This module describes the different methods available for certificate enrollment and how to set up each method for a participating PKI peer. Certificate enrollment, which is the process of obtaining a certificate from a certification authority (CA), occurs between the end host that requests the certificate and the CA. Each peer that participates in the public key infrastructure (PKI) must enroll with a CA.
Note
Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the
Next Generation Encryption (NGE) white paper.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see
Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for PKI Certificate Enrollment
Before configuring peers for certificate enrollment, you should have the following items:
A generated
Rivest, Shamir, and Adelman (RSA)
key pair to enroll and a PKI in which to enroll.
An authenticated CA.
Familiarity with the module "Cisco IOS PKI Overview: Understanding and Planning a PKI."
Note
As of Cisco IOS Release 12.3(7)T, all commands that begin with "cryptoca" have been changed to begin with "cryptopki." Although the router will still accept cryptoca commands, all output will be be displayed cryptopki.
Information About Certificate Enrollment for a PKI
A CA is an entity that issues digital certificates that other parties can use. It is an example of a trusted third party. CAs are characteristic of many PKI schemes.
A CA manages certificate requests and issues certificates to participating network devices. These services provide centralized key management for the participating devices to validate identities and to create digital certificates. Before any PKI operations can begin, the CA generates its own public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate requests and begin peer enrollment for the PKI.
You can use the Cisco IOS certificate server or a CA provided by a third-party CA vendor.
Framework for Multiple CAs
A PKI can be set up in a hierarchical framework to support multiple CAs. At the top of the hierarchy is a root CA, which holds a self-signed certificate. The trust within the entire hierarchy is derived from the RSA key pair of the root CA. The subordinate CAs within the hierarchy can be enrolled with either the root CA or with another subordinate CA. Multiple tiers of CAs are configured by either the root CA or with another subordinate CA. Within a hierarchical PKI, all enrolled peers can validate the certificate of one another if the peers share a trusted root CA certificate or a common subordinate CA.
When to Use Multiple CAs
Multiple CAs provide users with added flexibility and reliability. For example, subordinate CAs can be placed in branch offices while the root CA is at the office headquarters. Also, different granting policies can be implemented per CA, so you can set up one CA to automatically grant certificate requests while another CA within the hierarchy requires each certificate request to be manually granted.
Scenarios in which at least a two-tier CA is recommended are as follows:
Large and very active networks in which a large number of certificates are revoked and reissued. A multiple tier CA helps to control the size of the certificate revocation lists (CRLs).
When online enrollment protocols are used, the root CA can be kept offline except to issue subordinate CA certificates. This scenario provides added security for the root CA.
Authentication of the CA
The certificate of the CA must be authenticated before the device will be issued its own certificate and before certificate enrollment can occur. Authentication of the CA typically occurs only when you initially configure PKI support at your router. To authenticate the CA, issue the cryptopkiauthenticate command, which authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA.
Authentication via the fingerprint Command
Cisco IOS Release 12.3(12) and later releases allow you to issue the fingerprint command t
o preenter a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
If a fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.
Note
If the authentication request is made using the command-line interface (CLI), the request is an interactive request. If the authentication request is made using HTTP or another management tool, the request is a noninteractive request.
Supported Certificate Enrollment Methods
Cisco IOS software supports the following methods to obtain a certificate from a CA:
Simple Certificate Enrollment Protocol (SCEP)--A Cisco-developed enrollment protocol that uses HTTP to communicate with the CA or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.
Note
To take advantage of automated certificate and key rollover functionality, you must be running a CA that supports rollover and SCEP must be used as your client enrollment method.
If you are running a Cisco IOS CA, you must be running Cisco IOS Release 12.4(2)T or a later release for rollover support.
PKCS12--The router imports certificates in PKCS12 format from an external server.
IOS File System (IFS)--The router uses any file system that is supported by Cisco IOS software (such as TFTP, FTP, flash, and NVRAM) to send a certificate request and to receive the issued certificate. Users may enable IFS certificate enrollment when their CA does not support SCEP.
Note
Prior to Cisco IOS Release 12.3(4)T, only the TFTP file system was supported within IFS.
Manual cut-and-paste--The router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the console terminal. A user may manually cut-and-paste certificate requests and certificates when there is no network connection between the router and CA.
Enrollment profiles--The router sends HTTP-based enrollment requests directly to the CA server instead of to the RA-mode certificate server (CS). Enrollment profiles can be used if a CA server does not support SCEP.
Self-signed certificate enrollment for a trustpoint--The secure HTTP (HTTPS) server generates a self-signed certificate that is to be used during the secure socket layer (SSL) handshake, establishing a secure connection between the HTTPS server and the client. The self-signed certificate is then saved in the router's startup configuration (NVRAM). The saved, self-signed certificate can then be used for future SSL handshakes, eliminating the user intervention that was necessary to accept the certificate every time the router reloaded.
Note
To take advantage of autoenrollment and autoreenrollment, do not use either TFTP or manual cut-and-paste enrollment as your enrollment method. Both TFTP and manual cut-and-paste enrollment methods are manual enrollment processes, requiring user input.
Cisco IOS Suite-B Support for Certificate Enrollment for a PKI
Suite-B requirements comprise of four user interface suites of cryptographic algorithms for use with IKE and IPSec that are described in RFC 4869. Each suite consists of an encryption algorithm, a digital signature algorithm, a key agreement algorithm, and a hash or message digest algorithm.
Suite-B adds the following support for the certificate enrollment for a PKI:
Elliptic Curve Digital Signature Algorithm (ECDSA) (256-bit and 384-bit curves) is used for the signature operation within X.509 certificates.
PKI support for validation of for X.509 certificates using ECDSA signatures.
PKI support for generating certificate requests using ECDSA signatures and for importing the issued certificates into IOS.
See the Configuring Security for VPNs with IPsec feature module for more detailed information about Cisco IOS Suite-B support.
Registration Authorities
A Cisco IOS certificate server can be configured to run in RA mode. An RA offloads authentication and authorization responsibilities from a CA. When the RA receives a SCEP or manual enrollment request, the administrator can either reject or grant it on the basis of local policy. If the request is granted, it will be forwarded to the issuing CA, and the CA can be configured to automatically generate the certificate and return it to the RA. The client can later retrieve the granted certificate from the RA.
Automatic Certificate Enrollment
Automatic certificate enrollment allows the CA client to automatically request a certificate from its CA sever. This automatic router request eliminates the need for operator intervention when the enrollment request is sent to the CA server. Automatic enrollment is performed on startup for any trustpoint CA that is configured and that does not have a valid client certificate. When the certificate expires, a new certificate is automatically requested.
Note
When automatic enrollment is configured, clients automatically request client certificates. The CA server performs its own authorization checks; if these checks include a policy to automatically issue certificates, all clients will automatically receive certificates, which is not very secure. Thus, automatic certificate enrollment should be combined with additional authentication and authorization mechanisms (such as Secure Device Provisioning (SDP), leveraging existing certificates, and one-time passwords).
Automated Client Certificate and Key Rollover
By default, the automatic certificate enrollment function requests a new client certificate and keys from the CS before the client's current certificate expires. Certificate and key rollover allows the certificate renewal rollover request to be made before the certificate expires by retaining the current key and certificate until the new, or rollover, certificate is available. After a specified amount of time, the rollover certificate and keys will become the active certificate and keys. The expired certificate and keys are immediately deleted upon rollover and removed from the certificate chain and CRL.
The setup for automatic rollover is twofold: CA clients must be automatically enrolled and the client's CAs must be automatically enrolled and have the
auto-rollover command enabled. For more information on configuring your CA servers for automatic certificate rollover see the section "Automatic CA Certificate and Key Rollover" in the chapter "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment " of the
Public Key Infrastructure Configuration Guide.
An optional renewal percentage parameter can be used with the
auto-enroll command to allow a new certificate to be requested when a specified percentage of the lifetime of the certificate has passed. For example, if the renewal percentage is configured as 90 and the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires. In order for automatic rollover to occur, the renewal percentage must be less than 100.The specified percent value must not be less than 10. If a client certificate is issued for less than the configured validity period due to the impending expiration of the CA certificate, the rollover certificate will be issued for the balance of that period. A minimum of 10 percent of the configured validity period, with an absolute minimum of 3 minutes, is required to allow rollover enough time to function.
Tip
If CA autoenrollment is not enabled, you may manually initiate rollover on an existing client with the
cryptopkienroll command if the expiration time of the current client certificate is equal to or greater than the expiration time of the corresponding CA certificate. The client will initiate the rollover process, which occurs only if the server is configured for automated rollover and has an available rollover server certificate.
Note
A key pair is also sent if configured by the
auto-enrollre-generate command and keyword. It is recommended that a new key pair be issued for security reasons.
Certificate Enrollment Profiles
Certificate enrollment profiles allow users to specify certificate authentication, enrollment, and reenrollment parameters when prompted. The values for these parameters are referenced by two templates that make up the profile. One template contains parameters for the HTTP request that is sent to the CA server to obtain the certificate of the CA (also known as certificate authentication); the other template contains parameters for the HTTP request that is sent to the CA for certificate enrollment.
Configuring two templates enables users to specify different URLs or methods for certificate authentication and enrollment; for example, authentication (getting the certificate of the CA) can be performed via TFTP (using the authenticationurl command) and enrollment can be performed manually (using the enrollmentterminal command).
Prior to Cisco IOS Release 12.3(11)T, certificate requests could be sent only in a PKCS10 format; however, an additional parameter was added to the profile, allowing users to specify the PKCS7 format for certificate renewal requests.
Note
A single enrollment profile can have up to three separate sections for each task--certificate authentication, enrollment, and reenrollment.
How to Configure Certificate Enrollment for a PKI
This section contains the following enrollment option procedures. If you configure enrollment or autoenrollment (the first task), you cannot configure manual certificate enrollment. Also, if you configure TFTP or manual cut-and-paste certificate enrollment, you cannot configure autoenrollment, autoreenrollment, an enrollment profile, nor can you utilize the automated CA certificate rollover capability.
Configuring Certificate Enrollment or Autoenrollment
Perform this task to configure certificate enrollment or autoenrollment for clients participating in your PKI.
Before You Begin
Before configuring automatic certificate enrollment requests, you should ensure that all necessary enrollment information is configured.
Prerequisites for Enabling Automated Client Certificate and Key Rollover
CA client support for certificate rollover is automatically enabled when using autoenrollment. For automatic CA certificate rollover to run successfully, the following prerequisites are applicable:
Your network devices must support shadow PKI.
Your clients must be running Cisco IOS Release 12.4(2)T or a later release.
The client's CS must support automatic rollover. See the section "Automatic CA Certificate and Key Rollover" in the chapter "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment " of the
Public Key Infrastructure Configuration Guide for more information on CA server automatic rollover configuration.
Prerequisites for Specifying Autoenrollment Initial Key Generation Location
To specify the location of the autoenrollment initial key generation, you must be running Cisco IOS Release 12.4(11)T or a later release.
Note
RSA Key Pair Restriction for Autoenrollment
Trustpoints configured to generate a new key pair using the
regenerate command or the
regenerate keyword of the
auto-enroll command must not share key pairs with other trustpoints. To give each trustpoint its own key pair, use the
rsakeypair command in ca-trustpoint configuration mode. Sharing key pairs among regenerating trustpoints is not supported and will cause loss of service on some of the trustpoints because of key and certificate mismatches.
Restrictions for Automated Client Certificate and Key Rollover
In order for clients to run automatic CA certificate rollover successfully, the following restrictions are applicable:
SCEP must be used to support rollover. Any device that enrolls with the PKI using an alternative to SCEP as the certificate management protocol or mechanism (such as enrollment profiles, manual enrollment, or TFTP enrollment) will not be able to take advantage of the rollover functionality provided by SCEP.
If the configuration cannot be saved to the startup configuration after a shadow certificate is generated, rollover will not occur.
Specifies the URL of the CA on which your router should send certificate requests.
mode--Specifies RA mode if your CA system provides an RA.
retryperiodminutes--Specifies the wait period between certificate request retries. The default is 1 minute between retries.
retrycountnumber-- Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. (Specify from 1 to 100 retries.)
urlurl-- URL of the file system where your router should send certificate requests. An IPv6 address can be added in the URL enclosed in brackets. For example: http:// [2001:DB8:1:1::1]:80. For more enrollment method options, see the
enrollment url (ca-trustpoint) command page.
pem-- Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Note
An enrollment method other than TFTP or manual cut-and-paste must be configured to support autoenrollment.
Step 5
eckeypairlabel
Example:
Router(ca-trustpoint)# eckeypair Router_1_Key
(Optional) Configures the trustpoint to use an Elliptic Curve (EC) key on which certificate requests are generated using ECDSA signatures. The
label argument specifies the EC key label that is configured using the
cryptokeygeneratersa or
cryptokeygenerateeckeysize command in global configuration mode. See the Configuring Internet Key Exchange for IPsec VPNs feature module for more information.
Note
If an ECDSA signed certificate is imported without a trustpoint configuration, then the label defaults to the FQDN value.
Step 6
subject-name [x.500-name]
Example:
Router(ca-trustpoint)# subject-name cat
(Optional) Specifies the requested subject name that will be used in the certificate request.
x.500-name--If it is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.
Step 7
vrfvrf-name
Example:
Router(ca-trustpoint)# vrf myvrf
(Optional) Specifies the the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status.
Step 8
ip-address {ip-address |
interface |
none}
Example:
Router(ca-trustpoint)# ip address 192.168.1.66
(Optional) Includes the IP address of the specified interface in the certificate request.
Issue the
ip-address argument to specify either an IPv4 or IPv6 address.
Issue the
interface argument to specify an interface on the router.
Issue the
none keyword if no IP address should be included.
Note
If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.
Step 9
serial-number [none]
Example:
Router(ca-trustpoint)# serial-number
(Optional) Specifies the router serial number in the certificate request, unless the
none keyword is issued.
Issue the
none keyword to specify that a serial number will not be included in the certificate request.
Step 10
auto-enroll [percent] [regenerate]
Example:
Router(ca-trustpoint)# auto-enroll regenerate
(Optional) Enables autoenrollment, allowing the client to automatically request a rollover certificate from the CA.
If autoenrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
By default, only t he Domain Name System (DNS) name of the router is included in the certificate.
Use the
percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current certificate is reached.
Use the
regenerate keyword to generate a new key for the certificate even if a named key already exists.
Note
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: "! RSA key pair associated with trustpoint is exportable."
Note
It is recommended that a new key pair be generated for security reasons.
Step 11
usagemethod1 [method2 [method3]]
Example:
Router(ca-trustpoint)# usage ssl-client
(Optional) Specifies the intended use for the certificate.
Available options are
ike,
ssl-client, and
ssl-server; the default is
ike.
Step 12
passwordstring
Example:
Router(ca-trustpoint)# password string1
(Optional) Specifies the revocation password for the certificate.
If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.
Note
When SCEP is used, this password can be used to authorize the certificate request--often via a one-time password or similar mechanism.
Step 13
rsakeypairkey-labelkey-sizeencryption-key-size]]
Example:
Router(ca-trustpoint)# rsakeypair cat
(Optional) Specifies which key pair to associate with the certificate.
A key pair with the
key-label argument will be generated during enrollment if it does not already exist or if the
auto-enrollregenerate command was issued.
Specify the
key-size argument for generating the key, and specify the
encryption-key-size argument to request separate encryption, signature keys, and certificates.
Note
If this command is not enabled, the FQDN key pair is used.
(Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
Note
If the fingerprint is not provided and authentication of the CA certificate is interactive, the fingerprint will be displayed for verification.
Step 15
ondevicename:
Example:
Router(ca-trustpoint)# on usbtoken0:
(Optional) Specifies that RSA keys will be created on the specified device upon autoenrollment initial key generation.
Devices that may be specified include NVRAM, local disks, and Universal Serial Bus (USB) tokens. USB tokens may be used as cryptographic devices in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication to be performed on the token.
Step 16
exit
Example:
Router(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.
Step 17
cryptopkiauthenticatename
Example:
Router(config)# crypto pki authenticate mytp
Retrieves the CA certificate and authenticates it.
Check the certificate fingerprint if prompted.
Note
This command is optional if the CA certificate is already loaded into the configuration.
(Optional) Copies the running configuration to the NVRAM startup configuration.
Note
Autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.
Step 20
showcryptopkicertificates
Example:
Router# show crypto pki certificates
(Optional) Displays information about your certificates, including any rollover certificates.
Configuring Manual Certificate Enrollment
Manual certificate enrollment can be set up via TFTP or the manual cut-and-paste method. Both options can be used if your CA does not support SCEP or if a network connection between the router and CA is not possible. Perform one of the following tasks to set up manual certificate enrollment:
PEM-Formatted Files for Certificate Enrollment Request
Using PEM-formatted files for certificate requests can be helpful for customers who are using terminal or profile-based enrollment to request certificates from their CA server. Customers using PEM-formatted files can directly use existing certificates on their routers.
Restrictions for Manual Certificate Enrollment
SCEP Restriction
We do not recommend switching URLs if SCEP is used; that is, if the enrollment URL is "http://myca," do not change the enrollment URL after getting the CA certificate and before enrolling the certificate. A user can switch between TFTP and manual cut-and-paste.
Key Regeneration Restriction
Do not regenerate the keys manually using the cryptokeygenerate command; key regeneration will occur when the cryptopkienrollcommand is issued if the regenerate keyword is specified.
Configuring Cut-and-Paste Certificate Enrollment
Perform this task to configure cut-and-paste certificate enrollment. This task helps you to configure manual certificate enrollment via the cut-and-paste method for peers participating in your PKI.
SUMMARY STEPS
1.enable
2.configureterminal
3.cryptopkitrustpointname
4.enrollmentterminalpem
5.fingerprintca-fingerprint
6.exit
7.cryptopkiauthenticatename
8.
crypto pki enroll name
9.
crypto pki import name certificate
10.exit
11.showcryptopkicertificates
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
cryptopkitrustpointname
Example:
Router(config)# crypto pki trustpoint mytp
Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
Step 4
enrollmentterminalpem
Example:
Router(ca-trustpoint)# enrollment terminal
Specifies the manual cut-and-paste certificate enrollment method.
The certificate request will be displayed on the console terminal so that it may be manually copied (or cut).
pem--Configures the trustpoint to generate PEM-formatted certificate requests to the console terminal.
(Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
Note
If the fingerprint is not provided, it will be displayed for verification.
Step 6
exit
Example:
Router(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.
Step 7
cryptopkiauthenticatename
Example:
Router(config)# crypto pki authenticate mytp
Retrieves the CA certificate and authenticates it.
Step 8
crypto pki enroll name
Example:
Router(config)# crypto pki enroll mytp
Generates certificate request and displays the request for copying and pasting into the certificate server.
You are prompted for enrollment information, such as whether to include the router FQDN and IP address in the certificate request. You are also given the choice about displaying the certificate request to the console terminal.
The base-64 encoded certificate with or without PEM headers as requested is displayed.
Imports a certificate manually at the console terminal (pasting).
The base-64 encoded certificate is accepted from the console terminal and inserted into the internal certificate database.
Note
You must enter this command twice if usage keys, a signature key, and an encryption key are used. The first time the command is entered, one of the certificates is pasted into the router. The second time the command is entered, the other certificate is pasted into the router. It does not matter which certificate is pasted first.
Note
Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If this applies to the certificate authority you are using, import the general purpose certificate. The router will not use one of the two key pairs generated.
Step 10
exit
Example:
Router(config)# exit
Exits global configuration mode.
Step 11
showcryptopkicertificates
Example:
Router# show crypto pki certificates
(Optional) Displays information about your certificates, the certificates of the CA, and RA certificates.
Configuring TFTP Certificate Enrollment
Perform this task to configure TFTP certificate enrollment. This task helps you to configure manual certificate enrollment using a TFTP server.
Before You Begin
You must know the correct URL to use if you are configuring certificate enrollment via TFTP.
The router must be able to write a file to the TFTP server for the cryptopkienroll command.
If you are using a file specification with the enrollment command, the file must contain the CA certificate either in binary format or be base-64 encoded.
You must know if your CA ignores key usage information in a certificate request and issues only a general purpose usage certificate.
Caution
Some TFTP servers require that the file must exist on the server before it can be written.
Most TFTP servers require files that can be written over. This requirement may pose a risk because any router or other device may write or overwrite the certificate request; thus, the replacement certificate request will not be used by the CA administrator, who must first check the enrollment request fingerprint before granting the certificate request.
Specifies TFTP as the enrollment method to send the enrollment request and to retrieve the CA certificate and router certificate and any optional parameters.
Note
For TFTP enrollment, the URL must be configured as a TFTP URL, tftp://example_tftp_url.
An optional file specification filename may be included in the TFTP URL. If the file specification is not included, the FQDN will be used. If the file specification is included, the router will append the extension ".ca" to the specified filename.
(Optional) Specifies the fingerprint of the CA certificate received via an out-of-band method from the CA administrator.
Note
If the fingerprint is not provided, it will be displayed for verification.
Step 6
exit
Example:
Router(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.
Step 7
cryptopkiauthenticatename
Example:
Router(config)# crypto pki authenticate mytp
Retrieves the CA certificate and authenticates it from the specified TFTP server.
Step 8
crypto pki enroll name
Example:
Router(config)# crypto pki enroll mytp
Generates certificate request and writes the request out to the TFTP server.
You are prompted for enrollment information, such as whether to include the router FQDN and IP address in the certificate request. You are queried about whether to display the certificate request to the console terminal.
The filename to be written is appended with the extension ".req". For usage keys, a signature key and an encryption key, two requests are generated and sent. The usage key request filenames are appended with the extensions "-sign.req" and "-encr.req", respectively.
Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate.
The router will attempt to retrieve the granted certificate via TFTP using the same filename used to send the request, except the extension is changed from ".req" to ".crt". For usage key certificates, the extensions "-sign.crt" and "-encr.crt" are used.
The router will parse the received files, verify the certificates, and insert the certificates into the internal certificate database on the router.
Note
Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your CA ignores the usage key information in the certificate request, only import the general purpose certificate. The router will not use one of the two key pairs generated.
Step 10
exit
Example:
Router(config)# exit
Exits global configuration mode.
Step 11
showcryptopkicertificates
Example:
Router# show crypto pki certificates
(Optional) Displays information about your certificates, the certificates of the CA, and RA certificates.
Certifying a URL Link for Secure Communication with a Trend Micro Server
Perform this task to certify a link used in URL filtering that allows secure communication with a Trend Micro Server.
Note
Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the
Next Generation Encryption (NGE) white paper.
12. Copy the following block of text containing the base 64 encoded CA certificate and paste it at the prompt.
13. Enter
yes to accept this certificate.
14.serial-number
15.revocation-checknone
16.end
17.trmregister
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
clocksethh:mm:ssdatemonthyear
Example:
Router# clock set 23:22:00 22 Dec 2009
Sets the clock on the router.
Step 3
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 4
clocktimezonezone hours-offset [minutes-offset ]
Example:
Router(config)# clock timezone PST -08
Sets the time zone.
The
zone argument is the name of the time zone (typically a standard acronym). The
hours-offset argument is the number of hours the time zone is different from Universal Time Coordinated (UTC). The
minutes-offset argument is the number of minutes the time zone is different from UTC.
Note
The
minutes-offsetargument of the
clocktimezone command is available for those cases where a local time zone is a percentage of an hour different from UTC or Greenwich Mean Time (GMT). For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5. In this case, the necessary command would be
clocktimezoneAST-330.
Router(config)# crypto key generate rsa general-keys modulus general
Generates the crypto keys.
The
general-keys keyword specifies that a general purpose key pair is generated, which is the default.
The
modulus keyword and
modulus-size argument specify the IP size of the key modulus. By default, the modulus of a CA key is 1024 bits. Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys. If you choose a key modulus value greater than 512, the router may require a few minutes to process the command.
Note
The name for the general keys that are generated are based on the domain name that is configured in Step 7. For example, the keys will be called "example.com."
Step 9
cryptopkitrustpointname
Example:
Router(config)# crypto pki trustpoint mytp
Declares the CA that your router should use and enters ca-trustpoint configuration mode.
Note
Effective with Cisco IOS Release 12.3(8)T, the
cryptopkitrustpoint command replaced the
cryptocatrustpoint command.
Step 10
enrollmentterminal
Example:
Router(ca-trustpoint)# enrollment terminal
Specifies the manual cut-and-paste certificate enrollment method.
The certificate request will be displayed on the console terminal so that you may manually copy (or cut).
Step 11
cryptocaauthenticatename
Example:
Router(ca-trustpoint)# crypto ca authenticate mytp
Takes the name of the CA as the argument and authenticates it.
The following command output displays:
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself.
Step 12
Copy the following block of text containing the base 64 encoded CA certificate and paste it at the prompt.
The SSL protocol can be used to establish a secure connection between an HTTPS server and a client (web browser). During the SSL handshake, the client expects the SSL server's certificate to be verifiable using a certificate the client already possesses.
If Cisco IOS software does not have a certificate that the HTTPS server can use, the server generates a self-signed certificate by calling a PKI application programming interface (API). When the client receives this self-signed certificate and is unable to verify it, intervention is needed. The client asks you if the certificate should be accepted and saved for future use. If you accept the certificate, the SSL handshake continues.
Future SSL handshakes between the same client and the server use the same certificate. However, if the router is reloaded, the self-signed certificate is lost. The HTTPS server must then create a new self-signed certificate. This new self-signed certificate does not match the previous certificate, so you are once again asked to accept it.
Requesting acceptance of the router's certificate each time that the router reloads may present an opportunity for an attacker to substitute an unauthorized certificate when you are being asked to accept the certificate. Persistent self-signed certificates overcome all these limitations by saving a certificate in the router's startup configuration.
Restrictions
You can configure only one trustpoint for a persistent self-signed certificate.
Note
Do not change the IP domain name or the hostname of the router after creating the self-signed certificate. Changing either name triggers the regeneration of the self-signed certificate and overrides the configured trustpoint. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration. If a new self-signed certificate is triggered, then the new trustpoint name does not match the WebVPN configuration, causing the WebVPN connections to fail.
Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters
Perform the following task to configure a trustpoint and specify self-signed certificate parameters.
(Optional) Specifies which key pair to associate with the certificate.
The value for the key-label argument will be generated during enrollment if it does not already exist or if the auto-enrollregenerate command was issued.
Specify a value for the key-size argument for generating the key, and specify a value for the encryption-key-size argument to request separate encryption, signature keys, and certificates.
Note
If this command is not enabled, the FQDN key pair is used.
Step 7
cryptopkienrollname
Example:
Router(ca-trustpoint)# crypto pki enroll local
Tells the router to generate the persistent self-signed certificate.
Router# show crypto pki certificates local verbose
Displays information about your certificate, the certification authority certificate, and any registration authority certificates.
Step 10
showcryptopkitrustpoints[status | label [status]]
Example:
Router# show crypto pki trustpoints status
Displays the trustpoints that are configured in the router.
Enabling the HTTPS Server
Perform the following task to enable the HTTPS server.
Before You Begin
To specify parameters, you must create a trustpoint and configure it. To use default values, delete any existing self-signed trustpoints. Deleting all self-signed trustpoints causes the HTTPS server to generate a persistent self-signed certificate using default values as soon as the server is enabled.
SUMMARY STEPS
1.enable
2.configureterminal
3.iphttpsecure-server
4.end
5.copysystem:running-confignvram:startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
iphttpsecure-server
Example:
Router(config)# ip http secure-server
Enables the HTTPS web server.
Note
A key pair (modulus 1024) and a certificate are generated.
Saves the self-signed certificate and the HTTPS server in enabled mode.
Configuring a Certificate Enrollment Profile for Enrollment or Reenrollment
Perform this task to configure a certificate enrollment profile for enrollment or reenrollment. This task helps you to configure an enrollment profile for certificate enrollment or reenrollment of a router with a Cisco IOS CA that is already enrolled with a third-party vendor CA.
Enable a router that is enrolled with a third-party vendor CA to use its existing certificate to enroll with the Cisco IOS certificate server so the enrollment request is automatically granted. To enable this functionality, you must issue the
enrollmentcredential command. Also, you cannot configure manual certificate enrollment.
Before You Begin
Perform the following tasks at the client router before configuring a certificate enrollment profile for the client router that is already enrolled with a third-party vendor CA so that the router can reenroll with a Cisco IOS certificate server:
Defined a trustpoint that points to the third-party vendor CA.
Authenticated and enrolled the client router with the third-party vendor CA.
Note
To use certificate profiles, your network must have an HTTP interface to the CA.
If an enrollment profile is specified, an enrollment URL may not be specified in the trustpoint configuration. Although both commands are supported, only one command can be used at a time in a trustpoint.
Because there is no standard for the HTTP commands used by various CAs, the user is required to enter the command that is appropriate to the CA that is being used.
>
SUMMARY STEPS
1.enable
2.configureterminal
3.cryptopkitrustpointname
4. enrollment profile label
5.exit
6.cryptopkiprofileenrollmentlabel
7.Do one of the following:
authenticationurlurl
authenticationterminal
8.authenticationcommand
9.Do one of the following:
enrollmenturlurl
enrollmentterminal
10.enrollmentcredentiallabel
11.enrollmentcommand
12.parameternumber {valuevalue |
promptstring}
13.exit
14.showcryptopkicertificates
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
cryptopkitrustpointname
Example:
Router(config)# crypto pki trustpoint Entrust
Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
Step 4
enrollment profile label
Example:
Router(ca-trustpoint)# enrollment profile E
Specifies that an enrollment profile is to be used for certificate authentication and enrollment.
Step 5
exit
Example:
Router(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode.
Step 6
cryptopkiprofileenrollmentlabel
Example:
Router(config)# crypto pki profile enrollment E
Defines an enrollment profile and enters ca-profile-enroll configuration mode.
label--Name for the enrollment profile; the enrollment profile name must match the name specified in the
enrollmentprofile command.
Specifies the URL of the CA server to which to send certificate authentication requests.
url--URL of the CA server to which your router should send authentication requests. If you are using HTTP, the URL should read "http://CA_name," where CA_name is the host DNS name or IP address of the CA. If you are using TFTP, the URL should read "tftp://certserver/file_specification." (If the URL does not include a file specification, the FQDN of the router will be used.)
If you configured the router to reenroll with a Cisco IOS CA, you should configure the Cisco IOS certificate server to accept enrollment requests only from clients already enrolled with the specified
third-party vendor CA
trustpoint to take advantage of this functionality. For more information, see the module "
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment."
Configuration Examples for PKI Certificate Enrollment Requests
Configuring Certificate Enrollment or Autoenrollment Example
The following example shows the configuration for the "mytp-A" certificate server and its associated trustpoint, where RSA keys generated by the initial autoenrollment for the trustpoint will be stored on a USB token, "usbtoken0":
crypto pki server mytp-A
database level complete
issuer-name CN=company, L=city, C=country
grant auto
! Specifies that certificate requests will be granted automatically.
!
crypto pki trustpoint mytp-A
revocation-check none
rsakeypair myTP-A
storage usbtoken0:
! Specifies that keys will be stored on usbtoken0:.
on usbtoken0:
! Specifies that keys generated on initial auto enroll will be generated on and stored on! usbtoken0:
Configuring Autoenrollment Example
The following example shows how to configure the router to automatically enroll with a CA on startup, enabling automatic rollover, and how to specify all necessary enrollment information in the configuration:
In this example, keys are neither regenerated nor rolled over.
Configuring Certificate Autoenrollment with Key Regeneration Example
The following example shows how to configure the router to automatically enroll with the CA named "trustme1" on startup and enable automatic rollover. The regenerate keyword is issued, so a new key will be generated for the certificate and reissued when the automatic rollover process is initiated. The renewal percentage is configured as 90 so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires. The changes made to the running configuration are saved to the NVRAM startup configuration because autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.
Configuring Cut-and-Paste Certificate Enrollment Example
The following example shows how to configure certificate enrollment using the manual cut-and-paste enrollment method:
Router(config)#
crypto pki trustpoint TP
Router(ca-trustpoint)#
enrollment terminal
Router(ca-trustpoint)#
crypto pki authenticate TP
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICNDCCAd6gAwIBAgIQOsCmXpVHwodKryRoqULV7jANBgkqhkiG9w0BAQUFADA5
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJ
bXNjYS1yb290MB4XDTAyMDIxNDAwNDYwMVoXDTA3MDIxNDAwNTQ0OFowOTELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxEjAQBgNVBAMTCW1zY2Et
cm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCix8nIGFg+wvy3BjFbVi25wYoG
K2N0HWWHpqxFuFhqyBnIC0OshIn9CtrdN3JvUNHr0NIKocEwNKUGYmPwWGTfAgMB
AAGjgcEwgb4wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FKIacsl6dKAfuNDVQymlSp7esf8jMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9t
c2NhLXJvb3QvQ2VydEVucm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8v
XFxtc2NhLXJvb3RcQ2VydEVucm9sbFxtc2NhLXJvb3QuY3JsMBAGCSsGAQQBgjcV
AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAeuZkZMX9qkoLHfETYTpVWjZPQbBmwNRA
oJDSdYdtL3BcI/uLL5q7EmODyGfLyMGxuhQYx5r/40aSQgLCqBq+yg==
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint: D6C12961 CD78808A 4E02193C 0790082A
% Do you accept this certificate? [yes/no]:
y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)#
crypto pki enroll TP
% Start certificate enrollment..
% The subject name in the certificate will be:
Router.example.com
% Include the router serial number in the subject name? [yes/no]:
n
% Include an IP address in the subject name? [no]:
n
Display Certificate Request to terminal? [yes/no]:
y
Signature key certificate request -
Certificate Request follows:
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxdhXFDiWAn/hIZs9zfOtssKA
daoWYu0ms9Fe/Pew01dh14vXdxgacstOs2Pr5wk6jLOPxpvxOJPWyQM6ipLmyVxv
ojhyLTrVohrh6Dnqcvk+G/5ohss9o9RxvONwx042pQchFnx9EkMuZC7evwRxJEqR
mBHXBZ8GmP3jYQsjS8MCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgeAMA0GCSqGSIb3DQEBBAUAA4GBAMT6WtyFw95POY7UtF+YIYHiVRUf4SCq
hRIAGrljUePLo9iTqyPU1Pnt8JnIZ5P5BHU3MfgP8sqodaWub6mubkzaohJ1qD06
O87fnLCNid5Tov5jKogFHIki2EGGZxBosUw9lJlenQdNdDPbJc5LIWdfDvciA6jO
Nl8rOtKnt8Q+
!
!
!
Redisplay enrollment request? [yes/no]:
Encryption key certificate request -
Certificate Request follows:
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwG60QojpDbzbKnyj8FyTiOcv
THkDP7XD4vLT1XaJ409z0gSIoGnIcdFtXhVlBWtpq3/O9zYFXr1tH+BMCRQi3Lts
0IpxYa3D9iFPqev7SPXpsAIsY8a6FMq7TiwLObqiQjLKL4cbuV0Frjl0Yuv5A/Z+
kqMOm7c+pWNWFdLe9lsCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgUgMA0GCSqGSIb3DQEBBAUAA4GBACF7feURj/fJMojPBlR6fa9BrlMJx+2F
H91YM/CIiz2n4mHTeWTWKhLoT8wUfa9NGOk7yi+nF/F7035twLfq6n2bSCTW4aem
8jLMMaeFxwkrV/ceQKrucmNC1uVx+fBy9rhnKx8j60XE25tnp1U08r6om/pBQABU
eNPFhozcaQ/2
!
!
!
Redisplay enrollment request? [yes/no]:
n
Router(config)#
crypto pki import TP certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIIDajCCAxSgAwIBAgIKFN7C6QAAAAAMRzANBgkqhkiG9w0BAQUFADA5MQswCQYD
VQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1y
b290MB4XDTAyMDYwODAxMTY0MloXDTAzMDYwODAxMjY0MlowJTEjMCEGCSqGSIb3
DQEJAhMUU2FuZEJhZ2dlci5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAMXYVxQ4lgJ/4SGbPc3zrbLCgHWqFmLtJrPRXvz3sNNXYdeL13cYGnLL
TrNj6+cJOoyzj8ab8TiT1skDOoqS5slcb6I4ci061aIa4eg56nL5Phv+aIbLPaPU
cbzjcMdONqUHIRZ8fRJDLmQu3r8EcSRKkZgR1wWfBpj942ELI0vDAgMBAAGjggHM
MIIByDALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFL8Quz8dyz4EGIeKx9A8UMNHLE4s
MHAGA1UdIwRpMGeAFKIacsl6dKAfuNDVQymlSp7esf8joT2kOzA5MQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1yb290
ghA6wKZelUfCh0qvJGipQtXuMCIGA1UdEQEB/wQYMBaCFFNhbmRCYWdnZXIuY2lz
Y28uY29tMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9tc2NhLXJvb3QvQ2VydEVu
cm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8vXFxtc2NhLXJvb3RcQ2Vy
dEVucm9sbFxtc2NhLXJvb3QuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDA/BggrBgEF
BQcwAoYzaHR0cDovL21zY2Etcm9vdC9DZXJ0RW5yb2xsL21zY2Etcm9vdF9tc2Nh
LXJvb3QuY3J0MEEGCCsGAQUFBzAChjVmaWxlOi8vXFxtc2NhLXJvb3RcQ2VydEVu
cm9sbFxtc2NhLXJvb3RfbXNjYS1yb290LmNydDANBgkqhkiG9w0BAQUFAANBAJo2
r6sHPGBdTQX2EDoJpR/A2UHXxRYqVSHkFKZw0z31r5JzUM0oPNUETV7mnZlYNVRZ
CSEX/G8boi3WOjz9wZo=
% Router Certificate successfully imported
Router(config)#
crypto pki import TP cert
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIIDajCCAxSgAwIBAgIKFN7OBQAAAAAMSDANBgkqhkiG9w0BAQUFADA5MQswCQYD
VQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1y
b290MB4XDTAyMDYwODAxMTY0NVoXDTAzMDYwODAxMjY0NVowJTEjMCEGCSqGSIb3
DQEJAhMUU2FuZEJhZ2dlci5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAMButEKI6Q282yp8o/Bck4jnL0x5Az+1w+Ly09V2ieNPc9IEiKBpyHHR
bV4VZQVraat/zvc2BV69bR/gTAkUIty7bNCKcWGtw/YhT6nr+0j16bACLGPGuhTK
u04sCzm6okIyyi+HG7ldBa45dGLr+QP2fpKjDpu3PqVjVhXS3vZbAgMBAAGjggHM
MIIByDALBgNVHQ8EBAMCBSAwHQYDVR0OBBYEFPDO29oRdlEUSgBMg6jZR+YFRWlj
MHAGA1UdIwRpMGeAFKIacsl6dKAfuNDVQymlSp7esf8joT2kOzA5MQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1yb290
ghA6wKZelUfCh0qvJGipQtXuMCIGA1UdEQEB/wQYMBaCFFNhbmRCYWdnZXIuY2lz
Y28uY29tMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9tc2NhLXJvb3QvQ2VydEVu
cm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8vXFxtc2NhLXJvb3RcQ2Vy
dEVucm9sbFxtc2NhLXJvb3QuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDA/BggrBgEF
BQcwAoYzaHR0cDovL21zY2Etcm9vdC9DZXJ0RW5yb2xsL21zY2Etcm9vdF9tc2Nh
LXJvb3QuY3J0MEEGCCsGAQUFBzAChjVmaWxlOi8vXFxtc2NhLXJvb3RcQ2VydEVu
cm9sbFxtc2NhLXJvb3RfbXNjYS1yb290LmNydDANBgkqhkiG9w0BAQUFAANBAHaU
hyCwLirUghNxCmLzXRG7C3W1j0kSX7a4fX9OxKR/Z2SoMjdMNPPyApuh8SoT2zBP
ZKjZU2WjcZG/nZF4W5k=
% Router Certificate successfully imported
You can verify that the certificate was successfully imported by issuing the showcryptopkicertificates command:
Router# show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 14DECE05000000000C48
Certificate Usage: Encryption
Issuer:
CN = TPCA-root
O = Company
C = US
Subject:
Name: Router.example.com
OID.1.2.840.113549.1.9.2 = Router.example.com
CRL Distribution Point:
http://tpca-root/CertEnroll/tpca-root.crl
Validity Date:
start date: 18:16:45 PDT Jun 7 2002
end date: 18:26:45 PDT Jun 7 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: TP
Certificate
Status: Available
Certificate Serial Number: 14DEC2E9000000000C47
Certificate Usage: Signature
Issuer:
CN = tpca-root
O = company
C = US
Subject:
Name: Router.example.com
OID.1.2.840.113549.1.9.2 = Router.example.com
CRL Distribution Point:
http://tpca-root/CertEnroll/tpca-root.crl
Validity Date:
start date: 18:16:42 PDT Jun 7 2002
end date: 18:26:42 PDT Jun 7 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: TP
CA Certificate
Status: Available
Certificate Serial Number: 3AC0A65E9547C2874AAF2468A942D5EE
Certificate Usage: Signature
Issuer:
CN = tpca-root
O = Company
C = US
Subject:
CN = tpca-root
O = company
C = US
CRL Distribution Point:
http://tpca-root/CertEnroll/tpca-root.crl
Validity Date:
start date: 16:46:01 PST Feb 13 2002
end date: 16:54:48 PST Feb 13 2007
Associated Trustpoints: TP
Configuring Manual Certificate Enrollment with Key Regeneration Example
The following example shows how to regenerate new keys with a manual certificate enrollment from the CA named "trustme2":
Creating and Verifying a Persistent Self-Signed Certificate Example
The following example shows how to declare and enroll a trustpoint named "local" and generate a self-signed certificate with an IP address:
crypto pki trustpoint local
enrollment selfsigned
end
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
crypto pki enroll local
Nov 29 20:51:13.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 29 20:51:13.267: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: ethernet 0
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Note
A router can have only one self-signed certificate. If you attempt to enroll a trustpoint configured for a self-signed certificate and one already exists, you receive a notification and are asked if you want to replace it. If so, a new self-signed certificate is generated to replace the existing one.
The following example shows how to enable the HTTPS server and generate a default trustpoint because one was not previously configured:
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
*Dec 21 19:14:15.421:%PKI-4-NOAUTOSAVE:Configuration was modified. Issue "write memory" to save new certificate
Router(config)#
Note
You need to save the configuration to NVRAM if you want to keep the self-signed certificate and have the HTTPS server enabled following router reloads.
The following message also appears:
*Dec 21 19:14:10.441:%SSH-5-ENABLED:SSH 1.99 has been enabled
Note
Creation of the key pair used with the self-signed certificate causes the Secure Shell (SSH) server to start. This behavior cannot be suppressed. You may want to modify your Access Control Lists (ACLs) to permit or deny SSH access to the router. You can use the ipsshrsakeypair-nameunexisting-key-pair-name command to disable the SSH server.
Verifying the Self-Signed Certificate Configuration Example
The following example displays information about the self-signed certificate that you just created:
Router# show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-3326000105
Subject:
Name: IOS-Self-Signed-Certificate-3326000105
cn=IOS-Self-Signed-Certificate-3326000105
Validity Date:
start date: 19:14:14 GMT Dec 21 2004
end date: 00:00:00 GMT Jan 1 2020
Associated Trustpoints: TP-self-signed-3326000105
Note
The number 3326000105 is the router's serial number and varies depending on the router's actual serial number.
The following example displays information about the key pair corresponding to the self-signed certificate:
The second key pair with the name TP-self-signed-3326000105.server is the SSH key pair and is generated when any key pair is created on the router and SSH starts up.
The following example displays information about the trustpoint named "local":
Router# show crypto pki trustpoints
Trustpoint local:
Subject Name:
serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.example.com
Serial Number: 01
Persistent self-signed certificate trust point
Configuring Direct HTTP Enrollment Example
The following example show how to configure an enrollment profile for direct HTTP enrollment with a CA server:
crypto pki trustpoint Entrust
enrollment profile E
serial
crypto pki profile enrollment E
authentication url http://entrust:81
authentication command GET /certs/cacert.der
enrollment url http://entrust:81/cda-cgi/clientcgi.exe
enrollment command POST reference_number=$P2&authcode=$P1
&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
parameter 2 value 5001
Additional References
Related Documents
Related Topic
Document Title
USB token RSA operations: Benefits of using USB tokens
"Storing PKI Credentials" module in the Cisco IOS Security Configuration Guide: Secure Connectivity
USB token RSA operations: Certificate server configuration
"Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity
See the "Generating a Certificate Server RSA Key Pair" section, the "Configuring a Certificate Server Trustpoint" section, and related examples.
Overview of PKI, including RSA keys, certificate enrollment, and CAs
" Cisco IOS PKI Overview: Understanding and Planning a PKI
"module in the Cisco IOS Security Configuration Guide: Secure Connectivity
Secure Device Provisioning: functionality overview and configuration tasks
" Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI " module in the Cisco IOS Security Configuration Guide: Secure Connectivity
RSA key generation and deployment
" Deploying RSA Keys Within a PKI " module in the Cisco IOS Security Configuration Guide: Secure Connectivity
Cisco IOS certificate server overview information and configuration tasks
" Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment " module in the Cisco IOS Security Configuration Guide: Secure Connectivity
Setting up and using a USB token
" Storing PKI Credentials " module in the Cisco IOS Security Configuration Guide: Secure Connectivity
Cisco IOS security commands
Cisco IOS Security Command Reference
Suite-B ESP transforms
Configuring Security for VPNs with IPsec feature module.
Suite-B SHA-2 family (HMAC variant) and Elliptic Curve (EC) key pair configuration.
Configuring Internet Key Exchange for IPsec VPNs feature module.
Suite-B Integrity algorithm type transform configuration.
Configuring Internet Key Exchange Version 2 (IKEv2) feature module.
Suite-B Elliptic Curve Digital Signature Algorithm (ECDSA) signature (ECDSA-sig) authentication method configuration for IKEv2.
Configuring Internet Key Exchange Version 2 (IKEv2) feature module.
Suite-B Elliptic curve Diffie-Hellman (ECDH) support for IPsec SA negotiation
Configuring Internet Key Exchange for IPsec VPNs and Configuring Internet Key Exchange Version 2 (IKEv2) feature modules.
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for PKI Certificate Enrollment
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1
Feature Information for PKI Certificate Enrollment
Feature Name
Releases
Feature Information
Cisco IOS USB Token PKI Enhancements--Phase 2
12.4(11)T
This feature enhances USB token functionality by using the USB token as a cryptographic device. USB tokens may be used for RSA operations such as key generation, signing, and authentication.
The following section provides information about this feature:
This document describes the use of utilizing USB tokens for RSA operations during initial autoenrollment for a trustpoint. For other documents on this topic, see the "Feature Information for PKI Certificate Enrollment" section.
Certificate Authority Key Rollover
12.4(2)T
This feature introduces the ability for root CAs to roll over expiring CA certificates and keys and to have these changes propagate through the PKI network without manual intervention.
The following sections provide information about this feature:
The following commands were introduced or modified by this feature:
auto-rollover,
cryptopkicertificatechain,cryptopkiexportpem,cryptopkiserver,cryptopkiserverinforequest,showcryptopkicertificates,showcryptopkiserver,
showcryptopkitrustpoint.
Certificate Autoenrollment
12.2(8)T
This feature introduces certificate autoenrollment, which allows the router to automatically request a certificate from the CA that is using the parameters in the configuration.
The following sections provide information about this feature:
The following commands were introduced by this feature:
auto-enroll,
rsakeypair,
showcryptocatimers.
Certificate Enrollment Enhancements
12.2(8)T
This feature introduces five new
cryptocatrustpointcommands that provide new options for certificate requests and allow users to specify fields in the configuration instead of having to go through prompts.
The following section provides information about this feature:
The following commands were introduced by this feature:
ip-address(ca-trustpoint),
password(ca-trustpoint),
serial-number,
subject-name,
usage.
Direct HTTP Enrollment with CA Servers
12.3(4)T
This feature allows users to configure an enrollment profile if their CA server does not support SCEP and they do not want to use an RA-mode CS. The enrollment profile allows users to send HTTP requests directly to the CA server instead of to an RA-mode CS.
The following sections provide information about this feature:
The following commands were introduced by this feature:
authenticationcommand,
authenticationterminal,
authenticationurl,
cryptocaprofileenrollment,
enrollmentcommand,
enrollmentprofile,
enrollmentterminal,
enrollmenturl,
parameter.
Import of RSA Key Pair and Certificates in PEM Format
12.3(4)T
This feature allows customers to issue certificate requests and receive issued certificates in PEM-formatted files.
The following section provides information about this feature:
The following commands were modified by this feature:
enrollment,
enrollmentterminal.
Key Rollover for Certificate Renewal
12.3(7)T
This feature allows the certificate renewal request to be made before the certificate expires and retains the old key and certificate until the new certificate is available.
The following sections provide information about this feature:
This feature allows users to generate a certificate request and accept CA certificates and the router's certificates via a TFTP server or manual cut-and-paste operations.
The following sections provide information about this feature:
The following commands were introduced or modified by this feature:
cryptocaimport,
enrollment,
enrollmentterminal.
Multiple-Tier CA Hierarchy
12.2(15)T
This enhancement enables users to set up a PKI in a hierarchical framework to support multiple CAs. Within a hierarchical PKI, all enrolled peers can validate the certificate of one another as long as the peers share a trusted root CA certificate or a common subordinate CA.
The following section provides information about this enhancement:
This is a minor enhancement. Minor enhancements are not typically listed in Feature Navigator.
Persistent Self-Signed Certificates
12.2(33)SXH 12.2(33)SRA 12.3(14)T
This feature allows the HTTPS server to generate and save a self-signed certificate in the router startup configuration. Thus, future SSL handshakes between the client and the HTTPS server can use the same self-signed certificate without user intervention.
The following sections provide information about this feature:
The following commands were introduced or modified by this feature:
enrollmentselfsigned,
showcryptopkicertificates,
showcryptopkitrustpoints.
PKI Status
12.3(11)T
This enhancement adds the
status keyword to the
showcryptopkitrustpoints command, which allows you to display the current status of the trustpoint. Prior to this enhancement, you had to issue the
showcryptopkicertificates and the
showcryptopkitimers commands for the current status.
The following section provides information about this enhancement:
The following commands were introduced by this feature:
enrollmentcredential,
grantautotrustpoint.
Trustpoint CLI
12.2(8)T
This feature introduces the
cryptopkitrustpoint command, which adds support for trustpoint CAs.
Suite-B support in IOS SW crypto
15.1(2)T
Suite-B adds the following support for certificate enrollment for a PKI:
Elliptic Curve Digital Signature Algorithm (ECDSA) (256 bit and 384 bit curves) is used for the signature operation within X.509 certificates.
PKI support for validation of for X.509 certificates using ECDSA signatures.
PKI support for generating certificate requests using ECDSA signatures and for importing the issued certificates into IOS.
Suite-B requirements comprise of four user interface suites of cryptographic algorithms for use with IKE and IPSec that are described in RFC 4869. Each suite consists of an encryption algorithm, a digital signature algorithm, a key agreement algorithm, and a hash or message digest algorithm. See the Configuring Security for VPNs with IPsec feature module for more detailed information about Cisco IOS Suite-B support.
Public Key Infrastructure (PKI) IPv6 Support for VPN Solutions
15.2(1)T
The
enrollment url (ca-trustpoint) command was modified to allow the specification of an IPv6 address in the URL for the CA.
The
ip-address (ca-trustpoint) command was modified to allow the specification of an IPv6 address that is included as "unstructuredAddress" in the certificate request.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks . Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.