In this post, router R-CA will be our CA server and R-Client will request a certificate from it over SCEP.

R-CA – Certificate Authority Configuration
R-CA(config)#crypto key generate rsa label CA modulus 1024
!
ip http server
!
crypto pki server CA-Server
 database level complete
 no database archive
 issuer-name CN=r-ca O=lab.local
 grant auto
 no shutdown

!!!Session output!!!

R-CA(config)#crypto key generate rsa label CA modulus 1024
The name for the keys will be: CA
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R-CA(config)#
*Jul 15 06:27:12.382: %SSH-5-ENABLED: SSH 1.99 has been enabled
R-CA(config)#ip http server
R-CA(config)#crypto pki ?
  server  Enable IOS Certificate server
R-CA(config)#crypto pki server CA-Server
R-CA(cs-server)#database level complete
  database  Certificate Server database config parameters
  level     Level of data stored in database
  complete  Each issued certificate is saved to the database
R-CA(cs-server)#issuer-name CN=r-ca O=lab.local
R-CA(cs-server)#grant auto
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
  grant  Certificate granting options
  auto   Automatically grant incoming SCEP enrollment requests
R-CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: Cisco321
Re-enter password: Cisco321
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
%PKI-6-CS_ENABLED: Certificate server now enabled.
CA Server Verification
R-CA#show crypto pki server
Certificate Server CA-Server:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=r-ca O=lab.local
    CA cert fingerprint: AFEFAF66 AC1A75AC 03C10C66 EF097925
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 23:39:26 UTC Jul 13 2022
    CRL NextUpdate timer: 05:39:29 UTC Jul 15 2019
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer
R-Client Configuration
R-Client(config)#ip name-server 172.16.10.1
R-Client(config)#ip domain name lab.local
R-Client(config)#crypto key generate rsa label R-Client modulus 1024
!
crypto pki trustpoint R-Client
 enrollment url http://172.16.10.1:80
 ip-address 172.16.20.1
 revocation-check none
 source interface Loopback1
 rsakeypair R-Client
!
R-Client(config)#crypto pki authenticate R-Client
R-Client(config)#crypto pki enroll R-Client

!!!Session output!!!

R-Client(config)#crypto key generate rsa label R-Client modulus 1024
R-Client(config)#crypto pki trustpoint R-Client
  trustpoint  Define a CA trustpoint
R-Client(ca-trustpoint)#enrollment url http://172.16.10.1:80
  enrollment  Enrollment parameters
  url         CA server enrollment URL
  http:       Enroll via http: file system
R-Client(ca-trustpoint)#ip-address 172.16.20.1
  ip-address  include ip address
R-Client(ca-trustpoint)#revocation-check none
  revocation-check  Revocation checking options
  none              Ignore revocation check
R-Client(ca-trustpoint)#source interface loopback 1
  source  Specify source
R-Client(ca-trustpoint)#rsakeypair R-Client
  rsakeypair  Specify rsakeypair for this identity
R-Client(config)#crypto pki authenticate R-Client
  authenticate  Get the CA certificate
Certificate has the following attributes:
       Fingerprint MD5: AFEFAF66 AC1A75AC 03C10C66 EF097925
      Fingerprint SHA1: 0708F7E8 117142FE F580C327 7EEAB5C3 57BCC690

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R-Client(config)#crypto pki enroll R-Client
  enroll  Request a certificate from a CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: Cisco321
Re-enter password: Cisco321

% The subject name in the certificate will include: R-Client.lab.local
% Include the router serial number in the subject name? [yes/no]: no
% The IP address in the certificate is 172.16.20.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R-Client' command will show the fingerprint.

R-Client(config)#
Jul 15 00:02:21.560: CRYPTO_PKI: Certificate Request Fingerprint MD5: A59B6B3F 41D2F1E7 59845816 1E7AEBF1
Jul 15 00:02:21.563: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 439D8A96 16F2CC69 559DDE48 7E800FE3 70F764E9
Jul 15 00:02:24.234: %PKI-6-CERTRET: Certificate received from Certificate Authority
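The "Do you accept this certificate? [yes/no]" prompt above is the one place where trust is decided: the fingerprint that R-Client displays has to be compared against the "CA cert fingerprint" printed by `show crypto pki server` on R-CA, not simply accepted. Since the CA is reached over plain HTTP and the trustpoint uses `revocation-check none`, that comparison is the only thing standing between the client and a spoofed CA. The script below is an added example (mine, not from the post or from Cisco) that fetches the CA certificate out of band and prints its fingerprints in the same grouped form IOS uses, so the two can be compared character for character. It assumes the IOS certificate server answers the standard SCEP GetCACert request at `/cgi-bin/pkiclient.exe?operation=GetCACert` and returns a bare DER certificate; the PKCS#7 RA/CA bundle form is deliberately rejected rather than parsed. The hashing and comparison helpers work offline on any DER bytes.

```python
"""Out-of-band check of the SCEP CA certificate fingerprint (added example).

Assumptions (not from the post): the CA serves the RFC 8894 GetCACert
operation at /cgi-bin/pkiclient.exe and returns Content-Type
application/x-x509-ca-cert (a bare DER certificate).  The expected value
is the 'CA cert fingerprint' line from 'show crypto pki server'.
"""
import hashlib
import re
import sys
import urllib.request

# Fingerprint printed by R-CA in the post ('show crypto pki server').
CA_FINGERPRINT_MD5 = "AFEFAF66 AC1A75AC 03C10C66 EF097925"


def cisco_fingerprint(digest: bytes) -> str:
    """Render a raw digest the way IOS prints it: uppercase hex, 8-char groups."""
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))


def fingerprints(der: bytes) -> dict:
    """MD5 and SHA1 fingerprints of a DER-encoded certificate, IOS style.

    IOS shows the digest of the DER certificate bytes, which is what the
    client prints during 'crypto pki authenticate'.
    """
    return {
        "MD5": cisco_fingerprint(hashlib.md5(der).digest()),
        "SHA1": cisco_fingerprint(hashlib.sha1(der).digest()),
    }


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare two fingerprints, ignoring spacing and letter case.

    An empty fingerprint never matches, so a blank line copied by mistake
    cannot pass the check.
    """
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())

    a, b = norm(shown), norm(expected)
    return bool(a) and a == b


def fetch_ca_cert(ca_host: str, timeout: float = 5.0) -> bytes:
    """Fetch the CA certificate via SCEP GetCACert (assumed URL path)."""
    url = f"http://{ca_host}/cgi-bin/pkiclient.exe?operation=GetCACert"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        body = resp.read()
    if ctype != "application/x-x509-ca-cert":
        raise RuntimeError(
            f"unexpected Content-Type {ctype!r}; only a bare DER CA cert is handled")
    return body


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "172.16.10.1"  # R-CA in the post
    fp = fingerprints(fetch_ca_cert(host))
    for algo, value in fp.items():
        print(f"Fingerprint {algo}: {value}")
    if fingerprints_match(fp["MD5"], CA_FINGERPRINT_MD5):
        print("MD5 fingerprint matches the value from 'show crypto pki server'")
    else:
        print("MISMATCH: do not answer 'yes' to the authenticate prompt")
        sys.exit(1)
```

Run it from a host that can reach the CA on port 80 and compare the printed values with both the client's prompt and the CA's own `show crypto pki server` line; the point of the exercise is that the expected value comes from the CA console (or another trusted channel), never from the same HTTP session the client is about to trust.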
R-Client Verification
R-Client#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=r-ca O=lab.local
  Subject:
    Name: R-Client.lab.local
    IP Address: 172.16.20.1
    ipaddress=172.16.20.1+hostname=R-Client.lab.local
  Validity Date:
    start date: 00:02:21 UTC Jul 15 2019
    end date: 00:02:21 UTC Jul 14 2020
  Associated Trustpoints: R-Client

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=r-ca O=lab.local
  Subject:
    cn=r-ca O=lab.local
  Validity Date:
    start date: 23:39:26 UTC Jul 14 2019
    end date: 23:39:26 UTC Jul 13 2022
  Associated Trustpoints: R-Client
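The verification output above tells you the router certificate is good for one year and the CA certificate for three, so the client will need re-enrollment well before the CA does. Checking that by eye across a fleet does not scale, so here is an added example (my code, not part of the post) that parses `show crypto pki certificates` output and flags certificates that are expired, not yet valid, or inside a warning window. The sample text embedded in the script is the output from the post; the parser assumes the IOS layout shown there (one block per certificate headed by a line ending in "Certificate" at column 0, and `start date`/`end date` lines in the form `HH:MM:SS UTC Mon DD YYYY`). Non-UTC timestamps are refused rather than silently misread, and the reference time is passed in as an ISO date so the result is reproducible.

```python
"""Flag expiring certificates in 'show crypto pki certificates' (added example).

Assumptions (not from the post): the IOS block layout shown in the post and
UTC timestamps.  SHOW_OUTPUT is the post's own R-Client output.
"""
import re
from datetime import datetime, timezone

SHOW_OUTPUT = """\
R-Client#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=r-ca O=lab.local
  Subject:
    Name: R-Client.lab.local
    IP Address: 172.16.20.1
    ipaddress=172.16.20.1+hostname=R-Client.lab.local
  Validity Date:
    start date: 00:02:21 UTC Jul 15 2019
    end date: 00:02:21 UTC Jul 14 2020
  Associated Trustpoints: R-Client

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=r-ca O=lab.local
  Subject:
    cn=r-ca O=lab.local
  Validity Date:
    start date: 23:39:26 UTC Jul 14 2019
    end date: 23:39:26 UTC Jul 13 2022
  Associated Trustpoints: R-Client
"""

_DATE_RE = re.compile(r"(\d\d:\d\d:\d\d) (\S+) ([A-Za-z]{3}) (\d{1,2}) (\d{4})")


def parse_ios_date(text: str) -> datetime:
    """Turn '00:02:21 UTC Jul 15 2019' into an aware datetime (UTC only)."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised IOS date: {text!r}")
    hhmmss, zone, mon, day, year = m.groups()
    if zone != "UTC":  # assumption: the clock is set to UTC, as in the post
        raise ValueError(f"only UTC timestamps are handled, got {zone!r}")
    naive = datetime.strptime(f"{hhmmss} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_certificates(text: str) -> list:
    """Split the show output into one dict per certificate block."""
    certs, current = [], None
    for line in text.splitlines():
        # A block header sits at column 0 and ends with 'Certificate';
        # the prompt line ('...certificates') is skipped by this test.
        if line and not line[0].isspace():
            current = {"kind": line.strip()} if line.endswith("Certificate") else None
            if current is not None:
                certs.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("Certificate Serial Number (hex):"):
            current["serial"] = s.split(":", 1)[1].strip()
        elif s.startswith("start date:"):
            current["not_before"] = parse_ios_date(s)
        elif re.match(r"end\s+date:", s):
            current["not_after"] = parse_ios_date(s)
        elif s.startswith("Associated Trustpoints:"):
            current["trustpoint"] = s.split(":", 1)[1].strip()
    return certs


def check_expiry(text: str, now_iso: str, warn_days: int = 30) -> list:
    """Classify each certificate relative to now_iso (ISO date/time, UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    results = []
    for c in parse_certificates(text):
        days_left = (c["not_after"] - now).total_seconds() / 86400
        if now < c["not_before"]:
            status = "not-yet-valid"
        elif days_left < 0:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append({"kind": c["kind"], "serial": c["serial"],
                        "trustpoint": c.get("trustpoint"),
                        "days_left": int(days_left), "status": status})
    return results


if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    for r in check_expiry(SHOW_OUTPUT, today):
        print(f"{r['kind']:<16} serial {r['serial']}  {r['status']:<13} ({r['days_left']} days left)")
```

Pipe real output in place of `SHOW_OUTPUT` (for example from a scripted `show crypto pki certificates` over SSH) and run it from a scheduler; the `warn_days` window should be wider than the re-enrollment lead time you actually need, since with `grant auto` the CA side is instant but someone still has to run `crypto pki enroll` on the client.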