Security

Cisco IOS Router CA Server and Client configuration

J Jaime Herrera
Posted onJul 15, 2019 at 8:11 AM
Updated onUpdated on Jul 15, 2019 at 1:11 AM

In this post router R-CA will be our CA Server and R-Client will request a certificate from R-CA.

R-CA – Certificate Authority Configuration

crypto key generate rsa label CA modulus 1024
!
crypto pki server CA-Server
 database level complete
 no database archive
 issuer-name CN=r-ca O=lab.local
 grant auto

R-Client(config)#crypto pki authenticate R-Client

!!!Session output!!!

R-CA(config)#crypto key generate rsa label CA modulus 1024
The name for the keys will be: CA

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R-CA(config)#
*Jul 15 06:27:12.382: %SSH-5-ENABLED: SSH 1.99 has been enabled

R-CA(config)#ip http server

R-CA(config)#crypto pki ?
server        Enable IOS Certificate server

R-CA(config)#crypto pki server CA-Server
R-CA(cs-server)#database level complete
  database       Certificate Server database config parameters
  level     Level of data stored in database
  complete  Each issued certificate is saved to the database

R-CA(cs-server)#issuer-name CN=r-ca O=lab.local

R-CA(cs-server)#grant auto
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
  grant          Certificate granting options
  auto     Automatically grant incoming SCEP enrollment requests

R-CA(cs-server)#no shutdown 
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: Cisco321

Re-enter password: Cisco321
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
%PKI-6-CS_ENABLED: Certificate server now enabled.

CA Server Verification

R-CA#show crypto pki server 
Certificate Server CA-Server:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=r-ca O=lab.local
    CA cert fingerprint: AFEFAF66 AC1A75AC 03C10C66 EF097925 
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 23:39:26 UTC Jul 13 2022
    CRL NextUpdate timer: 05:39:29 UTC Jul 15 2019
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer

R-Client Configuration

R-Client(config)#ip name-server 172.16.10.1
R-Client(config)#ip domain name lab.local

crypto pki trustpoint R-Client
 enrollment url http://172.16.10.1:80
 ip-address 172.16.20.1
 revocation-check none
 source interface Loopback1
 rsakeypair R-Client

R-Client(config)#crypto pki authenticate R-Client

R-Client(config)#crypto pki enroll R-Client

!!!Session output!!!

crypto key generate rsa label R-Client modulus 1024

R-Client(config)#crypto pki trustpoint R-Client
  trustpoint    Define a CA trustpoint

R-Client(ca-trustpoint)#enrollment url http://172.16.10.1:80
  enrollment        Enrollment parameters
  url         CA server enrollment URL
  http:       Enroll via http: file system

R-Client(ca-trustpoint)#ip-address 172.16.20.1
  ip-address        include ip address

R-Client(ca-trustpoint)#revocation-check none
  revocation-check  Revocation checking options
  none  Ignore revocation check

R-Client(ca-trustpoint)#source interface loopback 1
  source            Specify source

R-Client(ca-trustpoint)#rsakeypair R-Client
  rsakeypair        Specify rsakeypair for this identity

  R-Client(config)#crypto pki authenticate R-Client
  authenticate  Get the CA certificate
Certificate has the following attributes:
       Fingerprint MD5: AFEFAF66 AC1A75AC 03C10C66 EF097925 
      Fingerprint SHA1: 0708F7E8 117142FE F580C327 7EEAB5C3 57BCC690 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R-Client(config)#crypto pki enroll R-Client
  enroll        Request a certificate from a CA
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: Cisco321
Re-enter password: Cisco321

% The subject name in the certificate will include: R-Client.lab.local
% Include the router serial number in the subject name? [yes/no]: no
% The IP address in the certificate is 172.16.20.1

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R-Client' commandwill show the fingerprint.

R-Client(config)#
Jul 15 00:02:21.560: CRYPTO_PKI:  Certificate Request Fingerprint MD5: A59B6B3F 41D2F1E7 59845816 1E7AEBF1 
Jul 15 00:02:21.563: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 439D8A96 16F2CC69 559DDE48 7E800FE3 70F764E9 
Jul 15 00:02:24.234: %PKI-6-CERTRET: Certificate received from Certificate Authority

R-Client Verification

R-Client#show crypto pki certificates 
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer: 
    cn=r-ca O=lab.local
  Subject:
    Name: R-Client.lab.local
    IP Address: 172.16.20.1
    ipaddress=172.16.20.1+hostname=R-Client.lab.local
  Validity Date: 
    start date: 00:02:21 UTC Jul 15 2019
    end   date: 00:02:21 UTC Jul 14 2020
  Associated Trustpoints: R-Client 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=r-ca O=lab.local
  Subject: 
    cn=r-ca O=lab.local
  Validity Date: 
    start date: 23:39:26 UTC Jul 14 2019
    end   date: 23:39:26 UTC Jul 13 2022
  Associated Trustpoints: R-Client