Hi Piotr

It doesn't work even if I import the key first. The following is what I
did:

*Import Keys*

router1(config)#crypto key import rsa cisco terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK8nP10mvsTXwATr9c5kgpdvPIDJhbC8
DTyyaDqtLd1ZySOP36dn2RODtBOJs0SMfs1sLql2JUTHsBShpCKEnxECAwEAAQ==
-----END PUBLIC KEY-----

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,27AFA32C5384234F

jx+trNy1tCUbhhBVupWT5ueoLTvtzUb5KqEhIpFgfsyUfZb+XPnrKI2CpKro5Ump
7x1Pr8HqqBMB7eHrY2h8ViXaZkf97xMIB8HOS2q0q49uvUpMT6Vnsb9wpIF/WHB+
SrPqsLQMY80nzWG8J5hwwNL7kbLoPHpgLyMLr/OHn+mDVIQw4gKUDY4NqtpWh67X
nKu3smjNdZBhCmGGnsshFRl5MEVEfS7LTuoqSBJynQDF18AVESq55lF/1RA6cXOR
O8374SjysXPhbKhG+louRQ78wksWO4QodojyR2wgOw/gRoFrhsaq6OrbRdGFlxsI
5NMJ+4jcHD43+IczY7WEM+5aJNS5DvEGmR6f02LtvVnYcnIYMELf3vugAM9FCnQd
XMRtTgs2CMaNz9ZiAG27l6y/TXTXkxopazOVcDn3wTE=
-----END RSA PRIVATE KEY-----

*Adding the certificate chain*

router1(config)#crypto pki certificate chain cisco
router1(config-cert-chain)#
router1(config-cert-chain)#certificate 04
Enter the certificate in hexidecimal representation....

router1(config-pubkey)#$030201 02020104 300D0609 2A864886 F70D0101 04050030
router1(config-pubkey)#$0A1305 6B696E67 73310D30 0B060355 04031304 6B696E67
router1(config-pubkey)#$363037 32353533 5A170D31 32303832 35303732 3535335A
router1(config-pubkey)#$864886 F70D0109 02161072 6F757465 72342E6B 696E672E
router1(config-pubkey)#$2A8648 86F70D01 01010500 034B0030 48024100 AE6BF6F0
router1(config-pubkey)#$A4BE1A 8132C851 93F9801F B8B018D0 ADCB18D4 18630197
router1(config-pubkey)#$CF2141 FCD666B7 9746B21C 72BFFA52 53DE28C9 02030100
router1(config-pubkey)#$551D0F 0101FF04 04030205 A0301F06 03551D23 04183016
router1(config-pubkey)#$CDB2B0 3BE21A12 1D34E85A F189301D 0603551D 0E041604
router1(config-pubkey)#$739BD4 D3904A23 EB51739D 75300D06 092A8648 86F70D01
router1(config-pubkey)#$48308A 4C9742C8 67B8B08E EA7B2C08 C25574FF C3AB34F1
router1(config-pubkey)#$07DFE1 151F7F56 8B8BE9B5 DE2BD906 59F0A346 48CD1B06
router1(config-pubkey)#$59D96B 4372E587 B123ABDD 0B5DD161 56390FAB CB02F95D
router1(config-pubkey)#$A21EB8 3838EE76 7E54C6F4 62F68464 19A4FA0B D595E2CF
router1(config-pubkey)# C54B1871 10488BD2
router1(config-pubkey)#       quit
router1(config-cert-chain)#certificate ca 01
Enter the certificate in hexidecimal representation....

router1(config-pubkey)#$030201 02020101 300D0609 2A864886 F70D0101 04050030
router1(config-pubkey)#$0A1305 6B696E67 73310D30 0B060355 04031304 6B696E67
router1(config-pubkey)#$363037 31353136 5A170D31 34303832 35303731 3531365A
router1(config-pubkey)#$040A13 056B696E 6773310D 300B0603 55040313 046B696E
router1(config-pubkey)#$864886 F70D0101 01050003 818D0030 81890281 81009C47
router1(config-pubkey)#$C25182 7207F12C 68FE2B8C 7D417817 46D5368D 8217E61D
router1(config-pubkey)#$A33602 49F3B85B 63F34033 E52FDD25 3DFB3093 70A6FA63
router1(config-pubkey)#$ABA60E 1C35AF05 DF9BADBE 68550CD4 3B5602F0 8262B9C7
router1(config-pubkey)#$D1D190 E3BFDDCB C50E6CAA E512A50C 8DD99212 920D0203
router1(config-pubkey)#$060355 1D130101 FF040530 030101FF 300E0603 551D0F01
router1(config-pubkey)#$1F0603 551D2304 18301680 14EDBBF0 B4E2E970 CDB2B03B
router1(config-pubkey)#$301D06 03551D0E 04160414 EDBBF0B4 E2E970CD B2B03BE2
router1(config-pubkey)#$0D0609 2A864886 F70D0101 04050003 8181001E 0B9A8021
router1(config-pubkey)#$C3E71C CD7AB3FC 8EFF3E4A 875767D2 6599184C A431F55A
router1(config-pubkey)#$0AD6EC E89A0F22 AEA2942A 827D6DBD 2C0DD6A6 D84C6698
router1(config-pubkey)#$850EB0 89A78CD8 7ED7AAC3 0AB36A59 7E69BA36 0C073694
router1(config-pubkey)#$62D4FC2 4F4A2423 BB9E2057 20E753E6 99919680 721877
router1(config-pubkey)#       quit
router1(config-cert-chain)#^Z

*Trustpoint doesn't have a key*

router1#sh crypto pki trustpoints status
Trustpoint cisco:
  Issuing CA certificate configured:
    Subject Name:
     cn=king,o=kings
    Fingerprint MD5: 418AC420 AD4B6825 9DF0F0C9 DEA93F7C
    Fingerprint SHA1: 5AB16E4A 1F1A4F3F 9C929C87 F8259D42 D274CE90
  Router Not Set certificate configured:
    Subject Name:
     hostname=router4.king.com
    Fingerprint MD5: 50960F9F 8F06DF3C CF113B6F 2A5B378A
    Fingerprint SHA1: 7221E458 63EED191 C1DE2D9C D3F2E050 FBABF91E
  State:
    Keys generated ............. No
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

*Snippet of debug crypto isakmp O/P informs that keypair is not found*

Aug 26 07:55:44.950: ISAKMP:(4011):Using FQDN as My ID
Aug 26 07:55:44.950: ISAKMP:(4011):SA is doing RSA signature authentication using id type ID_FQDN
Aug 26 07:55:44.950: ISAKMP (0:4011): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : router1.king.con
        protocol     : 17
        port         : 500
        length       : 24
Aug 26 07:55:44.950: ISAKMP:(4011):Total payload length: 24
Aug 26 07:55:44.950: ISAKMP (0:4011): constructing CERT payload for hostname=router4.king.com
Aug 26 07:55:44.954: ISAKMP:(4011): using the cisco trustpoint's keypair to sign
Aug 26 07:55:44.954: ISAKMP:(4011): keypair not found
Aug 26 07:55:44.954: ISAKMP (0:4011): FSM action returned error: 2
Aug 26 07:55:44.954: ISAKMP:(4011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 26 07:55:44.954: ISAKMP:(4011):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Aug 26 07:55:54.938: ISAKMP (0:4011): received packet from 10.77.165.202 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 26 07:55:54.938: ISAKMP:(4011): phase 1 packet is a duplicate of a previous packet.
Aug 26 07:55:54.938: ISAKMP:(4011): retransmitting due to retransmit phase 1
Aug 26 07:55:54.938: ISAKMP:(4011): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH

*Associating key pair manually to the trustpoint*

router1(config)#crypto pki trustpoint cisco
router1(ca-trustpoint)#rsakeypair cisco

router1#sh crypto pki trustpoints status
Trustpoint cisco:
  Issuing CA certificate configured:
    Subject Name:
     cn=king,o=kings
    Fingerprint MD5: 418AC420 AD4B6825 9DF0F0C9 DEA93F7C
    Fingerprint SHA1: 5AB16E4A 1F1A4F3F 9C929C87 F8259D42 D274CE90
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None


*Snippet of debug crypto isakmp O/P informs that router can't build cert chain*

Aug 26 08:00:02.944: ISAKMP:(4012):Total payload length: 12
Aug 26 08:00:02.944: ISAKMP (0:4012): unable to build cert chain
Aug 26 08:00:02.944: ISAKMP (0:4012): FSM action returned error: 2
Aug 26 08:00:02.944: ISAKMP:(4012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 26 08:00:02.944: ISAKMP:(4012):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Aug 26 08:00:02.944: ISAKMP:(4011):deleting SA reason "Receive initial contact" state (R) MM_KEY_EXCH (peer 10.77.165.202)
Aug 26 08:00:02.944: ISAKMP: Unlocking peer struct 0x478DE95C for isadb_mark_sa_deleted(), count 1
Aug 26 08:00:02.944: ISAKMP:(4011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 26 08:00:02.944: ISAKMP:(4011):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Aug 26 08:00:12.928: ISAKMP (0:4012): received packet from 10.77.165.202 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 26 08:00:12.928: ISAKMP:(4012): phase 1 packet is a duplicate of a previous packet.
Aug 26 08:00:12.928: ISAKMP:(4012): retransmitting due to retransmit phase 1
Aug 26 08:00:12.928: ISAKMP:(4012): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 26 08:00:14.684: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
Aug 26 08:00:22.928: ISAKMP (0:4012): received packet from 10.77.165.202 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 26 08:00:22.928: ISAKMP:(4012): phase 1 packet is a duplicate of a previous packet.
Aug 26 08:00:22.928: ISAKMP:(4012): retransmitting due to retransmit phase 1
Aug 26 08:00:22.928: ISAKMP:(4012): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 26 08:00:32.928: ISAKMP (0:4012): received packet from 10.77.165.202 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 26 08:00:32.928: ISAKMP:(4012): phase 1 packet is a duplicate of a previous packet.
Aug 26 08:00:32.928: ISAKMP:(4012): retransmitting due to retransmit phase 1
Aug 26 08:00:32.928: ISAKMP:(4012): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH



With regards
Kings
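
Added example, not part of the thread: the mail above pastes both the imported PEM public key and the hex of the router certificate, so the two can be checked against each other by comparing RSA moduli, which is the first thing to verify when a trustpoint's key pair and certificate were moved separately. The script uses only the bytes visible in the mail (IOS shows each pasted certificate line truncated with a leading "$", so only the first four modulus bytes of the certificate survive) and a minimal DER walker instead of a crypto library.

```python
import base64
import re

# Public key exactly as pasted in the mail above (PEM SubjectPublicKeyInfo).
PEM_PUBKEY = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK8nP10mvsTXwATr9c5kgpdvPIDJhbC8
DTyyaDqtLd1ZySOP36dn2RODtBOJs0SMfs1sLql2JUTHsBShpCKEnxECAwEAAQ==
-----END PUBLIC KEY-----"""

# The 'certificate 04' hex line from the mail that carries the start of the
# certificate's RSAPublicKey ("02 41 00" = INTEGER, 65 bytes, sign byte 00).
# IOS shows only the tail of each pasted line ('$'), so just 4 modulus bytes survive.
CERT_HEX_FRAGMENT = "2A8648 86F70D01 01010500 034B0030 48024100 AE6BF6F0"

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_from_spki(pem):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey -> modulus."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, spki, _ = der_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _algid, pos = der_tlv(spki, 0)        # rsaEncryption OID + NULL, not needed here
    tag, bitstr, _ = der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, rsapub, _ = der_tlv(bitstr[1:], 0)    # bitstr[0] is the unused-bits count
    tag, modulus, _ = der_tlv(rsapub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return modulus.lstrip(b"\x00")           # strip DER sign-padding byte

def modulus_prefix_from_cert_hex(fragment):
    """Return the modulus bytes visible after the '02 41 00' INTEGER header in the fragment."""
    raw = bytes.fromhex(re.sub(r"\s+", "", fragment))
    idx = raw.find(bytes.fromhex("024100"))
    if idx < 0:
        raise ValueError("RSA modulus header not found in fragment")
    return raw[idx + 3:]

def key_matches_cert(pem=PEM_PUBKEY, fragment=CERT_HEX_FRAGMENT):
    """True only if the certificate's visible modulus bytes match the imported key's modulus."""
    return rsa_modulus_from_spki(pem).startswith(modulus_prefix_from_cert_hex(fragment))
```

With the values as pasted, the key's modulus begins AF273F5D while the certificate's begins AE6BF6F0, so key_matches_cert() returns False; a trustpoint whose certificate was issued for a different key pair than the one imported cannot sign, so this is worth ruling out before looking at the chain itself.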

On Fri, Aug 26, 2011 at 11:32 AM, Kingsley Charles <
kingsley.char...@gmail.com> wrote:

> Hi Piotr
>
> Exporting with "crypto pki export" works fine as mentioned in Case 1 of my
> earlier mail. But I was curious to know why it was not working in case 2.
>
> I will try to import keys first and get back.
>
> With regards
> Kings
>
>
> On Thu, Aug 25, 2011 at 9:30 PM, Piotr Matusiak <pi...@howto.pl> wrote:
>
>> Hi Kings,
>>
>> Try to first import keys and then paste certificates.
>> The question is why don't you just export keys + certs with PKCS12 format?
>>
>> cry pki exp CA pkcs12....
>>
>>
>> Regards,
>> Piotr
>>
>>
>> 2011/8/25 Kingsley Charles <kingsley.char...@gmail.com>
>>
>>> Hi all
>>>
>>> This topic is certainly out of CCIE scope. I was playing with it to
>>> understand PKI better.
>>>
>>> I am building a site to site VPN between R1 and R2 using digital
>>> certificates. I am able to bring the site to site VPN up using pre-shared
>>> keys and certificates.
>>>
>>>
>>>             R3
>>>              I
>>> R1 ----------------- R2
>>>
>>>
>>>
>>> Now, I am trying to play with certificates as follows:
>>>
>>> *Case 1*
>>>
>>>
>>>    - I take another router R4, generate keys and enroll with R3.
>>>    - R4 now has the certs and keys.
>>>    - I delete the existing keys and enroll certs on R1.
>>>    - From R4, I export keys and certs using the command "crypto pki
>>>    export".
>>>    - I import the keys and certs into R1 using "crypto pki import"
>>>
>>>
>>> The site to site VPN between R1 and R2 works fine.
>>>
>>> *Case 2*
>>>
>>>
>>>    - I take another router R4, generate keys and enroll with R3.
>>>    - R4 now has the certs and keys.
>>>    - I delete the existing keys and enroll certs on R1
>>>    - From R4, I copy the cert chain directly from running configuration.
>>>    - Put the keys into the R1's running configuration using the command
>>>    "crypto pki certificate chain".
>>>    - So R1 has the certs now.
>>>    - I export the keys from R4 using "crypto key export rsa"
>>>    - I import the keys in R1 using "crypto key export rsa"
>>>    - R1 has the keys and certs from R4
>>>
>>>
>>> The site to site VPN fails and in the debugs of R1, I see that it is not
>>> able to build the chain.
>>>
>>> R1 has the cert and keys but it doesn't work.
>>>
>>> What could be the problem?
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>