Guest

Cisco IOS Software Releases 12.4 Mainline

Backup and Restore an IOS CA Server Configuration Example

Cisco - Backup and Restore an IOS CA Server Configuration Example

Document ID: 82153

Updated: Mar 06, 2007

   Print

Introduction

This document describes how to backup and restore an IOS® Certificate Authority (CA) server for Cisco IOS software.

Refer to Configure and Enroll a Cisco VPN 3000 Concentrator to a Cisco IOS Router as a CA Server in order to learn more about how to configure a Cisco IOS router as a CA server.

Prerequisites

Requirements

Plan Your PKI Before You Configure the Certificate Server

Before you configure a Cisco IOS certificate server, it is important that you have planned for and chosen appropriate values for the settings you intend to use within your PKI (such as certificate lifetimes and certificate revocation list (CRL) lifetimes). After the settings are configured in the certificate server and certificates are granted, settings cannot be changed without having to reconfigure the certificate server and re-enrolling the peers. For information on certificate server default settings and recommended settings, refer to Certificate Server Default Values and Recommended Values.

Enable the HTTP Server

The certificate server supports Simple Certificate Enrollment Protocol (SCEP) over HTTP. The HTTP server must be enabled on the router for the certificate server to use SCEP. (In order to enable the HTTP server, use the ip http server command.) The certificate server automatically enables or disables SCEP services after the HTTP server is enabled or disabled. If the HTTP server is not enabled, only manual PKCS10 enrollment is supported.

Reliable Time Services

Time services must be running on the router because the certificate server must have reliable time knowledge. If a hardware clock is unavailable, the certificate server depends on manually configured clock settings, such as Network Time Protocol (NTP). Refer to the Setting Time and Calendar Services section of the Cisco IOS Configuration Fundamentals Configuration Guide for more information on NTP. If there is not a hardware clock or the clock is invalid, this message displays at bootup:

% Time has not been set. Cannot start the Certificate server.

After the clock is set, the certificate server automatically switches to running status.

Components Used

The information in this document is based on the Cisco 3600 Router with Cisco IOS Software Release 12.4(8).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Backup the IOS CA Server

At initial certificate server setup, you can enable the CA certificate and the CA key to be automatically archived so that they can be restored later if either the original copy or the original configuration is lost.

When the certificate server is turned on the first time, the CA certificate and CA key are generated. If automatic archive is also enabled, the CA certificate and the CA key is exported (archived) to the server database. The archive can be in PKCS12 or privacy-enhanced mail (PEM) format.

Note: 

  • This CA key backup file is extremely important and should be moved immediately to another secured place.

  • This archiving action occurs only one time. Only the CA key that is manually generated and marked exportable or automatically generated by the certificate server is archived (this key is marked non-exportable).

  • Auto-archival does not occur if you generate the CA key manually and mark it "non-exportable."

  • In addition to the CA certificate and CA key archive file, you should also regularly back up the serial file (.ser) and the CRL file (.crl). The serial file and the CRL file are both critical for CA operation if you need to restore your certificate server.

Note: It is not possible to manually back up a server that uses non-exportable RSA keys or manually generated non-exportable RSA keys. Although automatically generated RSA keys are marked as non-exportable, they are automatically archived once.

Example:

  • PEM Format—Create the CA and backup the files from non-volatile RAM (NVRAM) (to the TFTP server in this case):

    
    !--- Create a server named CA.
    
    Router(config)#crypto pki server CA
    
    !--- Archive in the PEM format with the encryption key as cisco123.
    
    Router(cs-server)#database archive pem password cisco123
    
    !--- Lifetime of the certificates issued by this certificate server in days.
    
    Router(cs-server)#lifetime certificate 1095
    
    !--- Lifetime of the certificate server signing certificate in days.
    
    Router(cs-server)#lifetime ca-certificate 1825
    
    !--- Lifetime of the CRLs published by this certificate server in hours.
    
    Router(cs-server)#lifetime crl 24
    Router(cs-server)#no shutdown
    
    %Some server settings cannot be changed after CA certificate generation.
    % Generating 1024 bit RSA keys, keys will be non-exportable...
    Feb 21 17:39:36.916: crypto_engine: generate public/private keypair [OK]
    Feb 21 17:39:48.808: crypto_engine: generate public/private keypair
    Feb 21 17:39:48.812: %SSH-5-ENABLED: SSH 1.99 has been enabled
    Feb 21 17:39:48.812: crypto_engine: public key sign % Exporting 
    Certificate Server signite and keys...
    
    % Certificate Server enabled.
    Router(cs-server)#
    Feb 21 17:39:54.064: crypto_engine: public key verify
    
    Router#dir nvram:
    Directory of nvram:/
    
    
    !--- Output is suppressed.
    
        6  -rw-          32                    <no date>  CA.ser
        7  -rw-         212                    <no date>  CA.crl
        8  -rw-        1702                    <no date>  CA.pem
    
    129016 bytes total (116676 bytes free)
    
    
    !--- Backup the three files to the TFTP server. 
    
    Router#copy nvram:CA.ser tftp://172.16.1.100/backup.ser 
    Router#copy nvram:CA.crl tftp://172.16.1.100/backup.crl
    Router#copy nvram:CA.pem tftp://172.16.1.100/backup.pem
    
  • PKCS12 Format—Create the CA and backup the files from NVRAM (to the TFTP server in this case).

    Router (config)#crypto pki server CA
    Router (cs-server)#database archive pkcs12 password cisco123
    Router(cs-server)#lifetime certificate 1095
    Router(cs-server)#lifetime ca-certificate 1825
    Router(cs-server)#lifetime crl 24
    Router(cs-server)#no shutdown
    % Generating 1024 bit RSA keys ...[OK]
    % Ready to generate the CA certificate.
    % Some server settings cannot be changed after CA certificate generation.
    Are you sure you want to do this? [yes/no]: y
    % Exporting Certificate Server signing certificate and keys...
    ! Note that you are not being prompted for a password.
    % Certificate Server enabled.
    Router (cs-server)# end
    Router#dir nvram:
    Directory of nvram:/
       125   -rw-         1693             <no date>   startup-config
       126   ----            5             <no date>   private-config
         1   -rw-           32             <no date>   CA.ser
         2   -rw-          214             <no date>   CA.crl
    
    !--- Note that the next line indicates that the format is PKCS12.
    
        3   -rw-         1499             <no date>   CA.p12
    
    Router#copy nvram:CA.ser tftp://172.16.1.100/backup.ser 
    Router#copy nvram:CA.crl tftp://172.16.1.100/backup.crl
    Router#copy nvram:CA.p12 tftp://172.16.1.100/backup.p12
    

Restore the IOS CA Server

In order to restore the CA server, you need to restore the .ser and .crl files, recreate the server, and import the data from the PEM file (PEM format) or the p12 file (PKCS12 format).

In our lab scenario, the no crypto pki server CA command is used to remove the certificate server configuration from the router.

Example:

  • PEM Format—Allows you to view the PEM file so that you can copy and paste the certificate and key later using the more CA.pem command.

    This example shows that restoration is from a PEM archive and that the database URL is nvram:

    Router#copy tftp://172.16.1.100/backup.ser nvram:CA.ser
    Destination filename [CA.ser]?
    32 bytes copied in 1.320 secs (24 bytes/sec)
    Router#copy tftp://172.16.1.100/backup.crl nvram:CA.crl
    Destination filename [CA.crl]?
    214 bytes copied in 1.324 secs (162 bytes/sec)
    Router#configure terminal
    
    !--- Because the CA certificate has digital signature usage, you need to 
    !--- import using the "usage-keys" keyword.
    
    
    !--- This is the command you use to import the certificate 
    !--- via the terminal with encryption key cisco123.
    
    Router (config)#crypto ca import CA pem usage-keys terminal cisco123
    % Enter PEM-formatted CA certificate.
    % End with a blank line or "quit" on a line by itself.
    
    !--- Copy and paste the CERTIFICATE from the pem file, 
    !--- followed by quit.
    
    
    -----BEGIN CERTIFICATE-----
    MIIB9zCCAWCgAwIBAgIBATANBgkqhkiG9w0BAQQFADAPMQ0wCwYDVQQDEwRteWNz
    MB4XDTA0MDkwMjIxMDI1NloXDTA3MDkwMjIxMDI1NlowDzENMAsGA1UEAxMEbXlj
    czCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGnnDXJbpDDQwCuKGs5Zg2rc
    K7ZJauSUotTmWYQvNx+ZmWrUs5/j9Ee5FV2YonirGBQ9mc6u163kNlrIPFck062L
    GpahBhNmKDgod1o2PHTnRlZpEZNDIqU2D3hACgByxPjrY4vUnccV36ewLnQnYpp8
    szEu7PYTJr5dU5ltAekCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
    Af8EBAMCAYYwHwYDVR0jBBgwFoAUaEEQwYKCQ1dm9+wLYBKRTlzxaDIwHQYDVR0O
    BBYEFGhBEMGCgkNXZvfsC2ASkU5c8WgyMA0GCSqGSIb3DQEBBAUAA4GBAHyhiv2C
    mH+vswkBjRA1Fzzk8ttu9s5kwqG0dXp25QRUWsGlr9nsKPNdVKt3P7p0A/KochHe
    eNiygiv+hDQ3FVnzsNv983le6O5jvAPxc17RO1BbfNhqvEWMsXdnjHOcUy7XerCo
    +bdPcUf/eCiZueH/BEy/SZhD7yovzn2cdzBN
    -----END CERTIFICATE-----
    quit
    
    !--- Copy and paste the PRIVATE KEY from the pem file, 
    !--- followed by quit.
    
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,5053DC842B04612A
    1CnlF5Pqvd0zp2NLZ7iosxzTy6nDeXPpNyJpxB5q+V29IuY8Apb6TlJCU7YrsEB/
    nBTK7K76DCeGPlLpcuyEI171QmkQJ2gA0QhC0LrRo09WrINVH+b4So/y7nffZkVb
    p2yDpZwqoJ8cmRH94Tie0YmzBtEh6ayOud11z53qbrsCnfSEwszt1xrW1MKrFZrk
    /fTy6loHzGFzl3BDj4r5gBecExwcPp74ldHO+Ld4Nc9egG8BYkeBCsZZOQNVhXLN
    I0tODOs6hP915zb6OrZFYv0NK6grTBO9D8hjNZ3U79jJzsSP7UNzIYHNTzRJiAyu
    i56Oy/iHvkCSNUIK6zeIJQnW4bSoM1BqrbVPwHU6QaXUqlNzZ8SDtw7ZRZ/rHuiD
    RTJMPbKquAzeuBss1132OaAUJRStjPXgyZTUbc+cWb6zATNws2yijPDTR6sRHoQL
    47wHMr2Yj80VZGgkCSLAkL88ACz9TfUiVFhtfl6xMC2yuFl+WRk1XfF5VtWe5Zer
    3Fn1DcBmlF7O86XUkiSHP4EV0cI6n5ZMzVLx0XAUtdAl1gD94y1V+6p9PcQHLyQA
    pGRmj5IlSFw90aLafgCTbRbmC0ChIqHy91UFa1ub0130+yu7LsLGRlPmJ9NE61JR
    bjRhlUXItRYWY7C4M3m/0wz6fmVQNSumJM08RHq6lUB3olzIgGIZlZkoaESrLG0p
    qq2AENFemCPF0uhyVS2humMHjWuRr+jedfc/IMl7sLEgAdqCVCfV3RZVEaNXBud1
    4QjkuTrwaTcRXVFbtrVioT/puyVUlpA7+k7w+F5TZwUV08mwvUEqDw==
    -----END RSA PRIVATE KEY-----
    quit
    
    
    !--- Copy and paste again the CERTIFICATE from the pem file, 
    !--- followed by quit.
    
    -----BEGIN CERTIFICATE-----
    MIIB9zCCAWCgAwIBAgIBATANBgkqhkiG9w0BAQQFADAPMQ0wCwYDVQQDEwRteWNz
    MB4XDTA0MDkwMjIxMDI1NloXDTA3MDkwMjIxMDI1NlowDzENMAsGA1UEAxMEbXlj
    czCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGnnDXJbpDDQwCuKGs5Zg2rc
    K7ZJauSUotTmWYQvNx+ZmWrUs5/j9Ee5FV2YonirGBQ9mc6u163kNlrIPFck062L
    GpahBhNmKDgod1o2PHTnRlZpEZNDIqU2D3hACgByxPjrY4vUnccV36ewLnQnYpp8
    szEu7PYTJr5dU5ltAekCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
    Af8EBAMCAYYwHwYDVR0jBBgwFoAUaEEQwYKCQ1dm9+wLYBKRTlzxaDIwHQYDVR0O
    BBYEFGhBEMGCgkNXZvfsC2ASkU5c8WgyMA0GCSqGSIb3DQEBBAUAA4GBAHyhiv2C
    mH+vswkBjRA1Fzzk8ttu9s5kwqG0dXp25QRUWsGlr9nsKPNdVKt3P7p0A/KochHe
    eNiygiv+hDQ3FVnzsNv983le6O5jvAPxc17RO1BbfNhqvEWMsXdnjHOcUy7XerCo
    +bdPcUf/eCiZueH/BEy/SZhD7yovzn2cdzBN
    -----END CERTIFICATE-----
    quit 
    
    !--- When you are prompted for the encryption key, 
    !--- enter quit to skip this step.
    
    quit
    
    
    Router (config)#crypto pki server CA
    Router (cs-server)#database url nvram:
    
    !--- Fill in any CS configuration here.
    
    Router (cs-server)#no shutdown
    % Certificate Server enabled.
    Router (cs-server)#end
    
    Router#show crypto pki server
    Certificate Server CA:
        Status: enabled
        Server's current state: enabled
        Issuer name: CN=CA
        CA cert fingerprint: F04C2B75 E0243FBC 19806219 B1D77412 
        Granting mode is: manual
        Last certificate issued serial number: 0x2
        CA certificate expiration timer: 21:02:55 GMT Sep 2 2007
        CRL NextUpdate timer: 21:02:58 GMT Sep 9 2004
        Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage 
  • PKCS12 format—This example shows that restoration is from a PKCS12 archive and that the database URL is NVRAM (the default).

    Router#copy tftp://172.16.1.100/backup.ser nvram:CA.ser
    Destination filename [CA.ser]? 
    32 bytes copied in 1.320 secs (24 bytes/sec)
    Router#copy tftp://172.16.1.100/backup.crl nvram:CA.crl
    Destination filename [CA.crl]? 
    214 bytes copied in 1.324 secs (162 bytes/sec)
    Router#configure terminal
    Router (config)#crypto pki import CA pkcs12 tftp://172.16.1.100/backup.p12 
                  cisco123
    Source filename [backup.p12]? 
    CRYPTO_PKI: Imported PKCS12 file successfully.
    
    Router (config)#crypto pki server CA
    
    !--- Fill in any CS configuration here.
    
    Router (cs-server)#no shutdown
    % Certificate Server enabled.
    Router (cs-server)#end
    Router#show crypto pki server 
    Certificate Server CA:
        Status: enabled
        Server's current state: enabled
        Issuer name: CN=CA
        CA cert fingerprint: 34885330 B13EAD45 196DA461 B43E813F 
        Granting mode is: manual
        Last certificate issued serial number: 0x1
        CA certificate expiration timer: 01:49:13 GMT Aug 28 2007
        CRL NextUpdate timer: 01:49:16 GMT Sep 4 2004
        Current storage dir: nvram:
        Database Level: Minimum - no cert data written to storage

Verify

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

The show crypto pki server command shows information about the certification server.

Router#show crypto pki server
Certificate Server CA:
    Status: enabled
    Server's current state: enabled
    Issuer name: CN=CA
    CA cert fingerprint: F04C2B75 E0243FBC 19806219 B1D77412 
    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 21:02:55 GMT Sep 2 2007
    CRL NextUpdate timer: 21:02:58 GMT Sep 9 2004
    Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage 

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Mar 06, 2007
Document ID: 82153