@inntran
Last active January 18, 2023 14:33
Trusted ROOT certificates for HTTPS client on Cisco IOS 15 M&T

Background

If you ever need to reach an HTTPS site from a Cisco router running IOS, whether through the copy command, the TR-069 client or the DDNS HTTP client, the request fails by default: the router has no trusted root CAs, so the SSL/TLS certificate chain presented by the server cannot be validated. The fix is to load Cisco's trusted root bundle into the PKI trustpool.

Install the Cisco-provided trusted root bundle

Before you import the CA bundle

Set up the trustpool policy

crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
 chain-validation
 revocation-check none
 storage flash:/pki/trs

cabundle url is where the router fetches the bundle from, chain-validation makes the router validate the whole chain up to a trustpool root, and storage is where the downloaded bundle is kept on flash. Note that revocation-check none turns off CRL/OCSP checking for certificates validated against the trustpool; a revoked server certificate will still be accepted, so only keep it if the router cannot reach the CAs' revocation services.

Having IPv6?

Why does IPv6 matter? Cisco routers perform an AAAA lookup regardless of whether they have IPv6 connectivity, and www.cisco.com resolves to an IPv6 address. If the router does have working IPv6, it can import the bundle directly:

  1. Make sure you have DNS servers configured: Router# show ip dns view
  2. Enable DNS lookup: Router(config)# ip domain-lookup
  3. Download and import the root CA bundle from Cisco to your router: Router(config)# crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios.p7b

IPv4 only?

There are a couple of workarounds for the case where your DNS server answers AAAA queries but the router has no IPv6 connectivity, so the download from www.cisco.com fails.

Download the CA bundle

  • Download the ios.p7b file from the URL above on another machine and copy it to the router's flash.

  • Disable DNS lookup (no ip domain-lookup), add a static host entry for www.cisco.com with its IPv4 address (ip host), then fetch ios.p7b with the copy http command.

  • Consider adding free IPv6 connectivity using https://tunnelbroker.net

Import the CA bundle from flash:

Router(config)# crypto pki trustpool import clean url flash:/ios.p7b
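The whole procedure on an IPv4-only router, from trustpool policy to verification, as an added example that is not part of the original gist. The IPv4 address of www.cisco.com (A.B.C.D) and the HTTPS URL used for the final test are placeholders, not values from the page; substitute your own.

```cisco
! Added example (not from the original gist). A.B.C.D and the HTTPS test
! URL are placeholders.
!
! 1. Trustpool policy: source of the bundle, full-chain validation, on-flash
!    storage. revocation-check none disables CRL/OCSP checks for certificates
!    validated against the trustpool.
Router# configure terminal
Router(config)# crypto pki trustpool policy
Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
Router(ca-trustpool)# chain-validation
Router(ca-trustpool)# revocation-check none
Router(ca-trustpool)# storage flash:/pki/trs
Router(ca-trustpool)# exit
!
! 2. IPv4-only workaround: stop the AAAA lookup by disabling DNS lookup and
!    pin www.cisco.com to its IPv4 address with a static host entry.
Router(config)# no ip domain-lookup
Router(config)# ip host www.cisco.com A.B.C.D
Router(config)# end
!
! 3. Fetch the bundle over plain HTTP into flash.
Router# copy http://www.cisco.com/security/pki/trs/ios.p7b flash:/ios.p7b
!
! 4. Import it into the trustpool, replacing whatever was there before.
Router# configure terminal
Router(config)# crypto pki trustpool import clean url flash:/ios.p7b
!
! 5. Undo the workaround once the bundle is in place.
Router(config)# no ip host www.cisco.com A.B.C.D
Router(config)# ip domain-lookup
Router(config)# end
!
! 6. Verify: the policy is what you configured and the pool lists root CAs.
Router# show crypto pki trustpool policy
Router# show crypto pki trustpool
!
! 7. Exercise the HTTPS client; this is the transfer that failed before the
!    trustpool was populated.
Router# copy https://example.invalid/test.txt flash:/test.txt
```

The bundle is necessarily fetched over plain HTTP, because the trustpool it bootstraps is still empty at that point. Before relying on it, compare the CA subjects listed by show crypto pki trustpool with what you expect from the Cisco bundle, and keep in mind that with revocation-check none the router never consults a CRL or OCSP responder for the server certificates it now accepts.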
