Importing the Embedded Test Certificate



A test PKCS12 file (testssl.p12) is embedded in the WebVPN software on the module. You can install the file into the Flash memory for testing purposes and for proof of concept. After the PKCS12 file is installed, you can import it to a trustpoint, and then assign it to a WebVPN gateway that is configured for testing.

To install and import the test file, perform this task:

 
Step 1
Command: webvpn# test webvpn platform certificate install
Purpose: Installs the test PKCS12 file to NVRAM.

Step 2
Command: webvpn# configure terminal
Purpose: Enters configuration mode, selecting the terminal option.

Step 3
Command: webvpn(config)# crypto ca import trustpoint_label pkcs12 flash:testssl.p12 passphrase
Purpose: Imports the test PKCS12 file to the module.
Note: For the test certificate, the passphrase is cisco.

Step 4
Command: webvpn(config)# ssl-proxy service test_service
Purpose: Defines the name of the test proxy service.

Step 5
Command: webvpn(config-ssl-proxy)# certificate rsa general-purpose trustpoint trustpoint_label
Purpose: Applies a trustpoint configuration to the proxy server.

Step 6
Command: webvpn# show ssl-proxy stats test_service
Purpose: Displays test statistics information.

This example shows how to import the test PKCS12 file:

webvpn# test webvpn platform certificate install
% Opening file, please wait ...
% Writing, please wait ...
% Please use the following config command to import the file.
  "crypto ca import <trustpoint-name> pkcs12 flash:testssl.p12 cisco"
% Then you can assign the trustpoint to a WebVPN gateway for testing. 

*May 5 20:15:57.831: %WEBVPN-6-PKI_TEST_CERT_INSTALL: Test key and certificate was 
installed into Flash in a PKCS#12 file.
webvpn# 
webvpn# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
webvpn(config)# crypto ca import test123 pkcs12 flash:testssl.p12 cisco
Source filename [testssl.p12]? 
% You already have RSA keys named test123.
% If you replace them, all router certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.
webvpn(config)#
*May 5 20:16:25.883: %PKI-6-PKCS12IMPORT_SUCCESS: PKCS #12 Successfully Imported.
webvpn(config)# webvpn gateway test123
webvpn(config-webvpn-gateway)# ip address 2.100.100.77
webvpn(config-webvpn-gateway)# ssl trustpoint test123
*May 5 20:16:43.683: %WEBVPN-6-PKI_SERVICE_CERT_INSTALL: Proxy: test123, Trustpoint:
test123, Key: test123, Serial#: 01, Index: 10
*May 5 20:16:43.683: %WEBVPN-6-PKI_CA_CERT_INSTALL: Root, Subject Name:
cn=testca.cisco.com,ou=Security,o=Cisco Systems Inc,l=San Jose,st=California,c=US, 
Serial#: 00, Index: 11
webvpn(config-webvpn-gateway)# inservice 
webvpn(config-webvpn-gateway)# exit
webvpn(config)#
*May 5 20:16:46.159: %SSLVPN-5-UPDOWN: sslvpn gateway : test123 changed state to UP
webvpn# show webvpn gateway test123
Admin Status: up
Operation Status: up
IP: 2.100.100.77, port: 443 
TCP Policy not configured
SSL Policy not configured
SSL Trustpoint: test123
  Certificate chain for new connections:
    Certificate:
       Key Label: test123, 1024-bit, not exportable
       Key Timestamp: 20:16:25 UTC May 5 2005
       Serial Number: 01
    Root CA Certificate:
       Serial Number: 00
  rsa-general-purpose certificate
  Certificate chain complete 
webvpn#
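Because testssl.p12 is embedded in the software and its passphrase is published in this procedure, a gateway that comes up serving this certificate should be flagged anywhere outside a lab. The following is an added example, not part of the original Cisco document: it scans syslog text for the messages shown in the session above and reports when a gateway goes UP with a chain rooted at the test CA. The function name, the finding labels, and the pairing rules (each CA line belongs to the preceding service-certificate line; the gateway name equals the proxy name) are assumptions taken from the sample output; the sample log is constructed from the lines above with wrapped lines rejoined.

```python
import re

# Constructed sample: syslog lines from the session above, wrapped lines rejoined.
SAMPLE_LOG = """\
*May 5 20:15:57.831: %WEBVPN-6-PKI_TEST_CERT_INSTALL: Test key and certificate was installed into Flash in a PKCS#12 file.
*May 5 20:16:25.883: %PKI-6-PKCS12IMPORT_SUCCESS: PKCS #12 Successfully Imported.
*May 5 20:16:43.683: %WEBVPN-6-PKI_SERVICE_CERT_INSTALL: Proxy: test123, Trustpoint: test123, Key: test123, Serial#: 01, Index: 10
*May 5 20:16:43.683: %WEBVPN-6-PKI_CA_CERT_INSTALL: Root, Subject Name: cn=testca.cisco.com,ou=Security,o=Cisco Systems Inc,l=San Jose,st=California,c=US, Serial#: 00, Index: 11
*May 5 20:16:46.159: %SSLVPN-5-UPDOWN: sslvpn gateway : test123 changed state to UP
"""

TEST_CA_CN = "cn=testca.cisco.com"  # root CA subject shown in the session above
MSG = re.compile(r"%[A-Z0-9_]+-\d-(?P<mn>[A-Z0-9_]+): (?P<text>.*)")
SERVICE = re.compile(r"Proxy: (?P<proxy>[^,]+), Trustpoint: (?P<tp>[^,]+)")
UPDOWN = re.compile(r"gateway\s*:\s*(?P<gw>\S+) changed state to (?P<state>UP|DOWN)")

def find_test_cert_exposure(log_text):
    """Return (finding, gateway) tuples in the order they appear in the log."""
    findings, tainted, pending = [], set(), None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        mn, text = m["mn"], m["text"]
        if mn == "PKI_TEST_CERT_INSTALL":
            findings.append(("test_pkcs12_installed", None))
        elif mn == "PKI_SERVICE_CERT_INSTALL":
            s = SERVICE.search(text)
            pending = s["proxy"] if s else None
        elif mn == "PKI_CA_CERT_INSTALL":
            # Assumption: this CA line describes the chain of the pending proxy.
            if pending and TEST_CA_CN in text.lower():
                tainted.add(pending)
                findings.append(("test_ca_chain", pending))
            pending = None
        elif mn == "UPDOWN":
            u = UPDOWN.search(text)
            if u and u["state"] == "UP" and u["gw"] in tainted:
                findings.append(("gateway_up_with_test_cert", u["gw"]))
    return findings

if __name__ == "__main__":
    for finding in find_test_cert_exposure(SAMPLE_LOG):
        print(finding)
```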