Table Of Contents
Certificate Enrollment Enhancements
Supported Standards, MIBs, and RFCs
Configuring Router Certificate Fields
Autoenrollment Configuration Example
Certificate Enrollment Enhancements
Feature History
This feature module describes the Certificate Enrollment Enhancements feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
• Supported Standards, MIBs, and RFCs
Feature Overview
The Certificate Enrollment Enhancements feature introduces five new subcommands to the crypto ca trustpoint command—ip-address (ca-trustpoint), password (ca-trustpoint), serial-number (ca-trustpoint), subject-name, and usage. These commands provide new options for certificate requests and allow users to specify fields in the configuration instead of having to go through prompts. (However, the prompting behavior remains the default if this feature is not enabled.) Thus, users can preload all necessary information into the configuration, allowing each router to obtain its certificate automatically when it is booted.
Note
Trustpoint certification authorities (CAs) combine and replace the functionality of identity and trusted-root CAs. Thus, the crypto ca trustpoint command deprecates the crypto ca identity and crypto ca trusted-root commands. For more information, refer to the Trustpoint CLI, Cisco IOS Release 12.2(8)T feature module.
Note
For information on certificate automatic enrollment, refer to the Certificate Autoenrollment, Cisco IOS Release 12.2(8)T feature module.
Benefits
The Certificate Enrollment Enhancements feature facilitates the implementation of certificate automatic enrollment.
Related Documents
• Certificate Autoenrollment, Cisco IOS Release 12.2(8)T feature module
• Trustpoint CLI, Cisco IOS Release 12.2(9)T feature module
• The chapter "Configuring Certification Authority Interoperability" in Cisco IOS Security Configuration Guide, Release 12.2
• The chapter "Certification Authority Interoperability Commands" in Cisco IOS Security Command Reference, Release 12.2
Supported Platforms
This feature runs on all platforms that support IP Security (IPSec) and public key infrastructure (PKI).
• Cisco 800 series
• Cisco 805
• Cisco 806
• Cisco 828
• Cisco 1600 series
• Cisco 1600-R series
• Cisco 1710
• Cisco 1720
• Cisco 1750
• Cisco 2400 series
• Cisco 2500 series
• Cisco 2600 series
• Cisco 3620
• Cisco 3631
• Cisco 3640
• Cisco 3660
• Cisco 3725
• Cisco 3745
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7400 series
• Cisco 7500 series
• Cisco ICS 7700
• Cisco CVA120 series
• Cisco MC3810 series
• Cisco uBR7200 series
• Route Processor Module (RPM)
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
None
Prerequisites
Before you can configure router certificate fields, you must enable the crypto ca trustpoint command, which declares the CA that your router should use and enters ca-trustpoint configuration mode.
Configuration Tasks
See the following sections for configuration tasks for the Certificate Enrollment Enhancements feature. Each task in the list is identified as either required or optional.
• Configuring Router Certificate Fields (required)
• Verifying Enrollment Options (optional)
Configuring Router Certificate Fields
To preload all necessary information into the configuration for certificate requests, use the following commands in ca-trustpoint configuration mode. After these commands are enabled, you will not be prompted for the attributes during enrollment for the trustpoint.
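The point of preloading is that every attribute the enrollment dialog would otherwise ask for (subject name, IP address, serial number, revocation password) is already in the trustpoint block, so a reboot can complete enrollment with nobody at the console. The following script is an added example, not Cisco code: it parses the trustpoint blocks of a saved configuration and reports which prompts would still fire, applying the rules stated in this module and in the subject-name and usage command reference sections (three usage methods: ike, ssl-client, ssl-server; subject-name as a comma-separated X.500 name). The sample configuration is constructed from the "frog" and "root" examples on this page; the finding strings and the assumption that commas only separate RDNs are the author's own choices.

```python
"""Readiness check for unattended certificate enrollment of IOS trustpoints.

Added example (not Cisco code): parses 'crypto ca trustpoint' blocks and
reports which enrollment prompts the router would still issue.
"""
import re

# Attributes IOS prompts for at enrollment time unless the matching
# ca-trustpoint subcommand preloads them (per this feature module).
PROMPTED_FIELDS = {
    "subject-name": "subject name (defaults to the FQDN)",
    "ip-address": "IP address for unstructuredAddress",
    "serial-number": "router serial number",
    "password": "revocation (challenge) password",
}
VALID_USAGE = {"ike", "ssl-client", "ssl-server"}  # methods accepted by 'usage'

# Constructed sample, modelled on the "frog" and "root" examples in this module.
SAMPLE_CONFIG = """\
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 serial-number none
 usage ike
 auto-enroll regenerate
 password revokeme
 rsa-key frog 2048
!
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn none
 ip-address none
 subject-name CN=subject1, OU=PKI, O=Cisco Systems, C=US
"""


def parse_trustpoints(config_text):
    """Return {trustpoint: {subcommand: argument}} for every trustpoint block."""
    trustpoints, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' separates running-config sections
            current = None
            continue
        m = re.match(r"crypto (?:ca|pki) trustpoint (\S+)$", line)
        if m:
            current = trustpoints.setdefault(m.group(1), {})
            continue
        if current is not None:
            key, _, arg = line.partition(" ")
            current[key] = arg.strip()
    return trustpoints


def parse_x500(name):
    """Split 'CN=jack, OU=PKI, O=Cisco Systems, C=US' into (attribute, value) pairs.

    Assumption: commas only separate RDNs (no escaped commas inside values).
    """
    rdns = []
    for part in name.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def remaining_prompts(tp):
    """Enrollment prompts IOS would still issue for this trustpoint's config."""
    return [desc for key, desc in PROMPTED_FIELDS.items() if key not in tp]


def check_trustpoint(tp):
    """Return findings for one trustpoint; an empty list means enrollment needs no console input."""
    findings = []
    if "enrollment" not in tp:
        findings.append("no enrollment url configured")
    if "auto-enroll" not in tp:
        findings.append("auto-enroll not configured; enrollment stays manual")
    findings += [f"will prompt for {desc}" for desc in remaining_prompts(tp)]
    if "ip-address" in tp and not tp["ip-address"]:
        findings.append("ip-address needs a dotted address, an interface name, or none")
    if tp.get("subject-name"):
        try:
            parse_x500(tp["subject-name"])
        except ValueError as exc:
            findings.append(f"bad subject-name: {exc}")
    if "usage" in tp:
        methods = tp["usage"].split()
        if not methods or len(methods) > 3:
            findings.append("usage needs one to three methods")
        unknown = sorted(set(methods) - VALID_USAGE)
        if unknown:
            findings.append("unknown usage method(s): " + ", ".join(unknown))
    return findings


TRUSTPOINTS = parse_trustpoints(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, tp in TRUSTPOINTS.items():
        print(name, check_trustpoint(tp) or ["ready for unattended enrollment"])
```

Run against the sample, "frog" comes back clean while "root" is flagged three times: it has no auto-enroll line and would still prompt for the serial number and the revocation password. Feed it the output of show running-config from a router that is about to be rebooted into autoenrollment to catch such gaps before the reboot.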
Verifying Enrollment Options
To verify CA information and autoenrollment options, use any of the following EXEC commands:
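The show commands report what the router currently holds. As an added offline check (not Cisco code), the script below reads a "crypto ca certificate chain" block as it appears in a saved configuration, converts the hex dump to DER, and verifies that the outer SEQUENCE length matches the bytes present, that the serial number inside the certificate equals the one on the "certificate" line, and which signature algorithm the certificate carries. The embedded block is the certificate from the autoenrollment example on this page; the minimal DER and OID decoders and the small algorithm-name table are the author's own additions and are not a full X.509 parser.

```python
"""Integrity check for a 'crypto ca certificate chain' hex dump in an IOS config.

Added example (not Cisco code): DER framing, serial cross-check, signature OID.
"""
import re

# Certificate chain block copied from this module's autoenrollment example.
CHAIN_BLOCK = """\
crypto ca certificate chain frog
 certificate ca 0B
  30820293 3082023D A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
  79310B30 09060355 04061302 5553310B 30090603 55040813 02434131 15301306
  0355040A 130C4369 73636F20 53797374 656D3120 301E0603 55040B13 17737562
  6F726420 746F206B 6168756C 75692049 50495355 31243022 06035504 03131B79
  6E692D75 31302043 65727469 66696361 7465204D 616E6167 6572301E 170D3030
  30373134 32303536 32355A17 0D303130 37313430 31323834 335A3032 310E300C
  06035504 0A130543 6973636F 3120301E 06092A86 4886F70D 01090216 11706B69
  2D343562 2E636973 636F2E63 6F6D305C 300D0609 2A864886 F70D0101 01050003
  4B003048 024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 B5A422C4
  15E947F6 70997393 70CF34D6 63A86B9C 4347A81A 0551FC02 ABA62360 01EF7DD2
  6C136AEB 3C6C3902 03010001 A381F630 81F3300B 0603551D 0F040403 02052030
  1C060355 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F 6D301D06
  03551D0E 04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 301F0603
  551D2304 18301680 14BD742C E892E819 1D551D91 683F6DB2 D8847A6C 73308185
  0603551D 1F047E30 7C307AA0 3CA03AA4 38303631 0E300C06 0355040A 13054369
  73636F31 24302206 03550403 131B796E 692D7531 30204365 72746966 69636174
  65204D61 6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 73636F31
  24302206 03550403 131B796E 692D7531 30204365 72746966 69636174 65204D61
  6E616765 72300D06 092A8648 86F70D01 01040500 03410015 BC7CECF9 696697DF
  E887007F 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77 5737246B
  0A25550A 25910E27 8B8B428E 32F8D948 3DD1784F 954C70
  quit
"""

# Signature algorithm OIDs worth recognising (author's table, not exhaustive).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def parse_chain(block):
    """Return (serial from the 'certificate' line, DER bytes) for the first certificate."""
    serial, hex_parts = None, []
    for raw in block.splitlines():
        line = raw.strip()
        m = re.match(r"certificate (?:ca )?([0-9A-Fa-f]+)$", line)
        if m:
            serial = int(m.group(1), 16)  # IOS prints the serial in hex
            continue
        if line == "quit":
            break
        if serial is not None and re.fullmatch(r"[0-9A-Fa-f ]+", line):
            hex_parts.append(line.replace(" ", ""))
    if serial is None or not hex_parts:
        raise ValueError("no certificate hex block found")
    return serial, bytes.fromhex("".join(hex_parts))


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"element at offset {start} claims {length} bytes past the end")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def check_certificate(block):
    """Validate DER framing of the block and cross-check serial and signature algorithm."""
    declared_serial, der = parse_chain(block)
    tag, cert, end = read_tlv(der, 0)  # raises if the hex dump is truncated
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not a certificate")
    if end != len(der):
        raise ValueError(f"SEQUENCE ends at byte {end} but block holds {len(der)} bytes")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, after_tbs = read_tlv(cert, 0)
    _, sig_alg, _ = read_tlv(cert, after_tbs)
    _, oid_bytes, _ = read_tlv(sig_alg, 0)
    pos = 0
    if tbs[0] == 0xA0:  # optional [0] EXPLICIT version precedes serialNumber
        _, _, pos = read_tlv(tbs, 0)
    tag, serial_bytes, _ = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    embedded = int.from_bytes(serial_bytes, "big", signed=True)
    oid = decode_oid(oid_bytes)
    return {
        "bytes": len(der),
        "declared_serial": declared_serial,
        "embedded_serial": embedded,
        "serial_matches": embedded == declared_serial,
        "signature_algorithm": oid,
        "signature_algorithm_name": SIG_ALGS.get(oid, "unknown"),
    }


if __name__ == "__main__":
    print(check_certificate(CHAIN_BLOCK))
```

On the page's block the check passes: 663 bytes, declared and embedded serial both 0x0B, signature algorithm 1.2.840.113549.1.1.4 (md5WithRSAEncryption). Dropping the last hex line makes read_tlv raise, which is the failure mode a pasted or line-wrapped chain block typically shows. The MD5 result is a reminder that a certificate accepted by a 2002-era CA is not one to keep trusting without review.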
Configuration Examples
This section provides the following configuration example:
• Autoenrollment Configuration Example
Autoenrollment Configuration Example
The following example shows how to configure the router to autoenroll with a CA on startup and how to specify all necessary enrollment information in the configuration:
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 serial-number none
 usage ike
 auto-enroll regenerate
 password revokeme
 rsa-key frog 2048
!
crypto ca certificate chain frog
 certificate ca 0B
  30820293 3082023D A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
  79310B30 09060355 04061302 5553310B 30090603 55040813 02434131 15301306
  0355040A 130C4369 73636F20 53797374 656D3120 301E0603 55040B13 17737562
  6F726420 746F206B 6168756C 75692049 50495355 31243022 06035504 03131B79
  6E692D75 31302043 65727469 66696361 7465204D 616E6167 6572301E 170D3030
  30373134 32303536 32355A17 0D303130 37313430 31323834 335A3032 310E300C
  06035504 0A130543 6973636F 3120301E 06092A86 4886F70D 01090216 11706B69
  2D343562 2E636973 636F2E63 6F6D305C 300D0609 2A864886 F70D0101 01050003
  4B003048 024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 B5A422C4
  15E947F6 70997393 70CF34D6 63A86B9C 4347A81A 0551FC02 ABA62360 01EF7DD2
  6C136AEB 3C6C3902 03010001 A381F630 81F3300B 0603551D 0F040403 02052030
  1C060355 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F 6D301D06
  03551D0E 04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 301F0603
  551D2304 18301680 14BD742C E892E819 1D551D91 683F6DB2 D8847A6C 73308185
  0603551D 1F047E30 7C307AA0 3CA03AA4 38303631 0E300C06 0355040A 13054369
  73636F31 24302206 03550403 131B796E 692D7531 30204365 72746966 69636174
  65204D61 6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 73636F31
  24302206 03550403 131B796E 692D7531 30204365 72746966 69636174 65204D61
  6E616765 72300D06 092A8648 86F70D01 01040500 03410015 BC7CECF9 696697DF
  E887007F 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77 5737246B
  0A25550A 25910E27 8B8B428E 32F8D948 3DD1784F 954C70
  quit
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
• serial-number (ca-trustpoint)
ip-address (ca-trustpoint)
To specify a dotted IP address or an interface that will be included as "unstructuredAddress" in the certificate request, use the ip-address command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
ip-address {ip-address | interface | none}
no ip-address
Syntax Description
Defaults
An IP address is not configured. You are prompted for the IP address during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue this command, you must enable the crypto ca | pki trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The ip-address command is a subcommand that allows you to specify a certificate enrollment parameter.
Use the ip-address command to include the IP address of the specified interface in the certificate request or to specify that an IP address should not be included in the certificate request.
If this command is enabled, you will not be prompted for an IP address during certificate enrollment.
Examples
The following example shows how to include the IP address of the ethernet-0 interface in the certificate request for the trustpoint "frog":
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
The following example shows that an IP address is not to be included in the certificate request:
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn none
 ip-address none
 subject-name CN=subject1, OU=PKI, O=Cisco Systems, C=US
Related Commands
password (ca-trustpoint)
To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.
password string
no password
Syntax Description
Defaults
You are prompted for the password during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the password command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example shows how to specify the password "revokme" for the certificate request:
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 auto-enroll regenerate
 password revokme
Related Commands
serial-number (ca-trustpoint)
To specify whether the router serial number should be included in the certificate request, use the serial-number command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
serial-number [none]
no serial-number
Syntax Description
Defaults
Not configured. You will be prompted for the serial number during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the serial-number command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
Use this command to specify the router serial number in the certificate request, or use the none keyword to specify that a serial number should not be included in the certificate request.
Examples
The following example shows how to omit a serial number from the "root" certificate request:
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 ip-address none
 fqdn none
 serial-number none
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 serial-number
Related Commands
subject-name
To specify the subject name in the certificate request, use the subject-name command in ca-trustpoint configuration mode. To clear any subject name from the configuration, use the no form of this command.
subject-name [x.500-name]
no subject-name x.500-name
Syntax Description
Defaults
If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the subject-name command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
subject-name is an attribute that can be set for autoenrollment; thus, issuing this command prevents you from being prompted for a subject name during enrollment.
Examples
The following example shows how to specify the subject name for the "frog" certificate:
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 auto-enroll regenerate
 password revokme
Related Commands
usage
To specify the intended use for the certificate, use the usage command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
usage method1 [method2 [method3]]
no usage method1 [method2 [method3]]
Syntax Description
method1 [method2 [method3]]    The intended use for the certificate; the available options are ike, ssl-client, and ssl-server. You must choose at least one method, and you may choose all three methods.
Defaults
ike
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the usage command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command may be used as a hint to set or clear key usage or other attributes in the certificate request.
Examples
The following example shows how to specify the certificate named "frog" for Internet Key Exchange (IKE):
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 usage ike
 auto-enroll regenerate
 password revokeme
 rsa-key frog 2048
Related Commands
Glossary
certification authority (CA)—A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service provides centralized key management for the participating devices and is explicitly entrusted by the receiver to validate identities and to create digital certificates.
enrollment—The process of obtaining a new certificate from a CA.
Internet Key Exchange (IKE)—A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial implementation is with IPSec. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
IP Security (IPSec)—A framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.
peer certificate—The certificate presented by a peer, which contains the peer's public key and is signed by the peer's identity CA.
public key infrastructure (PKI)—Provides trusted and efficient key and certificate management to support security protocols such as IPSec.
registration authority (RA)—A server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
RSA keys—RSA keys come in pairs—one public key and one private key—and are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your router.
trustpoint ca—A CA that combines and replaces the functionality of the identity CA (which uses its own certificate to sign the certificate of a router, thereby validating the identity of the router) and root CA (which has a self-signed certificate that contains its own public key).

