View the Cisco Trusted Root Store
A root certificate is required when Secure Access proxies and decrypts HTTPS traffic intended for a website. Cisco provides trusted root store bundles, which contain information about certificates used by Cisco products. Within a bundle, you can view the list of trusted Cisco Certification Authorities (CA), type of root certificate, and certificate fingerprint (SHA-1).
The Secure Access trusted root certificate information is stored in the Cisco Trusted Union Root bundle. The Cisco Trusted Union Root bundle is a PKCS#7 bundle file (.p7b). The Cisco Trusted Union Root bundle is signed with a digital signing certificate, which you use to verify the bundle.
Table of Contents
Prerequisites
- You must have administrative privileges on the devices in the organization or network administrative permissions over the network.
- Use a version of OpenSSL v1.0 or greater to extract the root bundle.
Download the Cisco Trusted Union Root Bundle
- Navigate to the Cisco Cryptographic Services site at Cisco PKI: Policies, Certificates, and Documents.
- Under Trusted Root Stores, download the Cisco Trusted Union Root Bundle: https://www.cisco.com/security/pki/trs/ios_union.p7b.
Extract the Certificates
Step 1: Extract the Signing Certificate
Extract the signing certificate from the Trusted Union Root bundle (ios_union.p7b) and save the signing certificate in a file named RootBundleSigningCertificate.cer.
openssl pkcs7 -in ios_union.p7b -inform DER -print_certs > RootBundleSigningCertificate.cer
Step 2: Extract Certificate Bundle as Message
Use the extracted signing certificate (RootBundleSigningCertificate.cer) to verify the Trusted Union Root bundle (ios_union.p7b).
# This command extracts the certificate bundle as a message into the
# file iosBundleBodyVerified.p7b if the signature verifies
openssl cms -verify -nointern -noverify -inform DER -in ios_union.p7b -outform DER \
-out iosBundleBodyVerified.p7b -certfile RootBundleSigningCertificate.cer
The output is similar to:
Verification successful
Step 3: Extract PEM-Formatted Certificates From Bundle
# This command extracts the certificates from the bundle into a separate
# file, iosCerts.PEM, containing only the PEM-formatted certificates from the bundle.
openssl pkcs7 -inform DER -print_certs -outform PEM < iosBundleBodyVerified.p7b \
|grep -v 'subject=' |grep -v 'issuer=' |sed '/^$/d' > iosCerts.PEM
Step 4: Generate Individual Certificate Files
Linux
# If you are on Linux, use this command to split the PEM bundle into individual certificate files
# (Does not work on a Mac due to GNU awk)
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} {print > c ".pem"}' < ../iosCerts.PEM
macOS
# If you are on a Mac, use this command to split the PEM bundle into individual certificate files
# (Does not work on Linux due to split not supporting the -p flag)
split -p "-----BEGIN CERTIFICATE-----" iosCerts.PEM individual-
View an Individual Certificate File
Use openssl x509
to view the contents of an individual certificate file as plain text. Provide the name of the individual file as an argument to the openssl
command.
openssl x509 -in <individual-file> -text
Add Customer CA Signed Root Certificate < View Cisco Trusted Root Store > Certificates for Private Resource Decryption
Updated 12 months ago