I recorded these steps again; the same procedure from a couple of years ago is in the following posts:
- All VPN posts
- Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment
- Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 2
- Cisco IOU IPsec Site to Site VPN with External Third Party CA (XCA) - Part 3
1. Create a new trustpoint named Symantec2017
Some basic information:
- trustpoint: the container that holds the CA certificate, the router certificate and the parameters (enrollment method, key pair, revocation checking) that govern them.
- crypto pki trustpoint (crypto ca trustpoint in older IOS releases): declares the CA that the router should use and enters ca-trustpoint configuration mode.
- subject-name [x.500-name]: specifies the subject name in the certificate request. If the subject-name subcommand is not used, the router Fully Qualified Domain Name (FQDN) is used by default. This is used in ca-trustpoint configuration mode.
- enrollment terminal: the CSR is displayed on the console and the certificates are pasted back in, so no SCEP server is needed.
- rsakeypair label: the key pair used for the CSR. The label 16th-M.test.com below is the pair generated in March 2014 (see the show crypto key output), so the renewed certificate keeps the old key; generating a fresh pair with crypto key generate rsa label ... modulus 2048 at renewal time is the safer habit.
- revocation-check none: the router does not consult a CRL or OCSP responder when it validates a certificate against this trustpoint. That is acceptable for a trustpoint whose only job is to hold the router's own server certificate, but it must not be carried over to a trustpoint used to authenticate peers (for example VPN peers).
The key pairs already on the router:
16th-M#show crypto key mypubkey all
% Key pair was generated at: 09:55:58 EST Mar 9 2013
Key name: TP-self-signed-2633522734
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A4C55D
1DEEAEDB EAAE75D0 989275A6 B5426968 CB1C0ABE 8E585118 872A84AF 559BE393
A91ECCFB 276561C6 E4D0AEAF 5B5943E8 5690DD8B 256F0BDC B3E8FC6F DB1492AC
AD6AC5B5 FA22C688 436EB5DA E64FAEC8 E8EE1A37 B387A28F 3263A0A4 B85B46FB
4F1AB7DD 5D172666 1CEFBB8C 60654CFB 9DEA11C7 C689E036 21A5329D 59020301 0001
% Key pair was generated at: 17:32:48 EDT Mar 10 2014
Key name: 16th-M.test.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00DF8C50 A98D8C62 1101D434 5AA2E780 730C9866 4E363B78 5A3DE7EE 8C759DFA
348DAD35 E6B3CD46 1D976EEC 79D5B9DD 4E606F03 15C252E9 CA62E231 11CF493B
82DCB66E 1F71FAF7 30215164 4070BF33 190A999A 5B440137 64CF6D68 CDAE9D05
B71E9AC2 D042D2A4 5050D438 5738688C C44BF585 79757D73 8F2934FD 148255EC
F0EC9D13 E47E1A41 038227DA 973ED65C 013C1468 2A63E064 3BDD5018 B6D8C192
49B2914D 25255262 B121021B C69F9D38 D5091C21 A6218924 9914057A 41CD767F
DCB400B3 C489165A 1A62FE63 9C7C7538 9974E710 A9E84F6B 05FBD6D5 0D4D5051
E83B2316 C5037EAF 7B9AE0A0 20D30BF9 7862FD12 5468BBFA 09D103A1 1D2E2876
F5020301 0001
% Key pair was generated at: 13:55:31 EST Nov 22 2015
Key name: TP-self-signed-2633522734.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B03C6F 367C38A3
17EA9CD0 894C5D85 61629C37 F12A0E08 222F7851 E6E07E0A 894BD454 42EDEE0A
C818957A 0FC3863B 2F571747 93E06B6C F52552F3 EE5E72B6 6F2C0B59 0B7F52E7
9AC7DA2A 47D69833 6B32F64D A05DD6B3 360D6325 E3270409 D1020301 0001
16th-M(config)#
crypto pki trustpoint Symantec2017
 enrollment terminal
 fqdn 16th-M.test.com
 subject-name CN=16th-M.test.com,OU=IT,O=Test,C=CA,ST=Ontario
 revocation-check none
 rsakeypair 16th-M.test.com
!
2. Generate CSR
16th-M(config)#crypto pki enroll Symantec2017
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=16th-M.test.com,OU=IT,O=Test,C=CA,ST=Ontario
% The subject name in the certificate will include: 16th-M.test.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

MIIC6TCCAdECAQAwgYIxEDAOBgNVBAgTB09udGFyaW8xCzAJgNVBAYTAkNBMQww
CgYDVQQKDANHJkQxCzAJBgNVBAsTAklUMR8wHQYDVQQDExxNnRoLU1hcmtoYW0u
Z2ktZGUuY29tMSUwIwYJKoZIhvcNAQkCFhYxNnRoLU1hcmtoW0uZ2ktZGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA34xQqYMYhEB1DRaoueA
cwyYZk42O3haPefujHWd+jSNrTXms81GHZdu7HnVud1OYG8DcJS6cpi4jERz0k7
gty2bh9x+vcwIVFkQHC/MxkKmZpbRAE3ZM9taM2unQW3HprC0ESpFBQ1DhXOGiM
xEv1hXl1fXOPKTT9FIJV7PDsnRPkfhpBA4In2pc+1lwBPBRomPgZDvdUBi22MGS
SbKRTSUlUmKxIQIbxp+dONUJHCGmIYkkmRQFekHNdn/ctACzxkWWhpi/mOcfHU4
mXTnEKnoT2sF+9bVDU1QUeg7IxbFA36ve5rgoCDTC/l4Yv0SVi7+gnRA6EdLih2
9QIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBMCBaAwDQYJKoZI
hvcNAQEFBQADggEBAHoO0tkllzrj0hEw9rcliL8iVzZehBYJAN8l2p8k/EYWetb
AF8qqC+cZiVEh2DQ90V+Lz1/sQE+h8l2EYIPQsHNX4mDgVKTERTH9PrMD45ehBa
kZMxmhWq9wdBSzAaUa55jeiTmdKFp+mi5+eGNe/+EM0ZGSpInYeDA3JTB98gGCP
YgLge/4bRdZP0qstI0a7g/WQWDS11Epgc1H0F2CMYeBzzmJSoro2jpRo0bqKb0Q
BVkW39wVrk2+QB5zAYCf1ZhKi46ZOR/5VP/phDtNo9Qt309rjkNqEJG8xyJXgez
i6aUchapQhqWZ8Bl8tmzq5OKsJW2HaHOw9ZylAA=

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:
3. Send the CSR to Symantec to renew your certificate
4. Import the intermediate CA certificate into your trustpoint.
In the downloaded zip file you will find several files, including two certificates: IntermediateCA.crt and ssl_certificate.crt.
We will import IntermediateCA.crt into the newly created Symantec2017 trustpoint. Before answering yes at the accept prompt, compare the fingerprint the router prints with the one published by the CA (or computed from the downloaded file); this prompt is the only point at which the router checks who the CA is.
16th-M(config)#crypto pki authenticate Symantec2017

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----

Trustpoint 'Symantec2017' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
     Fingerprint MD5: 23D5858E BC898610 7CB7AC1E 17F726C5
     Fingerprint SHA1: FF67367C 5CD4DE4A E18BCCE1 D70FDABD 7C866135

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
5. Import the SSL certificate
ssl_certificate.crt holds your Symantec-signed SSL certificate, which is imported into the same trustpoint. IOS validates it against the CA authenticated in the previous step and against the key pair named by rsakeypair, so a certificate issued by a different CA or for a different key is rejected at this point.
16th-M(config)#crypto pki import Symantec2017 certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIG8zCCBdugAwIBAgIQbquKQO1HxIm1UJWBjeuHSTANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE3MDIyMTAwMDAwMFoX
DTIwMDMwODIzNTk1OVowgYMxCzAJBguVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlv
MRAwDgYDVQQHDAdNYXJraGFtMS8wLQYDVQQKDCZHaWVzZWNrZSAmIERldnJpZW50
IHN5c3RlbXMgY2FuYWRhIGluYzEfMB0GA1UEAwwWMTZ0aC1NYXJraGFtLmdpLWRl
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+MUKmNjGIRAdQ0
WqLngHMMmGZONjt4Wj3n7ox1nfo0ja015rPNRh2Xbux51bndTmBvAxXCUunKYuIx
Ec9JO4Lctm4fcfr3MCFRZEBwvzMZCpmaW0QBN2TPbWjNrp0Ftx6awtBC0qRQUNQ4
VzhojMRL9YV5dX1zjyk0/RSCVezw7J0T5H4aQQOCJ9qXPtZcATwUaCpj4GQ73VAY
ttjBkkmykU0lJVJisSECG8afnTjVCRwhpiGJJJkUBXpBzXZ/3LQAs8SJFloaYv5j
nHx1OJl05xCp6E9rBfvW1Q1NUFHoOyMWxQN+r3ua4KAg0wv5eGL9ElRou/oJ0QOh
HS4odvUCAwEAAaOCA2UwggNhMCEGA1UdEQQaMBiCFjE2dGgtTWFya2hhbS5naS1k
ZS5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKwYDVR0fBCQwIjAgoB6g
HIYaaHR0cDovL3NzLnN5bWNiLmNvbS9zcy5jcmwwYQYDVR0gBFowWDBWBgZngQwB
AgIwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYB
BQUHAgIwGQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFF9gz2GQVd+EQxSKYCqy9Xr0Qxjv
MFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3NzLnN5bWNkLmNv
bTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNvbS9zcy5jcnQwggH2Bgor
BgEEAdZ5AgQCBIIB5gSCAeIB4AB2AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0R
xM227L7MAAABWmEiAokAAAQDAEcwtQIgIHyZL332dKs+vnxZ2UCiDLQAjYLyFexL
MBF4ugX5fiICIQD3tlZugt44sbvGUh+OZXF+C6k+pjnyuhZ19JfUvWxQUwB2AKS5
CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABWmEiAr8AAAQDAEcwRQIg
CN84AlcvYIRFy8iA4pczG5muCvODSJg49UfeH7UvF/kCIQCaSZlSruK7Y87QFc5Q
eELhy0NsW35rj2laNAIvN3fEHgB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDE
e4l6qP3LAAABWmEiAtkAAAQDAEcwRQIgG/pqEdK86FSP809U5kGuD6lzEOmgme2H
W1hRxAXX0uECIQCHd1oFD/N8cAOPeCMRnJnt2SovuQHDQMZGd7EuIGTkFQB2ALx4
4d/F9jxoRkkzTaEPoV8JeWkgCcCBtPP2kX8+2bilAAABWmEiA4oAAAQDAEcwRQIg
OqU6BOqzBdIhIWSgg9wGW9pmn7CX3luyA4UliziIhZ8CIQClAB69xOCJC+yMMMut
G/u9glb0BKKj1S1uz6nPk3AALTANBgkqhkiG9w0BAQsFAAOCAQEAjN+BkspnG52g
LJIyRokoO+ftoSHcj1AqVPUZ/eo0qC8MZcbbJv3e9UAN76nca3+TLrO5D8qNRAjT
6yn5FJANr/9YQg9kodmJl0b1DZMpWGM6F4HWFJragIbcSinXYCbNrYP28NNatmXw
ASNXEdHhXIN1TBGSm2TwW8uIwzA/EyjdEnz1u4R8ktnz8Xt2UGohNJARnDCas9pz
uvmBJ8uq00B6rbtmsoRib9xaRjFMsRDAx3U6Bk2N3LYNNnipdiqI9DCfFQEo6+9S
KLPIQ6nHio3qwfTRwD6jY0ZHHeszl+4cHkXUHw8D46NQ3au72acKwZs1GoSLy2cI
6RgBgcZfYg==
-----END CERTIFICATE-----

% Router Certificate successfully imported
16th-M(config)#
Verify:
16th-M#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 6EAB8A40ED47C489B55095818DEB8749
  Certificate Usage: General Purpose
  Issuer:
    cn=Symantec Class 3 Secure Server CA - G4
    ou=Symantec Trust Network
    o=Symantec Corporation
    c=US
  Subject:
    Name: 16th-M.test.com
    cn=16th-M.test.com
    o=Giesecke & Devrient systems canada inc
    l=Markham
    st=Ontario
    c=CA
  CRL Distribution Points:
    http://ss.symcb.com/ss.crl
  Validity Date:
    start date: 19:00:00 EST Feb 20 2017
    end   date: 19:59:59 EDT Mar 8 2020
  Associated Trustpoints: Symantec2017
  Storage: nvram:SymantecClas#8749.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 513FB9743870B73440418D30930699FF
  Certificate Usage: Signature
  Issuer:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign Inc.
    c=US
  Subject:
    cn=Symantec Class 3 Secure Server CA - G4
    ou=Symantec Trust Network
    o=Symantec Corporation
    c=US
  CRL Distribution Points:
    http://s1.symcb.com/pca3-g5.crl
  Validity Date:
    start date: 20:00:00 EDT Oct 30 2013
    end   date: 19:59:59 EDT Oct 30 2023
  Associated Trustpoints: Symantec2017
  Storage: nvram:VeriSignClas#99FFCA.cer

Certificate
  Status: Available
  Certificate Serial Number (hex): 04681FB41D03897F3C61766E1DD5C42F
  Certificate Usage: General Purpose
  Issuer:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign Inc.
    c=US
  Subject:
    Name: 16th-M.test.com
    cn=16th-M.test.com
    ou=Terms of use at www.verisign.com/rpa (c)05
    o=Giesecke & Devrient systems canada inc
    l=Markham
    st=Ontario
    c=CA
  CRL Distribution Points:
    http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
  Validity Date:
    start date: 20:00:00 EDT Mar 9 2014
    end   date: 18:59:59 EST Mar 9 2017
  Associated Trustpoints: Verisign2014
  Storage: nvram:VeriSignClas#C42F.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6ECC7AA5A7032009B8CEBCF4E952D491
  Certificate Usage: Signature
  Issuer:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign Inc.
    c=US
  Subject:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign Inc.
    c=US
  CRL Distribution Points:
    http://crl.verisign.com/pca3-g5.crl
  Validity Date:
    start date: 19:00:00 EST Feb 7 2010
    end   date: 18:59:59 EST Feb 7 2020
  Associated Trustpoints: Verisign2014
  Storage: nvram:VeriSignClas#D491CA.cer

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-2633522734
  Subject:
    Name: IOS-Self-Signed-Certificate-2633522734
    cn=IOS-Self-Signed-Certificate-2633522734
  Validity Date:
    start date: 09:55:58 EST Mar 9 2013
    end   date: 19:00:00 EST Dec 31 2019
  Associated Trustpoints: TP-self-signed-2633522734
  Storage: nvram:IOS-Self-Sig#1.cer
16th-M#
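The offline checks a practitioner would run around steps 4 and 5, as an added example that is not part of the original post and not Cisco or Symantec code. It embeds the intermediate CA pasted at the crypto pki authenticate prompt above, walks the DER with a minimal tag-length-value reader (standard library only, no signature verification) and returns the values the router prints: serial, validity, and the MD5/SHA1 fingerprints to compare against the accept prompt before answering yes. The function names (parse_cert, check_chain, key_matches_router) are my own.

```python
# Added example for this post (not Cisco or Symantec code): offline checks on the certificates
# pasted at the `crypto pki authenticate` / `crypto pki import` prompts. No signature verification.
import base64
import hashlib
import re
from datetime import datetime, timezone

# The Symantec intermediate (IntermediateCA.crt) exactly as pasted in the post above.
INTERMEDIATE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Drop the BEGIN/END armour and whitespace, then base64-decode."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem).split()))

def elements(body):
    """Split a DER SEQUENCE body into (tag, raw_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, start = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                        # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length, start = int.from_bytes(body[start:start + n], "big"), start + n
        end = start + length
        out.append((tag, body[pos:end], body[start:end]))
        pos = end
    return out

def asn1_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Extract the fields IOS prints: serial, issuer/subject (raw DER), validity, SPKI."""
    der = pem_to_der(pem)
    tbs = elements(elements(der)[0][2])[0][2]      # Certificate -> tbsCertificate
    f = elements(tbs)
    if f[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        f.pop(0)
    not_before, not_after = [asn1_time(t, v) for t, _, v in elements(f[3][2])]
    return {"der": der, "serial": int.from_bytes(f[0][2], "big", signed=True),
            "issuer": f[2][1], "subject": f[4][1],  # raw Name DER, compared byte-for-byte
            "not_before": not_before, "not_after": not_after,
            "spki": f[5][1]}                       # SubjectPublicKeyInfo DER

def fingerprints(der):
    """Hex digests grouped in eights, as IOS prints them at the accept prompt."""
    group = lambda h: " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return {n: group(hashlib.new(n, der).hexdigest().upper()) for n in ("md5", "sha1", "sha256")}

def key_matches_router(cert, key_data_hex):
    """True if the cert's SPKI equals the Key Data hex from `show crypto key mypubkey rsa`."""
    return cert["spki"].hex().upper() == "".join(key_data_hex.split()).upper()

def check_chain(leaf, ca, now=None):
    """Problems to catch before accepting/importing; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if leaf["issuer"] != ca["subject"]:
        problems.append("leaf issuer does not match the trustpoint's CA subject")
    for name, c in (("leaf", leaf), ("CA", ca)):
        if not c["not_before"] <= now <= c["not_after"]:
            problems.append(f"{name} certificate is outside its validity period")
    return problems

if __name__ == "__main__":                         # values to compare against the router's prompt
    ca = parse_cert(INTERMEDIATE_CA_PEM)
    print(f"serial {ca['serial']:032X}, valid {ca['not_before']:%Y-%m-%d} to {ca['not_after']:%Y-%m-%d}")
    for name, fp in fingerprints(ca["der"]).items():
        print(f"Fingerprint {name.upper()}: {fp}")
```

For step 5, run parse_cert on ssl_certificate.crt and on the accepted CA: check_chain(leaf, ca) must come back empty, and key_matches_router(leaf, key_data) must be True when key_data is the Key Data hex of the 16th-M.test.com pair from the show crypto key mypubkey output above. That hex is the same SubjectPublicKeyInfo DER the certificate carries, so a mismatch means the CA issued the certificate for a key other than the one named by rsakeypair and the import will fail.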
Reference:
- Installing GoDaddy SSL Certificates on a Cisco IOS Router using CLI
- Certificate renewal – how was it after years?