Loading...
Loading...
crypto pki trustpool import url does not work: 16.3.3(config)#crypto pki trustpool import url flash:/trustpool.p7b Reading file from bootflash:/trustpool.p7b % No certificates imported from flash:/trustpool.p7b. 16.3.3(config)#crypto pki trustpool import url flash:/trustpool.pem Reading file from bootflash:/trustpool.pem % No certificates imported from flash:/trustpool.pem.
IOS-XE 16.3.3, 16.5.1b On IOS-XE 16.3.2 import in pen format works.
none
This is not a bug but a behaviour change introduced by fix CSCvc33171. CISCO devices are restricted to import trustpools by download from URL only in form of PKCS7 bundles signed by Cisco Certificate Authority. PEM download is not supported. Import from terminal (copy/paste) using PEM is supported. This behaviour has been incorporated to avoid DNS spoofing where wrong bundle can be imported which will lead to connection acceptance with wrong SSL servers. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16-12/sec-pki-xe-16-12-book/sec-pki-trustpool-mgmt.html?bookSearch=true#GUID-69129282-65DE-4DC4-88C8-25904C21F862 "Restrictions for PKI Trustpool Management ... You can download only a Cisco signed PKCS7 certificate through the trustpool URL." For the list of versions with the change please check CSCvc33171 integrated releases.
Click on a version to see all relevant bugs
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.