- Cisco Community
- Technology and Support
- Security
- Security Knowledge Base
- IOS CA - basic deployment; certificate enrollment and signing process.
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
01-31-2011 08:22 AM - edited 08-29-2017 02:37 AM
1. Purpose of this document
This document is intended as an introduction to how to implement basic deployment of IOS CA and understand the process behind certificate enrollment.
2. What is IOS CA?
IOS CA is short for Certificate Authority on IOS. It's a simple, yet very powerful tool to deploy certificates in environments where PKI is needed for security reasons.
A typical scenario would be a VPN between two or more hosts and this is why the document is in this section of forums.
Please note that for the purpose of this exercise I will focus on manual deployment, rather than using SCEP.
SCEP is the more efficient and automatic way to deploy and maintain certificates and will be showcased in section 6.
During this exercise I'm using an older version of IOS - 12.4(15)T.
3. Configuration
For purpose of this exercise I'm using a very basic configuration.
ntp server 192.168.5.1
hostname CA
ip domain-name cisco.com
crypto key generate rsa modulus 1024 label cisco exportable
crypto key export rsa cisco perm url nvram: 3des cisco123
crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC
no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco123
Re-enter password: cisco123
% Exporting Certificate Server signing certificate and keys...
Let's have a look at CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=TAC, CN=CA.cisco.com
Validity
Not Before: Jan 31 16:21:02 2011 GMT
Not After : Jan 30 16:21:02 2014 GMT
Subject: OU=TAC, CN=CA.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
b2:87:e3:7a:86:4f:fa:86:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29
X509v3 Subject Key Identifier:
42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29
Signature Algorithm: md5WithRSAEncryption
01:a0:8c:0a:62:82:22:25:18:de:d8:9a:bf:8e:41:d8:e6:c2:
82:ff:49:df:2d:0a:b7:35:6c:f6:6a:cf:9c:ee:1d:33:cf:6f:
17:42:8e:72:bd:8a:9f:c8:7d:8c:57:22:36:64:9b:1f:eb:9f:
bf:90:8c:fb:7b:a7:43:76:2a:b0:cf:56:ae:d8:5c:61:47:d5:
81:31:a1:66:4a:b7:2a:12:12:87:59:58:79:b8:d2:ca:73:40:
78:9d:b3:87:81:6d:e8:78:42:e8:9b:3c:61:86:46:f2:72:ae:
db:dc:44:51:92:24:1f:fa:28:96:ef:12:ba:f3:7a:33:37:5c:
b1:39
Please note that the public key of CA decodes to.
You can find the public key in "show crypto key mypub rsa" output.
00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
b2:87:e3:7a:86:4f:fa:86:d3
Note that keyid and subjet key identifier are the same. Since both are the same the certificate is self signed.
4. Getting a spoke up to speed.
Getting a spoke functional in terms of PKI will require two steps.
But also some basic preparation:
ntp server 192.168.5.1
hostname PINGER
ip domain-name cisco.com
crypto key generate rsa modulus 1024
Following this one should create a container for certificate - a trustpoint.
crypto pki trustpoint CISCO
enrollment terminal
subject-name CN=Pinger.cisco.com,OU=TAC
revocation-check crl
4.1 Authentication.
We need to specify which CA we can trust.
We'll use certificate from CA I just created.
First of you need to export it from CA itself. To do this you need to see the certificat associated with PKI server and export.
CAconfig)#do sh run | s crypto pki
crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC
crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco
(...output ommited...)
CA(config)#crypto pki export cisco pem terminal
% The specified trustpoint is not enrolled (cisco).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNjIxMDJaFw0xNDAxMzAx
NjIxMDJaMCUxDDAKBgNVBAsTA1RBQzEVMBMGA1UEAxMMQ0EuY2lzY28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0abU1
i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7youqxH
Io39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFzc9qX
6LKH43qGT/qG0wIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBhjAfBgNVHSMEGDAWgBRCyCby7OybBWvo0N9L6tt/D5ZOKTAdBgNVHQ4EFgQU
Qsgm8uzsmwVr6NDfS+rbfw+WTikwDQYJKoZIhvcNAQEEBQADgYEAAaCMCmKCIiUY
3tiav45B2ObCgv9J3y0KtzVs9mrPnO4dM89vF0KOcr2Kn8h9jFciNmSbH+ufv5CM
+3unQ3YqsM9WrthcYUfVgTGhZkq3KhISh1lYebjSynNAeJ2zh4Ft6HhC6Js8YYZG
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
-----END CERTIFICATE-----
PINGER(config)#crypto ca authenticate CISCO
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
(...lines ommited...)
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD
4.2 Actual enrollment
4.2.1 Generate a Certificate signing request (CSR):
PINGER(config)#crypto pki enroll CISCO
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=Pinger.cisco.com,OU=TAC
% The subject name in the certificate will include: PINGER.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 273278
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]:
% Skipping IP address
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIBujCCASMCAQAwWTEMMAoGA1UECxMDVEFDMRkwFwYDVQQDExBQaW5nZXIuY2lz
Y28uY29tMS4wDQYDVQQFEwYyNzMyNzgwHQYJKoZIhvcNAQkCFhBQSU5HRVIuY2lz
Y28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbNqBE3uduYMm747yK
lIgDFOVpN4VzpwkxXWkHVXR9kTum7UVWJ4MS2TNAptLc49NyP3mfLxL2XB5Gy9Cz
v3etCHaKqHYed5YEEzXUtF+du8kXA8WXeUT7+nVsHz41PoKlkOnechKTNNFAsEqg
pDfBSWGPWFPJ5yL3bpKBwEmvfwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNV
HQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEEBQADgYEAC3TLYyk44PCGkb3aZsz4sJjf
t6rg2RebkKII3a7HWoIQyArBm8zroTLmHdgWYbnYSKC+6zvzpyKah7cKdMEMmfqR
AVh+xcDfvNFK3NGk5mn30LWg7AM8PL8C6+7OV/Tg/pP2Q6c5m8GUEYMU+FUpnMyR
++GUaIla73DFFXY4W1E=
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
The CSR decodes to:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
22:f7:6e:92:81:c0:49:af:7f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Signature Algorithm: md5WithRSAEncryption
0b:74:cb:63:29:38:e0:f0:86:91:bd:da:66:cc:f8:b0:98:df:
b7:aa:e0:d9:17:9b:90:a2:08:dd:ae:c7:5a:82:10:c8:0a:c1:
9b:cc:eb:a1:32:e6:1d:d8:16:61:b9:d8:48:a0:be:eb:3b:f3:
a7:22:9a:87:b7:0a:74:c1:0c:99:fa:91:01:58:7e:c5:c0:df:
bc:d1:4a:dc:d1:a4:e6:69:f7:d0:b5:a0:ec:03:3c:3c:bf:02:
eb:ee:ce:57:f4:e0:fe:93:f6:43:a7:39:9b:c1:94:11:83:14:
f8:55:29:9c:cc:91:fb:e1:94:68:89:5a:ef:70:c5:15:76:38:
5b:51
Let's verify the public key in this CSR.
Following is the public key on "PINGER" (checked via "show crypto key mypub rsa")
00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
22:f7:6e:92:81:c0:49:af:7f
They match.
Sidenote. Handling of your RSA keys.
Do not share your private key with anyone. Private key, as opposed to public one, should remain hidden.
If you need to transport the RSA keys over insecure medium make sure they are secured with password.
Example:
I'm securing my RSA keys associated with label "cisco" with passord of "cisco123".
Please also note that the public key is NOT protected.
CA(config)#crypto key export rsa cisco pem terminal 3des cisco123
% Key name: cisco
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0
abU1i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7yo
uqxHIo39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFz
c9qX6LKH43qGT/qG0wIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,443BEA5AEE91B3DB
8a8Sfj+WaS8+ZXjTfjxHMjv857S89eBvF4h3LPBQjH96AEa7JN+VOJRvrNZC1YCM
m6Vlnf5wAs0koTpVXAvm/D4a8F9iO64xKAwISBMcbE88ZtGZBZtOzzkJzBy5F/Am
kJb7k8ClwEev8cXS7JzaA/cQd+SLI2IwWnKnLtxxZU0Fmn49jjpzpDqzcHuYb7G3
anCMWRWyusaL2wFWceupMVCGYqhyrZbmS0ogQlgDbqiVUfwumF+tP/cwjHCDH+qR
6RL6YASWaq+GKmHaCJhuLt1/cBXcKIQh0Ij1UzCEyoqrYGxC+nDVUynGH11nU2+g
8m+uzQ1GLSJK/i9FDedMw4ctbsZSz1hH246uiAFoZygBLLcSbynLw99CO29XKPbz
6FfArIHC0+4YXkHlPbRvJhHSTxabg16shd3Aq23sW6up11AUbTnHKPGS0eeZT1Om
I4InMxeMfARH7XMQW0E0s+oKqO5EMn8CF8Pu+IT3DJefnfvlneABBguR8aPbebB2
nZiQfz1033LpvZ6Ij8J/TTu8V2djT4weKtw24iFI7HMtmgjFmtejjESseBAsezDO
4Sz0gLvX+YbdqVqxfBlf5X32GlF/6ieV30fgvvx7v6OeYFG7BuJLkzKHpAI5/Mz3
5Lpzhc7**bleep**N3Xk3t25qqTZ5JkHU/29eBhzFAjZZT0vELcXT/yal6WFf0HGcTQku
EdxN+MIB5tmN+dpN+hEusKwgNfWovCiroouLBhmrYt9cxdsfQB94glLDB415OU2a
idkb8K08fhbQMZ/tkPdrXhaa6Lt2DcMD2ZiI4+0Jpe8=
-----END RSA PRIVATE KEY-----
4.2.2 Grant the certificate on CA:
Let's introduce the CSR into CA, so CA can sign it.
CA# crypto pki server cisco request pkcs10 terminal base64
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
MIIBujCCASMCAQAwWTEMMAoGA1UECxMDVEFDMRkwFwYDVQQDExBQaW5nZXIuY2lz
(.... lines ommited...)
++GUaIla73DFFXY4W1E=
quit
% Enrollment request pending, reqId=1
Let's grant the certificate request in CA.
CA#crypto pki server cisco grant 1
% Granted certificate:
MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNzQ2MzJaFw0xMjAxMzEx
NzQ2MzJaMFkxDDAKBgNVBAsTA1RBQzEZMBcGA1UEAxMQUGluZ2VyLmNpc2NvLmNv
bTEuMA0GA1UEBRMGMjczMjc4MB0GCSqGSIb3DQEJAhYQUElOR0VSLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmzagRN7nbmDJu+O8ipSIAxTl
aTeFc6cJMV1pB1V0fZE7pu1FVieDEtkzQKbS3OPTcj95ny8S9lweRsvQs793rQh2
iqh2HneWBBM11LRfnbvJFwPFl3lE+/p1bB8+NT6CpZDp3nISkzTRQLBKoKQ3wUlh
j1hTyeci926SgcBJr38CAwEAAaNSMFAwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQY
MBaAFELIJvLs7JsFa+jQ30vq238Plk4pMB0GA1UdDgQWBBQ3qC/WLZtHT3ZgjhON
7JyRZ4h16zANBgkqhkiG9w0BAQQFAAOBgQBYtPIv3mL/rU4RpdZ/1iajlWC/XQ8v
RJW8Nf0QAFDQpnwxvX5qVTbKgpEYyi7KZAsr7LGbb0hElDp2QTpRFRWKvsJ9Rax/
vD7MsRhBE4SvEY6RxdoLQRL/0RVaynWH31X0NpUy1IBk84qOjaP9hEC64BZ5OWdJ
oS9erg6au5DTwg==
Which decodes to:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=TAC, CN=CA.cisco.com
Validity
Not Before: Jan 31 17:46:32 2011 GMT
Not After : Jan 31 17:46:32 2012 GMT
Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
22:f7:6e:92:81:c0:49:af:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Authority Key Identifier:
keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29
X509v3 Subject Key Identifier:
37:A8:2F:D6:2D:9B:47:4F:76:60:8E:13:8D:EC:9C:91:67:88:75:EB
Signature Algorithm: md5WithRSAEncryption
58:b4:f2:2f:de:62:ff:ad:4e:11:a5:d6:7f:d6:26:a3:95:60:
bf:5d:0f:2f:44:95:bc:35:fd:10:00:50:d0:a6:7c:31:bd:7e:
6a:55:36:ca:82:91:18:ca:2e:ca:64:0b:2b:ec:b1:9b:6f:48:
44:94:3a:76:41:3a:51:15:15:8a:be:c2:7d:45:ac:7f:bc:3e:
cc:b1:18:41:13:84:af:11:8e:91:c5:da:0b:41:12:ff:d1:15:
5a:ca:75:87:df:55:f4:36:95:32:d4:80:64:f3:8a:8e:8d:a3:
fd:84:40:ba:e0:16:79:39:67:49:a1:2f:5e:ae:0e:9a:bb:90:
d3:c2
you will notice that public key is the one of client and not CA but the keyid is the one of CA.
It means that that CA, with this key identifier, signed this certificate.
4.2.3 Import the granted certificate:
PINGER(config)#crypto pki import CISCO certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
(....lines ommited....)
oS9erg6au5DTwg==
% Router Certificate successfully imported
5. Verification.
On PKI client.
PINGER#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 0x2
Certificate Usage: General Purpose
Issuer:
cn=CA.cisco.com
ou=TAC
Subject:
Name: PINGER.cisco.com
Serial Number: 273278
serialNumber=273278+hostname=PINGER.cisco.com
cn=Pinger.cisco.com
ou=TAC
Validity Date:
start date: 17:46:32 CET Jan 31 2011
end date: 17:46:32 CET Jan 31 2012
Associated Trustpoints: CISCO
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=CA.cisco.com
ou=TAC
Subject:
cn=CA.cisco.com
ou=TAC
Validity Date:
start date: 16:21:02 CET Jan 31 2011
end date: 16:21:02 CET Jan 30 2014
Associated Trustpoints: CISCO
A trustpoint configured like this can be used to authenticate and validate IPSec and SSL sessions coming in.
6. SCEP enrollment process
Just so everyone can see how faster and easier SCEP is, I'm going to enroll a spoke with SCEP.
6.1 Preparation on IOS CA for quick deployment
CA(config)#ip http server
*Jan 31 18:48:49.314: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA(config)#exit
CA# sh crypto pki server
Certificate Server cisco:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA.cisco.com,OU=TAC
CA cert fingerprint: FB9ADAE5 23B823D4 8C029A58 3BBE7630
Granting mode is: manual
Last certificate issued serial number: 0x2
CA certificate expiration timer: 16:21:02 CET Jan 30 2014
CRL NextUpdate timer: 22:21:02 CET Jan 31 2011
Current primary storage dir: nvram:
Current storage dir for .p12 files: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
Let's also make sure that certificates are granted automatically;
CAconfig)#crypto pki server cisco
CA(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
CA(cs-server)#grant auto
CA(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
*Jan 31 18:54:14.226: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
6.2 Let's enroll the the spoke:
Spoke config
Spoke_895(config)#do sh run | s crypto pki
crypto pki trustpoint cisco
enrollment url http://10.34.10.1:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
source interface Ethernet1/0
auto-enroll
Let's see the process - please note that all I needed to do is type "yes".
Spoke_895(config)#crypto pki authenticate cisco
Certificate has the following attributes:
Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Spoke_895(config)#%
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=Spoke.cisco.com,OU=TAC
% The subject name in the certificate will include: Spoke_895.cisco.com
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate cisco verbose' commandwill show the fingerprint.
*Jan 31 18:56:30.938: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Spoke_895(config)#
*Jan 31 18:56:30.950: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6BFE1B37 F3575C3A 178D1030 CA0390F9
*Jan 31 18:56:30.950: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 39C3BCDC 426E0733 8316CAA2 E1F5446C EEE959D3
Spoke_895(config)#
*Jan 31 18:56:33.250: %PKI-6-CERTRET: Certificate received from Certificate Authority
Spoke_895(config)#
*Jan 31 18:56:33.250: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
DONE!
6.3 SCEP enrollment verifications.
Spoke_895#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 0x3
Certificate Usage: General Purpose
Issuer:
cn=CA.cisco.com
ou=TAC
Subject:
Name: Spoke_895.cisco.com
hostname=Spoke_895.cisco.com
cn=Spoke.cisco.com
ou=TAC
Validity Date:
start date: 18:56:33 CET Jan 31 2011
end date: 18:56:33 CET Jan 31 2012
Associated Trustpoints: cisco
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=CA.cisco.com
ou=TAC
Subject:
cn=CA.cisco.com
ou=TAC
Validity Date:
start date: 16:21:02 CET Jan 31 2011
end date: 16:21:02 CET Jan 30 2014
Associated Trustpoints: cisco
You are now ready to establish VPN between Pinger and Spoke_895.
7. Final configuration.
7.1 CA configuration
crypto pki server cisco
database level complete
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
database url p12 nvram:
no shut
Following trustpoing is generated automatically.
crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco
7.2 Example spoke config
SCEP
crypto pki trustpoint cisco
enrollment url http://10.34.10.1:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
source interface Ethernet1/0
auto-enroll
Non-scep
crypto pki trustpoint CISCO
enrollment terminal
subject-name CN=Pinger.cisco.com,OU=TAC
revocation-check crl
8. Further reading.
- Configuration guide - how to configure IOS CA.
- I used open ssl to decode part of this document:
- about PKI in general:
http://en.wikipedia.org/wiki/Public_key_infrastructure
- about SCEP:
http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
9. Feedback
If you have any feedback or suggestions - leave a comment.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
One of the best explanations I've found.. Bravo !!
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thank you very much Marcin. This greatly helped me get up to speed with IOS CA!
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
awesome
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: