Configuration Example, Security
Import PKCS12 certificate on IOS router
Nowadays IOS routers can be configured with WebVPN (Clientless SSL VPN) functionalities. WebVPN allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. To secure the connection you should use a SSL certificate to encrypt all transferred data. There are different ways of creating and importing SSL certificates on an IOS router, but I always use the same method:
- 1. I generate a CSR and private key on my own laptop with Cygwin and OpenSSL;
- 2. I sent the CSR to a CA for signing, like VeriSign or GeoTrust;
- 3. I create a PKCS12 certificate with the signed cert and the private key;
- 4. Import the PKCS12 certificate on the router;
With this procedure I always have the “real” certificate, and all related files, on my own laptop for backup purposes. Mostly you can also generate a CSR on an appliance and import the signed certificate to the appliance and you are also done. But sometimes you don’t have the opportunity to export the certificate for backup purposes. So what if the appliance crashes or needs to be replaced?
Now I will show you how to import the PKCS12 to an IOS router. First we need to create a trustpoint on the router. The trustpoint contains the certificate authority that signed the certificate in use.
router(config)#crypto pki trustpoint trustpoint_www
router(ca-trustpoint)#fqdn www.booches.nl
router(ca-trustpoint)#subject-name cn=www.booches.nl
router(ca-trustpoint)#revocation-check crl
router(ca-trustpoint)#rsakeypair trustpoint_www
Next I will import the certificate. There are multiple ways for importing the certificate, but I just use TFTP to transfer the certificate from my laptop to the router.
router(config)#crypto ca import trustpoint_www pkcs12 tftp: passphrase
% Importing pkcs12…
Address or name of remote host []? 10.10.1.58
Source filename [trustpoint_home]? www-booches-nl.pfx
Reading file from tftp://10.10.1.58/www-booches-nl.pfx
Loading www-booches-nl.pfx from 10.10.1.58 (via BVI1): !
[OK – 2629 bytes]CRYPTO_PKI: Imported PKCS12 file successfully.
The certificate is now successfully imported into the router and can be associated with the WebVPN configuration. Useful commands to verify your trustpoints and certificates are:
show crypto pki certificates
show crypto pki trustpoints
René Jorissen
Latest posts by René Jorissen (see all)
- MacOS Big Sur and SSLKEYFILELOG - November 23, 2021
- ClearPass, Azure AD, SSO and Object ID - August 12, 2021
- ClearPass – custom MPSK - July 20, 2021
Dear Friend,
I use same method to import .PFX file to Cisco router but no luck.
error:
CRYPTO_PKI: Import PKCS12 operation failed, bad HMAC
Possible causes: bad password or corrupted PKCS12
Plz reply with solution…
To Amar, you need a p12 file but you have a pfx file. Some people think these are the same but I had the same problem as you had. You need to create a p12 file.
Only we tell the complete story. – Automatic Mode.
No worries.
Thanks very nihe blog!
Great Job, Rene !
Worked very well .
I had to disable zone based firewall configuration on the Router interface, when running the TFTP download of the pkcs12 certificate.
But after I found that out , the certificate installs and runs well without any warning when using Anyconnect.
Router version 15.x
Anyconnect version 4.7
Thanks dude. Every year I come back to this site to check the details. I’m using a 2901 ISR and the only thing I’ll mention is that the syntax is slightly different. Where you have `crypto ca import trustpoint_www pkcs12 tftp: passphrase` I actually needed to use `crypto pki import trustpoint_www pkcs12 tftp: password [mypass]`.
From memory many years ago when a very senior guy would show me (a junior) how to get this done, we done it slightly different. At cert renewal time we would just import the new cert in the existing trustpoint. But it’s just as simple to re-import the new pfx as a new trustpoint and then move the webvpn config over to the new trustpoint.
Just learning this stuff. What would the command be to import a .pfx certificate from usbflash0: Thank you.