November 26, 2014
Installing GoDaddy SSL Certificates on a Cisco IOS Router using CLI
Created by Gary on 12/7/2009 8:11:33 AM

I found that getting a GoDaddy certificate installed on an IOS router had, like many Cisco projects, become a research project. The process is poorly documented and many of the documented commands are outdated due to changes in IOS. I hope this helps save some time and energy on your part.

Make sure your router's time is correct before starting. I suggest you set up NTP to keep the router's time correct. If the router's time is not correct, the certificate's validity dates will not be evaluated properly and the certificate will not work as expected.

  1. Create a 2048-bit RSA key. GoDaddy now only supports key lengths of 2048 bits or greater for security reasons. On their site they claim that computer performance will be capable of breaking a 1024-bit key by 2012. Will that be the end of the world? :-)
Router(config)#crypto key generate rsa general-keys label GDKey modulus 2048
! Generates 2048 bit RSA key pair. "GDKey" defines the name of the key pair.
  2. Create the trustpoint. A trustpoint is basically a certificate authority that you trust.
Router(config)#crypto ca trustpoint godaddy.trustpoint
! Creates the trustpoint.
Router(config-ca-trustpoint)#enrollment terminal
! Specifies cut and paste enrollment with this trustpoint.
Router(config-ca-trustpoint)#subject-name CN=sslvpn.mydomain.com,OU=SSLVPN,O=My Company Name,C=US,ST=Florida
! Defines the X.500 distinguished name.
Router(config-ca-trustpoint)#rsakeypair GDKey
! Specifies the key pair generated previously.
Router(config-ca-trustpoint)#fqdn sslvpn.mydomain.com
! Specifies subject alternative name (DNS:).
Router(config-ca-trustpoint)#exit
  3. You can get the certificate request by issuing the following command:
Router(config)#crypto ca enroll godaddy.trustpoint
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=Webvpn.cisco.com
% The subject name in the certificate will include: webvpn.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
! Displays the PKCS#10 enrollment request to the terminal.
! You will need to copy this from the terminal to a text
! file or web text field to submit to the 3rd party CA.
Certificate Request follows:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)#

 

  4. Paste the certificate request into the GoDaddy page to complete the request. The certificate request must be in the format below. You will need to add the begin and end lines yourself. The begin and end certificate lines must each be on their own line or GoDaddy will give you an error. HINT: Turn off word wrap in your text editor to make sure the format is correct.
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
-----END CERTIFICATE-----
  5. Once the certificate is issued, you will receive an email with a link to download your certificate and the intermediates bundle. Select server type "other" for the download. Save these certificates locally and open them in a text editor like Notepad or, preferably, Notepad++.
  6. The next step is to install the intermediate certificate bundle into the router's trustpoint you created earlier. Run the command below. Copy the INTERMEDIATE certificate you opened in your text editor and paste it into your terminal session when prompted. The certificate will be named gd_intermediate.crt.
Router(config)#crypto ca authenticate godaddy.trustpoint
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit
Trustpoint 'godaddy.trustpoint' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: D5DF85B7 9A5287D1 8CD50F90 232DB534
Fingerprint SHA1: 7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

 

  7. You will now install the actual certificate. Follow the same copy and paste procedure as above. Notice that the command is different from the one used to install the GoDaddy intermediate certificate bundle.
Router(config)#crypto ca import godaddy.trustpoint certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
  8. If everything went well, your certificates should now be installed. You can run the following commands to verify that your certificate is properly installed. You should see both the intermediates and the issued certificate. Remember to exit config mode and save your configuration.
Router#show crypto pki certificates

Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXXXXXXXXX
  Certificate Usage: General Purpose
  Issuer:
    serialNumber=000000000
    cn=Go Daddy Secure Certification Authority
    ou=http://certificates.godaddy.com/repository
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject:
    Name: sslvpn.mydomain.com
    cn=sslvpn.mydomain.com
    ou=Domain Control Validated
    o=sslvpn.mydomain.com
  CRL Distribution Points:
    http://crl.godaddy.com/gds1-11.crl
  Validity Date:
    start date: 13:52:30 PCTime Dec 6 2009
    end   date: 13:52:30 PCTime Dec 6 2012
  Associated Trustpoints: sslvpn.mydomain.com
  Storage: nvram:07969287#2222.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0000
  Certificate Usage: Signature
  Issuer:
    ou=Go Daddy Class 2 Certification Authority
    o=The Go Daddy Group\, Inc.
    c=US
  Subject:
    serialNumber=07969287
    cn=Go Daddy Secure Certification Authority
    ou=http://certificates.godaddy.com/repository
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  CRL Distribution Points:
    http://certificates.godaddy.com/repository/gdroot.crl
  Validity Date:
    start date: 20:54:37 PCTime Nov 15 2006
    end   date: 20:54:37 PCTime Nov 15 2026
  Associated Trustpoints: sslvpn.mydomain.com
  Storage: nvram:GoDaddyClass#303CA.cer
 

Router#show crypto pki trustpoints
Trustpoint godaddy.trustpointsslvpn.mycert.com:
Subject Name:
serialNumber=0000000
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Serial Number (hex): 0000
Certificate configured.
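
The crypto ca authenticate step above prints the CA certificate's fingerprints before asking "Do you accept this certificate?". The following is an added example, not part of the original article: a Python script that computes the SHA-1 fingerprint of every certificate in the downloaded file and checks it against the line the router printed. The function names and the sample data (a PEM body that is only base64 of b"abc", plus a matching terminal capture) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# The router also prints an MD5 line; only the SHA1 line is compared here.
SHA1_RE = re.compile(r"Fingerprint\s+SHA1:\s*([0-9A-Fa-f ]+)")


def ios_format(digest_hex):
    """Group a hex digest the way IOS prints it: 8 hex characters per group."""
    h = digest_hex.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def file_fingerprints(pem_text):
    """SHA-1 fingerprint of every certificate in a PEM file (a bundle may hold several)."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # Fingerprints are taken over the DER bytes, so undo the base64 first.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(ios_format(hashlib.sha1(der).hexdigest()))
    return prints


def router_fingerprint(terminal_text):
    """SHA1 fingerprint shown at the accept prompt, normalised, or None if absent."""
    m = SHA1_RE.search(terminal_text)
    return ios_format(m.group(1).replace(" ", "")) if m else None


def fingerprint_matches(terminal_text, pem_text):
    """True only if the router's fingerprint matches a certificate in the file."""
    shown = router_fingerprint(terminal_text)
    return shown is not None and shown in file_fingerprints(pem_text)


# Constructed sample data: the PEM body is base64 of b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_TERMINAL = """Certificate has the following attributes:
Fingerprint SHA1: A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
% Do you accept this certificate? [yes/no]:"""

if __name__ == "__main__":
    print("file:  ", file_fingerprints(SAMPLE_PEM))
    print("router:", router_fingerprint(SAMPLE_TERMINAL))
    print("match: ", fingerprint_matches(SAMPLE_TERMINAL, SAMPLE_PEM))
```

Feed it the text of the saved gd_intermediate.crt and a paste of the router prompt, and answer yes on the router only when the result is True.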
