Router# conf t
Router(config)# crypto pki trustpoint thawte.com
Router(ca-trustpoint)# enroll terminal
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# fqdn hostname.domain.com
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# subject-name CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# end
Router# wr mem
http://mickvaites.com/2009/06/creating-a-thawte-csr-and-then-installing-the-ssl-certificate-on-cisco-ios/
Configure Certificate
crypto pki trustpoint local
enrollment selfsigned
revocation-check crl
rsakeypair my_key 1024 1024
!Generate Certificate and turn on HTTPS Service
crypto pki enroll local
ip http secure-server
======================================
router(config)#crypto pki trustpoint cacert.org
router(ca-trustpoint)#enrollment terminal pem
router(ca-trustpoint)#fqdn [FQDN.MYROUTER.ME]
router(ca-trustpoint)#subject-name C=[COUNTRY], ST=[STATE], O=[DOMAIN], OU=[MY ROLE], CN=[FQDN.MYROUTER.ME]/emailAddress=[MY EMAIL ADDRESS]
router(ca-trustpoint)#revocation-check none
router(ca-trustpoint)#rsakeypair [FQDN.MYROUTER.ME] 2048
Then create some RSA keys. First start by wiping any old keys you have, so that you are starting on a clean slate:
router(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]:
Choose yes. If you have a reason to keep an RSA key that is already on the router, you may wish to skip this step.
Now create the keys:
router(config)#crypto key generate rsa general-keys label [FQDN.MYROUTER.ME] export modulus 2048
Marking the key pair exportable is useful if you can keep the exported copy secure: it means you can keep using the same key if the router is replaced or its hardware is corrupted or wiped.
The next step is to import the trustpoint root certificate. In my case I use www.cacert.org, and I can find their root certificate on their homepage.
crypto pki authenticate cacert.org
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5:
Fingerprint SHA1:
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Your trustpoint is now set up.
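The fingerprints IOS prints at the "Do you accept this certificate?" prompt are the only thing standing between you and trusting a CA certificate that was swapped on the way to your terminal, so they are worth checking against the values the CA publishes. The script below is an added example, not part of the original notes or of any Cisco tooling: it extracts the DER from a pasted PEM block, computes MD5, SHA1 and SHA256 fingerprints with only the Python standard library, and compares them to a published value regardless of how the hex is grouped or cased (IOS and OpenSSL format fingerprints differently). The sample PEM is constructed, its payload decodes to the bytes "abc" and it is not a real certificate.

```python
# Added example (not from the original notes): compute the fingerprints of a
# PEM-encoded CA certificate offline so they can be compared with the values
# IOS prints at "% Do you accept this certificate?" before answering yes.
# Standard library only.
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text.

    Whitespace and line breaks inside the block are ignored, which is also
    how the IOS terminal importer treats pasted base64.
    """
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    b64 = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(b64, validate=True)


def fingerprints(der: bytes) -> dict:
    """Fingerprints of the DER encoding as colon-separated upper-case hex."""
    out = {}
    for name, fn in (("MD5", hashlib.md5),
                     ("SHA1", hashlib.sha1),
                     ("SHA256", hashlib.sha256)):
        digest = fn(der).hexdigest().upper()
        out[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


def normalize_fingerprint(text: str) -> str:
    """Drop separators and case so fingerprints from any source compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(expected: str, actual: str) -> bool:
    """True only when both sides are non-empty and equal after normalisation."""
    exp, act = normalize_fingerprint(expected), normalize_fingerprint(actual)
    return bool(exp) and exp == act


# Constructed sample (assumption, NOT a real certificate): the base64 payload
# "YWJj" decodes to the bytes b"abc". It stands in for the CA PEM you paste.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name, value in fingerprints(der).items():
        print(f"Fingerprint {name}: {value}")
```

Run it against the CA's published PEM on a workstation you trust, then compare the printed values with what the router shows before typing yes; fingerprint_matches() lets you paste the CA's published string as-is, whether it uses colons, spaces or no separators.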
Next step is to create a CSR (certificate signing request):
router(config)#crypto pki enroll cacert.org
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=router.reub.net
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIBgDCB6gIBADAPMQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
[snip]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
router(config)#
This CSR is what you submit to your CA. They sign it and return a signed certificate to you, which you then enter like this:
router(config)#crypto pki import cacert.org certificate
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
% Router Certificate successfully imported
test-router(config)#
You should now be set to go.
I suggest you back up your public and private keys, and your certificate CSR and signed certificate, in case you ever need to reload them:
router(config)#crypto key export rsa
and
router(config)#crypto pki export
Other useful commands are:
router#show crypto pki certificates
router#show crypto key mypubkey rsa
Useful links:
http://www.cisco.com/en/US/partner/products/ps6635/products_white_paper0900aecd8029d630.shtml