View the Cisco Trusted Root Store

A root certificate is required when Secure Access proxies and decrypts HTTPS traffic intended for a website. Cisco publishes trusted root store bundles that list the certificates its products trust. Within a bundle, you can view the list of trusted Cisco Certificate Authorities (CAs), the type of each root certificate, and each certificate's SHA-1 fingerprint.

The root certificates that Secure Access trusts are distributed in the Cisco Trusted Union Root bundle, a PKCS#7 file (.p7b). The bundle is digitally signed, and the signing certificate is carried inside the bundle; you extract that certificate and use it to verify the bundle's signature before extracting the trusted roots.


Prerequisites

  • You must have administrative privileges on the devices in the organization, or network administrator permissions for the network.
  • Use OpenSSL 1.0 or later. The openssl cms subcommand used to verify the bundle is not available in earlier releases.

Download the Cisco Trusted Union Root Bundle

  1. Navigate to the Cisco Cryptographic Services site at Cisco PKI: Policies, Certificates, and Documents.
  2. Under Trusted Root Stores, download the Cisco Trusted Union Root Bundle: https://www.cisco.com/security/pki/trs/ios_union.p7b.

Extract the Certificates

Step 1: Extract the Signing Certificate

Extract the signing certificate from the Trusted Union Root bundle (ios_union.p7b) and save it in a file named RootBundleSigningCertificate.cer. The certificate that -print_certs writes here comes from the outer signed structure of the bundle, not from the list of trusted roots, which is the signed content.

openssl pkcs7 -in ios_union.p7b -inform DER -print_certs > RootBundleSigningCertificate.cer

Step 2: Extract Certificate Bundle as Message

Use the extracted signing certificate (RootBundleSigningCertificate.cer) to verify the signature on the Trusted Union Root bundle (ios_union.p7b). Because the command passes -nointern and -noverify, OpenSSL ignores any certificates embedded in the message and does not build or validate a chain for the signer: it checks only that the signature was produced by the certificate in RootBundleSigningCertificate.cer. That proves the bundle has not been modified since it was signed, but not who signed it, because the signing certificate came from the same file. Before relying on the result, compare the fingerprint of the signing certificate with the value that Cisco publishes on the Cisco PKI site.

# This command extracts the certificate bundle as a message into the
#   file iosBundleBodyVerified.p7b if the signature verifies
openssl cms -verify -nointern -noverify -inform DER -in ios_union.p7b -outform DER \
  -out iosBundleBodyVerified.p7b -certfile RootBundleSigningCertificate.cer

If the signature verifies, OpenSSL writes the signed content to iosBundleBodyVerified.p7b and prints a message (on standard error) similar to:

Verification successful

Step 3: Extract PEM-Formatted Certificates From Bundle

# This command extracts the certificates from the bundle into a separate
#   file, iosCerts.PEM, containing only the PEM-formatted certificates from the bundle.
openssl pkcs7 -inform DER -print_certs -outform PEM < iosBundleBodyVerified.p7b \
  |grep -v 'subject=' |grep -v 'issuer=' |sed '/^$/d' > iosCerts.PEM

Step 4: Generate Individual Certificate Files

Linux

# If you are on Linux (GNU awk), use this command to split the PEM bundle into
#   individual certificate files named 1.pem, 2.pem, ... in the current directory.
#   The parentheses around the file name keep the redirection target unambiguous.
#   (On macOS, use the split command below instead.)
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} {print > (c ".pem")}' < iosCerts.PEM

macOS

# If you are on a Mac (BSD split), use this command to split the PEM bundle into
#   individual certificate files named individual-aa, individual-ab, ...
#   (Does not work on Linux because GNU split does not support the -p flag.)
split -p "-----BEGIN CERTIFICATE-----" iosCerts.PEM individual-

View an Individual Certificate File

Use openssl x509 to print the contents of an individual certificate file as plain text. Pass the name of the individual file to the -in option.

openssl x509 -in <individual-file> -text
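The following script is an added example, not Cisco's own tooling or part of the original page. It runs Steps 1 through 4 above and the fingerprint inspection in one portable POSIX shell function, adds the trust check that the -noverify flag leaves to you (comparing the signer's fingerprint with a value obtained out of band), and reports the subject and SHA-1 fingerprint of every CA in the bundle, which are the attributes the trust store lists. The function names, the output directory layout, and the constructed stand-in bundle built by make_constructed_bundle (two throwaway self-signed roots signed with a throwaway key, so the script can be exercised offline) are all assumptions of this example; for the real bundle, pass ios_union.p7b and take the expected signer fingerprint from the Cisco PKI site.

```shell
#!/bin/sh
# Added example (not Cisco tooling): extract, verify, split and inspect a
# CMS-signed PKCS#7 trust store bundle such as ios_union.p7b.
# Function names, directory layout and the constructed test bundle are
# assumptions of this example.
set -eu

# Steps 1-4 of the page. BUNDLE is the .p7b; OUTDIR receives
# RootBundleSigningCertificate.cer, iosBundleBodyVerified.p7b, iosCerts.PEM
# and one N.pem file per CA certificate. Returns non-zero when the
# signature over the bundle does not verify.
extract_root_store() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"

    # Step 1: the signer certificate travels in the outer SignedData.
    openssl pkcs7 -inform DER -in "$bundle" -print_certs \
        > "$outdir/RootBundleSigningCertificate.cer"

    # Step 2: -nointern ignores certificates embedded in the message and
    # -noverify skips chain validation, so this proves integrity relative to
    # the extracted signer only. Trust in the signer is a separate check
    # (signer_fingerprint_matches below).
    openssl cms -verify -nointern -noverify -inform DER -in "$bundle" \
        -certfile "$outdir/RootBundleSigningCertificate.cer" \
        -out "$outdir/iosBundleBodyVerified.p7b" 2> "$outdir/verify.log" \
        || { cat "$outdir/verify.log" >&2; return 1; }

    # Step 3: the verified body is a certs-only PKCS#7; keep only PEM blocks.
    openssl pkcs7 -inform DER -in "$outdir/iosBundleBodyVerified.p7b" -print_certs \
        | grep -v '^subject=' | grep -v '^issuer=' | sed '/^$/d' \
        > "$outdir/iosCerts.PEM"

    # Step 4: one file per certificate. The parenthesised redirection target
    # and explicit close() are plain POSIX awk, so this form serves both
    # GNU awk and macOS awk.
    (cd "$outdir" && awk '/BEGIN CERT/ { if (f != "") close(f); c++; f = (c ".pem") }
                          { print > f }' iosCerts.PEM)
}

# Compare the extracted signer certificate (first certificate in the file)
# with a SHA-256 fingerprint obtained out of band, e.g. from the Cisco PKI
# site for the real bundle. This is the trust decision -noverify leaves open.
signer_fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$actual" = "$2" ]
}

# Print "<SHA-1 fingerprint>  <subject>" for every split certificate.
fingerprint_report() {
    for f in "$1"/[0-9]*.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1 | sed 's/^.*=//')
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%s  %s\n' "$fp" "$subj"
    done
}

# Number of N.pem files produced by extract_root_store.
count_certs() {
    n=0
    for f in "$1"/[0-9]*.pem; do [ -f "$f" ] && n=$((n + 1)); done
    echo "$n"
}

# Constructed stand-in for ios_union.p7b so the functions above can be run
# offline: two self-signed "root" CAs in a certs-only PKCS#7, CMS-signed with
# a throwaway signer. Writes union.p7b and signer.crt into DIR.
make_constructed_bundle() {
    dir="$1"; mkdir -p "$dir"
    for name in signer rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Constructed Example/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2> /dev/null
    done
    openssl crl2pkcs7 -nocrl -certfile "$dir/rootA.crt" \
        -certfile "$dir/rootB.crt" -outform DER -out "$dir/inner.p7b"
    # -binary stops line-ending canonicalisation of the DER payload;
    # -nodetach embeds the payload so that cms -verify can return it.
    openssl cms -sign -binary -nodetach -in "$dir/inner.p7b" \
        -signer "$dir/signer.crt" -inkey "$dir/signer.key" \
        -outform DER -out "$dir/union.p7b"
}

# Stand-alone use: sh extract_root_store.sh ios_union.p7b outdir
if [ $# -eq 2 ]; then
    extract_root_store "$1" "$2"
    fingerprint_report "$2"
fi
```

Run it against the constructed bundle first (make_constructed_bundle, then extract_root_store on union.p7b) to confirm your OpenSSL build behaves as expected; then point it at ios_union.p7b and supply the signer fingerprint from the Cisco PKI site to signer_fingerprint_matches. A bundle whose signature has been altered makes extract_root_store return non-zero, and the verification log is echoed to standard error.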
