Importing SSL certificates on Cisco IOS

A requirement came up to use Cisco’s AnyConnect VPN on a router. For this, an SSL certificate and corresponding private key is required – I used CAcert.org.

I will deliberately skip the detail of how to generate an RSA private key, create a CSR and get this signed by a CA. Straight to the chase – here is how to import the key and certificate on to an IOS router.

Use openssl rsa -in foo.key -pubout to display the corresponding public key for your private key foo.key. This will begin with BEGIN PUBLIC KEY.

Next, ensure your private key has a password – use openssl rsa -in foo.key. If it doesn’t, encrypt it with 3DES using openssl rsa -in foo.key -3des and specify a password.

On the IOS device in question, use crypto key import rsa foo pem terminal to import the PEM encoded public key:


cr(config)#crypto key import rsa foo pem terminal strongpassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
...

Ensure there is a complete blank line after pasting the public key, and the router will then prompt:

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.

Paste in the 3DES-encrypted key – it will begin BEGIN RSA PRIVATE KEY, and type ‘quit’ on a blank line at the end.

That’s it. It’s not straightforward, and I know I’ll forget if I don’t write it down!

1 thought on “Importing SSL certificates on Cisco IOS”

  1. I am trying to do the same thing… import an existing priv/pub key pair and signed SSL certificate for AnyConnect! I’ve got the keypair import process down, but I was hoping you’d be able to share the second half on how to import the SSL Certificate! Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *