Saturday, December 26, 2009


A recent topic I've been dealing with is certificates. I'll assume here that everyone knows what a certificate is and how PKI works.

This is useful for CCIE Security study.

The first step is to set up a CA server.

And what's easier than setting it up on an IOS router? Frankly, many things... so let's have a look at how it's done.

First of all, generate RSA keys. I'd suggest using named keys, general-purpose and exportable, usually over 1024 bytes (SSH v2 requires a key size over 786 bytes).

Let's do this:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname CA
CA(config)#ip domain-name
CA(config)#crypto key generate rsa modulus 1024 general-keys exportable label cisco
The name for the keys will be: cisco
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
*Dec 26 19:17:22.167: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA(config)#cry key export rsa cisco pem url nvram: 3des cisco123
% Key name: cisco
Usage: General Purpose Key
Exporting public key...
Destination filename []?
Writing file to
Exporting private key...
Destination filename [cisco.prv]?
Writing file to nvram:cisco.prv

We can finally get to setting up the CA server. It's very easy to set it up.
Create the PKI server, "no shut" it and enable the HTTP server:
CA(config)#cry pki server CA
CA(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
CA(config)#ip http server
*Dec 26 19:21:36.715: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA(config)#do sh cry pki server
Certificate Server CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA
CA cert fingerprint: 35035E5A 8C43B8EB 16A63A47 B65526F7
Granting mode is: manual
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:21:23 CET Dec 25 2012
CRL NextUpdate timer: 01:21:23 CET Dec 27 2009
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage

From now on you can point anything SCEP capable to http://{IP_address_of_CA_router}:80.

But to be honest, a CA server configured like this is not that functional. It will work, and it has sane defaults, but it's best to tweak it a bit. Here's the set of settings I would recommend (for a closed deployment, with no access from outside).
crypto pki server CA
database level complete
database archive pem password 7 01100F175804575D72
grant auto rollover ca-cert
cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL
Why the unusual cdp-url? So that non-SCEP clients eager to get the CRL can fetch it over plain HTTP.

Note: you will need to press ctrl+v before typing the "?" sign in the URL, otherwise IOS treats it as a request for help.
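As an added check (my own script, not part of the original post), this parses the "show crypto pki server" output shown above and flags the defaults that the recommended settings change; the sample is the post's own transcript, and the timers are read as router-local time with the timezone token ignored.

```python
"""Audit 'show crypto pki server' output for the tweaks the post recommends.
Added example, not code from the original post; SAMPLE is the post's own
'do sh cry pki server' transcript, and timers are read as router-local time."""
import re
from datetime import datetime, timedelta

SAMPLE = """Certificate Server CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA
CA cert fingerprint: 35035E5A 8C43B8EB 16A63A47 B65526F7
Granting mode is: manual
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:21:23 CET Dec 25 2012
CRL NextUpdate timer: 01:21:23 CET Dec 27 2009
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
"""

def parse_server_status(text):
    """Map each 'Key: value' line to a lower-cased key; 'Granting mode is:' -> 'granting mode'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+?)(?: is)?:\s*(.*)$", line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def parse_ios_time(value):
    """'01:21:23 CET Dec 27 2009' -> naive datetime (timezone token dropped)."""
    m = re.match(r"(\d\d:\d\d:\d\d) \S+ (\w{3} +\d{1,2} \d{4})", value)
    return datetime.strptime(m.group(1) + " " + m.group(2), "%H:%M:%S %b %d %Y") if m else None

def fingerprint_hex(fields):
    """CA fingerprint as one hex string, to compare with a copy obtained out of band."""
    return fields.get("ca cert fingerprint", "").replace(" ", "").upper()

def audit(fields, now):
    """Findings against the recommended settings; 'now' may be an IOS-style timer string."""
    now = parse_ios_time(now) if isinstance(now, str) else now
    findings = []
    if fields.get("database level", "").lower().startswith("minimum"):
        findings.append("database level minimum: no cert data stored; use 'database level complete'")
    if fields.get("granting mode") == "manual":
        findings.append("granting mode manual: enrollment requests wait until granted on the CA")
    crl = parse_ios_time(fields.get("crl nextupdate timer", ""))
    if crl and crl - now < timedelta(hours=24):
        findings.append("CRL NextUpdate %s: CRL clients need a fresh CRL from the cdp-url after that" % crl)
    return findings
```

Compare the fingerprint it prints with one obtained out of band before pointing any SCEP client at the CA.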

Last step: how do you configure a sub-CA to this CA server?
crypto pki server SUBCA
database level complete
database archive pem password 7 045802150C2E1D1C5A
grant auto rollover ca-cert
mode sub-cs
crypto pki trustpoint SUBCA
enrollment url
revocation-check crl
Note: you should only unshut the sub-CA once the enrollment url is specified.
The sub-CA will automatically enroll to the CA; depending on the version, you may or may not need to grant the sub-CA certificate on the CA server.

Note: if you configured an enrollment url under the trustpoint, a query for SCEP capabilities is expected whenever a certificate is used. If this is not desired (issues with delays, etc.), you can change enrollment url to enrollment terminal to make sure this is not done.
