I have found that the process of getting a GoDaddy certificate installed on an IOS router has, like many Cisco projects, become a research project. The process is poorly documented and many of the documented commands are outdated due to changes in IOS. I hope this helps save you some time and energy.
Make sure your router's time is correct before starting. I suggest you set up NTP to keep the router's time correct. If the router's time is not correct, it will affect the certificate's functionality.
- Create a 2048-bit RSA key. GoDaddy now only supports key lengths of 2048 bits or greater for security reasons. On their site they claim that computer performance will be capable of breaking a 1024-bit key by 2012. Will that be the end of the world? :-)
Router(config)#crypto key generate rsa general-keys Label GDKey modulus 2048
! Generates 2048 bit RSA key pair. "GDKey" defines the name of the key pair.
- Create the trustpoint. A trustpoint is basically a certificate authority that you trust.
Router(config)#crypto ca trustpoint godaddy.trustpoint
! Creates the trustpoint.
Router(config-ca-trustpoint)#enrollment terminal
! Specifies cut and paste enrollment with this trustpoint.
Router(config-ca-trustpoint)#subject-name CN=sslvpn.mydomain.com,OU=SSLVPN,O=My Company Name,C=US,ST=Florida
! Defines x.500 distinguished name.
Router(config-ca-trustpoint)#rsakeypair GDKey
! Specifies key pair generated previously
Router(config-ca-trustpoint)#fqdn sslvpn.mydomain.com
! Specifies subject alternative name (DNS:).
Router(config-ca-trustpoint)#exit
- You can get the certificate request by issuing the following commands:
Router(config)#crypto ca enroll godaddy.trustpoint
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=Webvpn.cisco.com
% The subject name in the certificate will include: webvpn.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
! Displays the PKCS#10 enrollment request to the terminal.
! You will need to copy this from the terminal to a text
! file or web text field to submit to the 3rd party CA.
Certificate Request follows:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)#
- Paste the certificate request into the GoDaddy page to complete the request. The certificate request must be in the format below. You will need to add the begin and end lines yourself. Each of them must be on its own line or GoDaddy will give you an error. HINT: turn off word wrap in your text editor to ensure the format is correct.
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
-----END CERTIFICATE-----
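An added example (not from the original post): a Python helper that turns the raw text IOS prints after "Certificate Request follows:" into a PEM block ready to paste. It uses the standard PKCS#10 label `CERTIFICATE REQUEST`, which is also what a commenter on this page reports GoDaddy required, and it rejects a paste that lost a line. The function names and the dummy sample are assumptions made for the illustration.

```python
import base64
import re

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
LABEL = "CERTIFICATE REQUEST"  # RFC 7468 label for a PKCS#10 request

def der_sequence_length(der: bytes) -> int:
    """Total encoded length claimed by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; the wrong text was copied")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def ios_csr_to_pem(capture: str) -> str:
    """Turn the text shown after 'Certificate Request follows:' into PEM."""
    body = capture.split("Certificate Request follows:")[-1].split("---End")[0]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    b64 = "".join(ln for ln in lines if B64_LINE.match(ln))
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if der_sequence_length(der) != len(der):
        raise ValueError("request is truncated or has extra data")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        [f"-----BEGIN {LABEL}-----", *wrapped, f"-----END {LABEL}-----"]) + "\n"

# Constructed sample: a dummy DER SEQUENCE (not a real CSR), laid out the way
# IOS prints a request on the terminal.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_CAPTURE = (
    "Certificate Request follows:\n\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n\n---End - This line not part of the certificate request---\n")

if __name__ == "__main__":
    print(ios_csr_to_pem(SAMPLE_CAPTURE), end="")
```
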
- Once the certificate is issued you will receive an email to download your certificates and the intermediates bundle. Save these certificates locally and open them in a text editor like Notepad or, preferably, Notepad++. Select server type "other" for the download.
- The next step is to install the intermediate certificate bundle into the router's trustpoint you created earlier. Run the command below. Copy the INTERMEDIATE certificate you opened in your text editor and paste it into your terminal session when prompted. The certificate will be named gd_intermediate.crt.
Router(config)#crypto ca authenticate godaddy.trustpoint
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit
Trustpoint 'godaddy.trustpoint' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: D5DF85B7 9A5287D1 8CD50F90 232DB534
Fingerprint SHA1: 7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
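An added example (not part of the original post): before answering yes to "Do you accept this certificate?", compute the fingerprint of the downloaded file on your workstation and compare it with what the router displays. This Python helper splits a PEM bundle, formats each digest the way IOS prints it (upper-case hex in groups of eight), and reports which certificate in the bundle matches; the function names and the dummy sample data are assumptions.

```python
import base64
import hashlib
import re
from typing import List, Optional

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_CERT.findall(pem_text)]

def ios_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Format a digest the way IOS prints it: upper-case hex in groups of eight."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def find_cert(pem_text: str, shown: str, algo: str = "sha1") -> Optional[int]:
    """Index of the bundle certificate whose fingerprint equals the one IOS showed."""
    want = "".join(shown.split()).upper()
    for idx, der in enumerate(split_bundle(pem_text)):
        if ios_fingerprint(der, algo).replace(" ", "") == want:
            return idx
    return None  # no match: do not accept the certificate on the router

def _pem(der: bytes) -> str:  # helper used only to build the sample below
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: two dummy DER blobs standing in for gd_intermediate.crt.
SAMPLE_DERS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_BUNDLE = "".join(_pem(d) for d in SAMPLE_DERS)

if __name__ == "__main__":
    for i, der in enumerate(split_bundle(SAMPLE_BUNDLE)):
        print(i, "SHA1:", ios_fingerprint(der))
```
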
- You will now install the actual certificate. Follow the same copy and paste procedure as above. Notice the command is different than the command used to install the GoDaddy intermediate certificate bundle.
Router(config)#crypto ca import godaddy.trustpoint certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
- If everything went well, you should now have your certificates successfully installed. You can run the following commands to verify your certificate is properly installed. You should see both the intermediates and the issued certificate. Remember to exit config mode and save your configuration.
Router#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): XXXXXXXXXXXX
Certificate Usage: General Purpose
Issuer:
serialNumber=000000000
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject:
Name: sslvpn.mydomain.com
cn=sslvpn.mydomain.com
ou=Domain Control Validated
o=sslvpn.mydomain.com
CRL Distribution Points:
http://crl.godaddy.com/gds1-11.crl
Validity Date:
start date: 13:52:30 PCTime Dec 6 2009
end date: 13:52:30 PCTime Dec 6 2012
Associated Trustpoints: sslvpn.mydomain.com
Storage: nvram:07969287#2222.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 0000
Certificate Usage: Signature
Issuer:
ou=Go Daddy Class 2 Certification Authority
o=The Go Daddy Group\, Inc.
c=US
Subject:
serialNumber=07969287
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
CRL Distribution Points:
http://certificates.godaddy.com/repository/gdroot.crl
Validity Date:
start date: 20:54:37 PCTime Nov 15 2006
end date: 20:54:37 PCTime Nov 15 2026
Associated Trustpoints: sslvpn.mydomain.com
Storage: nvram:GoDaddyClass#303CA.cer
Router#show crypto pki trustpoints
Trustpoint godaddy.trustpointsslvpn.mycert.com:
Subject Name:
serialNumber=0000000
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Serial Number (hex): 0000
Certificate configured.
Installing GoDaddy SSL Certificates on a Cisco IOS Router using CLI

Comments

5/9/2013 1:51:19 AM | Dillon
I've been looking for weeks to find help with installing my cert. It's funny because I also used GoDaddy so I didn't have to change a thing besides my fqdn. Thanks a ton!!!

7/31/2012 6:22:19 PM | Marco

4/20/2012 1:12:17 PM | ChrisM
Worked great, had to change the lines to -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- when pasting the CSR into GoDaddy.

4/10/2012 10:43:15 AM | JRS
A big help, for others reading it, the intermediate cert is available here:
https://certs.godaddy.com/anonymous/repository.seam

9/28/2011 9:46:21 AM | Sander
Worked fine in general, I did add the IP address to the trustpoint. I got back a bundle of intermediate certificates from GoDaddy but the top one worked fine. Forgot to add the BEGIN and END lines as well, thanks for the tips.

11/2/2010 3:21:14 PM | mr_dirt
This process works very well.

8/5/2010 3:19:25 PM | mr_dirt
Thanks, I used this process to enroll a router with the GoDaddy CA for SSLVPN. Thanks again.