Table Of Contents
Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Prerequisites for Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Information About Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Secure Connections, Clocks, and Expired Certificates
Using Certificate ACLs to Ignore Revocation Check and Expired Certificates of a Valid Peer
Skipping the AAA Check of the Certificate
Hub Router At a Central Site: Example
Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
The Using Certificate ACLs to Ignore Revocation Check and Expired Certificates feature allows a certificate that meets specified criteria to be accepted regardless of its validity period, or to be accepted without revocation checking being performed. Certificate access control lists (ACLs) are used to specify the criteria that the certificate must meet to be accepted or to avoid revocation checking. In addition, if authentication, authorization, and accounting (AAA) communication is protected by a certificate, this feature allows the AAA check of that certificate to be skipped.
This feature can be used for routers that do not have a time-of-year clock.
Feature History for Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
• Information About Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Prerequisites for Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
• You should be familiar with AAA, encryption, and firewalls.
• You should be familiar with certificates and certificate maps. You should also be familiar with the contents of the certificates that you want to specify using the certificate map so that you are able to set up the certificate map properly.
• The certificate map must be defined before this feature can be configured using the command-line interface (CLI).
Information About Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Before configuring the Using Certificate ACLs to Ignore Revocation Check and Expired Certificates feature, you should understand the following concepts:
• Secure Connections, Clocks, and Expired Certificates
• Using Certificate ACLs to Ignore Revocation Check and Expired Certificates of a Valid Peer
Secure Connections, Clocks, and Expired Certificates
Routers provide secure communications between sites by setting up an IP Security (IPSec) tunnel between themselves and the routers at other sites. To ease the configuration and management of these routers, it is desirable to use International Organization for Standardization (ISO) X.509 standard certificates for authenticating each router. Doing so requires that the router have an accurate local clock or that a service such as Network Time Protocol (NTP) be used to set the clock of the router.
To maintain security, it is often desirable to have the router access an NTP server over a secure connection. However, the secure connection cannot be established until the router knows the correct time. A similar dilemma exists when the revocation status of the certificate of a peer has to be checked: The server providing revocation information may be reachable only via a secure tunnel that cannot be set up because the certificate of the peer cannot be validated.
Using Certificate ACLs to Ignore Revocation Check and Expired Certificates of a Valid Peer
The Using Certificate ACLs to Ignore Revocation Check and Expired Certificates feature allows you to configure your router so that the revocation check and the expired certificate of a valid peer can be ignored. This configuration allows a certificate that meets specified criteria to be accepted regardless of its validity period, or to be accepted without revocation checking being performed. This feature can also be used when the communication with the AAA server is protected with a certificate and you want to skip the check of that certificate.
Ignoring Revocation Lists
To allow a trustpoint to enforce certificate revocation lists (CRLs) except for specific certificates, use the CLI to enter the match certificate command with the skip revocation-check keyword. This type of enforcement is most useful in a hub-and-spoke configuration in which you also want to allow direct spoke-to-spoke connections. In pure hub-and-spoke configurations, all spokes connect only to the hub, so CRL checking is necessary only on the hub. If one spoke communicates directly with another spoke, the CRLs must be checked. However, if the trustpoint is configured to require CRLs, the connection to the hub to retrieve the CRL usually cannot be made, because the CRL is available only through the connection to the hub.
Ignoring Expired Certificates
To configure your router to ignore expired certificates, enter the match certificate command with the allow expired-certificate keyword. This command has the following purposes:
• If the certificate of a peer has expired, this command may be used to "allow" the expired certificate until the peer can obtain a new certificate.
• If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This command may be used to allow the certificate of the peer even though your router clock is not set.
Note
• If NTP is available only via the IPSec connection (usually via the hub in a hub-and-spoke configuration), the router clock can never be set. The tunnel to the hub cannot be "brought up" because the certificate of the hub is not yet valid.
• "Expired" is a generic term for a certificate that is expired or that is not yet valid. The certificate has a start and end time. An expired certificate, for purposes of the ACL, is one for which the current time of the router is outside the start and end times specified in the certificate.
Skipping the AAA Check of the Certificate
If the communication with an AAA server is protected with a certificate, and you want to skip the AAA check of the certificate, use the match certificate command with the skip authorization-check keyword. For example, if a Virtual Private Network (VPN) tunnel is configured so that all AAA traffic goes over that tunnel, and the tunnel is protected with a certificate, you can use the match certificate command with the skip authorization-check keyword to skip the certificate check so that the tunnel can be established.
The match certificate command and the skip authorization-check keyword should be configured after public key infrastructure (PKI) integration with an AAA server is configured.
How to Configure Your Router to Use Certificate ACLs to Ignore Revocation Check and Expired Certificates
This section provides the following procedures:
• Configuring a Router to Use Certificate ACLs to Ignore Revocation Check and Expired Certificates: Overview (required)
Configuring a Router to Use Certificate ACLs to Ignore Revocation Check and Expired Certificates: Overview
To configure your router to use certificate ACLs to ignore revocation check and expired certificates, perform the following steps. To specifically configure a router to define a certificate map, create a trustpoint, and use certificate ACLs to ignore revocation check and expired certificates, see the "Configuring a Router to Use Certificate ACLs to Ignore Revocation Check and Expired Certificates: Router Configuration" section.
Step 1
Identify an existing trustpoint or create a new trustpoint to be used when verifying the certificate of the peer. Authenticate the trustpoint if it has not already been authenticated. The router may enroll with this trustpoint if you want. Do not set optional CRLs for the trustpoint if you plan to use the match certificate command and skip revocation-check keyword.
Step 2
Determine the unique characteristics of the certificates that should not have their CRL checked, of the expired certificates that should be allowed, or both.
Step 3
Define a certificate map to match the characteristics identified in Step 2.
Step 4
Add the match certificate command with the skip revocation-check keyword, the match certificate command with the allow expired-certificate keyword, or both to the trustpoint that was created or identified in Step 1.
Configuring a Router to Use Certificate ACLs to Ignore Revocation Check and Expired Certificates: Router Configuration
To define a certificate map, create a trustpoint, and configure a router to use certificate ACLs to ignore revocation check and expired certificates, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ca certificate map label sequence-number
4. crypto ca trustpoint name
5. match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
DETAILED STEPS
Troubleshooting Tips
Carefully check your configuration. Verify that the certificate map properly matches the certificate or certificates that should be allowed or the AAA checks that should be skipped. In a controlled environment, try modifying the certificate map and determine what is not working as expected.
What to Do Next
Monitor to ensure that unexpected certificates do not match the certificate map. If you are skipping expired certificates or AAA checks to temporarily work around a problem (for example, a peer has an expired certificate or AAA is configured incorrectly), the original problem should be fixed.
Configuration Examples for Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
• Hub Router At a Central Site: Example
Hub Router At a Central Site: Example
The following example shows a hub router at a central site that is providing connectivity for several branch offices to the central site.
The branch offices are also able to communicate directly with each other using additional IPSec tunnels between the branch offices.
The CA publishes CRLs on an HTTP server at the central site. The central site checks CRLs for each peer when setting up an IPSec tunnel with that peer.
The example does not show the IPSec configuration—only the PKI-related configuration is shown.
Home Office Hub Configuration
crypto pki trustpoint VPN-GW
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Central VPN Gateway
 revocation-check crl
Central Site Hub Router
Router# show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 2F62BE14000000000CA0
  Certificate Usage: General Purpose
  Issuer:
    cn=Central Certificate Authority
    o=Home Office Inc
  Subject:
    Name: Central VPN Gateway
    cn=Central VPN Gateway
    o=Home Office Inc
  CRL Distribution Points:
    http://ca.home-office.com/CertEnroll/home-office.crl
  Validity Date:
    start date: 00:43:26 GMT Sep 26 2003
    end date: 00:53:26 GMT Sep 26 2004
    renew date: 00:00:00 GMT Jan 1 1970
  Associated Trustpoints: VPN-GW
CA Certificate
  Status: Available
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    cn=Central Certificate Authority
    o=Home Office Inc
  Subject:
    cn=Central Certificate Authority
    o=Home Office Inc
  CRL Distribution Points:
    http://ca.home-office.com/CertEnroll/home-office.crl
  Validity Date:
    start date: 22:19:29 GMT Oct 31 2002
    end date: 22:27:27 GMT Oct 31 2017
  Associated Trustpoints: VPN-GW
Trustpoint on the Branch Office Router
crypto pki trustpoint home-office
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Branch 1
 revocation-check crl
A certificate map is entered on the branch office router.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
branch1(config)# crypto pki certificate map central-site 10
branch1(ca-certificate-map)#
The output from the show crypto ca certificate command on the central site hub router shows that the certificate was issued by the following:
cn=Central Certificate Authority
o=Home Office Inc
These two lines are combined into one line, using a comma (,) to separate them, and the combined line is added as the first criterion for a match.
Router (ca-certificate-map)# issuer-name co cn=Central Certificate Authority, o=Home Office Inc
The same combination is done for the subject name from the certificate on the central site router (note that the line that begins with "Name:" is not part of the subject name and must be ignored when creating the certificate map criteria). This is the subject name to be used in the certificate map.
cn=Central VPN Gateway
o=Home Office Inc
Router (ca-certificate-map)# subject-name eq cn=central vpn gateway, o=home office inc
Now the certificate map is added to the trustpoint that was configured earlier.
Router (ca-certificate-map)# crypto pki trustpoint home-office
Router (ca-trustpoint)# match certificate central-site skip revocation-check
Router (ca-trustpoint)# exit
Router (config)# exit
The configuration is checked (most of the configuration is not shown).
Router# write term
! Many lines left out...
crypto pki trustpoint home-office
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Branch 1
 revocation-check crl
 match certificate central-site skip revocation-check
!
!
crypto pki certificate map central-site 10
 issuer-name co cn = Central Certificate Authority, o = Home Office Inc
 subject-name eq cn = central vpn gateway, o = home office inc
! many lines left out
Note that the issuer-name and subject-name lines have been reformatted to make them consistent for later matching with the certificate of the peer.
If the branch office is checking the AAA, the trustpoint will have lines similar to the following (refer to PKI Integration with AAA Server for configuration details):
crypto pki trustpoint home-office
 auth list allow_list
 auth user subj commonname
After the certificate map has been defined as was done above, the following command is added to the trustpoint to skip AAA checking for the central site hub.
match certificate central-site skip authorization-check
In both cases, the branch site router has to establish an IPSec tunnel to the central site to check CRLs or to contact the AAA server. However, without the match certificate command with the skip revocation-check or skip authorization-check keyword, the branch office cannot establish the tunnel until it has checked the CRL or the AAA server, so the tunnel is never established.
The match certificate command and allow expired-certificate keyword would be used at the central site if the router at a branch site had an expired certificate and it had to establish a tunnel to the central site to renew its certificate.
Trustpoint on the Central Site Router
crypto pki trustpoint VPN-GW
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Central VPN Gateway
 revocation-check crl
Trustpoint on the Branch 1 Site Router
Router# show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 2F62BE14000000000CA0
  Certificate Usage: General Purpose
  Issuer:
    cn=Central Certificate Authority
    o=Home Office Inc
  Subject:
    Name: Branch 1 Site
    cn=Branch 1 Site
    o=Home Office Inc
  CRL Distribution Points:
    http://ca.home-office.com/CertEnroll/home-office.crl
  Validity Date:
    start date: 00:43:26 GMT Sep 26 2003
    end date: 00:53:26 GMT Oct 3 2003
    renew date: 00:00:00 GMT Jan 1 1970
  Associated Trustpoints: home-office
CA Certificate
  Status: Available
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    cn=Central Certificate Authority
    o=Home Office Inc
  Subject:
    cn=Central Certificate Authority
    o=Home Office Inc
  CRL Distribution Points:
    http://ca.home-office.com/CertEnroll/home-office.crl
  Validity Date:
    start date: 22:19:29 GMT Oct 31 2002
    end date: 22:27:27 GMT Oct 31 2017
  Associated Trustpoints: home-office
A certificate map is entered on the central site router.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router (config)# crypto pki certificate map branch1 10
Router (ca-certificate-map)# issuer-name co cn=Central Certificate Authority, o=Home Office Inc
Router (ca-certificate-map)# subject-name eq cn=Branch 1 Site,o=home office inc
The certificate map is added to the trustpoint.
Router (ca-certificate-map)# crypto pki trustpoint VPN-GW
Router (ca-trustpoint)# match certificate branch1 allow expired-certificate
Router (ca-trustpoint)# exit
Router (config)# exit
The configuration should be checked (most of the configuration is not shown).
Router# write term
! many lines left out
crypto pki trustpoint VPN-GW
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Central VPN Gateway
 revocation-check crl
 match certificate branch1 allow expired-certificate
!
!
crypto pki certificate map branch1 10
 issuer-name co cn = Central Certificate Authority, o = Home Office Inc
 subject-name eq cn = branch 1 site, o = home office inc
! many lines left out
The match certificate command with the branch1 allow expired-certificate argument and keyword, and the certificate map, should be removed as soon as the branch router has a new certificate.
Additional References
The following sections provide references related to Using Certificate ACLs to Ignore Revocation Check and Expired Certificates.
Related Documents
Related Topic: Document Title
AAA: "Authentication, Authorization, and Accounting (AAA)" section of Cisco IOS Security Configuration Guide
Encryption: "IP Security and Encryption" section of Cisco IOS Security Configuration Guide
Firewalls: "Traffic Filtering and Firewalls" section of Cisco IOS Security Configuration Guide
Security commands: Cisco IOS Security Command Reference, Release 12.3T
PKI integration with an AAA server
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents the following modified command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
match certificate
To associate a certificate-based access control list (ACL) that is defined with the crypto ca certificate map command, use the match certificate command in ca-trustpoint configuration mode. To remove the association, use the no form of this command.
match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
no match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
Syntax Description
Defaults
If this command is not configured, no default match certificate is configured. Each of the allow expired-certificate, skip revocation-check, and skip authorization-check keywords has a default (see the Syntax Description section).
Command Modes
Ca-trustpoint configuration
Command History
Release: Modification
12.2(15)T: This command was introduced.
12.3(4)T: The allow expired-certificate, skip revocation-check, and skip authorization-check keywords were added.
Usage Guidelines
The match certificate command associates the certificate-based ACL defined with the crypto ca certificate map command to the trustpoint. The certificate-map-label argument in the match certificate command must match the label argument specified in a previously defined crypto ca certificate map command.
The certificate map with the label certificate-map-label must be defined before it can be used with the match certificate subcommand.
A certificate map referenced in a match certificate command cannot be deleted until all references to the certificate map are removed from configured trustpoints (that is, no match certificate command may still reference the certificate map being deleted).
When the certificate of a peer has been verified, the certificate-based ACL as specified by the certificate map is checked. If the certificate of the peer matches the certificate ACL, or a certificate map is not associated with the trustpoint used to verify the certificate of the peer, the certificate of the peer is considered valid.
If the certificate map does not have any attributes defined, the certificate is rejected.
Using the allow expired-certificate Keyword
The allow expired-certificate keyword has two purposes:
• If the certificate of a peer has expired, this keyword may be used to "allow" the expired certificate until the peer is able to obtain a new certificate.
• If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This keyword may be used to allow the certificate of the peer even though your router clock is not set.
Note
• If Network Time Protocol (NTP) is available only via the IPSec connection (usually via the hub in a hub-and-spoke configuration), the router clock can never be set. The tunnel to the hub cannot be "brought up" because the certificate of the hub is not yet valid.
• "Expired" is a generic term for a certificate that is expired or that is not yet valid. The certificate has a start and end time. An expired certificate, for purposes of the ACL, is one for which the current time of the router is outside the start and end times specified in the certificate.
Using the skip revocation-check Keyword
The type of enforcement provided using the skip revocation-check keyword is most useful in a hub-and-spoke configuration in which you also want to allow direct spoke-to-spoke connections. In pure hub-and-spoke configurations, all spokes connect only to the hub, so CRL checking is necessary only on the hub. If one spoke communicates directly with another spoke, the CRLs must be checked. However, if the trustpoint is configured to require CRLs, the connection to the hub to retrieve the CRL usually cannot be made, because the CRL is available only through the connection to the hub.
Using the skip authorization-check Keyword
If the communication with an AAA server is protected with a certificate, and you want to skip the AAA check of the certificate, use the skip authorization-check keyword. For example, if a Virtual Private Network (VPN) tunnel is configured so that all AAA traffic goes over that tunnel, and the tunnel is protected with a certificate, you can use the skip authorization-check keyword to skip the certificate check so that the tunnel can be established.
The skip authorization-check keyword should be configured after PKI integration with an AAA server is configured.
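The evaluation rules described in the Usage Guidelines above (map matching with eq and co, an attribute-less map rejecting the certificate, and the three keywords each relaxing one check), as an added Python model that is not Cisco code. It assumes case-insensitive comparison that ignores spaces around "=" and ",", which is what the page's lowercase subject-name lines imply, and the certificate records are constructed from the page's show output (BRANCH2 and the clock value NOW are invented).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


def normalize(dn):
    """Canonical DN text: lowercase, no spaces around '=' or ','. Assumed from the
    page, where 'cn=central vpn gateway, o=home office inc' matches a certificate
    whose subject is cn=Central VPN Gateway / o=Home Office Inc."""
    pairs = ["=".join(s.strip() for s in p.split("=", 1)) for p in dn.split(",")]
    return ",".join(pairs).lower()


@dataclass
class CertMap:
    """crypto ca certificate map <label>: rules are (field, operator, value)."""
    label: str
    rules: list

    def matches(self, cert):
        if not self.rules:  # page: a map with no attributes rejects every cert
            return False
        for fld, op, value in self.rules:
            actual, want = normalize(cert[fld]), normalize(value)
            if op == "eq" and actual != want:
                return False
            if op == "co" and want not in actual:
                return False
            if op not in ("eq", "co"):
                raise ValueError(f"unsupported operator {op!r}")
        return True


@dataclass
class Trustpoint:
    name: str
    crl: bool = True   # revocation-check crl
    aaa: bool = False  # PKI integration with an AAA server configured
    match: list = field(default_factory=list)  # (CertMap, keyword or None)


def evaluate(tp, cert, now):
    """Return whether an already signature-verified peer certificate is accepted
    and which external checks (CRL lookup, AAA check) remain required."""
    result = {"accepted": True, "crl_check": tp.crl, "aaa_check": tp.aaa, "reason": ""}
    allow_expired = False
    for cmap, keyword in tp.match:
        hit = cmap.matches(cert)
        if keyword is None:  # plain match certificate: the map acts as an ACL
            if not hit:
                return dict(result, accepted=False, reason=f"no match on {cmap.label}")
        elif hit and keyword == "skip revocation-check":
            result["crl_check"] = False
        elif hit and keyword == "skip authorization-check":
            result["aaa_check"] = False
        elif hit and keyword == "allow expired-certificate":
            allow_expired = True
    # "Expired" on this page means the router clock is outside [start, end].
    if not (cert["start"] <= now <= cert["end"]) and not allow_expired:
        return dict(result, accepted=False, reason="outside validity period")
    return result


def _cert(subject, start, end):  # constructed record shaped like the show output
    return {"issuer-name": "cn=Central Certificate Authority,o=Home Office Inc",
            "subject-name": subject, "start": datetime(*start, tzinfo=timezone.utc),
            "end": datetime(*end, tzinfo=timezone.utc)}


# Validity dates from the page's show crypto ca certificate output; BRANCH2 and NOW are constructed.
CENTRAL_GW = _cert("cn=Central VPN Gateway,o=Home Office Inc", (2003, 9, 26), (2004, 9, 26))
BRANCH1 = _cert("cn=Branch 1 Site,o=Home Office Inc", (2003, 9, 26), (2003, 10, 3))
BRANCH2 = _cert("cn=Branch 2 Site,o=Home Office Inc", (2003, 9, 26), (2004, 9, 26))
NOW = datetime(2003, 12, 1, tzinfo=timezone.utc)

ISSUER = ("issuer-name", "co", "cn=Central Certificate Authority, o=Home Office Inc")
CENTRAL_SITE_MAP = CertMap("central-site", [ISSUER, ("subject-name", "eq", "cn=central vpn gateway, o=home office inc")])
BRANCH1_MAP = CertMap("branch1", [ISSUER, ("subject-name", "eq", "cn=branch 1 site, o=home office inc")])

# Branch router: CRL and AAA checks enforced for every peer except the hub.
HOME_OFFICE = Trustpoint("home-office", crl=True, aaa=True, match=[
    (CENTRAL_SITE_MAP, "skip revocation-check"), (CENTRAL_SITE_MAP, "skip authorization-check")])
# Hub router: branch1's expired certificate is tolerated until it re-enrolls.
VPN_GW = Trustpoint("VPN-GW", crl=True, match=[(BRANCH1_MAP, "allow expired-certificate")])
```

Calling evaluate(HOME_OFFICE, CENTRAL_GW, NOW) returns accepted with no CRL or AAA check, while a second spoke's certificate still requires both; evaluate(VPN_GW, BRANCH1, NOW) accepts the expired branch certificate only because the map matches.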
Examples
The following example shows a certificate-based ACL with the label "Group" defined in a crypto ca certificate map command and included in the match certificate command:
crypto ca certificate map Group 10
 subject-name co ou=WAN
 subject-name co o=Cisco
!
crypto ca trustpoint pki
 match certificate Group
The following example shows a configuration for a central site using the allow expired-certificate keyword. The router at a branch site has an expired certificate matched by the certificate map "branch1" and has to establish a tunnel to the central site to renew its certificate.
crypto pki trustpoint VPN-GW
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Central VPN Gateway
 revocation-check crl
 match certificate branch1 allow expired-certificate
The following example shows a branch office configuration using the skip revocation-check keyword. The trustpoint is being allowed to enforce CRLs except for "central-site" certificates.
crypto pki trustpoint home-office
 enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn none
 ip-address none
 subject-name o=Home Office Inc,cn=Branch 1
 revocation-check crl
 match certificate central-site skip revocation-check
The following example shows a branch office configuration using the skip authorization-check keyword. The trustpoint is being allowed to skip AAA checking for the central site.
crypto pki trustpoint home-office
 auth list allow_list
 auth user subj commonname
 match certificate central-site skip authorization-check
Related Commands
Command: Description
crypto ca certificate map: Defines certificate-based ACLs.
crypto ca trustpoint: Declares the CA that your router should use.
Glossary
CA—See certificate authority.
certificate—Data encoded according to the International Organization for Standardization (ISO) X.509 standard and cryptographically signed. The data consists of at least a description of the owner of the certificate, a description of the server that signed the certificate, a validity period (start and end dates) and the public key of the owner of the certificate. The certificate serves to associate the owner of the certificate with the public key of the owner.
certificate authority—Server that cryptographically signs a certificate. A device may later cryptographically validate the certificate.
certificate map—Set of configuration parameters that list fields in a certificate and match criteria to be used when processing a certificate. If the fields within a certificate match the specified criteria, an action may be taken.
certificate validation—Checking that a certificate is issued by a trusted CA server, is not revoked, and has the attributes appropriate for the intended use and that the current time falls within the validity time period of the certificate.
Note
Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Copyright © 2003 Cisco Systems, Inc. All rights reserved.