Cisco IOS CA database url

IrinaFinogenova
Level 1

Hello, everyone!
I need a bit of help with the configuration of a Cisco router as a CA server. I'm trying to use only the router, without a TFTP server for my database, and I can't seem to get it to store the database in the location that I specify with the database url command. I've created a folder flash:/CA, and after I issue a no shut command and the certificates are created, they are stored directly in flash:. I even tried specifying the location for each file type, but the result always comes back the same.

Here's why I'm trying to use a subfolder:

"The Flash filesystem is inefficient enough that using a router’s internal Flash memory resources allocates a large volume of storage space for
small files. Testing has shown that creating a subdirectory in the Flash for CA Server database storage helps to address this issue to some
degree, especially if more than 15–20 files will be stored in Flash."

Source http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/public-key-infrastructure-pki/product_data_sheet0900aecd80313df0.pdf


And here's my config and show commands output:

34(config)#do dir flash:
Directory of flash:/

    1  -rw-    59490092  Jan 17 2014 16:30:34 +04:00  c2800nm-adventerprisek9-mz.124-24.T8.bin
    2  drw-           0   Oct 3 2014 18:41:12 +04:00  CA

64016384 bytes total (4521984 bytes free)
34(config)#  
34(config)#
34(config)#crypto pki server MY_CA
34(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
34(cs-server)#
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Oct  8 08:19:53.057: %SSH-5-ENABLED: SSH 1.99 has been enabled
34(cs-server)#% Exporting Certificate Server signing certificate and keys...

Oct  8 08:19:56.389: %PKI-6-CS_ENABLED: Certificate server now enabled.
34(cs-server)#do sh run | s crypto pki server
crypto pki server MY_CA
 database level names
 database archive pkcs12 password 7 121B0C1B105B33270B
 issuer-name CN=MY_CA,ou=LAB,c=ru
 grant auto
 hash sha512
 lifetime crl 24
 lifetime certificate 1 1
 lifetime ca-certificate 1 12
 auto-rollover 0 6
 database url flash:/CA
 database url cnm flash:/CA
 database url crl flash:/CA
 database url crt flash:/CA
 database url p12 flash:/CA
 database url pem flash:/CA
 database url ser flash:/CA
34(cs-server)#do sh crypto pki server
Certificate Server Sobin_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=MY_CA,ou=LAB,c=ru
    CA cert fingerprint: 206C137B 9D5F2B91 C557B08F 3453E5D2
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 00:19:53 MSK Oct 10 2014
    CRL NextUpdate timer: 12:19:54 MSK Oct 9 2014
    Current primary storage dir: flash:/CA
    Current storage dir for .cnm files: flash:/CA
    Current storage dir for .crl files: flash:/CA
    Current storage dir for .crt files: flash:/CA
    Current storage dir for .p12 files: flash:/CA
    Current storage dir for .pem files: flash:/CA
    Current storage dir for .ser files: flash:/CA
    Database Level: Names - subject name data written as <serialnum>.cnm
    Auto-Rollover configured, overlap period 0 days
    Autorollover timer: 18:19:53 MSK Oct 9 2014
34(cs-server)#do dir flash:
Directory of flash:/

    1  -rw-    59490092  Jan 17 2014 16:30:34 +04:00  c2800nm-adventerprisek9-mz.124-24.T8.bin
    2  drw-           0   Oct 3 2014 18:41:12 +04:00  CA
    7  -rw-          32   Oct 8 2014 12:19:54 +04:00  MY_CA.ser
    3  -rw-          81   Oct 8 2014 12:19:52 +04:00  1.cnm
    5  -rw-         247   Oct 8 2014 12:19:54 +04:00  MY_CA.crl
    6  -rw-        1635   Oct 8 2014 12:19:54 +04:00  MY_CA_00008.p12

64016384 bytes total (4505600 bytes free)
34(cs-server)#


What am I doing wrong?

3 Replies

johnlloyd_13
Level 9

Hi,

Have you tried using the command database url nvram:?

Please see the helpful link/steps from when I created a CA server on my IOS router:

http://wannabelab.blogspot.com/2014/05/configure-871w-for-certificate.html

Hello, John. Thanks for the link, but it's not exactly what I'm trying to do. From what I have read so far, I've learned that saving the database to nvram is not scalable (unless the minimal database level is chosen, as in your config), and placing your database in flash gives you the ability to move your database to another router.

IrinaFinogenova
Level 1

The solution was very simple:

when configuring the path to the location you just have to put another slash / after the name of the directory where you want to store the database and certificates.

 database url flash:/CA/

 crypto pki certificate storage flash:/CA/

And after you start your server the database files will be there where you expect them to be - in the folder CA.

Note that after you change the existing config you'll be issued a warning:

% Server database url was changed. You need to move the
% existing database to the new location.

So, you'll need to move the database files to the new location. But all the new certificates will be stored in the specified location.

34#dir flash:/CA
Directory of flash:/CA/

   37  -rw-          33  Dec 12 2014 16:05:46 +03:00  MY_CA.ser
   38  -rw-          79  Dec 12 2014 16:06:20 +03:00  1.cnm
   39  -rw-         513  Dec 12 2014 16:06:34 +03:00  MY_CA.crl
   40  -rw-         148  Dec 12 2014 16:06:46 +03:00  2.cnm
   41  -rw-        1627  Dec 12 2014 16:07:02 +03:00  MY_CA_00015.p12
   ...
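The original post shows the database url pointing at flash:/CA with every file landing in flash:/, and the solution post shows that the trailing slash (flash:/CA/) is what makes IOS use the directory. As an added example (not code from this thread or from Cisco), here is a small Python audit that reads a "show run | section crypto pki server" excerpt and flags database url and crypto pki certificate storage lines whose directory path lacks the trailing slash, suggesting the corrected value. The rule it applies (a directory path without a trailing slash ends up at the filesystem root) is taken from the behaviour reported in this thread and is an assumption, as is the constructed sample config it runs on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from a real router): a 'show run | section crypto pki server'
# excerpt in the shape seen in the thread, mixing slash-terminated and bare paths.
SAMPLE_CONFIG = """\
crypto pki server MY_CA
 database level names
 database url flash:/CA
 database url crl flash:/CA/
 database url p12 nvram:
crypto pki certificate storage flash:/CA
"""

SERVER_RE = re.compile(r"^\s*crypto pki server\s+(\S+)\s*$")
DB_URL_RE = re.compile(r"^\s*database url(?:\s+(cnm|crl|crt|p12|pem|ser))?\s+(\S+)\s*$")
CERT_STORAGE_RE = re.compile(r"^\s*crypto pki certificate storage\s+(\S+)\s*$")


def split_url(url: str) -> Tuple[str, str]:
    """Split an IOS file URL such as 'flash:/CA' into (filesystem, path)."""
    fs, sep, path = url.partition(":")
    if not sep:
        return ("", url)
    return (fs, path)


def needs_trailing_slash(url: str) -> bool:
    """True when the URL names a directory that does not end in '/'.

    Assumption taken from the thread: 'flash:/CA' lands files in flash:/,
    while 'flash:/CA/' lands them inside the CA directory. A bare filesystem
    ('flash:' or 'nvram:') has no directory component, so it is left alone.
    """
    _fs, path = split_url(url)
    return bool(path.strip("/")) and not path.endswith("/")


def audit_pki_storage(config: str) -> List[Dict[str, object]]:
    """Return one finding per storage line whose directory lacks the trailing slash."""
    findings: List[Dict[str, object]] = []
    server: Optional[str] = None
    for lineno, line in enumerate(config.splitlines(), 1):
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)  # remember which CA server the following lines belong to
            continue
        m = DB_URL_RE.match(line)
        if m:
            scope, url = m.group(1) or "all", m.group(2)
            if needs_trailing_slash(url):
                findings.append({"line": lineno, "server": server or "", "scope": scope,
                                 "url": url, "fix": url + "/"})
            continue
        m = CERT_STORAGE_RE.match(line)
        if m:
            url = m.group(1)
            if needs_trailing_slash(url):
                findings.append({"line": lineno, "server": "", "scope": "certificate storage",
                                 "url": url, "fix": url + "/"})
    return findings


if __name__ == "__main__":
    for f in audit_pki_storage(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['scope']} url {f['url']!r} -> use {f['fix']!r}")
```

Run against the sample above it reports the bare "database url flash:/CA" line and the "crypto pki certificate storage flash:/CA" line, and leaves the slash-terminated crl path and the nvram: entry alone. Feeding it the first post's configuration would flag all seven database url lines, which matches the dir flash: listing there.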