeypair RSA.StartSSL-vpn

RTR(config)#crypto pki authenticate StartSSL-Inter-Cert-Trustpoint

Paste in the contents of the sub.class1.server.ca.pem Intermediate CA file.

7. Now you can import your actual certificate, and it should be tied correctly to all the components.

RTR(config)#crypto pki import StartSSL-Inter-Cert-Trustpoint certificate

Paste the contents of the certificate file you saved earlier.
Again, finish with quit on a line on its own.

If successful, you should see the message below:

% Router Certificate successfully imported

You can now configure your WebVPN context to refer to the second trustpoint you created (StartSSL-Inter-Cert-Trustpoint), which holds your certificate.
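As an added example (not from the original post), a POSIX shell script that checks the pieces from steps 1, 3 and 4 before anything goes near the router: that the exported key, the CSR and the issued certificate share one RSA modulus, that the certificate chains to the StartSSL root through the intermediate, and which hash signed the CSR. It assumes OpenSSL on the PC, the export password from step 1, and the file names from the post (private.key, server.csr, ca.pem, sub.class1.server.ca.pem); the certificate file name is whatever you chose in step 4.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks on the PC
# before pasting anything into the router.
# Arguments: exported key, its export password, CSR, signed certificate,
# StartSSL root ca.pem, intermediate sub.class1.server.ca.pem.

# SHA-256 of the RSA modulus, so key, CSR and cert can be compared directly.
# $1 = rsa|req|x509, $2 = file, $3 = key password (rsa only)
modulus_fp() {
  case "$1" in
    rsa) m=$(openssl rsa -noout -modulus -in "$2" -passin "pass:$3" 2>/dev/null) ;;
    *)   m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) ;;
  esac
  [ -n "$m" ] || return 1          # unreadable file or wrong password
  printf '%s\n' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when key, CSR and certificate carry the same modulus; otherwise the
# router's "crypto pki import" would not match the rsakeypair in step 6.
check_key_match() {    # $1 key, $2 password, $3 csr, $4 cert
  k=$(modulus_fp rsa "$1" "$2") || return 1
  r=$(modulus_fp req "$3") || return 1
  c=$(modulus_fp x509 "$4") || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# 0 when the cert chains to the root through the intermediate, i.e. the two
# trustpoints from steps 5 and 6 hold everything needed to build the chain.
check_chain() {        # $1 root pem, $2 intermediate pem, $3 cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Signature algorithm of the CSR. Step 3 uses -sha1; public CAs now reject
# SHA-1, so use -sha256 in the openssl req command if this prints sha1.
csr_signature_algo() { # $1 csr
  openssl req -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

if [ "$#" -eq 6 ]; then
  check_key_match "$1" "$2" "$3" "$4" || { echo "key/CSR/cert mismatch"; exit 1; }
  check_chain "$5" "$6" "$4" || { echo "chain does not verify"; exit 1; }
  echo "OK: modulus and chain verified; CSR signed with $(csr_signature_algo "$3")"
fi
```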


Hope this helps!

Categories: Networking

2 Comments

Edward · 29th December 2015 at 03:42

Step 4 is a showstopper… when I go https://startssl.com/ToolBox select

Web Server SSL/TLS Certificate

and continue to proceed I get

Error NO Validated Domains

Error There are no validated domain names available for SSL Certificate.
Go to “Domain Validation” and validate a domain first….. Can you help… I had to create an account etc…

    anthony · 29th December 2015 at 10:35

    Hi Edward,
    Have you been through the Domain Validation wizard on the StartSSL site?
    There you have to validate ownership of the domain you wish to register the certificate against. It’s a simple (and from memory, automated) process – I think when I did it, it required selecting an email address, such as [email protected] or [email protected], and their system sent an email with a response URL.
    Once you have validated the domain, you should be able to use the Certificate Wizard.

    Let me know if this helps.
    Thanks,
    Anthony
