How to set up Cisco routers to establish IPsec tunnels using DN-based certificate authentication
Originally Published: 2002-09-05
Applies To
Cisco IOS 12.8
Cisco Router
Microsoft Windows 2000 Server SP1
SCEP
Issue
Certificate attribute (DN) issues when requesting certificates from Cisco routers via SCEP
Cause
Resolution
Requesting a certificate with the required DN:
A DN is an ordered sequence of attribute type/value pairs (relative distinguished names). One example of a DN would be:
OU=nsite,CN=nsite-cert,O=Cisco,C=US
The most commonly used attributes are:
String   X.500 AttributeType
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
Note that countryName (C) is the two-letter ISO 3166 code ("US", not "USA"); X.520 defines it as exactly two characters, so many CAs reject a three-letter value, and in any case the DN check on the peer fails if the issued value differs from the configured one.
[For full details, please see RFC 2253 (since replaced by RFC 4514) available at http://www.ietf.org/rfc/rfc2253.txt?number=2253]
One very important thing to understand is that any DN values used for authentication must appear in the "Subject" of the certificate, and they will only be there if they are specified at the time the certificate is requested. The peer trusts those values only because the CA signed them, so the DN check is never stronger than the CA's enrollment policy (what it lets a requester put in the Subject).
For example, suppose we want a router to identify itself with the DN values in the example above. The fields must be specified during enrollment as follows (enrollment mode ra is needed when the CA is fronted by a registration authority, as with the Microsoft SCEP add-on):
crypto ca trustpoint Cisco.com
 enrollment mode ra
 enrollment url http://100.1.1.5:80
 subject-name OU=nsite,CN=nsite-cert,O=Cisco,C=US
 crl optional
 exit
(The default subject name is the FQDN of the router, carried as the PKCS#9 unstructuredName attribute.)
Be aware that crl optional tells the router to accept a peer's certificate even when it cannot retrieve the CRL, so a revoked certificate could still authenticate; use it for lab work or where the CRL distribution point is reliably reachable, and otherwise leave CRL checking required.
Specify that the router will use the DN as its identity:
This is very straightforward. The required command is:
crypto isakmp identity dn
On the receiving end, configure a check for this DN:
First, configure the crypto identity desired and then associate it with the correct crypto map:
crypto identity from_moab
 dn OU=nsite,CN=nsite-cert,O=Cisco,C=US
crypto map crypmap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set some_trans
 set identity from_moab
 match address some_acl
With set identity applied, this crypto map entry is used only for a peer whose certificate DN matches the crypto identity; a peer with a valid certificate from the same CA but a different DN is rejected for this entry.
Some clarifications regarding crypto identity:
A crypto identity can have several DNs specified under it. For example:
crypto identity from_moab
 dn OU=nsite,CN=nsite-cert,O=Cisco,C=US
 dn OU=tac
 dn CN=tac-cert
 dn O=Nortel
 fqdn moab.Cisco.com
The thing to remember is that it is enough for any one of the several DNs specified to match, i.e. when multiple DNs are specified the router treats them as if there were an "OR" between them. However, when multiple attributes are specified within one DN, all of those attributes must match, i.e. the individual attributes are "AND"ed.
So, in the above example, it is enough if any of the DNs is matched; the remote end could present a certificate whose subject contains O=Nortel, and that alone would be enough.
However, if the router receives a DN of:
OU=nsite,CN=nsite-cert,O=Cisco,C=IN
then the check against the first line fails because C=IN instead of C=US: the crypto identity is looking for "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=US", while the DN received is "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=IN". None of the other lines match that DN either (it has no OU=tac, CN=tac-cert or O=Nortel), so the peer is rejected.
So, to reiterate, if you are looking to match dn (OU=nsite OR CN=nsite-cert OR O=Cisco), you would configure:
crypto identity from_moab
 dn OU=nsite
 dn CN=nsite-cert
 dn O=Cisco
and if you are looking to match dn (OU=nsite AND CN=nsite-cert AND O=Cisco), you would configure:
crypto identity from_moab
 dn OU=nsite,CN=nsite-cert,O=Cisco
Keep in mind that a single-attribute line such as dn O=Cisco accepts every certificate the trusted CA ever issued with O=Cisco; list all the attributes that distinguish the intended peer.
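The OR-across-lines, AND-within-a-line rule above is easy to get wrong when writing a crypto identity, so here is a small model of it as an added example (this is not IOS code and is not from the original article). It parses RFC 2253 DN strings as described earlier on this page, including quoted and backslash-escaped commas, builds the identity from configuration text in the page's own format, and reports which peer DNs it would accept. Assumptions: a dn line is a subset match on the peer's Subject (the article's O=Nortel example implies this), attribute values are compared exactly and case-sensitively, an fqdn line is simply one more alternative, and hex escapes such as \2C are not handled.

```python
"""Model of Cisco IOS 'crypto identity' DN matching: OR across 'dn' lines,
AND across the attributes within one 'dn' line. Added example, not IOS code."""
from typing import List, Optional, Tuple

Pair = Tuple[str, str]


def parse_dn(dn: str) -> List[Pair]:
    """Split an RFC 2253 string DN into (TYPE, value) pairs.
    Handles backslash escapes and double-quoted values (a comma inside them is
    literal); '+' (multi-valued RDN) is flattened into separate pairs.
    Hex escapes such as '\\2C' are not handled (assumption: not needed here)."""
    pairs: List[Pair] = []
    buf: List[str] = []
    quoted = False
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else None
        if ch is None or (ch in ",+" and not quoted):
            rdn = "".join(buf).strip()
            if rdn:
                if "=" not in rdn:
                    raise ValueError(f"malformed RDN: {rdn!r}")
                attr, value = rdn.split("=", 1)
                pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        elif ch == "\\" and i + 1 < len(dn):
            i += 1
            buf.append(dn[i])          # escaped character is taken literally
        elif ch == '"':
            quoted = not quoted        # quotes delimit; they are not part of the value
        else:
            buf.append(ch)
        i += 1
    return pairs


class CryptoIdentity:
    """One 'crypto identity <name>' block with its 'dn' and 'fqdn' lines."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.dn_rules: List[List[Pair]] = []
        self.fqdns: List[str] = []

    def dn(self, rule: str) -> "CryptoIdentity":
        self.dn_rules.append(parse_dn(rule))
        return self

    def fqdn(self, name: str) -> "CryptoIdentity":
        self.fqdns.append(name.lower())   # DNS names are case-insensitive
        return self

    def matches_dn(self, peer_subject: str) -> bool:
        """ANY rule may match; a rule matches when ALL its pairs appear in the
        peer's Subject. Extra Subject attributes are ignored, so 'dn O=Nortel'
        accepts every certificate with O=Nortel. Values are compared exactly
        (an assumption about IOS; the safe failure mode is a false reject)."""
        present = set(parse_dn(peer_subject))
        return any(all(pair in present for pair in rule) for rule in self.dn_rules)

    def matches(self, peer_dn: Optional[str] = None, peer_fqdn: Optional[str] = None) -> bool:
        """Assumption: an 'fqdn' line is just one more alternative (OR)."""
        return (peer_dn is not None and self.matches_dn(peer_dn)) or (
            peer_fqdn is not None and peer_fqdn.lower() in self.fqdns)


def parse_crypto_identity(config: str) -> CryptoIdentity:
    """Build a CryptoIdentity from IOS-style config text (constructed input)."""
    ident: Optional[CryptoIdentity] = None
    for raw in config.splitlines():
        words = raw.strip().split(None, 1)
        if not words:
            continue
        if words[0] == "crypto" and len(words) == 2 and words[1].startswith("identity "):
            ident = CryptoIdentity(words[1].split()[1])
        elif ident is None or words[0] not in ("dn", "fqdn") or len(words) < 2:
            raise ValueError(f"unsupported line: {raw.strip()!r}")
        elif words[0] == "dn":
            ident.dn(words[1])
        else:
            ident.fqdn(words[1])
    return ident


# The page's from_moab identity, with C=US (constructed config text).
FROM_MOAB = """
crypto identity from_moab
 dn OU=nsite,CN=nsite-cert,O=Cisco,C=US
 dn OU=tac
 dn CN=tac-cert
 dn O=Nortel
 fqdn moab.Cisco.com
"""

if __name__ == "__main__":
    ident = parse_crypto_identity(FROM_MOAB)
    for peer in ("OU=nsite,CN=nsite-cert,O=Cisco,C=US",   # first rule, all four ANDed
                 "OU=nsite,CN=nsite-cert,O=Cisco,C=IN",   # C differs: no rule matches
                 "CN=gw1,O=Nortel",                       # 'dn O=Nortel' alone is enough
                 'CN="Smith, J",OU=tac,O=Cisco'):         # quoted comma; 'dn OU=tac' matches
        print(f"{peer:42} -> {ident.matches_dn(peer)}")
```

The third peer is the point of the exercise: the single-attribute line dn O=Nortel makes any O=Nortel certificate from the trusted CA acceptable, which is rarely what a site intends; the C=IN peer shows that one differing attribute within a line defeats that line entirely.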
Examples of certificates on routers showing the DN attributes:
Certificate obtained after specifying the following at enrollment:
crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
subject-name CN=xyvenus4, OU=xynsite, O=xycisco
crl optional
VENUS-4# sho cry ca cert
Certificate
Status: Available
Certificate Serial Number: 1D
Certificate Usage: General Purpose
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Subject:
Name: VENUS-4.cisco.com
OID.1.2.840.113549.1.9.2 =<16> VENUS-4.cisco.com
CN = xyvenus4
OU = xynsite
O = xycisco
Validity Date:
start date: 13:41:11 edt Jun 13 2002
end date: 13:41:11 edt Jun 13 2003
renew date: 19:00:00 est Dec 31 1969
Associated Trustpoints: cisco.com
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Subject:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US
Validity Date:
start date: 00:00:00 edt May 20 2002
end date: 00:00:00 edt May 20 2004
Associated Trustpoints: cisco.com
VENUS-4#
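Before relying on the DN check at the far end, a practitioner wants to confirm that the CA actually issued the attributes requested with subject-name (a CA's policy module may rewrite or drop requested attributes), and that the router certificate chains by name to the CA certificate in the same trustpoint. The following added example (not IOS code and not from the original article) parses show crypto ca certificates text in the shape shown above into Issuer and Subject attributes, compares the Subject with the subject-name string, and checks that the router certificate's Issuer equals the CA certificate's Subject. It assumes the output format on this page, that OID 1.2.840.113549.1.9.2 is the PKCS#9 unstructuredName carrying the router FQDN, and that the subject-name string contains no escaped commas; the sample output is constructed from the VENUS-4 listing.

```python
"""Parse 'show crypto ca certificates' output and confirm the CA issued the
Subject attributes requested with 'subject-name'. Added example, not IOS code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the page's VENUS-4 output.
SHOW_CRYPTO_CA_CERT = """\
VENUS-4# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 1D
  Certificate Usage: General Purpose
  Issuer:
    CN = Certificate Manager
     OU =<> my_ipsec
     O =<> my_nsite
     C = US
  Subject:
    Name: VENUS-4.cisco.com
    OID.1.2.840.113549.1.9.2 =<16> VENUS-4.cisco.com
    CN = xyvenus4
     OU = xynsite
     O = xycisco
  Validity Date:
    start date: 13:41:11 edt Jun 13 2002
    end   date: 13:41:11 edt Jun 13 2003
  Associated Trustpoints: cisco.com
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    CN = Certificate Manager
     OU =<> my_ipsec
     O =<> my_nsite
     C = US
  Subject:
    CN = Certificate Manager
     OU =<> my_ipsec
     O =<> my_nsite
     C = US
  Associated Trustpoints: cisco.com
"""

# IOS prints a type/length marker ("=<>", "=<16>") between '=' and some values.
ATTR = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=(?:<\d*>)?\s*(.*?)\s*$")
# IOS shows the PKCS#9 unstructuredName (router FQDN) by OID; give it a name.
OID_NAMES = {"OID.1.2.840.113549.1.9.2": "unstructuredName"}


def parse_show_certs(text: str) -> List[Dict]:
    """Return one dict per certificate block: kind, serial, issuer{}, subject{}.
    A repeated attribute type (two OUs) keeps the last value, enough for this sample."""
    certs: List[Dict] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line, "serial": None, "issuer": {}, "subject": {}})
            section = None
        elif not certs:
            continue                      # the prompt and anything before the first block
        elif line.startswith("Certificate Serial Number:"):
            certs[-1]["serial"] = line.split(":", 1)[1].strip()
        elif line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
        elif line.endswith(":") or line.startswith("Associated Trustpoints"):
            section = None                # "Validity Date:" etc. end the name section
        elif section:
            m = ATTR.match(line)          # "Name: ..." has no '=' and is skipped
            if m:
                attr = OID_NAMES.get(m.group(1), m.group(1).upper())
                certs[-1][section][attr] = m.group(2)
    return certs


def check_enrolled_subject(cert: Dict, subject_name: str) -> List[Tuple[str, str, Optional[str]]]:
    """Compare the trustpoint's 'subject-name' string with the issued Subject.
    Returns (TYPE, wanted, got) for each attribute missing or different; an empty
    list means the CA honoured the request. Assumes no escaped commas."""
    problems = []
    for rdn in subject_name.split(","):
        attr, wanted = (part.strip() for part in rdn.split("=", 1))
        got = cert["subject"].get(attr.upper())
        if got != wanted:
            problems.append((attr.upper(), wanted, got))
    return problems


def issued_by(cert: Dict, ca: Dict) -> bool:
    """Name chaining only: the router cert's Issuer must equal the CA's Subject.
    The signature itself is verified by IOS when it validates the chain."""
    return bool(ca["subject"]) and cert["issuer"] == ca["subject"]


if __name__ == "__main__":
    router, ca = parse_show_certs(SHOW_CRYPTO_CA_CERT)
    print("issued subject:", router["subject"])
    print("request honoured:", check_enrolled_subject(router, "CN=xyvenus4, OU=xynsite, O=xycisco"))
    print("mismatches:", check_enrolled_subject(router, "CN=xyvenus4, OU=nsite, C=US"))
    print("issued by trustpoint CA:", issued_by(router, ca))
```

Run the check against the router's real output after enrollment and, if it reports mismatches, fix the enrollment request or the CA policy before configuring the matching crypto identity on the peer; a DN line that expects an attribute the CA never issued can only ever fail.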
If no subject name is specified during enrollment, the Subject carries only the router FQDN (the Name / unstructuredName lines seen above) and the certificate looks like:
crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
crl optional
VENUS-8#sho cry ca cert
Certificate
Status: Available
Certificate Serial Number: 20
Certificate Usage: General Purpose
Issuer:
CN = Certificate Manager
OU =<> my_ipsec
O =<> my_nsite
C = US