Solved: Client PKI trustpoint name?

fsebera · ‎10-26-2010

I have two lab routers R1 g0/0 connected directly to R2 g0/0.

I have IPsec with preshared keys configured and all is working well.

I just finished configuring R1 as the PKI CA server and created a better priority isakmp policy to be used when certificates are finally configured between R1 and R2.

My next task is to setup R1 also as a PKI client.

I ran crypto key generate rsa general-keys modulus 512 - all good, no problems yet.

Now I need to create a trustpoint for the CA server and this is my question -

What name can I use - meaning do I have to use the same name as the CA server [R1-CA] or any other ol name is fine?

My config for R1 below.

Thanks again - I will get this working soon - I hope!

Frank

R1#sh run
boot system flash:c2800nm-advsecurityk9-mz.151-2.T1.bin
!
clock timezone EST -5 0
clock summer-time EST recurring
!
ip source-route
!
ip cef
!
ip domain name TEST.LAB
ip host R1 192.168.1.1
ip host R2 192.168.1.2
!
crypto pki server R1-CA
database level complete
issuer-name cn=R1-CA OU=Point-to-point
database url pem flash:
crypto pki token default removal timeout 0
!
crypto pki trustpoint R1-CA
revocation-check crl
rsakeypair R1-CA
!
crypto pki certificate chain R1-CA
certificate ca 01
3Y82YA98 3Y82YA42 AYY3Y2YA Y2Y2YAYA 3YYDY6Y9 2A864886 F7YDYAYA Y4Y5YY3Y
223A2Y3Y AEY6Y355 Y4Y3A3A7 523A2D43 4A2Y4F55 3D5Y6F69 6E742D74 6F2D7Y6F
696E743Y AEA7YD3A 3Y3A3Y32 363A3335 3835325A A7YD3A33 3A3Y3235 3A333538
35325A3Y 223A2Y3Y AEY6Y355 Y4Y3A3A7 523A2D43 4A2Y4F55 3D5Y6F69 6E742D74
6F2D7Y6F 696E743Y 5C3YYDY6 Y92A8648 86F7YDYA YAYAY5YY Y34BYY3Y 48Y24AYY
B5467D77 A2FYA8A2 YC3ABAFY [Not the real key] 8976CBA5 C3522D4F E43629EY
YC9C5AB8 F397F99F 7E83AYA6 36A2A526 BF2B8552 4A9F4CC3 AAY6EY4F 4B6AE4AD
Y2Y3YAYY YAA3633Y 6A3YYFY6 Y355ADA3 YAYAFFY4 Y53YY3YA YAFF3YYE Y6Y355AD
YFYAYAFF Y4Y4Y3Y2 YA863YAF Y6Y355AD 23Y4A83Y A68YA4CE FCCC6448 DFF9B52A
6BC29CBD BF3DAA93 D6DBAA3Y ADY6Y355 ADYEY4A6 Y4A4CEFC CC6448DF F9B52A6B
C29CBDBF 3DAA93D6 DBAA3YYD Y6Y92A86 4886F7YD YAYAY4Y5 YYY34AYY 28A92EC2
AEBYE76D 9A5AA4D2 7529FAA4 B44CC6CB 8773E5EA 894A48E6 E6C6A3B4 598B8734
2A32F838 3424DY46 3C74BY6C AAAB8AFD 926YFCAA B5C87AA5 92BC4Y38
        quit
!
crypto isakmp policy 10
encr 3des
group 2
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 5
.
.
. bla bla bla

Yudong Wu · ‎10-26-2010

You should use the different name. The trustpoint with the same name is created by CA server automatically and you should not change it.

crypto pki server cisco1
database level complete
issuer-name CN=cisco1.cisco.com L=RTP C=US
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
cdp-url http://192.168.1.2/cisco1cdp.cisco1.crl
!
crypto pki trustpoint cisco1
revocation-check crl
rsakeypair cisco1
!
crypto pki trustpoint test <<<<<< This is trustpoint which is used for get cert from local CA server
enrollment url http://192.168.1.2:80
ip-address 192.168.1.2
revocation-check none

bhnd-7600#sh cry ca cert
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
    cn=cisco1.cisco.com L=RTP C=US
Subject:
    cn=cisco1.cisco.com L=RTP C=US
Validity Date:
    start date: 17:34:02 UTC Oct 26 2010
    end   date: 17:34:02 UTC Oct 26 2011
Associated Trustpoints: test cisco1

Certificate
Subject:
    Name: bhnd-7600.cisco.com
    IP Address: 192.168.1.2
   Status: Pending
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: 439016A1 EF93250E 5F870E5F 13DAADA3
   Certificate Request Fingerprint SHA1: 26CC73B3 8AECADD0 C5045B45 3BDC0A8F B636451E
   Associated Trustpoint: test

View solution in original post

Yudong Wu · ‎10-26-2010

You should use the different name. The trustpoint with the same name is created by CA server automatically and you should not change it.

crypto pki server cisco1
database level complete
issuer-name CN=cisco1.cisco.com L=RTP C=US
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
cdp-url http://192.168.1.2/cisco1cdp.cisco1.crl
!
crypto pki trustpoint cisco1
revocation-check crl
rsakeypair cisco1
!
crypto pki trustpoint test <<<<<< This is trustpoint which is used for get cert from local CA server
enrollment url http://192.168.1.2:80
ip-address 192.168.1.2
revocation-check none

bhnd-7600#sh cry ca cert
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
    cn=cisco1.cisco.com L=RTP C=US
Subject:
    cn=cisco1.cisco.com L=RTP C=US
Validity Date:
    start date: 17:34:02 UTC Oct 26 2010
    end   date: 17:34:02 UTC Oct 26 2011
Associated Trustpoints: test cisco1

Certificate
Subject:
    Name: bhnd-7600.cisco.com
    IP Address: 192.168.1.2
   Status: Pending
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: 439016A1 EF93250E 5F870E5F 13DAADA3
   Certificate Request Fingerprint SHA1: 26CC73B3 8AECADD0 C5045B45 3BDC0A8F B636451E
   Associated Trustpoint: test

fsebera · ‎10-26-2010

Thank you - ... and in fact when I tried to use the CA server trustpoint I received an error:

R1(config)#crypto pki trustpoint R1-CA
% You are not supposed to change the configuration of this
% trustpoint. It is being used by the IOS CA server.

As you pointed out, a new name is required

R1(config)#crypto pki trustpoint R1-peer

R1(ca-trustpoint)#enrollment url http://192.168.1.1:80

R1(ca-trustpoint)#auto-enroll 70

R1(ca-trustpoint)#exit

Thanks again

Frank