Document ID: 63485
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Main Task
Task
Step-by-Step Instructions
Verify
Troubleshoot
Related Information
Introduction
This document describes how to import your certificates and private key in privacy-enhanced mail (PEM) format by copying and pasting them into the terminal session of the module.
In this document, there are two trustpoints: the first trustpoint holds the certificate authority (CA) root certificate, and the second trustpoint holds the CA intermediate certificate, the server certificate and the private key.
Prerequisites
Requirements
Before attempting this configuration, ensure that you meet these requirements:
- Your certificates and keys must be in PEM format.
- Your private key must be in PEM format and encrypted with a passphrase. The import command takes that passphrase as an argument (see the Step-by-Step Instructions).
- You must have the complete certificate chain. This includes, at a minimum, the CA root certificate, and possibly the CA intermediate and server certificates. If you do not have the complete certificate chain, the import of the server certificate fails.
Components Used
The information in this document is based on these software and hardware versions:
- Secure Socket Layer Module (SSLM) version 2.1(2)
- Certificates in PEM format
- Encrypted private key in PEM format
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Main Task
Task
In this configuration, there are three certificates: the CA root, CA intermediate, and the server certificates. Because there are two CA certificates, you need to create two trustpoints. The first trustpoint is used to hold the CA root certificate, and the second trustpoint contains the CA intermediate and server certificate and the private key.
Step-by-Step Instructions
Complete the steps in this section.
1. Create a trustpoint for the CA root certificate.

    ssl-proxy(config)#crypto ca trustpoint root-tank.com
    ssl-proxy(ca-trustpoint)#enrollment terminal PEM
    ssl-proxy(ca-trustpoint)#crl optional
    ssl-proxy(ca-trustpoint)#exit

2. Import the CA root certificate with copy and paste. The module prints the MD5 fingerprint of the certificate it parsed before it asks you to accept it. Compare that fingerprint with the one published by the CA, or with the fingerprint computed from your own copy of the file, before you answer yes; whatever you accept here becomes the trust anchor for this trustpoint.

    ssl-proxy(config)#crypto ca authenticate root-tank.com
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIDujCCAyOgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBoDELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0
    ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5y
    dXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5j
    b20wHhcNMDQwODI4MDQwMjA3WhcNMDUwODI4MDQwMjA3WjCBoDELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9S
    dXN0ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RD
    QS5ydXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9v
    dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK0TJDw6e85ySiYfbWUV
    SZCEpMy5oBGNHeqfflwCnBjbHUdyn9EmsZR72aF7AweCpq71yIFRjaCsE6/2mJTW
    1vxJRFb5H5CkH1tLwJL5HVHtZjeGwU+FIZ6R8yKpbq2SIBSZ95+GbSz7hIjZ78qY
    61+z6qDup50W4OLJUgUL464nAgMBAAGjggEAMIH9MB0GA1UdDgQWBBQ5NXpGMxPL
    gBF67e/ydXUm4AIPYjCBzQYDVR0jBIHFMIHCgBQ5NXpGMxPLgBF67e/ydXUm4AIP
    YqGBpqSBozCBoDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpC
    b3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jv
    b3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5ydXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3
    DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkq
    hkiG9w0BAQQFAAOBgQAvLLBopgRnr1sYmCP+kmqRkqvBsdXjAG77nWB4TeNEmYJi
    +eCxuXXhBsQnWNye0yxakaj4EL2wJiXI6eNKCT0gZqZRb66/p2ki7Mpu/3x8g4qe
    Bma/nzCvAaA25o5kh8VlgUHSnFoOmhpLsxrDm90umBWTSALci8v70pjBT+09QA==
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
    Fingerprint: 615171D8 C3989EFA 4D45B23F 8ACBCDC3
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

3. Create a second trustpoint for the CA intermediate certificate, the server certificate and the private key.

    ssl-proxy(config)#crypto ca trustpoint server-tank.com
    ssl-proxy(ca-trustpoint)#enrollment terminal PEM
    ssl-proxy(ca-trustpoint)#crl optional
    ssl-proxy(ca-trustpoint)#exit

4. Import, in this order, the CA intermediate certificate, the private key and the server certificate with copy and paste. In this example, luckydog is the passphrase of the private key. The passphrase is the last argument of the crypto ca import command, so it is echoed in the session and recorded by any terminal logging; treat the session transcript as sensitive and change the passphrase if the transcript is ever shared.

    ssl-proxy(config)#crypto ca import server-tank.com PEM terminal luckydog
    % Enter PEM-formatted CA certificate.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE-----
    MIIDrTCCAxagAwIBAgIBATANBgkqhkiG9w0BAQQFADCBoDELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRgwFgYDVQQKEw9SdXN0
    ZWQgUm9vdCBJTkMxEDAOBgNVBAsTB1Jvb3QgQ0ExHjAcBgNVBAMTFXJvb3RDQS5y
    dXN0ZWRyb290LmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW4ucnVzdGVkcm9vdC5j
    b20wHhcNMDQwODI4MDQyMDM2WhcNMDUwODI4MDQyMDM2WjCBkzELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpCb3hib3JvdWdoMRYwFAYDVQQKEw1U
    YW5rIERvZyBUb3lzMRQwEgYDVQQLEwtUYW5rIFN0aWNrczEVMBMGA1UEAxMMd3d3
    LnRhbmsuY29tMR0wGwYJKoZIhvcNAQkBFg5hZG1pbi50YW5rLmNvbTCBnzANBgkq
    hkiG9w0BAQEFAAOBjQAwgYkCgYEA65WjIJcEvYynLrWUsPz1H+VM5O8sRMp10BLI
    vSTCWsrWD9rn0Hut9R3Cwc2MmjecDk8avDXxF+vqKLkI41KGLz6yniNcjVfsLi8X
    InXrRL53INAXkC1xbP0jsnz5iJU9aquvh81ak/f2nvKm9p9y8QLGYouDdzoFBHc4
    kE5DNoECAwEAAaOCAQAwgf0wHQYDVR0OBBYEFD1zYK+rk0zEDJ1hRHev7QO9OQhx
    MIHNBgNVHSMEgcUwgcKAFDk1ekYzE8uAEXrt7/J1dSbgAg9ioYGmpIGjMIGgMQsw
    CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJveGJvcm91Z2gxGDAW
    BgNVBAoTD1J1c3RlZCBSb290IElOQzEQMA4GA1UECxMHUm9vdCBDQTEeMBwGA1UE
    AxMVcm9vdENBLnJ1c3RlZHJvb3QuY29tMSMwIQYJKoZIhvcNAQkBFhRhZG1pbi5y
    dXN0ZWRyb290LmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GB
    AKC9izT+RkBQ8lUOK2VsLMYSi7a6uAzJwUwfIezYevl9U1AgQKrO++GvKKaTwfcS
    NerJajut7JZr+JOh4+Ai16Ccz7yZjqZ8/lFmB0dDzJGlib5ASE0eiy/+azp6GFG1
    acYcDdCtNAa3oR6DknNKDWihRQpIF3P/rFsbPb0+t/OD
    -----END CERTIFICATE-----
    quit
    % Enter PEM-formatted encrypted private key.
    % End with "quit" on a line by itself.
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C33CAD1289ACFEFA

    J9YQleEpRFS2otCWKJJUm9N6mul6bvZCyJNe8B/fRxApPVP944SqN1Mjf6ZiDhHN
    GDSyVSxwSmdkqhWdYW9wWy3nbcJ8On005jfvpmlmnMtLRJS95doDF0MhdD59RI2O
    ZzUiR+tyBSdhPGnBYgdNta4z6QaITA1EHOpSfQFe5fRc553l1esySCCMTTSsioZB
    2h8RJ/7dbFbJlHoI7vNX5/Eu0Xa40aVUPa7vWJYcU+NFl05xgO4zQt4JHHKg6O7v
    JSEJGN/L+8WG0UC7jLUMdpupL1LQB4wHMzvU3Ir5pLbZje3KT7DZE3J450rCWR+3
    JhoQLAM44xWgOzcEUe3Fdt7Qn1LEuAXNiRs4oZBXNTP4FtwcOcWvIbMF/yJVeQSm
    sPgTop+NMj+rrf8IX9PjmFNiu9mnruanGs9hkrDjmoeV1685csDT9mSNhKZbWgUs
    M/2RUNXdHSNezSsaMLVG58lLY54fvrd6Q3iPGcCOEsWUirXvqkZjJvaPUUsV/V/q
    Ljn9/900U5lYrgQCX8Qt4k3qFJuzh9jIK4wW8fqPDGc/iDqH6yh3ykSc4OL1xRGr
    0rL6AfViBg4yTCFh4iN3JeGMlfCpn0fQloc0UzBElN/0njnAqR6VvFTTm1gtixFz
    7EqshltIRPT/nZAwOVPmcEFQZ3CaOL0tO9Z5+j9hstj3IIqFhU8CXgUhH3ofuPAE
    gjL6O0U13TydXtNAzR4/jTX5M+6EQrQNNor8RW9zfH/ATA2+Kmr1bfsMn+tQJsop
    1n0HAqSgGIsEUy0RSaw6tuOpn1z/9wQH4x0K/S/LSYIkRUyVFHwXcA==
    -----END RSA PRIVATE KEY-----
    quit
    % Enter PEM-formatted certificate.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE-----
    MIICmzCCAgQCAQEwDQYJKoZIhvcNAQEEBQAwgZMxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJNQTETMBEGA1UEBxMKQm94Ym9yb3VnaDEWMBQGA1UEChMNVGFuayBEb2cg
    VG95czEUMBIGA1UECxMLVGFuayBTdGlja3MxFTATBgNVBAMTDHd3dy50YW5rLmNv
    bTEdMBsGCSqGSIb3DQEJARYOYWRtaW4udGFuay5jb20wHhcNMDQwODI4MDQzNTU2
    WhcNMDUwODI4MDQzNTU2WjCBlzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRMw
    EQYDVQQHEwpCb3hib3JvdWdoMRYwFAYDVQQKEw1UYW5rIERvZyBUb3lzMRgwFgYD
    VQQLEw9UYW5rIENoZXcgU3RpY2sxFTATBgNVBAMTDHd3dy50YW5rLmNvbTEdMBsG
    CSqGSIb3DQEJARYOYWRtaW4udGFuay5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
    MIGJAoGBANSFialDM3AuM82o2ypTtyo1F2hGaqHIuX1NVAcsYepH9qg3MvxwdlWr
    ubCKZPCJFJGLOK9noA1QMdiXKqQPW5EuMXHff+ZeocT41VteTl/eWmPC7x4Ehjxk
    ZVwD+yZo03H3c6EnxFVmEW4kwHZfICq2YklHpROMSozC+M7i6p+NAgMBAAEwDQYJ
    KoZIhvcNAQEEBQADgYEAbRuXwfIUggg51i/6PJmY5qyJO8cOnKoc2tZxtE4Ed4jj
    /Uoh0v8xBJAbTGwD0h/gJCOgmF3/MTJ1HodL2srx9wP6OQcdKBg3YiwEMcj7dSZK
    8awdXCJ/gwmOGc7xJt6cOKDXnHjAvEsHcm8A7GQ2aROvJL3y3ozNeqdxhH3dwH0=
    -----END CERTIFICATE-----
    quit
    % PEM files import succeeded.
Verify
Use these commands to view your certificates and trustpoints:
- ssl-mod#show crypto ca certificates server-tank.com
- ssl-mod#show crypto ca trustpoints server-tank.com
- ssl-mod#show crypto key mypubkey rsa
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
If you run into problems loading the certificates, enable debugging with the debug crypto pki transactions command. The most common cause of a failed server certificate import is a missing CA certificate in the chain (see Prerequisites).
If your private key is not encrypted, you can use openssl rsa -in your-key.PEM -out new-key-des3.PEM -des3 to encrypt it. The command prompts for a passphrase; that passphrase is the one you later give to the crypto ca import command. The key in this document is in the traditional OpenSSL encrypted PEM format (a BEGIN RSA PRIVATE KEY block with Proc-Type and DEK-Info headers). OpenSSL 3.x writes PKCS#8 format by default, so add the -traditional option on those versions to obtain the same layout as shown here. Delete or shred the unencrypted key file once the encrypted copy has been verified.
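The checks below are an added example, not part of the Cisco document and not module code. Before pasting anything into the trustpoints, they verify on a workstation the three things the page relies on: that the private key is encrypted (Prerequisites), that the server certificate chains through the intermediate to the root (the condition under which the page says the import fails), and that the root fingerprint you will be shown at crypto ca authenticate matches the file you hold. It goes one step beyond the page by also confirming that the private key belongs to the server certificate. It assumes only the openssl command-line tool (1.1.1 or later); the example.test host names, file names and the passphrase luckydog (reused from the page) are assumptions for the self-generated test chain.

```shell
#!/bin/sh
# Pre-flight checks for a PEM chain before pasting it into an SSLM trustpoint.
# Added example, not from the Cisco document. Requires the openssl CLI (1.1.1+).
# Host names, file names and the passphrase "luckydog" (taken from the document's
# own example) are assumptions used only for the self-generated test chain.

# Build a throwaway root -> intermediate -> server chain in $1 (constructed test
# data). The server key is encrypted the way the document's troubleshooting step
# does it (openssl rsa ... -des3), so it carries the traditional
# "Proc-Type: 4,ENCRYPTED" header that the module's example shows.
make_test_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' >"$dir/ee.ext"
  # Root CA: CSR self-signed with CA:TRUE
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rootCA.example.test" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root, CA:TRUE
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=intermediate.example.test" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  # Server certificate: signed by the intermediate, end entity
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/server-plain.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ee.ext" -out "$dir/server.pem" 2>/dev/null
  # Encrypt the server key. OpenSSL 3.x writes PKCS#8 unless -traditional is given;
  # 1.1.1 rejects -traditional but already writes the traditional form.
  openssl rsa -in "$dir/server-plain.key" -out "$dir/server.key" -des3 \
    -passout pass:luckydog -traditional 2>/dev/null ||
  openssl rsa -in "$dir/server-plain.key" -out "$dir/server.key" -des3 \
    -passout pass:luckydog 2>/dev/null
}

# Checks the document's prerequisites (encrypted key, complete chain) and, beyond
# the page, that the key actually belongs to the server certificate.
# Returns 0 when the material is ready to paste, 1 otherwise.
preflight_check() {
  root=$1; inter=$2; server=$3; key=$4; pass=$5
  if ! grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
    echo "FAIL: private key is not encrypted (the module requires an encrypted PEM key)" >&2
    return 1
  fi
  # Same path the module walks: the server certificate must chain to the root
  # through the intermediate. A missing intermediate fails here as the import would.
  if ! openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1; then
    echo "FAIL: incomplete or invalid chain for $server" >&2
    return 1
  fi
  # The certificate's public key must equal the public half of the private key.
  certpub=$(openssl x509 -in "$server" -noout -pubkey | openssl dgst -sha256)
  keypub=$(openssl rsa -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl dgst -sha256)
  if [ "$certpub" != "$keypub" ]; then
    echo "FAIL: private key does not match $server (or wrong passphrase)" >&2
    return 1
  fi
  return 0
}

# MD5 fingerprint of a certificate in the 4-byte-group form the module prints at
# "crypto ca authenticate", so it can be compared before answering "yes".
module_style_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -md5 |
    sed 's/^.*=//; s/://g; s/\(........\)/\1 /g; s/ $//'
}

# Stand-alone run ("sh preflight.sh demo"): build a test chain, check it and
# print the root fingerprint to compare against the module's prompt.
demo() {
  d=$(mktemp -d)
  make_test_chain "$d"
  preflight_check "$d/root.pem" "$d/inter.pem" "$d/server.pem" "$d/server.key" luckydog &&
    echo "OK: chain complete, key encrypted and matching the server certificate"
  echo "Root CA fingerprint (compare on the module): $(module_style_fingerprint "$d/root.pem")"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

To check real material, call preflight_check with your own root, intermediate and server PEM files, the encrypted key and its passphrase; the fingerprint function is what you compare against the Fingerprint line in step 2 before accepting the root certificate.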
Related Information
Updated: Nov 30, 2005
