Thursday, July 26, 2012

Lazy certificate import for Cisco SSL VPN engine

In this example the VPN gateway's hostname is sgvpn.mydomain.com, the webvpn gateway is named sggateway and its external address is 165.21.250.150. We assume the certificate has already been encoded as a PKCS12 file, named sgvpn-full.pfx here:

sing-gw1(config)#crypto pki trustpoint SGVPN
sing-gw1(ca-trustpoint)# fqdn sgvpn.mydomain.com
sing-gw1(ca-trustpoint)# revocation-check crl
sing-gw1(ca-trustpoint)# rsakeypair SGVPN
sing-gw1(ca-trustpoint)#^Z
sing-gw1(config)#crypto ca import SGVPN pkcs12 ftp://myftpaccount:mypassword@myftpipaddress/sgvpn-full.pfx My_Certificate_Password

Now we are ready to attach the trustpoint to our webvpn gateway:

sing-gw1(config)#webvpn gateway sggateway
sing-gw1(webvpn)# ip address 165.21.250.150 port 443
sing-gw1(webvpn)# http-redirect port 80
sing-gw1(webvpn)# ssl trustpoint SGVPN
sing-gw1(webvpn)# logging enable
sing-gw1(webvpn)# inservice
sing-gw1(webvpn)# end


Our webvpn gateway should now be ready to serve the new certificate. If our provider does not deliver a PKCS12 file, we can easily build one using the Windows Certificates snap-in:

First, import the certificate into Windows: double-click the certificate file, enter its password and let the wizard select the certificate store location automatically.

After that, locate your certificate in your system. I imported mine into my personal account; yours may vary:


We right-click the certificate and choose All Tasks, then Export:

We follow the wizard:

We choose to export the private key (the router needs it to terminate SSL):

We include all certificates in the certification path and export all extended properties:

We type the new password (the one we will give on the router command line, My_Certificate_Password in the import command above):

We choose a secure location for the exported .pfx file:

Click Finish, and the certificate is ready to be imported with the crypto ca import command above.
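The same bundle can be built on any machine with openssl instead of the Windows snap-in, and it pays to verify it locally before handing it to the router, because a wrong password or a key-less export only shows up on IOS as a vague import failure. The script below is an added example, not part of the original post: it bundles a PEM certificate, its private key and the issuing chain into a PKCS12 file, checks that the password opens it and that it contains a key, and (once the webvpn gateway is in service) fetches the certificate the gateway actually presents on port 443 so you can confirm the new trustpoint is in use. File names, the password and the host names are placeholders taken from the post's example.

```shell
#!/bin/sh
# Added example, not part of the original post: build the PKCS12 bundle with
# openssl, verify it locally before uploading it to the router, and check the
# certificate the webvpn gateway serves afterwards. File names, the password
# and host names are placeholders from the post's example.
set -eu

# build_pkcs12 CERT KEY CHAIN PASSWORD OUT
# Bundles the server certificate (PEM), its private key and the issuing chain
# into one password-protected PKCS12 file, like the snap-in export with
# "export the private key" and "include all certificates" selected.
build_pkcs12() {
  cert=$1; key=$2; chain=$3; pass=$4; out=$5
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name "$(basename "$out" .pfx)" -passout "pass:$pass" -out "$out"
}

# verify_pkcs12 PFX PASSWORD
# Succeeds only if PASSWORD opens the bundle and it holds a private key plus
# at least one certificate; a wrong password or a certificate-only export
# fails here instead of on the router.
verify_pkcs12() {
  dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
  printf '%s\n' "$dump" | grep -q 'PRIVATE KEY-----' || return 1
  printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE' || return 1
}

# count_certs PFX PASSWORD
# Prints the number of certificates in the bundle (server cert plus chain).
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# cert_summary PEMFILE
# Prints the subject and expiry date of a PEM certificate.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# check_gateway HOST PORT SERVERNAME
# Fetches the certificate the webvpn gateway presents over TLS and prints its
# subject and expiry, e.g. check_gateway 165.21.250.150 443 sgvpn.mydomain.com
check_gateway() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage: ./mkpfx.sh sgvpn.crt sgvpn.key chain.crt My_Certificate_Password sgvpn-full.pfx
if [ $# -eq 5 ]; then
  build_pkcs12 "$1" "$2" "$3" "$4" "$5"
  verify_pkcs12 "$5" "$4" && echo "bundle OK: $(count_certs "$5" "$4") certificate(s)"
fi
```

Two practical notes. The resulting .pfx contains the private key, so once the router has imported it, remove the copy from the FTP server; where the IOS release accepts them, scp: or sftp: URLs in the crypto ca import command avoid sending the key and the account password in clear over FTP. And if an older IOS release rejects a bundle produced by OpenSSL 3 (which defaults to AES-256 and PBKDF2 inside the PKCS12), re-export it with the -legacy option of openssl pkcs12 to get the older PKCS12 ciphers.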