Catalyst 6500 Series Switch Content Switching Module with SSL (CSM-S) Installation and Configuration Note
Configuring the SSL Services

Table Of Contents

Configuring SSL Services Secure Transactions

Configuring the Public Key Infrastructure

Configuring the Keys and the Certificates

Configuring the Trustpoint Using SCEP

Manual Certificate Enrollment

Importing and Exporting the Key Pairs and Certificates

Importing the PEM Files for Three Levels of Certificate Authority

Verifying the Certificates and the Trustpoints

Sharing the Keys and the Certificates

Configuring a Root CA (Trusted Root)

Saving Your Configuration

Oversized Configuration

Verifying the Saved Configuration

Erasing the Saved Configuration

Backing Up the Keys and the Certificates

Security Guidelines

Monitoring and Maintaining the Keys and Certificates

Deleting the RSA Keys from the Module

Displaying the Keys and Certificates

Deleting the Certificates from the Configuration

Assigning a Certificate to a Proxy Service

Renewing a Certificate

Configuring the Automatic Certificate Renewal and Enrollment

Enabling the Key and Certificate History

Caching the Peer Certificates

Configuring the Certificate Expiration Warning

Configuring the Certificate Authentication

Client Certificate Authentication

Server Certificate Authentication

Certificate Revocation List

Downloading the CRL

Configuring the CRL Options

Updating a CRL

Entering the X.500 CDP Information

Entering a CRL Manually

Displaying the CRL Information

Deleting a CRL

Certificate Security Attribute-Based Access Control


Configuring SSL Services Secure Transactions


This chapter describes how to configure the CSM-S from the command line interface (CLI) of the module and contains these sections:

Configuring the Public Key Infrastructure

Configuring the Certificate Authentication

Configuring the Public Key Infrastructure

The SSL daughter card on the CSM-S uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.

The certificates, which are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates, which are issued by certificate authorities, include the name of the entity to which the certificate was issued, the entity's public key, and the time stamps that indicate the certificate's expiration date.

The public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.

Each SSL daughter card acts as an SSL proxy for up to 256 SSL clients and servers. You must configure a pair of keys for each client or server to apply for a certificate for authentication.

We recommend that the certificates be stored in NVRAM so that the module does not need to query the certificate authority at startup to obtain the certificates or to automatically enroll. See the "Configuring a Root CA (Trusted Root)" section for more information.

The SSL daughter card authenticates certificates that it receives from external devices when you configure the SSL daughter card as an SSL server and you configure the server proxy to authenticate the client certificate, or when you configure the SSL daughter card as an SSL client. The SSL daughter card validates the start time, end time, and the signature on the certificate received.

A valid certificate may have been revoked if the key pair has been compromised. If a revocation check is necessary, the SSL daughter card downloads the certificate revocation list (CRL) from the certificate authority and looks up the serial number of the certificate received. See the "Certificate Revocation List" section for information on CRLs.

The certificate can also be filtered by matching certain certificate attribute values with access control list (ACL) maps. Only authenticated certificates that are issued by trusted certificate authorities are accepted. See the "Certificate Security Attribute-Based Access Control" section for information on ACLs.


Note Only the certificate is authenticated, not the sender of the certificate. As part of the SSL handshake, the certificate sender is challenged for ownership of the private key that corresponds to the public key published in the certificate. If the challenge fails, the SSL handshake is aborted by the SSL daughter card.


The SSL daughter card cannot verify that the sender of the certificate is the expected end user or host of the communication session. To authenticate the end user or host, additional validation is necessary during the data phase, using a username and password, bank account number, credit card number, or mother's maiden name.

If the certificate sender is an SSL client, the SSL daughter card can extract attributes from the client certificate and insert these attributes into the HTTP header during the data phase. The server system that receives these headers can further examine the subject name of the certificate and other attributes and then determine the authenticity of the end user or host. See the "HTTP Header Insertion" section for information on configuring HTTP header insertion. See the "Client Certificate Authentication" section for information on configuring client certificate authentication.

These sections describe how to configure the public key infrastructure (PKI):

Configuring the Keys and the Certificates

Verifying the Certificates and the Trustpoints

Configuring a Root CA (Trusted Root)

Saving Your Configuration

Backing Up the Keys and the Certificates

Monitoring and Maintaining the Keys and Certificates

Assigning a Certificate to a Proxy Service

Renewing a Certificate

Configuring the Automatic Certificate Renewal and Enrollment

Enabling the Key and Certificate History

Caching the Peer Certificates

Configuring the Certificate Expiration Warning

Configuring the Keys and the Certificates

You can configure keys and certificates using one of the following methods:

If you are using the Simple Certificate Enrollment Protocol (SCEP), configure the keys and certificates by doing the following:

Generate a key pair.

Declare the trustpoint.

Get the certificate authority certificate.

Send an enrollment request to a certificate authority on behalf of the SSL server.

See the "Configuring the Trustpoint Using SCEP" section for details.

If you are not using SCEP, configure the keys and certificates using the manual certificate enrollment (TFTP and cut-and-paste) feature by doing the following:

Generate or import a key pair.

Declare the trustpoint.

Get the certificate authority certificate, and enroll the trustpoint by using TFTP or cut-and-paste to create a PKCS10 file.

Request the SSL server certificate offline by using the PKCS10 package.

Import the SSL server certificate by using TFTP or cut-and-paste.

See the "Manual Certificate Enrollment" section for details.

If you are using an external PKI system, do the following:

Generate PKCS12 or PEM files.

Import this file to the module.

See the "Importing and Exporting the Key Pairs and Certificates" section for details.

An external PKI system is a server or a PKI administration system that generates key pairs and enrolls for certificates from a certificate authority or a key and certificate archival system. The Public-Key Cryptography Standards (PKCS) specifies the transfer syntax for personal identity information, including the private keys and certificates. This information is packaged into an encrypted file. To open the encrypted file, you must know a pass phrase. The encryption key is derived from the pass phrase.


Note You do not need to configure a trustpoint before importing the PKCS12 or PEM files. If you import keys and certificates from PKCS12 or PEM files, the trustpoint is created automatically if it does not already exist.


See Figure 8-1 for an overview on configuring keys and certificates.

Figure 8-1 Key and Certificate Configuration Overview

Configuring the Trustpoint Using SCEP

To configure a trustpoint using SCEP, complete the following tasks:

Generating the RSA Key Pairs

Declaring the Trustpoint

Obtaining the Certificate Authority Certificate

Requesting a Certificate

Generating the RSA Key Pairs


Note The first key pair that is generated enables SSH on the module. If you are using SSH, configure a key pair for SSH. See the "Configuring SSH" section.


RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is widely used by the certificate authorities and the SSL servers to generate key pairs. Each certificate authority and each SSL server has its own RSA key pair. The SSL server sends its public key to the certificate authority when enrolling for a certificate. The SSL server uses the certificate to prove its identity to clients when setting up the SSL session.

The SSL server keeps the private key in a secure storage and sends only the public key to the certificate authority, which uses its private key to sign the certificate that contains the server's public key and other identifying information about the server.

Each certificate authority keeps the private key secret and uses the private key to sign certificates for its subordinate certificate authorities and SSL servers. The certificate authority has a certificate that contains its public key.

The certificate authorities form a hierarchy of one or more levels. The top-level certificate authority is called the root certificate authority. The lower level certificate authorities are called the intermediate or subordinate certificate authorities. The root certificate authority has a self-signed certificate, and it signs the certificate for the next level subordinate certificate authority, which signs the certificate for the next lower level certificate authority, and so on. The lowest level certificate authority signs the certificate for the SSL server.


Note The SSL daughter card supports up to eight levels of certificate authority (one root certificate authority and up to seven subordinate certificate authorities). For an example of a three-level (3-tier) enrollment, see the "Example of Three-Tier Certificate Authority Enrollment" section.


These certificates form a chain with the server certificate at the bottom and the root certificate authority's self-signed certificate at the top. Each signature is formed by using the private key of the issuing certificate authority to encrypt a hash digest of the certificate body. The signature is attached to the end of the certificate body to form the complete certificate.

When setting up an SSL session, the SSL server sends its certificate chain to the client. The client verifies the signature of each certificate up the chain by retrieving the public key from the next higher-level certificate to decrypt the signature attached to the certificate body. The decryption result is compared with the hash digest of the certificate body. Verification terminates when one of the certificate authority certificates in the chain matches one of the trusted certificate authority certificates stored in the client's own database.

If the top-level certificate authority certificate is reached in the chain, and there is no match of trusted self-signed certificates, the client may terminate the session or prompt the user to view the certificates and determine if they can be trusted.

After the SSL client authenticates the server, it uses the public key from the server certificate to encrypt a secret and send it over to the server. The SSL server uses its private key to decrypt the secret. Both sides use the secret and two random numbers that they exchanged to generate the key material required for the rest of the SSL session for data encryption, decryption, and integrity checking.
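The chain walk just described (hash the certificate body, undo the signature with the issuing certificate authority's public key, compare the result with the hash, and stop at the first certificate that matches the client's trusted store), together with the serial-number revocation lookup mentioned in the "Configuring the Public Key Infrastructure" overview, can be modelled in a few dozen lines. The following Python script is an added example, not code from this Cisco document or from the CSM-S itself. It uses textbook RSA without padding and SHA-256 so that it runs on the Python standard library alone; real X.509 signatures add PKCS#1 padding and DER encoding, but the walk up the chain is the same. The certificate layout, the subject names and the three-tier hierarchy it builds are constructed for the example.

```python
# Added example (not from the Cisco document): a model of certificate-chain
# verification with textbook RSA (no padding) and SHA-256, standard library only.
import hashlib
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(rng, bits=512):
    """Return ((e, n), d): a general-purpose RSA key pair with an n of `bits` bits."""
    def prime(k):
        while True:
            cand = rng.getrandbits(k) | (1 << (k - 1)) | 1   # force top bit and oddness
            if is_probable_prime(cand, rng):
                return cand
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (e, p * q), pow(e, -1, phi)


def digest(body):
    """Hash digest of the certificate body as an integer (always smaller than a 512-bit n)."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def issue_certificate(subject, serial, subject_pub, issuer_subject, issuer_priv, issuer_n):
    """The issuing CA signs the hash of the body with its private key and appends the result."""
    e, n = subject_pub
    body = f"serial={serial};subject={subject};issuer={issuer_subject};e={e};n={n}".encode()
    return {"serial": serial, "subject": subject, "issuer": issuer_subject,
            "pubkey": subject_pub, "body": body,
            "signature": pow(digest(body), issuer_priv, issuer_n)}


def signature_valid(cert, issuer_pub):
    """Undo the signature with the issuer's public key and compare with the body hash."""
    e, n = issuer_pub
    return pow(cert["signature"], e, n) == digest(cert["body"])


def verify_chain(chain, trusted, revoked_serials=frozenset()):
    """chain[0] is the server certificate, chain[-1] the top-level CA certificate.
    Walk upward, checking each signature with the next certificate's public key, and
    stop as soon as a certificate in the chain matches one in the trusted store.
    Returns (ok, reason)."""
    trusted_bodies = {t["body"] for t in trusted}
    for depth, cert in enumerate(chain):
        if cert["serial"] in revoked_serials:          # CRL lookup by serial number
            return False, f"{cert['subject']} (serial {cert['serial']}) is revoked"
        if cert["body"] in trusted_bodies:
            return True, f"chain anchored at trusted CA {cert['subject']}"
        if depth + 1 == len(chain):
            return False, f"reached top-level CA {cert['subject']} with no trusted match"
        issuer = chain[depth + 1]
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']} was not issued by {issuer['subject']}"
        if not signature_valid(cert, issuer["pubkey"]):
            return False, f"bad signature on {cert['subject']}"
    return False, "empty chain"


def build_demo_chain(seed=7):
    """Constructed three-tier hierarchy: root CA -> subordinate CA -> SSL server."""
    rng = random.Random(seed)
    root_pub, root_priv = generate_keypair(rng)
    sub_pub, sub_priv = generate_keypair(rng)
    srv_pub, _ = generate_keypair(rng)
    root = issue_certificate("CN=root-ca", 1, root_pub, "CN=root-ca", root_priv, root_pub[1])
    sub = issue_certificate("CN=sub-ca1", 2, sub_pub, "CN=root-ca", root_priv, root_pub[1])
    server = issue_certificate("CN=ste.cisco.com", 3, srv_pub, "CN=sub-ca1", sub_priv, sub_pub[1])
    return [server, sub, root]          # server certificate at the bottom, self-signed root on top
```

With the root certificate in the trusted store, `verify_chain(build_demo_chain(), trusted=[root])` succeeds after checking the server and subordinate signatures; with an empty store it fails with the reason the text gives (top of the chain reached without a match); a revoked serial number or a tampered body also fails. Trusting the subordinate CA directly makes the walk stop there, which is why the client never needs the root certificate in that case.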


Note The SSL daughter card supports only general-purpose keys.


When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.


Note The generated key pair resides in system memory (RAM). Key pairs will be lost on power failure or module reset. You must enter the copy system:running-config nvram:startup-config command to save the running configuration and the key pairs to the private configuration file in the module NVRAM.


To generate the RSA key pairs, perform this task:

Command
Purpose

ssl-proxy(config)# crypto key generate rsa [usage-keys | general-keys] [label key-label] [exportable (1)] [modulus size]

Generates RSA key pairs.

(1) The exportable keyword specifies that the key is allowed to be exported. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.



Note When you generate the RSA keys, you are prompted to enter a modulus length in bits. The SSL daughter card supports modulus lengths of 512, 768, 1024, 1536, and 2048 bits. Although you can specify 512 or 768, we recommend a minimum modulus length of 1024. A longer modulus takes longer to generate and takes longer to use, but it offers stronger security.


This example shows how to generate special-usage RSA keys:

crypto key generate rsa usage-keys

The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>

Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>

Generating RSA keys.... [OK].

This example shows how to generate general-purpose RSA keys:


Note You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.


ssl-proxy(config)# crypto key generate rsa general-keys label kp1 exportable 

The name for the keys will be: kp1
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys.... [OK]. 

Declaring the Trustpoint

You should declare one trustpoint to be used by the module for each certificate.

To declare the trustpoint that your module uses and specify characteristics for the trustpoint, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1

ssl-proxy(config)# crypto ca trustpoint trustpoint-label (1)

Declares the trustpoint that your module should use. Entering this command puts you in ca-trustpoint configuration mode.

Step 2

ssl-proxy(ca-trustpoint)# rsakeypair key-label

Specifies which key pair to associate with the certificate.

Step 3

ssl-proxy(ca-trustpoint)# enrollment [mode ra] [retry [period minutes] [count count]] url url

Specifies the enrollment parameters for your certificate authority.

Step 4

ssl-proxy(ca-trustpoint)# ip-address server_ip_addr

(Optional) Specifies the IP address of the proxy service that will use this certificate (2).

Step 5

ssl-proxy(ca-trustpoint)# crl [best-effort | optional | query host:[port]]

(Optional) Specifies how this trustpoint looks up a certificate revocation list when validating a certificate associated with this trustpoint. See the "Certificate Revocation List" section for information on CRLs.

Step 6

ssl-proxy(ca-trustpoint)# subject-name line (3) (4)

(Optional) Configures the host name of the proxy service (5).

Step 7

ssl-proxy(ca-trustpoint)# password password

(Optional) Configures a challenge password.

Step 8

ssl-proxy(ca-trustpoint)# exit

Exits ca-trustpoint configuration mode.

(1) The trustpoint-label should match the key-label of the keys; however, this match is not required.

(2) Some web browsers compare the IP address in the SSL server certificate with the IP address that might appear in the URL. If the IP addresses do not match, the browser may display a dialog box and ask the client to accept or reject this certificate.

(3) For example, subject-name CN=server1.domain2.com, where server1 is the name of the SSL server that appears in the URL. The subject-name command uses the Lightweight Directory Access Protocol (LDAP) format.

(4) Arguments specified in the subject name must be enclosed in quotation marks if they contain a comma, for example, O="Cisco, Inc."

(5) Some browsers compare the CN field of the subject name in the SSL server certificate with the hostname that might appear in the URL. If the names do not match, the browser may display a dialog box and ask the client to accept or reject the certificate. Also, some browsers will reject the SSL session setup and silently close the session if the CN field is not defined in the certificate.

This example shows how to declare the trustpoint PROXY1 and verify connectivity:

ssl-proxy(config)# crypto ca trustpoint PROXY1
ssl-proxy(ca-trustpoint)# rsakeypair PROXY1
ssl-proxy(ca-trustpoint)# enrollment url http://exampleCA.cisco.com
ssl-proxy(ca-trustpoint)# ip-address 10.0.0.1
ssl-proxy(ca-trustpoint)# password password
ssl-proxy(ca-trustpoint)# crl optional
ssl-proxy(ca-trustpoint)# serial-number
ssl-proxy(ca-trustpoint)# subject-name C=US; ST=California; L=San Jose; O=Cisco; OU=Lab; CN=host1.cisco.com
ssl-proxy(ca-trustpoint)# end
ssl-proxy# ping example.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ssl-proxy#

Obtaining the Certificate Authority Certificate

For each trustpoint, you must obtain a certificate that contains the public key of the certificate authority; multiple trustpoints can use the same certificate authority.


Note Contact the certificate authority to obtain the correct fingerprint of the certificate and verify the fingerprint displayed on the console.


To obtain the certificate that contains the public key of the certificate authority, perform this task in global configuration mode:

Command
Purpose

ssl-proxy(config)# crypto ca authenticate trustpoint-label

Obtains the certificate that contains the public key of the certificate authority. Enter the same trustpoint-label that you entered when declaring the trustpoint.


This example shows how to obtain the certificate of the certificate authority:

ssl-proxy(config)# crypto ca authenticate PROXY1
Certificate has the following attributes:
Fingerprint: A8D09689 74FB6587 02BFE0DC 2200B38A 
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
ssl-proxy(config)# end
ssl-proxy#

Requesting a Certificate

You must obtain a signed certificate from the certificate authority for each trustpoint.

To request signed certificates from the certificate authority, perform this task in global configuration mode:

Command
Purpose

ssl-proxy(config)# crypto ca enroll trustpoint-label (1)

Requests a certificate for the trustpoint.

(1) You have the option to create a challenge password that is not saved with the configuration. This password is required if your certificate needs to be revoked, so you must remember this password.



Note If your module or switch reboots after you have entered the crypto ca enroll command but before you have received the certificates, you must reenter the command and notify the certificate authority administrator.


This example shows how to request a certificate:

ssl-proxy(config)# crypto ca enroll PROXY1
%
% Start certificate enrollment.. 

% The subject name in the certificate will be: C=US; ST=California; L=San Jose; O=Cisco; 
OU=Lab; CN=host1.cisco.com
% The subject name in the certificate will be: host.cisco.com
% The serial number in the certificate will be: 00000000
% The IP address in the certificate is 10.0.0.1

% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Fingerprint:  470DE382 65D8156B 0F84C2AF 4538B913 

ssl-proxy(config)# end

After you configure the trustpoint, see the "Verifying the Certificates and the Trustpoints" section to verify the certificate and trustpoint information.

Example of Three-Tier Certificate Authority Enrollment

The SSL daughter card supports up to eight levels of certificate authority (one root certificate authority and up to seven subordinate certificate authorities).

This example shows how to configure three levels of certificate authority:

Generating the Keys

This example shows how to generate a key:

ssl-proxy(config)# crypto key generate rsa general-keys label key1 exportable
The name for the keys will be:key1
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys ...[OK]

Defining the Trustpoints

This example shows how to define a trustpoint:

ssl-proxy(config)# crypto ca trustpoint 3tier-root
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.1
ssl-proxy(ca-trustpoint)#
ssl-proxy(ca-trustpoint)# exit 
ssl-proxy(config)# crypto ca trustpoint 3tier-sub1 
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.2
ssl-proxy(ca-trustpoint)#
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto ca trustpoint tp-proxy1 
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3
ssl-proxy(ca-trustpoint)# serial-number 
ssl-proxy(ca-trustpoint)# password cisco
ssl-proxy(ca-trustpoint)# subject CN=ste.cisco.com
ssl-proxy(ca-trustpoint)# rsakeypair key1 
ssl-proxy(ca-trustpoint)# show
 enrollment url tftp://10.1.1.3
 serial-number
 password 7 02050D480809
 subject-name CN=ste.cisco.com
 rsakeypair key1
end

ssl-proxy(ca-trustpoint)# exit

Authenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)

ssl-proxy(config)# crypto ca authenticate 3tier-root
Certificate has the following attributes:
Fingerprint:84E470A2 38176CB1 AA0476B9 C0B4F478 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
ssl-proxy(config)#
ssl-proxy(config)# crypto ca authenticate 3tier-sub1
Certificate has the following attributes:
Fingerprint:FE89FB0D BF8450D7 9934C926 6C66708D 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
ssl-proxy(config)#
ssl-proxy(config)# crypto ca authenticate tp-proxy1
Certificate has the following attributes:
Fingerprint:6E53911B E29AE44C ACE773E7 26A098C3 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.

Enrolling with the Third Level Certificate Authority

ssl-proxy(config)# crypto ca enroll tp-proxy1
%
% Start certificate enrollment .. 

% The fully-qualified domain name in the certificate will be:ste.
% The subject name in the certificate will be:ste.
% The serial number in the certificate will be:B0FFF0C2
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]:yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

ssl-proxy(config)#    Fingerprint: 74390E57 26F89436 6FC52ABE 24E23CD9 

ssl-proxy(config)#
*Apr 18 05:10:20.963:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Manual Certificate Enrollment

The Manual Certificate Enrollment (TFTP and cut-and-paste) feature allows you to generate a certificate request and accept certificate authority certificates as well as router certificates. These tasks are accomplished with a TFTP server or manual cut-and-paste operations. You may want to use TFTP or manual cut-and-paste enrollment in the following situations:

Your certificate authority does not support Simple Certificate Enrollment Protocol (SCEP)—This method is the most common method for sending and receiving requests and certificates.

A network connection between the router and the certificate authority is not possible—A router running Cisco IOS software obtains its certificate using this method.

Configure the Manual Certificate Enrollment (TFTP and cut-and-paste) feature as described at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftmancrt.htm


Note If the certificate revocation list (CRL) fails to download because the CRL server is unreachable or the CRL download path does not exist, the certificate might fail to import. Make sure that all trustpoints that are linked to the import process are able to download the CRL. If the CRL path does not exist, or if the CRL server is unreachable, you should enter the crl optional command for all trustpoints that are linked to the import process. Enter the show crypto ca certificates command to display information for all certificates, and obtain a list of associated trustpoints from the display of the certificate authority certificate. Enter the crl optional command for all these trustpoints.

For example, in a three-tier certificate authority hierarchy (root CA, subordinate CA1, and subordinate CA2), when you import the subordinate CA1 certificate, enter the crl optional command for all the trustpoints associated with root CA. Similarly, when you import the subordinate CA2 certificate, enter the crl optional command for all the trustpoints associated with root CA and subordinate CA1.

After you successfully import the certificate, you can restore the original CRL options on the trustpoints.


Configuring a Certificate Enrollment Using TFTP (One-Tier Certificate Authority)

To configure the certificate enrollment using TFTP, perform these steps:


Step 1 Configure the trustpoint:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# crypto ca trustpoint tftp_example
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.2/win2k
ssl-proxy(ca-trustpoint)# rsakeypair pair3
ssl-proxy(ca-trustpoint)# exit

Step 2 Request a certificate for the trustpoint:

ssl-proxy(config)# crypto ca enroll tftp_example 
% Start certificate enrollment .. 

% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.com
% The subject name in the certificate will be: ssl-proxy.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 00000000
% Include an IP address in the subject name? [no]: 
Send Certificate Request to tftp server? [yes/no]: yes
% Certificate request sent to TFTP Server
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
ssl-proxy(config)#    Fingerprint:  D012D925 96F4B5C9 661FEC1E 207786B7 
!!

Step 3 Obtain the certificate that contains the public key of the certificate authority:

ssl-proxy(config)# crypto ca auth tftp_example
Loading win2k.ca from 10.1.1.2 (via Ethernet0/0.168): !
[OK - 1436 bytes]

Certificate has the following attributes:
Fingerprint: 2732ED87 965F8FEB F89788D4 914B877D 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ssl-proxy(config)#

Step 4 Import the server certificate:

ssl-proxy(config)# crypto ca import tftp_example cert
% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.com
Retrieve Certificate from tftp server? [yes/no]: yes
% Request to retrieve Certificate queued

ssl-proxy(config)#
Loading win2k.crt from 10.1.1.2 (via Ethernet0/0.168): !
[OK - 2112 bytes]

ssl-proxy(config)#
*Apr 15 12:02:33.535: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
ssl-proxy(config)#


Configuring a Certificate Enrollment Using Cut-and-Paste (One-Tier Certificate Authority)

To configure the certificate enrollment using cut-and-paste, perform these steps:


Step 1 Generate the RSA key pair:

ssl-proxy(config)# crypto key generate rsa general-keys label CSR-key exportable 
The name for the keys will be:CSR-key
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys ...[OK]

Step 2 Configure the trustpoints:

ssl-proxy(config)# crypto ca trustpoint CSR-TP
ssl-proxy(ca-trustpoint)# rsakeypair CSR-key
ssl-proxy(ca-trustpoint)# serial
ssl-proxy(ca-trustpoint)# subject-name CN=abc, OU=hss, O=cisco
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# exit

a. Request a certificate for the trustpoint:

ssl-proxy(config)# crypto ca enroll CSR-TP
% Start certificate enrollment .. 

% The subject name in the certificate will be:CN=abc, OU=hss, O=cisco
% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com
% The subject name in the certificate will be:ssl-proxy.cisco.com
% The serial number in the certificate will be:B0FFF22E
% Include an IP address in the subject name? [no]:no
Display Certificate Request to terminal? [yes/no]:yes
Certificate Request follows:

MIIBwjCCASsCAQAwYTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEMMAoG
A1UEAxMDYWJjMTMwDwYDVQQFEwhCMEZGRjIyRTAgBgkqhkiG9w0BCQIWE3NzbC1w
cm94eS5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt
30lBVVK1qAE/agsuzIaa15YZft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQ
tYSF77R1pmhK0WSKPuu7fJPYr/Cbo80OUzkRAgMBAAGgITAfBgkqhkiG9w0BCQ4x
EjAQMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQQFAAOBgQC2GIX06/hihXHA
DA5sOpxgLsO1rMP8PF4bZDdlpWLVBSOrp4S1L7hH9P2NY9rgZAJhDTRfGGm179JY
GOtUuCyPYPkpb0S5VGTUrHvvUWekleKq2d91kfgbkRmJmHBaB2Ev5DNBcV11SIMX
RULG7oUafU6sxnDWqbMseToF4WrLPg==

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:no

Step 3 Import the certificate authority certificate:

ssl-proxy(config)# crypto ca authenticate CSR-TP

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint:B8B35B00 095573D0 D3B8FA03 B6CA8934 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ssl-proxy(config)#

Step 4 Import the server certificate (the server certificate is issued by the certificate authority whose certificate was imported in Step 3):

ssl-proxy(config)# crypto ca import CSR-TP certificate
% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIB7TCCAVYCAQQwDQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDELMAkGA1UEAxMCY2EwHhcNMDMxMTIwMDAxMzE2WhcNMDQxMTE5MDAxMzE2WjAs
MQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMQwwCgYDVQQDEwNhYmMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZ
ft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQksuSY589V+GMDrO9B4Sxn+5N
p2bQmd745NvI4gorNRvXcdjmE+/SzE+bBSBcKAwNtYSF77R1pmhK0WSKPuu7fJPY
r/Cbo80OUzkRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjqJ9378P6Gz69Ykplw06
Powp+2rbe2iFBrE1xE09BL6G6vzcBQgb5W4uwqxe7SIHrHsS0/7Be3zeJnlOseWx
/KVj7I02iPgrwUa9DLavwrTyaa0KtTpti/i5nIwTNh5xkp2bBJQikD4TEK7HAvXf
HQ9SyB3YZJk/Bjp6/eFHEfU=
-----END CERTIFICATE-----

% Router Certificate successfully imported

ssl-proxy(config)#^Z


Configuring a Certificate Enrollment Using TFTP (Three-Tier Certificate Authority)

To configure certificate enrollment using TFTP, perform these steps:


Step 1 Generate the RSA key pair:

ssl-proxy(config)# crypto key generate rsa general-keys label test-3tier exportable 
The name for the keys will be:test-3tier
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys ...[OK]

Step 2 Configure the trustpoint:

ssl-proxy(config)# crypto ca trustpoint test-3tier 
ssl-proxy(ca-trustpoint)# serial-number 
ssl-proxy(ca-trustpoint)# password cisco
ssl-proxy(ca-trustpoint)# subject CN=test-3tier, OU=hss, O=Cisco
ssl-proxy(ca-trustpoint)# rsakeypair test-3tier 
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-3tier
ssl-proxy(ca-trustpoint)# exit

Step 3 Generate the certificate signing request (CSR) and send it to the TFTP server:

ssl-proxy(config)# crypto ca enroll test-3tier
%
% Start certificate enrollment .. 

% The subject name in the certificate will be:CN=test-3tier, OU=hss, O=Cisco
% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com
% The subject name in the certificate will be:ssl-proxy.cisco.com
% The serial number in the certificate will be:B0FFF22E
% Include an IP address in the subject name? [no]:
Send Certificate Request to tftp server? [yes/no]:yes
% Certificate request sent to TFTP Server
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

ssl-proxy(config)# Fingerprint: 19B07392 319B2ACF F8FABE5C 52798971 

ssl-proxy(config)#
!!

Step 4 Use the CSR to acquire the SSL certificate offline from the third-level certificate authority.

Step 5 Authenticate the three certificate authorities (one root and two subordinate certificate authorities):

ssl-proxy(config)# crypto ca trustpoint test-1tier 
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-1tier 
ssl-proxy(ca-trustpoint)# crl optional
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto ca authenticate test-1tier 
Loading test-1tier.ca from 10.1.1.3 (via Ethernet0/0.172):!
[OK - 1046 bytes]

Certificate has the following attributes:
Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.

ssl-proxy(config)# crypto ca trustpoint test-2tier 
ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-2tier 
ssl-proxy(ca-trustpoint)# crl optional
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto ca authenticate test-2tier 
Loading test-2tier.ca from 10.1.1.3 (via Ethernet0/0.172):!
[OK - 1554 bytes]

Certificate has the following attributes:
Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.

ssl-proxy(config)# crypto ca authenticate test-3tier 
Loading test-3tier.ca from 10.1.1.3 (via Ethernet0/0.172):!
[OK - 1545 bytes]

Certificate has the following attributes:
Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.

Step 6 Import the server certificate:

ssl-proxy(config)# crypto ca import test-3tier certificate 
% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com
Retrieve Certificate from tftp server? [yes/no]:yes
% Request to retrieve Certificate queued

ssl-proxy(config)#
Loading test-3tier.crt from 10.1.1.3 (via Ethernet0/0.172):!
[OK - 1608 bytes]

ssl-proxy(config)#
*Nov 25 21:52:36.299:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority
ssl-proxy(config)# ^Z
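Before answering yes at the "Do you accept this certificate?" prompts in the procedures above, the operator compares the displayed fingerprint with one obtained from the certificate authority out of band, and presents the three CA certificates in root-to-leaf order so that each "Certificate validated - Signed by existing trustpoint CA certificate" step can succeed. The script below is an added example, not Cisco code and not part of this note; it performs those checks offline with only the Python standard library, using the root CA and server certificates printed in this page's transcripts as its sample input. It assumes that the 128-bit value the module prints after "Fingerprint:" is the MD5 digest of the DER-encoded certificate, and its chain check compares issuer and subject names only, leaving signature verification to the module.

```python
# Added example (not Cisco code): offline checks on a certificate before it is pasted into the
# module, stdlib only.  Assumption: the 128-bit "Fingerprint:" the module prints is the MD5 of the DER.
import base64
import hashlib

# Root CA certificate copied from the "crypto ca authenticate 3tier-root" transcript on this page.
ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2Fu
IGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3Np
bXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIx
NTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNV
BAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYD
VQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sA
MEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5l
VQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGX
BgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVu
cm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9c
XGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290
LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wy
YjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IO
EoBcmZteA+TQcKg=
-----END CERTIFICATE-----"""
# Server certificate copied from the "crypto ca import CSR-TP certificate" transcript; a different CA issued it.
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIIB7TCCAVYCAQQwDQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDELMAkGA1UEAxMCY2EwHhcNMDMxMTIwMDAxMzE2WhcNMDQxMTE5MDAxMzE2WjAs
MQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMQwwCgYDVQQDEwNhYmMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZ
ft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQksuSY589V+GMDrO9B4Sxn+5N
p2bQmd745NvI4gorNRvXcdjmE+/SzE+bBSBcKAwNtYSF77R1pmhK0WSKPuu7fJPY
r/Cbo80OUzkRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjqJ9378P6Gz69Ykplw06
Powp+2rbe2iFBrE1xE09BL6G6vzcBQgb5W4uwqxe7SIHrHsS0/7Be3zeJnlOseWx
/KVj7I02iPgrwUa9DLavwrTyaa0KtTpti/i5nIwTNh5xkp2bBJQikD4TEK7HAvXf
HQ9SyB3YZJk/Bjp6/eFHEfU=
-----END CERTIFICATE-----"""
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def pem_to_der(pem):
    # Drop the BEGIN/END lines and decode the base64 body exactly as the operator pastes it.
    body = "".join(l.strip() for l in pem.splitlines() if not l.strip().startswith("-----"))
    return base64.b64decode(body)

def tlv(buf, pos):
    # Parse one DER header at pos -> (tag, content_start, content_end); raise when truncated.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the count of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER: needs %d bytes, have %d" % (pos + length, len(buf)))
    return tag, pos, pos + length

def children(buf, start, end):
    # Yield (tag, tlv_start, content_start, content_end) for each element of a SEQUENCE or SET.
    pos = start
    while pos < end:
        tag, s, e = tlv(buf, pos)
        yield tag, pos, s, e
        pos = e

def name_to_str(name):
    # Render a DER Name (SEQUENCE OF SET OF {OID, value}) as "C=US, ..., CN=...".
    parts = []
    _, s, e = tlv(name, 0)
    for _, _, rs, re_ in children(name, s, e):          # one SET per RDN
        for _, _, as_, ae in children(name, rs, re_):   # AttributeTypeAndValue SEQUENCE
            _, os_, oe = tlv(name, as_)                 # attribute type OID
            vtag, vs, ve = tlv(name, oe)                # attribute value string
            text = name[vs:ve].decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace")
            parts.append("%s=%s" % (OID_NAMES.get(name[os_:oe], "OID"), text))
    return ", ".join(parts)

def parse_certificate(pem):
    # Decode one PEM certificate into the fields worth checking before answering "yes".
    der = pem_to_der(pem)
    tag, s, e = tlv(der, 0)                              # outer Certificate SEQUENCE
    if tag != 0x30 or e != len(der):
        raise ValueError("not exactly one DER Certificate (%d of %d bytes)" % (e, len(der)))
    _, ts, te = tlv(der, s)                              # tbsCertificate SEQUENCE
    fields = [(t, der[p:fe]) for t, p, _, fe in children(der, ts, te)]
    fields = fields[fields[0][0] == 0xA0:]               # skip the optional [0] version (absent in v1 certs)
    issuer, subject = fields[2][1], fields[4][1]         # serial, sigAlg, issuer, validity, subject, ...
    digest = hashlib.md5(der).hexdigest().upper()        # the module's "Fingerprint:" (assumed MD5)
    return {"der_len": len(der), "fingerprint": " ".join(digest[i:i + 8] for i in range(0, 32, 8)),
            "issuer_der": issuer, "subject_der": subject,
            "issuer": name_to_str(issuer), "subject": name_to_str(subject)}

def paste_is_complete(pem):
    # False when the DER is truncated, the usual result of a cut-and-paste that lost a line.
    try:
        return bool(parse_certificate(pem))
    except (ValueError, IndexError):
        return False

def chain_links(pems):
    # True when each certificate's issuer Name is byte-equal to the previous certificate's subject
    # (RFC 5280 binary match) in the order root, subordinate(s), server; signatures stay with the module.
    certs = [parse_certificate(p) for p in pems]
    return all(certs[i]["issuer_der"] == certs[i - 1]["subject_der"] for i in range(1, len(certs)))
```

Call parse_certificate() on each PEM to read the fingerprint and the subject and issuer names before the module asks for acceptance, chain_links() on the PEMs in the order they will be imported (root, subordinate 1, subordinate 2, then the server certificate), and paste_is_complete() on anything that arrived through a terminal: a dropped trailing line leaves a DER whose declared length exceeds the data, which is the most common reason an import is rejected.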


Configuring a Certificate Enrollment Using Cut-and-Paste (Three-Tier Certificate Authority)

To configure a certificate enrollment using cut-and-paste, perform these steps:


Step 1 Generate the RSA key pair:

ssl-proxy(config)# crypto key generate rsa general-keys label tp-proxy1 exportable
The name for the keys will be:tp-proxy1
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys ...[OK]

Step 2 Configure the trustpoint:

ssl-proxy(config)# crypto ca trustpoint tp-proxy1
ssl-proxy(ca-trustpoint)# enrollment ter
ssl-proxy(ca-trustpoint)# rsakeypair tp-proxy1
ssl-proxy(ca-trustpoint)# serial
ssl-proxy(ca-trustpoint)# subject-name CN=test
ssl-proxy(ca-trustpoint)# exit

Step 3 Request a certificate for the trustpoint:

ssl-proxy(config)# crypto ca enroll tp-proxy1
% Start certificate enrollment .. 

% The subject name in the certificate will be:CN=test
% The fully-qualified domain name in the certificate will be:ssl-proxy.
% The subject name in the certificate will be:ssl-proxy.
% The serial number in the certificate will be:B0FFF14D
% Include an IP address in the subject name? [no]:no
Display Certificate Request to terminal? [yes/no]:yes
Certificate Request follows:
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---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:no

Step 4 Get the certificate request (from Step 3) signed by a third-level certificate authority.

Step 5 Define and import all certificate authorities (one root and two subordinate certificate authorities).

a. Define the two trustpoints, one for the root certificate authority and one for the subordinate 1 certificate authority.


Note Use tp-proxy1 to import the subordinate 2 certificate authority certificate.


ssl-proxy(config)# crypto ca trustpoint 3tier-root
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# crl op
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto ca trustpoint 3tier-sub1
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# crl op
ssl-proxy(ca-trustpoint)# exit

b. Import the root certificate authority certificate:

ssl-proxy(config)# crypto ca authenticate 3tier-root

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2Fu
IGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3Np
bXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIx
NTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNV
BAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYD
VQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sA
MEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5l
VQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGX
BgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVu
cm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9c
XGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290
LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wy
YjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IO
EoBcmZteA+TQcKg=
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

c. Import the subordinate 1 certificate authority certificate:

ssl-proxy(config)# crypto ca authenticate 3tier-sub1

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported

d. Import the subordinate 2 certificate authority certificate:

ssl-proxy(config)# crypto ca authenticate tp-proxy1

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569 
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported

e. Import the server certificate:

ssl-proxy(config)# crypto ca import tp-proxy1 certificate 
% The fully-qualified domain name in the certificate will be:ssl-proxy.

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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