Create a Certificate Signing Request on the SSL Services Module Using Copy and Paste

Document ID: 63456

Updated: Dec 15, 2004

Introduction

This document describes how to:

  • create a certificate signing request (CSR) on the Secure Socket Layer Module (SSLM)

  • import the certificate using cut and paste in privacy-enhanced mail (PEM) format

Prerequisites

Before you begin, you need to know the domain name that is assigned to the certificate. You also need the Certificate Authority (CA) root certificate, and possibly the CA intermediate certificate.

Requirements

Before attempting this configuration, ensure that you meet these requirements:

  • CA root certificate; possibly the intermediate root certificate

  • domain name for certificate

  • information

Components Used

The information in this document is based on these software and hardware versions:

  • release 2.1(2)

  • Verisign Test Certificate

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Main Task

Task

This section details each step needed to create the CSR, from the creation of the key pair to importing the server certificate.

Step-by-Step Instructions

Complete the instructions in this section.

  1. Create the key pair.

    nov10-key is the name of the key pair.

    Note: Be sure to specify exportable; otherwise, you are not able to export the key pair from the SSLM.

    ssl-proxy(config)#crypto key generate rsa general-keys label nov10-key exportable
    The name for the keys will be: nov10-key
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
    
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]

  2. Create the trustpoint.

    The name of the trustpoint is yoursite. You need to enter the subject name in X.509 format and your domain name. This information is used to create the CSR.

    ssl-proxy(config)#crypto ca trustpoint yoursite
    ssl-proxy(ca-trustpoint)#enrollment terminal pem
    ssl-proxy(ca-trustpoint)#crl optional
    ssl-proxy(ca-trustpoint)#subject-name C=US, ST=Massachusetts, L=Boxborough, O=Cisco, 
        OU=Tac, CN=www.yourdomain.com
    ssl-proxy(ca-trustpoint)#fqdn www.yourdomain.com
    ssl-proxy(ca-trustpoint)#rsakeypair nov10-key
    ssl-proxy(ca-trustpoint)#exit
    
  3. Generate the CSR.

    ssl-proxy(config)#crypto ca enroll yoursite
    % Start certificate enrollment .. 
    % The subject name in the certificate will be: C=US, ST=Massachusetts, L=Boxborough, O=Cisco, 
        OU=Tac, CN=www.yourdomain.com
    % The fully-qualified domain name in the certificate will be: www.yourdomain.com
    % The subject name in the certificate will be: www.yourdomain.com
    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]: no
    Display Certificate Request to terminal? [yes/no]: yes
    
    Certificate Request follows:
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIIB+jCCAWMCAQAwgZgxGzAZBgNVBAMTEnd3dy55b3VyZG9tYWluLmNvbTEMMAoG
    A1UECxMDVGFjMQ4wDAYDVQQKEwVDaXNjbzETMBEGA1UEBxMKQm94Ym9yb3VnaDEW
    MBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkGA1UEBhMCVVMxITAfBgkqhkiG9w0B
    CQIWEnd3dy55b3VyZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEAwwCQrKH+RYvhQpZuuVADHAh4BoFRefiV+b6UXXI8dOmnkKB/w1w+Hure4N6p
    QsBPMEg1mku5AT38JcrWKu8JfGVEEap54UX+ZGs4o37ssskL4vr0qeNQ0PxkIVE4
    4iZLb+KxS5XbGrNRN6Mx4A8npV8xe1Wew8TqNw2h+oNYEBcCAwEAAaAhMB8GCSqG
    SIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4GBAKjW
    SeLVzYdRSIkEL+rrYeuJfpoQTPIgTyjLNeI1a/ipoA/cQYPR0RBQ3N1k8G2JhXhW
    De4hNDsYPtnPZ65kUSjLLV6BenxKjXzIDhdc2x8MyhMu5t/tAbxelG3daJGhHUBd
    Of5meQ4JrbfwZHATmoiTEpAbWVNHC2h7oJO5Ldhw
    -----END CERTIFICATE REQUEST-----
    
    
    ---End - This line not part of the certificate request---
    
    Redisplay enrollment request? [yes/no]: no
    
  4. Send the CSR to your CA.

    Use copy and paste to send the CSR to your CA. If your CA asks for a server type, select Apache.

  5. Load the CA root certificate.

    Before you can load the server certificate, you must load any CA certificates. At a minimum, this is the CA root certificate, and possibly a CA intermediate certificate. Your CA is able to provide you with the necessary certificates.

    ssl-proxy(config)#crypto ca authenticate yoursite
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    
    
    -----BEGIN CERTIFICATE-----
    MIICTTCCAfcCEFKp9CTaZ0ydr09TeFKr724wDQYJKoZIhvcNAQEEBQAwgakxFjAU
    BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
    cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
    RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
    IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk4MDYwNzAwMDAwMFoXDTA2MDYwNjIz
    NTk1OVowgakxFjAUBgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52
    ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBM
    aWFiLiBMVEQuMUYwRAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0
    aW5nIG9ubHkuIE5vIGFzc3VyYW5jZXMgKEMpVlMxOTk3MFwwDQYJKoZIhvcNAQEB
    BQADSwAwSAJBAMak6xImJx44jMKcbkACy5/CyMA2fqXK4PlzTtCxRq5tFkDzne7s
    cI8oFK/J+gFZNE3bjidDxf07O3JOYG9RGx8CAwEAATANBgkqhkiG9w0BAQQFAANB
    AKWnR/KPNxCglpTP5nzbo+QCIkmsCPjTCMnvm7KcwDJguaEwkoi1gBSY9biJp9oK
    +cv1Yn3KuVM+YptcWXLfxxI=
    -----END CERTIFICATE-----
    quit
    
    Certificate has the following attributes:
    Fingerprint: 40065311 FDB33E88 0A6F7DD1 4E229187 
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
    
  6. Load the server certificate.

    ssl-proxy(config)#crypto ca import yoursite certificate 
    % The fully-qualified domain name in the certificate will be: www.yourdomain.com
    
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    
    
    -----BEGIN CERTIFICATE-----
    MIIDNTCCAt+gAwIBAgIQAequL43ZqGWLN5H/5BzhGDANBgkqhkiG9w0BAQUFADCB
    qTEWMBQGA1UEChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWdu
    LmNvbS9yZXBvc2l0b3J5L1Rlc3RDUFMgSW5jb3JwLiBCeSBSZWYuIExpYWIuIExU
    RC4xRjBEBgNVBAsTPUZvciBWZXJpU2lnbiBhdXRob3JpemVkIHRlc3Rpbmcgb25s
    eS4gTm8gYXNzdXJhbmNlcyAoQylWUzE5OTcwHhcNMDQxMTEwMDAwMDAwWhcNMDQx
    MTI0MjM1OTU5WjB1MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0
    czETMBEGA1UEBxQKQm94Ym9yb3VnaDEOMAwGA1UEChQFQ2lzY28xDDAKBgNVBAsU
    A1RhYzEbMBkGA1UEAxQSd3d3LnlvdXJkb21haW4uY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDDAJCsof5Fi+FClm65UAMcCHgGgVF5+JX5vpRdcjx06aeQ
    oH/DXD4e6t7g3qlCwE8wSDWaS7kBPfwlytYq7wl8ZUQRqnnhRf5kazijfuyyyQvi
    +vSp41DQ/GQhUTjiJktv4rFLldsas1E3ozHgDyelXzF7VZ7DxOo3DaH6g1gQFwID
    AQABo4HRMIHOMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEIGA1UdHwQ7MDkwN6A1
    oDOGMWh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL1NlY3VyZVNlcnZlclRlc3RpbmdD
    QS5jcmwwUQYDVR0gBEowSDBGBgpghkgBhvhFAQcVMDgwNgYIKwYBBQUHAgEWKmh0
    dHA6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvVGVzdENQUzAdBgNVHSUE
    FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADQQCbMUY/lyyp
    2jt6YxiZNEaFNFHPRU5kQZAY8X+IWnQ0tLfASd0nJ4wdaaeGpJSZQKbMdae3aunz
    55LCq8QsB0AH
    -----END CERTIFICATE-----
    quit
    
    % Router Certificate successfully imported
    

Intermediate Certificates

If you have an intermediate certificate, you need to configure two trustpoints. One trustpoint contains the CA root certificate only. For this trustpoint, you only need to configure enrollment terminal pem and Certificate Revocation List (CRL) optional. The second trustpoint contains the intermediate certificate and the server certificate. The second trustpoint is configured similarly to the first trustpoint; however, instead of the root certificate, use the intermediate certificate.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides troubleshooting information relevant to this configuration.

If you run into problems loading the certificates, enable debugging with the debug crypto pki transactions command.

Make sure you have the complete certificate chain. You can determine this by viewing the certificates on a PC. Save the certificates with a .cer extension, then double-click to open them.

The root certificate is shown in Figure 1. You can determine this by looking at the Issued to and Issued by sections. Both sections are the same. Also, note that the certificate is showing up as not trusted because it is a test certificate.

Figure 1

sslm-csr-2.gif

The server certificate is shown in Figure 2. You can determine that it matches the root certificate because the Issued by section matches the Issued by section on the root certificate.

Figure 2

sslm-csr-1.gif
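
The same chain checks can be run with the openssl command-line tool on a workstation before the certificates are pasted into the SSLM. The shell functions below are an added example, not part of the original Cisco document. The function names, file names and locally generated test certificates are constructed for illustration, and the optional third argument of chain_verifies covers the intermediate-certificate case.

```shell
# Added example: constructed test certificates, generated locally with openssl.

# Print the subject ("Issued to") or issuer ("Issued by") of a PEM certificate.
cert_name() {  # $1 = subject|issuer, $2 = PEM file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# A root certificate has identical "Issued to" and "Issued by" names.
is_root() { [ "$(cert_name subject "$1")" = "$(cert_name issuer "$1")" ]; }

# The child's "Issued by" must equal the parent's "Issued to".
issued_by() { [ "$(cert_name issuer "$1")" = "$(cert_name subject "$2")" ]; }

# Names can collide, so also check the signatures.
# $1 = root, $2 = server certificate, $3 = intermediate (optional).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The certificate returned by the CA must carry the public key from the CSR.
matches_csr() {  # $1 = certificate, $2 = CSR
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Constructed test material: root CA, server CSR, server certificate.
make_test_pki() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed Test CA/CN=Test Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=www.yourdomain.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

PKI=$(mktemp -d)
make_test_pki "$PKI"
is_root "$PKI/root.pem"                          && echo "root: Issued to = Issued by"
issued_by "$PKI/server.pem" "$PKI/root.pem"      && echo "server: Issued by = root's Issued to"
chain_verifies "$PKI/root.pem" "$PKI/server.pem" && echo "chain: signatures verify"
matches_csr "$PKI/server.pem" "$PKI/server.csr"  && echo "server: public key matches the CSR"
```

A root with the same name but a different key passes issued_by and fails chain_verifies, so the signature check is the one to rely on.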
