Hello, everyone! I need a bit of help with the configuration of a Cisco router as a CA server. I'm trying to use only the router, without a TFTP server for my database, and I can't seem to get it to store the database in the location that I specify with the database url command. I've created a folder flash:/CA, and after I issue a no shut command and the certificates are created, they are stored directly in flash:. I even tried specifying the location for each file type, but the result always comes back the same.
Here's why I'm trying to use a subfolder:
"The Flash filesystem is inefficient enough that using a router’s internal Flash memory resources allocates a large volume of storage space for small files. Testing has shown that creating a subdirectory in the Flash for CA Server database storage helps to address this issue to some degree, especially if more than 15–20 files will be stored in Flash."
1 -rw- 59490092 Jan 17 2014 16:30:34 +04:00 c2800nm-adventerprisek9-mz.124-24.T8.bin
2 drw- 0 Oct 3 2014 18:41:12 +04:00 CA

64016384 bytes total (4521984 bytes free)
34(config)#
34(config)#
34(config)#crypto pki server MY_CA
34(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
34(cs-server)#
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Oct 8 08:19:53.057: %SSH-5-ENABLED: SSH 1.99 has been enabled
34(cs-server)#% Exporting Certificate Server signing certificate and keys...
Oct 8 08:19:56.389: %PKI-6-CS_ENABLED: Certificate server now enabled.
34(cs-server)#do sh run | s crypto pki server
crypto pki server MY_CA
 database level names
 database archive pkcs12 password 7 121B0C1B105B33270B
 issuer-name CN=MY_CA,ou=LAB,c=ru
 grant auto
 hash sha512
 lifetime crl 24
 lifetime certificate 1 1
 lifetime ca-certificate 1 12
 auto-rollover 0 6
 database url flash:/CA
 database url cnm flash:/CA
 database url crl flash:/CA
 database url crt flash:/CA
 database url p12 flash:/CA
 database url pem flash:/CA
 database url ser flash:/CA
34(cs-server)#do sh crypto pki server
Certificate Server Sobin_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=MY_CA,ou=LAB,c=ru
    CA cert fingerprint: 206C137B 9D5F2B91 C557B08F 3453E5D2
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 00:19:53 MSK Oct 10 2014
    CRL NextUpdate timer: 12:19:54 MSK Oct 9 2014
    Current primary storage dir: flash:/CA
    Current storage dir for .cnm files: flash:/CA
    Current storage dir for .crl files: flash:/CA
    Current storage dir for .crt files: flash:/CA
    Current storage dir for .p12 files: flash:/CA
    Current storage dir for .pem files: flash:/CA
    Current storage dir for .ser files: flash:/CA
    Database Level: Names - subject name data written as <serialnum>.cnm
    Auto-Rollover configured, overlap period 0 days
    Autorollover timer: 18:19:53 MSK Oct 9 2014
34(cs-server)#do dir flash:
Directory of flash:/

1 -rw- 59490092 Jan 17 2014 16:30:34 +04:00 c2800nm-adventerprisek9-mz.124-24.T8.bin
2 drw- 0 Oct 3 2014 18:41:12 +04:00 CA
7 -rw- 32 Oct 8 2014 12:19:54 +04:00 MY_CA.ser
3 -rw- 81 Oct 8 2014 12:19:52 +04:00 1.cnm
5 -rw- 247 Oct 8 2014 12:19:54 +04:00 MY_CA.crl
6 -rw- 1635 Oct 8 2014 12:19:54 +04:00 MY_CA_00008.p12

64016384 bytes total (4505600 bytes free)
34(cs-server)#
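The mismatch in the post above (the server reports flash:/CA for every file type, yet the .ser, .cnm, .crl and .p12 files appear in the root of flash:) is easy to miss by eye once a CA has issued a few dozen certificates. The following Python script is an added audit helper, not code from the original post or from Cisco: it parses the text of `show crypto pki server` and `dir flash:` as pasted from the router and lists every CA database file that sits in the listed directory although the server reports a different storage directory for that extension. The sample output embedded below is adapted from the thread; the regular expressions are assumptions about the IOS output layout and should be adjusted if your platform prints the listing differently.

```python
"""Audit helper: check that a Cisco IOS CA server's database files really
live in the storage directories the server reports.

Inputs are the plain text of `show crypto pki server` and `dir <fs>:`
copied from the router. The samples below are adapted from the thread;
the parsing rules are assumptions about the IOS output format.
"""
import re

# Sample `show crypto pki server` output (adapted from the thread)
SHOW_CS = """
Certificate Server MY_CA:
    Status: enabled
    Current primary storage dir: flash:/CA
    Current storage dir for .cnm files: flash:/CA
    Current storage dir for .crl files: flash:/CA
    Current storage dir for .crt files: flash:/CA
    Current storage dir for .p12 files: flash:/CA
    Current storage dir for .pem files: flash:/CA
    Current storage dir for .ser files: flash:/CA
"""

# Sample `dir flash:` output (adapted from the thread)
DIR_FLASH = """
Directory of flash:/

    1  -rw-    59490092  Jan 17 2014 16:30:34 +04:00  c2800nm-adventerprisek9-mz.124-24.T8.bin
    2  drw-           0   Oct 3 2014 18:41:12 +04:00  CA
    7  -rw-          32   Oct 8 2014 12:19:54 +04:00  MY_CA.ser
    3  -rw-          81   Oct 8 2014 12:19:52 +04:00  1.cnm
    5  -rw-         247   Oct 8 2014 12:19:54 +04:00  MY_CA.crl
    6  -rw-        1635   Oct 8 2014 12:19:54 +04:00  MY_CA_00008.p12

64016384 bytes total (4505600 bytes free)
"""

# File types the IOS CA server writes to its database (per the thread's config)
DB_EXTENSIONS = (".cnm", ".crl", ".crt", ".p12", ".pem", ".ser")

# "Current primary storage dir: X" or "Current storage dir for .ext files: X"
STORAGE_RE = re.compile(
    r"Current (?:primary storage dir|storage dir for (\.\w+) files):\s*(\S+)"
)
DIR_HEADER_RE = re.compile(r"Directory of (\S+)")
# index, permissions, size, timestamp (lazy), then the file name as last token
DIR_ENTRY_RE = re.compile(r"^\s*\d+\s+([-d]rw-)\s+\d+\s+.+?\s+(\S+)\s*$")


def parse_storage_dirs(show_output):
    """Return {extension: dir} from `show crypto pki server`.

    The primary storage dir is stored under the key '*' and used as the
    fallback for extensions without an explicit per-type directory.
    """
    dirs = {}
    for m in STORAGE_RE.finditer(show_output):
        ext, path = m.group(1), m.group(2).rstrip("/")
        dirs[ext or "*"] = path
    return dirs


def parse_dir_listing(dir_output):
    """Return (listed_path, [file names]) from `dir` output; subdirectories are skipped."""
    listed, files = None, []
    for line in dir_output.splitlines():
        header = DIR_HEADER_RE.search(line)
        if header:
            listed = header.group(1).rstrip("/")
            continue
        entry = DIR_ENTRY_RE.match(line)
        if entry and not entry.group(1).startswith("d"):
            files.append(entry.group(2))
    return listed, files


def find_misplaced(show_output, dir_output):
    """Return [(file name, expected dir)] for CA database files found in the
    listed directory although the server reports a different storage dir."""
    dirs = parse_storage_dirs(show_output)
    listed, files = parse_dir_listing(dir_output)
    misplaced = []
    for name in files:
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in DB_EXTENSIONS:
            continue  # IOS image, configs, etc. are not CA database files
        expected = dirs.get(ext, dirs.get("*"))
        if expected is not None and expected != listed:
            misplaced.append((name, expected))
    return misplaced


if __name__ == "__main__":
    for name, expected in find_misplaced(SHOW_CS, DIR_FLASH):
        print(f"{name}: found in listed directory, server reports {expected}")
```

Run against the thread's output it flags all four database files; run against a `dir flash:/CA` listing that actually contains them it reports nothing, which is the state the poster is trying to reach.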
Hello, John. Thanks for the link, but it's not exactly what I'm trying to do. From what I have read so far I've learned that saving the database to NVRAM is not scalable (unless a minimal database level is chosen, as in your config), and placing your database in flash gives you the ability to move your database to another router.