Downloads |
Table Of Contents
Certification Authority Interoperability
Overview of Certificate Authorities
Implementing IPSec Without CAs
How CA Certificates Are Used by IPSec Devices
About Registration Authorities
Manage NVRAM Memory Usage (Optional)
Configure the Router's Hostname and IP Domain Name
Declare a Certification Authority
Request Your Own Certificate(s)
Monitor and Maintain Certification Authority Interoperability
Request a Certificate Revocation List
Delete Certificates from the Configuration
show crypto key pubkey-chain rsa
Certification Authority Interoperability
Feature Summary
Certification Authority (CA) interoperability is provided in support of the IP Security (IPSec) standard. CA interoperability permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
For background and configuration information for IPSec, see the "IPSec Network Security" feature documentation.
Benefits
Without CA interoperability, Cisco IOS devices could not use CAs when deploying IPSec. CAs provide a manageable, scalable solution for IPSec networks. For details, see "Overview of Certificate Authorities."
Supported Standards
Cisco supports the following standards with this feature:
•
IPSec—IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
For more information on IPSec, see the "IPSec Network Security" feature documentation.
•
For more information on IKE, see the "Internet Key Exchange Security Protocol" feature documentation.
•
•
•
•
Restrictions
This feature is useful and should be configured only when you also configure both IPSec and IKE in your network.
Platforms
This feature is supported on these platforms:
•
•
•
•
•
•
•
•
Prerequisites
You need to have a Certification Authority (CA) available to your network before you configure this interoperability feature. The CA must support Cisco's PKI protocol, the certificate enrollment protocol (CEP).
Supported MIBs and RFCs
No new MIBs are supported by this feature.
This feature will support a number of RFCs which are currently under development.
IPSec is described by a collection of documents developed within the IETF IP Security Working Group (WG). The original set of WG documents are RFCs 1825-1829. These RFCs are being deprecated by the WG in favor of new Internet Drafts which are currently undergoing IETF Last Call.
For more information on IPSec, see the "IPSec Network Security" feature documentation.
Overview of Certificate Authorities
This section provides background information about CAs, including the following:
•
•
•
Purpose of CAs
CAs are responsible for managing certificate requests and issuing certificates to participating IPSec network devices. These services provide centralized key management for the participating devices.
CAs simplify the administration of IPSec network devices. You can use a CA with a network containing multiple IPSec-compliant devices such as routers.
Implementing IPSec Without CAs
Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the other router's key (such as an RSA public key or a shared key). This requires that you manually perform one of the following:
•
•
Figure 1
Without a CA: Key Configuration Between Two Routers
In the above scenario, each router uses the other router's key to authenticate the identity of the other router; this authentication always occurs whenever IPSec traffic is exchanged between the two routers.
If you have multiple Cisco routers in a mesh topology, and wish to exchange IPSec traffic passing between all of those routers, you must first configure shared keys or RSP public keys between all of those routers:
Figure 2
Without a CA: Six 2-Part Key Configurations Required for Four IPSec Routers
Every time a new router is added to the IPSec network, you must configure keys between the new router and each of the existing routers. (In , four additional 2-part key configurations would be required to add a single encrypting router to the network).
Consequently, the more devices there are that require IPSec services, the more involved the key administration becomes. Obviously, this approach does not scale well for larger, more complex encrypting networks.
Implementing IPSec With CAs
With a CA, you do not need to configure keys between all of the encrypting routers. Instead, you individually enroll each participating router with the CA, requesting a certificate for the router. When this has been accomplished, each participating router can dynamically authenticate all of the other participating routers.
Figure 3
With a CA: Each Router Individually Makes Requests of the CA
To add a new IPSec router to the network, you only need to configure that new router to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPSec routers.
How CA Certificates Are Used by IPSec Devices
When two IPSec routers want to exchange IPSec-protected traffic passing between them, they must first authenticate each other—otherwise, IPSec protection cannot occur.
Without a CA, a router authenticates itself to the remote router using either RSA encrypted nonces or pre-shared keys. Both methods require that keys must have been previously configured between the two routers.
With a CA, a router authenticates itself to the remote router by sending a certificate to the remote router and performing some public key cryptography. Each router must send its own unique certificate which was issued and validated by the CA. This process works because each router's certificate encapsulates the router's public key, each certificate is authenticated by the CA, and all participating routers recognize the CA as an authenticating authority.
Your router can continue sending its own certificate for multiple IPSec sessions, and to multiple IPSec peers, until the certificate expires. When its certificate expires, the router administrator must obtain a new one from the CA.
CAs can also revoke certificates for devices that will no longer participate in IPSec. Revoked certificates are not recognized as valid by other IPSec devices. Revoked certificates are listed in a Certificate Revocation List (CRL), which each peer may check before accepting another peer's certificate.
About Registration Authorities
Some CAs have a Registration Authority (RA) as part of their implementation. An RA is essentially a server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
Some of the configuration tasks described in this document differ slightly depending on whether your CA supports an RA or not.
Configuration Tasks
To enable your Cisco device to interoperate with a CA, complete the following configuration tasks:
•
•
•
•
•
Manage NVRAM Memory Usage (Optional)
Certificates and Certificate Revocation Lists (CRLs) are used by your router when a CA is used. Normally certain of these certificates and all CRLs are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory.
•
•
•
•
•
•
•
In some cases, storing these certificates and CRLs locally will not present a problem. However, in other cases, memory might become an issue—particularly if your CA supports an RA and a large number of CRLs end up being stored on your router.
To save NVRAM space, you can specify that certificates and CRLs should not be stored locally, but should be retrieved from the CA when needed. This will save NVRAM space but could result in a slight performance impact.
To specify that certificates and CRLs should not be stored locally on your router, but should be retrieved when required, turn on query mode by performing the following task in global configuration mode:
If you do not turn on query mode at this time, but later decide that you should, you can turn on query mode at that time even if certificates and CRLs have already been stored on your router. In this case, when you turn on query mode, the stored certificates and CRLs will be deleted from the router after you save your configuration. (If you copy your configuration to a TFTP site prior to turning on query mode, you will save any stored certificates and CRLs at the TFTP site.)
If you turn on query mode now, you can turn off query mode later if you wish. If you turn off query mode later, you could also perform the copy running-config startup-config command at that time to save all current certificates and CRLs to NVRAM (otherwise they could be lost during a reboot and would need to be retrieved the next time they were needed by your router).
Configure the Router's Hostname and IP Domain Name
You must configure the router's hostname and IP domain name if this has not already been done. This is required because the router assigns a fully qualified domain name (FQDN) to the keys and certificates used by IPSec, and the FQDN is based on the hostname and IP domain name you assign to the router. For example, a certificate is named "router20.companyx.com" based on a router hostname of "router20" and a router IP domain name of "companyx.com."
To configure the router's hostname and IP domain name, complete the following tasks in global configuration mode:
Configure the router's hostname.
hostname name
Configure the router's IP domain name.
ip domain-name name
Generate an RSA Key Pair
RSA key pairs are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your router.
To generate an RSA key pair, perform the following task in global configuration mode:
Generate an RSA key pair.
Use the usage-keys keyword to specify special usage keys instead of general purpose keys. See the command description for an explanation of special usage vs. general purpose keys.
crypto key generate rsa [usage-keys]
Declare a Certification Authority
You should declare one Certification Authority (CA) to be used by your router.
To declare a CA, perform the following tasks starting in global configuration mode:
Declare a CA. (Create a name for the CA with this command.)
This command puts you into the ca-identity configuration mode.
crypto ca identity name
Specify the URL of the CA. (The URL should include any non-standard cgi-bin script location.)
enrollment url url
If your CA system provides a Registration Authority (RA), specify RA mode.
If your CA system provides an RA and supports the LDAP protocol, specify the location of the LDAP server.
query url url
(Optional) Specify a retry period.
After requesting a certificate, the router waits to receive a certificate from the CA. If the router doesn't receive a certificate within a period of time (the retry period) the router will send another certificate request.
You can change the retry period from the default of 1 minute.
enrollment retry-period minutes
(Optional) Specify how many times the router will continue to send unsuccessful certificate requests before giving up.
By default, the router will never give up trying.
enrollment retry-count count
(Optional) Specify that other peers' certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router.
Exit ca-identity configuration mode.
exit
Authenticate the CA
The router needs to authenticate the CA. It does this by obtaining the CA's self-signed certificate which contains the CA's public key. Because the CA's certificate is self-signed (the CA signs its own certificate) the CA's public key should be manually authenticated by contacting the CA administrator when you perform this step.
To get the CA's public key, perform the following task in global configuration mode:
Get the CA's public key. Use the same name that you used when declaring the CA with the crypto ca identity command.
Request Your Own Certificate(s)
You need to obtain a signed certificate from the CA for each of your router's RSA key pairs. If you generated general purpose RSA keys, your router only has one RSA key pair and needs only one certificate. If you previously generated special usage RSA keys, your router has two RSA key pairs and needs two certificates.
To request signed certificates from the CA, perform the following task in global configuration mode:
Request certificates for all of your RSA key pairs.
This command causes your router to request as many certificates as there are RSA key pairs, so you only need to perform this command once, even if you have special usage RSA key pairs.
Note
crypto ca enroll name
Note
Save Your Configuration
Always remember to save your work when you make configuration changes.
Perform the copy running-config startup-config command to save your configuration—this command includes saving RSA keys to private NVRAM. RSA keys are not saved with your configuration when you perform a copy running-config rcp or copy running-config tftp (previously write network) command.
Monitor and Maintain Certification Authority Interoperability
The following tasks are optional, depending on your particular requirements:
•
•
•
Request a Certificate Revocation List
You can request a Certificate Revocation List (CRL) only if your CA does not support a Registration Authority (RA). The following description and task applies only when the CA does not support an RA.
When your router receives a certificate from a peer, your router will download a CRL from the CA. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, the router will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, you can request that the latest CRL be immediately downloaded to replace the old CRL.
To request immediate download of the latest CRL, perform the following task in global configuration mode:
Request an updated CRL.
This command replaces the currently stored CRL at your router with the newest version of the CRL.
Delete Your Router's RSA Keys
There might be circumstances where you would want to delete your router's RSA keys. For example, if you believe the RSA keys were compromised in some way and should no longer be used, you should delete the keys.
To delete all of your router's RSA keys, perform the following task in global configuration mode:
After you delete a router's RSA keys, you should also do these two additional tasks:
•
•
Delete Peer's Public Keys
There might be circumstances where you would want to delete other peer's RSA public keys from your router's configuration. For example, if you no longer trust the integrity of a peer's public key, you should delete the key.
To delete a peer's RSA public key, perform the following tasks starting in global configuration mode:
These commands are documented in the "Internet Key Exchange" feature documentation.
Delete Certificates from the Configuration
If the need arises, you can delete certificates that are saved at your router. Your router saves its own certificate(s), the CA's certificate, and any RA certificates (unless you put the router into query mode per the "Manage NVRAM Memory Usage (Optional)" section).
To delete your router's certificate or RA certificates from your router's configuration, perform the following tasks in global configuration mode:
View the certificates stored on your router; note (or copy) the serial number of the certificate you wish to delete.
Enter certificate chain configuration mode.
Delete the certificate.
no certificate certificate-serial-number
To delete the CA's certificate, you must remove the entire CA identity, which also removes all certificates associated with the CA—your router's certificate, the CA certificate, and any RA certificates.
To remove a CA identity, perform the following task in global configuration mode:
Delete all identity information and certificates associated with the CA.
no crypto ca identity name
View Keys and Certificates
To view keys and certificates, perform the following tasks in EXEC mode:
View your router's RSA public keys.
View a list of all the RSA public keys stored on your router. These include the public keys of peers who have sent your router their certificates during peer authentication for IPSec.
View details of a particular RSA public key stored on your router.
show crypto key pubkey-chain rsa [name key-name | address key-address]
View information about your certificate, the CA's certificate, and any RA certificates.
Configuration Examples
The following configuration is for a router named "myrouter." In this example IPSec is configured and the IKE protocol and CA interoperability are configured in support of IPSec.
In this example general purpose RSA keys were generated, but you will notice that the keys are not saved or displayed in the configuration.
Comments are included within the configuration to explain various commands.
!version 11.3no service password-encryptionservice udp-small-serversservice tcp-small-servers!! CA interoperability requires you to configure your router's hostname:hostname myrouter!enable secret 5 <removed>enable password <removed>!! CA interoperability requires you to configure your router's IP domain name:ip domain-name companyx.comip name-server 172.29.2.132ip name-server 192.168.30.32!! The following configures a transform set (part of IPSec configuration):crypto ipsec transform-set my-transformset esp-des esp-sha-hmac!! The following declares the CA. (In this example, the CA does not support an RA.)crypto ca identity mycaenrollment url http://ca_server!! The following shows the certificates and CRLs stored at the router, including! the CA certificate (shown first), the router's certificate (shown next)! and a CRL (shown last).crypto ca certificate chain myca! The following is the CA certificate! received via the `crypto ca authenticate' command:certificate ca 3051DF7169BEE31B821DFE4B3A338E5F30820182 3082012C A0030201 02021030 51DF7169 BEE31B82 1DFE4B3A 338E5F300D06092A 864886F7 0D010104 05003042 31163014 06035504 0A130D43 6973636F20537973 74656D73 3110300E 06035504 0B130744 65767465 73743116 3014060355040313 0D434953 434F4341 2D554C54 5241301E 170D3937 31323032 3031303632385A17 0D393831 32303230 31303632 385A3042 31163014 06035504 0A130D436973636F 20537973 74656D73 3110300E 06035504 0B130744 65767465 7374311630140603 55040313 0D434953 434F4341 2D554C54 5241305C 300D0609 2A864886F70D0101 01050003 4B003048 024100C1 B69D7BF6 34E4EE28 A84E0DC6 FCA4DEA804D89E50 C5EBE862 39D51890 D0D4B732 678BDBF2 80801430 E5E56E7C C126E2DDDBE9695A DF8E5BA7 E67BAE87 29375302 03010001 300D0609 2A864886 F70D010104050003 410035AA 82B5A406 32489413 A7FF9A9A E349E5B4 74615E05 058BA3CE7C5F00B4 019552A5 E892D2A3 86763A1F 2852297F C68EECE1 F41E9A7B 2F38D02AB1D2F817 3F7Bquit! The following is the router's certificate! received via the `crypto ca enroll' command:certificate 7D28D4659D22C49134B3D1A0C2C9C8FC308201A6 30820150 A0030201 0202107D 28D4659D 22C49134 B3D1A0C2 C9C8FC300D06092A 864886F7 0D010104 05003042 31163014 06035504 0A130D43 6973636F20537973 74656D73 3110300E 06035504 0B130744 65767465 73743116 3014060355040313 0D434953 434F4341 2D554C54 5241301E 170D3938 30343234 3030303030305A17 0D393930 34323432 33353935 395A302F 311D301B 06092A86 4886F70D01090216 0E73636F 742E6369 73636F2E 636F6D31 0E300C06 03550405 1305313741464230 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 A207ED75DE8A9BC4 980958B7 28ADF562 1371D043 1FC93C24 8E9F8384 4D1A2407 60CBD7ECB15BD782 A687CA49 883369BE B35A4219 8FE742B0 91CF76EE 07EC9E69 0203010001A33530 33300B06 03551D0F 04040302 05A03019 0603551D 11041230 10820E73636F742E 63697363 6F2E636F 6D300906 03551D13 04023000 300D0609 2A864886F70D0101 04050003 410085F8 A5AFA907 B38731A5 0195D921 D8C45EFD B6082C2804A88CEC E9EC6927 F24874E4 30C4D7E2 2686E0B5 77F197E4 F82A8BA2 1E03944D286B661F 0305DF5F 3CE7quit! The following is a CRL received by the router (via the router's own action):crl3081C530 71300D06 092A8648 86F70D01 01020500 30423116 30140603 55040A130D436973 636F2053 79737465 6D733110 300E0603 55040B13 07446576 7465737431163014 06035504 03130D43 4953434F 43412D55 4C545241 170D3938 3033323332333232 31305A17 0D393930 34323230 30303030 305A300D 06092A86 4886F70D01010205 00034100 7AA83057 AC5E5C65 B9812549 37F11B7B 5CA4CAED 830B3955A4DDD268 F567E29A E4B34691 C2162BD1 0540D7E6 5D6650D1 81DBBF1D 788F1DACBBF761B2 81FCC0F1quit!! The following is an IPSec crypto map (part of IPSec configuration):crypto map map-to-remotesite 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124!!interface Loopback0ip address 10.0.0.1 255.0.0.0!interface Tunnel0ip address 10.0.0.2 255.0.0.0ip mtu 1490no ip route-cacheno ip mroute-cachetunnel source 10.10.0.1tunnel destination 172.21.115.119!interface FastEthernet0/0ip address 172.21.115.118 255.255.255.240no ip mroute-cacheloopbackno keepaliveshutdownmedia-type MIIfull-duplex!! The IPSec crypto map is applied to interface Ethernet1/0:interface Ethernet1/0ip address 172.21.114.197 255.255.255.0bandwidth 128no keepaliveno fair-queueno cdp enablecrypto map map-to-remotesite!interface Ethernet1/1no ip addressno ip mroute-cacheshutdown!interface Ethernet1/2no ip addressshutdown!interface Ethernet1/3no ip addressshutdown!interface Serial3/0no ip addressshutdown!interface Serial3/1no ip addressshutdown!interface Serial3/2no ip addressshutdown!interface Serial3/3no ip addressshutdown!interface Serial4/0no ip addressshutdown!interface Serial4/1ip address 172.21.115.66 255.255.255.252!interface Serial4/2no ip addressshutdown!interface Serial4/3no ip addressshutdownclockrate 2015232!router eigrp 10passive-interface Ethernet1/0network 172.21.0.0no auto-summary!no ip classlessip route 10.0.0.1 255.255.255.255 Serial4/1ip route 10.60.0.0 255.0.0.0 10.10.0.2ip route 172.69.0.0 255.255.0.0 172.21.114.193ip route 172.21.114.3 255.255.255.255 10.1.1.1ip route 172.21.114.14 255.255.255.255 10.1.1.1ip route 172.21.114.69 255.255.255.255 Tunnel0ip route 172.21.114.89 255.255.255.255 10.10.0.2ip route 172.21.114.92 255.255.255.255 Tunnel0ip route 172.21.114.165 255.255.255.255 10.10.0.2ip route 172.21.114.170 255.255.255.255 10.10.0.2ip route 172.21.115.119 255.255.255.255 10.10.0.2access-list 100 permit ip host 172.21.114.197 host 172.21.114.204access-list 101 permit ip host 11.0.0.1 host 10.0.0.1access-list 102 permit ip 172.21.114.0 0.0.0.255 host 172.21.114.3access-list 102 permit ip 70.1.1.0 0.0.0.255 host 172.21.114.3access-list 102 permit ip 15.0.0.0 0.0.0.255 host 172.21.114.3access-list 104 permit ip host 172.21.114.197 host 172.21.114.14access-list 110 permit gre host 172.21.114.197 host 172.21.114.199access-list 114 permit ip host 172.21.114.199 host 172.21.114.163access-list 114 permit ip host 172.21.115.66 host 172.21.115.65access-list 122 permit ip host 172.21.115.66 host 172.21.115.65!! Access list 124 is the IPSec access list included in the IPSec crypto map.! This access list causes all traffic between hosts 172.21.114.197 and 172.21.114.196! to be protected by IPSec.access-list 124 permit ip host 172.21.114.197 host 172.21.114.196access-list 132 permit ip host 172.21.114.197 host 172.21.114.37access-list 141 permit ip host 172.21.114.197 host 172.21.114.196access-list 150 permit gre host 15.0.0.1 host 172.21.115.119access-list 180 permit ip host 70.1.1.1 host 60.1.1.1access-list 186 permit ip host 172.21.115.66 host 172.21.114.9!line con 0exec-timeout 0 0line aux 0line vty 0 4password mypasswordlogin!endCommand Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
•
certificate
To manually add certificates, use the certificate certificate chain configuration command. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router.
certificate certificate-serial-number
no certificate certificate-serial-numberSyntax Description
Default
There are no defaults for this command.
Command Mode
Certificate chain configuration (config-cert-chain)
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually only used to delete certificates.
Example
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificatesCertificateSubject NameName: myrouter.companyx.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not Setmyrouter# configure terminalmyrouter(config)# crypto ca certificate chain mycamyrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.myrouter(config-cert-chain)# exitmyrouter(config)#Related Commands
crl optional
To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional ca-identity configuration command. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate.
crl optional
no crl optionalSyntax Description
There are no arguments or keywords with this command.
Default
The router must have and check the appropriate CRL before accepting another IPSec peer's certificate.
Command Mode
Ca-identity configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
When your router receives a certificate from a peer, your router will download a Certificate Revocation List (CRL) from either the CA or a CRL distribution point as designated in the peer's certificate. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
With CA systems that support Registration Authorities (RAs), multiple CRLs exist and the peer's certificate will indicate which CRL applies and should be downloaded by your router.
When an IPSec peer sends your router a certificate, if your router does not have the applicable CRL and is unable to obtain the applicable CRL, your router will reject the peer's certificate—unless you include the crl optional command in your configuration. If you use the crl optional command, your router will still try to obtain a CRL, but if it cannot obtain a CRL it can accept the peer's certificate anyway.
When your router receives additional certificates from peers, your router will continue to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a peer's certificate outright.
Example
The following example declares a CA and permits your router to accept certificates when CRLs are not obtainable. This example also specifies a non-standard retry period and retry count.
crypto ca identity mycaenrollment url http://ca_serverenrollment retry-period 20enrollment retry-count 100crl optionalRelated Commands
crypto ca authenticate
To authenticate the CA (by getting the CA's certificate), use the crypto ca authenticate global configuration command.
crypto ca authenticate name
Syntax Description
name
Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Default
There are no defaults for this command.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the CA's self-signed certificate which contains the CA's public key. Because the CA's certificate is self-signed (the CA signs its own certificate) you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then RA signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
If the CA does not respond by a timeout period after this command is issued, the terminal control will simply be returned so it will not be tied up. If this happens you must re-enter the command.
Example
In this example, the router requests the CA's certificate. The CA sends its certificate and the router prompts the administrator to verify the CA's certificate by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
myrouter# crypto ca authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] ymyrouter#Related Commands
crypto ca identity
show crypto ca certificatescrypto ca certificate chain
To enter the certificate chain configuration mode, use the crypto ca certificate chain global configuration command. (You need to be in certificate chain configuration mode to delete certificates.)
crypto ca certificate chain name
Syntax Description
name
Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Default
There are no defaults for this command.
Command Mode
Global configuration.
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Example
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificatesCertificateSubject NameName: myrouter.companyx.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not Setmyrouter# configure terminalmyrouter(config)# crypto ca certificate chain mycamyrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.myrouter(config-cert-chain)# exitmyrouter(config)#Related Commands
crypto ca certificate query
To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query global configuration command. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default).
crypto ca certificate query
no crypto ca certificate querySyntax Description
This command has no arguments or keywords.
Default
Certificates and CRLs are stored locally in the router's NVRAM.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
Normally, certain certificates and Certificate Revocation Lists (CRLs) are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory.
To save NVRAM space, you can use this command to put the router into query mode, which prevents certificates and CRLs from being stored locally; instead, they are retrieved from the CA when needed. This will save NVRAM space but could result in a slight performance impact.
Examples
This example prevents certificates and CRLs from being stored locally on the router; instead, they are retrieved from the CA when needed.
crypto ca certificate querycrypto ca crl request
To request that a new Certificate Revocation List (CRL) be obtained immediately from the CA, use the crypto ca crl request global configuration command. Use this command only when your CA does not support a Registration Authority (RA).
crypto ca crl request name
Syntax Description
name
Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
.
Default
Normally, the router requests a new CRL only after the existing one expires.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
Use this command only if your CA does not support a Registration Authority (RA).
A CRL lists all the network's devices' certificates that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IPSec traffic with your router.
The first time your router receives a certificate from a peer, your router will download a CRL from the CA. Your router then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, the router will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is never saved to the configuration.
Example
The following example immediately downloads the latest CRL to your router.
crypto ca crl requestcrypto ca enroll
To obtain your router's certificate(s) from the CA, use the crypto ca enroll global configuration command. Use the no form of this command to delete a current enrollment request.
crypto ca enroll name
no crypto ca enroll nameSyntax Description
name
Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Default
There are no defaults for this command.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of your router's RSA key pairs; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is never saved in the router configuration.
Note
Responding to Prompts
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IPSec or IKE but is used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command (see the "IPSec Network Security" feature documentation).
Example
In this example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
myrouter(config)# crypto ca enroll myca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password: <mypassword>Re-enter password: <mypassword>% The subject name in the certificate will be: myrouter.companyx.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 03433678% Include an IP address in the subject name [yes/no]? yesInterface: ethernet0/0Request certificate from CA [yes/no]? yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.myrouter(config)#Some time later, the router receives the certificate from the CA and displays this confirmation message:
myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210%CRYPTO-6-CERTRET: Certificate received from Certificate Authoritymyrouter(config)#If necessary, the router administrator could verify the displayed Fingerprint with the CA administrator.
If there had been a problem with the certificate request and the certificate was not granted, the following message would have been displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.companyx.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
crypto ca identity
To declare the CA your router should use, use the crypto ca identity global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.
crypto ca identity name
no crypto ca identity nameSyntax Description
name
Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)
Default
Your router does not know about any CA until you declare one with this command.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to declare a CA. Performing this command puts you into the ca-identity configuration mode, where you can specify characteristics for the CA with the following commands:
•
•
•
•
•
•
