This article explains how to configure a PKI (certificate) server and a PKI client on Cisco IOS routers. The demonstration is done in GNS3.

  1. The following prerequisites must be in place for the PKI server and client to work:
     a. The HTTP server is enabled (SCEP enrollment runs over HTTP).
     b. The time is synchronised via NTP (IMPORTANT: if the CA server's time is ahead of the client's, enrollment will fail because the freshly issued certificate is not yet valid from the client's point of view).
     c. A general-purpose RSA key pair is generated.
     d. A domain name is configured.

  2. Configuration for the server:

R3(config)#crypto pki server ROOT_CA
R3(cs-server)#grant ?
  auto     Automatically grant incoming SCEP enrollment requests
  none     Automatically reject any incoming SCEP enrollment request
  ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request

R3(cs-server)#grant auto
R3(cs-server)#lifetime certificate ?
  <0-7305>  Lifetime in days

R3(cs-server)#lifetime certificate 365

R3(cs-server)#issuer-name ?
  LINE  Issuer name

R3(cs-server)#issuer-name CN=R3.ine.com

R3(config)#ip domain name ine.com

R3(config)#do sh run | s pki
crypto pki server ROOT_CA
 no database archive
 issuer-name CN=R3.ine.com
 grant auto
 shutdown

R3(config)#crypto pki server ROOT_CA
R3(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R3#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    start date: 06:25:29 UTC Jun 4 2018
    end   date: 06:25:29 UTC Jun 3 2021
  Associated Trustpoints: ROOT_CA

R3# sh crypto pki server
Certificate Server ROOT_CA:
    Status: disabled, HTTP Server is disabled    !-- HTTP is disabled
    State: check failed
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

R3(config)#ip http server

R3#sh crypto pki server
Certificate Server ROOT_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

===============================================

Configuration for the client:

R1(config)#crypt pki trustpoint R3

R1(ca-trustpoint)#enrollment url http://150.1.3.3

R1(config)#crypto key generate rsa general-keys label IPSEC_PKI modulus 1024

R1#sh crypto key mypubkey Rsa
% Key pair was generated at: 06:41:08 UTC Jun 4 2018
Key name: IPSEC_PKI
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008E0C3C
  710703FC 85305724 AE36BEF7 B2BB2B9C C476C1B9 6C9E0EDB D6EB46CE AE288D33
  C43FC774 3A3645F0 548BBAB1 13276648 5A48CE5F 80C22F0D 86AAD257 FECEA51B
  EA02C095 D75A6D27 4800904C FBCCFB0F 09BF0818 E0D80746 23828207 7CEE568A
  97DF1877 51775C35 21CC2748 FEB0CBFD 32F053EF 40F9F684 46664934 29020301
  0001
% Key pair was generated at: 06:41:09 UTC Jun 4 2018
Key name: IPSEC_PKI.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A04028 2F345565
  E9F379E3 27450DBC 5DF5306B 936966B0 CEABA54B 4F562A3A 0EE94A5A 2E5AE90E
  AB61B02F 5D2C7E51 F42D2349 D79244B7 879F0A01 9A422745 8A791F4D 0EF83123
  B26D4AB1 289D15E8 11791DCB 93C6FBF5 F29FE47A F25F9A54 FB020301 0001

R1# sh run | s pki
crypto pki trustpoint R3
 enrollment url http://150.1.3.3:80
 revocation-check crl      !-- This is a lab environment, so it is changed to none.

R1(config)#crypto pki trustpoint R3
R1(ca-trustpoint)#revocation-check none
R1(ca-trustpoint)#rsakeypair IPSEC_PKI

  3. Debugging

R1#debug crypto pki transactions
Crypto PKI Trans debugging is on
R3#debug crypto pki server
Crypto PKI Certificate Server debugging is on

R1(config)#crypto pki authenticate R3
Certificate has the following attributes:
       Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
      Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A

% Do you accept this certificate? [yes/no]:
*Jun 4 06:49:42.534: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=R3 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

*Jun 4 06:49:42.534: CRYPTO_PKI: locked trustpoint R3, refcount is 1
*Jun 4 06:49:42.535: CRYPTO_PKI: http connection opened
*Jun 4 06:49:42.535: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.535: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

*Jun 4 06:49:42.537: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
*Jun 4 06:49:42.537: CRYPTO_PKI: locked trustpoint R3, refcount is 1
*Jun 4 06:49:42.550: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
*Jun 4 06:49:42.550: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-x509-ca-cert
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Content-Type indicates we have received a CA certificate.

*Jun 4 06:49:42.551: Received 519 bytes from server as CA certificate:
*Jun 4 06:49:42.551: CRYPTO_PKI_SCEP: Client Sending GetCACaps request
*Jun 4 06:49:42.551: CRYPTO_PKI: locked trustpoint R3, refcount is 1
*Jun 4 06:49:42.552: CRYPTO_PKI: http connection opened
*Jun 4 06:49:42.552: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.552: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

*Jun 4 06:49:42.553: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
*Jun 4 06:49:42.553: CRYPTO_PKI: locked trustpoint R3, refcount is 1
*Jun 4 06:49:42.564: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
*Jun 4 06:49:42.564: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

CA_CAP_GET_NEXT_CA_CERT
CA_CAP_RENEWAL
CA_CAP_SHA_1
CA_CAP_SHA_256
CA_CAP_SHA_384
CA_CAP_SHA_512
*Jun 4 06:49:42.564: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
*Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.
*Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.

*Jun 4 06:49:42.565: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()

*Jun 4 06:49:42.565: CRYPTO_PKI: trustpoint R3 authentication status = 0

% Please answer 'yes' or 'no'.

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R1(config)#crypto pki enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.ine.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 2048012
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 150.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R3' command will show the fingerprint.

R3(config)#
*Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS received SCEP GetCACert request
*Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS sending CA certificate
*Jun 4 06:49:42.544: CRYPTO_CS: CA certificate sent
*Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CS received GetCACaps request
*Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CA sending list of capabilites (GetNextCACert Renewal SHA2 hashes)
*Jun 4 06:49:42.562: CRYPTO_CS: Capabilities sent
R3(config)#
*Jun 4 06:53:08.454: CRYPTO_PKI_SCEP: CS received PKIOperation request
*Jun 4 06:53:08.454: CRYPTO_CS: processing SCEP request, 2121 bytes
*Jun 4 06:53:08.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
*Jun 4 06:53:08.460: CRYPTO_CS: scep msg type - 19
*Jun 4 06:53:08.460: CRYPTO_CS: trans id - E98E01D5675545C286BA0F7719D0A62C
*Jun 4 06:53:08.464: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
*Jun 4 06:53:08.464: CRYPTO_CS: received an enrollment request
*Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to trans id E98E01D5675545C286BA0F7719D0A62C
*Jun 4 06:53:08.464: CRYPTO_CS: Enrollment password (challenge) obtained from pkcs10 message is cisco123
*Jun 4 06:53:08.464: CRYPTO_CS: No enrollment request in the erdbase corresponding to challenge cisco123
*Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to enrollment password cisco123
*Jun 4 06:53:08.464: CRYPTO_CS: cert which signed the enrollment request is not an RA cert
*Jun 4 06:53:08.464: CRYPTO_CS: checking policy for enrollment request ID=1
*Jun 4 06:53:08.464: CRYPTO_CS: request has been authorized, transaction id=E98E01D5675545C286BA0F7719D0A62C
*Jun 4 06:53:08.464: CRYPTO_CS: locking the CS
*Jun 4 06:53:08.464: CRYPTO_CS: added key usage extension
*Jun 4 06:53:08.464: CRYPTO_CS: Validity: 06:53:08 UTC Jun 4 2018-06:53:08 UTC Jun 4 2019

*Jun 4 06:53:08.468: CRYPTO_CS: writing serial number 0x2.
*Jun 4 06:53:08.468: CRYPTO_CS: file opened: nvram:ROOT_CA.ser
*Jun 4 06:53:08.468: CRYPTO_CS: Writing 32 bytes to ser file
*Jun 4 06:53:08.468: CRYPTO_CS: reqID=1 granted, fingerprint=B
*Jun 4 06:53:08.468: CRYPTO_CS: unlocking the CS
*Jun 4 06:53:08.468: CRYPTO_PKI_SCEP: CS Sending CertRep Response - GRANTED(E98E01D5675545C286BA0F7719D0A62C)
*Jun 4 06:53:08.468: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
R3(config)#
*Jun 4 06:53:08.478: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
*Jun 4 06:53:08.482: CRYPTO_CS: Certificate generated and sent to requestor

R1(config)#do sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=R3.ine.com
  Subject:
    Name: R1.ine.com
    IP Address: 150.1.1.1
    Serial Number: 2048012
    serialNumber=2048012+ipaddress=150.1.1.1+hostname=R1.ine.com
  Validity Date:
    start date: 06:53:08 UTC Jun 4 2018
    end   date: 06:53:08 UTC Jun 4 2019
  Associated Trustpoints: R3

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    start date: 06:25:29 UTC Jun 4 2018
    end   date: 06:25:29 UTC Jun 3 2021
  Associated Trustpoints: R3

  4. The enrollment below is done on an ASA. Because the CA server's time is ahead of the ASA's system time, the enrollment failed.

asa1/act/pri(config)# crypto ca enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password: ********
Re-enter password: ********

% The fully-qualified domain name in the certificate will be: asa1.ine.com

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 9APW6PPKHC0

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1/act/pri(config)# Certificate is not valid yet. The certificate enrollment request failed!
%ASA-3-717002: Certificate enrollment failed for trustpoint R3.  Reason: Generic request failure.
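Two checks an operator wants before answering "yes" at the crypto pki authenticate prompt and before enrolling: that the fingerprint the client shows matches the fingerprint the CA reports about itself, and that the client's clock is not behind the CA's (the cause of the ASA failure above). The Python below is an added example, not code from this page or from Cisco; the sample outputs are constructed from the values shown on this page, and enrollment_clock_check models the skew rule rather than reproducing the ASA's exact validation logic.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CA's own 'show crypto pki server' output (values as on this page).
CA_SERVER_OUTPUT = """Certificate Server ROOT_CA:
    Status: enabled
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
"""

# Constructed sample: what the client prints during 'crypto pki authenticate R3'.
CLIENT_PROMPT = """Certificate has the following attributes:
       Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
      Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A
"""


def parse_cisco_time(text):
    """Parse IOS/ASA timestamps such as '06:25:29 UTC Jun 4 2018' into an aware UTC datetime."""
    normalised = " ".join(text.split())  # IOS pads single-digit days with two spaces
    return datetime.strptime(normalised, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)


def fingerprint(text, label):
    """Return the hex fingerprint printed after 'label:' with spaces removed, or None."""
    m = re.search(re.escape(label) + r":\s*([0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{8})*)", text)
    return re.sub(r"\s+", "", m.group(1)).upper() if m else None


def ca_fingerprint_matches(ca_output, client_prompt):
    """Out-of-band check: the MD5 shown on the client must equal the CA's self-reported
    fingerprint (obtained from the CA console, not over the same HTTP channel)."""
    expected = fingerprint(ca_output, "CA cert fingerprint")
    shown = fingerprint(client_prompt, "Fingerprint MD5")
    return expected is not None and expected == shown


def enrollment_clock_check(ca_now, client_now, tolerance=timedelta(seconds=0)):
    """The CA stamps the new certificate's start date with its own clock; if the client's
    clock is behind that, the client rejects the certificate as 'not valid yet'.
    Returns (ok, skew, reason); skew is positive when the CA is ahead of the client."""
    skew = ca_now - client_now
    if skew > tolerance:
        return False, skew, "Certificate is not valid yet: client clock is behind the CA, sync NTP first"
    return True, skew, "ok"
```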