I have recently been involved in some security audit work and found myself having to replace the self-signed SSL certificates used by the secure HTTP service on a number of Cisco 3850 switches. Because Chrome requires a Subject Alternative Name (SAN) in every certificate, I needed to generate the CSR and key pair outside of IOS XE using OpenSSL. I then submitted the CSR to an internal Windows CA for signing, used OpenSSL to create a PKCS12 file from the certificate and the key file, and then imported it onto a Cisco 3850 switch. It was a bit fiddly, so I thought it deserved a post to cover the steps I went through.
The FQDN of our Cisco 3850 switch is myswitch1.mynetwork.com; this is used both as the Common Name (CN) in the certificate Subject and as the SAN entry.
The first thing we need is a Linux server with OpenSSL and a TFTP server installed.
Instructions can be found here for installing a bare bones Ubuntu Linux server.
Install OpenSSL and a TFTP server by running the following:
sudo apt update
sudo apt install openssl tftpd-hpa
Now we need to create a configuration file for OpenSSL to assist in generating our CSR.
Fire up your favourite text editor and create a file myswitch1.cnf. It needs a [req] section that points OpenSSL at a [req_distinguished_name] section (which becomes the certificate Subject) and at a request-extensions section that takes the subjectAltName from an [alt_names] section, plus those two sections themselves. Change the entries in the [req_distinguished_name] section to appropriate values for your environment. The CN entry needs to be the same as the DNS.1 entry in the [alt_names] section; Chrome ignores the CN and only looks at the SAN, so a CSR without the [alt_names] entry will not solve the original problem.
Save the file.
Now we need to generate the private key that the CSR will be created from.
Run the following command to create a key file called myswitch1.key and enter a password when prompted.
openssl genrsa -aes128 -out myswitch1.key 4096
Now we generate the CSR file called myswitch1.csr using the key file myswitch1.key and the configuration file myswitch1.cnf.
openssl req -sha256 -key myswitch1.key -new -out myswitch1.csr -config myswitch1.cnf
When prompted, enter the password that we used to create the key file earlier.
We should now have a file called myswitch1.csr, which is the CSR ready to be submitted to a CA for signing.
This needs to be moved onto the Windows CA for signing. The easiest way is to run the following command and copy and paste the output into a text file on the Windows CA. Make sure you get everything between and including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
cat myswitch1.csr
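The Linux side of the procedure above, as an added example that is not part of the original post: it writes the myswitch1.cnf file the post refers to, generates the passphrase-protected key and the CSR without interactive prompts, and then reads the SAN back out of the CSR so you can confirm it is there before sending the request to the CA. The Subject values, the KEY_PASS environment variable and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: the DN values below,
# a KEY_PASS environment variable holding the key passphrase, and a
# writable working directory.

# Write the OpenSSL request config. $1 = FQDN, $2 = output file.
# prompt = no makes openssl take the Subject straight from this file;
# req_extensions pulls the SAN in from [alt_names]; CN and DNS.1 match.
write_cnf() {
    fqdn=$1
    cat > "$2" <<EOF
[req]
default_bits       = 4096
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
C  = GB
ST = SomeState
L  = SomeCity
O  = My Network Ltd
OU = Network Operations
CN = $fqdn

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $fqdn
EOF
}

# Generate the AES-128 encrypted key and the CSR non-interactively.
# $1 = FQDN, $2 = output path prefix (e.g. /tmp/x/myswitch1), $3 = key bits.
make_csr() {
    fqdn=$1; prefix=$2; bits=${3:-4096}
    write_cnf "$fqdn" "$prefix.cnf"
    openssl genrsa -aes128 -passout "pass:$KEY_PASS" -out "$prefix.key" "$bits" 2>/dev/null
    openssl req -new -sha256 -config "$prefix.cnf" -key "$prefix.key" \
        -passin "pass:$KEY_PASS" -out "$prefix.csr"
}

# Print the DNS names in the CSR's subjectAltName, one per line. An empty
# result means the CSR carries no SAN and Chrome will reject the certificate.
csr_san_dns() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

main() {
    : "${KEY_PASS:=changeme}"; export KEY_PASS
    work=$(mktemp -d)
    make_csr myswitch1.mynetwork.com "$work/myswitch1"
    echo "CSR at $work/myswitch1.csr, SAN entries:"
    csr_san_dns "$work/myswitch1.csr"
}

# Run the procedure when openssl is available; the functions above can also
# be sourced into another script.
if command -v openssl >/dev/null 2>&1; then main; fi
```

Checking the SAN on the CSR is worth the few seconds: a Windows CA using the stock WebServer template issues whatever SAN the request contains, so a CSR that lacks one comes back as a certificate Chrome still refuses.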
Now we move to the Windows CA. How to create a CA Server in Windows is beyond the scope of this post (I might write it up one day…).
The CSR we have created could also be submitted to a public CA like Digicert or Verisign if you need it to be trusted by devices that you don't control.
Open up a Command Prompt on the Windows CA and run the following command to see what certificate templates are available:
certutil -catemplates
From the output I can see that the standard WebServer template is available, so we will use that to sign our CSR. certreq defaults to -submit, so the command below prompts for the request file (and for which CA to send it to, if the machine can see more than one).
certreq -attrib "CertificateTemplate:WebServer"
When prompted, select the CSR file myswitch1.csr that we copied over from the Linux server.
Name the certificate myswitch1.cer when saving it.
Now we need to get the certificate back onto the Linux server.
The easiest way to do this is to open the newly created myswitch1.cer file with Notepad and copy and paste the contents into a text editor on the Linux server, making sure you get everything between and including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
The next step is to paste a copy of the root certificate from your Windows CA into the myswitch1.cer file, after the newly issued certificate, again making sure you get everything between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". This is the certificate the CA signs with: the PKCS12 import on the switch expects the CA certificate along with the switch certificate and key, and stores it in the trustpoint as the CA certificate. To get it from a Windows CA, either open the Certification Authority MMC, right-click the CA, choose Properties, View Certificate, Details, Copy to File, and export it as Base-64 encoded X.509, or use the web enrolment pages (http://FQDN.Of.Your.Server/certsrv, "Download a CA certificate, certificate chain, or CRL", with Base 64 encoding). If the CA that issued the certificate is a subordinate CA rather than the root, add the subordinate CA's certificate first and the root after it, so the file reads switch certificate, issuing CA, root. Everything in the file must be Base-64 (PEM) text; a binary DER export will not paste.
Make sure you name it myswitch1.cer on the Linux server and that it goes into the same directory as our key file myswitch1.key.
Now we need to package the certificate file (myswitch1.cer) and the key file (myswitch1.key) into a PKCS12 (myswitch1.pfx) file that we can import into our Cisco switch.
Use the following command, entering the key file password when prompted and then choosing a new export password when prompted. The export password is what we will type when we import the file into the Cisco switch configuration, so avoid characters such as ? that the IOS command line treats specially. If the later import fails and you built the file with OpenSSL 3.x, re-export it with the older encryption algorithms (OpenSSL's -legacy option, or explicit PBE-SHA1-3DES key and certificate encryption with a SHA-1 MAC): OpenSSL 3 defaults to AES-256 with PBKDF2, which some IOS XE releases cannot read.
openssl pkcs12 -inkey myswitch1.key -in myswitch1.cer -export -out myswitch1.pfx
Nearly done!
Now we need to get the newly created PKCS12 file (myswitch1.pfx) onto the Cisco switch. This is where the TFTP server comes into play.
Copy myswitch1.pfx into the directory the TFTP server serves. This is TFTP_DIRECTORY in /etc/default/tftpd-hpa; Ubuntu's default is /srv/tftp, so adjust the path below if yours differs.
sudo cp myswitch1.pfx /var/lib/tftpboot/
Now we need to log into our Cisco switch.
Copy the myswitch1.pfx file down from the Linux server onto flash, replacing <IP of Linux Server> with the server's address. TFTP is unauthenticated and unencrypted; the PKCS12 file is protected by its export password, but if your switch and server support it, copying over SCP instead (the IOS XE copy command also accepts scp: URLs) is the better transport, and either way remove the file from the TFTP directory once the copy has finished.
copy tftp://<IP of Linux Server>/myswitch1.pfx flash:myswitch1.pfx
Now we import the PKCS12 file from global configuration mode, substituting ExportPassword with the export password we set when we created myswitch1.pfx. IOS XE creates the trustpoint MyTrustPoint if it does not already exist and loads the key pair, the switch certificate and the CA certificate from the file.
conf t
crypto pki import MyTrustPoint pkcs12 flash:myswitch1.pfx password ExportPassword
Next, a minor adjustment to the revocation check setting. A trustpoint defaults to revocation-check crl, which makes the switch try to fetch the CA's CRL whenever it validates a certificate against this trustpoint; setting it to none avoids failures when the switch cannot reach the CRL distribution point, at the cost of never detecting a revoked certificate through this trustpoint.
crypto pki trustpoint MyTrustPoint
revocation-check none
exit
And finally we set the switch to use our new trustpoint and certificate for the secure HTTP service.
ip http secure-trustpoint MyTrustPoint
end
You can confirm the import with show crypto pki certificates MyTrustPoint, which should list the switch certificate together with the CA certificate it chains to. The PKCS12 file is no longer needed on the switch once it has been imported; delete flash:myswitch1.pfx removes it.
Job done!
The step where you say “The next step is to paste a copy of the root certificate from your Windows CA into the myswitch1.cer file. Put it after the newly generated certificate again making sure you get everything between and including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” sections.” needs more explanation. I am stuck here and can't seem to get past it.
Hi Chris
Your CA will have a Root certificate that is used to sign certificates that it issues. Clients need to “Trust” this Root certificate (usually by installing into a local certificate store) so that the chain of trust can be established. A public CA will generally provide the Root certificate along with any certs that you purchase. If you are using a private Windows CA, you can download it via the Certificate Authority MMC or also via the web interface (if you installed it). I believe the URL would be https://FQDN.Of.Your.Server/certsrv
Regards
Kirin