{"id":110,"date":"2015-04-29T09:28:29","date_gmt":"2015-04-29T09:28:29","guid":{"rendered":"http:\/\/www.balajibandi.com\/blog\/?p=110"},"modified":"2022-05-28T20:29:56","modified_gmt":"2022-05-28T19:29:56","slug":"cisco-ios-certificate-server-set-up-and-client-enrolment-gns3-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=110","title":{"rendered":"Cisco IOS Certificate Server set-up and client enrolment."},"content":{"rendered":"<p>A quick step-by-step overview of how to configure the certificate server on a Cisco IOS device.<\/p>\n<p>The certificate server functionality was added in version 12.3(4). It is only available in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups.<\/p>\n<p>These are the seven basic steps that are needed to configure a fictional root certificate server on the CA IOS device shown in the topology below.<\/p>\n<h3>Certificate Server<\/h3>\n<table border=\"0\" frame=\"VOID\" rules=\"NONE\" cellspacing=\"0\">\n<colgroup>\n<col width=\"86\" \/>\n<col width=\"336\" \/><\/colgroup>\n<tbody>\n<tr>\n<td align=\"CENTER\" width=\"86\" height=\"17\"><strong>Step<\/strong><\/td>\n<td align=\"LEFT\" width=\"336\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">1<\/td>\n<td align=\"LEFT\">RSA key pair<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">2<\/td>\n<td align=\"LEFT\">PKI Trustpoint<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">3<\/td>\n<td align=\"LEFT\">Certificate Server<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">4<\/td>\n<td align=\"LEFT\">Issuing Policy<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">5<\/td>\n<td align=\"LEFT\">CRL<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">6<\/td>\n<td align=\"LEFT\">SCEP<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">7<\/td>\n<td align=\"LEFT\">Enable the Certificate 
server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>1. RSA Key Pair<\/strong> \u2013 The first step is to generate a private\/public key pair on the CA router. The private key will be used to sign \u201cuser\u201d certificates and the public key will be distributed and used to verify certificates. In the example below our keys are labeled CA-Key.<\/p>\n<pre>CA#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nCA(config)#crypto key generate rsa usage-keys label CA-Key modulus 2048 exportable\nThe name for the keys will be: CA-Key\n\n% The key modulus size is 2048 bits\n% Generating 2048 bit RSA keys, keys will be exportable...[OK]\n% Generating 2048 bit RSA keys, keys will be exportable...[OK]<\/pre>\n<p><strong>2. PKI Trustpoint<\/strong> \u2013 The trustpoint configures what key pair will be used within the certificate server.<\/p>\n<pre>CA(config)#crypto pki trustpoint CA-Server\nCA(ca-trustpoint)#rsakeypair CA-Key<\/pre>\n<p><strong>3. Certificate Server<\/strong> \u2013 Now we create and configure the actual certificate server. We configure it using the same name as the trustpoint from step 2. Then we configure a local location for the database (this can be remote) and set the database storage level to complete. Finally, we configure the X.500 name information using the X.500 distinguished name (DN) format.<\/p>\n<pre>CA#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nCA(config)#crypto pki server CA-Server\nCA(cs-server)#database url flash:\/CA-Server\nCA(cs-server)#database level ?\n  complete  Each issued certificate is saved to the database\n  minimum   Minimum certificate info is saved to the database\n  names     Certificate serial-number &amp; subject name is saved to the database\n\nCA(cs-server)#database level complete\nCA(cs-server)#issuer-name C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN<\/pre>\n<p><strong>4. 
Issuing Policy<\/strong> \u2013 We can either manually grant all certificate requests or automatically grant all requests. We will configure a password to provide some additional authentication when users try to enroll. First, we configure SHA-1 as the hash algorithm used to sign the certificates (MD5 is the default). We configure the lifetime of the certificate server&#8217;s signing certificate (5 years); when this expires, all issued certificates are invalidated and users will have to re-enroll. Then we configure the lifetime of client-issued certificates, after which clients will have to re-enroll. Both lifetimes are counted in days.<\/p>\n<pre>CA#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nCA(config)#crypto pki server CA-Server\nCA(cs-server)#hash sha1\nCA(cs-server)#lifetime ca-certificate 1825\nCA(cs-server)#lifetime certificate 730\nCA(cs-server)#no grant auto<\/pre>\n<p><strong>5. CRL<\/strong> \u2013 Now we define the revocation policy used to create and maintain the Certificate Revocation List (CRL). In this example, we configure the CRL to only be valid for an hour (the minimum) and publish the CRL on the router itself using the <code>cdp-url http:\/\/MYROUTERIP\/cgi-bin\/pkiclient.exe?operation=GetCRL<\/code> command. <strong>Note \u2013<\/strong> to enter the \u201c?\u201d you may need to press \u201cCtrl+V\u201d before typing it, otherwise IOS treats it as a request for context help and drops it from the URL!<\/p>\n<pre>CA#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nCA(config)#crypto pki server CA-Server\nCA(cs-server)#lifetime crl 1\nCA(cs-server)#cdp-url http:\/\/1.1.1.1\/cgi-bin\/pkiclient.exe?operation=GetCRL<\/pre>\n<p><strong>6. SCEP<\/strong> \u2013 To ease admin burden and provide scalability we \u201cconfigure\u201d the use of Simple Certificate Enrollment Protocol (SCEP). This is done by enabling the IOS HTTP server.<\/p>\n<pre>CA#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nCA(config)#ip http server<\/pre>\n<p><strong>7. 
Enable Certificate server<\/strong> \u2013 Finally, we enable the certificate server now that all the prerequisites have been configured. First we must ensure that the time on the Certificate Server is correct! In this example we configure the CA router as an NTP master, then enable the server. Well-configured and synchronized time on all devices is very important in a PKI environment!<\/p>\n<pre>CA(config)#clock timezone GMT 0 0\nCA(config)#ntp master\nCA(config)#crypto pki server CA-Server\nCA(cs-server)#no shutdown\n%Some server settings cannot be changed after CA certificate generation.\n% Please enter a passphrase to protect the private key\n% or type Return to exit\nPassword:\n% Password must be more than 7 characters. Try again\n% or type Return to exit\nPassword:\n\nRe-enter password:\n\n%Some server settings cannot be changed after CA certificate generation.\n% Exporting Certificate Server signing certificate and keys...\n\n% Certificate Server enabled.<\/pre>\n<p>Now the Certificate server is configured and running. We can validate this with the <code>show crypto pki server<\/code> command.<\/p>\n<pre>CA#show crypto pki server\nCertificate Server CA-Server:\n    Status: enabled\n    Server's configuration is locked  (enter \"shut\" to unlock it)\n    Issuer name: C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN\n    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2\n    Granting mode is: manual\n    Last certificate issued serial number: 0x1\n    CA certificate expiration timer: 02:27:25 GMT Feb 28 2007\n    CRL NextUpdate timer: 03:27:25 GMT Mar 1 2002\n    Current storage dir: flash:\/CA-Server\n    Database Level: Complete - all issued certs written as &lt;serialnum&gt;.cer\nCA#<\/pre>\n<p>Note that any further changes will require the certificate server to be shut down, as the configuration is locked while it is enabled.<\/p>\n<h3>Client\u00a0Enrolment<\/h3>\n<table border=\"0\" frame=\"VOID\" rules=\"NONE\" cellspacing=\"0\">\n<colgroup>\n<col width=\"86\" \/>\n<col 
width=\"252\" \/><\/colgroup>\n<tbody>\n<tr>\n<td align=\"CENTER\" width=\"86\" height=\"17\"><strong>Step<\/strong><\/td>\n<td align=\"LEFT\" width=\"252\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">1<\/td>\n<td align=\"LEFT\">RSA key pair<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">2<\/td>\n<td align=\"LEFT\">PKI Trustpoint \/ SCEP<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">3<\/td>\n<td align=\"LEFT\">CA certificate installation<\/td>\n<\/tr>\n<tr>\n<td align=\"CENTER\" height=\"17\">4<\/td>\n<td align=\"LEFT\">Erollment Request<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>1. RSA key pair<\/strong> \u2013 Much the same as on the CA router generate a public\/private key pair.<\/p>\n<pre>VPN_Guy#conf t\nEnter configuration commands, one per line.  End with CNTL\/Z.\nVPN_Guy(config)#crypto key generate rsa general-keys label VPN-Key modulus 2048 exportable\nThe name for the keys will be: VPN-Key\n\n% The key modulus size is 2048 bits\n% Generating 2048 bit RSA keys, keys will be exportable...[OK]\n\n*Mar  1 04:34:57.814: %SSH-5-ENABLED: SSH 1.99 has been enabled<\/pre>\n<p><strong>2. PKI Trustpoint \/ SCEP<\/strong> \u2013 Now we need to configure the trustpoint to tell the client how we would like it to enrol.<\/p>\n<pre>VPN_Guy(config)#crypto pki trustpoint CA-Server\nVPN_Guy(ca-trustpoint)#enrollment url http:\/\/1.1.1.1\nVPN_Guy(ca-trustpoint)#revocation-check crl\nVPN_Guy(ca-trustpoint)#fqdn VPN_Guy.m00nie.com\nVPN_Guy(ca-trustpoint)#subject-name CN=VPN_Guy,OU=X.509,O=m00nieCo,C=UK\nVPN_Guy(ca-trustpoint)#rsakeypair VPN-Key<\/pre>\n<p><strong>3. 
CA certificate<\/strong> \u2013 Now we need to install the CA server certificate (and verify it).<\/p>\n<pre>VPN_Guy(config)#crypto pki authenticate CA-Server\nCertificate has the following attributes:\n       Fingerprint MD5: 042C977E 813C0A67 87D794DF C16B10C2\n      Fingerprint SHA1: 8B182326 5FD01A2A 67572725 D3667D64 73FE9D30\n\n% Do you accept this certificate? [yes\/no]: yes\nTrustpoint CA certificate accepted.<\/pre>\n<p>Verify the fingerprint against the output of <code>show crypto pki server<\/code> on the Certificate server before accepting it.<\/p>\n<pre>CA#show crypto pki server\n ..\n    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2\n..<\/pre>\n<p><strong>4. Enrolment request<\/strong> \u2013 Now we simply enrol with the certificate server.<\/p>\n<pre>VPN_Guy(config)#crypto pki enroll CA-Server<\/pre>\n<p>Then on the CA router:<\/p>\n<pre>CA#crypto pki server CA-Server info requests\nEnrollment Request Database:\n\nSubordinate CA certificate requests:\nReqID  State      Fingerprint                      SubjectName\n--------------------------------------------------------------\n\nRA certificate requests:\nReqID  State      Fingerprint                      SubjectName\n--------------------------------------------------------------\n\nRouter certificates requests:\nReqID  State      Fingerprint                      SubjectName\n--------------------------------------------------------------\n1      granted    BE142DCED9C067269D1F4E740C34B77F hostname=VPN_Guy.m00nie.com,cn=VPN_Guy,ou=X.509,o=m00nieCo,c=UK<\/pre>\n<p>And grant the request with the command <code>crypto pki server CA-Server grant 1<\/code>.<\/p>\n<p>Now we can confirm that the VPN_Guy router has the signed certificate returned from the Certificate server.<\/p>\n<pre>VPN_Guy#show crypt pk certificates\nCertificate\n  Status: Available\n  Certificate Serial Number: 02\n  Certificate Usage: General Purpose\n  Issuer:\n    c=UK\n    l=m00nietown\n    o=m00nieCo\n    ou=x.509 
certs\n    cn=m00nie.com VPN\n  Subject:\n    Name: VPN_Guy.m00nie.com\n    hostname=VPN_Guy.m00nie.com\n    cn=VPN_Guy\n    ou=X.509\n    o=m00nieCo\n    c=UK\n  CRL Distribution Points:\n    http:\/\/1.1.1.1\/cgi-bin\/pkiclient.exeoperation=GetCRL\n  Validity Date:\n    start date: 00:19:30 UTC Mar 1 2002\n    end   date: 00:19:30 UTC Feb 29 2004\n  Associated Trustpoints: CA-Server\n\nCA Certificate\n  Status: Available\n  Certificate Serial Number: 01\n  Certificate Usage: Signature\n  Issuer:\n    c=UK\n    l=m00nietown\n    o=m00nieCo\n    ou=x.509 certs\n    cn=m00nie.com VPN\n  Subject:\n    c=UK\n    l=m00nietown\n    o=m00nieCo\n    ou=x.509 certs\n    cn=m00nie.com VPN\n  Validity Date:\n    start date: 00:05:27 UTC Mar 1 2002\n    end   date: 00:05:27 UTC Feb 28 2007\n  Associated Trustpoints: CA-Server<\/pre>\n<p>Now we have a signed certificate installed and ready to use!<\/p>\n<p>One thing to check in the output above: the CRL Distribution Point reads <code>pkiclient.exeoperation=GetCRL<\/code> with no \u201c?\u201d before <code>operation<\/code>, which is exactly what happens when the <code>cdp-url<\/code> in step 5 of the CA set-up is typed without Ctrl+V. A client configured with <code>revocation-check crl<\/code> will not be able to retrieve the CRL from that URL, so correct the <code>cdp-url<\/code> (shut the server, fix it, no shut) and re-enrol before relying on revocation checking.<\/p>\n<p>Happy Labbing!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A quick step-by-step overview of how to configure the certificate server on a Cisco IOS device. The certificate server functionality was added in version 12.3(4). It is only available in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups. 
These are the seven basic steps that are needed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-110","post","type-post","status-publish","format-standard","hentry","category-cisco","category-gns"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=110"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":1589,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/110\/revisions\/1589"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}