Import PKCS12 certificate on IOS router

Nowadays IOS routers can be configured with WebVPN (clientless SSL VPN) functionality. WebVPN lets a user securely reach resources on the corporate LAN from anywhere with an SSL-capable web browser. The session is protected by an SSL certificate on the router: the browser uses it to identify the router and all transferred data is encrypted under it, so the certificate should be issued by a CA that the users' browsers already trust. There are several ways to create and install SSL certificates on an IOS router, but I always use the same method:

  1. I generate a private key and a CSR on my own laptop with Cygwin and OpenSSL;
  2. I send the CSR to a CA for signing, such as VeriSign or GeoTrust;
  3. I create a PKCS12 bundle from the signed certificate and the private key;
  4. I import the PKCS12 bundle on the router.

With this procedure I always have the “real” certificate, and all related files, on my own laptop for backup purposes. Usually you can also generate the CSR on the appliance itself, import the signed certificate there and be done. But sometimes the appliance offers no way to export the certificate and its private key for backup. So what if the appliance crashes or needs to be replaced? Keep in mind that this backup contains the private key, so protect the key file, the .pfx and its passphrase accordingly.
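Steps 1 and 3 on the laptop, as an added shell example that is not from the original post: it generates the key and CSR, stands in for the CA with a throwaway local CA (a constructed substitute for the VeriSign/GeoTrust signing step, so the script runs offline), packs key, certificate and CA certificate into the .pfx, and checks the bundle before it goes to the TFTP server. It assumes openssl on the PATH; the file names, the WORK directory, the "Example Lab CA" name and the pinned PKCS12 algorithms are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires openssl on PATH.
# The CA step is simulated with a local throwaway CA so everything runs
# offline; with a real CA you send www-booches-nl.csr and get a .crt back.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
FQDN="www.booches.nl"          # matches the trustpoint's fqdn/subject-name
PKCS12_PASS="passphrase"       # the password typed at the router's import

# Step 1: private key and CSR on the laptop. The key never leaves the
# laptop except inside the passphrase-protected PKCS12 bundle.
make_key_and_csr() {
    openssl genrsa -out "$WORK/www-booches-nl.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/www-booches-nl.key" \
        -subj "/CN=$FQDN" -out "$WORK/www-booches-nl.csr"
}

# Step 2 (simulated): a local CA signs the CSR. Replace this function's
# output with the certificate a public CA returns for your CSR.
sign_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/www-booches-nl.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/www-booches-nl.crt" 2>/dev/null
}

# Step 3: bundle key + certificate + CA certificate into the .pfx.
# SHA1/3DES PBE and a SHA1 MAC are pinned because older IOS releases do not
# understand the AES/PBKDF2 defaults of newer OpenSSL builds (assumption:
# pin them whenever the router refuses the bundle with a decode error).
make_pkcs12() {
    openssl pkcs12 -export \
        -inkey "$WORK/www-booches-nl.key" \
        -in "$WORK/www-booches-nl.crt" \
        -certfile "$WORK/ca.crt" \
        -name "trustpoint_www" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PKCS12_PASS" \
        -out "$WORK/www-booches-nl.pfx"
}

# Check before copying to the TFTP root: the bundle opens with the
# passphrase, the certificate inside carries the expected CN, and the key
# on disk really matches that certificate (compare public-key digests).
verify_pkcs12() {
    openssl pkcs12 -in "$WORK/www-booches-nl.pfx" -passin "pass:$PKCS12_PASS" \
        -nokeys -clcerts -nodes 2>/dev/null \
      | openssl x509 -noout -subject | grep -q "CN *= *$FQDN" || return 1
    cert_pub=$(openssl x509 -in "$WORK/www-booches-nl.crt" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$WORK/www-booches-nl.key" -pubout | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

build_bundle() {
    make_key_and_csr && sign_with_local_ca && make_pkcs12 && verify_pkcs12
}

build_bundle && echo "PKCS12 bundle ready: $WORK/www-booches-nl.pfx"
```

Copy the resulting .pfx to the TFTP server's root and use the router-side import shown below with the same passphrase. Modern browsers also expect the hostname in a subjectAltName; with OpenSSL 1.1.1 or later you can add -addext "subjectAltName=DNS:www.booches.nl" to the req command, and a public CA will normally carry it into the issued certificate.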

Now I will show you how to import the PKCS12 bundle on an IOS router. First we need to create a trustpoint on the router. A trustpoint ties together the certificate of the CA that signed our certificate, the router's own identity certificate and the RSA key pair that belongs to it; the PKCS12 import fills all of these in. With revocation-check crl the router will try to fetch the CA's CRL whenever it validates a certificate against this trustpoint, so the CRL distribution point must be reachable from the router.

router(config)#crypto pki trustpoint trustpoint_www
router(ca-trustpoint)#fqdn www.booches.nl
router(ca-trustpoint)#subject-name cn=www.booches.nl
router(ca-trustpoint)#revocation-check crl
router(ca-trustpoint)#rsakeypair trustpoint_www

Next I will import the bundle. There are multiple ways to get it onto the router, but I just use TFTP to transfer it from my laptop to the router. Keep in mind that TFTP carries the file in the clear and the bundle contains the private key, protected only by the passphrase, so do this over a network segment you control and remove the file from the TFTP server afterwards. The last argument of the import command is the password that was set when the PKCS12 was exported (shown here as "passphrase"); the router then prompts for the TFTP host and file name.

router(config)#crypto ca import trustpoint_www pkcs12 tftp: passphrase
% Importing pkcs12…
Address or name of remote host []? 10.10.1.58
Source filename [trustpoint_home]? www-booches-nl.pfx
Reading file from tftp://10.10.1.58/www-booches-nl.pfx
Loading www-booches-nl.pfx from 10.10.1.58 (via BVI1): !
[OK – 2629 bytes]

CRYPTO_PKI: Imported PKCS12 file successfully.

The certificate is now successfully imported into the router and can be associated with the WebVPN gateway configuration. Useful commands to verify your trustpoints and certificates are below; the first should list both a CA certificate and the router's own certificate under trustpoint_www, with the subject and validity dates you expect:

show crypto pki certificates
show crypto pki trustpoints

XMODEM recovery speed

Configuring switches and routers is regular work for me. But if I want to configure a switch or a router, I have to be able to boot the device. Today I had to configure some new Cisco Catalyst 3560(E) and 3750 switches. In total I had 16 switches to configure, but three of them didn't have any IOS image in flash and weren't able to boot.

I have never seen this before. The switches aren't refurbished, at least that is what the customer told me. At first I didn't see a problem, because I wanted to upload an image from rommon through TFTP. After accessing rommon, I noticed that the Catalyst 3560 and 3750 don't support TFTP upload in rommon. This leaves an XMODEM transfer as the only available option.

The image I wanted to upload was approximately 10 MB, and an XMODEM upload at a baud rate of 9600 bps isn't really fast. I had only one laptop to use, so it would take a whole day to upload the correct image to the three switches. Because I had only one COM port, I wasn't able to configure anything else in the meantime.

I wanted to speed up the XMODEM transfer to buy some time, and I found a way. At the rommon switch: prompt I set the baud rate to 115200:

switch: set BAUD 115200

Next I reconfigured my terminal (TeraTerm) to the new baud rate of 115200 and started the XMODEM recovery procedure:

switch: copy xmodem: flash:c3560-ipbasek9-mz.122-50.SE.bin

I was satisfied with the transfer rate. I had time to invite myself to a cappuccino and chat a little with the customer. The image was transferred in approximately 30 minutes. The last steps of the recovery were setting the baud rate back to 9600, reconfiguring my terminal and booting the image. Note that the BAUD variable is kept across reboots, so if you skip this step the console stays at 115200 after the switch has booted:

switch: set BAUD 9600

switch: boot flash:c3560-ipbasek9-mz.122-50.SE.bin

It took only two hours to upload the correct IOS image to the three switches. Now I am set to start the configuration.