Recent topic I've been dealing with is certificates. I'll assume here that everyone knows what a certificate and how PKI works.
This is useful for CCIE Security study.
First step is to setup a CA server.
And what's easier then setting it up on IOS router? Frankly many things ... so let's have a look on how it's done.
First of all generate RSA keys - I'd suggest to used named keys, general-purpose and exportable, usually over 1024 bytes (SSH v2 requires over 786 byte key size).
Let's do this:
--------------------------------------------------
Router>
Router>ena
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname CA
CA(config)#ip domain-name cisco.com
CA(config)#crypto key generate rsa modulus 1024 general-keys exportable label cisco
The name for the keys will be: cisco
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
CA(config)#
*Dec 26 19:17:22.167: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA(config)#cry key export rsa cisco pem url nvram: 3des cisco123
% Key name: cisco
Usage: General Purpose Key
Exporting public key...
Destination filename [cisco.pub]?
Writing file to nvram:cisco.pub
Exporting private key...
Destination filename [cisco.prv]?
Writing file to nvram:cisco.prv
--------------------------------------------------
We can finally get to setup the CA server. It's very easy to set is up.
Create PKI server, " no shut" it and enable http server:
--------------------------------------------------
CA(config)#cry pki server CA
CA(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
CA(cs-server)#exit
CA(config)#ip http server
*Dec 26 19:21:36.715: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA(config)#do sh cry pki server
Certificate Server CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA
CA cert fingerprint: 35035E5A 8C43B8EB 16A63A47 B65526F7
Granting mode is: manual
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:21:23 CET Dec 25 2012
CRL NextUpdate timer: 01:21:23 CET Dec 27 2009
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
--------------------------------------------------
From now on you can point anything SCEP capable to http://{IP_address_of_CA_router}:80.
But to o honest a CA server configured like this is not that functional. It will work, it has sane defaults, but it's best tweak it a bit. Here's a set I would recommend (for closed deployment, no access from outside).
--------------------------------------------------
crypto pki server CA
database level complete
database archive pem password 7 01100F175804575D72
issuer-name cn=CA.cisco.com,OU=LAB
grant auto rollover ca-cert
cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL
--------------------------------------------------
Why the interesting cdp url? Non-SCEP clients eager to get CRL.
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1193861
Note: you will need to do ctrl+v before putting in "?" sign in the URL.
Last step, how to configure SUB CA to this CA server?
--------------------------------------------------
crypto pki server SUBCA
database level complete
database archive pem password 7 045802150C2E1D1C5A
issuer-name cn=SUBCA1.cisco.com,ou=LAB
grant auto rollover ca-cert
mode sub-cs
shutdown
crypto pki trustpoint SUBCA
enrollment url http://10.0.0.1:80
revocation-check crl
--------------------------------------------------
Note: you should only unshut the subca once the enrollment url is specified.
The subca will automatically enroll to CA - depending on version you might need or not to grant the subca certificate on CA server.
Note: If you configured enrollment url under trustpoint it is expected that a query for SCEP capability will be done when a certificate is used. If this is not desired (issues with delays etc), you can change enrollment url to enrollment terminal to make sure this is not done.
1 comment:
Jammy Monkey Casino - jtmhub.com
Jammy 인천광역 출장안마 Monkey Casino. JAMMY MONOPOLY Casino has 여주 출장샵 the biggest and 문경 출장마사지 most attractive welcome bonus offers 익산 출장샵 and 서울특별 출장샵 offers in the world.
Post a Comment