I want to demonstrate three scenarios:
- A: Where we need to generate a self-signed certificate
The following command generates a new 2048-bit RSA key pair, labelled so a trustpoint can refer to it:
crypto key generate rsa label ssl-vpn-key modulus 2048
We should then create a 'trustpoint' (a container that ties a key pair to its certificate and to the CA certificate it chains to):
crypto ca trustpoint localtrust
And then set the enrollment method; 'self' means the ASA signs its own certificate:
enrollment self
Specify the FQDN:
fqdn mysslvpn.test.internal
Specify the subject:
subject-name CN=mysslvpn.test.internal
Specify the private key:
keypair ssl-vpn-key
Enroll the trustpoint:
crypto ca enroll localtrust
and finally bind the trustpoint to the outside interface, so the SSL VPN presents this certificate:
ssl trust-point localtrust outside
To review which trustpoint is bound to each interface we can issue (show crypto ca certificates will show the certificate contents themselves):
show ssl
- B: Where we need to apply a certificate from a public CA (or an internal CA such as Active Directory Certificate Services)
The following command generates a new 2048-bit RSA key pair, labelled so a trustpoint can refer to it:
crypto key generate rsa label ssl-vpn-key modulus 2048
We should then create a 'trustpoint' (a container that ties a key pair to its certificate and to the CA certificate it chains to):
crypto ca trustpoint publictrust
And then set the enrollment method (terminal, so the CSR is printed to the console for us to copy):
enrollment terminal
Specify the FQDN:
fqdn mysslvpn.mydomain.com
Specify the subject:
subject-name CN=mysslvpn.mydomain.com
Specify the private key:
keypair ssl-vpn-key
Enroll the trustpoint:
crypto ca enroll publictrust
This prints the CSR to the terminal (between the BEGIN and END CERTIFICATE REQUEST lines); copy the whole block and submit it to the CA's portal.
Once the CA has issued the certificate, we also need the root and intermediate certificates, all in Base64 (PEM) form. The ASA accepts one certificate per 'crypto ca authenticate', so paste the certificate of the CA that actually signed our identity certificate (the issuing intermediate) into this trustpoint, and give any CA above it a trustpoint of its own, authenticated the same way:
crypto ca authenticate publictrust
Then import the identity certificate itself (note that this is 'import', not 'authenticate'):
crypto ca import publictrust certificate
(again Base64; the ASA reads the pasted certificate until a line containing only 'quit')
Bind the trustpoint to the interface with the same ssl trust-point command used in scenario A (substituting publictrust), otherwise the ASA keeps presenting the old certificate. To review the binding we can issue:
show ssl
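The CA-side checks for scenario B, as an added example that is not part of the original post and is not ASA code. Everything in it is constructed so it runs offline with only the openssl CLI: a throwaway root plus issuing CA stands in for the public CA, a locally generated key and CSR stand in for what crypto ca enroll publictrust prints on the ASA, and the file names, the toy CA names and the $WORK directory are all assumptions. It shows the things worth confirming before pasting anything into the device: that the issued certificate really carries the public key from the CSR, that a DER .cer download is converted to Base64/PEM, how many CA certificates the bundle holds (one crypto ca authenticate each) and that the chain validates back to the root.

```sh
#!/bin/sh
# Added example, not from the original post and not ASA code: the CA-side
# checks for scenario B, runnable offline with only the openssl CLI.
# Everything is constructed: a throwaway root + issuing CA stands in for the
# public CA, and a local key + CSR stands in for the output of
# "crypto ca enroll publictrust" on the ASA. File names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="mysslvpn.mydomain.com"        # same subject as the trustpoint on the page
CFG="$WORK/ext.cnf"

# Extension profiles for the toy CAs and for the VPN identity certificate.
cat > "$CFG" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

# Constructed stand-in for the public CA: a root and one issuing (intermediate) CA.
make_toy_ca() {
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -out "$WORK/root.pem" -days 3650 \
    -config "$CFG" -extensions ca_ext -subj "/CN=Toy Root CA" 2>/dev/null
  openssl genrsa -out "$WORK/inter.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/inter.key" -out "$WORK/inter.csr" \
    -config "$CFG" -subj "/CN=Toy Issuing CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -out "$WORK/inter.pem" \
    -extfile "$CFG" -extensions ca_ext 2>/dev/null
  # What a CA portal typically hands back: one PEM bundle, issuing CA first, root last.
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Stand-in for the ASA: the key stays on the device, the CSR is what gets copied out.
make_asa_csr() {
  openssl genrsa -out "$WORK/asa.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/asa.key" -out "$WORK/asa.csr" \
    -config "$CFG" -subj "/CN=$FQDN" 2>/dev/null
}

# Stand-in for the CA signing the CSR pasted into its portal.
sign_csr() {
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 397 -out "$WORK/asa.pem" \
    -extfile "$CFG" -extensions leaf_ext 2>/dev/null
}

# ---- The checks worth running before pasting anything into the ASA ----

# "crypto ca authenticate" / "crypto ca import ... certificate" take Base64 (PEM).
# Portals often hand out DER .cer files; accept either and emit PEM.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"
  else openssl x509 -inform der -in "$1"; fi
}

# How many CA certificates the bundle holds: each needs its own trustpoint and
# "crypto ca authenticate", since the ASA takes one certificate per paste.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Split a bundle into ca-1.pem, ca-2.pem, ... so each can be pasted separately.
split_bundle() {
  awk -v dir="$2" '/BEGIN CERTIFICATE/{n++} {print > (dir "/ca-" n ".pem")}' "$1"
}

# Does the issued certificate carry the public key from our CSR? Comparing
# SubjectPublicKeyInfo hashes catches "wrong cert downloaded from the portal"
# before the ASA rejects the import for not matching the trustpoint keypair.
pubkey_matches() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  b=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256 | awk '{print $NF}')
  [ "$a" = "$b" ] && echo match || echo mismatch
}

# Does the chain validate? The root is the trust anchor; intermediates go in
# -untrusted so openssl must actually chain them back to the root.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

main() {
  make_toy_ca; make_asa_csr; sign_csr
  # Simulate a DER .cer download and normalise it to PEM for the ASA.
  openssl x509 -in "$WORK/asa.pem" -outform der -out "$WORK/asa.cer"
  to_pem "$WORK/asa.cer" > "$WORK/asa-b64.pem"
  split_bundle "$WORK/chain.pem" "$WORK"
  echo "CA certificates in bundle: $(count_certs "$WORK/chain.pem")"
  echo "issued cert matches CSR key: $(pubkey_matches "$WORK/asa.key" "$WORK/asa-b64.pem")"
  if verify_chain "$WORK/root.pem" "$WORK/inter.pem" "$WORK/asa-b64.pem"; then
    echo "chain: OK"; else echo "chain: FAILED"; fi
  for f in "$WORK"/ca-*.pem; do openssl x509 -in "$f" -noout -subject -issuer; done
}
main
```

With a real CA, replace the constructed pieces with the downloaded files: the CSR check and chain validation are the same commands, and the split bundle tells you directly how many trustpoints to create (ca-1.pem goes into publictrust, each further one into its own trustpoint).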
** Import a CA root certificate:
Backing up / exporting SSL certificates:
We can export a trustpoint as a PKCS#12 bundle (the private key together with the identity certificate and any CA certificates held in the trustpoint, protected only by the passphrase given on the command line, so choose a real one) using something like:
crypto ca export publictrust pkcs12 NotAStrongPassword
The ASA prints the bundle to the terminal as Base64; the same blob can be restored on another ASA with crypto ca import <trustpoint> pkcs12 <passphrase>.
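What to do with that export off the box, as an added example that is not part of the original post and is not ASA code. It assumes the device prints a -----BEGIN PKCS12----- / -----END PKCS12----- block wrapping Base64 of a DER PKCS#12 file; since no ASA is available offline, the export itself is constructed with openssl from a throwaway self-signed identity, and the file names, the $WORK directory and the trustpoint-named friendly name are assumptions. It decodes the pasted output back into a usable .p12, shows that the passphrase is the only thing standing between the blob and the private key, and extracts the key and certificate as separate PEM files.

```sh
#!/bin/sh
# Added example, not from the original post and not ASA code: what to do with
# the blob that "crypto ca export publictrust pkcs12 <passphrase>" prints.
# Assumed format: a "-----BEGIN PKCS12-----"/"-----END PKCS12-----" block
# wrapping Base64 of a DER PKCS#12 file. No ASA is needed: the export is
# constructed with openssl from a throwaway self-signed identity.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="NotAStrongPassword"   # the page's passphrase; it is all that protects the key

# Constructed stand-in for the trustpoint's private key + identity certificate,
# wrapped the way the ASA prints it on the terminal.
make_export() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mysslvpn.mydomain.com" \
    -keyout "$WORK/tp.key" -out "$WORK/tp.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/tp.key" -in "$WORK/tp.pem" \
    -name publictrust -passout "pass:$PASS" -out "$WORK/tp.p12"
  { echo "-----BEGIN PKCS12-----"; openssl base64 -in "$WORK/tp.p12"; echo "-----END PKCS12-----"; } \
    > "$WORK/asa-export.txt"
}

# Paste the terminal output into a file, then turn it back into a real .p12.
decode_export() {
  sed '/^-----/d' "$1" | openssl base64 -d > "$2"
}

# Does this passphrase open the bundle? Prints yes/no (the MAC check fails otherwise).
p12_opens_with() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Subject line of the identity certificate inside the bundle.
p12_identity_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Pull the key and certificate out as separate PEM files, e.g. to move the
# identity to a non-Cisco device. The key lands on disk unencrypted (-nodes),
# so restrict permissions before it is written.
p12_extract() {
  umask 077
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$4" 2>/dev/null
}

main() {
  make_export
  decode_export "$WORK/asa-export.txt" "$WORK/restored.p12"
  echo "opens with the right passphrase: $(p12_opens_with "$WORK/restored.p12" "$PASS")"
  echo "opens with a wrong passphrase:   $(p12_opens_with "$WORK/restored.p12" "wrong")"
  echo "identity: $(p12_identity_subject "$WORK/restored.p12" "$PASS")"
  p12_extract "$WORK/restored.p12" "$PASS" "$WORK/restored.key" "$WORK/restored.pem"
  ls -l "$WORK/restored.key"
}
main
```

Treat the export text like the private key it contains: it should not sit in a ticket, a chat or a config backup that is readable more widely than the ASA itself. If an OpenSSL 3 build refuses a real device export with an unsupported-algorithm error, the older PBE ciphers some exports use are only available through the legacy provider (the -legacy option to openssl pkcs12).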