Table Of Contents
Configuring the WebVPN Services Module
Configuring Address Resolution
Assigning Hostnames to IP Addresses
Configuring the Virtual Gateway
Configuring End User Authentication
Configuring the Virtual Context
Configuring SSL Policy (Optional)
Configuring TCP Policy (Optional)
Configuring Public Key Infrastructure
Configuring Keys and Certificates
Verifying Certificates and Trustpoints
Backing Up Keys and Certificates
Monitoring and Maintaining Keys and Certificates
Assigning a Certificate to a WebVPN Gateway and Context
Automatic Certificate Renewal and Enrollment
Configuring the WebVPN Services Module
This chapter describes how to configure the WebVPN Services Module from the command-line interface (CLI) of the module:
•
Configuring Address Resolution
•
•
•
•
Configuring Address Resolution
Each unique IP address can have an associated hostname. The Cisco IOS software maintains a cache of hostname-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses.
IP defines a naming scheme that allows a device to be identified by its location in the IP. This is a hierarchical naming scheme that provides for domains. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco is a commercial organization that the IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, the File Transfer Protocol (FTP) system, for example, is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a name server, whose job is to hold a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, then specify a name server, and enable the Domain Naming System (DNS), which is the global naming scheme of the Internet that uniquely identifies network devices.
These tasks are described in the following sections:
•
A VPN routing and forwarding (VRF) instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine the information that goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a Provider Edge router.
To enable the VRF-aware DNS feature, configure the following in global configuration mode:
•
•
•
Optionally, you can also configure a VRF specific default domain name or domain list with the ip domain name vrf name command or ip domain list vrf name command.
Assigning Hostnames to IP Addresses
The Cisco IOS software maintains a table of hostnames and their corresponding addresses, also called a hostname-to-address mapping. Higher-layer protocols such as Telnet use hostnames to identify network devices (hosts). The router and other network devices must be able to associate hostnames with IP addresses to communicate with other IP devices. Hostnames and IP addresses can be associated with one another through static or dynamic means.
Manually assigning hostnames to addresses is useful when dynamic mapping is not available.
To assign hostnames to addresses, perform this task in global configuration mode:
Specifying the Domain Name
You can specify a default domain name that the Cisco IOS software will use to complete domain name requests. You can specify either a single domain name or a list of domain names. Any IP hostname that does not contain a domain name will have the domain name that you specify appended to it before being added to the host table.
To specify a domain name or names, perform one of the following tasks in global configuration mode:
The following example establishes a domain list with several alternate domain names:
Router(config)#ip domain list csi.comRouter(config)#ip domain list telecomprog.eduRouter(config)# ip domain list merit.eduSpecifying a Name Server
To specify one or more hosts (up to six) that can function as a name server to supply name information for the DNS, perform the following task in global configuration mode:
Specifies one or more hosts that supply name information.
Enabling the DNS
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can assign device names that uniquely identify your devices within the entire internetwork. The global naming scheme of the Internet, the DNS, accomplishes this task. This service is enabled by default.
To reenable DNS if it has been disabled, perform the following task in global configuration mode:
A cache of hostname-to-address mappings is used by connect, telnet, ping, trace, write net, and configure net EXEC commands to speed the process of converting names to addresses. The commands used in this example specify the form of dynamic name lookup to be used. Static name lookup also can be configured.
The following example configures the hostname-to-address mapping process. IP DNS-based translation is specified, the addresses of the name servers are specified, and the default domain name is given.
Router(config)# ip domain lookupRouter(config)# ip name-server 131.108.1.111 131.108.1.2Router(config)# ip domain name cisco.comConfiguring the Virtual Gateway
You define the virtual gateway using the webvpn gateway gateway_name command. The gateway is referenced in the WebVPN context.
To configure virtual gateway services, perform this task:
Step 1
Defines the name of the virtual gateway service.
Note
Step 2
Defines the virtual IP address and port number for which the WebVPN Services Module is the proxy. The default for port is 443.
Note
Step 3
webvpn(config-webvpn-gateway)# http-redirect [port port]Specifies that the HTTP port (the default port is 80) is open and that any HTTP connections to the virtual gateway is directed to use secure HTTP (HTTPS).
Step 4
(Optional) Applies a TCP policy. See the "Configuring TCP Policy (Optional)" section for TCP policy parameters. The TCP policy affects only client-side connections.
Step 5
(Optional) Applies an SSL policy. See the "Configuring SSL Policy (Optional)" section for SSL policy parameters. The SSL policy affects only client-side connections.
Step 6
webvpn(config-webvpn-gateway)# ssl trustpoint trustpoint_labelApplies a trustpoint configuration to the WebVPN gateway6 . You can import the test certificate embedded on the module; see "Importing the Embedded Test Certificate."
Note
Step 7
(Optional) Specifies the hostname that is used in the URL and cookie mangling process. In the load-balancing configuration, the hostname specified is the virtual gateway IP address configured on the load-balancing device.
Step 8
webvpn(config-webvpn-gateway)# inservicePuts the gateway in service.
1 Configure the mask address to specify a wildcard proxy service. You must enter the secondary keyword to configure a wildcard proxy service.
2 When you enter the secondary keyword, the WebVPN Services Module does not respond to ARP requests of the virtual IP address.
3 You can enter the secondary keyword when the WebVPN Services Module is used in a standalone configuration or when the WebVPN Services Module is used as a real server on a load balancer (like the CSM) configured in dispatch mode (MAC address rewrite).
4 You can enter the secondary keyword if you configure multiple devices using the same virtual IP address. The virtual IP address can be any legal IP address and does not have to be in the VLAN (subnet) connected to the WebVPN Services Module.
5 If you create a policy without specifying any parameters, the policy is created using the default values.
6 If the key (modulus) size is other than 512, 768, 1024, 1536, or 2048, you will receive an error and the trustpoint configuration is not applied. Replace the key by generating a key (using the same key_label) and specifying a supported modulus size, and then repeat Step 6.
Configuring End User Authentication
For more detailed information on configuring RADIUS, refer to the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.2 at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm
Table 3-1 shows information on the WebVPN RADIUS attribute-value pairs.
Note
webvpn:urllist-name=cisco
webvpn:nbnslist-name=cifs
webvpn:default-domain=cisco.com
Table 3-1 WebVPN RADIUS Attribute-Value Pairs
addr (Framed-IP-Address1 )
ipaddr
IP_address
addr-pool
string
name
banner
string
citrix-enabled
integer
0 (disable)
1 (enable)20
default-domain
string
dns-servers
ipaddr
IP_address
dpd-client-timeout
integer (seconds)
0 (disabled)-3600
300
dpd-gateway-timeout
integer (seconds)
0 (disabled)-3600
300
file-access
integer
0 (disable)
1 (enable) 20
file-browse
integer
0 (disable)
1 (enable) 20
file-entry
integer
0 (disable)
1 (enable) 20
hide-urlbar
integer
0 (disable)
1 (enable) 20
home-page
string
idletime (Idle-Timeout 1)
integer (seconds)
0-3600
2100
ie-proxy-exception
string
DNS_name
ipaddr
IP_address
ie-proxy-server
ipaddr
IP_address
inacl
integer
1-199,
1300-2699string
name
keep-svc-installed
integer
0 (disable)
1 (enable) 21
nbnslist-name
string
name
netmask (Framed-IP-Netmask 1)
ipaddr
IP_address_mask
port-forward-name
string
name
primary-dns
ipaddr
IP_address
rekey-interval
integer (seconds)
0-43200
21600
secondary-dns
ipaddr
IP_address
split-dns
string
split-exclude3
ipaddr ipaddr
IP_address IP_address_mask
word
local-lans
split-include 3
ipaddr ipaddr
IP_address IP_address_mask
svc-enabled4
integer
0 (disable)
1 (enable) 20
svc-ie-proxy-policy
word
none, auto, bypass-local
svc-required 4
integer
0 (disable)
1 (enable) 20
timeout (Session-Timeout 1)
integer (seconds)
1-1209600
43200
urllist-name
string
name
user-vpn-group
string
name
wins-server-primary
ipaddr
IP_address
wins-servers
ipaddr
IP_address
wins-server-secondary
ipaddr
IP_address
1 Standard IETF RADIUS attributes.
2 Any integer other than 0 enables this feature.
3 You can specify either split-include or split-exclude, but you cannot specify both options.
4 You can specify either svc-enable or svc-required, but you cannot specify both options.
Configuring the Virtual Context
You define the virtual context using the webvpn context command. The virtual context links the previously configured address resolution, gateway, and authentication configurations.
To configure clientless mode, configure the URL lists and the group policy. To access e-mail using Outlook Web Access (OWA), configure the URL list to point to the Microsoft Exchange server (for example, http://ipaddr/exchange).
To configure thin-client mode, configure the list of ports to forward and the group policy.
To configure file sharing using the Common Internet File System (CIFS), configure the NetBIOS name service (NBNS) list, the server address, and the group policy.
To configure virtual context, perform this task:
Step 1
Enters the WebVPN context subcommand mode. The optional VPN service name name is used to specify a WebVPN instance.
Step 2
webvpn(config-webvpn-context)# gateway gateway-name {virtual-host virtual-host-name|domain-name domain-name}Specifies the corresponding virtual gateway instance configured on the secure gateway and the mapping methods (for example, IP address, URL, and domain name). The gateway-name parameter should match one of the virtual gateways configured on the system. The domain-name parameter is an ASCII string, which is used to specify a corporate-specific domain name (for example, cisco.com) for the virtual WebVPN instance.
Step 3
Enables the Cisco Secure Desktop (CSD) and allows you to configure the setting for the secure desktop using the CSD Manager.
Note
Step 4
Specifies the NAT addresses to be used in opening a server connection. The addresses specified in the nat-address command must match one of the subnets configured on the WebVPN subinterfaces.
Note
Step 5
Enters url submode and allows you to configure the list of URLs that display on the portal web page. See the "Configuring Clientless Mode" section for information on configuring the URL entries.
Step 6
Enters port-fwd submode and allows you to configure the list of ports to which the end user has access. See the "Configuring Thin-Client Mode" section for information on configuring port forwarding.
Step 7
webvpn(config-webvpn-context)# policy group default-policy-nameEnters the group submode and allows you to configure group policy settings. See the "Configuring Group Policy" section for detailed information on configuring group policy settings, and see the "Configuring Tunnel Mode" section for detailed information on configuring tunnel mode using group policy settings.
Step 8
webvpn(config-webvpn-context)# policy ssl policy-name(Optional) Specifies the SSL policy that the SSL protocol uses. The SSL policy affects only server-side connections.
Step 9
(Optional) Specifies the TCP policy that the TCP protocol uses. The TCP policy affects only server-side connections.
Step 10
Specifies the HTML title string in the browser title and on the title bar. The string is limited to 255 characters. The default string is "WebVPN Service."
Step 11
webvpn(config-webvpn-context)# login-message stringSpecifies the text that prompts the end user to log in. The string is limited to 255 characters. The default string is "Please enter your username and password."
Step 12
Specifies the custom logo image that is displayed on the login and portal pages. The filename is a file that is uploaded by the administrator to the security gateway.
Step 13
Specifies the color of the title bars on the login, home, and file-access portal pages. The default color is purple. For information on valid color values, see "Color Names and RGB Color Values."
Step 14
Specifies the color of the secondary title bars on the login, home, and file-access portal pages. The default color is purple. For information on valid color values, see "Color Names and RGB Color Values."
Step 15
Specifies the color of the text of the title bars on the portal page. The default value is white.
Step 16
Specifies the color of the text of the secondary bars on the portal page. The default value is black.
Step 17
webvpn(config-webvpn-context)# aaa authentication [domain domain-name]|[list list-name]Configures the authentication parameters. Specify either the domain to be used for authentication or an authentication list.
Step 18
webvpn(config-webvpn-context)# default-group-policy policySpecifies the default group policy that the virtual WebVPN context instance uses. See the "Configuring Group Policy" section for information on group policies.
Step 19
webvpn(config-webvpn-context)# vrf-name vrf-nameSpecifies the VRF domain configured for the virtual WebVPN context.
Step 20
webvpn(config-webvpn-context)# max-users numberSpecifies the maximum number of client connections that are allowed to be open for the given virtual WebVPN context (per VRF domain).
Step 21
webvpn(config-webvpn-context)# nbns-list nameCreates the NBNS list name and enters nbmslist submode. See the "Configuring File Sharing Using CIFS" section for information on configuring file sharing.
Step 22
webvpn(config-webvpn-context)# ssl authenticate verify {all|none}Configures the peer certificate verification behavior. This behavior applies to the SSL server certificate when the WebVPN Services Module tries to connect to an HTTPS server.
•
•
Step 23
webvpn(config-webvpn-context)# charset-encoding {shift-jis|iso-8859-1}(Optional) Enables support for Japanese Shift-JIS encoding in the WebVPN gateway. The default value is iso-8859-1.
Step 24
Puts the context in service.
Configuring CSD
Cisco Secure Desktop (CSD) provides a consistent and reliable means of eliminating all traces of sensitive data by providing a single, secure location for session activity and removal on the client system. CSD ensures that cookies, browser history, temporary files, and downloaded content do not remain on a system after a remote user has logged out or after an SSL VPN session has timed out. CSD increases protection against data theft and client system malware (malicious software) by encrypting all data and files associated with or downloaded during the SSL VPN session.
The CSD Manager lets you build and manage the following security components for deployment to your end users:
•
Typical location types include work, home, and insecure (such as a Web cafe). You can use Secure Desktop Manager to define as many locations as needed, and each location can have different settings and options that make up its security profile. Windows locations allow deployment of the secure desktop functions on a location-specific basis.
•
•
•
This section provides a overview of the steps required to install CSD and configure secure desktop settings. For detailed CSD configuration information, refer to the CSD documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csd/csd31/index.htm
Follow these steps to install CSD and configure secure desktop settings:
Step 1
Step 2
Step 3
Step 4
webvpn(config-webvpn-context)# csd enableStep 5
For detailed CSD configuration information, refer to the CSD documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csd/csd31/index.htm
Step 6
webvpn(config-webvpn-context)# inserviceAfter you have put the context in service, end users can download and install the CSD to their PC.
Configuring Clientless Mode
In clientless mode, you configure an end user portal page that displays all URLs displayed as hotlinks. The HTML interface visible to these WebVPN end users varies depending on the values that you set here. End users see a customized home page (portal page) that includes only those features that you enable.
The types of servers you configure here include web servers that provide the following resources:
•
•
•
Note
The portal page for end users who are not members of a group displays all servers that you configure here. If you do not configure any servers or URLs, no servers or URLs are displayed on the portal page, although end users can still access the servers by entering the URL from the toolbar.
To configure the URL lists, perform this task:
Specifying no removes the matching line from the configuration; the URL does not need to be included. Specifying no url-list listname removes the given list from the configuration.
This example shows how to configure URL lists:
webvpn(config-webvpn-context)# url-list ciscowebvpn(config-webvpn-url)# url-text cisco url-value http://cisco.comwebvpn(config-webvpn-url)# url-text CNN url-value http://cnn.comwebvpn(config-webvpn-url)# url-text yahoo url-value http://yahoo.comwebvpn(config-webvpn-url)# url-text payroll url-value http://10.1.2.215/payrollwebvpn(config-webvpn-url)# url-text finance url-value https://finance.cisco.comwebvpn(config-webvpn-url)# url-text "OWA server" url-value http://mail.cisco.com/exchangewebvpn(config-webvpn-url)# url-text "CitrixFarm" url-value http://10.1.2.10/Citrix/MetaFrame/default/default.aspxwebvpn(config-webvpn-url)# exitwebvpn(config-webvpn-context)#Configuring File Sharing Using CIFS
This section describe how to configure NetBIOS Name Service (NBNS) servers that the WebVPN Services Module queries to map a NetBIOS name to an IP address.
WebVPN requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server that you specify corresponds to a specific NetBIOS name that identifies a resource on the network.
To make NBNS operational, you must configure at least one NetBIOS server (host). You can configure up to three NBNS servers for redundancy. The first available server on the list acts as the backup if the active server fails.
Note
To configure the NBNS server for file sharing, perform this task:
Step 1
webvpn(config-webvpn-context)# nbns-list nameCreates an NBNS list name and enters nbmslist submode.
Step 2
webvpn(config-webvpn-nbnslist)# nbns-server ip_addr [master] [timeout timeout][retry retries]Specifies a NetBIOS name service (NBNS) list and server address for Common Internet File System (CIFS) name resolution. You can configure up to three servers.
Note
The ip_addrs specifies the primary domain controller (PDC) on a Windows network.
The master keyword indicates that this is a master browser. Do not enter the master keyword if this a Windows Internet Naming Service (WINS) server.
The timeout value specifies the initial time in seconds to wait for a response to an NBNS query before sending the query to the next server. The default timeout value is 2 seconds; the range is from 1 to 30 seconds.
The retries value specifies the number of times to retry sending a NBNS query to the configured servers, in order. This value represents the number of times to cycle through the list of servers before returning an error. The default retries value is 2; the range is 0 to 10 retries.
Step 3
Returns to context submode.
Step 4
Specifies the group policy name and enters the group subcommand mode. See the "Configuring Group Policy" section for additional information on configuring group policy settings.
Step 5
webvpn(config-webvpn-group)# nbns-list nameSpecifies the previously defined NBNS list.
Note
Step 6
webvpn(config-webvpn-group)# functions {file-access | file-browse | file-entry}Specifies the following functions:
file-access—Enables the end user to access the file servers that are listed on the home page. This keyword is disabled by default. Disabling file-access removes the file-browse and file-entry configuration.
file-browse—Enables the end user to browse file servers. This keyword is disabled by default.
Note
file-entry—Enables the end user to enter file servers or shares directly. This keyword is disabled by default.
Note
Step 7
Returns to context submode.
Step 8
Specifies the default group policy.
Step 9
Specifies the corresponding virtual gateway instance configured on the secure gateway and the mapping methods. The gateway-name parameter should match one of the virtual gateways configured on the system. The domain-name parameter is an ASCII string, which is used to specify a corporate-specific domain name (for example, cisco.com) for the virtual WebVPN instance.
Step 10
Puts the context in service.
This example shows how to configure the context for file sharing:
webvpn(config)# webvpn context c1webvpn(config-webvpn-context)# nbns-list list2webvpn(config-webvpn-nbnslist)# nbns-server 10.1.1.2webvpn(config-webvpn-nbnslist)# exitwebvpn(config-webvpn-context)# policy group p1webvpn(config-webvpn-group)# nbns-list "list2"webvpn(config-webvpn-group)# functions file-acsesswebvpn(config-webvpn-group)# functions file-browsewebvpn(config-webvpn-group)# functions file-entrywebvpn(config-webvpn-group)# exitwebvpn(config-webvpn-context)# default-group-policy p1webvpn(config-webvpn-context)# gateway g1 domain example.comwebvpn(config-webvpn-context)# inserviceConfiguring Thin-Client Mode
Thin-client mode, also called TCP port forwarding, provides access for remote end users to client and server applications that communicate over known, fixed TCP ports. Remote end users can use client applications that are installed on their local PC and securely access remote servers that support those applications.
Cisco has tested the following applications:
•
•
•
•
•
•
•
•
Other TCP-based applications may also work, but Cisco has not tested them.
Thin-client mode requires installing Sun Microsystems Java Runtime Environment and configuring applications on the end user's PC. Both require administrator permissions. It is unlikely that end users will be able to use applications when they connect from public remote systems, such as Internet kiosks or web cafes.
Note
You provide mapping information that the WebVPN Services Module adds to the Hosts file on an end user's PC as the application opens. This mapping information allows the PC to connect to the server at the central site that supports the desired application.
Port forwarding can work only if the applications on remote servers are uniquely identified and reachable either by hostname or by IP address and port. We recommend that you use hostnames. See the "Using Hostnames Versus IP Addresses" section for usage guidelines.
Port forwarding entries are configured in port-fwd submode. Multiple entries may be specified for a given listname. The listname is provided to group the port forwarding entries into a list that can be applied to a username or group policy.
To configure thin-client mode by specifying port forwarding settings, perform this task:
Step 1
Specifies a name for a list of forwarded ports and enters WebVPN port-fwd submode. The maximum length of the listname is 63 characters.
Step 2
Specifies global access to TCP-based applications for WebVPN end users.
For the end user's PC, configure the local TCP port for the application as follows:
•
•
For the server that the end user needs to access, configure the remote server and remote TCP port as follows:
•
•
The description parameter allows for an application name or short description to display on the end user applet window.
Step 3
Exits WebVPN port-fwd submode and returns to WebVPN context submode.
This example shows how to configure port forwarding:
webvpn(config-webvpn-context)# port-forward abcwebvpn(config-webvpn-port-fwd)# local-port 25 remote-server "mailman" remote-port 25 description "SMTP server"webvpn(config-webvpn-port-fwd)# local-port 110 remote-server "pop3-ny" remote-port 110 description "POP3-server"webvpn(config-webvpn-port-fwd)# local-port 143 remote-server "imap-ny" remote-port 143 description "IMAP server"webvpn(config-webvpn-port-fwd)# exitwebvpn(config-webvpn-context)#Guidelines for Local Ports
When the Java applet is downloaded to start port forwarding mode on end user systems that run on Windows 2000 or XP, the hosts file (located at C:\WINNT\system32\drivers\etc\hosts) is backed up as hosts.webvpn. The Java applet then adds a mapping in the hosts file for each port forwarding entry that you configured in the port forwarding list assigned to the end user.
For example, for the following configuration:
port-forward "cisco"local-port 25 remote-server "mailman" remote-port 25 description "smtp"local-port 23 remote-server "pc46" remote-port 23 description "telnet"local-port 110 remote-server "sjcd-2" remote-port 110 description "pop3"the Java applet maps "mailman" to 127.0.0.2, "pc46" to 127.0.0.3, and "sjcd-2" to 127.0.0.4 in the client's host file. The Java applet then listens on the remote port for 127.0.0.2:25, 127.0.0.3:23, and 127.0.0.4:110 on the end user's PC.
Because the mapping is done and the Java applet listens on the required ports, you do not need to change the client applications. For example, the client can still create a Telnet connection to host pc46 (telnet pc46), but the Telnet connection actually goes through the Java applet and is secure.
The above configuration assumes that there are no local servers running on ports 23, 25, and 110. But if the end user's PC is running an application on any of the ports before the applet is downloaded (for example, a Telnet server running on the client PC listening on port 23), the applet then tries to run on 127.0.0.1:local-port. This situation creates two possible scenarios:
•
local-port 23 remote-server "pc46" remote-port 23 description "telnet"Port forwarding fails since the port forwarding entry is unusable by the user.
•
local-port 1230 remote-server "pc46" remote-port 23 description "telnet"Port forwarding succeeds because no applications are running in port 1230 in the client PC. In this scenario, if the end user wants to open a Telnet connection to host pc46, the end user has to enter telnet 127.0.0.1 1230. Whenever the Java applet listens on the local port, you need to modify the client application to communicate with 127.0.0.1:local-port.
The Java applet also listens on 127.0.0.1:local-port when you configure the remote-server's IP address in the port forwarding entry instead of the hostname, as follows:
local-port 1230 remote-server 19.0.0.1 remote-port 23 description "telnet"The above configuration results in the Java applet listening to 127.0.0.1:1230. If the end user wants to open a Telnet connection to 19.0.0.1, the user needs to enter telnet 127.0.0.1:1230.
See the "Using Hostnames Versus IP Addresses" section for usage guidelines.
Note
Using Hostnames Versus IP Addresses
When you use a hostname to identify a remote server, the Java applet modifies the hosts file (assuming that the operating system is Windows and you have administrative privileges on the PC) to create an entry for each application server. For example, when you configure your first port forwarding remote server with hostname johndoew2ksrv, the Java applet creates a backup copy of the original hosts file, and then modifies the hosts file to include a WebVPN entry that maps johndoew2ksrv to a loopback IP address of 127.0.0.2. If your second port forwarding entry is NotesServer, the Java applet adds an entry that maps NotesServer to 127.0.0.3 to the hosts file. These entries are then associated with the real remote application ports. Each entry is unique because the loopback address that the Java applet assigns is unique.
When you use an IP address to identify the remote server, the Java applet does not back up or modify the hosts file. It assigns each server with the loopback IP address of 127.0.0.1 and the TCP port that is configured as the local TCP port. Because the assigned IP address is always 127.0.0.1, each entry must have a unique local TCP port to differentiate applications.
You configure client applications to communicate to a server address. When you use the hostname and remote TCP port, addressing information for application servers is the same regardless of the end user's location. When you use an IP address and local TCP port, addressing information changes as the end user changes locations. You have to reconfigure client applications on end users' PCs.
Configuring Tunnel Mode
Note
Note
This section shows how to configure tunnel mode by specifying an IP local address pool, a WebVPN context, and a WebVPN group policy.
In tunnel mode, the gateway supplies an SSL VPN client (SVC) IP address to each of the end users that are logged into the gateway. Enter the ip local pool command to configure the local IP address pool to supply the SVC IP addresses.
To configure tunnel mode, perform this task:
Step 1
webvpn(config)# ip local pool pool-name start-range end-rangeSpecfies the IP address pool to be used by the WebVPN Services Module for supplying an IP address for each SVC.
Note
Step 2
webvpn(config)# webvpn context context-nameSpecifies the WebVPN context to be used in the configuration.
Step 3
Specifies the group policy name and enters the group subcommand mode.
Step 4
webvpn(config-webvpn-group)# functions {svc-enabled | svc-required}Enables tunnel mode for this group policy. Tunnel mode is disabled by default.
svc-enabled—Enables the user of the group to use tunnel mode. If the SVC fails to install on the end user's PC, the end user can continue to use clientless mode or thin-client mode.
svc-required—Tunnel mode is required. If the SVC fails to install on the end user's PC, the end user cannot use other modes.
Step 5
webvpn(config-webvpn-group)# svc dpd interval {client | gateway} timeoutSpecifies the dead peer detection (DPD) interval values for the gateway or the client, if tunnel-mode WebVPN is enabled for the user or group.
The timeout parameter specifies the timeout value in seconds. The DPD timer is used to determine if a DPD packet needs to be sent to the peer. The DPD timer is reset every time a Cisco SSL Tunnel Protocol (CSTP) frame is received from the peer. When either the gateway or the client does not receive a DPD response, the default is disabled for gateway and client.
Valid values for the DPD interval for client and gateway are 0 (disabled) to 3600 seconds.
Step 6
Configures the local IP address pool to supply the SVC IP addresses.
Step 7
webvpn(config-webvpn-group)# svc dns-server {primary ip_addr | secondary ip_addr}Specifies the primary and secondary DNS servers for web browsing. After the SVC is installed, the active web browser is deactivated and a new browser is launched. The DNS server information specified here is for the newly launched browser. Once the connection is closed, the previous DNS settings are reapplied.
Step 8
Specifies the URL of the web page that is displayed when the end user logs in. The url specifies the path of the URL. The maximum length for the URL is 255 characters. This setting is disabled by default.
Step 9
webvpn(config-webvpn-group)# svc wins-server {primary ip_addr | secondary ip_addr}Specifies the primary and secondary WINS servers.
Step 10
webvpn(config-webvpn-group)# svc default-domain default-domain-nameSpecifies the default domain used for the group.
Step 11
Specifies that the SVC remains installed on the end user client PC after the connection is closed. By keeping the SVC installed on the end user PC, the end user does not have to download the SVC again when a new connection is established.
The no version of this command uninstalls the VPN client and removes the downloaded setup file after the tunnel is terminated.
Step 12
webvpn(config-webvpn-group)# svc rekey [time interval] [method {new-tunnel | ssl}]Specifies when the VPN client rekeys the SSL tunnel and the rekey method used by the WebVPN client. Rekeying is disabled by default. If rekeying is enabled, the default method is ssl.
Valid values for time interval are 0 to 43200 seconds; the default is 3600 (1 hour).
The method new-tunnel keyword terminates the existing tunnel and requests a new tunnel.
The method ssl keyword triggers the SVC to renegotioate SSL security parameters without terminating the existing tunnel.
Step 13
webvpn(config-webvpn-group)# svc split [dns string]{[include ip-address netmask]|[exclude ip-address netmask|local-lans]}Specifies whether all traffic is tunneled to the private network (include) or if traffic destined for an external (nonprivate) network is sent directly to the external website (exclude).
Note
The include keyword allows you to specify the traffic that is tunneled; all other traffic is not tunneled through the internal network.
The exclude keyword allows you to specify the traffic that is sent directly to an external website without being tunneled through the internal network; all other traffic is tunneled.
The exclude local-lans keyword specifies that the end user's local LAN is excluded from being tunneled.
Step 14
webvpn(config-webvpn-group)# svc msie-proxy [exception exception-string]|[server {ip-address|dns_name}: port]|[option {none | auto | bypass-local}]Specifies the Microsoft Internet Explorer (MSIE) browser proxy settings.
Note
The exception keyword specifies a single DNS name or IP address for traffic that is not sent through a proxy. This keyword is disabled by default.
The server keyword specifies an IP address or DNS name, optionally followed by a colon and port number, that is used by all the proxy setting in the browser (HTTP, Secure, FTP, Gopher) except Socks. This keyword is disabled by default.
The option none keyword specifies that the browser does not use a proxy. This setting is the default.
The option auto keyword specifies that the browser proxy settings are automatically detected.
The option bypass-local keyword specifies that the local addresses bypass the proxy.
Step 15
webvpn(config-webvpn-group)# filter tunnel {name | acl_list}Defines the name of the network-level access lists used for the group policy.
Configuring Policies
See the "Configuring the Virtual Gateway" section for procedures for applying policies to a WebVPN gateway.
This section describes how to configure the following policies:
•
•
Configuring Group Policy
Note
Note
To configure various group policy parameters, perform this task:
Configuring SSL Policy (Optional)
The SSL policy template allows you to define parameters associated with the SSL stack.
One of the parameters you can configure is the SSL close-protocol behavior, which specifies that each of the SSL peers should send a close-notify alert and receive a close-notify alert before closing the connection properly. If the SSL connection is not closed properly, the session is removed so that the peers cannot use same SSL session ID in future SSL connections.
However, many SSL implementations do not follow the SSL close-protocol strictly (for example, an SSL peer sends a close-notify alert but does not wait for the close-notify alert from the remote SSL peer before closing the connection).
When an SSL peer initiates the close-connection sequence, the WebVPN Services Module strictly expects a close-notify alert message. If an SSL peer does not send a close-notify alert, the WebVPN Services Module removes the session from the session cache so that the same session ID cannot be used for future SSL connections.
When the WebVPN Services Module initiates the close connection sequence, you can configure the following close-protocol options:
•
•
•
If you do not associate an SSL policy with a particular proxy server, the proxy server enables all the supported cipher suites and protocol versions by default.
To define an SSL policy, perform this task:
Step 1
Defines SSL policy templates.
Step 2
webvpn(config-ssl-policy)# cipher {rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha | rsa-with-des-cbc-sha | rsa-with-3des-ede-cbc-sha | others...}
Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
Step 3
Specifies the version of the SLL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
When you configure the current keyword, the SSL protocol version can be either the maximum supported version or the negotiated version.
When you configure the any keyword, the SSL protocol version is not checked at all.
Note
Step 4
webvpn(config-ssl-policy)# version {ssl3 | tls1 | all}Defines the various protocol versions supported by the proxy server.
Step 5
webvpn(config-ssl-policy)# timeout handshake timeConfigures how long the module keeps the connection in handshake phase. The valid range is from 0 to 65535 seconds.
Step 6
webvpn(config-ssl-policy)# close-protocol {strict | none}Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
Step 7
Enables the session-caching feature. Session caching is enabled by default.
Step 8
Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
Note
Note
Step 9
webvpn(config-ssl-policy)# session-cache size size(Optional) Specifies the size of the session cache 1. The valid range is from 1 to 262143 entries.
Note
1 When the absolute keyword is configured, the session entry is not reused until the configured session timeout expires. When absolute is configured, the number of session entries required is equal to (new_connection_rate * absolute_timeout). Depending on the timeout configuration and the new connection rate, the number of session entries might be very large. In this case, you can limit the number of session entries used by configuring the session-cache size.
Configuring TCP Policy (Optional)
The TCP policy template allows you to define parameters associated with the TCP stack.
To define a TCP policy template, perform this task:
Step 1
Defines TCP policy templates. All defaults are assumed unless otherwise specified.
Step 2
Configures the maximum segment size (MSS), in bytes, that the connection will identify in the SYN packet that it generates.
Note
Step 3
Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
Step 4
Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
Step 5
Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
Step 6
Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
Step 7
Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Step 8
Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Step 9
Forwards the type of service (ToS) value to all packets within a flow.
Note
Note
Step 10
Enables the Nagle algorithm.
When you enable the nagle keyword, small amounts of data that are written by the application is queued into the connection-send queue but is not sent until one of the following situations occurs:
•
•
When you disable the nagle keyword, queueing of data does not occur. All data that is written by the application is sent immediately.
Nagle is enabled by default.
Step 11
Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values for packets are 1 to 10; the default value is 2.
Step 12
webvpn(config-tcp-policy)# delay-ack-timeout timerSpecifies the amount of time before a window-update ACK is sent.
If the number of full-sized segments (as specified in the delayed-ack-threshold command) is not received before this timer expires, then an ACK is sent acknowledging all data received up to this point, but the window is not updated. Valid values for timer are 50 to 500 milliseconds; the default value is 200.
1 If fragmentation occurs, decrease the MSS value until there is no fragmentation.
Configuring Public Key Infrastructure
The WebVPN Services Module uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.
The certificates, which are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates, which are issued by certificate authorities, include the name of the entity to which the certificate was issued, the entity's public key, and the time stamps that indicate the certificate's expiration date.
Public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.
Each WebVPN module supports up to 64 gateways. Each gateway acts as an HTTPS server. You must configure a pair of keys for each gateway in order to apply for a certificate for authentication.
We recommend that the certificates be stored in NVRAM so the module does not need to query the certificate authority at startup to obtain the certificates or to automatically enroll. See the "Saving Your Configuration" section for more information.
When users try to access an HTTPS site through the gateway portal page, the WebVPN Services Module acts as an SSL client and needs to authenticate the certificate that it received from that site. The start time, end time, and the signature on the certificate are validated.
Note
A valid certificate may have been revoked if the key pair has been compromised. If revocation check is necessary, the WebVPN Services Module downloads the certificate revocation list (CRL) from the certificate authority and looks up the serial number of the certificate received.
The certificate can also be filtered by matching certain certificate attribute values with access control list (ACL) maps. Only authenticated certificates that are issued by trusted certificate authorities are accepted.
Note
These sections describe how to configure the public key infrastructure (PKI):
•
•
•
•
•
•
Configuring Keys and Certificates
You can configure keys and certificates using one of the following methods:
•
–
–
–
–
See the "Configuring the Trustpoint Using SCEP" section for details.
•
–
–
–
–
–
See the "Manual Certificate Enrollment" section for details.
•
–
–
See the "Importing and Exporting Key Pairs and Certificates" section for details.
An external PKI system is a server or a PKI administration system that generates key pairs and enrolls for certificates from a certificate authority or a key and certificate archival system. The Public-Key Cryptography Standards (PKCS) specifies the transfer syntax for personal identity information, including the private keys and certificates. This information is packaged into an encrypted file. To open the encrypted file, you must know a pass phrase. The encryption key is derived from the pass phrase.
Note
Configuring the Trustpoint Using SCEP
To configure a trustpoint using SCEP, complete the following tasks:
•
Generating RSA Key Pairs
Note
RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Aldeman. The RSA algorithm is widely used by certificate authorities and SSL servers to generate key pairs. Each certificate authority and each SSL server has its own RSA key pair. The SSL server sends its public key to the certificate authority when enrolling for a certificate. The SSL server uses the certificate to prove its identity to clients when setting up the SSL session.
The SSL server keeps the private key in a secure storage and sends only the public key to the certificate authority, which uses its private key to sign the certificate that contains the server's public key and other identifying information about the server.
Each certificate authority keeps the private key secret and uses the private key to sign certificates for its subordinate certificate authorities and SSL servers. The certificate authority has a certificate that contains its public key.
The certificate authorities form a hierarchy of one or more levels. The top-level certificate authority is called the root certificate authority. The lower level certificate authorities are called intermediate or subordinate certificate authorities. The root certificate authority has a self-signed certificate, and it signs the certificate for the next level subordinate certificate authority, which in turn signs the certificate for the next lower level certificate authority, and so on. The lowest level certificate authority signs the certificate for the SSL server.
Note
These certificates form a chain with the server certificate at the bottom and the root certificate authority's self-signed certificate at the top. Each signature is formed by using the private key of the issuing certificate authority to encrypt a hash digest of the certificate body. The signature is attached to the end of the certificate body to form the complete certificate.
When setting up an SSL session, the SSL server sends its certificate chain to the client. The client verifies the signature of each certificate up the chain by retrieving the public key from the next higher-level certificate to decrypt the signature attached to the certificate body. The decryption result is compared with the hash digest of the certificate body. Verification terminates when one of the certificate authority certificates in the chain matches one of the trusted certificate authority certificates stored in the client's own database.
If the top-level certificate authority certificate is reached in the chain, and there is no match of trusted self-signed certificates, the client may terminate the session or prompt the user to view the certificates and determine if they can be trusted.
After the SSL authenticates the server, it uses the public key from the server certificate to encrypt a secret and send it over to the server. The SSL server uses its private key to decrypt the secret. Both sides use the secret and two random numbers they exchanged to generate the key material required for the rest of the SSL session for data encryption, decryption, and integrity checking.
Note
When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.
Note
To generate RSA key pairs, perform this task:
Generates RSA key pairs.
1 The exportable keyword specifies that the key is allowed to be exported. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.
Note
This example shows how to generate general-purpose RSA keys:
webvpn(config)# crypto key generate rsa general-keys label kp1 exportableThe name for the keys will be: kp1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]: 1024Generating RSA keys.... [OK].
Note
Declaring the Trustpoint
You should declare one trustpoint to be used by the WebVPN Services Module for each certificate.
To declare the trustpoint that your module uses and specify characteristics for the trustpoint, perform this task beginning in global configuration mode:
Step 1
Declares the trustpoint that your module should use. Enabling this command puts you in ca-trustpoint configuration mode.
Step 2
Specifies which key pair to associate with the certificate.
Step 3
webvpn(ca-trustpoint)# enrollment [mode ra] [retry [period minutes] [count count]] url urlSpecifies the enrollment parameters for your certificate authority.
Step 4
webvpn(ca-trustpoint)# ip-address server_ip_addr(Optional) Specifies the IP address of the WebVPN gateway that will use this certificate2 .
Step 5
webvpn(ca-trustpoint)# password password(Optional) Configures a challenge password.
Step 6
webvpn(ca-trustpoint)# revocation-check method1 [method2[method3]](Optional) Specifies how to check the revocation status of a certificate.
The available methods are as follows:
•
•
•
If a second and third method are specified, each method will be used only if the previous method returns an error, such as a server being down.
Step 7
(Optional) Configures the hostname of the WebVPN gateway5 .
Step 8
Exits ca-trustpoint configuration mode.
1 The trustpoint-label should match the key-label of the keys; however, this is not a requirement.
2 Some web browsers compare the IP address in the SSL server certificate with the IP address that might appear in the URL. If the IP addresses do not match, the browser may display a dialog box and ask the client to accept or reject this certificate.
3 For example, subject-name CN=server1.domain2.com, where server1 is the name of the SSL server that appears in the URL. The subject-name command uses the Lightweight Directory Access Protocol (LDAP) format.
4 Arguments specified in the subject name must be enclosed in quotation marks if they contain a comma. For example, O="Cisco, Inc."
5 Some browsers compare the CN field of the subject name in the SSL server certificate with the hostname that might appear in the URL. If the names do not match, the browser may display a dialog box and ask the client to accept or reject the certificate. Also, some browsers will reject the SSL session setup and silently close the session if the CN field is not defined in the certificate.
This example shows how to declare the trustpoint PROXY1 and verify connectivity:
webvpn(config)# crypto pki trustpoint PROXY1webvpn(ca-trustpoint)# rsakeypair PROXY1webvpn(ca-trustpoint)# enrollment url http://exampleCA.cisco.comwebvpn(ca-trustpoint)# revocation-check nonewebvpn(ca-trustpoint)# subject-name C=US, ST=California, L=San Jose, O=Cisco, OU=Lab,CN=host1.cisco.comwebvpn(ca-trustpoint)# endwebvpn# ping example.cisco.comType escape sequence to abort.Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 mswebvpn#Obtaining the Certificate Authority Certificate
For each trustpoint, you must obtain a certificate that contains the public key of the certificate authority; multiple trustpoints can use the same certificate authority.
Note
To obtain the certificate that contains the public key of the certificate authority, perform this task in global configuration mode:
This example shows how to obtain the certificate of the certificate authority:
webvpn(config)# crypto pki authenticate PROXY1Certificate has the following attributes:Fingerprint: A8D09689 74FB6587 02BFE0DC 2200B38A% Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.webvpn(config)# endwebvpn#Requesting a Certificate
You must obtain a signed certificate from the certificate authority for each trustpoint.
To request signed certificates from the certificate authority, perform this task in global configuration mode:
Requests a certificate for the trustpoint.
1 You have the option to create a challenge password that is not saved with the configuration. This password is required in the event that your certificate needs to be revoked, so you must remember this password.
Note
This example shows how to request a certificate:
webvpn(config)# crypto pki enroll PROXY1%% Start certificate enrollment..% The subject name in the certificate will be: C=US; ST=California; L=San Jose; O=Cisco; OU=Lab; CN=host1.cisco.com% The subject name in the certificate will be: host.cisco.com% The serial number in the certificate will be: 00000000% The IP address in the certificate is 10.0.0.1% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificate' command will also show the fingerprint.Fingerprint: 470DE382 65D8156B 0F84C2AF 4538B913webvpn(config)# endAfter you configure the trustpoint, see the "Verifying Certificates and Trustpoints" section to verify the certificate and trustpoint information.
Example of Three-Tier Certificate Authority Enrollment
The WebVPN Services Module supports up to eight levels of certificate authority (one root certificate authority and up to seven subordinate certificate authorities).
The following example shows how to configure three levels of certificate authority:
•
webvpn(onfig)# crypto key generate rsa general-keys label key1 exportableThe name for the keys will be:key1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]•
webvpn(config)# crypto pki trustpoint 3tier-rootwebvpn(ca-trustpoint)# enrollment url tftp://10.1.1.1webvpn(ca-trustpoint)#webvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki trustpoint 3tier-sub1webvpn(ca-trustpoint)# enrollment url tftp://10.1.1.2webvpn(ca-trustpoint)#webvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki trustpoint tp-proxy1webvpn(ca-trustpoint)# enrollment url tftp://10.1.1.3webvpn(ca-trustpoint)# serial-numberwebvpn(ca-trustpoint)# password ciscowebvpn(ca-trustpoint)# subject CN=ste.cisco.comwebvpn(ca-trustpoint)# rsakeypair key1webvpn(ca-trustpoint)# showenrollment url tftp://10.1.1.3serial-numberpassword 7 02050D480809subject-name CN=ste.cisco.comrsakeypair key1endwebvpn(ca-trustpoint)# exit•
webvpn(config)# crypto pki authenticate 3tier-rootCertificate has the following attributes:Fingerprint:84E470A2 38176CB1 AA0476B9 C0B4F478% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.webvpn(config)#webvpn(config)# crypto pki authenticate 3tier-sub1Certificate has the following attributes:Fingerprint:FE89FB0D BF8450D7 9934C926 6C66708DCertificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.webvpn(config)#webvpn(config)# crypto pki authenticate tp-proxy1Certificate has the following attributes:Fingerprint:6E53911B E29AE44C ACE773E7 26A098C3Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.•
webvpn(config)# crypto pki enroll tp-proxy1%% Start certificate enrollment ..% The fully-qualified domain name in the certificate will be:ste.% The subject name in the certificate will be:ste.% The serial number in the certificate will be:B0FFF0C2% Include an IP address in the subject name? [no]:Request certificate from CA? [yes/no]:yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificate' command will also show the fingerprint.webvpn(config)# Fingerprint: 74390E57 26F89436 6FC52ABE 24E23CD9webvpn(config)#*Apr 18 05:10:20.963:%CRYPTO-6-CERTRET:Certificate received from Certificate AuthorityManual Certificate Enrollment
The Manual Certificate Enrollment (TFTP and cut-and-paste) feature allows you to generate a certificate request and accept certificate authority certificates as well as router certificates. These tasks are accomplished with a TFTP server or manual cut-and-paste operations. You may want to use TFTP or manual cut-and-paste enrollment in the following situations:
•
•
Configure the Manual Certificate Enrollment (TFTP and cut-and-paste) feature as described at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftmancrt.htm
Note
For example, in a three-tier certificate authority hierarchy (root CA, subordinate CA1, and subordinate CA2), when you import the subordinate CA1 certificate, enter the revocation-check none command for all the trustpoints associated with root CA. Similarly, when you import the subordinate CA2 certificate, enter the revocation-check none command for all the trustpoints associated with root CA and subordinate CA1.
After you successfully import the certificate, you can restore the original CRL options on the trustpoints.Example 1: Configuring Certificate Enrollment Using TFTP (One-Tier Certificate Authority)
1.
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# crypto pki trustpoint tftp_examplewebvpn(ca-trustpoint)# enrollment url tftp://10.1.1.2/win2kwebvpn(ca-trustpoint)# rsakeypair pair3webvpn(ca-trustpoint)# exit2.
webvpn(config)# crypto pki enroll tftp_example% Start certificate enrollment ..% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.com% The subject name in the certificate will be: ssl-proxy.cisco.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 00000000% Include an IP address in the subject name? [no]:Send Certificate Request to tftp server? [yes/no]: yes% Certificate request sent to TFTP Server% The certificate request fingerprint will be displayed.% The 'show crypto pki certificate' command will also show the fingerprint.webvpn(config)# Fingerprint: D012D925 96F4B5C9 661FEC1E 207786B7!!3.
webvpn(config)# crypto pki auth tftp_exampleLoading win2k.ca from 10.1.1.2 (via Ethernet0/0.168): ![OK - 1436 bytes]Certificate has the following attributes:Fingerprint: 2732ED87 965F8FEB F89788D4 914B877D% Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.webvpn(config)#4.
webvpn(config)# crypto pki import tftp_example cert% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.comRetrieve Certificate from tftp server? [yes/no]: yes% Request to retrieve Certificate queuedwebvpn(config)#Loading win2k.crt from 10.1.1.2 (via Ethernet0/0.168): ![OK - 2112 bytes]webvpn(config)#*Apr 15 12:02:33.535: %CRYPTO-6-CERTRET: Certificate received from Certificate Authoritywebvpn(config)#Example 2: Configuring Certificate Enrollment Using Cut-and-Paste (One-Tier Certificate Authority)
1.
webvpn(config)# crypto key generate rsa general-keys label CSR-key exportableThe name for the keys will be:CSR-keyChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]2.
webvpn(config)# crypto pki trustpoint CSR-TPwebvpn(ca-trustpoint)# rsakeypair CSR-keywebvpn(ca-trustpoint)# serialwebvpn(ca-trustpoint)# subject-name CN=abc, OU=hss, O=ciscowebvpn(ca-trustpoint)# enrollment terminalwebvpn(ca-trustpoint)# exit3.
webvpn(config)# crypto pki enroll CSR-TP% Start certificate enrollment ..% The subject name in the certificate will be:CN=abc, OU=hss, O=cisco% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com% The subject name in the certificate will be:ssl-proxy.cisco.com% The serial number in the certificate will be:B0FFF22E% Include an IP address in the subject name? [no]:noDisplay Certificate Request to terminal? [yes/no]:yesCertificate Request follows:MIIBwjCCASsCAQAwYTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEMMAoGA1UEAxMDYWJjMTMwDwYDVQQFEwhCMEZGRjIyRTAgBgkqhkiG9w0BCQIWE3NzbC1wcm94eS5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQtYSF77R1pmhK0WSKPuu7fJPYr/Cbo80OUzkRAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQQFAAOBgQC2GIX06/hihXHADA5sOpxgLsO1rMP8PF4bZDdlpWLVBSOrp4S1L7hH9P2NY9rgZAJhDTRfGGm179JYGOtUuCyPYPkpb0S5VGTUrHvvUWekleKq2d91kfgbkRmJmHBaB2Ev5DNBcV11SIMXRULG7oUafU6sxnDWqbMseToF4WrLPg==---End - This line not part of the certificate request---Redisplay enrollment request? [yes/no]:no4.
webvpn(config)# crypto pki authenticate CSR-TPEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIICxzCCAjCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJjYTAeFw0wMzA2MjYyMjM4MDlaFw0wODEyMTYyMjM4MDlaMFIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMTAmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcG9ObqOLmf0cASkF48jz8X7ZQxT1H68OQKNC3ks95vkGbOAa/1/R4ACQ3s9iPkcGQVqi4Dv8/iNG/1mQo8HBwtR9VgG0l8IGBbuiZdlarYnQHUz6Bm/HzE1RXVOY/VmyPOVevYy8/cYhwx/xOE9BYQOyP15Chi8nhIS5F+WWoHQIDAQABo4GsMIGpMB0GA1UdDgQWBBS4Y+/lSXKDrw5N5m/tgCzu/W81PDB6BgNVHSMEczBxgBS4Y+/lSXKDrw5N5m/tgCzu/W81PKFWpFQwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCY2GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQB/rPdLFVuycbaJQucdFQG7kl/XBNI7aY3IL3Lkeumt/nXD+eCnRpYE5WWY8X1Aizqnj4bqFdqPqYdD7Lg8viwqm2tQmU6zCsdaKhL1J7FCWbfs2+Z5oNV2Vsqx0Ftnf8en/+HtyS2AdXHreThfgkXz3euXD0ISMFVKRy81o4EdzA==-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:B8B35B00 095573D0 D3B8FA03 B6CA8934% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedwebvpn(config)#5.
webvpn(config)# crypto pki import CSR-TP certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.comEnter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIB7TCCAVYCAQQwDQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCY2EwHhcNMDMxMTIwMDAxMzE2WhcNMDQxMTE5MDAxMzE2WjAsMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQksuSY589V+GMDrO9B4Sxn+5Np2bQmd745NvI4gorNRvXcdjmE+/SzE+bBSBcKAwNtYSF77R1pmhK0WSKPuu7fJPYr/Cbo80OUzkRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjqJ9378P6Gz69Ykplw06Powp+2rbe2iFBrE1xE09BL6G6vzcBQgb5W4uwqxe7SIHrHsS0/7Be3zeJnlOseWx/KVj7I02iPgrwUa9DLavwrTyaa0KtTpti/i5nIwTNh5xkp2bBJQikD4TEK7HAvXfHQ9SyB3YZJk/Bjp6/eFHEfU=-----END CERTIFICATE-----% Router Certificate successfully importedwebvpn(config)#^ZExample 3: Configuring Certificate Enrollment Using TFTP (Three-Tier Certificate Authority)
1.
webvpn(config)# crypto key generate rsa general-keys label test-3tier exportableThe name for the keys will be:test-3tierChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]2.
webvpn(config)# crypto pki trustpoint test-3tierwebvpn(ca-trustpoint)# serial-numberwebvpn(ca-trustpoint)# password ciscowebvpn(ca-trustpoint)# subject CN=test-3tier, OU=hss, O=Ciscowebvpn(ca-trustpoint)# rsakeypair test-3tierwebvpn(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-3tierwebvpn(ca-trustpoint)# exit3.
webvpn(config)# crypto pki enroll test-3tier%% Start certificate enrollment ..% The subject name in the certificate will be:CN=test-3tier, OU=hss, O=Cisco% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com% The subject name in the certificate will be:ssl-proxy.cisco.com% The serial number in the certificate will be:B0FFF22E% Include an IP address in the subject name? [no]:Send Certificate Request to tftp server? [yes/no]:yes% Certificate request sent to TFTP Server% The certificate request fingerprint will be displayed.% The 'show crypto pki certificate' command will also show the fingerprint.webvpn(config)# Fingerprint: 19B07392 319B2ACF F8FABE5C 52798971webvpn(config)#!!4.
5.
webvpn(config)# crypto pki trustpoint test-1tierwebvpn(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-1tierwebvpn(ca-trustpoint)# revocation-check nonewebvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki authenticate test-1tierLoading test-1tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1046 bytes]Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.webvpn(config)# crypto pki trustpoint test-2tierwebvpn(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-2tierwebvpn(ca-trustpoint)# revocation-check nonewebvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki authenticate test-2tierLoading test-2tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1554 bytes]Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.webvpn(config)# crypto pki authenticate test-3tierLoading test-3tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1545 bytes]Certificate has the following attributes:Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.6.
webvpn(config)# crypto pki import test-3tier certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.comRetrieve Certificate from tftp server? [yes/no]:yes% Request to retrieve Certificate queuedwebvpn(config)#Loading test-3tier.crt from 10.1.1.3 (via Ethernet0/0.172):![OK - 1608 bytes]webvpn(config)#*Nov 25 21:52:36.299:%CRYPTO-6-CERTRET:Certificate received from Certificate Authoritywebvpn(config)# ^ZExample 4: Configuring Certificate Enrollment Using Cut-and-Paste (Three-Tier Certificate Authority)
1.
webvpn(config)# crypto key generate rsa general-keys label tp-proxy1 exportableThe name for the keys will be:tp-proxy1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]2.
webvpn(config)# crypto pki trustpoint tp-proxy1webvpn(ca-trustpoint)# enrollment terwebvpn(ca-trustpoint)# rsakeypair tp-proxy1webvpn(ca-trustpoint)# serialwebvpn(ca-trustpoint)# subject-name CN=testwebvpn(ca-trustpoint)# exit3.
webvpn(config)# crypto pki enroll tp-proxy1% Start certificate enrollment ..% The subject name in the certificate will be:CN=test% The fully-qualified domain name in the certificate will be:ssl-proxy.% The subject name in the certificate will be:ssl-proxy.% The serial number in the certificate will be:B0FFF14D% Include an IP address in the subject name? [no]:noDisplay Certificate Request to terminal? [yes/no]:yesCertificate Request follows:MIIBnDCCAQUCAQAwOzENMAsGA1UEAxMEdGVzdDEqMA8GA1UEBRMIQjBGRkYxNEQwFwYJKoZIhvcNAQkCFgpzc2wtcHJveHkuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFx1ol9IXoAx4fyUhaXH6s4p5t9soIZ1gvLtVX6Fp6zfuX47os5TGJH/IXzV9B4e5Kv+wlMD0AvTh+/tvyAP3TMpCdpHYosd2VaTIgExpHf4M5Ruh8IebVKV25rraIpNiS0PvPLFcrw4UfJVNpsc2XBxBhpT+FS9y67LqlhfSN4wIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEEBQADgYEAkOIjd1KNJdKLMf33YELRd3MW/ujJIuiT1J8RYVbw1eE8JQf68TTdKiYqzQcoMgspez3vSPxXFZ/c6naXdVyrTikTX3GZ1mu+UOvV6/Jaf5QcXa9tAi3fgyguV7jQMPjkQj2GrwhXjcqZGOMBh6Kq6s5UPsIDgrL036I42B6B3EQ=---End - This line not part of the certificate request---Redisplay enrollment request? [yes/no]:no4.
5.
a.
Note
webvpn(config)# crypto pki trustpoint 3tier-rootwebvpn(ca-trustpoint)# enrollment terminalwebvpn(ca-trustpoint)# crl opwebvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki trustpoint 3tier-sub1webvpn(ca-trustpoint)# enrollment terminalwebvpn(ca-trustpoint)# crl opwebvpn(ca-trustpoint)# exitb.
webvpn(config)# crypto pki authenticate 3tier-rootEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedc.
webvpn(config)# crypto pki authenticate 3tier-sub1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIETzCCA/mgAwIBAgIKGj0cBwAAAAAADjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMzIyMDQyMVoXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDcvV48nC2uukoSyGJ/GymCIEXZzMSzpbkYS7eWPaZYyiJDhCIKuUsMgFDRNfMQmUSArcWmPizFZc9PFumDa03vAgMBAAGjggJpMIICZTAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUWaaNN2U14BaBoU9mY+ncuHpP920wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wga4GA1UdIwSBpjCBo4AUJgYtQFMo130SBSiceehK9seDRrGheaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCEGnVMc1P4ve4Q5mUWCdWwXAwgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tbDhqNm9ocG5yXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL2Npc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXGNpc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwDQYJKoZIhvcNAQEFBQADQQA6kAV3Jx/BOr2hlSp9ER36ZkDJNIW93gNt2MkpcA07RmcrHln6q5RJ9WbvTxFnONdgpsag1EcOwn97XErHZ2ow-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully importedd.
webvpn(config)# crypto pki authenticate tp-proxy1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIESTCCA/OgAwIBAgIKHyiFxAAAAAAABjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhMB4XDTAzMTExMzIyMjI1MloXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMi1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC7ChZc0NYLBHf1sr/3Z4y6w5WoeioIpCOCSydhnbd5wnwuethoyStVt9lr6i61jWKld68Z8EoTg71daiV/WR/HAgMBAAGjggJjMIICXzAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU6FmJopqqzpbFMj6TaB2/wjlWlqEwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wgagGA1UdIwSBoDCBnYAUWaaNN2U14BaBoU9mY+ncuHpP922heaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCCho9HAcAAAAAAA4wgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tZzI1dWE2bzRlXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXN1YjEtY2EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL2Npc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWcyNXVhNm80ZVxDZXJ0RW5yb2xsXGNpc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwDQYJKoZIhvcNAQEFBQADQQCieB8rvVCqVF2cFw9/v51jGn7LQ6pUGT3bMRbOrgQKytTz/Yx09156nYZHrvVuLzmzz5CriI2saVx+q1Tarwil-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully importede.
webvpn(config)# crypto pki import tp-proxy1 certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.Enter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIENTCCA9+gAwIBAgIKLmibDwAAAAAACDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhMB4XDTAzMTExOTIzNDUzNVoXDTA0MTExMzIyMTQyMVowPTERMA8GA1UEBRMIQjBGRkYxNEQxGTAXBgkqhkiG9w0BCQITCnNzbC1wcm94eS4xDTALBgNVBAMTBHRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXHWiX0hegDHh/JSFpcfqzinm32yghnWC8u1VfoWnrN+5fjuizlMYkf8hfNX0Hh7kq/7CUwAf8EBAMCBaAwHQYDVR0OBBYEFCXlzcYHyo1PNbfubnivi8d2VO22MIGoBgNVHSMEgaAwgZ2AFOhZiaKaqs6WxTI+k2gdv8I5VpahoXmkdzB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhggofKIXEAAAAAAAGMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1vam14Y25jenYvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtc3ViMi1jYS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLW9qbXhjbmN6dlxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNybDCByAYIKwYBBQUHAQEEgbswgbgwWQYIKwYBBQUHMAKGTWh0dHA6Ly9jaXNjby1vam14Y25jenYvQ2VydEVucm9sbC9jaXNjby1vam14Y25jenZfc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3J0MFsGCCsGAQUFBzAChk9maWxlOi8vXFxjaXNjby1vam14Y25jenZcQ2VydEVucm9sbFxjaXNjby1vam14Y25jenZfc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3J0MA0GCSqGSIb3DQEBBQUAA0EAtbxmUBOxZ/hcrCc3hY7pa6q/LmLonXSL8cjAbV2I7A5QGYaNi5k98FlEz1WOxW0J2C3/YsvIf4dYpsQWdKRJbQ==-----END CERTIFICATE-----% Router Certificate successfully importedwebvpn(config)#^ZImporting and Exporting Key Pairs and Certificates
You can import and export key pairs and certificates using either the PKCS12 file format or privacy-enhanced mail (PEM) file format.
This section descrbies how to import or export key pairs and certificates:
•
•
Note
Note
For example, in a three-tier certificate authority hierarchy (root CA, subordinate CA1, and subordinate CA2), when you import the subordinate CA1 certificate, enter the revocation-check none command for all the trustpoints associated with root CA. Similarly, when you import the subordinate CA2 certificate, enter the revocation-check none command for all the trustpoints associated with root CA and subordinate CA1.
After you successfully import the certificate, you can restore the original CRL options on the trustpoints.Importing and Exporting a PKCS12 File
You can use an external PKI system to generate a PKCS12 file and then import this file to the WebVPN Services Module.
Note
Note
To import or export a PKCS12 file, perform this task:
webvpn(config)# crypto pki {import | export} trustpoint_label pkcs12 {scp:| ftp:| nvram:| rcp:| tftp:} [pkcs12_filename1 ] pass_phrase2
Imports or exports a PKCS12 file.
Note
1 If you do not specify the pkcs12_filename value, you will be prompted to accept the default filename (the default filename is the trustpoint_label value) or enter the filename. For ftp: or tftp:, include the full path in the pkcs12_filename value.
2 You will receive an error if you enter the pass phrase incorrectly.
This example shows how to import a PKCS12 file using SCP:
webvpn(config)# crypto pki import TP2 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Source username [ssl-proxy]? admin-1Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12Password:passwordSending file modes:C0644 4379 TP2.p12!webvpn(config)#*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.webvpn(config)#This example shows how to export a PKCS12 file using SCP:
webvpn(config)# crypto pki export TP1 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Destination username [ssl-proxy]? admin-1Destination filename [TP1]? TP1.p12Password:Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12Password:!CRYPTO_PKI:Exported PKCS12 file successfully.webvpn(config)#This example shows how to import a PKCS12 file using FTP:
webvpn(config)# crypto pki import TP2 pkcs12 ftp: sky is blueAddress or name of remote host []? 10.1.1.1Source filename [TP2]? /admin-1/pkcs12/PK-1024Loading /admin-1/pkcs12/PK-1024 ![OK - 4339/4096 bytes]webvpn(config)#This example shows how to export a PKCS12 file using FTP:
webvpn(config)# crypto pki export TP1 pkcs12 ftp: sky is blueAddress or name of remote host []? 10.1.1.1Destination filename [TP1]? /admin-1/pkcs12/PK-1024Writing pkcs12 file to ftp://10.1.1.1//admin-1/pkcs12/PK-1024Writing /admin-1/pkcs12/PK-1024 !!CRYPTO_PKI:Exported PKCS12 file successfully.webvpn(config)#After you import the PKCS12 file, see the "Verifying Certificates and Trustpoints" section to verify the certificate and trustpoint information.
Importing and Exporting PEM Files
Note
Note
Note
To import or export PEM files, perform one of these tasks:
webvpn(config)# crypto pki import trustpoint_label pem [exportable] {terminal | url {scp:| ftp:| nvram:| rcp:| tftp:} | usage-keys} pass_phrase1 ,2
Imports PEM files.
Note
webvpn(config)# crypto pki export trustpoint_label pem {terminal | url {scp:| ftp:| nvram:| rcp:| tftp:} [des | 3des] pass_phrase 1, 2
Exports PEM files.
Note
1 You will receive an error if you enter the pass phrase incorrectly.
2 A pass phrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by a pass phrase.
This example shows how to import PEM files using TFTP:
Note
webvpn(config)# crypto pki import TP5 pem url tftp://10.1.1.1/TP5 password% Importing CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [TP5.ca]?Reading file from tftp://10.1.1.1/TP5.caLoading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1976 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.prv]?Reading file from tftp://10.1.1.1/TP5.prvLoading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): ![OK - 963 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.crt]?Reading file from tftp://10.1.1.1/TP5.crtLoading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1692 bytes]% PEM files import succeeded.webvpn(config)#endwebvpn#*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by consoleThis example shows how to export PEM files using TFTP:
webvpn(config)# crypto pki export TP5 pem url tftp://10.1.1.1/tp99 3des password% Exporting CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.ca]?% File 'tp99.ca' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.ca!% Key name: key1Usage: General Purpose Key% Exporting private key...Address or name of remote host [10.1.1.1]?Destination filename [tp99.prv]?% File 'tp99.prv' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.prv!% Exporting router certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.crt]?% File 'tp99.crt' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.crt!webvpn(config)#After you import the PEM files, see the "Verifying Certificates and Trustpoints" section to verify the certificate and trustpoint information.
Example of Importing PEM Files for Three Levels of Certificate Authority
In this section, the root certificate authority certificate (Tier 1) and intermediate certificate authority certificate (Tier 2) are obtained using the cut-and-paste option of the offline enrollment. The intermediate certificate authority certificate (Tier 3), private keys, and router certificate are obtained by importing PEM files.
1.
webvpn(config)# crypto pki trustpoint 3tier-rootwebvpn(ca-trustpoint)# enrollment terminalwebvpn(ca-trustpoint)# revocation-check nonewebvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki authenticate 3tier-rootEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully imported2.
webvpn(config)# crypto pki trustpoint 3tier-subca1webvpn(ca-trustpoint)# enroll terminalwebvpn(ca-trustpoint)# revocation-check nonewebvpn(ca-trustpoint)# exitwebvpn(config)# crypto pki authenticate 3tier-subca1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIETzCCA/mgAwIBAgIKGj0cBwAAAAAADjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMzIyMDQyMVoXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDcvV48nC2uukoSyGJ/GymCIEXZzMSzpbkYS7eWPaZYyiJDhCIKuUsMgFDRNfMQmUSArcWmPizFZc9PFumDa03vAgMBAAGjggJpMIICZTAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUWaaNN2U14BaBoU9mY+ncuHpP920wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wga4GA1UdIwSBpjCBo4AUJgYtQFMo130SBSiceehK9seDRrGheaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCEGnVMc1P4ve4Q5mUWCdWwXAwgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tbDhqNm9ocG5yXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL2Npc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXGNpc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwDQYJKoZIhvcNAQEFBQADQQA6kAV3Jx/BOr2hlSp9ER36ZkDJNIW93gNt2MkpcA07RmcrHln6q5RJ9WbvTxFnONdgpsag1EcOwn97XErHZ2ow-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully imported3.
webvpn(config)# crypto pki import tp-proxy1 pem terminal cisco% Enter PEM-formatted CA certificate.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE-----MIIESTCCA/OgAwIBAgIKHyiFxAAAAAAABjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhMB4XDTAzMTExMzIyMjI1MloXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMi1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC7ChZc0NYLBHf1sr/3Z4y6w5WoeioIpCOCSydhnbd5wnwuethoyStVt9lr6i61jWKld68Z8EoTg71daiV/WR/HAgMBAAGjggJjMIICXzAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU6FmJopqqzpbFMj6TaB2/wjlWlqEwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wgagGA1UdIwSBoDCBnYAUWaaNN2U14BaBoU9mY+ncuHpP922heaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCCho9HAcAAAAAAA4wgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tZzI1dWE2bzRlXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXN1YjEtY2EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL2Npc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWcyNXVhNm80ZVxDZXJ0RW5yb2xsXGNpc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwDQYJKoZIhvcNAQEFBQADQQCieB8rvVCqVF2cFw9/v51jGn7LQ6pUGT3bMRbOrgQKytTz/Yx09156nYZHrvVuLzmzz5CriI2saVx+q1Tarwil-----END CERTIFICATE-----% Enter PEM-formatted encrypted private key.% End with "quit" on a line by itself.-----BEGIN RSA PRIVATE KEY-----Proc-Type:4,ENCRYPTEDDEK-Info:DES-EDE3-CBC,F0D3269840071CF8gQb9JMplIE5AEdhumLuBFWT53k+L/EGLhFfQn/roPlEOiIGEB6y3DeYNN/xZSiy3JOHN0kh8Wjw3pshrdNVcoQj2X7BPI+YOipok40WOk5J/+dnRLwMjv+rl0tr+LcCknBdR8zIOkOJObULLUOXFBM7oB3Dsk4Y3FBv8EAR3AdQiZjevau4FIyQn+JfVZy+JwctmvZnX0c0fevPsgID4dCPkeY6+I0DkxMyRiuyn+wIrJw1xVA2VIOrRJojBNlRu6/APef8JwpfnNcgpcLYt/4Q+3Yjl9EfRLjgiL6eSRki/6K5lrV3eKbwOTyjvXq5hG0Q6dtNEoIvOg1Vad0CXeL+TxJ4ySq4E63OxIHkclDBsusGoUGLoZ+OtaxApAZ+5WbKqR+ND1LlPmS8/ZL9LMPhUh9eOqZJjJTe6NbxY7jeNHjAmpP7/WpB2f2kV/LZgn2AV4GALBZtqXtreGiayZzXpEA5J00lbzRZWf9JHA1diz/unW00/GH9LvCqA9O15YJGCrRMI9US7MWm8kIkiJqNgLtbPad5cOaieQe+Kncgcm18Hc7pfhDwXGG4RS40xTSV/kIR4Gi7h8Lu71wZKTaWYHBPTUyTIpNsFUEdvItHXOSBw2LWNWzdYgpGoMT/tryuu0lAC9YdBalAxY0DaqqpuXKzxfiw5QDbqZWVq3qAxXfLAtTgu/gFCuFQvbBGl87H1C+nOQUq2nkpMpHZLsl3V0w/2yqg+q6rUydANFF+a5vRaLgX/PGms92ZkZUdPZ5qeKJmoURSlMYxDuhQDl93RYxXJxOYIYrCrI/QaBpIH6QvUH60wWA==-----END RSA PRIVATE KEY-----quit% Enter PEM-formatted certificate.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE-----MIIEXTCCBAegAwIBAgIKTJOcWgAAAAAACTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhMB4XDTAzMTEyNTIwMjExMFoXDTA0MTExMzIyMTQyMVowPjERMA8GA1UEBRMIQjBGRkYyMkUxKTAnBgkqhkiG9w0BCQITGnNpbXBzb24tNjUwOS1zdGUuY2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkhRKm38hSF7l0WXlYm8ixs2Hz/yjNw7tchtRPIp0qCTJKW00gzZpp8dqaNi3s2GVVWb+tCgsol0MZLIkyoj/9vT9MC7Zo3LOxYy9kD+6M9peUWMT4JLSD4Exzxsd87JpP1bo0o8WhYjvMor/bL30sW8ly2RH2vppEMn9eLEN0vwIDAQABo4ICajCCAmYwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBSx6uQ2sARlcjzhBSiMu7xeu1n6AjCBqAYDVR0jBIGgMIGdgBToWYmimqrOlsUyPpNoHb/COVaWoaF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYYIKHyiFxAAAAAAABjAoBgNVHREBAf8EHjAcghpzaW1wc29uLTY1MDktc3RlLmNpc2NvLmNvbTCBlwYDVR0fBIGPMIGMMEOgQaA/hj1odHRwOi8vY2lzY28tb2pteGNuY3p2L0NlcnRFbnJvbGwvc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3JsMEWgQ6BBhj9maWxlOi8vXFxjaXNjby1vam14Y25jenZcQ2VydEVucm9sbFxzaW1wc29uLWRldnRlc3Qtc3ViMi1jYS5jcmwwgcgGCCsGAQUFBwEBBIG7MIG4MFkGCCsGAQUFBzAChk1odHRwOi8vY2lzY28tb2pteGNuY3p2L0NlcnRFbnJvbGwvY2lzY28tb2pteGNuY3p2X3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNydDBbBggrBgEFBQcwAoZPZmlsZTovL1xcY2lzY28tb2pteGNuY3p2XENlcnRFbnJvbGxcY2lzY28tb2pteGNuY3p2X3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNydDANBgkqhkiG9w0BAQUFAANBABFh7XeLwvfBtjAR+e5OaUH5KTGJDbeJppOmMFXnFakpgWop9Qg4cHRCQq7V0pAWiA6VtJOmpYgEIVNTAzAAHR4=-----END CERTIFICATE-----% PEM files import succeeded.webvpn(config)# ^Zwebvpn#*Dec 4 18:11:49.850:%SYS-5-CONFIG_I:Configured from console by consolewebvpn#4.
webvpn# show crypto pki certificates tp-proxy1CertificateStatus:AvailableCertificate Serial Number:04A0147B00000000010ECertificate Usage:General PurposeIssuer:CN = sub3caC = USSubject:Name:ssl-proxy.Serial Number:B0FFF0C2OID.1.2.840.113549.1.9.2 = ssl-proxy.OID.2.5.4.5 = B0FFF0C2CRL Distribution Point:http://sample.cisco.com/sub3ca.crlValidity Date:start date:18:04:09 UTC Jan 23 2003end date:21:05:17 UTC Dec 12 2003renew date:00:00:00 UTC Apr 1 2003Associated Trustpoints:tp-proxy1CA CertificateStatus:AvailableCertificate Serial Number:6D1E6B0F000000000007Certificate Usage:SignatureIssuer:CN = subtestC = USSubject:CN = sub3caC = USCRL Distribution Point:http://sample.cisco.com/subtest.crlValidity Date:start date:22:22:52 UTC Mar 28 2003end date:21:05:17 UTC Dec 12 2003Associated Trustpoints:tp-proxy1webvpn# show crypto pki certificates 3tier-subca1CA CertificateStatus:AvailableCertificate Serial Number:29A47DEF0000000004E9Certificate Usage:SignatureIssuer:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USSubject:CN = subtestC = USCRL Distribution Point:http://sample.cisco.com/6ebf9b3e-9a6d-4400-893c-dd85dcfe911b.crlValidity Date:start date:20:55:17 UTC Dec 12 2002end date:21:05:17 UTC Dec 12 2003Associated Trustpoints:3tier-sub1webvpn# show crypto pki certificates 3tier-rootCA CertificateStatus:AvailableCertificate Serial Number:7FD5B209B5C2448C47F77F140625D265Certificate Usage:SignatureIssuer:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USSubject:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USCRL Distribution Point:http://sample.cisco.com/6ebf9b3e-9a6d-4400-893c-dd85dcfe911b.crlValidity Date:start date:00:05:32 UTC Jun 13 2002end date:00:11:58 UTC Jun 13 2004Associated Trustpoints:3tier-rootVerifying Certificates and Trustpoints
To verify information about your certificates and trustpoints, perform this task in EXEC mode:
Sharing Keys and Certificates
The WebVPN Services Module supports the sharing of the same key pair by multiple certificates. However, this is not a good practice because if one key pair is compromised, all the certificates must be revoked and replaced.
Because WebVPN gateways are added and removed at different times, the certificates also expire at different times. Some certificate authorities require you to refresh the key pair at the time of renewal. If certificates share one key pair, you need to renew the certificates at the same time. In general, it is easier to manage certificates if each certificate has its own key pair.
The WebVPN Services Module does not impose any restrictions on sharing certificates among multiple WebVPN gateways and multiple WebVPN Services Modules. The same trustpoint can be assigned to multiple WebVPN gateways.
From a business point of view, the certificate authority may impose restrictions (for example, on the number of servers in a server farm that can use the same certificate). There may be contractual or licensing agreements regarding certificate sharing. Consult with the certificate authority or the legal staff regarding business contractual aspects.
In practice, some web browsers compare the subject name of the server certificate with the hostname or the IP address that appears on the URL. If the subject name does not match the hostname or IP address, a dialog box appears, prompting the user to verify and accept the certificate. To avoid this step, limit the sharing of certificates based on the hostname or IP address.
Saving Your Configuration
Caution
Always remember to save your work when you make configuration changes.
To save your configuration to NVRAM, perform this task:
Note
The automatic backup of the configuration to NVRAM feature automatically backs up the last saved configuration. If the current write process fails, the configuration is restored to the previous configuration automatically.
Verifying the Saved Configuration
To verify the saved configuration, perform this task:
Step 1
Displays the startup configuration.
Step 2
Displays the names and sizes of the files in NVRAM.
Erasing the Saved Configuration
To erase a saved configuration, perform one of these tasks:
Note
Caution
Backing Up Keys and Certificates
If an event occurs that interrupts the process of saving the keys and certificates to NVRAM (for example, a power failure), you could lose the keys and certificates that are being saved. You can obtain public keys and certificates from the certificate authority. However, you cannot recover private keys.
If a secure server is available, back up key pairs and the associated certificate chain by exporting each trustpoint to a PKCS12 file. You can then import the PKCS12 files to recover the keys and certificates.
Security Guidelines
When backing up keys and certificates, observe the following guidelines:
•
•
•
•
Monitoring and Maintaining Keys and Certificates
This section describes the following optional tasks:
•
•
•
Deleting RSA Keys from the WebVPN Services Module
Caution
Under certain circumstances you might want to delete the RSA keys from a module. For example, if you believe the RSA keys were compromised in some way and should no longer be used, you should delete the keys.
To delete all RSA keys from the module, perform this task in global configuration mode:
After you delete the RSA keys from a module, complete these two additional tasks:
•
•
Viewing Keys and Certificates
To view keys and certificates, perform one of these tasks:
Deleting Certificates from the Configuration
The WebVPN Services Module saves its own certificates and the certificate of the certificate authority. You can delete certificates that are saved on the module.
To delete the certificate from the module configuration, perform this task in global configuration mode:
Assigning a Certificate to a WebVPN Gateway and Context
When you enter the ssl trustpoint trustpoint_label subcommand (under the webvpn gateway gateway_name command), you assign a certificate to the specified WebVPN gateway. You can enter the ssl trustpoint subcommand multiple times for the gateway.
If the trustpoint label is modified, the gateway is momentarily taken out of service during the transition. Existing connections continue to use the old certificate until the connections are closed or cleared. New connections use the certificate from the new trustpoint, and the service is available again.
However, if the new trustpoint does not have a certificate yet, the operational status of the service remains down. New connections are not established until the new certificate is available. If the certificate is deleted by entering the no ssl trustpoint subcommand, the existing connections continue to use the certificate until the connections are closed or cleared. Although the certificate is obsolete, it is not removed from the WebVPN gateway until all connections are closed or cleared.
Note
This example shows how to assign a trustpoint to a gateway:
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# webvpn gateway gw1webvpn(config-webvpn-gateway)# ip address 10.1.1.2webvpn(config-webvpn-gateway)# ssl trustpoint tp-1webvpn(config-webvpn-gateway)# endwebvpn#webvpn# show webvpn gateway gw1Admin Status: upOperation Status: upIP: 10.1.1.2, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: tp-1Certificate chain for new connections:Certificate:Key Label: tp-1, 1024-bit, not exportableKey Timestamp: 12:09:27 UTC Dec 25 2004Serial Number: 0FE5Root CA Certificate:Serial Number: 01rsa-general-purpose certificateCertificate chain completewebvpn#This example shows how to change a trustpoint for a WebVPN gateway:
Note
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# webvpn gateway gw1webvpn(config-webvpn-gateway)# ssl trustpoint tp-2webvpn(config-webvpn-gateway)# endwebvpn#webvpn# show webvpn gateway gw1Admin Status: upOperation Status: upIP: 10.1.1.2, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: tp-2Certificate chain for new connections:Certificate:Key Label: tp-2, 1024-bit, not exportableKey Timestamp: 12:09:27 UTC Dec 25 2004Serial Number: 0FE5Root CA Certificate:Serial Number: 01rsa-general-purpose certificateCertificate chain completewebvpn#Renewing a Certificate
Some certificate authorities require you to generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Both cases are supported on the WebVPN Services Module.
The SSL server certificates usually expire in one or two years. Graceful rollover of certificates avoids sudden loss of services.
This example shows that gateway gw2 is assigned trustpoint t2:
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# webvpn gateway gw2webvpn(config-gateway)# ssl trustpoint t2webvpn(config-gateway)# endwebvpn#webvpn# show webvpn gateway gw2Admin Status: upOperation Status: upIP: 2.100.100.202, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: t2Certificate chain for new connections:Certificate:Key Label: k2, 1024-bit, not exportableKey Timestamp: 18:38:53 UTC Jan 24 2005Serial Number: 67A6Root CA Certificate:Serial Number: 01rsa-general-purpose certificateCertificate chain completeThis example shows that the key pair for trustpoint t2 is refreshed, and the old certificate is deleted from the Cisco IOS database. Graceful rollover starts automatically for gateway gw2.
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# crypto key generate rsa general-keys label k2 exportable% You already have RSA keys defined named k2.% Do you really want to replace them? [yes/no]:yesChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]*May 7 17:47:10.718: %WEBVPN-6-PKI_CERT_ROLLOVER_BEGIN: The process of rolling over the certificate without the sudden loss of services has begun for the proxy service: gw2, trustpoint: t2webvpn(config)#endwebvpn# show show webvpn gateway gw2Admin Status:upOperation Status:upIP: 2.100.100.202, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: t2Certificate chain in graceful rollover, being renewed:Certificate:Key Label:k2 1024-bit, exportableKey Timestamp: 17:47:10 UTC May 7 2005Serial Number:47AFRoot CA Certificate:Serial Number:01rsa-general-purpose certificateServer certificate in graceful rolloverThis example shows that existing and new connections use the old certificate until trustpoint t2 reenrolls. After trustpoint t2 reenrolls, new connections use the new certificate; existing connections continue to use the old certificate until the connections are closed.
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# crypto pki enroll t2%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The subject name in the certificate will be: CN=2.100.100.202% The fully-qualified domain name will not be included in the certificate Request certificate from CA? [yes/no]: y% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificate' command will also show the fingerprint.CRYPTO_PKI: Fingerprint: 36DC4511 CE0353DB A7194317 E2D10481May 7 18:34:22.967: %PKI-6-CERTRET: Certificate received from Certificate AuthorityMay 7 18:34:24.195: %WEBVPN-6-PKI_SERVICE_CERT_INSTALL: Proxy: gw2, Trustpoint: t2, Key: k2, Serial#: 47AF, Index: 4May 7 18:34:24.203: %WEBVPN-6-PKI_CERT_ROLLOVER_END: The process of rolling over the certificate without the sudden loss of services has ended for the proxy service: gw2, trustpoint: t2webvpn(config)# endwebvpn# show show webvpn gateway gw2Admin Status: upOperation Status: upIP: 2.100.100.202, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: t2Obsolete certificate chain for old connections:Certificate:Key Label: k2, 1024-bit, not exportableKey Timestamp: 18:38:53 UTC Jan 24 2005Serial Number: 67A6Root CA Certificate:Serial Number: 01Certificate chain for new connections:Certificate:Key Label: k2, 1024-bit, exportableKey Timestamp: 17:47:10 UTC May 7 2005Serial Number: 47AFRoot CA Certificate:Serial Number: 01rsa-general-purpose certificateCertificate chain completeMay 7 18:34:44.191: %WEBVPN-6-PKI_SERVICE_CERT_DELETE: Proxy: gw2, Trustpoint: t2, Key: k2, Serial#: 67A6, Index: 0This example shows that the obsolete certificate is removed after all of the existing connections are closed.
webvpn# show show webvpn gateway gw2IP: 2.100.100.202, port: 443TCP Policy not configuredSSL Policy not configuredSSL Trustpoint: t2Certificate chain for new connections:Certificate:Key Label: k2, 1024-bit, exportableKey Timestamp: 17:47:10 UTC May 7 2005Serial Number: 47AFRoot CA Certificate:Serial Number: 01rsa-general-purpose certificateCertificate chain completeAutomatic Certificate Renewal and Enrollment
When you configure automatic enrollment, the WebVPN Services Module automatically requests a certificate from the certificate authority that is using the parameters in the configuration.
You can configure the certificate to automatically renew after a specified percentage of the validity time has passed. For example, if the certificate is valid for 300 days, and you specify renewal_percent as 80, the certificate automatically renews after 240 days have passed since the start validity time of the certificate.
Note
To enable automatic enrollment and renewal and to display timer information, perform this task:
This example shows how to enable auto enrollment and auto renewal:
webvpn# configure terminalEnter configuration commands, one per line. End with CNTL/Z.webvpn(config)# crypto pki trustpoint tk21webvpn(ca-trustpoint)# auto-enroll 90webvpn(ca-trustpoint)# endwebvpn# show crypto pki timersPKI Timers| 44.306| 44.306 RENEW tp-new|255d 5:28:32.348 RENEW tk21webvpn#
