This chapter describes the Public Key Infrastructure (PKI) support on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as the Cisco CG-OS router). PKI allows the Cisco CG-OS router to obtain and use digital certificates for secure communication in the network.
This section provides background information about PKI.
Certificate authorities (CAs) manage certificate requests and issue certificates to participating entities such as hosts, network devices, or users. The CAs provide centralized key management for the participating entities.
Digital signatures, based on public key cryptography, digitally authenticate devices and individual users. In public key cryptography, such as the RSA encryption system, each device or user has a key-pair that contains both a private key and a public key. The private key is kept secret and is known only to the owning device or user. However, the public key is known to everybody. Anything encrypted with one of the keys can be decrypted with the other. A signature is formed when data is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key. This process relies on the receiver having a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender and not to someone pretending to be the sender.
Digital certificates link the digital signature to the sender. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity’s public key. The CA that signs the certificate is a third party that the receiver explicitly trusts to validate identities and to create digital certificates.
To validate the signature of the CA, the receiver must first know the CA’s public key. Typically this process is handled out of band or through an operation done at installation. For instance, most web browsers are configured with the public keys of several CAs by default.
The PKI trust model is hierarchical with multiple configurable trusted CAs. You can configure each participating device with a list of trusted CAs so that a peer certificate obtained during the security protocol exchanges can be authenticated if it was issued by one of the locally trusted CAs. The Cisco CG-OS software locally stores the self-signed root certificate of the trusted CA (or certificate chain for a subordinate CA). The process of securely obtaining a trusted CA root certificate (or the entire chain in the case of a subordinate CA) and storing it locally is called CA authentication.
The information about a trusted CA that you have configured is called the trustpoint, and the CA itself is called a trustpoint CA. This information consists of a CA certificate (or certificate chain in the case of a subordinate CA) and certificate revocation checking information.
The Cisco CG-OS router can also enroll with a trustpoint to obtain an identity certificate to associate with a key-pair. This trustpoint is called an identity CA.
You can obtain an identity certificate by generating one or more RSA key-pairs and associating each RSA key-pair with a trustpoint CA where the Cisco CG-OS router intends to enroll. The Cisco CG-OS router needs only one identity per CA, which consists of one key-pair and one identity certificate per CA.
The Cisco CG-OS software allows you to generate RSA key-pairs with a configurable key size (or modulus). The default key size is 2048 bits. You can also configure an RSA key-pair label. The default key label is the device fully qualified domain name (FQDN).
The following list summarizes the relationship between trustpoints, RSA key-pairs, and identity certificates:
The Cisco CG-OS router can trust multiple CAs by configuring multiple trustpoints and associating each with a distinct CA. With multiple trusted CAs, you do not have to enroll a device with the specific CA that issued the certificate to a peer. Instead, you can configure the device with multiple trusted CAs that the peer trusts. The Cisco CG-OS router can then use a configured trusted CA to verify certificates received from a peer that were not issued by the same CA defined in the identity of the peer device.
Enrollment is the process by which a device that uses certificates for its applications, in this case the Cisco CG-OS router, obtains an identity certificate from the certificate authority (CA).
Cisco recommends that you employ an intermediate router such as the Cisco 3945 Integrated Services Router (Cisco ISR) as the Registration Authority (functioning as a CA proxy) for obtaining certificates for the Cisco CG-OS router from the CA.
The Cisco CG-OS router performs the following steps when performing the PKI enrollment process:
1. Generates an RSA private and public key-pair.
2. Generates a certificate request in standard format and forwards it to the CA.
Note The CA administrator might be required to manually approve the enrollment request at the CA server when the request is received by the CA.
3. Receives the issued certificate back from the CA, signed with the private key of the CA.
4. Writes the certificate into a nonvolatile storage area on the Cisco CG-OS router.
Multiple identity CAs enable the Cisco CG-OS router to enroll with more than one trustpoint, which results in multiple identity certificates, each from a distinct CA. With this feature, the Cisco CG-OS router can participate in applications with many peers using certificates issued by CAs that are acceptable to those peers.
The multiple RSA key-pair feature allows the Cisco CG-OS router to maintain a distinct key-pair for each CA with which it is enrolled. It can match policy requirements for each CA without conflicting with the requirements specified by the other CAs, such as the key length. The Cisco CG-OS router can generate multiple RSA key-pairs and associate each key-pair with a distinct trustpoint. Thereafter, when enrolling with a trustpoint, the associated key-pair is used to construct the certificate request.
PKI support on a Cisco CG-OS router can verify peer certificates. The Cisco CG-OS software verifies certificates received from peers during security exchanges on behalf of the applications, which rely on this check for the validity of the peer certificates. The Cisco CG-OS software performs the following steps when verifying peer certificates:
1. Verifies that the peer certificate is issued by one of the locally-trusted CAs.
2. Verifies that the peer certificate is valid (not expired) with respect to current time.
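The two checks above, replayed with OpenSSL as an added example (this is not Cisco's code and not how the Cisco CG-OS software is implemented). The trusted CAs, the rogue CA and the peer names are all constructed for the example; the trust store file stands in for the router's list of trustpoints, which is why a peer enrolled with either trusted CA verifies, as the earlier section on multiple trusted CAs describes. Expiry is checked by evaluating the same certificate at a time 60 days in the future rather than by forging dates.

```shell
#!/bin/sh
# Added example, not Cisco's code: the two peer-certificate checks from the text
# (issued by a locally trusted CA; valid with respect to the current time), done
# with OpenSSL against constructed CAs and peers. All names are constructed.
set -eu
WORK="$(mktemp -d)"

# Constructed self-signed CA: $1 = file stem, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Constructed peer identity issued by CA $1: $2 = file stem, $3 = peer FQDN.
make_peer() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# Verify a peer certificate: $1 = trust store (PEM bundle of the locally trusted
# CA certificates, one per trustpoint), $2 = peer certificate, $3 = optional
# epoch time at which validity is evaluated (defaults to now). Prints a verdict.
verify_peer() {
  if [ -n "${3:-}" ]; then
    out="$(openssl verify -CAfile "$1" -attime "$3" "$2" 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$1" "$2" 2>&1 || true)"
  fi
  case "$out" in
    *": OK"*)                                   echo trusted ;;
    *"certificate has expired"*)                echo expired ;;
    *"unable to get local issuer certificate"*) echo untrusted-issuer ;;
    *)                                          echo "rejected: $out" ;;
  esac
}

make_ca trusted1 "Trusted CA 1"
make_ca trusted2 "Trusted CA 2"
make_ca rogue    "Some Other CA"
# Two trustpoints: the router trusts both CAs, so a peer enrolled with either verifies.
cat "$WORK/trusted1.pem" "$WORK/trusted2.pem" > "$WORK/trust-store.pem"
make_peer trusted2 peer     "peer.example.com"
make_peer rogue    impostor "peer.example.com"   # same name, issued by a CA we do not trust

verify_peer "$WORK/trust-store.pem" "$WORK/peer.pem"       # trusted
verify_peer "$WORK/trust-store.pem" "$WORK/impostor.pem"   # untrusted-issuer
# Evaluate the same peer certificate 60 days from now, past its 30-day lifetime.
verify_peer "$WORK/trust-store.pem" "$WORK/peer.pem" "$(( $(date +%s) + 60 * 86400 ))"   # expired
```

The trust store carries only CA certificates; the peer's own certificate is never added to it, so a certificate from an unknown CA fails the first check even when its subject name matches a legitimate peer.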
As part of the CA authentication and enrollment process, the subordinate CA certificate (or certificate chain) and identity certificates can be imported in standard PEM (base64) format.
The complete identity information in a trustpoint can be exported to a file in the password-protected PKCS#12 standard format. It can be later imported to the same device (for example, after a system crash) or to a replacement device. The information in a PKCS#12 file consists of the RSA key-pair, the identity certificate, and the CA certificate (or chain).
You must configure the Registration Authority (RA) to proxy for the CA server before you configure the Cisco CG-OS router. (See Configuring the Registration Authority.)
The maximum number of key-pairs you can configure on the Cisco CG-OS router is 16.
The maximum number of trustpoints you can declare on the Cisco CG-OS router is 16.
The maximum number of identity certificates you can configure on the Cisco CG-OS router is 16.
The maximum number of certificates in a CA certificate chain is 10.
The maximum number of trustpoints you can authenticate to a specific CA is 10.
When generating certificates for the Cisco CG-OS router, a different RSA key-pair must be defined for the registration authority (RA) and the certification authority (CA).
Table 6-1 lists the default settings for PKI parameters.
The Cisco CG-OS router supports the following types of certificate enrollment:
This section describes the process of configuring the Cisco CG-OS router to communicate and exchange certificates with a Windows CA server to allow automatic enrollment of certificates.
Additionally, this section provides details on how to configure a Cisco ISR to serve as Registration Authority (RA) and proxy for the Windows CA server (which is the Cisco recommended configuration). This section does not provide details on configuring the Windows CA server.
You must configure the hostname and IP domain name of the Cisco CG-OS router if you have not yet configured it because the Cisco CG-OS software uses the fully qualified domain name (FQDN) of the Cisco CG-OS router as the subject in the identity certificate. Additionally, the Cisco CG-OS software uses the device FQDN as a default key label when you do not specify a label during key-pair generation. For example, a certificate named DeviceA.example.com is based on a device hostname of DeviceA and a device IP domain name of example.com.
You must configure the hostname and IP domain name for both the Cisco CG-OS router and the Registration Authority.
This example shows how to configure the hostname and IP domain name for the Cisco CG-OS router.
Specifies the use of an RA as the trustpoint source for the Cisco CG-OS router and as the system that authenticates the certificate for the Cisco CG-OS router.
Configure the router acting as the RA. (See Configuring the Registration Authority .)
Configure the server acting as the CA. (See your Windows server manual.)
This example shows how to create an enrollment profile for the RA on the Cisco CG-OS router.
Tip When you do not configure the RSA public and private key-pair, the Cisco CG-OS router automatically generates the key-pair with a default length of 2048 bits. In this case, the key-pair is non-exportable and the PKCS#12 format cannot be used for backup and restore. If you want to set a length other than the 2048-bit default and want to have an exportable key-pair, follow the steps in this section.
The Cisco CG-OS router can generate RSA key-pairs to sign and/or encrypt and de-encrypt the security payload during security protocol exchanges for applications. The RSA key-pair must be generated for the Cisco CG-OS router before obtaining a certificate for the Cisco CG-OS router.
Create the enrollment profile. (See Creating an Enrollment Profile on the Cisco CG-OS Router.)
Defines the trustpoint for all services requiring secure communications. This trustpoint will be used by the Cisco CG-OS router to obtain its certificates from the RA.
Configure the RA. (See Configuring the Registration Authority.)
Generate the key-pair for the Cisco CG-OS router. (See Generating an RSA Public and Private Key-Pair on the Cisco CG-OS Router.)
1. Declares a trustpoint that the Cisco CG-OS router can trust and enters trustpoint configuration mode. name: alphanumeric, case-sensitive string with a maximum length of 64 characters. Note The maximum number of trustpoints that you can configure on the Cisco CG-OS router is 16.
2. Ensures that the RA requests the RA mode Certificate Service (CS) certificate from the CA server.
3. Enter the key-pair name generated for the Cisco CG-OS router and RA. (See Generating a RSA Public and Private Key-Pair on the RA.)
4. Includes the serial number of the Cisco CG-OS router in the certificate. Note This command is only applicable to SCEP auto-enrollment.
5. Configures the IP address of the Cisco CG-OS router that is included in the certificate request.
6. Configures an additional user to be defined in the certificate request during enrollment.
7. Defines the number of times that the Cisco CG-OS router attempts to contact the RA for CA authentication and enrollment before reporting a failed enrollment. retry-count: range of values is 1 to 10. Default value is 3.
8. Defines the period of time (in seconds) between the retry attempts of the Cisco CG-OS router to contact the RA for CA authentication. retry-period: range of values is 1 to 10 seconds. Default value is 5 seconds.
9. Configures the expected thumbprint of the CA server certificate. Note Thumbprint information is found in the Certificate > Details window of the Windows CA Server. Matching is performed during CA authentication and enrollment without the need for user intervention. Note The Cisco CG-OS router only supports SHA1 fingerprints.
10. Exits the trustpoint configuration mode and returns the
This example shows how to create a trustpoint for the Cisco CG-OS router.
Configure the RA. (See Configuring the Registration Authority.)
Generate the key-pair for the Cisco CG-OS router. (See Generating an RSA Public and Private Key-Pair on the Cisco CG-OS Router.)
Create a trustpoint for the Cisco CG-OS router. (See Creating a Trustpoint on the Cisco CG-OS Router.)
Enroll the Cisco CG-OS router with the RA Serving as CA Proxy. (See Configuring the Registration Authority.)
This example shows how to configure the Cisco CG-OS router to authenticate with the CA server and its certificates.
To enroll the Cisco CG-OS Router to the CA, enter the following command.
The RA proxies as a CA server on behalf of the Cisco CG-OS router to obtain its certificates from the CA server.
Tip This section provides the tasks necessary to configure a Cisco ISR to serve as the Registration Authority (RA). If you already have an RA configured or are going to use a different system for the RA, then you do not need to complete the tasks in this section.
Note For more information on the Cisco ISR, refer to the following URL: http://www.cisco.com/en/US/products/ps10536/index.html
Tip The Cisco ISR (recommended system for RA) operates with Cisco IOS rather than the Cisco CG-OS software so the command syntax differs for some configurations.
You must configure the hostname and IP domain name of the RA router if it is not yet configured.
To configure the hostname and IP domain name for the Cisco ISR using Cisco IOS, follow these steps:
Configures the RA to act as a proxy for the CA server on behalf of the Cisco CG-OS router.
Enrolls with the CA server on behalf of the Cisco CG-OS router to obtain the certificates from the CA server.
This example shows how to enroll the RA with the CA server to obtain certificates for the Cisco CG-OS router.
The RSA key-pair provides secure communication between the RA and the CA server.
The RA can generate RSA key-pairs to sign and/or encrypt and de-encrypt the security payload during security protocol exchanges for applications.
Note The RSA key-pair must be generated for the RA before obtaining a certificate for the RA.
Note When configuring the RSA key-pair and CA trustpoint name, you must use the same name within the RA to ensure that the certificate is generated and associated correctly.
Define the trustpoint (secure credentials) for all services requiring secure communications. (See Creating an Enrollment Profile on the RA.)
Defines the trustpoint (secure credentials) for all services requiring secure communications. This trustpoint will be used by the RA to obtain certificates for the Cisco CG-OS router from the CA server.
Generate the RSA key-pair for the RA router. (See Generating a RSA Public and Private Key-Pair on the RA.)
1. Declares a trustpoint that the device should trust and enters trustpoint configuration mode. name: alphanumeric, case-sensitive string with a maximum length of 64 characters. Note The maximum number of trustpoints that you can configure on a device is 16.
2. Ensures that the RA router requests the RA mode Certificate Service (CS) certificate from the CA server.
3. Defines the address of the CA server.
4. Includes the serial number of the RA in the certificate. Note This command is only applicable to SCEP auto-enrollment.
5. Defines the thumbprint of the CA server. Information is found in the Certificate > Details window of the CA Server.
6. (Optional) Invalidates revocation of compromised certificates.
7. Enter the RSA key-pair name generated for the RA and CA. (See Generating a RSA Public and Private Key-Pair on the RA.)
8. (Optional) Displays information on any configured trustpoints.
9. (Optional) Copies the running configuration to the startup configuration.
Generate the RSA key-pair for the RA. (See Generating a RSA Public and Private Key-Pair on the RA.)
Create a trustpoint. (See Creating a Trustpoint for the RA.)
Identifies the PKI server that was configured previously. (See Configuring the RA as Proxy for the CA Server.)
The Cisco CG-OS software supports certificate retrieval and enrollment using manual cut-and-paste. Cut-and-paste enrollment means that you must use a terminal to cut-and-paste the certificate requests and resulting certificates sent between the Cisco CG-OS router and the CA.
You must perform the following steps when using cut-and-paste in the manual enrollment process:
1. Create an enrollment certificate request, which the Cisco CG-OS router displays in base64-encoded text form.
2. Cut-and-paste the encoded certificate request text in an e-mail or in a web form and send it to the CA.
3. Receive the issued certificate (in base64-encoded text form) from the CA in an e-mail or in a web browser download.
4. Cut-and-paste the issued certificate into the Cisco CG-OS router using the certificate import facility.
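The four enrollment steps described earlier in this chapter (key-pair, certificate request, CA issuance, storage) and the cut-and-paste flow just listed are the same procedure seen from two sides, so one added example covers both. It is not Cisco's code and does not reproduce the Cisco CG-OS software; it replays the steps with OpenSSL, with the request and the issued certificate passing through base64 PEM text exactly as an operator would paste them. The CA, the device name DeviceA.example.com, the serial number placeholder FOC00000000 and the IP address 192.0.2.10 are constructed; the key label defaults to the device FQDN and the modulus to 2048 bits, as the text states, and the import step adds the checks a careful import performs before writing to nonvolatile storage.

```shell
#!/bin/sh
# Added example, not Cisco's code: the enrollment steps (key-pair, request, CA
# issuance, import to nonvolatile storage) replayed with OpenSSL, with the
# request and certificate passing through PEM text as in cut-and-paste enrollment.
# The CA, device identity, serial number and IP address below are constructed.
set -eu

WORK="$(mktemp -d)"
DEVICE_FQDN="DeviceA.example.com"   # hostname DeviceA + IP domain name example.com
DEVICE_SERIAL="FOC00000000"         # constructed serial number placeholder
DEVICE_IP="192.0.2.10"              # constructed (documentation address range)
KEY_LABEL="$DEVICE_FQDN"            # default key label is the device FQDN
MODULUS=2048                        # default RSA key size; configurable

# Stand-in CA so the example runs offline (in the chapter, a Windows CA behind an RA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example CA" 2>/dev/null
}

# Step 1: generate the RSA key-pair under its label; print the modulus size in bits.
generate_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$MODULUS" \
    -out "$WORK/$KEY_LABEL.key" 2>/dev/null
  hex="$(openssl rsa -in "$WORK/$KEY_LABEL.key" -noout -modulus 2>/dev/null)"
  hex="${hex#Modulus=}"
  echo $(( ${#hex} * 4 ))
}

# Step 2: build the certificate request (subject = FQDN, plus the serial number
# and IP address) and print it as base64 PEM text, which is what an operator
# cuts and pastes into an e-mail or web form for the CA.
generate_request() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $DEVICE_FQDN
serialNumber = $DEVICE_SERIAL
[ext]
subjectAltName = DNS:$DEVICE_FQDN, IP:$DEVICE_IP
EOF
  openssl req -new -key "$WORK/$KEY_LABEL.key" -config "$WORK/req.cnf" \
    -out "$WORK/$KEY_LABEL.csr" 2>/dev/null
  cat "$WORK/$KEY_LABEL.csr"
}

# Step 3: the CA (after any manual approval by its administrator) signs the
# request with its private key and returns the certificate as PEM text.
ca_issue_certificate() {
  openssl x509 -req -in "$WORK/$KEY_LABEL.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/$KEY_LABEL.pem" 2>/dev/null
  cat "$WORK/$KEY_LABEL.pem"
}

# Step 4: import the pasted certificate. Before writing it to the nonvolatile
# store (a directory standing in for bootflash:), check that it belongs to the
# local key-pair and was issued by the authenticated CA.
import_certificate() {
  store="$WORK/bootflash"
  mkdir -p "$store"
  cert_pub="$(openssl x509 -in "$WORK/$KEY_LABEL.pem" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$WORK/$KEY_LABEL.key" -pubout 2>/dev/null)"
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "rejected: certificate does not match key-pair $KEY_LABEL"; return 0
  fi
  if ! openssl verify -CAfile "$WORK/ca.pem" "$WORK/$KEY_LABEL.pem" >/dev/null 2>&1; then
    echo "rejected: certificate not issued by the authenticated CA"; return 0
  fi
  cp "$WORK/$KEY_LABEL.pem" "$store/$KEY_LABEL.pem"
  echo "imported $KEY_LABEL"
}

# Subject and subject alternative names of the stored identity certificate.
stored_identity() {
  openssl x509 -in "$WORK/bootflash/$KEY_LABEL.pem" -noout -text 2>/dev/null \
    | grep -E 'Subject:|IP Address:'
}

make_ca
generate_keypair        # 2048
generate_request
ca_issue_certificate
import_certificate      # imported DeviceA.example.com
stored_identity
```

The request configuration file is reused when the CA signs, so the serial number and IP address requested by the device are what end up in the issued certificate; a CA that silently drops or rewrites requested fields is one reason to inspect the stored certificate after import rather than trusting the paste.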
This section describes the tasks that you must perform to allow the Cisco CG-OS router to assign digital certificates to itself by using manual cut-and-paste.
Defines the trustpoint (secure credentials) for all services requiring secure communications.
This example shows how to create a trustpoint for the Cisco CG-OS router using manual cut-and-paste enrollment.
The configuration process of trusting a CA is complete only when the CA is authenticated to the Cisco CG-OS router. You must authenticate your Cisco CG-OS router to the CA by obtaining the self-signed certificate of the CA in PEM format, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its own certificate), the public key of the CA should be authenticated by contacting the CA administrator to compare the fingerprint of the CA certificate.
Note In order to have a valid certificate, you must know the identity of the root CA even if there are intermediate servers in the path. The full path is identified as the certificate chain. The maximum number of certificates in a CA certificate chain is 10. Be sure that you cut-and-paste the full certificate chain.
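The CA authentication decision described above, as an added example done with OpenSSL (not Cisco's code and not the Cisco CG-OS implementation): the pasted chain is rejected if it is longer than 10 certificates, its self-signed root is located by comparing issuer and subject, and the root's SHA-1 fingerprint is compared with the value confirmed with the CA administrator. The root and subordinate CA are constructed; the value in EXPECTED stands in for the fingerprint obtained out of band. The normalization step exists because a thumbprint copied from the Windows Certificate > Details window (lowercase, space-separated) and OpenSSL's output (uppercase, colon-separated) must compare equal.

```shell
#!/bin/sh
# Added example, not Cisco's code: CA authentication as the text describes it,
# done with OpenSSL. The pasted CA certificate chain is checked for length
# (at most 10 certificates), its self-signed root is located, and the root's
# SHA-1 fingerprint is compared with the value the CA administrator confirmed.
# The root CA, subordinate CA and thumbprint values below are constructed.
set -eu
WORK="$(mktemp -d)"
MAX_CHAIN_LEN=10

# SHA-1 fingerprint of a PEM certificate, normalized to lowercase hex without
# separators so that a thumbprint copied from the Windows "Details" window
# compares equal to OpenSSL's colon-separated uppercase output.
fingerprint_sha1() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}
normalize_thumbprint() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }
count_chain_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# $1 = pasted chain (PEM), $2 = expected SHA-1 thumbprint. Prints the verdict.
authenticate_ca() {
  n="$(count_chain_certs "$1")"
  if [ "$n" -gt "$MAX_CHAIN_LEN" ]; then
    echo "rejected: chain has $n certificates (max $MAX_CHAIN_LEN)"; return 0
  fi
  rm -rf "$WORK/split"; mkdir -p "$WORK/split"
  # One file per certificate, in pasted order.
  awk -v d="$WORK/split" '/BEGIN CERTIFICATE/{i++} {print > (d "/" i ".pem")}' "$1"
  root=""
  for f in "$WORK/split"/*.pem; do
    subj="$(openssl x509 -in "$f" -noout -subject 2>/dev/null)"
    issu="$(openssl x509 -in "$f" -noout -issuer 2>/dev/null | sed 's/^issuer/subject/')"
    if [ "$subj" = "$issu" ]; then root="$f"; fi   # self-signed: issuer == subject
  done
  if [ -z "$root" ]; then echo "rejected: chain contains no self-signed root"; return 0; fi
  if [ "$(fingerprint_sha1 "$root")" != "$(normalize_thumbprint "$2")" ]; then
    echo "rejected: root fingerprint mismatch"; return 0
  fi
  echo authenticated
}

# Constructed two-level CA: a self-signed root and a subordinate CA it signs.
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
    -out "$WORK/sub.csr" -subj "/CN=Example Subordinate CA" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 180 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
  cat "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"   # what the operator pastes
}

build_chain
# Stands in for the fingerprint confirmed out of band with the CA administrator.
EXPECTED="$(fingerprint_sha1 "$WORK/root.pem")"
authenticate_ca "$WORK/chain.pem" "$EXPECTED"                                   # authenticated
authenticate_ca "$WORK/chain.pem" "0000000000000000000000000000000000000000"   # rejected: root fingerprint mismatch
```

Only the root is fingerprinted: the subordinate certificate is covered by the root's signature, and the chain-length check applies to the whole paste, root included.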
Create a trustpoint. (See Creating a Trustpoint.)
This example shows how to authenticate a CA.
Generate an RSA key-pair. (See Generating an RSA Public and Private Key-Pair.)
You must generate a request to obtain identity certificates from the associated trustpoint CA for each of the RSA key-pairs of the Cisco CG-OS router. You must then cut-and-paste the displayed request into an e-mail or in a website form for the CA.
Create an association with the CA. (See Associating the RSA Key-Pair to the Trustpoint.)
You can receive the identity certificate from the CA by email or through a web browser in base64 encoded text form. You must install the identity certificate from the CA by cutting and pasting the encoded text.
Generate a certificate request and verify receipt of the signed certificate from the CA.
This example shows how to install the identity certificate named CGRca into the Cisco CG-OS router.
You can import the certificate and RSA key-pair to recover from a system crash on your Cisco CG-OS router or when you replace equipment on your Cisco CG-OS router.
Note You can use only the bootflash:filename format when specifying the import URL.
Ensure that the trustpoint is empty by checking that no RSA key-pair is associated with it and no CA is associated with the trustpoint using CA authentication.
You can ensure that the trustpoint configuration persists across reboots of the Cisco CG-OS router.
The trustpoint configuration is a normal system configuration that persists across system reboots only if you copy it explicitly to the startup configuration. The certificates and RSA key-pairs associated with a trustpoint are automatically persistent if you have already copied the trustpoint configuration in the startup configuration. Conversely, if the trustpoint configuration is not copied to the startup configuration, the certificates and RSA key-pairs associated with it are not persistent since they require the corresponding trustpoint configuration after a reboot.
Always copy the running configuration to the startup configuration to ensure that the configured certificates and RSA key-pairs are persistent. Also, save the running configuration after deleting a certificate or key-pair to ensure that the deletions are permanent.
The certificates associated with a trustpoint automatically become persistent when imported (that is, without explicitly copying to the startup configuration) if the specific trustpoint is already saved in startup configuration.
Cisco recommends that you create a password protected backup of the identity certificates and save it to an external server. (See Exporting Identity Information in PKCS#12 Format.)
Note Copying the configuration to an external server includes the certificates and RSA key-pairs.
You can export the identity certificate along with the RSA key-pair and CA certificate (or the entire chain in the case of a subordinate CA) of a trustpoint to a PKCS#12 file for backup purposes. You can import the certificate and RSA key-pair to recover from a system crash on your device.
Note You can use only the bootflash:filename format when specifying the export URL.
Generate an exportable RSA key-pair. (See Generating an RSA Public and Private Key-Pair on the Cisco CG-OS Router.)
Authenticate the CA. (See Authenticating the CA.)
Install an identity certificate. (See Installing Identity Certificates.)
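The PKCS#12 backup and restore described in this section and in the earlier import section, as an added example done with OpenSSL (not Cisco's code and not the Cisco CG-OS implementation). Export bundles the RSA key-pair, the identity certificate and the CA certificate under one password; import refuses a wrong password, refuses a target trustpoint that already holds a key-pair or CA certificate (the "trustpoint must be empty" prerequisite), and checks that the restored key-pair, identity certificate and CA certificate fit together before accepting them. The CA, the device identity DeviceA.example.com, the password and the directory used in place of bootflash: are constructed.

```shell
#!/bin/sh
# Added example, not Cisco's code: the PKCS#12 backup and restore described in
# the text, done with OpenSSL. Export bundles the RSA key-pair, identity
# certificate and CA certificate under a password; import refuses a wrong
# password, refuses a trustpoint that is not empty, and checks that what it
# restored fits together. The CA, device identity and password are constructed.
set -eu
WORK="$(mktemp -d)"

# Constructed identity: a CA, plus a device key-pair and the certificate it issued.
setup_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
    -out "$WORK/device.csr" -subj "/CN=DeviceA.example.com" 2>/dev/null
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/device.pem" 2>/dev/null
}

# Export the trustpoint's identity: $1 = output .p12 file (on the router this
# must be a bootflash:filename URL), $2 = password protecting the file.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/device.key" -in "$WORK/device.pem" \
    -certfile "$WORK/ca.pem" -name "DeviceA.example.com" \
    -out "$1" -passout "pass:$2" 2>/dev/null && echo exported
}

# Import into a trustpoint: $1 = .p12 file, $2 = password, $3 = trustpoint
# directory (stands in for the trustpoint's key-pair, identity and CA slots).
import_pkcs12() {
  mkdir -p "$3"
  if [ -e "$3/device.key" ] || [ -e "$3/ca.pem" ]; then
    echo "rejected: trustpoint already has a key-pair or CA certificate"; return 0
  fi
  # The MAC check fails with a wrong password before anything is extracted.
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; then
    echo "rejected: wrong password or corrupt file"; return 0
  fi
  # Extract the three parts; sed drops the "Bag Attributes" text around each PEM block.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | sed -n '/BEGIN/,/END/p' > "$3/device.key"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3/device.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3/ca.pem"
  cert_pub="$(openssl x509 -in "$3/device.pem" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$3/device.key" -pubout 2>/dev/null)"
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "rejected: restored key-pair does not match identity certificate"; return 0
  fi
  if ! openssl verify -CAfile "$3/ca.pem" "$3/device.pem" >/dev/null 2>&1; then
    echo "rejected: identity certificate does not chain to restored CA certificate"; return 0
  fi
  echo imported
}

setup_identity
export_pkcs12 "$WORK/backup.p12" "Backup-Pass-1"             # exported
import_pkcs12 "$WORK/backup.p12" "wrong" "$WORK/tp"          # rejected: wrong password or corrupt file
import_pkcs12 "$WORK/backup.p12" "Backup-Pass-1" "$WORK/tp"  # imported
import_pkcs12 "$WORK/backup.p12" "Backup-Pass-1" "$WORK/tp"  # rejected: trustpoint already has a key-pair or CA certificate
```

The exported file contains the private key, so the password is the only thing protecting it once it leaves the router for an external server; the text's recommendation to keep a password-protected backup off-box assumes that password is managed as carefully as the key itself.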
You can delete the CA certificates and identity certificates that are configured in a trustpoint. You must first delete the CA certificates, followed by the identity certificate. After deleting the identity certificate, you can disassociate the RSA key-pair from a trustpoint. You must delete certificates to remove expired or revoked certificates, certificates whose RSA key-pairs have been compromised (or are suspected to be compromised), or CAs that are no longer trusted.
You can delete the RSA key-pairs on the Cisco CG-OS router when you believe the integrity of the RSA key-pairs is compromised or they should no longer be used.
Note After you delete RSA key-pairs from the Cisco CG-OS router, ask the CA administrator to revoke the certificates of the Cisco CG-OS router at the CA. You must supply the challenge password that was created when the certificates were originally created. (See Generating Certificate Requests.)