03-10-2008 07:56 PM - edited 03-09-2019 08:17 PM
Does anyone have any docs on setting up a CA on a Windows 2003 box as it pertains to Cisco? I am not a Windows guy anymore, so it's been giving me grief. I've searched online, but it seems as if there are several ways of setting this thing up. The only thing I can find that references Cisco & CA servers deals with wireless. I'm not worried about that at this time.
I would just like to get step-by-step instructions on setting this thing up for use with my firewall and a VPN concentrator.
I even found a link on the Cisco site, but the link was dead or outdated.
Any help would be appreciated.
03-14-2008 02:23 PM
03-16-2008 05:07 AM
I am not a Windows person, I am a Unix guy, but I wrote these instructions two years ago in preparing for the CCIE Security lab, and they are very easy to read and understand. Let me know if you need additional help.
The steps below will illustrate how to install and configure
Microsoft Certificate Authority (CA) Server and how to setup Cisco
network devices to communicate with the CA server.
step 1: Make sure that the Microsoft IIS service is installed.
Make sure that both the Windows 2003 Server and the router/PIX are synchronizing
with accurate time, preferably from the same NTP server:
on the Windows 2003 server: net time /setsntp:ntp_IP_address
on the router: ntp server ntp_IP_address
on the PIX 7.x code: ntp server ntp_IP_address
where "ntp_IP_address" is the actual IP address of the NTP server.
step 2: Install Certificate Services on the Windows 2003 Server box.
Check both the "Certificate Services CA" and "Certificate Services Web
Enrollment Support" boxes. You will be prompted for some default questions.
Just make it up as you go along.
step 3: Go to the Microsoft website and download the cepsetup.exe file.
That is the SCEP add-on from Microsoft. Make sure you download the right
file for the OS. In my test environment, I use Windows 2003 Server, so I
use cepsetup.exe. If you use Windows 2000 Server, cepsetup.exe is
available on the Resource Kit CD, or you can download it from the
Microsoft website as well.
step 4: Install cepsetup.exe. During the installation, you will see the box
that says "accept passphrase challenge". That box is checked. LEAVE IT CHECKED
and continue with the installation of cepsetup.exe. In other words, accept
all the defaults.
step 5: Go to IIS Manager and expand the local computer IIS server.
You will see "Application Pools" under the local computer.
Expand "Application Pools" and you will see "SCEP".
Right-click on SCEP and go to Properties.
In the SCEP properties, go to the "Identity" tab.
Under "Predefined", select "Local System". After that, select "OK".
Right-click on SCEP to stop the SCEP service.
Right-click on SCEP to start the SCEP service.
Create a user account on the Windows 2003 box or you can use the "Administrator" as well.
I normally use the Administrator account.
At this point, the install and configuration on the Microsoft Windows 2003 box
is complete. The next step is to configure the Cisco network device to
communicate with the Microsoft CA server.
step 6: On the PIX 7.x code, perform the following commands:
hostname device_name
domain-name yourdomain.com
crypto key zeroize rsa
crypto key generate rsa modulus 1024
crypto ca trustpoint your_trustpoint_name
crl optional
enrollment url http://msCA_Server/certsrv/mscep/mscep.dll
exit
crypto ca authenticate your_trustpoint_name
crypto ca enroll your_trustpoint_name
At this point, on the PIX, you will be prompted for a password.
step 7: Launch Internet Explorer and point to
the CA server: http://msCA_Server/certsrv/mscep
You will be prompted for a username/password. I normally use the "Administrator"
account of the system, but if you create your own account, it will work too.
Once you have successfully authenticated, you will see the following in the browser:
Simple Certificate Enrollment Protocol (SCEP) Add-On for Certificate Services
Welcome
The CA certificate's thumbprint is 708B8470 202191B4 019E3C6A E147213C.
Your enrollment challenge password is AD1A0E5B9D7DECB9 and will expire within 60 minutes.
This password can only be used once.
Each enrollment requires a new challenge password. You can refresh this web page
to obtain a new challenge password.
For more information please see the online documentation mscephlp.htm.
The password will be "AD1A0E5B9D7DECB9".
Paste this password into the PIX at the password prompt of "crypto ca enroll cisco".
Congratulations. You've successfully put a certificate into the PIX.
Now you can go ahead and do IPsec via certificate instead of "pre-share".
CCIE Security
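The "crypto ca authenticate" step in the procedure above asks you to accept the CA certificate by its fingerprint, and the MSCEP welcome page prints that same thumbprint (32 hex digits, four groups of eight) over the authenticated web session. Comparing the two by eye is error-prone, so here is an added example (not part of the original post, and not Cisco or Microsoft code) that fetches the CA certificate with the standard SCEP GetCACert query, computes its fingerprint, and compares it with the string copied from the web page, ignoring spacing, colons and case. It assumes the page's thumbprint is an MD5 digest of the DER-encoded certificate (inferred from its 32-digit length), and the server name and the `SAMPLE_DER` fixture are placeholders, not real values from the post.

```python
"""Compare a SCEP CA certificate's fingerprint with an out-of-band thumbprint.

Added example for checking the CA thumbprint shown by a MSCEP welcome page
against the certificate the device will trust. Assumptions: the thumbprint is
MD5 over the DER certificate (32 hex digits); the GetCACert URL follows the
SCEP draft/RFC 8894 form used by mscep.dll.
"""
import base64
import hashlib
import re
import urllib.request


def pem_or_der_to_der(data: bytes) -> bytes:
    """Accept a certificate as PEM or raw DER and return the DER bytes."""
    if b"-----BEGIN" in data:
        m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
        if not m:
            raise ValueError("malformed PEM block")
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Uppercase hex digest grouped in blocks of 8, the way the PIX prompt and
    the MSCEP page display it. algo may be md5, sha1 or sha256."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(thumbprint: str) -> str:
    """Strip spaces, colons and other separators; uppercase the hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def matches(der: bytes, shown: str) -> bool:
    """True if the MD5 fingerprint of der equals the thumbprint copied from the
    web page. Refuses input that is not 32 hex digits so a SHA-1 value copied
    from certutil is not silently compared against an MD5 digest."""
    expected = normalize(shown)
    if len(expected) != 32:
        raise ValueError("expected a 32-hex-digit (MD5) thumbprint, got %d digits"
                         % len(expected))
    return hashlib.new("md5", der).hexdigest().upper() == expected


def fetch_ca_cert(base_url: str, timeout: float = 10.0):
    """Issue the SCEP GetCACert query and return (content_type, body).

    mscep.dll answers either application/x-x509-ca-cert (a bare DER CA cert,
    which this script can fingerprint directly) or application/x-x509-ca-ra-cert
    (a PKCS#7 bundle holding CA and RA certs, which needs a PKCS#7 parser such
    as openssl pkcs7 -print_certs before fingerprinting the CA cert).
    """
    url = base_url.rstrip("/") + "/mscep.dll?operation=GetCACert&message=ca"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network only when called
        return resp.headers.get("Content-Type", ""), resp.read()


# Constructed fixture: NOT a real certificate, just bytes standing in for DER
# so the comparison logic can be exercised offline.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-ca-cert-bytes-for-example-only"


def check_offline(der: bytes, shown: str) -> dict:
    """Run the comparison and return every fingerprint an operator might need:
    MD5 for the PIX/MSCEP prompt, SHA-1 for certutil's thumbprint column,
    SHA-256 for anything newer."""
    return {
        "matches": matches(der, shown),
        "md5": fingerprint(der, "md5"),
        "sha1": fingerprint(der, "sha1"),
        "sha256": fingerprint(der, "sha256"),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: script.py http://msCA_Server/certsrv/mscep "708B8470 202191B4 019E3C6A E147213C"
        ctype, body = fetch_ca_cert(sys.argv[1])
        if "ca-ra-cert" in ctype:
            sys.exit("got a PKCS#7 CA+RA bundle; extract the CA cert first")
        print(check_offline(pem_or_der_to_der(body), sys.argv[2]))
    else:
        print(check_offline(SAMPLE_DER, fingerprint(SAMPLE_DER)))
```

When the returned content type is `application/x-x509-ca-ra-cert`, the body is a PKCS#7 bundle, not a bare certificate; hashing it whole will never match the page, which is why the script stops there instead of printing a misleading mismatch.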
03-17-2008 07:58 AM
Thanks a million. I will look into these and give it a go. I will post feedback/rating today on whether anything works.