Import Domain certificate from RootCA to your Cisco router

Today I will show you how to import a signed domain certificate from your own Domain Root Certification Authority. First we will generate a certificate for the Cisco router. I needed this for the WebVPN gateway to connect SSL VPN user. In my example, we will use “vpn.1337company.com“. You need a working RootCA in your windows domain. Go to the server via RDP and open the IIS management console. Go to the server certificates:

iis-servercertificates

choose “Create Domain Certificate”

iis-domaincert

create the new certificate with the suitable name.

iis-certenroll1

choose your RootCA and a friendly name for your certificate

iis-certenroll2

Now we will export the certificate to a pfx file containing the public certificate from your RootCA and the public and private certificate for your website / SSL VPN Gateway. We need to open the local computer certificate management console. Go to Start -> Run, type “mmc” and press Enter. Click on File -> Add/Remove Snap-In and choose “Certificates”. Choose “Computer account”, click Next, Finish and OK. Go to Personal -> Certificates and export your new certificate:

cert-export1

export the private key

cert-export2

choose “include all certificates…” because we need the public certificate from your RootCA

cert-export3

choose a password for export. In my case I used MyPasswordABC123. Save the file as sslvpncert.pfx on your desktop.

cert-export4

 

Copy the .pfx file to your Cisco router via TFTP. I always use TFTPD32 for this.

copy tftp flash

crypto pki import vpn.1337company.com pkcs12 sslvpncert.pfx password MyPasswordABC123

Reading file from usbflash0:sslvpncert.pfx
% You already have RSA keys named vpn.1337company.com.
% If you replace them, all router certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.

now change to the new certificate:

webvpn gateway CompanySSLgateway
ip address 8.7.6.5 port 443
ssl trustpoint vpn.1337company.com

go to https://yourserveraddress to see if the certificate is bounded to the webserver. If you have any problems or suggestions, please write it in the comments below.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.