
IOS CA - basic deployment; certificate enrollment and signing process.

    1. Purpose of this document

    This document is an introduction to a basic IOS CA deployment and to the process behind certificate enrollment.

    2. What is IOS CA?

    IOS CA is short for Certificate Authority on IOS. It's a simple yet very powerful tool for deploying certificates in environments where PKI is needed for security reasons.

    A typical scenario would be a VPN between two or more hosts, which is why this document is in this section of the forums.

    Please note that for the purpose of this exercise I will focus on manual deployment rather than SCEP.

    SCEP is the more efficient and automatic way to deploy and maintain certificates and will be showcased in section 6.

    During this exercise I'm using an older version of IOS: 12.4(15)T.

    3. Configuration

     

    For the purpose of this exercise I'm using a very basic configuration.

    ntp server 192.168.5.1

    hostname CA

    ip domain-name cisco.com

    crypto key generate rsa modulus 1024 label cisco exportable

    crypto key export rsa cisco perm url nvram: 3des cisco123

     

    crypto pki server cisco
    database level complete
    issuer-name CN=CA.cisco.com,OU=TAC

    no shut
    %Some server settings cannot be changed after CA certificate generation.
    % Please enter a passphrase to protect the private key
    % or type Return to exit
    Password: cisco123

    Re-enter password: cisco123
    % Exporting Certificate Server signing certificate and keys...

     

    Let's have a look at the CA certificate (decoded with OpenSSL):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: OU=TAC, CN=CA.cisco.com
            Validity
                Not Before: Jan 31 16:21:02 2011 GMT
                Not After : Jan 30 16:21:02 2014 GMT
            Subject: OU=TAC, CN=CA.cisco.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):

                        00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
                        e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
                        3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
                        5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
                        52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
                        af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
                        4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
                        04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
                        b2:87:e3:7a:86:4f:fa:86:d3

                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Authority Key Identifier:
                    keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29

                X509v3 Subject Key Identifier:
                    42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29
        Signature Algorithm: md5WithRSAEncryption
            01:a0:8c:0a:62:82:22:25:18:de:d8:9a:bf:8e:41:d8:e6:c2:
            82:ff:49:df:2d:0a:b7:35:6c:f6:6a:cf:9c:ee:1d:33:cf:6f:
            17:42:8e:72:bd:8a:9f:c8:7d:8c:57:22:36:64:9b:1f:eb:9f:
            bf:90:8c:fb:7b:a7:43:76:2a:b0:cf:56:ae:d8:5c:61:47:d5:
            81:31:a1:66:4a:b7:2a:12:12:87:59:58:79:b8:d2:ca:73:40:
            78:9d:b3:87:81:6d:e8:78:42:e8:9b:3c:61:86:46:f2:72:ae:
            db:dc:44:51:92:24:1f:fa:28:96:ef:12:ba:f3:7a:33:37:5c:
            b1:39

     

    The CA's public key in this certificate decodes to the value below; you can find the same public key in the "show crypto key mypub rsa" output on the CA.

        00:85:50:2a:9b:b0:b9:d7:9d:10:f6:a9:3e:18:03:
        e7:53:9f:db:f4:69:b5:35:8b:4b:2d:6d:48:67:dc:
        3b:79:b2:c2:3b:e4:aa:3a:92:b5:fd:32:25:de:19:
        5e:be:cf:f0:db:53:63:d3:57:39:de:ac:0b:78:d5:
        52:e3:0c:e4:e9:17:bc:a8:ba:ac:47:22:8d:fd:27:
        af:c4:9e:c3:d4:8e:0a:e3:30:65:01:95:4b:be:24:
        4c:27:c0:e6:ca:ca:1f:d9:00:df:f5:08:43:54:a5:
        04:32:e2:68:85:e6:b6:9c:94:11:73:73:da:97:e8:
        b2:87:e3:7a:86:4f:fa:86:d3

    Note that the Authority Key Identifier (keyid) and the Subject Key Identifier are the same. Because they match, the certificate is self-signed: the CA signed it with its own key.

    4. Getting a spoke up to speed.

    Getting a spoke functional in terms of PKI requires two steps (authentication and enrollment, described below), but first some basic preparation:

    ntp server 192.168.5.1

    hostname PINGER

    ip domain-name cisco.com

    crypto key generate rsa modulus 1024

     

    Next, create a container for the certificate: a trustpoint.

    crypto pki trustpoint CISCO
    enrollment terminal
    subject-name CN=Pinger.cisco.com,OU=TAC
    revocation-check crl

     

    4.1 Authentication.

    We need to specify which CA we trust. We'll use the certificate of the CA I just created.

    First off, you need to export it from the CA itself. To do this, look at the trustpoint associated with the PKI server and export its certificate.

    CA(config)#do sh run | s crypto pki
    crypto pki server cisco
    database level complete
    issuer-name CN=CA.cisco.com,OU=TAC
    crypto pki trustpoint cisco
    revocation-check crl
    rsakeypair cisco

    (...output omitted...)

    CA(config)#crypto pki export cisco pem terminal
    % The specified trustpoint is not enrolled (cisco).
    % Only export the CA certificate in PEM format.
    % CA certificate:
    -----BEGIN CERTIFICATE-----
    MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
    FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNjIxMDJaFw0xNDAxMzAx
    NjIxMDJaMCUxDDAKBgNVBAsTA1RBQzEVMBMGA1UEAxMMQ0EuY2lzY28uY29tMIGf
    MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0abU1
    i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7youqxH
    Io39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFzc9qX
    6LKH43qGT/qG0wIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
    AwIBhjAfBgNVHSMEGDAWgBRCyCby7OybBWvo0N9L6tt/D5ZOKTAdBgNVHQ4EFgQU
    Qsgm8uzsmwVr6NDfS+rbfw+WTikwDQYJKoZIhvcNAQEEBQADgYEAAaCMCmKCIiUY
    3tiav45B2ObCgv9J3y0KtzVs9mrPnO4dM89vF0KOcr2Kn8h9jFciNmSbH+ufv5CM
    +3unQ3YqsM9WrthcYUfVgTGhZkq3KhISh1lYebjSynNAeJ2zh4Ft6HhC6Js8YYZG
    8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
    -----END CERTIFICATE-----

    PINGER(config)#crypto ca authenticate CISCO

    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
    (...lines omitted...)
    8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
           Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
          Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD

     

     

    4.2 Actual enrollment

    4.2.1 Generate a Certificate signing request (CSR):

    PINGER(config)#crypto pki enroll CISCO
    % Start certificate enrollment ..

    % The subject name in the certificate will include: CN=Pinger.cisco.com,OU=TAC
    % The subject name in the certificate will include: PINGER.cisco.com
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: 273278
    % Include an IP address in the subject name? [no]: yes
    Enter Interface name or IP Address[]:
    % Skipping IP address

    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:

    MIIBujCCASMCAQAwWTEMMAoGA1UECxMDVEFDMRkwFwYDVQQDExBQaW5nZXIuY2lz
    Y28uY29tMS4wDQYDVQQFEwYyNzMyNzgwHQYJKoZIhvcNAQkCFhBQSU5HRVIuY2lz
    Y28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbNqBE3uduYMm747yK
    lIgDFOVpN4VzpwkxXWkHVXR9kTum7UVWJ4MS2TNAptLc49NyP3mfLxL2XB5Gy9Cz
    v3etCHaKqHYed5YEEzXUtF+du8kXA8WXeUT7+nVsHz41PoKlkOnechKTNNFAsEqg
    pDfBSWGPWFPJ5yL3bpKBwEmvfwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNV
    HQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEEBQADgYEAC3TLYyk44PCGkb3aZsz4sJjf
    t6rg2RebkKII3a7HWoIQyArBm8zroTLmHdgWYbnYSKC+6zvzpyKah7cKdMEMmfqR
    AVh+xcDfvNFK3NGk5mn30LWg7AM8PL8C6+7OV/Tg/pP2Q6c5m8GUEYMU+FUpnMyR
    ++GUaIla73DFFXY4W1E=

    ---End - This line not part of the certificate request---

    Redisplay enrollment request? [yes/no]: no

     

    The CSR decodes to:

     

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
                        88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
                        74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
                        d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
                        d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
                        35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
                        75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
                        d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
                        22:f7:6e:92:81:c0:49:af:7f

                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
        Signature Algorithm: md5WithRSAEncryption
            0b:74:cb:63:29:38:e0:f0:86:91:bd:da:66:cc:f8:b0:98:df:
            b7:aa:e0:d9:17:9b:90:a2:08:dd:ae:c7:5a:82:10:c8:0a:c1:
            9b:cc:eb:a1:32:e6:1d:d8:16:61:b9:d8:48:a0:be:eb:3b:f3:
            a7:22:9a:87:b7:0a:74:c1:0c:99:fa:91:01:58:7e:c5:c0:df:
            bc:d1:4a:dc:d1:a4:e6:69:f7:d0:b5:a0:ec:03:3c:3c:bf:02:
            eb:ee:ce:57:f4:e0:fe:93:f6:43:a7:39:9b:c1:94:11:83:14:
            f8:55:29:9c:cc:91:fb:e1:94:68:89:5a:ef:70:c5:15:76:38:
            5b:51

     

    Let's verify the public key in this CSR.

    The following is the public key on "PINGER" (checked via "show crypto key mypub rsa"):

        00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
        88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
        74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
        d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
        d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
        35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
        75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
        d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
        22:f7:6e:92:81:c0:49:af:7f

    They match.

     

    Sidenote: handling of your RSA keys.

    Do not share your private key with anyone. The private key, as opposed to the public one, must remain secret.

    If you need to transport RSA keys over an insecure medium, make sure they are protected with a password.

    Example:

    I'm securing my RSA keys associated with the label "cisco" with the password "cisco123".

    Please also note that the public key is NOT protected.

    CA(config)#crypto key export rsa cisco pem terminal 3des cisco123
    % Key name: cisco
       Usage: General Purpose Key
       Key data:
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0
    abU1i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7yo
    uqxHIo39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFz
    c9qX6LKH43qGT/qG0wIDAQAB
    -----END PUBLIC KEY-----
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,443BEA5AEE91B3DB

     

    8a8Sfj+WaS8+ZXjTfjxHMjv857S89eBvF4h3LPBQjH96AEa7JN+VOJRvrNZC1YCM
    m6Vlnf5wAs0koTpVXAvm/D4a8F9iO64xKAwISBMcbE88ZtGZBZtOzzkJzBy5F/Am
    kJb7k8ClwEev8cXS7JzaA/cQd+SLI2IwWnKnLtxxZU0Fmn49jjpzpDqzcHuYb7G3
    anCMWRWyusaL2wFWceupMVCGYqhyrZbmS0ogQlgDbqiVUfwumF+tP/cwjHCDH+qR
    6RL6YASWaq+GKmHaCJhuLt1/cBXcKIQh0Ij1UzCEyoqrYGxC+nDVUynGH11nU2+g
    8m+uzQ1GLSJK/i9FDedMw4ctbsZSz1hH246uiAFoZygBLLcSbynLw99CO29XKPbz
    6FfArIHC0+4YXkHlPbRvJhHSTxabg16shd3Aq23sW6up11AUbTnHKPGS0eeZT1Om
    I4InMxeMfARH7XMQW0E0s+oKqO5EMn8CF8Pu+IT3DJefnfvlneABBguR8aPbebB2
    nZiQfz1033LpvZ6Ij8J/TTu8V2djT4weKtw24iFI7HMtmgjFmtejjESseBAsezDO
    4Sz0gLvX+YbdqVqxfBlf5X32GlF/6ieV30fgvvx7v6OeYFG7BuJLkzKHpAI5/Mz3
    5Lpzhc7**bleep**N3Xk3t25qqTZ5JkHU/29eBhzFAjZZT0vELcXT/yal6WFf0HGcTQku
    EdxN+MIB5tmN+dpN+hEusKwgNfWovCiroouLBhmrYt9cxdsfQB94glLDB415OU2a
    idkb8K08fhbQMZ/tkPdrXhaa6Lt2DcMD2ZiI4+0Jpe8=
    -----END RSA PRIVATE KEY-----

     

     

    4.2.2 Grant the certificate on CA:

     

    Let's introduce the CSR into CA, so CA can sign it.

    CA# crypto pki server cisco request pkcs10 terminal base64
    % Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
    % End with a blank line or "quit" on a line by itself.
    MIIBujCCASMCAQAwWTEMMAoGA1UECxMDVEFDMRkwFwYDVQQDExBQaW5nZXIuY2lz
    (....lines omitted...)
    ++GUaIla73DFFXY4W1E=
    quit
    % Enrollment request pending, reqId=1

    Let's grant the certificate request on the CA.

    CA#crypto pki server cisco grant 1
    % Granted certificate:
    MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
    FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNzQ2MzJaFw0xMjAxMzEx
    NzQ2MzJaMFkxDDAKBgNVBAsTA1RBQzEZMBcGA1UEAxMQUGluZ2VyLmNpc2NvLmNv
    bTEuMA0GA1UEBRMGMjczMjc4MB0GCSqGSIb3DQEJAhYQUElOR0VSLmNpc2NvLmNv
    bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmzagRN7nbmDJu+O8ipSIAxTl
    aTeFc6cJMV1pB1V0fZE7pu1FVieDEtkzQKbS3OPTcj95ny8S9lweRsvQs793rQh2
    iqh2HneWBBM11LRfnbvJFwPFl3lE+/p1bB8+NT6CpZDp3nISkzTRQLBKoKQ3wUlh
    j1hTyeci926SgcBJr38CAwEAAaNSMFAwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQY
    MBaAFELIJvLs7JsFa+jQ30vq238Plk4pMB0GA1UdDgQWBBQ3qC/WLZtHT3ZgjhON
    7JyRZ4h16zANBgkqhkiG9w0BAQQFAAOBgQBYtPIv3mL/rU4RpdZ/1iajlWC/XQ8v
    RJW8Nf0QAFDQpnwxvX5qVTbKgpEYyi7KZAsr7LGbb0hElDp2QTpRFRWKvsJ9Rax/
    vD7MsRhBE4SvEY6RxdoLQRL/0RVaynWH31X0NpUy1IBk84qOjaP9hEC64BZ5OWdJ
    oS9erg6au5DTwg==

     

    Which decodes to:

     

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: OU=TAC, CN=CA.cisco.com
            Validity
                Not Before: Jan 31 17:46:32 2011 GMT
                Not After : Jan 31 17:46:32 2012 GMT
            Subject: OU=TAC, CN=Pinger.cisco.com/serialNumber=273278/unstructuredName=PINGER.cisco.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:9b:36:a0:44:de:e7:6e:60:c9:bb:e3:bc:8a:94:
                        88:03:14:e5:69:37:85:73:a7:09:31:5d:69:07:55:
                        74:7d:91:3b:a6:ed:45:56:27:83:12:d9:33:40:a6:
                        d2:dc:e3:d3:72:3f:79:9f:2f:12:f6:5c:1e:46:cb:
                        d0:b3:bf:77:ad:08:76:8a:a8:76:1e:77:96:04:13:
                        35:d4:b4:5f:9d:bb:c9:17:03:c5:97:79:44:fb:fa:
                        75:6c:1f:3e:35:3e:82:a5:90:e9:de:72:12:93:34:
                        d1:40:b0:4a:a0:a4:37:c1:49:61:8f:58:53:c9:e7:
                        22:f7:6e:92:81:c0:49:af:7f

                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Authority Key Identifier:
                    keyid:42:C8:26:F2:EC:EC:9B:05:6B:E8:D0:DF:4B:EA:DB:7F:0F:96:4E:29

                X509v3 Subject Key Identifier:
                    37:A8:2F:D6:2D:9B:47:4F:76:60:8E:13:8D:EC:9C:91:67:88:75:EB
        Signature Algorithm: md5WithRSAEncryption
            58:b4:f2:2f:de:62:ff:ad:4e:11:a5:d6:7f:d6:26:a3:95:60:
            bf:5d:0f:2f:44:95:bc:35:fd:10:00:50:d0:a6:7c:31:bd:7e:
            6a:55:36:ca:82:91:18:ca:2e:ca:64:0b:2b:ec:b1:9b:6f:48:
            44:94:3a:76:41:3a:51:15:15:8a:be:c2:7d:45:ac:7f:bc:3e:
            cc:b1:18:41:13:84:af:11:8e:91:c5:da:0b:41:12:ff:d1:15:
            5a:ca:75:87:df:55:f4:36:95:32:d4:80:64:f3:8a:8e:8d:a3:
            fd:84:40:ba:e0:16:79:39:67:49:a1:2f:5e:ae:0e:9a:bb:90:
            d3:c2

     

    You will notice that the public key is the client's, not the CA's, but the keyid (Authority Key Identifier) is the CA's.

    This means that the CA holding the key with this identifier signed the certificate.
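    The Python script below is an added example; it is not part of the original document and not Cisco's code. It takes the two certificates shown above (the CA certificate exported in 4.1 and the certificate granted in 4.2.2, both copied verbatim) and, with a minimal DER walker built from the standard library, mechanically checks what the text reads off the OpenSSL decodes: that the CA certificate's Authority Key Identifier equals its own Subject Key Identifier and that its signature verifies under its own public key (self-signed), and that the granted certificate carries the client's public key (modulus starting 00:9b:36:a0:44), the CA's key identifier in its AKI, and a signature that verifies with the CA's key. All function names (der_read, parse_cert, check_issuance, is_self_signed) are my own; the script assumes the signatures are standard PKCS#1 v1.5 md5WithRSAEncryption, as the decodes show.

```python
import base64, hashlib

# DER-encoded OIDs: subjectKeyIdentifier (2.5.29.14) and authorityKeyIdentifier (2.5.29.35).
OID_SKI, OID_AKI = bytes.fromhex("551d0e"), bytes.fromhex("551d23")
# PKCS#1 v1.5 DigestInfo prefix for MD5, matching the md5WithRSAEncryption this IOS CA used.
MD5_DIGEST_INFO = bytes.fromhex("3020300c06082a864886f70d020505000410")
# Certificates copied from the CLI transcripts in the document (exported CA cert, granted cert).
CA_CERT_B64 = """
MIICIzCCAYygAwIBAgIBATANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNjIxMDJaFw0xNDAxMzAx
NjIxMDJaMCUxDDAKBgNVBAsTA1RBQzEVMBMGA1UEAxMMQ0EuY2lzY28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFUCqbsLnXnRD2qT4YA+dTn9v0abU1
i0stbUhn3Dt5ssI75Ko6krX9MiXeGV6+z/DbU2PTVznerAt41VLjDOTpF7youqxH
Io39J6/EnsPUjgrjMGUBlUu+JEwnwObKyh/ZAN/1CENUpQQy4miF5raclBFzc9qX
6LKH43qGT/qG0wIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBhjAfBgNVHSMEGDAWgBRCyCby7OybBWvo0N9L6tt/D5ZOKTAdBgNVHQ4EFgQU
Qsgm8uzsmwVr6NDfS+rbfw+WTikwDQYJKoZIhvcNAQEEBQADgYEAAaCMCmKCIiUY
3tiav45B2ObCgv9J3y0KtzVs9mrPnO4dM89vF0KOcr2Kn8h9jFciNmSbH+ufv5CM
+3unQ3YqsM9WrthcYUfVgTGhZkq3KhISh1lYebjSynNAeJ2zh4Ft6HhC6Js8YYZG
8nKu29xEUZIkH/oolu8SuvN6MzdcsTk=
"""
ROUTER_CERT_B64 = """
MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
FTATBgNVBAMTDENBLmNpc2NvLmNvbTAeFw0xMTAxMzExNzQ2MzJaFw0xMjAxMzEx
NzQ2MzJaMFkxDDAKBgNVBAsTA1RBQzEZMBcGA1UEAxMQUGluZ2VyLmNpc2NvLmNv
bTEuMA0GA1UEBRMGMjczMjc4MB0GCSqGSIb3DQEJAhYQUElOR0VSLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmzagRN7nbmDJu+O8ipSIAxTl
aTeFc6cJMV1pB1V0fZE7pu1FVieDEtkzQKbS3OPTcj95ny8S9lweRsvQs793rQh2
iqh2HneWBBM11LRfnbvJFwPFl3lE+/p1bB8+NT6CpZDp3nISkzTRQLBKoKQ3wUlh
j1hTyeci926SgcBJr38CAwEAAaNSMFAwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQY
MBaAFELIJvLs7JsFa+jQ30vq238Plk4pMB0GA1UdDgQWBBQ3qC/WLZtHT3ZgjhON
7JyRZ4h16zANBgkqhkiG9w0BAQQFAAOBgQBYtPIv3mL/rU4RpdZ/1iajlWC/XQ8v
RJW8Nf0QAFDQpnwxvX5qVTbKgpEYyi7KZAsr7LGbb0hElDp2QTpRFRWKvsJ9Rax/
vD7MsRhBE4SvEY6RxdoLQRL/0RVaynWH31X0NpUy1IBk84qOjaP9hEC64BZ5OWdJ
oS9erg6au5DTwg==
"""

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split SEQUENCE/SET contents into (tag, contents, raw TLV bytes) tuples."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, end = der_read(contents, pos)
        out.append((tag, val, contents[pos:end]))
        pos = end
    return out

def parse_cert(b64):
    """Extract the fields needed to reason about who signed what (RFC 5280 layout)."""
    _, cert, _ = der_read(base64.b64decode("".join(b64.split())))
    tbs, _, sig_bits = der_children(cert)      # TBSCertificate, signatureAlgorithm, signatureValue
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                   # explicit [0] version (present for v3)
        fields = fields[1:]
    _, pub_bits = der_children(fields[5][1])   # subjectPublicKeyInfo: algorithm, BIT STRING
    n_int, e_int = der_children(der_read(pub_bits[1][1:])[1])   # RSAPublicKey { n, e }
    info = {"serial": int.from_bytes(fields[0][1], "big"),
            "issuer": fields[2][2], "subject": fields[4][2],   # raw Name DER, compared byte-wise
            "n": int.from_bytes(n_int[1], "big"), "e": int.from_bytes(e_int[1], "big"),
            "tbs": tbs[2], "sig": int.from_bytes(sig_bits[1][1:], "big"),
            "ski": None, "aki": None}
    for tag, val, _ in fields[6:]:
        if tag != 0xA3:                        # [3] extensions
            continue
        for _, ext, _ in der_children(der_read(val)[1]):
            items = der_children(ext)          # extnID, optional critical BOOLEAN, extnValue
            oid, extval = items[0][1], items[-1][1]
            if oid == OID_SKI:                 # OCTET STRING { OCTET STRING keyIdentifier }
                info["ski"] = der_read(extval)[1]
            elif oid == OID_AKI:               # OCTET STRING { SEQUENCE { [0] keyIdentifier } }
                info["aki"] = der_children(der_read(extval)[1])[0][1]
    return info

def rsa_md5_pkcs1_verify(tbs, sig, n, e):
    """Recover the PKCS#1 v1.5 block with the public key and compare it with MD5(TBSCertificate)."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    t = MD5_DIGEST_INFO + hashlib.md5(tbs).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def check_issuance(issuer, subject):
    """The three facts the document reads off the decoded certificates, checked mechanically."""
    return {"aki_matches_issuer_ski": subject["aki"] == issuer["ski"],
            "issuer_name_matches": subject["issuer"] == issuer["subject"],
            "signature_verifies": rsa_md5_pkcs1_verify(subject["tbs"], subject["sig"], issuer["n"], issuer["e"])}

def is_self_signed(cert):
    return all(check_issuance(cert, cert).values())   # its own AKI, name and key all check out

if __name__ == "__main__":
    ca, router = parse_cert(CA_CERT_B64), parse_cert(ROUTER_CERT_B64)
    print("CA self-signed:", is_self_signed(ca), "| router cert checks:", check_issuance(ca, router))
```

    Run it directly to print the results of the checks. The signature check is textbook RSA over the certificate's own bytes, so it works offline and ignores validity dates; current OpenSSL releases, by contrast, refuse MD5-signed certificates in "openssl verify" by default, which is one reason to treat this 2011-era setup as a lab exercise rather than a template.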

     

    4.2.3 Import the granted certificate:

    PINGER(config)#crypto pki import CISCO certificate

     

    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself

     

    MIICRjCCAa+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAlMQwwCgYDVQQLEwNUQUMx
    (....lines omitted....)
    oS9erg6au5DTwg==

     

    % Router Certificate successfully imported

     

    5. Verification.

     

    On PKI client.

     

    PINGER#sh crypto pki certificates
    Certificate
      Status: Available
      Certificate Serial Number: 0x2
      Certificate Usage: General Purpose
      Issuer:
        cn=CA.cisco.com
        ou=TAC
      Subject:
        Name: PINGER.cisco.com
        Serial Number: 273278
        serialNumber=273278+hostname=PINGER.cisco.com
        cn=Pinger.cisco.com
        ou=TAC
      Validity Date:
        start date: 17:46:32 CET Jan 31 2011
        end   date: 17:46:32 CET Jan 31 2012
      Associated Trustpoints: CISCO

    CA Certificate
      Status: Available
      Certificate Serial Number: 0x1
      Certificate Usage: Signature
      Issuer:
        cn=CA.cisco.com
        ou=TAC
      Subject:
        cn=CA.cisco.com
        ou=TAC
      Validity Date:
        start date: 16:21:02 CET Jan 31 2011
        end   date: 16:21:02 CET Jan 30 2014
      Associated Trustpoints: CISCO

     

    A trustpoint configured like this can be used to authenticate and validate incoming IPsec and SSL sessions.

    6. SCEP enrollment process

     

    Just so everyone can see how much faster and easier SCEP is, I'm going to enroll a spoke with SCEP.

    6.1 Preparation on IOS CA for quick deployment

    CA(config)#ip http server
    *Jan 31 18:48:49.314: %PKI-6-CS_ENABLED: Certificate server now enabled.
    CA(config)#exit

    CA# sh crypto pki server
    Certificate Server cisco:
        Status: enabled
        State: enabled
        Server's configuration is locked  (enter "shut" to unlock it)
        Issuer name: CN=CA.cisco.com,OU=TAC
        CA cert fingerprint: FB9ADAE5 23B823D4 8C029A58 3BBE7630
        Granting mode is: manual
        Last certificate issued serial number: 0x2
        CA certificate expiration timer: 16:21:02 CET Jan 30 2014
        CRL NextUpdate timer: 22:21:02 CET Jan 31 2011
        Current primary storage dir: nvram:
        Current storage dir for .p12 files: nvram:
        Database Level: Complete - all issued certs written as <serialnum>.cer

    Let's also make sure that certificates are granted automatically:

    CA(config)#crypto pki server cisco
    CA(cs-server)#shut
    Certificate server 'shut' event has been queued for processing.
    CA(cs-server)#grant auto
    CA(cs-server)#no shut
    Certificate server 'no shut' event has been queued for processing.
    *Jan 31 18:54:14.226: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.

     

     

    6.2 Let's enroll the spoke:

    Spoke config

    Spoke_895(config)#do sh run | s crypto pki
    crypto pki trustpoint cisco
    enrollment url http://10.34.10.1:80
    subject-name CN=Spoke.cisco.com,OU=TAC
    revocation-check crl
    source interface Ethernet1/0
    auto-enroll

     

    Let's see the process. Please note that all I needed to do was type "yes".

    Spoke_895(config)#crypto pki authenticate cisco
    Certificate has the following attributes:
           Fingerprint MD5: FB9ADAE5 23B823D4 8C029A58 3BBE7630
          Fingerprint SHA1: 1676B7A7 2D8D0662 BD485DDD E3545BC6 CE7865BD

    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    Spoke_895(config)#%
    % Start certificate enrollment ..

     

    % The subject name in the certificate will include: CN=Spoke.cisco.com,OU=TAC
    % The subject name in the certificate will include: Spoke_895.cisco.com
    % Certificate request sent to Certificate Authority
    % The 'show crypto ca certificate cisco verbose' commandwill show the fingerprint.

     

    *Jan 31 18:56:30.938: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
    Spoke_895(config)#
    *Jan 31 18:56:30.950: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 6BFE1B37 F3575C3A 178D1030 CA0390F9
    *Jan 31 18:56:30.950: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 39C3BCDC 426E0733 8316CAA2 E1F5446C EEE959D3
    Spoke_895(config)#
    *Jan 31 18:56:33.250: %PKI-6-CERTRET: Certificate received from Certificate Authority
    Spoke_895(config)#
    *Jan 31 18:56:33.250: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate

     

    DONE!

     

    6.3 SCEP enrollment verifications.

     

    Spoke_895#sh crypto pki certificates
    Certificate
      Status: Available
      Certificate Serial Number: 0x3
      Certificate Usage: General Purpose
      Issuer:
        cn=CA.cisco.com
        ou=TAC
      Subject:
        Name: Spoke_895.cisco.com
        hostname=Spoke_895.cisco.com
        cn=Spoke.cisco.com
        ou=TAC
      Validity Date:
        start date: 18:56:33 CET Jan 31 2011
        end   date: 18:56:33 CET Jan 31 2012
      Associated Trustpoints: cisco

    CA Certificate
      Status: Available
      Certificate Serial Number: 0x1
      Certificate Usage: Signature
      Issuer:
        cn=CA.cisco.com
        ou=TAC
      Subject:
        cn=CA.cisco.com
        ou=TAC
      Validity Date:
        start date: 16:21:02 CET Jan 31 2011
        end   date: 16:21:02 CET Jan 30 2014
      Associated Trustpoints: cisco


    You are now ready to establish VPN between Pinger and Spoke_895.

     

    7. Final configuration.


    7.1 CA configuration

    crypto pki server cisco
    database level complete
    issuer-name CN=CA.cisco.com,OU=TAC
    grant auto
    database url p12 nvram:

    no shut

     

    The following trustpoint is generated automatically.

    crypto pki trustpoint cisco
    revocation-check crl
    rsakeypair cisco

     

     

     

    7.2 Example spoke config

     

    SCEP

    crypto pki trustpoint cisco
    enrollment url http://10.34.10.1:80
    subject-name CN=Spoke.cisco.com,OU=TAC
    revocation-check crl
    source interface Ethernet1/0
    auto-enroll

    Non-SCEP

    crypto pki trustpoint CISCO
    enrollment terminal
    subject-name CN=Pinger.cisco.com,OU=TAC
    revocation-check crl

     

    8. Further reading.

    - Configuration guide - how to configure IOS CA.

    http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html

    - I used OpenSSL to decode parts of this document:

    http://www.openssl.org/

    - about PKI in general:

    http://en.wikipedia.org/wiki/Public_key_infrastructure

    - about SCEP:

    http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol

     

    9. Feedback

    If you have any feedback or suggestions - leave a comment.

    Version history: revision 2 of 2, last updated 08-29-2017 02:37 AM.
    Comments

    One of the best explanations I've found.. Bravo !!


    Thank you very much Marcin.  This greatly helped me get up to speed with IOS CA!


    awesome