
Install X.509 CA certificate to Cisco IOS for DynDNS

You must install the X.509 CA certificate into the IOS configuration, so that IOS can verify the chain of trust of the TLS socket it creates for HTTPS. Ufff…

That is, so it can check the certificate's chain of trust, understood? :-)

  • Which certificate is needed? The easiest way to find out is to open a TLS/SSL socket to the real system:
# openssl s_client -showcerts -host dyn.dns.he.net -port 443
  • The output contains the real certificate data (note `verify error:num=18`: the server presents a self-signed certificate, so it is its own "CA"):
CONNECTED(00000004)
depth=0 /C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
   i:/C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFtjCCA54CCQC5vsyLyslykjANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC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
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
issuer=/C=US/ST=CA/L=Fremont/O=Hurricane Electric/OU=Secure Services/CN=dyn.dns.he.net/emailAddress=dnsadmin@he.net
---
  • Log in to Cisco IOS, create a new CA trustpoint, then paste and install the certificate. Because the certificate is self-signed, the trustpoint pins that exact certificate: there is no CRL/OCSP to consult (hence `revocation-check none`), and when the server replaces its certificate (this one is valid only until Mar 23 2021, see below) the HTTPS update fails until you re-run `crypto pki authenticate` with the new one. Before answering `yes`, compare the MD5/SHA1 fingerprints IOS prints with fingerprints you compute yourself from the certificate fetched in the previous step:
#ssh cisico

login:
password:

cisico#conf term
cisico(config)#crypto pki trustpoint TEST
cisico(ca-trustpoint)#revocation-check none
cisico(ca-trustpoint)#enrollment terminal pem
cisico(ca-trustpoint)#exit
cisico(config)#crypto pki authenticate TEST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIFtjCCA54CCQC5vsyLyslykjANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC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
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: C9D04C92 B9A32172 B48C1110 054E3CF6
      Fingerprint SHA1: 3FDE18F7 33EA46C2 CE737287 01FCFFA0 FCF40D06

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
cisico(config)#exit

cisico#write
  • Check the installed certificate:
cisico#show crypto pki trustpoints TEST
Trustpoint TEST:
    Subject Name:
    e=dnsadmin@he.net
    cn=dyn.dns.he.net
    ou=Secure Services
    o=Hurricane Electric
    l=Fremont
    st=CA
    c=US
          Serial Number (hex): 00B9BECC8BCAC97292
    Certificate configured.

cisico#show crypto pki certificates TEST
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00B9BECC8BCAC97292
  Certificate Usage: General Purpose
  Issuer:
    e=dnsadmin@he.net
    cn=dyn.dns.he.net
    ou=Secure Services
    o=Hurricane Electric
    l=Fremont
    st=CA
    c=US
  Subject:
    e=dnsadmin@he.net
    cn=dyn.dns.he.net
    ou=Secure Services
    o=Hurricane Electric
    l=Fremont
    st=CA
    c=US
  Validity Date:
    start date: 05:48:52 KLD Mar 26 2011
    end   date: 05:48:52 KLD Mar 23 2021
  Associated Trustpoints: TEST HE
  Storage: nvram:dnsadminhene#7272CA.cer
  • Now you can use HTTPS in the DynDNS update method in Cisco IOS. The update URL carries the DDNS password (`password123` here) in cleartext in the running configuration, so protect configuration backups accordingly:
ip ddns update method DDNS-METH-HE
 HTTP
  add https://host.homeunix7.org:password123@\
    dyn.dns.he.net/nic/update?hostname=host.homeunix7.org&myip=<a>
 interval maximum 0 1 0 0

interface Dialer0
 ip ddns update DDNS-METH-HE
  • The same approach works with other service providers, for example DynDNS.
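The check a practitioner wants before typing `yes` at the `Do you accept this certificate?` prompt is an independent computation of the fingerprints IOS prints. The following Python script is an added example, not code from the original page or from Hurricane Electric: it computes IOS-style MD5/SHA1 fingerprints and the serial number (raw DER INTEGER bytes, leading `00` included, as in `00B9BECC8BCAC97292` above) from a PEM certificate, flags a self-signed certificate (the pinning situation described above) and reports whether it has expired. Only the standard library is used. The sample certificate is constructed inline and is not real: the host name `dyn.example.test`, the serial number and the dates are made up, and it carries no valid signature; `fetch_leaf_pem()` is the one function that needs network access.

```python
"""Added example: verify a certificate before accepting it into an IOS trustpoint.

Computes the MD5/SHA1 fingerprints "crypto pki authenticate" prints and the
serial number "show crypto pki certificates" prints, flags issuer == subject
(self-signed, i.e. the trustpoint pins this one certificate) and checks validity.
"""
import base64
import hashlib
import re
import ssl
from datetime import datetime, timezone


def fetch_leaf_pem(host, port=443):
    """Fetch the server's leaf certificate as PEM (needs network; leaf only, no chain)."""
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem):
    """Base64-decode the first PEM certificate block in a string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    return ssl.DER_cert_to_PEM_cert(der)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _asn1_time(tag, value):
    # 0x17 UTCTime "YYMMDDHHMMSSZ", 0x18 GeneralizedTime "YYYYMMDDHHMMSSZ"
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Pull serial, self-signed flag and validity period out of a DER certificate."""
    tbs, _sig_alg, _sig = _children(_tlv(der, 0)[1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:               # explicit [0] version; absent on v1 certs
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [_asn1_time(t, v) for t, v in _children(validity[1])]
    return {
        # IOS prints the raw INTEGER bytes, so a leading 00 pad byte shows up too
        "serial_hex": serial[1].hex().upper(),
        "self_signed": issuer[1] == subject[1],
        "not_before": not_before,
        "not_after": not_after,
    }


def ios_fingerprint(der, algo):
    """Hash the DER and format like IOS: uppercase hex in 8-character groups."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def matches_ios_prompt(der, md5_shown, sha1_shown):
    """True only if both fingerprints shown by the IOS prompt match this DER."""
    norm = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return (norm(ios_fingerprint(der, "md5")) == norm(md5_shown)
            and norm(ios_fingerprint(der, "sha1")) == norm(sha1_shown))


def is_expired(info, now=None):
    now = now or datetime.now(timezone.utc)
    return not (info["not_before"] <= now <= info["not_after"])


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert():
    """Constructed sample (made up): unsigned v1 certificate with issuer == subject,
    a 9-byte serial with a leading 00 pad byte, and a zeroed signature."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                         + _der(0x13, b"dyn.example.test"))))
    sha1_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"250101000000Z"))
    rsa_key = _der(0x30, _der(0x02, b"\x00\xc3") + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                           + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_key))
    tbs = _der(0x30, _der(0x02, bytes.fromhex("00A1B2C3D4E5F60718"))
               + sha1_rsa + name + validity + name + spki)
    return _der(0x30, tbs + sha1_rsa + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    der = build_sample_cert()          # replace with pem_to_der(fetch_leaf_pem(host))
    info = parse_cert(der)
    print("MD5 ", ios_fingerprint(der, "md5"))
    print("SHA1", ios_fingerprint(der, "sha1"))
    print(info, "EXPIRED" if is_expired(info) else "valid")
```

Against a real server, replace the sample with `pem_to_der(fetch_leaf_pem("dyn.dns.he.net"))` or paste the PEM from the `openssl s_client -showcerts` output; `self_signed` being true tells you the trustpoint will pin exactly this certificate, and `not_after` is the date by which it must be re-authenticated.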

Hurricane Electric DynDNS

Dynamic DNS Support

  • We've added Dynamic DNS support!

We're working on smoothing out how it's represented in the UI and writing something that resembles documentation, but thought we'd push out what we have so it can get a little use. It's a pretty basic implementation and should work well for most applications. It's been tested with 'ddclient', and should work fine with any of the command line examples. We'll update this page when the documentation is ready. (We're hoping to have it written soon…) If you have any feedback on this new feature, please send it along to dnsadmin [at] he [dot] net

Here are a few examples to get you started

http://[your domain name]:[your password]@dyn.dns.he.net\
/update?hostname=[your domain name]
Autodetect my IPv4/IPv6 address:
% curl -4 "http://dyn.example.com:password@dyn.dns.he.net\
/nic/update?hostname=dyn.example.com"
% curl -6 "http://dyn.example.com:password@dyn.dns.he.net\
/nic/update?hostname=dyn.example.com"

Specify my IPv4/IPv6 address:
% curl "http://dyn.example.com:password@dyn.dns.he.net\
/nic/update?hostname=dyn.example.com&myip=192.168.0.1"
% curl "http://dyn.example.com:password@dyn.dns.he.net\
/nic/update?hostname=dyn.example.com&myip=2001:db8:beef:cafe::1"

Things to note about the dynamic DNS support:

  • Your “username” is going to be the name of the record that has been tagged dynamic, i.e. you marked the A record for dyn.example.com as dynamic; your username will be “dyn.example.com”.
  • You can tag an A or AAAA record by editing it once you have selected the zone. (check the box).
  • Once you have “activated” the record to be dynamic, you will need to generate a key (or password if you prefer) for it. (click on the generate icon) to generate the key for the dynamic record.
  • If you have tagged both an A and AAAA record to be dynamic, you will see the icon twice, it is only necessary to generate one key as it is bound to the name of the record and not the name/type. (see the part up above where we mention that we're still working on the UI part… :) .)
  • When making updates, you will need to make a separate update for IPv4 and IPv6. We may add an additional “myipv6=” option in the future.
