Using Microsoft Windows Certificate Authority (CA) Certificates on Cisco IOS

IT Security Lock

I couldn’t find a guide that combined all of the necessary steps, so this is one. It assumes you already have SSH, telnet or console access to your router and a working Windows Certificate Authority (Active Directory Certificate Services with the web enrollment pages installed). I used Windows Server 2008 R2, but 2003, 2003 R2 or 2008 should work as well. Heads up: on older IOS releases the "crypto pki" keyword is "crypto ca", so substitute accordingly in every command below.

1. Create a 2048-bit RSA key pair.

Router(config)#crypto key generate rsa general-keys label keypairname modulus 2048
! Generates a 2048-bit RSA key pair. "keypairname" is the label the trustpoint
! refers to in the next step; 1024-bit keys are no longer acceptable for a public-facing service.

2. Create a trustpoint. A trustpoint represents a trusted CA.

Router(config)#crypto pki trustpoint ms-ca-name
! Creates the trustpoint. The name is local to the router; pick something meaningful.
Router(config-pki-trustpoint)#enrollment terminal
! Specifies cut-and-paste enrollment through the terminal for this trustpoint.
Router(config-pki-trustpoint)#subject-name CN=<router-fqdn>,OU=SSLVPN,O=My Company Name,C=US,ST=Florida
! Defines the X.500 distinguished name. <router-fqdn> is a placeholder: use the
! DNS name clients will connect to, otherwise browsers and AnyConnect will reject the certificate.
Router(config-pki-trustpoint)#subject-alt-name <router-fqdn>
! Specifies the subject alternative name (DNS:); use the same FQDN as the CN.
Router(config-pki-trustpoint)#rsakeypair keypairname
! Specifies the key pair generated previously.

3. Create a CSR (PKCS#10 certificate signing request) to submit to the Microsoft CA.

Router(config)#crypto pki enroll ms-ca-name
% Start certificate enrollment ..
% The subject name in the certificate will include:
% The subject name in the certificate will include:
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
! Displays the PKCS#10 enrollment request on the terminal.
! Copy everything between the two marker lines below from the terminal into a text
! file or the web form; that is what you submit to the CA.
Certificate Request follows:
! (The Base64-encoded PKCS#10 request is printed here.)
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no

4. Go to your Microsoft CA’s web Certificate Services (https://yourserver/certsrv). Use the web pages rather than the Certification Authority MMC snap-in: if you submit the request through the snap-in you get error 0x80094801 (CERTSRV_E_NO_CERT_TYPE, "Denied by Policy Module"), because the router’s request contains no Certificate Template attribute, so the CA does not know what kind of certificate you want. The web form adds that attribute for you. (The command-line alternative is certreq -submit -attrib "CertificateTemplate:WebServer" router.csr on the CA or any domain-joined machine, which supplies the same attribute.)

Open your browser and go to https://yourserver/certsrv/certcarc.asp (the "Download a CA Certificate, Certificate Chain, or CRL" page).

Download the CA certificate itself, not the certificate chain (the chain is a PKCS #7 .p7b file, which the router will not accept in step 6), with the encoding set to Base 64, and rename the file to something that identifies it as the root certificate. If your issuing CA is a subordinate CA, note that the router will also need the root CA’s certificate to build a complete chain.

5. Submit the CSR and get the signed certificate.

Head over to https://yourserver/certsrv/certrqxt.asp (the advanced "Submit a Certificate Request" page), paste your certificate request into the box, select "Web Server" from the Certificate Template list and press Submit. The Web Server template must be published on the CA and your account needs Enroll permission on it; if the CA requires manager approval, the request will sit pending until it is issued from the Certification Authority console. When you get a result, download the certificate as a Base 64 certificate.

6. Install (authenticate) the root certificate.

This is the step that decides what your router trusts, so before answering yes, compare the fingerprint the router prints with the CA certificate’s thumbprint obtained out of band: the Thumbprint field on the certificate’s Details tab on the CA server, or certutil -dump on the downloaded .cer file (both are SHA1 over the DER encoding, which is what IOS hashes). Compare the SHA1 line, not the MD5 one. If they differ, type no and find out why; do not just retry.

Router(config)#crypto pki authenticate ms-ca-name
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
Certificate has the following attributes:
Fingerprint MD5: D5DF85B7 9A5287D1 8CD50F90 232DB534
Fingerprint SHA1: 7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

7. Almost there; now install your router’s new certificate.

Router(config)#crypto pki import ms-ca-name certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
! Paste the Base 64 router certificate downloaded in step 5. The import fails if the
! certificate was not signed by the CA authenticated in step 6 or does not match the key pair.
% Router Certificate successfully imported
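The fingerprint comparison in step 6 is easy to skip, so here is an added example (not part of the original guide, and not Cisco or Microsoft code) of doing it properly: a standard-library-only Python 3 script that takes the Base 64 CA certificate downloaded in step 4, hashes its DER encoding the way IOS does, prints the MD5 and SHA1 fingerprints in the router’s 8-digit-group format, and compares them with the string copied from the router prompt. It also rejects a PKCS #7 chain file and a truncated paste (the two most common ways the paste in step 6 goes wrong). The PEM it runs on by default is a constructed placeholder DER SEQUENCE, not a real certificate; in practice you point it at the real .cer file.

```python
"""Check an IOS 'crypto pki authenticate' fingerprint prompt against a CA cert file.

Added example for this guide (not Cisco or Microsoft code). Standard library only.
IOS hashes the DER encoding of the certificate and prints MD5/SHA1 in 8-hex-digit
groups, e.g. "7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44".
"""
import base64
import hashlib
import re
import sys


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour (plus a UTF-8 BOM / CRLF line endings as written by Windows)
    and return the DER bytes. Refuses anything that is not a single X.509 certificate,
    e.g. the PKCS #7 chain (.p7b) that certsrv also offers."""
    body = []
    for raw in pem_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----BEGIN "):
            if line != "-----BEGIN CERTIFICATE-----":
                raise ValueError(f"expected a single X.509 certificate, got {line}")
            continue
        if line.startswith("-----END "):
            continue
        body.append(line)
    if not body:
        raise ValueError("no Base64 body found between the PEM markers")
    return base64.b64decode("".join(body), validate=True)


def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header's declared length matches the byte count.
    A paste that lost its last lines (IOS ends input at the first blank line) fails this."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        header, length = 2, first
    else:                                        # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def _ios_format(hex_digest: str) -> str:
    h = hex_digest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def _normalize(fingerprint: str) -> str:
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def ios_fingerprints(pem_text: str) -> dict:
    """MD5 and SHA1 fingerprints over the DER, formatted the way IOS prints them."""
    der = pem_to_der(pem_text)
    if not der_length_ok(der):
        raise ValueError("DER length mismatch: the certificate looks truncated or corrupted")
    return {
        "MD5": _ios_format(hashlib.md5(der).hexdigest()),
        "SHA1": _ios_format(hashlib.sha1(der).hexdigest()),
    }


def fingerprint_matches(pem_text: str, shown: str) -> bool:
    """Compare a fingerprint copied from the router prompt (any spacing, colons or case)
    with the one computed from the file. Check the SHA1 line; MD5 is not collision
    resistant and is only printed for compatibility."""
    want = _normalize(shown)
    fps = ios_fingerprints(pem_text)
    if len(want) == 40:
        return want == _normalize(fps["SHA1"])
    if len(want) == 32:
        return want == _normalize(fps["MD5"])
    return False


# Constructed placeholder: a DER SEQUENCE containing INTEGER 1, *not* a real certificate.
CONSTRUCTED_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(CONSTRUCTED_DER).decode("ascii")
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    # Usage: python check_ca_fp.py ms-root.cer "7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44"
    if len(sys.argv) == 3:
        text = open(sys.argv[1], encoding="utf-8-sig").read()
        ok = fingerprint_matches(text, sys.argv[2])
        print("MATCH" if ok else "MISMATCH - do not answer yes", ios_fingerprints(text))
        sys.exit(0 if ok else 1)
    print(ios_fingerprints(SAMPLE_PEM))
```

Run it on a machine you trust (ideally the CA server itself) with the .cer file and the SHA1 line from the router prompt; a non-zero exit status means the router is being offered a certificate that is not the one you downloaded, and the correct answer to "Do you accept this certificate?" is no.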

8. Verify the certificate.

Router#show crypto pki certificates
! Both the router certificate and the CA certificate should be listed under the trustpoint
! with Status: Available. Check that the issuer matches your CA and that the subject name
! and alternative name carry the FQDN you configured in step 2.

9. If nothing went wrong you now have the certificate installed. Make sure the router’s hostname and DNS entry match the FQDN in the certificate, then point services at the trustpoint, for example the Cisco AnyConnect SSL VPN gateway (ssl trustpoint ms-ca-name under webvpn gateway).


Thanks to and for helping me find the information that I combined to make this happen. Thanks guys for posting your exploits!