Document ID: 63456
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Main Task
Task
Step-by-Step Instructions
Intermediate Certificates
Verify
Troubleshoot
Related Information
Introduction
This document describes how to:
- create a certificate signing request (CSR) on the Secure Socket Layer Module (SSLM)
- import the certificate using cut and paste in privacy-enhanced mail (PEM) format
Prerequisites
Before you begin, you need to know the domain name that is assigned to the certificate. You also need the certificate authority's (CA) root certificate, and possibly the CA intermediate certificate.
Requirements
Before attempting this configuration, ensure that you meet these requirements:
- CA root certificate; possibly the intermediate root certificate
- domain name for certificate
- information
Components Used
The information in this document is based on these software and hardware versions:
- release 2.1(2)
- Verisign Test Certificate
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Main Task
Task
This section details each step needed to create the CSR, from the creation of the key pair to importing the server certificate.
Step-by-Step Instructions
Complete the instructions in this section.
- Create the key pair.
  nov10-key is the name of the key pair.
  Note: Be sure to specify exportable; otherwise, you are not able to export the key pair from the SSLM.

    ssl-proxy(config)#crypto key generate rsa general-keys label nov10-key exportable
    The name for the keys will be: nov10-key
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]

- Create the trustpoint.
  The name of the trustpoint is yoursite. You need to enter the subject name in X.509 format and your domain name. This information is used to create the CSR.

    ssl-proxy(config)#crypto ca trustpoint yoursite
    ssl-proxy(ca-trustpoint)#enrollment terminal pem
    ssl-proxy(ca-trustpoint)#crl optional
    ssl-proxy(ca-trustpoint)#subject-name C=US, ST=Massachusetts, L=Boxborough, O=Cisco, OU=Tac, CN=www.yourdomain.com
    ssl-proxy(ca-trustpoint)#fqdn www.yourdomain.com
    ssl-proxy(ca-trustpoint)#rsakeypair nov10-key
    ssl-proxy(ca-trustpoint)#exit

- Generate the CSR.

    ssl-proxy(config)#crypto ca enroll yoursite
    % Start certificate enrollment ..
    % The subject name in the certificate will be: C=US, ST=Massachusetts, L=Boxborough, O=Cisco, OU=Tac, CN=www.yourdomain.com
    % The fully-qualified domain name in the certificate will be: www.yourdomain.com
    % The subject name in the certificate will be: www.yourdomain.com
    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]: no
    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIB+jCCAWMCAQAwgZgxGzAZBgNVBAMTEnd3dy55b3VyZG9tYWluLmNvbTEMMAoG
    A1UECxMDVGFjMQ4wDAYDVQQKEwVDaXNjbzETMBEGA1UEBxMKQm94Ym9yb3VnaDEW
    MBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkGA1UEBhMCVVMxITAfBgkqhkiG9w0B
    CQIWEnd3dy55b3VyZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEAwwCQrKH+RYvhQpZuuVADHAh4BoFRefiV+b6UXXI8dOmnkKB/w1w+Hure4N6p
    QsBPMEg1mku5AT38JcrWKu8JfGVEEap54UX+ZGs4o37ssskL4vr0qeNQ0PxkIVE4
    4iZLb+KxS5XbGrNRN6Mx4A8npV8xe1Wew8TqNw2h+oNYEBcCAwEAAaAhMB8GCSqG
    SIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4GBAKjW
    SeLVzYdRSIkEL+rrYeuJfpoQTPIgTyjLNeI1a/ipoA/cQYPR0RBQ3N1k8G2JhXhW
    De4hNDsYPtnPZ65kUSjLLV6BenxKjXzIDhdc2x8MyhMu5t/tAbxelG3daJGhHUBd
    Of5meQ4JrbfwZHATmoiTEpAbWVNHC2h7oJO5Ldhw
    -----END CERTIFICATE REQUEST-----
    ---End - This line not part of the certificate request---
    Redisplay enrollment request? [yes/no]: no

- Send the CSR to your CA.
  Use copy and paste to send the CSR to your CA. If your CA asks for a server type, select Apache.

- Load the CA root certificate.
  Before you can load the server certificate, you must load any CA certificates. At a minimum, this is the CA root certificate, and possibly a CA intermediate certificate. Your CA is able to provide you with the necessary certificates.

    ssl-proxy(config)#crypto ca authenticate yoursite
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIICTTCCAfcCEFKp9CTaZ0ydr09TeFKr724wDQYJKoZIhvcNAQEEBQAwgakxFjAU
    BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
    cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
    RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
    IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk4MDYwNzAwMDAwMFoXDTA2MDYwNjIz
    NTk1OVowgakxFjAUBgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52
    ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBM
    aWFiLiBMVEQuMUYwRAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0
    aW5nIG9ubHkuIE5vIGFzc3VyYW5jZXMgKEMpVlMxOTk3MFwwDQYJKoZIhvcNAQEB
    BQADSwAwSAJBAMak6xImJx44jMKcbkACy5/CyMA2fqXK4PlzTtCxRq5tFkDzne7s
    cI8oFK/J+gFZNE3bjidDxf07O3JOYG9RGx8CAwEAATANBgkqhkiG9w0BAQQFAANB
    AKWnR/KPNxCglpTP5nzbo+QCIkmsCPjTCMnvm7KcwDJguaEwkoi1gBSY9biJp9oK
    +cv1Yn3KuVM+YptcWXLfxxI=
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
    Fingerprint: 40065311 FDB33E88 0A6F7DD1 4E229187
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

- Load the server certificate.

    ssl-proxy(config)#crypto ca import yoursite certificate
    % The fully-qualified domain name in the certificate will be: www.yourdomain.com
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIDNTCCAt+gAwIBAgIQAequL43ZqGWLN5H/5BzhGDANBgkqhkiG9w0BAQUFADCB
    qTEWMBQGA1UEChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWdu
    LmNvbS9yZXBvc2l0b3J5L1Rlc3RDUFMgSW5jb3JwLiBCeSBSZWYuIExpYWIuIExU
    RC4xRjBEBgNVBAsTPUZvciBWZXJpU2lnbiBhdXRob3JpemVkIHRlc3Rpbmcgb25s
    eS4gTm8gYXNzdXJhbmNlcyAoQylWUzE5OTcwHhcNMDQxMTEwMDAwMDAwWhcNMDQx
    MTI0MjM1OTU5WjB1MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0
    czETMBEGA1UEBxQKQm94Ym9yb3VnaDEOMAwGA1UEChQFQ2lzY28xDDAKBgNVBAsU
    A1RhYzEbMBkGA1UEAxQSd3d3LnlvdXJkb21haW4uY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDDAJCsof5Fi+FClm65UAMcCHgGgVF5+JX5vpRdcjx06aeQ
    oH/DXD4e6t7g3qlCwE8wSDWaS7kBPfwlytYq7wl8ZUQRqnnhRf5kazijfuyyyQvi
    +vSp41DQ/GQhUTjiJktv4rFLldsas1E3ozHgDyelXzF7VZ7DxOo3DaH6g1gQFwID
    AQABo4HRMIHOMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEIGA1UdHwQ7MDkwN6A1
    oDOGMWh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL1NlY3VyZVNlcnZlclRlc3RpbmdD
    QS5jcmwwUQYDVR0gBEowSDBGBgpghkgBhvhFAQcVMDgwNgYIKwYBBQUHAgEWKmh0
    dHA6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvVGVzdENQUzAdBgNVHSUE
    FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADQQCbMUY/lyyp
    2jt6YxiZNEaFNFHPRU5kQZAY8X+IWnQ0tLfASd0nJ4wdaaeGpJSZQKbMdae3aunz
    55LCq8QsB0AH
    -----END CERTIFICATE-----
    quit
    % Router Certificate successfully imported
Intermediate Certificates
If you have an intermediate certificate, you need to configure two trustpoints. The first trustpoint holds the CA root certificate only, and needs only enrollment terminal pem and crl optional configured. The second trustpoint holds the intermediate certificate and the server certificate. Configure the second trustpoint in the same way as the trustpoint in the Step-by-Step Instructions, but load the intermediate certificate where that procedure loads the root certificate.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
This section provides troubleshooting information relevant to this configuration.
If you run into problems loading the certificates, enable debugging with the debug crypto pki transactions command.
Make sure you have the complete certificate chain. You can determine this by viewing the certificates on a PC. Save the certificates with a .cer extension, then double click to open them.
The root certificate is shown in Figure 1. You can recognize it by looking at the Issued to and Issued by sections: both are the same. Also note that the certificate shows up as not trusted because it is a test certificate.
Figure 1
The server certificate is shown in Figure 2. You can determine that it matches the root certificate because its Issued by section matches the Issued by section on the root certificate.
Figure 2
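The Intermediate Certificates section and the Troubleshoot section both reduce to one check: each certificate's Issued by must equal the Issued to of the next certificate up the chain, and the last certificate must be self-issued. The following Python script is an added example, not part of the Cisco document or of the SSLM software: it applies that check to pasted PEM blocks using small DER helpers written for this example, compares the encoded Names only (it verifies no signatures), and builds constructed, unsigned certificate-shaped sample data so it runs offline.

```python
# Added example, not from the Cisco document: the Issued to / Issued by test of
# Figures 1 and 2, done on DER without openssl. Names only; no signature check.
import base64

def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                        # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _items(value):
    """Children of a SEQUENCE/SET payload as [(tag, value), ...]."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    """Strip the BEGIN/END armour of one pasted block and base64-decode the rest."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.strip().startswith("-----")))

def cert_names(der):
    """(subject, issuer) as raw DER Names; RFC 5280 matching starts with a byte comparison."""
    fields = _items(_tlv(_tlv(der)[1])[1])              # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                            # v3 cert: EXPLICIT [0] version comes first
        fields = fields[1:]                             # now: serial, sigAlg, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]

def check_chain(pems):
    """pems: server cert first, then intermediates, then root. [] means the chain is complete."""
    names = [cert_names(pem_to_der(p)) for p in pems]
    problems = [f"cert {k} is not issued by cert {k + 1} (missing intermediate?)"
                for k, ((_, issuer), (subj, _)) in enumerate(zip(names, names[1:])) if issuer != subj]
    if names[-1][0] != names[-1][1]:
        problems.append(f"cert {len(names) - 1} is not self-issued: root certificate missing")
    return problems

# CONSTRUCTED sample data: unsigned, certificate-shaped v1 bodies carrying only a CN.
def _der(tag, payload):
    lb = len(payload).to_bytes(max(1, (len(payload).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if len(payload) < 128 else bytes([0x80 | len(lb)]) + lb) + payload

def sample_pem(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b"")
    body = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
```

Paste the real PEM blocks your CA returned, server first, into check_chain to see which link is missing before you run crypto ca authenticate and crypto ca import on the SSLM.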
Related Information
- Catalyst 6500 Series SSL Services Module Installation and Verification Note
- Catalyst 6500 Series SSL Services Module Installation and Configuration Note, 1.2
- Downloads - Catalyst 6500/6000 Module Software (registered customers only)
- Release Notes for Catalyst 6500 Series Switch SSL Services Module Software Release 2.x
- Catalyst 6500 Series SSL Services Module System Message Guide, 2.1
- Catalyst 6500 Series SSL Services Module Command Reference, 2.1
- Technical Support - Cisco Systems
Updated: Dec 15, 2004. Document ID: 63456
