How to set up Cisco routers to establish IPsec tunnels using DN-based certificate authentication
Originally Published: 2002-09-05
Article Number
Applies To
Cisco IOS 12.8
Cisco Router
Microsoft Windows 2000 Server SP1
SCEP
Issue
Certificate attribute issues when making request from Cisco routers via SCEP
Cause
Resolution
Requesting a certificate with the required DN:
DNs are essentially a series of attributes with specified values. One example of a DN would be:
OU=nsite,CN=nsite-cert,O=Cisco,C=USA
The most commonly used attributes are:

String   X.500 AttributeType
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
[For full details, please see RFC 2253 available at http://www.ietf.org/rfc/rfc2253.txt?number=2253]
One very important thing to understand is that any of the DN values used for authentication must appear in the "Subject" line of the certificate. This will happen only if these values are specified at the time the certificate is requested.
For example, suppose we want a router to identify itself with the DN values in the example above. The fields must be specified during enrollment as follows:
crypto ca trustpoint Cisco.com
enrollment mode ra
enrollment url http://100.1.1.5:80
subject-name OU=nsite,CN=nsite-cert,O=Cisco,C=USA
crl optional
exit
(The default subject name is the FQDN of the router)
Specify that the router will use the DN as its identity:
This is very straightforward. The required command is:
crypto isakmp id dn
On the receiving end, configure a check for this DN:
First, configure the crypto id desired and then associate it with the correct crypto map:
crypto id from_moab
dn OU=nsite,CN=nsite-cert,O=Cisco,C=USA
crypto map crypmap 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set some_trans
set identity from_moab
match address some_acl
Some clarifications regarding crypto id:
A crypto id can have several DNs specified under it. For example:
crypto id from_moab
dn OU=nsite,CN=nsite-cert,O=Cisco,C=USA
dn OU=tac
dn CN=tac-cert
dn O=Nortel
fqdn moab.Cisco.com
The thing to remember is that it is enough for any one of the several DNs specified to be valid. I.e. when multiple DNs are specified, the router essentially treats them as if there was an "OR" between them. However, when multiple attributes are specified for a DN, all of the attributes must match; i.e. all the individual attributes are "AND"ed.
So, in the above example, it is enough if any of the DNs is matched, i.e. the remote end could have a DN with O=Nortel and that would be enough.
However, if the router receives a DN of:
dn OU=nsite,CN=nsite-cert,O=Cisco,C=IN
then the DN check will fail since C=IN instead of "US". This is because the crypto id specified on the router is looking for "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=US", and the DN received is "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=IN".
So, to reiterate, if you are looking to match dn (OU=nsite OR CN=nsite-cert OR O=Cisco), you would configure:
crypto id from_moab
dn OU=nsite
dn CN=nsite-cert
dn O=Cisco
and if you are looking to match dn (OU=nsite AND CN=nsite-cert AND O=Cisco), you would configure:
crypto id from_moab
dn OU=nsite,CN=nsite-cert,O=Cisco
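To make the OR/AND semantics above concrete, the following Python model (an added example for this article, not Cisco IOS code) parses RFC 2253 DN strings and evaluates a received certificate Subject against the dn lines of a crypto identity the way the text describes: a single dn line matches when every attribute it names is present in the Subject with the same value, and the identity matches when any one of its dn lines matches. The comparison rules it uses (attribute types compared case-insensitively, values compared exactly after trimming whitespace, attribute order ignored) are assumptions for the purpose of illustration; the article does not state the exact rule IOS applies, and the names FROM_MOAB, OR_STYLE and AND_STYLE are just labels for the three configurations shown above.

```python
"""Model of crypto identity DN matching as described in the article:
OR across "dn" lines, AND across the attributes within one dn line.
Added example, not IOS code; comparison rules are assumptions."""

from typing import List, Tuple


def _split_pair(rdn: str) -> Tuple[str, str]:
    """Turn one 'TYPE=value' component into a normalised (TYPE, value) pair."""
    if "=" not in rdn:
        raise ValueError(f"malformed RDN component: {rdn!r}")
    attr_type, value = rdn.split("=", 1)
    # Assumption: attribute types are case-insensitive, values compared as-is.
    return attr_type.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string such as 'OU=nsite,CN=nsite-cert,O=Cisco,C=USA'
    into (type, value) pairs.  Commas inside double quotes or escaped with a
    backslash are part of the value; multi-valued RDNs ('+') are not modelled."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character, keep it literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            pairs.append(_split_pair("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        pairs.append(_split_pair("".join(buf)))
    return pairs


def dn_matches(configured: str, received: str) -> bool:
    """One configured dn line matches when ALL of its attributes appear in the
    received Subject with the same value (the 'AND' in the text).  Attribute
    order is ignored (assumption) and extra Subject attributes are allowed."""
    configured_pairs = parse_dn(configured)
    if not configured_pairs:
        raise ValueError("a dn line must name at least one attribute")
    received_pairs = set(parse_dn(received))
    return all(pair in received_pairs for pair in configured_pairs)


def crypto_identity_matches(dn_lines: List[str], received: str) -> bool:
    """A crypto identity matches when ANY of its dn lines matches (the 'OR')."""
    return any(dn_matches(line, received) for line in dn_lines)


# The three configurations discussed above, as lists of their dn lines.
# (The fqdn line of the multi-dn example is a hostname check, not a DN check.)
FROM_MOAB = [
    "OU=nsite,CN=nsite-cert,O=Cisco,C=USA",
    "OU=tac",
    "CN=tac-cert",
    "O=Nortel",
]
OR_STYLE = ["OU=nsite", "CN=nsite-cert", "O=Cisco"]          # any one attribute
AND_STYLE = ["OU=nsite,CN=nsite-cert,O=Cisco"]               # all three together

if __name__ == "__main__":
    # Constructed Subjects that a peer might present.
    for subject in (
        "OU=nsite,CN=nsite-cert,O=Cisco,C=USA",   # exact match of the first dn line
        "O=Nortel",                               # one dn line is enough
        "OU=nsite,CN=nsite-cert,O=Cisco,C=IN",    # C differs: the AND fails
    ):
        print(f"{subject:45} from_moab -> {crypto_identity_matches(FROM_MOAB, subject)}")
    partial = "OU=nsite,CN=other,O=Other"
    print(f"{partial:45} OR-style  -> {crypto_identity_matches(OR_STYLE, partial)}")
    print(f"{partial:45} AND-style -> {crypto_identity_matches(AND_STYLE, partial)}")
```

Run it and the C=IN Subject is rejected by from_moab while a Subject carrying only O=Nortel is accepted; the partially matching Subject passes the OR-style identity but fails the AND-style one, which is exactly the difference between listing attributes on separate dn lines and joining them on a single line.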
Examples of certificates on routers showing the DN attributes:
Certificate obtained after specifying the following at enrollment:
crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
subject-name CN=xyvenus4, OU=xynsite, O=xycisco
crl optional
VENUS-4# sho cry ca cert
Certificate
Status: Available
Certificate Serial Number: 1D
Certificate Usage: General Purpose
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Subject:
Name: VENUS-4.cisco.com
OID.1.2.840.113549.1.9.2 =<16> VENUS-4.cisco.com
CN = xyvenus4
OU = xynsite
O = xycisco
Validity Date:
start date: 13:41:11 edt Jun 13 2002
end date: 13:41:11 edt Jun 13 2003
renew date: 19:00:00 est Dec 31 1969
Associated Trustpoints: cisco.com
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Subject:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Validity Date:
start date: 00:00:00 edt May 20 2002
end date: 00:00:00 edt May 20 2004
Associated Trustpoints: cisco.com
VENUS-4#
If no subject name is specified during the enrollment, the certificates look like:
crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
crl optional
VENUS-8#sho cry ca cert
Certificate
Status: Available
Certificate Serial Number: 20
Certificate Usage: General Purpose
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US