Persistent Self-Signed Certificates
The Persistent Self-Signed Certificates feature saves a certificate generated by a secure HTTP (HTTPS) server for the Secure Sockets Layer (SSL) handshake in a router's startup configuration.
Feature History for Persistent Self-Signed Certificates
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Persistent Self-Signed Certificates
• Restrictions for Persistent Self-Signed Certificates
• Information About Persistent Self-Signed Certificates
• How to Configure a Persistent Self-Signed Certificate
• Configuration Examples for Persistent Self-Signed Certificates
Prerequisites for Persistent Self-Signed Certificates
You must load an image that supports SSL.
Restrictions for Persistent Self-Signed Certificates
You can configure only one trustpoint for a persistent self-signed certificate.
Information About Persistent Self-Signed Certificates
To use the Persistent Self-Signed Certificates feature, you need to understand the following concepts:
• Feature Overview of Persistent Self-Signed Certificates
• Benefits of Persistent Self-Signed Certificates
Feature Overview of Persistent Self-Signed Certificates
Cisco IOS software has an HTTPS server that allows access to web-based management pages using a secure SSL connection. SSL requires the server to have an X.509 certificate that is sent to the client (web browser) during the SSL handshake to establish a secure connection between the server and the client (Figure 1).
Figure 1 Sample Topology
The client expects the SSL server's certificate to be verifiable using a certificate the client already possesses.
If Cisco IOS software does not have a certificate that the HTTPS server can use, the server generates a self-signed certificate by calling a public key infrastructure (PKI) application programming interface (API). When the client receives this self-signed certificate and is unable to verify it, intervention is needed. The client asks you if the certificate should be accepted and saved for future use. If you accept the certificate, the SSL handshake continues.
Future SSL handshakes between the same client and the server use the same certificate. However, if the router is reloaded, the self-signed certificate is lost. The HTTPS server must then create a new self-signed certificate. This new self-signed certificate does not match the previous certificate so you are once again asked to accept it.
Requesting acceptance of the router's certificate each time that the router reloads can be annoying and may present an opportunity for an attacker to substitute an unauthorized certificate during the time that you are being asked to accept the certificate.
The Persistent Self-Signed Certificates feature overcomes all these limitations by saving a certificate in the router's startup configuration.
Benefits of Persistent Self-Signed Certificates
Enhanced Security
Having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate, because a browser that saved the router's certificate when it was first accepted can compare it with the certificate offered on later connections and warn you if the certificate has changed. This is trust on first use: the protection holds only if the client actually stored the certificate (or an exception for it) when it was first accepted, and it says nothing about that first connection, so verify the certificate's fingerprint out of band (for example, from the router console) against the one the browser displays before accepting it the first time.
Ease of Use
Having a persistent self-signed certificate stored in the router's startup configuration eliminates the user intervention that was necessary to accept the certificate every time that the router reloads.
Improved Performance
Because user intervention is no longer necessary to accept the certificate, the secure connection process is faster.
How to Configure a Persistent Self-Signed Certificate
Note
The procedures in this section are optional: if you enable the HTTPS server without configuring a self-signed trustpoint, the server generates a persistent self-signed certificate automatically using default values.
This section contains the following procedures:
• Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters (optional)
• Enabling the HTTPS Server (optional)
• Verifying the Configuration (optional)
Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters
Perform the following task to configure a trustpoint and specify self-signed certificate parameters.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment selfsigned
5. subject-name [x.500-name]
6. rsakeypair key-label [key-size [encryption-key-size]]
7. crypto pki enroll name
8. end
DETAILED STEPS
Enabling the HTTPS Server
Perform the following task to enable the HTTPS server.
Prerequisites
To specify parameters, you must create a trustpoint and configure it. To use default values, delete any existing self-signed trustpoints. Deleting all self-signed trustpoints causes the HTTPS server to generate a persistent self-signed certificate using default values as soon as it is enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http secure-server
4. end
DETAILED STEPS
Note
You must issue a write memory command to save the configuration. This saves the self-signed certificate to NVRAM and keeps the HTTPS server enabled across reloads; without it the certificate is regenerated at the next reload and the browser prompts you to accept it again.
Verifying the Configuration
Perform the following task to verify that a self-signed certificate and a trustpoint have been created.
SUMMARY STEPS
1. enable
2. show crypto pki certificates [trustpoint-name [verbose]]
3. show crypto pki trustpoints [status | label [status]]
4. end
DETAILED STEPS
Configuration Examples for Persistent Self-Signed Certificates
This section contains the following configuration examples:
•
Creating a Persistent Self-Signed Certificate: Example
•
Enabling the HTTPS Server: Example
•
Verifying the Configuration: Example
Creating a Persistent Self-Signed Certificate: Example
In the following example, a trustpoint named local is declared, its enrollment is requested, and a self-signed certificate with an IP address is generated. Because the trustpoint has no rsakeypair command, the router autogenerates a 512-bit key pair (see the %CRYPTO-6-AUTOGEN message); a key that small is not acceptable by current standards, so in practice add rsakeypair with a key-size of 2048 or larger to the trustpoint before enrolling:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint local
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# end
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki enroll local
Nov 29 20:51:13.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 29 20:51:13.267: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: ethernet 0
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Note
A router can have only one self-signed certificate. If you attempt to enroll a trustpoint configured for a self-signed certificate and one already exists, you receive a notification and are asked if you want to replace it. If so, a new self-signed certificate is generated to replace the existing one.
Enabling the HTTPS Server: Example
In the following example, the HTTPS server is enabled and a default trustpoint is generated since one was not previously configured:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
*Dec 21 19:14:15.421:%PKI-4-NOAUTOSAVE:Configuration was modified. Issue "write memory" to save new certificate
Router(config)#
Note
You need to save the configuration to NVRAM if you want to keep the self-signed certificate and have the HTTPS server enabled following router reloads.
The following message also appears:
*Dec 21 19:14:10.441:%SSH-5-ENABLED:SSH 1.99 has been enabled
Router(config)#
Note
Creation of the key pair used with the self-signed certificate causes the Secure Shell (SSH) server to start. This behavior cannot be suppressed. You may want to modify your access control lists (ACLs) to permit or deny SSH access to the router.
Verifying the Configuration: Example
The following example displays information about the self-signed certificate that you just created:
Router# show crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3326000105
  Subject:
    Name: IOS-Self-Signed-Certificate-3326000105
    cn=IOS-Self-Signed-Certificate-3326000105
  Validity Date:
    start date: 19:14:14 GMT Dec 21 2004
    end date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: TP-self-signed-3326000105
Note
The number 3326000105 above is the router's serial number and varies depending on the router's actual serial number.
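When you have more than a handful of routers, reading this output by eye does not scale. The following Python script is an added example, not part of this Cisco document: it parses the show crypto pki certificates text into one record per certificate and then reports whether each certificate is self-signed (issuer equals subject) and whether it is valid, expiring or expired at a given time. SAMPLE_OUTPUT is constructed from the self-signed and CA-issued certificate blocks shown on this page; the exact indentation IOS prints is an assumption, and the parser relies on it only to find where each certificate block begins. Note that the sample self-signed certificate ends at 00:00:00 GMT Jan 1 2020, so an audit run today reports it expired.

```python
"""Parse `show crypto pki certificates` output and audit each certificate.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed from the certificate
blocks shown on this page; the indentation is an assumption about IOS output.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Subject:
    Name: router.cisco.com
    IP Address: 10.3.0.18
    Serial Number: C63EBBE9
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Validity Date:
    start date: 20:51:40 GMT Nov 29 2004
    end   date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: local
Certificate
  Status: Available
  Certificate Serial Number: 18C1EE03000000004CBD
  Certificate Usage: General Purpose
  Issuer:
    cn=msca-root
    ou=pki msca-root
  Subject:
    Name: myrouter.example.com
    hostname=myrouter.example.com
  CRL Distribution Points:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 19:50:40 GMT Oct 5 2004
    end   date: 20:00:40 GMT Oct 12 2004
  Associated Trustpoints: msca-root
"""

IOS_DATE_FORMAT = "%H:%M:%S GMT %b %d %Y"            # e.g. "00:00:00 GMT Jan 1 2020"
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*):\s*(.*)$")
DATE_LINE = re.compile(r"^(start|end)\s+date:\s*(.+)$")


def parse_ios_date(text: str) -> datetime:
    """IOS prints validity dates in GMT; return a timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), IOS_DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_certificates(output: str) -> list:
    """Return one dict per certificate block; an unindented line starts a block."""
    certs, section = [], None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # "Certificate", "CA Certificate", ...
            certs.append({"type": raw.strip(), "issuer": [], "subject": []})
            section = None
            continue
        line, cert = raw.strip(), certs[-1]
        m = DATE_LINE.match(line)
        if m:                                         # validity window
            cert[m.group(1)] = parse_ios_date(m.group(2))
            continue
        if "://" in line:                             # CRL / AIA URLs are never key: value
            cert.setdefault(section or "url", []).append(line)
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):                          # "Status: Available", "Name: ..." etc.
            cert[m.group(1)] = m.group(2)
        elif m:                                       # bare header such as "Issuer:"
            section = m.group(1).lower()
        elif section:                                 # DN component under the current header
            cert.setdefault(section, []).append(line)
    return certs


def audit_certificates(certs: list, now: datetime = None, warn_days: int = 30) -> list:
    """Classify each certificate's validity at `now` and note whether it is self-signed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certs:
        start, end = cert.get("start"), cert.get("end")
        if start is None or end is None:
            status = "no validity dates"              # e.g. a request still Pending
        elif now < start:
            status = "not yet valid"
        elif now >= end:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "valid"
        findings.append({
            "trustpoint": cert.get("Associated Trustpoints"),
            "type": cert["type"],
            "self_signed": bool(cert["issuer"]) and cert["issuer"] == cert["subject"],
            "status": status,
            "days_left": (end - now).days if end else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_certificates(parse_certificates(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the captured output of show crypto pki certificates from each device and act on any finding whose status is expired or expiring; a self_signed entry tells you which devices still rely on a certificate no browser can validate against a CA.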
The following example displays information about the key pair corresponding to the self-signed certificate:
Router# show crypto key mypubkey rsa
% Key pair was generated at: 19:14:10 GMT Dec 21 2004
Key name: TP-self-signed-3326000105
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B88F70
  6BC78B6D 67D6CFF3 135C1D91 8F360292 CA44A032 5AC1A8FD 095E4865 F8C95A2B
  BFD1C2B7 E64A3804 9BBD7326 207BD456 19BAB78B D075E78E 00D2560C B09289AE
  6DECB8B0 6672FB3A 5CDAEE92 9D4C4F71 F3BCB269 214F6293 4BA8FABF 9486BCFC
  2B941BCA 550999A7 2EFE12A5 6B7B669A 2D88AB77 39B38E0E AA23CB8C B7020301 0001
% Key pair was generated at: 19:14:13 GMT Dec 21 2004
Key name: TP-self-signed-3326000105.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C5680E 89777B42
  463E5783 FE96EA9E F446DC7B 70499AF3 EA266651 56EE29F4 5B003D93 2FC9F81D
  8A46E12F 3FBAC2F3 046ED9DD C5F27C20 1BBA6B9B 08F16E45 C34D6337 F863D605
  34E30F0E B4921BC5 DAC9EBBA 50C54AA0 BF551BDD 88453F50 61020301 0001
Router#
Note
The second key pair with the name TP-self-signed-3326000105.server is the SSH key pair and is generated once any key pair is created on the router and SSH starts up.
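The Key Data that show crypto key mypubkey rsa prints is the DER encoding of an X.509 SubjectPublicKeyInfo (an AlgorithmIdentifier followed by a BIT STRING that holds the PKCS#1 RSAPublicKey), so the modulus size can be read straight from the dump. The following Python script is an added example, not part of this Cisco document: it walks the DER tag-length-value structure with no third-party library and reports the modulus size and public exponent of each key, then flags keys below a chosen minimum. The two hex blobs are the ones shown above for TP-self-signed-3326000105 and its .server key; the 2048-bit minimum is an assumption you can adjust to your own policy. The page's earlier example autogenerated a 512-bit key pair, and this check is the one that catches such keys across a fleet.

```python
"""Recover RSA key sizes from the Key Data printed by `show crypto key mypubkey rsa`.

Added example, not Cisco code. The two hex dumps are copied from this page; the
2048-bit minimum in audit_key_sizes is an assumed policy value.
"""

KEY_DATA = {
    "TP-self-signed-3326000105": """
        30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B88F70
        6BC78B6D 67D6CFF3 135C1D91 8F360292 CA44A032 5AC1A8FD 095E4865 F8C95A2B
        BFD1C2B7 E64A3804 9BBD7326 207BD456 19BAB78B D075E78E 00D2560C B09289AE
        6DECB8B0 6672FB3A 5CDAEE92 9D4C4F71 F3BCB269 214F6293 4BA8FABF 9486BCFC
        2B941BCA 550999A7 2EFE12A5 6B7B669A 2D88AB77 39B38E0E AA23CB8C B7020301 0001
    """,
    "TP-self-signed-3326000105.server": """
        307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C5680E 89777B42
        463E5783 FE96EA9E F446DC7B 70499AF3 EA266651 56EE29F4 5B003D93 2FC9F81D
        8A46E12F 3FBAC2F3 046ED9DD C5F27C20 1BBA6B9B 08F16E45 C34D6337 F863D605
        34E30F0E B4921BC5 DAC9EBBA 50C54AA0 BF551BDD 88453F50 61020301 0001
    """,
}

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_key_data(key_data_hex: str) -> dict:
    """Parse an IOS Key Data dump; return the modulus size in bits and the public exponent."""
    der = bytes.fromhex("".join(key_data_hex.split()))
    tag, spki, _ = read_tlv(der)                      # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, alg_id, pos = read_tlv(spki)                 # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id)                # OBJECT IDENTIFIER
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)          # subjectPublicKey ::= BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = read_tlv(bit_string[1:])          # skip unused-bits octet; RSAPublicKey SEQUENCE
    _, modulus, pos = read_tlv(rsa_pub)               # INTEGER n (a leading 0x00 pad is harmless)
    _, exponent, _ = read_tlv(rsa_pub, pos)           # INTEGER e
    return {
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "public_exponent": int.from_bytes(exponent, "big"),
    }


def audit_key_sizes(keys: dict, minimum_bits: int = 2048) -> dict:
    """Map key name -> (modulus bits, meets the minimum?) for a fleet-style report."""
    parsed = {name: parse_rsa_key_data(hexdump) for name, hexdump in keys.items()}
    return {name: (info["modulus_bits"], info["modulus_bits"] >= minimum_bits)
            for name, info in parsed.items()}


if __name__ == "__main__":
    for name, (bits, ok) in audit_key_sizes(KEY_DATA).items():
        print(f"{name}: {bits}-bit RSA {'OK' if ok else 'TOO SMALL'}")
```

On the page's own dumps the general-purpose key is 1024 bits and the .server key only 768 bits, both with exponent 65537, so both fail a 2048-bit minimum; the fix on the router side is the rsakeypair command with an explicit key-size, followed by re-enrolling the trustpoint.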
The following example displays information about the trustpoint named local:
Router# show crypto pki trustpoints
Trustpoint local:
  Subject Name:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Serial Number: 01
  Persistent self-signed certificate trust point
Additional References
The following sections provide references related to the Persistent Self-Signed Certificates feature.
Related Documents
Related Topic / Document Title
• Security commands: complete command syntax, command mode, defaults, usage guidelines, and examples
• Security features including trustpoints, certificate enrollment, and authentication
• RSA key pairs: Multiple RSA Key Pair Support feature module, Release 12.2(8)T
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Command Reference
This section documents new and modified commands.
New Commands
Modified Commands
crypto pki enroll
To obtain the certificate(s) for your router from the certificate authority (CA), use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto pki enroll name
no crypto pki enroll name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requests certificates from the CA for all of your router's Rivest, Shamir, and Adleman (RSA) key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general-purpose keys, this command obtains the one certificate corresponding to the one general-purpose RSA key pair. If you previously generated special-usage keys, this command obtains two certificates, one for each of the special-usage RSA key pairs.
If you already have a certificate for your keys you are unable to complete this command; instead, you are prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto pki enroll command is not saved in the router configuration.
Note
If your router reboots after you issue the crypto pki enroll command but before you receive the certificate(s), you must reissue the command.
Responding to Prompts
When you issue the crypto pki enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
This password is not stored anywhere, so you need to remember this password.
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange, but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto pki enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: <mypassword>
Re-enter password: <mypassword>
% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificates' command will also show the fingerprint.
Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Router(config)#
If necessary, the router administrator can verify the displayed fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority
The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Related Commands
crypto pki trustpoint
To declare the trustpoint that your router should use, use the crypto pki trustpoint command in global configuration mode. To delete all identity information and certificates associated with the trustpoint, use the no form of this command.
crypto pki trustpoint name
no crypto pki trustpoint name
Syntax Description
name
Creates a name for the trustpoint. (If you previously declared the trustpoint and just want to update its characteristics, specify the name you previously created.)
Defaults
Your router does not recognize any trustpoints until you declare a trustpoint using this command.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto pki trustpoint command to declare a trustpoint, which can be a self-signed root certificate authority (CA) or a subordinate CA. Issuing the crypto pki trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint using the following subcommands:
• crl—Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
• default (ca-trustpoint)—Resets the value of ca-trustpoint configuration mode subcommands to their defaults.
• enrollment—Specifies enrollment parameters (optional).
• enrollment http-proxy—Accesses the CA by HTTP through the proxy server.
• enrollment selfsigned—Specifies self-signed enrollment (optional).
• match certificate—Associates a certificate-based access control list (ACL) defined with the crypto pki certificate map command.
• primary—Assigns a specified trustpoint as the primary trustpoint of the router.
• root—Specifies the TFTP server from which to retrieve the CA certificate, giving both the server name and the name of the file that holds the CA certificate.
The following example shows how to declare the CA named ka and specify its enrollment URL:
crypto pki trustpoint ka
 enrollment url http://kahului:80
The following example shows a certificate-based ACL with the label Group defined in a crypto pki certificate map command and included in the match certificate subcommand of the crypto pki trustpoint command:
crypto pki certificate map Group 10
 subject-name co ou=WAN
 subject-name co o=Cisco
!
crypto pki trustpoint pki1
 match certificate Group
The following example shows a self-signed certificate being designated for a trustpoint named local using the enrollment selfsigned subcommand of the crypto pki trustpoint command:
crypto pki trustpoint local
 enrollment selfsigned
Related Commands
enrollment selfsigned
To specify self-signed enrollment for a trustpoint, use the enrollment selfsigned command in ca-trustpoint configuration mode. To delete self-signed enrollment from a trustpoint, use the no form of this command.
enrollment selfsigned
no enrollment selfsigned
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
ca-trustpoint configuration
Command History
Usage Guidelines
Before you can use the enrollment selfsigned command, you must issue the crypto pki trustpoint command, which defines the trustpoint and enters ca-trustpoint configuration mode.
If you do not use this command, you should specify another enrollment method for the router by using an enrollment command such as enrollment url or enrollment terminal.
Examples
The following example shows a self-signed certificate being designated for a trustpoint named local:
crypto pki trustpoint local
 enrollment selfsigned
Related Commands
show crypto pki certificates
To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto pki certificates command in privileged EXEC mode.
show crypto pki certificates [trustpoint-name [verbose]]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command shows information about the following certificates:
• Your certificate, if you have requested one from the certificate authority (CA) (see the crypto pki enroll command)
• The certificate of the CA, if you have received the certificate of the CA (see the crypto pki authenticate command)
• RA certificates, if you have received registration authority (RA) certificates (see the crypto pki authenticate command)
• A self-signed certificate, if one has been requested
Examples
The following is sample output from the show crypto pki certificates command after you authenticated the CA by requesting the certificate of the CA and public key with the crypto pki authenticate command:
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
The CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto pki certificates command, and it shows the certificate of the router and the certificate of the CA. In this example, a single, general-purpose Rivest, Shamir, and Adelman (RSA) key pair was previously generated, and a certificate was requested but not received for that key pair.
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
    Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
  Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
Note that in the previous sample, the certificate status of the router shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto pki certificates command, and it shows two certificates for the router (one per special-usage key pair) and the certificate of the CA. In this example, special-usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
The following is sample output from the show crypto pki certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto pki authenticate command.
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption
The following is sample output from the show crypto pki certificates command using the optional trustpoint-name argument and verbose keyword. The output shows the certificate of a router and the certificate of the CA. In this example, general-purpose RSA key pairs were previously generated, and a certificate was requested and received for the key pair.
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 18C1EE03000000004CBD
  Certificate Usage: General Purpose
  Issuer:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  Subject:
    Name: myrouter.example.com
    hostname=myrouter.example.com
  CRL Distribution Points:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 19:50:40 GMT Oct 5 2004
    end date: 20:00:40 GMT Oct 12 2004
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (360 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
  Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
    X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
    Authority Info Access:
  Associated Trustpoints: msca-root
  Key Label: myrouter.example.com
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  Subject:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  CRL Distribution Points:
    http://msca-root.example.com/CertEnroll/msca-root.crl
  Validity Date:
    start date: 22:19:29 GMT Oct 31 2002
    end date: 22:27:27 GMT Oct 31 2017
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
  Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
  X509v3 extensions:
    X509v3 Key Usage: C6000000
      Digital Signature
      Non Repudiation
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
    X509v3 Basic Constraints:
      CA: TRUE
    Authority Info Access:
  Associated Trustpoints: msca-root
The following example shows that a self-signed certificate has been created using a user-defined trustpoint:
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Subject:
    Name: router.cisco.com
    IP Address: 10.3.0.18
    Serial Number: C63EBBE9
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Validity Date:
    start date: 20:51:40 GMT Nov 29 2004
    end date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: local
Related Commands
show crypto pki trustpoints
To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged or user EXEC mode.
show crypto pki trustpoints [status | label [status]]
Syntax Description
Defaults
If the label argument (trustpoint name) is not specified, command output is displayed for all trustpoints.
Command Modes
Privileged EXEC
User EXEC
Command History
Usage Guidelines
If you enter the show crypto ca roots command, it will have the same effect as entering the show crypto pki trustpoints command.
Examples
The following is sample output from the show crypto pki trustpoints command:
Router# show crypto pki trustpoints
Trustpoint bo:
  Subject Name:
    CN = bomborra Certificate Manager
    O = cisco.com
    C = US
  Serial Number: 01
  Certificate configured.
  CEP URL: http://bomborra
  CRL query url: ldap://bomborra
The following is sample output from the show crypto pki trustpoints command when a persistent self-signed certificate has been configured:
Router# show crypto pki trustpoints
Trustpoint local:
  Subject Name:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Serial Number: 01
  Persistent self-signed certificate trust point
The following output using the status keyword shows that the trustpoint is configured in query mode and is currently trying to query the certificates (the certificate authority (CA) certificate and the router certificate are both pending):
Router# show crypto pki trustpoints status
Trustpoint yni:
  Issuing CA certificate pending:
    Subject Name:
      cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
  Router certificate pending:
    Subject Name:
      hostname=trance.cisco.com,o=cisco.com
  Next query attempt:
    52 seconds
The following output using the status keyword shows that the trustpoint has been authenticated: