How to setup PKI CA Server and client "how to" document
After a long time, many documents and even more Internet searches, I have figured out how to set up a Cisco PKI CA server and clients.
I have this documented STEP-BY-STEP.
I start off with crypto pre-shared keys and then migrate to RSA signatures.
Before I waste your time posting it, I just wanted to ensure someone would find this useful.
If you would like this document, drop me a note here and I'll paste it in.
Thanks for all the help each of you has provided.
This is my attempt to give back!!!
This is the first page.
BTW, no charge.
OBJECTIVE: R1 as PKI CA Server and Client and R2 as PKI Client
This setup starts with two Cisco routers configured with pre-shared keys. The link is a single broadcast domain; no tunnels, telcos or Internet clouds are involved. Once communication is tested and verified with pre-shared keys, migration to PKI RSA signatures is provided.
Router-1 will be set up as a PKI CA server; the PKI CA server validates and grants certificates. Router-1 will also be set up as a PKI client and receives its certificates from the PKI CA server, which just happens to be the same physical router, Router-1. Router-2 is set up as a PKI client and receives its certificates from the PKI CA server, Router-1.
In case you haven't figured this out, there are only two routers and a single Cat-5 Ethernet cable involved here, and nothing else except IOS c2800nm-advsecurityk9-mz.151-2.T1.bin.
If you don't want to have an operational setup using pre-shared keys to validate configurations along the way, just skip to the "Configuring the PKI CA server" section and follow the step-by-step CLI directions and provided output.
If you want to run through the setup of a PKI client a second time, we clear Router-2 and start over with different values. This is demonstrated after the successful setup of the PKI CA server and PKI clients.
If you just want the quick list of CLI commands for setting up basic PKI between two Cisco routers, jump to the very end.
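The post above describes the objective but the step-by-step itself is not reproduced on this page. The following is an added IOS configuration sketch, written for this page and not taken from the original post, that covers the same topology: Router-1 runs the IOS certificate server and also enrolls with it, Router-2 enrolls as a client, and IKE authentication is switched from pre-shared keys to RSA signatures. Hostnames, the domain name lab.example, the addresses 10.1.1.1/10.1.1.2, the trustpoint and key labels, and the access list name VPN-TRAFFIC are assumed lab values; the SHA-256 options for the PKI server, IKE policy and transform set are assumed to be available on the 15.1(2)T image named above and can be dropped back to sha/esp-sha-hmac on older code.

```cisco
! ===== Router-1: IOS certificate server (assumed lab values) =====
hostname R1
ip domain-name lab.example
! The server uses the key pair whose label equals the server name;
! 'exportable' allows the CA key to be backed up off-box
crypto key generate rsa general-keys label LAB-CA exportable modulus 2048
! SCEP enrollment is served over HTTP, so the HTTP server must be enabled
ip http server
!
crypto pki server LAB-CA
 database level complete
 database url nvram:
 issuer-name CN=LAB-CA,O=LAB
 hash sha256
 lifetime ca-certificate 1825
 lifetime certificate 365
 ! 'grant auto' signs every request that reaches the server; acceptable
 ! on a closed two-router link, not on a reachable network (see note below)
 grant auto
 no shutdown
 ! 'no shutdown' prompts for a passphrase that protects the CA private key
!
! ===== Router-1 as a PKI client of its own CA =====
crypto pki trustpoint R1-TP
 enrollment url http://10.1.1.1:80
 subject-name CN=R1.lab.example,O=LAB
 revocation-check none
 rsakeypair R1-KEY 2048
!
crypto pki authenticate R1-TP
crypto pki enroll R1-TP
!
! ===== Router-2: PKI client (assumed lab values) =====
hostname R2
ip domain-name lab.example
crypto pki trustpoint LAB-CA
 enrollment url http://10.1.1.1:80
 subject-name CN=R2.lab.example,O=LAB
 revocation-check none
 rsakeypair R2-KEY 2048
!
! Verify the CA certificate fingerprint at the prompt before accepting it
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
! ===== Both routers: IKE/IPsec with RSA signatures =====
! Replace 'authentication pre-share' and the 'crypto isakmp key ...' line
! used in the pre-shared-key phase with the policy below
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set LAB-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map LAB-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set LAB-TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map LAB-MAP
!
! ===== Checks =====
! show crypto pki server            (CA state, issued certificate count)
! show crypto pki certificates      (router cert plus CA cert per trustpoint)
! show crypto isakmp sa             (QM_IDLE once IKE completes with rsa-sig)
! show crypto ipsec sa              (encaps/decaps counters increment)
```

Two points a practitioner should keep in mind. First, `grant auto` means anyone who can reach the HTTP enrollment URL gets a certificate signed by this CA; outside a closed lab, leave the default (manual granting) and approve pending requests on the server with `crypto pki server LAB-CA grant`, after reviewing them with `crypto pki server LAB-CA info requests`. Second, `revocation-check none` disables CRL checking, which is convenient for a two-router lab but should be replaced by `revocation-check crl` with a reachable `cdp-url` on the server whenever certificates might need to be revoked.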
Re: How to setup PKI CA Server and client "how to" document
It looks like people might benefit from this. I can't promise it will be the most read document on the forums, but it's definitely something others might use.
Before posting I'd strongly suggest making sure you utilize formatting and provide some structure.
In the case of a document like this I'd stick to the following structure (attached below); this is one of the templates we're encouraged to use.
If you have your observations or something you'd recommend (and why!), I'd leave it to a blog post.
This document provides a sample configuration for ... (this introduction should provide a description of the subject matter and any contextual information describing a real-world scenario in which this information might be used).
There are no specific requirements for this document.
Ensure that you meet these requirements before you attempt this configuration:
This section describes the information you need to configure the features described in this document.
This document uses this network setup:
This document uses these configurations:
Use this section to confirm that your configuration works properly.