IOS CA - basic deployment; certificate enrollment and signing process.

Document, posted Jan 31, 2011 8:22 AM

1. Purpose of this document

This document is intended as an introduction to a basic deployment of IOS CA and to the process behind certificate enrollment: which key signs what, and what the router and the CA check at each step.

2. What is IOS CA?

IOS CA is short for Certificate Authority on IOS: the router itself acts as the CA. It's a simple, yet very powerful tool for deploying certificates in environments where a PKI is needed for security reasons and no separate CA server is available.

A typical scenario is a VPN between two or more hosts that authenticate each other with certificates instead of pre-shared keys, which is why this document is in this section of the forums.

Please note that for the purpose of this exercise I will focus on manual (terminal) enrollment rather than SCEP.

SCEP is the more efficient and automatic way to deploy and maintain certificates and is showcased in section 6.

During this exercise I'm using an older version of IOS - 12.4(15)T.

3. Configuration

For the purpose of this exercise I'm using a very basic configuration. The NTP line is not decoration: certificates carry validity dates, so a router with a wrong clock will reject a perfectly good certificate, and a CA with a wrong clock will issue certificates that are not yet valid anywhere else.

ntp server 192.168.5.1

hostname CA

ip domain-name cisco.com

crypto key generate rsa modulus 1024 label cisco exportable

crypto key export rsa cisco pem url nvram: 3des cisco123

The keypair is generated with the "exportable" flag so it can be backed up. The exported copy is protected by 3DES under the passphrase (cisco123 here) and nothing else, so treat that file exactly as you would treat the CA private key, because that is what it is.

crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC

no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco123

Re-enter password: cisco123
% Exporting Certificate Server signing certificate and keys...

Let's have a look at the CA certificate, decoded with openssl x509 -text:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: OU=TAC, CN=CA.cisco.com
        Validity
            Not Before: Jan 31 16:21:02 2011 GMT
            Not After : Jan 30 16:21:02 2014 GMT
        Subject: OU=TAC, CN=CA.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

                    00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
                    e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
                    3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
                    5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
                    52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
                    af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
                    4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
                    04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
                    b2:87:e3:7a:86:4f:fa:86:d3

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29

            X509v3 Subject Key Identifier:
                42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29
    Signature Algorithm: md5WithRSAEncryption
        01:a0:8c:0a:62:82:22:25:18:de:d8:9a:bf:8e:41:d8:e6:c2:
        82:ff:49:df:2d:0a:b7:35:6c:f6:6a:cf:9c:ee:1d:33:cf:6f:
        17:42:8e:72:bd:8a:9f:c8:7d:8c:57:22:36:64:9b:1f:eb:9f:
        bf:90:8c:fb:7b:a7:43:76:2a:b0:cf:56:ae:d8:5c:61:47:d5:
        81:31:a1:66:4a:b7:2a:12:12:87:59:58:79:b8:d2:ca:73:40:
        78:9d:b3:87:81:6d:e8:78:42:e8:9b:3c:61:86:46:f2:72:ae:
        db:dc:44:51:92:24:1f:fa:28:96:ef:12:ba:f3:7a:33:37:5c:
        b1:39

Please note that the public key in the certificate is the CA's own RSA public key. You can find the same value in the "show crypto key mypubkey rsa" output on the CA:

   00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
    e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
    3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
    5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
    52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
    af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
    4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
    04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
    b2:87:e3:7a:86:4f:fa:86:d3

Note that the keyid in the Authority Key Identifier equals the Subject Key Identifier, and that Issuer equals Subject. Both point to the same thing: the certificate is self-signed, i.e. the CA signed its own certificate with the key whose identifier is 42:C8:26:.... The identifiers only tell you which key was meant to sign; the real proof is that the signature at the bottom verifies under the public key contained in the same certificate.

Two things in this dump would not pass a review today: the signature algorithm is md5WithRSAEncryption and the key is RSA 1024. Both are acceptable for a lab on 12.4(15)T, but in production use the largest modulus the platform supports (2048 bits or more) and, on IOS releases that offer it, a SHA-2 hash for the certificate server ("hash sha256" under "crypto pki server").

4. Getting a spoke up to speed.

Getting a spoke functional in terms of PKI requires two steps: authenticating the CA and then enrolling.

But first some basic preparation:

ntp server 192.168.5.1

hostname PINGER

ip domain-name cisco.com

crypto key generate rsa modulus 1024

Next, create a trustpoint: the container that ties together the CA certificate, the router's own certificate and the RSA keypair.

crypto pki trustpoint CISCO
enrollment terminal
subject-name CN=Pinger.cisco.com,OU=TAC
revocation-check crl

4.1 Authentication.

We need to specify which CA the spoke trusts.

We'll use the certificate of the CA I just created.

First you need to export it from the CA itself. The certificate server keeps its own certificate in an automatically created trustpoint of the same name (cisco), so look at the PKI part of the running configuration and export from that trustpoint. The "not enrolled" warning in the export is expected: the server's trustpoint holds only the CA certificate, which is exactly what we want.

CA(config)#do sh run | s crypto pki
crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC
crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco

(...output omitted...)

CA(config)#crypto pki export cisco pem terminal
% The specified trustpoint is not enrolled (cisco).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNjIxMDJaFw0xNDAxMzAx
NjIxMDJaMCUxDDAKBgNVBAsTA1RBQzEVMBMGA1UEAxMMQ0EuY2lzY28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0abU1
i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7youqxH
Io39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFzc9qX
6LKH43qGT/qG0wIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBhjAfBgNVHSMEGDAWgBRCyCby7OybBWvo0N9L6tt/D5ZOKTAdBgNVHQ4EFgQU
Qsgm8uzsmwVr6NDfS+rbfw+WTikwDQYJKoZIhvcNAQEEBQADgYEAAaCMCmKCIiUY
3tiav45B2ObCgv9J3y0KtzVs9mrPnO4dM89vF0KOcr2Kn8h9jFciNmSbH+ufv5CM
+3unQ3YqsM9WrthcYUfVgTGhZkq3KhISh1lYebjSynNAeJ2zh4Ft6HhC6Js8YYZG
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
-----END CERTIFICATE-----

Now paste it into the spoke. Before accepting it, compare the fingerprint with the one the CA reports as "CA cert fingerprint" in "show crypto pki server": this is the one step where trust is established, and a substituted CA certificate would only be caught here.

PINGER(config)#crypto ca authenticate CISCO

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
(...lines omitted...)
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
      Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD
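As an added example (this is not code from the original post, nor Cisco's), here is a stand-alone Python 3 script, standard library only, that performs the checks from section 3 and this section on the CA certificate exported above, which it embeds verbatim. It walks the DER, confirms that Issuer equals Subject and that the Authority Key Identifier equals the Subject Key Identifier, verifies the md5WithRSAEncryption signature under the certificate's own public key with a strict PKCS#1 v1.5 comparison (the complete expected encoding is rebuilt and compared whole, rather than parsing the padding), and computes the MD5 and SHA1 fingerprints the "crypto pki authenticate" prompt shows. It assumes, as IOS does, that those fingerprints are hashes of the DER-encoded certificate. The DER walker is written for this example and handles only what this certificate contains.

```python
import base64
import hashlib

# The CA certificate exactly as exported above with "crypto pki export cisco pem terminal".
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNjIxMDJaFw0xNDAxMzAx
NjIxMDJaMCUxDDAKBgNVBAsTA1RBQzEVMBMGA1UEAxMMQ0EuY2lzY28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0abU1
i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7youqxH
Io39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFzc9qX
6LKH43qGT/qG0wIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBhjAfBgNVHSMEGDAWgBRCyCby7OybBWvo0N9L6tt/D5ZOKTAdBgNVHQ4EFgQU
Qsgm8uzsmwVr6NDfS+rbfw+WTikwDQYJKoZIhvcNAQEEBQADgYEAAaCMCmKCIiUY
3tiav45B2ObCgv9J3y0KtzVs9mrPnO4dM89vF0KOcr2Kn8h9jFciNmSbH+ufv5CM
+3unQ3YqsM9WrthcYUfVgTGhZkq3KhISh1lYebjSynNAeJ2zh4Ft6HhC6Js8YYZG
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
-----END CERTIFICATE-----"""

OID_SKI = bytes.fromhex("551d0e")                  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")                  # 2.5.29.35 authorityKeyIdentifier
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")  # 1.2.840.113549.1.1.4 md5WithRSAEncryption
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")  # PKCS#1 v1.5 DigestInfo prefix for MD5

def pem_to_der(pem):
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def tlv(buf, pos):
    """Decode the DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, ln, p = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, p = int.from_bytes(buf[p:p + n], "big"), p + n
    return tag, p, p + ln

def children(buf, start, end):
    # Yield (tag, value_start, value_end, tlv_start) for every TLV inside buf[start:end].
    pos = start
    while pos < end:
        tag, vs, ve = tlv(buf, pos)
        yield tag, vs, ve, pos
        pos = ve

def parse_cert(der):
    """Extract what the checks need; handles only the structures this certificate uses."""
    _, cs, ce = tlv(der, 0)
    (_, tbs_vs, tbs_ve, tbs_start), (_, alg_vs, alg_ve, _), (_, sig_vs, sig_ve, _) = children(der, cs, ce)
    fields = [f for f in children(der, tbs_vs, tbs_ve) if f[0] != 0xA0]   # drop explicit [0] version
    serial, _sigalg, issuer, _validity, subject, spki, exts = fields[:7]  # exts = [3] Extensions
    # SubjectPublicKeyInfo -> BIT STRING (skip the unused-bits byte) -> RSAPublicKey { n, e }
    _, bs_vs, _, _ = list(children(der, spki[1], spki[2]))[1]
    _, rsa_vs, rsa_ve = tlv(der, bs_vs + 1)
    n_t, e_t = list(children(der, rsa_vs, rsa_ve))
    ski = aki = None
    _, seq_vs, seq_ve = tlv(der, exts[1])
    for _, ext_vs, ext_ve, _ in children(der, seq_vs, seq_ve):
        parts = list(children(der, ext_vs, ext_ve))             # OID, [critical BOOLEAN], OCTET STRING
        oid, val_vs = der[parts[0][1]:parts[0][2]], parts[-1][1]
        if oid == OID_SKI:                                      # extnValue holds OCTET STRING keyIdentifier
            _, k_vs, k_ve = tlv(der, val_vs)
            ski = der[k_vs:k_ve]
        elif oid == OID_AKI:                                    # extnValue holds SEQUENCE { [0] keyIdentifier, ... }
            _, a_vs, a_ve = tlv(der, val_vs)
            aki = next(der[k_vs:k_ve] for t, k_vs, k_ve, _ in children(der, a_vs, a_ve) if t == 0x80)
    sig_oid = next(children(der, alg_vs, alg_ve))
    return {
        "tbs": der[tbs_start:tbs_ve],                           # exactly the bytes the CA signed
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
        "issuer": der[issuer[3]:issuer[2]], "subject": der[subject[3]:subject[2]],   # raw DER Names
        "n": int.from_bytes(der[n_t[1]:n_t[2]], "big"), "e": int.from_bytes(der[e_t[1]:e_t[2]], "big"),
        "ski": ski, "aki": aki, "sig_oid": der[sig_oid[1]:sig_oid[2]],
        "signature": der[sig_vs + 1:sig_ve],                    # BIT STRING, unused-bits byte skipped
    }

def verify_md5_rsa_signature(cert, n, e):
    """Strict RSASSA-PKCS1-v1_5 check of cert['signature'] over cert['tbs'] under public key (n, e)."""
    if cert["sig_oid"] != OID_MD5_RSA:
        raise ValueError("unsupported signature algorithm")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(cert["signature"], "big")
    if len(cert["signature"]) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = MD5_DIGESTINFO + hashlib.md5(cert["tbs"]).digest()
    # Rebuild the complete expected encoding and compare it whole; never "parse" the padding.
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_self_signed(cert):
    """Issuer == Subject, AKI == SKI, and the signature verifies under the certificate's own key."""
    return (cert["issuer"] == cert["subject"] and cert["aki"] == cert["ski"]
            and verify_md5_rsa_signature(cert, cert["n"], cert["e"]))

def fingerprints(der):
    """MD5 and SHA1 of the DER certificate, grouped the way the IOS prompt prints them."""
    group = lambda h: " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return group(hashlib.md5(der).hexdigest().upper()), group(hashlib.sha1(der).hexdigest().upper())

if __name__ == "__main__":
    der = pem_to_der(CA_CERT_PEM)
    print("self-signed:", is_self_signed(parse_cert(der)), "fingerprints:", fingerprints(der))
```

Run as-is it reports the certificate as self-signed and prints the same MD5 and SHA1 fingerprints the spoke showed above, which is the comparison to make against "show crypto pki server" on the CA. With OpenSSL the equivalent one-liners are "openssl verify -CAfile ca.pem ca.pem" and "openssl x509 -in ca.pem -noout -fingerprint -md5". The same check applies to the SCEP authentication in section 6.2, where the CA certificate arrives over plain HTTP and the fingerprint prompt is the only thing standing between you and a substituted CA.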

4.2 Actual enrollment

4.2.1 Generate a Certificate signing request (CSR):

PINGER(config)#crypto pki enroll CISCO
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=Pinger.cisco.com,OU=TAC
% The subject name in the certificate will include: PINGER.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 273278
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]:
% Skipping IP address

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
(...base64 certificate request omitted...)
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

The CSR decodes to:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
                    88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
                    74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
                    d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
                    d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
                    35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
                    75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
                    d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
                    22:f7:6e:92:81:c0:49:af:7f

                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption
        0b:74:cb:63:29:38:e0:f0:86:91:bd:da:66:cc:f8:b0:98:df:
        b7:aa:e0:d9:17:9b:90:a2:08:dd:ae:c7:5a:82:10:c8:0a:c1:
        9b:cc:eb:a1:32:e6:1d:d8:16:61:b9:d8:48:a0:be:eb:3b:f3:
        a7:22:9a:87:b7:0a:74:c1:0c:99:fa:91:01:58:7e:c5:c0:df:
        bc:d1:4a:dc:d1:a4:e6:69:f7:d0:b5:a0:ec:03:3c:3c:bf:02:
        eb:ee:ce:57:f4:e0:fe:93:f6:43:a7:39:9b:c1:94:11:83:14:
        f8:55:29:9c:cc:91:fb:e1:94:68:89:5a:ef:70:c5:15:76:38:
        5b:51

Let's verify that the public key in this CSR is the spoke's own key.

Following is the public key on "PINGER" (checked via "show crypto key mypubkey rsa"):

   00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
    88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
    74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
    d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
    d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
    35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
    75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
    d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
    22:f7:6e:92:81:c0:49:af:7f

They match: the CSR carries the spoke's own public key, and the signature on the CSR (made with the matching private key) proves that the spoke actually holds it.

Sidenote. Handling of your RSA keys.

Do not share your private key with anyone. The private key, as opposed to the public one, must remain hidden: it stays on the device that generated it, or in a protected backup.

If you need to transport RSA keys over an insecure medium, make sure they are secured with a passphrase, and a strong one. This OpenSSL-style PEM format (Proc-Type: 4,ENCRYPTED with DEK-Info: DES-EDE3-CBC) derives the 3DES key from the passphrase with a single MD5 pass (EVP_BytesToKey), so the passphrase is the only thing between anyone holding the file and your private key. A passphrase like cisco123 is acceptable in a lab only.

Example:

I'm securing my RSA keys associated with label "cisco" with the passphrase "cisco123".

Please also note that the public key is NOT protected; it does not need to be.

CA(config)#crypto key export rsa cisco pem terminal 3des cisco123
% Key name: cisco
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0
abU1i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7yo
uqxHIo39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFz
c9qX6LKH43qGT/qG0wIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,443BEA5AEE91B3DB
(...encrypted private key omitted...)
-----END RSA PRIVATE KEY-----

4.2.2 Grant the certificate on the CA:

Let's feed the CSR into the CA, so the CA can sign it.

CA# crypto pki server cisco request pkcs10 terminal base64
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
MIIBujCCASMCAQAwWTEMMAoGA1UECxMDVEFDMRkwFwYDVQQDExBQaW5nZXIuY2lz
(...lines omitted...)
++GUaIla73DFFXY4W1E=
quit
% Enrollment request pending, reqId=1

Let's grant the certificate request on the CA. In manual granting mode this is the moment to make sure the request really came from the spoke: compare the request fingerprint shown on the spoke with the pending request on the CA ("crypto pki server cisco info requests") before granting it.

CA#crypto pki server cisco grant 1
% Granted certificate:
(...base64 certificate omitted...)

Which decodes to:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
       Issuer: OU=TAC, CN=CA.cisco.com
        Validity
            Not Before: Jan 31 17:46:32 2011 GMT
            Not After : Jan 31 17:46:32 2012 GMT
        Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                   00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
                    88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
                    74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
                    d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
                    d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
                    35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
                    75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
                    d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
                    22:f7:6e:92:81:c0:49:af:7f

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Authority Key Identifier:
                keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29

            X509v3 Subject Key Identifier:
                37:A8:2F:D6:2D:9B:47:4F:76:60:8E:13:8D:EC:9C:91:67:88:75:EB
    Signature Algorithm: md5WithRSAEncryption
        58:b4:f2:2f:de:62:ff:ad:4e:11:a5:d6:7f:d6:26:a3:95:60:
        bf:5d:0f:2f:44:95:bc:35:fd:10:00:50:d0:a6:7c:31:bd:7e:
        6a:55:36:ca:82:91:18:ca:2e:ca:64:0b:2b:ec:b1:9b:6f:48:
        44:94:3a:76:41:3a:51:15:15:8a:be:c2:7d:45:ac:7f:bc:3e:
        cc:b1:18:41:13:84:af:11:8e:91:c5:da:0b:41:12:ff:d1:15:
        5a:ca:75:87:df:55:f4:36:95:32:d4:80:64:f3:8a:8e:8d:a3:
        fd:84:40:ba:e0:16:79:39:67:49:a1:2f:5e:ae:0e:9a:bb:90:
        d3:c2

You will notice that the public key is the client's and not the CA's, while the Authority Key Identifier is the CA's key id (the Subject Key Identifier of the CA certificate).

It means that the CA with this key identifier signed this certificate: the signature at the bottom is computed with the CA's private key over the whole tbsCertificate (subject, public key, validity, extensions), and that signature is what binds the spoke's identity to the spoke's key. Also note the lifetime: the router certificate is valid for one year and the CA certificate for three, the IOS CA defaults.

4.2.3 Import the granted certificate:

PINGER(config)#crypto pki import CISCO certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
(...lines omitted...)
oS9erg6au5DTwg==

% Router Certificate successfully imported

5. Verification.

On the PKI client:

PINGER#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x2
  Certificate Usage: General Purpose
  Issuer:
    cn=CA.cisco.com
    ou=TAC
  Subject:
    Name: PINGER.cisco.com
    Serial Number: 273278
    serialNumber=273278+hostname=PINGER.cisco.com
    cn=Pinger.cisco.com
    ou=TAC
  Validity Date:
    start date: 17:46:32 CET Jan 31 2011
    end   date: 17:46:32 CET Jan 31 2012
  Associated Trustpoints: CISCO

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=CA.cisco.com
    ou=TAC
  Subject:
    cn=CA.cisco.com
    ou=TAC
  Validity Date:
    start date: 16:21:02 CET Jan 31 2011
    end   date: 16:21:02 CET Jan 30 2014
  Associated Trustpoints: CISCO

A trustpoint configured like this can be used to authenticate IPsec peers (IKE with rsa-sig authentication) and SSL sessions. Remember to save the configuration ("write memory"): the certificates live in NVRAM with the configuration and are lost otherwise, as the %PKI-4-NOAUTOSAVE message in section 6.2 reminds you.

6. SCEP enrollment process

Just so everyone can see how much faster and easier SCEP is, I'm going to enroll a spoke with SCEP.

6.1 Preparation on IOS CA for quick deployment

SCEP runs over HTTP, so the HTTP server has to be enabled on the CA; once it is, the certificate server is reachable as a SCEP endpoint:

CA(config)#ip http server
*Jan 31 18:48:49.314: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA(config)#exit

CA# sh crypto pki server
Certificate Server cisco:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA.cisco.com,OU=TAC
    CA cert fingerprint: FB9ADAE5 23B823D4 8C029A58 3BBE7630
    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 16:21:02 CET Jan 30 2014
    CRL NextUpdate timer: 22:21:02 CET Jan 31 2011
    Current primary storage dir: nvram:
    Current storage dir for .p12 files: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer

Let's also make sure that certificates are granted automatically. Be aware of what "grant auto" means: every enrollment request that reaches the CA over HTTP is signed without anyone looking at it, so whoever can reach 10.34.10.1:80 can obtain a certificate from this CA. Use it while rolling out a lab or a protected network, restrict access to the HTTP server (for example with "ip http access-class"), and switch back to manual granting afterwards.

CA(config)#crypto pki server cisco
CA(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
CA(cs-server)#grant auto
CA(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
*Jan 31 18:54:14.226: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.

6.2 Let's enroll the spoke:

Spoke config

Spoke_895(config)#do sh run | s crypto pki
crypto pki trustpoint cisco
enrollment url http://10.34.10.1:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
source interface Ethernet1/0
auto-enroll

Let's see the process. Please note that all I needed to do was type "yes" at the fingerprint prompt, which remains the one check worth doing by hand: compare the fingerprint with the one on the CA before accepting.

Spoke_895(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
      Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Spoke_895(config)#%
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=Spoke.cisco.com,OU=TAC
% The subject name in the certificate will include: Spoke_895.cisco.com
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate cisco verbose' commandwill show the fingerprint.

*Jan 31 18:56:30.938: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Spoke_895(config)#
*Jan 31 18:56:30.950: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 6BFE1B37 F3575C3A 178D1030 CA0390F9
*Jan 31 18:56:30.950: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 39C3BCDC 426E0733 8316CAA2 E1F5446C EEE959D3
Spoke_895(config)#
*Jan 31 18:56:33.250: %PKI-6-CERTRET: Certificate received from Certificate Authority
Spoke_895(config)#
*Jan 31 18:56:33.250: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate

DONE!

6.3 SCEP enrollment verification.

Spoke_895#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x3
  Certificate Usage: General Purpose
  Issuer:
    cn=CA.cisco.com
    ou=TAC
  Subject:
    Name: Spoke_895.cisco.com
    hostname=Spoke_895.cisco.com
    cn=Spoke.cisco.com
    ou=TAC
  Validity Date:
    start date: 18:56:33 CET Jan 31 2011
    end   date: 18:56:33 CET Jan 31 2012
  Associated Trustpoints: cisco

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=CA.cisco.com
    ou=TAC
  Subject:
    cn=CA.cisco.com
    ou=TAC
  Validity Date:
    start date: 16:21:02 CET Jan 31 2011
    end   date: 16:21:02 CET Jan 30 2014
  Associated Trustpoints: cisco


You are now ready to establish VPN between Pinger and Spoke_895.

7. Final configuration.


7.1 CA configuration

crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
database url p12 nvram:

no shut

The following trustpoint is generated automatically:

crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco

7.2 Example spoke config

SCEP

crypto pki trustpoint cisco
enrollment url http://10.34.10.1:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
source interface Ethernet1/0
auto-enroll

Non-scep

crypto pki trustpoint CISCO
enrollment terminal
subject-name CN=Pinger.cisco.com,OU=TAC
revocation-check crl

8. Further reading.

- Configuration guide: how to configure IOS CA.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html

- I used OpenSSL to decode the certificates and the CSR shown in this document:

http://www.openssl.org/

- about PKI in general:

http://en.wikipedia.org/wiki/Public_key_infrastructure

- about SCEP:

http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol

9. Feedback

If you have any feedback or suggestions - leave a comment.
