Guest

Cisco Services Modules

Import Certificates and Private Key with Copy and Paste

Cisco - Import Certificates and Private Key with Copy and Paste

Introduction

This document describes how to import your certificates and private key in privacy-enhanced mail (PEM) format with copy and paste.

In this document, there are two trustpoints; the first trustpoint contains the certificate authority (CA) root certificate, and the second trustpoint contains the CA intermediate and server certificates and the private key.

Prerequisites

Requirements

Before attempting this configuration, ensure that you meet these requirements:

  • Your certificates and keys must be in PEM format.

  • Your private key must be in PEM format and encrypted.

  • You must have the complete certificate chain. This includes, at a minimum, the CA root certificate, and possibly the CA intermediate and server certificates. If you do not have the complete certificate chain, the import of the server certificate fails.

Components Used

The information in this document is based on these software and hardware versions:

  • Secure Socket Layer Module (SSLM) version 2.1(2)

  • certificates in PEM format

  • encrypted private key in PEM format

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Main Task

Task

In this configuration, there are three certificates: the CA root, CA intermediate, and the server certificates. Because there are two CA certificates, you need to create two trustpoints. The first trustpoint is used to hold the CA root certificate, and the second trustpoint contains the CA intermediate and server certificate and the private key.

Step-by-Step Instructions

Complete the steps in this section.

  1. Create a trustpoint for the CA root certificate.

    ssl-proxy(config)#crypto ca trustpoint root-tank.com
    ssl-proxy(ca-trustpoint)#enrollment terminal PEM
    ssl-proxy(ca-trustpoint)#crl optional 
    ssl-proxy(ca-trustpoint)#exit
    
  2. Import the CA root certificate with copy and paste.

    ssl-proxy(config)#crypto ca authenticate root-tank.com
    
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    
    -----BEGIN CERTIFICATE-----
    MIIDujCCAyOgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBoDELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0
    ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5y
    dXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5j
    b20wHhcNMDQwODI4MDQwMjA3WhcNMDUwODI4MDQwMjA3WjCBoDELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9S
    dXN0ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RD
    QS5ydXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9v
    dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK0TJDw6e85ySiYfbWUV
    SZCEpMy5oBGNHeqfflwCnBjbHUdyn9EmsZR72aF7AweCpq71yIFRjaCsE6/2mJTW
    1vxJRFb5H5CkH1tLwJL5HVHtZjeGwU+FIZ6R8yKpbq2SIBSZ95+GbSz7hIjZ78qY
    61+z6qDup50W4OLJUgUL464nAgMBAAGjggEAMIH9MB0GA1UdDgQWBBQ5NXpGMxPL
    gBF67e/ydXUm4AIPYjCBzQYDVR0jBIHFMIHCgBQ5NXpGMxPLgBF67e/ydXUm4AIP
    YqGBpqSBozCBoDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpC
    b3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jv
    b3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5ydXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3
    DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkq
    hkiG9w0BAQQFAAOBgQAvLLBopgRnr1sYmCP+kmqRkqvBsdXjAG77nWB4TeNEmYJi
    +eCxuXXhBsQnWNye0yxakaj4EL2wJiXI6eNKCT0gZqZRb66/p2ki7Mpu/3x8g4qe
    Bma/nzCvAaA25o5kh8VlgUHSnFoOmhpLsxrDm90umBWTSALci8v70pjBT+09QA==
    -----END CERTIFICATE-----
    quit
    
    Certificate has the following attributes:
    Fingerprint: 615171D8 C3989EFA 4D45B23F 8ACBCDC3 
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
    
    
  3. Create a second trustpoint for the CA intermediate and server certificates and the private key

    ssl-proxy(config)#crypto ca trustpoint server-tank.com
    ssl-proxy(ca-trustpoint)#enrollment terminal PEM
    ssl-proxy(ca-trustpoint)#crl optional 
    ssl-proxy(ca-trustpoint)#exit
    
  4. In this order, import the: CA intermediate certificate, private key, and server certificate with copy and paste. luckydog is the password for the private key.

    ssl-proxy(config)#crypto ca import server-tank.com PEM terminal luckydog
    
    % Enter PEM-formatted CA certificate.
    % End with a blank line or "quit" on a line by itself.
    
    -----BEGIN CERTIFICATE-----
    MIIDrTCCAxagAwIBAgIBATANBgkqhkiG9w0BAQQFADCBoDELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0
    ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5y
    dXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5j
    b20wHhcNMDQwODI4MDQyMDM2WhcNMDUwODI4MDQyMDM2WjCBkzELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRYwFAYDVQQKEw1U
    YW5rIERvZyBUb3lzMRQwEgYDVQQLEwtUYW5rIFN0aWNrczEVMBMGA1UEAxMMd3d3
    LnRhbmsuY29tMR0wGwYJKoZIhvcNAQkBFg5hZG1pbi50YW5rLmNvbTCBnzANBgkq
    hkiG9w0BAQEFAAOBjQAwgYkCgYEA65WjIJcEvYynLrWUsPz1H+VM5O8sRMp10BLI
    vSTCWsrWD9rn0Hut9R3Cwc2MmjecDk8avDXxF+vqKLkI41KGLz6yniNcjVfsLi8X
    InXrRL53INAXkC1xbP0jsnz5iJU9aquvh81ak/f2nvKm9p9y8QLGYouDdzoFBHc4
    kE5DNoECAwEAAaOCAQAwgf0wHQYDVR0OBBYEFD1zYK+rk0zEDJ1hRHev7QO9OQhx
    MIHNBgNVHSMEgcUwgcKAFDk1ekYzE8uAEXrt7/J1dSbgAg9ioYGmpIGjMIGgMQsw
    CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJveGJvcm91Z2gxGDAW
    BgNVBAoTD1J1c3RlZCBSb290IElOQzEQMA4GA1UECxMHUm9vdCBDQTEeMBwGA1UE
    AxMVcm9vdENBLnJ1c3RlZHJvb3QuY29tMSMwIQYJKoZIhvcNAQkBFhRhZG1pbi5y
    dXN0ZWRyb290LmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GB
    AKC9izT+RkBQ8lUOK2VsLMYSi7a6uAzJwUwfIezYevl9U1AgQKrO++GvKKaTwfcS
    NerJajut7JZr+JOh4+Ai16Ccz7yZjqZ8/lFmB0dDzJGlib5ASE0eiy/+azp6GFG1
    acYcDdCtNAa3oR6DknNKDWihRQpIF3P/rFsbPb0+t/OD
    -----END CERTIFICATE-----
    quit
    
    % Enter PEM-formatted encrypted private key.
    % End with "quit" on a line by itself.
    
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C33CAD1289ACFEFA
    
    J9YQleEpRFS2otCWKJJUm9N6mul6bvZCyJNe8B/fRxApPVP944SqN1Mjf6ZiDhHN
    GDSyVSxwSmdkqhWdYW9wWy3nbcJ8On005jfvpmlmnMtLRJS95doDF0MhdD59RI2O
    ZzUiR+tyBSdhPGnBYgdNta4z6QaITA1EHOpSfQFe5fRc553l1esySCCMTTSsioZB
    2h8RJ/7dbFbJlHoI7vNX5/Eu0Xa40aVUPa7vWJYcU+NFl05xgO4zQt4JHHKg6O7v
    JSEJGN/L+8WG0UC7jLUMdpupL1LQB4wHMzvU3Ir5pLbZje3KT7DZE3J450rCWR+3
    JhoQLAM44xWgOzcEUe3Fdt7Qn1LEuAXNiRs4oZBXNTP4FtwcOcWvIbMF/yJVeQSm
    sPgTop+NMj+rrf8IX9PjmFNiu9mnruanGs9hkrDjmoeV1685csDT9mSNhKZbWgUs
    M/2RUNXdHSNezSsaMLVG58lLY54fvrd6Q3iPGcCOEsWUirXvqkZjJvaPUUsV/V/q
    Ljn9/900U5lYrgQCX8Qt4k3qFJuzh9jIK4wW8fqPDGc/iDqH6yh3ykSc4OL1xRGr
    0rL6AfViBg4yTCFh4iN3JeGMlfCpn0fQloc0UzBElN/0njnAqR6VvFTTm1gtixFz
    7EqshltIRPT/nZAwOVPmcEFQZ3CaOL0tO9Z5+j9hstj3IIqFhU8CXgUhH3ofuPAE
    gjL6O0U13TydXtNAzR4/jTX5M+6EQrQNNor8RW9zfH/ATA2+Kmr1bfsMn+tQJsop
    1n0HAqSgGIsEUy0RSaw6tuOpn1z/9wQH4x0K/S/LSYIkRUyVFHwXcA==
    -----END RSA PRIVATE KEY-----
    
    quit
    
    % Enter PEM-formatted certificate.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE-----
    MIICmzCCAgQCAQEwDQYJKoZIhvcNAQEEBQAwgZMxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJNQTETMBEGA1UEBxMKQm94Ym9yb3VnaDEWMBQGA1UEChMNVGFuayBEb2cg
    VG95czEUMBIGA1UECxMLVGFuayBTdGlja3MxFTATBgNVBAMTDHd3dy50YW5rLmNv
    bTEdMBsGCSqGSIb3DQEJARYOYWRtaW4udGFuay5jb20wHhcNMDQwODI4MDQzNTU2
    WhcNMDUwODI4MDQzNTU2WjCBlzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRMw
    EQYDVQQHEwpCb3hib3JvdWdoMRYwFAYDVQQKEw1UYW5rIERvZyBUb3lzMRgwFgYD
    VQQLEw9UYW5rIENoZXcgU3RpY2sxFTATBgNVBAMTDHd3dy50YW5rLmNvbTEdMBsG
    CSqGSIb3DQEJARYOYWRtaW4udGFuay5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
    MIGJAoGBANSFialDM3AuM82o2ypTtyo1F2hGaqHIuX1NVAcsYepH9qg3MvxwdlWr
    ubCKZPCJFJGLOK9noA1QMdiXKqQPW5EuMXHff+ZeocT41VteTl/eWmPC7x4Ehjxk
    ZVwD+yZo03H3c6EnxFVmEW4kwHZfICq2YklHpROMSozC+M7i6p+NAgMBAAEwDQYJ
    KoZIhvcNAQEEBQADgYEAbRuXwfIUggg51i/6PJmY5qyJO8cOnKoc2tZxtE4Ed4jj
    /Uoh0v8xBJAbTGwD0h/gJCOgmF3/MTJ1HodL2srx9wP6OQcdKBg3YiwEMcj7dSZK
    8awdXCJ/gwmOGc7xJt6cOKDXnHjAvEsHcm8A7GQ2aROvJL3y3ozNeqdxhH3dwH0=
    -----END CERTIFICATE-----
    quit
    
    % PEM files import succeeded.
    

Verify

Use these commands to view your certificates and trustpoints:

  • ssl-mod#show crypto ca certificates server-tank.com

  • ssl-mod#show crypto ca trustpoints server-tank.com

  • ssl-mod#show crypto key mypubkey rsa

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

If you run into problems loading the certificates, enable debugging with the debug crypto pki transactions command.

If your private key is not encrypted, you can use openssl rsa -in your-key.PEM -out new-key-des3.PEM -des3 to encrypt it.

Related Information

Updated: Nov 30, 2005
Document ID: 63485