Certificate Authority Setup

Mar 10th, 2008

Does anyone have any docs on setting up a CA on a Windows 2003 box as it pertains to Cisco? I am not a Windows guy anymore, so it's been giving me grief. I've searched online, but it seems as if there are several ways of setting this thing up. The only thing I can find that references Cisco & CA servers deals with wireless. I'm not worried about that at this time.

I would just like to get step-by-step instructions on setting this thing up for use with my firewall and VPN concentrator.

I even found a link on the Cisco site, but the link was dead or outdated.

Any help would be appreciated.

cisco24x7 Sun, 03/16/2008 - 05:07

I am not a Windows person, I am a Unix guy, but I wrote these instructions two years ago in preparing for the CCIE Security lab and they are very easy to read and understand. Let me know if you need additional help.

The steps below will illustrate how to install and configure Microsoft Certificate Authority (CA) Server and how to set up Cisco network devices to communicate with the CA server.

step 1: Make sure that the Microsoft IIS service is installed.

Make sure that both the Windows 2003 Server and the router/PIX are synchronizing with accurate time, preferably from the same NTP server:

on Windows 2003: net time /setsntp:ntp_IP_address
on the router: ntp server ntp_IP_address
on the PIX 7.x code: ntp server ntp_IP_address

where "ntp_IP_address" is the actual IP address of the NTP server.

step 2: Install Certificate Services on the Windows 2003 Server box. Check both the "Certificate Services CA" and "Certificate Services Web Enrollment Support" boxes. You will be prompted for some default questions. Just make it up as you go along.

step 3: Go to the Microsoft website and download the cepsetup.exe file. That is the SCEP add-on from Microsoft. Make sure you download the right file for the OS. In my test environment, I use Windows 2003 Server, so I use cepsetup.exe. If you use Windows 2000 Server, the cepsetup.exe is available on the resource toolkit CD, or you can download it from the Microsoft website as well.

step 4: Install cepsetup.exe. During the installation, you will see the box that says "accept passphrase challenge". That box is checked. LEAVE IT CHECKED and continue with the installation of cepsetup.exe. In other words, accept all the defaults.

step 5: Go to IIS Manager and expand the local computer IIS Server. You will see "Application Pools" under the local computer. Expand "Application Pools" and you will see "SCEP". Right-click on SCEP and go to Properties. In the SCEP properties, go to the "Identity" tab. Under "Predefined", select "Local System". After that, select "OK".

Right-click on SCEP to stop the SCEP service.
Right-click on SCEP to start the SCEP service.

Create a user account on the Windows 2003 box, or you can use "Administrator" as well. I normally use the Administrator account.

At this point, the install and configuration on the Microsoft Windows 2003 box is completed. The next step is to configure the Cisco network device to communicate with the Microsoft CA server.

step 6: On the PIX 7.x code, perform the following commands:

hostname device_name
domain-name yourdomain.com
crypto key zeroize rsa
crypto key generate rsa modulus 1024
crypto ca trustpoint your_trustpoint_name
crl optional
enrollment url http://msCA_Server/certsrv/mscep/mscep.dll
exit
crypto ca authenticate your_trustpoint_name
crypto ca enroll your_trustpoint_name

At this point, on the PIX, you will be prompted for a password.

step 7: Launch Internet Explorer and point to the CA server: http://msCA_Server/certsrv/mscep

You will be prompted for a username/password. I normally use the "Administrator" account of the system, but if you create your own account, it will work too.

Once you are successfully authenticated, you will see the following in the browser:

Simple Certificate Enrollment Protocol (SCEP) Add-On for Certificate Services

The CA certificate's thumbprint is 708B8470 202191B4 019E3C6A E147213C.
Your enrollment challenge password is AD1A0E5B9D7DECB9 and will expire within 60 minutes.
This password can only be used once.
Each enrollment requires a new challenge password. You can refresh this web page to obtain a new challenge password.
For more information please see the online documentation mscephlp.htm.

The password will be "AD1A0E5B9D7DECB9". Paste this password in the PIX at the password prompt of the "crypto ca enroll cisco" command.

Congratulations. You've successfully put a certificate into the PIX. Now you can go ahead and do IPSec via certificate instead of "pre-share".

CCIE Security
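As an added example (my own, not from the post above or from Microsoft or Cisco), a small Python helper that parses the text the mscep page shows in step 7 and checks that the CA thumbprint on that page is the same value the PIX prints during "crypto ca authenticate" before you accept the trustpoint; it assumes that 16-byte thumbprint is an MD5 fingerprint, which its length indicates, and the SCEP_PAGE sample is constructed from the lines quoted in the post.

```python
import hashlib
import re

# Constructed sample of the text the mscep admin page shows; the values are the
# ones quoted in the post above, not output from a live CA.
SCEP_PAGE = """Simple Certificate Enrollment Protocol (SCEP) Add-On for Certificate Services
The CA certificate's thumbprint is 708B8470 202191B4 019E3C6A E147213C.
Your enrollment challenge password is AD1A0E5B9D7DECB9 and will expire within 60 minutes.
This password can only be used once."""

THUMB_RE = re.compile(r"thumbprint is\s+((?:[0-9A-Fa-f]{8}\s*){4})")
PASSWORD_RE = re.compile(r"challenge password is\s+([0-9A-Fa-f]{16})")
EXPIRE_RE = re.compile(r"expire within\s+(\d+)\s+minutes")


def normalize_fingerprint(fp):
    """Drop spaces/colons and case so the page's '708B8470 2021...' grouping and
    whatever grouping the device prints compare as the same hex string."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_scep_page(text):
    """Extract the CA thumbprint, one-time challenge password and expiry (minutes)."""
    thumb = THUMB_RE.search(text)
    password = PASSWORD_RE.search(text)
    expiry = EXPIRE_RE.search(text)
    if not (thumb and password and expiry):
        raise ValueError("text does not look like the mscep admin page")
    return {
        "thumbprint": normalize_fingerprint(thumb.group(1)),
        "challenge_password": password.group(1),
        "expires_minutes": int(expiry.group(1)),
    }


def ca_fingerprint(der_bytes):
    """MD5 fingerprint of a DER-encoded CA certificate in the page's 4x8-hex grouping.
    Assumption: the 16-byte thumbprint the page shows is MD5 (its length matches)."""
    digest = hashlib.md5(der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def fingerprints_match(page_thumbprint, device_fingerprint):
    """True only if the thumbprint from the CA's web page and the fingerprint the
    device prints during 'crypto ca authenticate' are the same value; a mismatch
    means the device is not talking to the CA you think it is, so answer 'no'."""
    return normalize_fingerprint(page_thumbprint) == normalize_fingerprint(device_fingerprint)
```

Run parse_scep_page over the page text you copied from the browser, then pass the device's fingerprint line to fingerprints_match; the challenge password it returns is single-use and expires after the stated minutes, so refresh the page for each enrollment.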

dphills18 Mon, 03/17/2008 - 07:58

Thanks a million. I will look into these and give it a go. I will post feedback/rating today on whether anything works.
