Configuration Example, Security

Import PKCS12 certificate on IOS router

René Jorissen on February 11, 2010 7 Comments • Tags: #ca #certificate #crypto #import #ios #passphrase #pkcs12 #pki #router #tftp #trustpoint

Nowadays IOS routers can be configured with WebVPN (Clientless SSL VPN) functionalities. WebVPN allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. To secure the connection you should use a SSL certificate to encrypt all transferred data. There are different ways of creating and importing SSL certificates on an IOS router, but I always use the same method:

  1. 1. I generate a CSR and private key on my own laptop with Cygwin and OpenSSL;
  2. 2. I sent the CSR to a CA for signing, like VeriSign or GeoTrust;
  3. 3. I create a PKCS12 certificate with the signed cert and the private key;
  4. 4. Import the PKCS12 certificate on the router;

With this procedure I always have the “real” certificate, and all related files, on my own laptop for backup purposes. Mostly you can also generate a CSR on an appliance and import the signed certificate to the appliance and you are also done. But sometimes you don’t have the opportunity to export the certificate for backup purposes. So what if the appliance crashes or needs to be replaced?

Now I will show you how to import the PKCS12 to an IOS router. First we need to create a trustpoint on the router. The trustpoint contains the certificate authority that signed the certificate in use.

router(config)#crypto pki trustpoint trustpoint_www
router(ca-trustpoint)#revocation-check crl
router(ca-trustpoint)#rsakeypair trustpoint_www

Next I will import the certificate. There are multiple ways for importing the certificate, but I just use TFTP to transfer the certificate from my laptop to the router.

router(config)#crypto ca import trustpoint_www pkcs12 tftp: passphrase
% Importing pkcs12…
Address or name of remote host []?
Source filename [trustpoint_home]? www-booches-nl.pfx
Reading file from tftp://
Loading www-booches-nl.pfx from (via BVI1): !
[OK – 2629 bytes]

CRYPTO_PKI: Imported PKCS12 file successfully.

The certificate is now successfully imported into the router and can be associated with the WebVPN configuration. Useful commands to verify your trustpoints and certificates are:

show crypto pki certificates
show crypto pki trustpoints

The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

  1. Amar Nirgunkar says:

    Dear Friend,

    I use same method to import .PFX file to Cisco router but no luck.
    CRYPTO_PKI: Import PKCS12 operation failed, bad HMAC
    Possible causes: bad password or corrupted PKCS12

    Plz reply with solution…

  2. tony says:

    To Amar, you need a p12 file but you have a pfx file. Some people think these are the same but I had the same problem as you had. You need to create a p12 file.

  3. Only we tell the complete story. – Automatic Mode.
    No worries.

  4. Top1Kids says:

    Thanks very nihe blog!

  5. -JayJay- says:

    Great Job, Rene !
    Worked very well .
    I had to disable zone based firewall configuration on the Router interface, when running the TFTP download of the pkcs12 certificate.
    But after I found that out , the certificate installs and runs well without any warning when using Anyconnect.
    Router version 15.x
    Anyconnect version 4.7

  6. Tony says:

    Thanks dude. Every year I come back to this site to check the details. I’m using a 2901 ISR and the only thing I’ll mention is that the syntax is slightly different. Where you have `crypto ca import trustpoint_www pkcs12 tftp: passphrase` I actually needed to use `crypto pki import trustpoint_www pkcs12 tftp: password [mypass]`.

    From memory many years ago when a very senior guy would show me (a junior) how to get this done, we done it slightly different. At cert renewal time we would just import the new cert in the existing trustpoint. But it’s just as simple to re-import the new pfx as a new trustpoint and then move the webvpn config over to the new trustpoint.

  7. Sandy Barnes says:

    Just learning this stuff. What would the command be to import a .pfx certificate from usbflash0: Thank you.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.