Category Archives: VPN

Installing and Configuring an SSL Certificate on Cisco 3000 Series VPN Concentrator

Some of the equipment on our network is a bit dated as we have some customers who still rely on those services for their day-to-day operations.  One of the oldest pieces of equipment we have is a Cisco 3030 VPN Concentrator.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure.  Unfortunately, this is a bit of a challenge on the Cisco VPN Concentrator due to its age and lack of support for more current certificate file formats.  When following the normal enrollment procedure within the concentrator’s UI, one receives the following error:

ErrorSo, in order to keep the concentrator’s SSL certificate current, a workaround will have to be performed.  To do this, you’ll need access to a computer with Internet Information Services (IIS)and OpenSSL.

The certificate itself is going to be created and installed on a Windows server via IIS using the VPN concentrator’s information.

Next, export the certificate, ensuring you’ve recorded the password assigned to the exported certificate.  At this point, you have a certificate in PKCS#12 format which is not supported by the VPN concentrator as it requires a certificate in PKCS#8 format.

To convert the certificate from one format to the other, we’ll use OpenSSL.  What’s interesting here is that you can’t just convert from PKCS#12 to PKCS#8.  Instead, you have to convert from PKCS#12 to PEM and then from PEM to PKCS#8.

NOTE: Make sure you launch the command prompt as Administrator or you might get “unable to write ‘random state'” errors.

So, converting the file to PEM:

Convert 12 to PEM2

pkcs12 is the OpenSSL command that indicates we’re working with a PKCS#12 format file
-in is the parameter that indicates the next input is the name of the file to be reformatted
D:\Temp\ExportCert.pfx is the path and filename of the file to be reformatted
-out is the parameter that indicates the next input is the name of the reformatted file
D:\Temp\ExportCert.pem is the path and filename of the reformatted file

You can see that I was prompted for the password of the exported certificate file.  Once that was supplied and verified, OpenSSL prompted me for a passphrase for the reformatted file.  I just used the same password I had used before to keep things simple.

Now, we’re going to convert from PEM to PKCS#8.  The commands are almost identical as the ones we used for converting to PEM from PKCS#12:

Convert PEM to 8

Hopefully, the syntax here is rather obvious with the only differences being the use of “pkcs8” rather than “pkcs12” as the OpenSSL command.  Also, you’ll see the -topk8 switch which tells OpenSSL the incoming private key is to be converted to the PKCS#8 format.

If you look at the contents of the .pk8 file, you’ll see something like this:

—–BEGIN ENCRYPTED PRIVATE KEY—–
<A whole lot of random-looking characters>
—–END ENCRYPTED PRIVATE KEY—–

Create a new text document in your favorite text editor and copy and paste the contents of the .pk8 file into it.

Once you’ve done that, open the .pem file you created when converting from .pfx and you should see a section that has the certificate you were issued by the CA:

—–BEGIN CERTIFICATE—–
<A whole lot of random-looking characters>
—–END CERTIFICATE—–

Cut and paste this section into your new text document immediately following the private key contents from the .pk8 file.  It should look like this:

—–BEGIN ENCRYPTED PRIVATE KEY—–
<A whole lot of random-looking characters>
—–END ENCRYPTED PRIVATE KEY—–
—–BEGIN CERTIFICATE—–
<A whole lot of random-looking characters>
—–END CERTIFICATE—–

Save this file so you don’t lose what you’ve accomplished so far.

The next step is to install the certificate bundle you received from the CA which contains the Intermediate and Root CA certificates.  This should be okay to install straight into the concentrator via the UI.

Go to Administration > Certificate Management > Installation and choose “Install CA Certificate” and upload the file from the CA.  I’ve been able to do this without any problems.

Next, go to Administration > Certificate Management and look for the “SSL Certificates” section.  You should have three interfaces listed there:  Private, Public and External.  You’ll want to perform this operation on each of the interfaces:

1. Click on “Import”
2. Select “Cut & Paste Text”
3. Copy and paste the contents of the text file which contains the private key and certificate
4. Type in the password for the private key
5. Click on “Install”

That’s it!  Hopefully, this will save you a bunch of time and some heartache.  I know this problem has frustrated me for quite some time.

Let me know what you think!