Cisco AnyConnect VPN client software, the successor of the legacy VPN Client v5, is restrictive when it comes to connecting to VPN servers that have invalid, expired or revoked SSL certificates. AnyConnect won't let you connect if the router is not presenting a valid SSL certificate. (Tip: a self-signed certificate will work if you don't wish to purchase a CA-signed one.)
Below is a hassle-free, simplified way of updating the certificate on your Cisco router.
The example renews/updates the certificate for vpn.marktugbo.com.
The easiest way is to create a new trustpoint on the router and point the VPN settings at that trustpoint, which avoids confusion between the old and new certificates.
Create a new trustpoint
MRK-AKL-RTR-01(config)#crypto pki trustpoint godaddy.trustpoint-2017
MRK-AKL-RTR-01(ca-trustpoint)#enrollment terminal
MRK-AKL-RTR-01(ca-trustpoint)#serial-number none
MRK-AKL-RTR-01(ca-trustpoint)#fqdn vpn.marktugbo.com
MRK-AKL-RTR-01(ca-trustpoint)#ip-address none
MRK-AKL-RTR-01(ca-trustpoint)#subject-name CN=vpn.marktugbo.com,O=MyCompany,OU=MyMSP,L=Auckland,ST=Auckland,C=NZ
MRK-AKL-RTR-01(ca-trustpoint)#revocation-check none
MRK-AKL-RTR-01(ca-trustpoint)#rsakeypair GDKey
MRK-AKL-RTR-01(ca-trustpoint)#exit
MRK-AKL-RTR-01(config)#crypto pki enroll godaddy.trustpoint-2017
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=vpn.marktugbo.com,O=MyCompany,OU=MyMSP,L=Auckland,ST=Auckland,C=NZ
% The subject name in the certificate will include: vpn.marktugbo.com
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIDFzCCAf8CAQAwgbAxCzAJBgNVBAYTAk5aMREwDwYDVQQIEwhBdWNrbGFuZDER
…
---End - This line not part of the certificate request---
Send the CSR to GoDaddy for renewal.
Log on to the GoDaddy portal, find the certificate you need (vpn.marktugbo.com), revoke the existing certificate and request a new one by providing the CSR above.
Remember to wrap the CSR in the delimiters below, or the portal will not accept it:
-----BEGIN CERTIFICATE REQUEST-----
YouR-CSR-code-goes-HerE
-----END CERTIFICATE REQUEST-----
GoDaddy then validates the request by emailing the domain's contact addresses (typically the DNS administrator/hosting company or the registered office). Once it's validated, a new certificate is generated which you can download from the GoDaddy portal.
=============
Download the certificate.
The .zip file contains two files.
The first, named after the certificate serial number (ea1e85c5c31a8a8), is the actual router certificate; gd_bundle is the CA bundle used to authenticate the trustpoint. You can view the base64 ("text") version of either file by opening it in Notepad.
On the router, import the generated certificates through the new trustpoint and associate it with the SSL-VPN configuration in the next steps.
Input the CA bundle first (crypto pki authenticate), then the actual certificate, the one named after the serial number (crypto pki import).
MRK-AKL-RTR-01(config)#crypto pki authenticate godaddy.trustpoint-2017
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
..
-----END CERTIFICATE-----
Trustpoint 'godaddy.trustpoint-2017' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: XXX
Fingerprint SHA1: XXX
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
MRK-AKL-RTR-01(config)#crypto pki import godaddy.trustpoint-2017 certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFVDCCBDygAwIBAgIJAOoeGFxcMaioMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
....
-----END CERTIFICATE-----
% Router Certificate successfully imported
Then reconfigure the SSL-VPN gateway to use the new trustpoint that holds the updated certificate.
MRK-AKL-RTR-01(config)#webvpn gateway Cisco-WebVPN-Gateway
MRK-AKL-RTR-01(config-webvpn-gateway)#ssl trustpoint godaddy.trustpoint-2017
MRK-AKL-RTR-01(config-webvpn-gateway)#end
=============
TEST THE CERTIFICATE
Browse to the VPN URL and inspect the certificate details in the browser; you should see the new serial number there.
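The fingerprint prompt in the crypto pki authenticate step and the serial number check in the test step can both be done offline against the downloaded GoDaddy files before anything is pasted into the router. The script below is an added example, not part of the original post: it assumes the .zip contents are saved locally, uses only the Python standard library, and SAMPLE_DER/SAMPLE_PEM are a constructed stand-in rather than a real certificate.

```python
"""Offline checks for certificates about to be pasted into an IOS trustpoint:
the MD5/SHA1 fingerprints IOS prints at '% Do you accept this certificate?',
and the serial number to match against GoDaddy's file name (ea1e85c5c31a8a8)."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """DER bytes for every certificate in a PEM file (gd_bundle carries several)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_number(der):
    """serialNumber from Certificate -> tbsCertificate, as lowercase hex without sign padding."""
    _, tbs, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, tbs)               # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version comes first
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, found tag 0x%02x" % tag)
    return der[start:end].lstrip(b"\x00").hex() or "0"

def serial_matches(der, expected_hex):
    """Compare numerically: GoDaddy's file name drops the leading zero nibble of the serial."""
    return int(serial_number(der), 16) == int(expected_hex, 16)

def fingerprints(der):
    """MD5 and SHA1 over the DER, grouped in 8 hex digits as IOS displays them."""
    out = {}
    for name in ("md5", "sha1"):
        digest = hashlib.new(name, der).hexdigest().upper()
        out[name] = " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))
    return out

# Constructed sample (not a real certificate): outer SEQUENCE, tbsCertificate SEQUENCE,
# [0] version v3 and INTEGER serial 0x0ea1e85c5c31a8a8, which is all serial_number() walks.
SAMPLE_DER = bytes.fromhex("3011300fa003020102" "02080ea1e85c5c31a8a8")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for der in pem_to_der_list(SAMPLE_PEM):   # point this at gd_bundle / ea1e85c5c31a8a8.crt
        print(serial_number(der), serial_matches(der, "ea1e85c5c31a8a8"), fingerprints(der))
```

Run it over gd_bundle before answering the router's accept prompt and over the serial-named file before crypto pki import; only paste the CA certificate whose fingerprints match what IOS shows.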
Hello admin, I've been reading your posts for some time and I really like coming back here. I can see that you probably don't make money on your website. I know one simple method of earning money, I think you will like it. Search google for: dracko's tricks
Bit interested in this. Tell me more. I want to know if it's worth it to add ads to my site.
Great info here, thanks. I had to do this recently and all the online guides (apart from this one), seem to be written for the Cisco ASA.