Symptom
crypto pki trustpool import url does not work:
16.3.3(config)#crypto pki trustpool import url flash:/trustpool.p7b
Reading file from bootflash:/trustpool.p7b
% No certificates imported from flash:/trustpool.p7b.
16.3.3(config)#crypto pki trustpool import url flash:/trustpool.pem
Reading file from bootflash:/trustpool.pem
% No certificates imported from flash:/trustpool.pem.
Conditions
IOS-XE 16.3.3, 16.5.1b
On IOS-XE 16.3.2, import in PEM format works.
Further Problem Description
This is not a bug but a behaviour change introduced by the fix for CSCvc33171.
Cisco devices can import a trustpool by download from a URL only in the form of a PKCS7 bundle signed by the Cisco Certificate Authority. PEM download is not supported.
Import from terminal (copy/paste) using PEM is supported.
This behaviour was introduced to protect against DNS spoofing, where a wrong bundle could be imported, which would lead the device to accept connections to the wrong SSL servers.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16-12/sec-pki-xe-16-12-book/sec-pki-trustpool-mgmt.html?bookSearch=true#GUID-69129282-65DE-4DC4-88C8-25904C21F862
"Restrictions for PKI Trustpool Management
...
You can download only a Cisco signed PKCS7 certificate through the trustpool URL."
For the list of versions with the change, check the integrated releases of CSCvc33171.
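A pre-flight check for the restriction described above, as an added example that is not Cisco code: it classifies a bundle file as PEM certificates, a PKCS7 bundle with no signer (the certs-only kind, which carries no signature and so cannot meet the Cisco-signed requirement), or a PKCS7 bundle that has a signer. The function names and the sample bytes are constructed for illustration, and only definite-length DER is parsed.

```python
import base64, re
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Read one definite-length DER element: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_bundle(data):
    """Classify a bundle; 'pkcs7-signed' means a signer exists, not that it is Cisco's."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if m and m.group(1) == b"CERTIFICATE":
        return "pem-certificates"            # terminal import only, per the page
    try:
        if m:
            data = base64.b64decode(m.group(2))        # PEM-armoured PKCS7
        tag, body, _ = read_tlv(data, 0)               # outer ContentInfo
        oid, wrapped = children(body)[:2]
        signed = children(children(wrapped[1])[0][1])  # [0] EXPLICIT -> SignedData
        last_tag, signer_infos = signed[-1]            # signerInfos is the last field
    except (ValueError, IndexError):
        return "unknown"
    if tag != 0x30 or oid != (0x06, SIGNED_DATA) or last_tag != 0x31:
        return "unknown"
    return "pkcs7-signed" if signer_infos else "pkcs7-unsigned"

def der(tag, *parts):  # short-form (<128 byte) DER encoder, used only for the samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_p7b(signer_infos=b""):  # constructed SignedData skeleton, not a real bundle
    data_oid = der(0x06, SIGNED_DATA[:-1] + b"\x01")   # 1.2.840.113549.1.7.1 (data)
    signed = der(0x30, der(0x02, b"\x01"), der(0x31), der(0x30, data_oid),
                 der(0xA0, der(0x30)), der(0x31, signer_infos))
    return der(0x30, der(0x06, SIGNED_DATA), der(0xA0, signed))
```

Run `classify_bundle(open("trustpool.p7b", "rb").read())` on the file before copying it to flash; a result of `pkcs7-signed` still leaves the signature check to the device.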