Wednesday, May 18, 2011

Setup SSL Certificate on Cisco 3000 Series VPN Concentrator

In this case we went with an SSL certificate from GoDaddy.com because of price. The complication was that the CSR (Certificate Signing Request) was not generated on the Cisco VPN Concentrator itself. In retrospect, that was probably the only way to do it properly, because there doesn't seem to be a way to export the private key from the Cisco. That would have been a problem for us, because we purchased a wildcard SSL certificate (*.domain.tld) that can be installed on any number of servers in our domain and secures any host within it; a private key that can never leave the concentrator cannot be reused on those other servers.
Required Resources: The following software was used to complete this project:
Resolution: These are the general steps necessary to set this up, and should work for most major Certificate Authorities (CAs):
  1. Certificate Signing Request (CSR) generated on the IIS server. The CSR contains the public key being submitted for signing; the private key stays on the server.
  2. CSR submitted to the Certificate Authority (CA). They issue the SSL certificate and provide it along with their root CA certificate and intermediate certificate.
  3. The root CA certificate and the intermediate certificate are installed as CA certificates on the Cisco VPN 3000 Concentrator.
  4. Here's the tricky part. The Cisco Concentrator expects the import as one pasted block containing the private key in (encrypted) PKCS#8 format, followed by the SSL certificate.
  5. I exported the private key and certificate from the IIS server using the Windows Certificate Export Wizard, choosing to export the private key, leaving strong private key protection off, and setting a password.
  6. This produces a password-protected PKCS#12 (.pfx) file.
  7. At the unix command line (I used CYGWIN), I used OpenSSL (thanks to this site for OpenSSL basics) to first convert the PKCS#12 file to plain PEM format:
    openssl pkcs12 -in CERTIFICATE_NAME.pfx -out CERTIFICATE_NAME.pem
    The command prompts for the password used when exporting from the IIS server, then asks for a new password with which to encrypt the key in the output file.
  8. I then converted the PEM key to PKCS#8 format for the Cisco:
    openssl pkcs8 -in CERTIFICATE_NAME.pem -topk8 -out CERTIFICATE_NAME.pk8
    Again the command prompts for the 'new password' from the previous step, then asks for yet another new password. This final password is what protects the key you will paste into the concentrator, so keep it.
  9. Back on the Cisco Concentrator, import an SSL certificate manually, with private key, for the Private interface, using the 'copy and paste' method.
  10. One other issue: our CA uses an 'intermediate certificate', which creates a 'chain' of three trusted certificates: ours, the 'intermediate' CA and the 'root' CA.
  11. In a text editor, open both the CERTIFICATE_NAME.pk8 private key file you generated and the CERTIFICATE_NAME.cer SSL certificate file provided to you by the CA.
  12. Copy and paste the private key into the text box on the concentrator.
  13. Then, immediately after it, copy and paste the SSL certificate. Avoid any excess spaces or blank lines.
  14. Then copy and paste the issuing (intermediate) certificate after the SSL certificate.
  15. Finally, copy and paste the root certificate at the end.
  16. The whole thing should look something like this:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIICiyuqweiSDuryiGquweryiDFuqweyGrqour
    9bgt3ouiiDnmbweFmnriorGuweioruu8u=
    -----END ENCRYPTED PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEZkjasdlkDFajljkFyasdf8kGlyysfklysk
    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEQkjasdlkDFajljkFyasdf8kGlyysfklysk
    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIC5jasdlkDFajljkFyasdf8kGlyysfklysk
    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
  17. Enter the same sequence of data again for the Public interface.
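The conversion and assembly in steps 7 through 15 can be scripted and, more usefully, checked before anything is pasted into a device that gives little feedback on a bad import. The script below is an added example, not code from the original post: it runs the same two OpenSSL commands, then confirms that the key really belongs to the CA-issued certificate and that the certificate verifies through the intermediate to the root, and only then writes the key, certificate, intermediate and root out as one block with no blank lines, CRLFs or "Bag Attributes" text between them. The function names make_concentrator_bundle and pem_blocks, the environment variables PFX_PASS (the Windows export password) and KEY_PASS (the passphrase on the PKCS#8 key), and the assumption that the CA files are PEM and that OpenSSL 1.1.1 or newer is on the PATH are all mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL 1.1.1 or 3.x,
# PEM-format CA files, and two exported variables:
#   PFX_PASS  password set in the Windows Certificate Export Wizard
#   KEY_PASS  passphrase that will protect the PKCS#8 key pasted into the Cisco

# Print only the -----BEGIN/-----END blocks of a PEM file, dropping CRLFs,
# "Bag Attributes" headers and blank lines, all of which the paste box rejects.
pem_blocks() {
    tr -d '\r' < "$1" | sed -n '/^-----BEGIN /,/^-----END /p' | grep -v '^[[:space:]]*$'
}

# make_concentrator_bundle PFX CERT INTERMEDIATE ROOT OUTFILE
make_concentrator_bundle() {
    mcb_pfx=$1 mcb_cert=$2 mcb_inter=$3 mcb_root=$4 mcb_out=$5
    : "${PFX_PASS:?export PFX_PASS (PFX export password)}"
    : "${KEY_PASS:?export KEY_PASS (passphrase for the PKCS#8 key)}"
    export PFX_PASS KEY_PASS
    mcb_tmp=$(mktemp -d) || return 1

    # Step 7: PKCS#12 -> PEM. -nocerts keeps only the key; the certificate is
    # taken from the CA-issued file instead. env: keeps passwords out of argv.
    openssl pkcs12 -in "$mcb_pfx" -nocerts -passin env:PFX_PASS \
        -passout env:KEY_PASS -out "$mcb_tmp/key.pem" || return 1

    # Step 8: re-encode as encrypted PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
    # Newer OpenSSL already writes PKCS#8 in step 7; pkcs8 accepts either.
    openssl pkcs8 -topk8 -in "$mcb_tmp/key.pem" -passin env:KEY_PASS \
        -passout env:KEY_PASS -out "$mcb_tmp/key.pk8" || return 1

    # Check 1: the key must belong to the certificate (identical public key).
    openssl x509 -in "$mcb_cert" -noout -pubkey > "$mcb_tmp/cert.pub" || return 1
    openssl pkey -in "$mcb_tmp/key.pk8" -passin env:KEY_PASS -pubout \
        > "$mcb_tmp/key.pub" || return 1
    if ! cmp -s "$mcb_tmp/cert.pub" "$mcb_tmp/key.pub"; then
        echo "private key in $mcb_pfx does not match $mcb_cert" >&2
        return 1
    fi

    # Check 2: the chain cert -> intermediate -> root must verify.
    openssl verify -CAfile "$mcb_root" -untrusted "$mcb_inter" "$mcb_cert" \
        > /dev/null || return 1

    # Steps 12-15: key, server cert, intermediate, root, nothing in between.
    {
        pem_blocks "$mcb_tmp/key.pk8"
        pem_blocks "$mcb_cert"
        pem_blocks "$mcb_inter"
        pem_blocks "$mcb_root"
    } > "$mcb_out"
    rm -rf "$mcb_tmp"
}
```

Run it as `export PFX_PASS=... KEY_PASS=...; make_concentrator_bundle CERTIFICATE_NAME.pfx CERTIFICATE_NAME.cer intermediate.crt root.crt bundle.pem` and paste bundle.pem into the concentrator's text box; KEY_PASS is the passphrase the device will need to decrypt the key. Two version caveats: OpenSSL 3 rejects the RC2/40-bit encryption Windows uses inside older PFX exports unless `-legacy` is added to the `openssl pkcs12` command, and a device of this age may not understand the PBES2/AES encryption that `openssl pkcs8` now uses by default, in which case `-v1 PBE-SHA1-3DES` on the pkcs8 command selects the older scheme.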
