16 Replies. Latest reply: Jul 27, 2009 12:10 AM by Paul Stewart - CCIE Security

    IOS CA Server Question

    Paul Stewart  -  CCIE Security

      Does anyone know of an example of using an IOS CA with manual/terminal-based enrollment and authentication?  For example, if you wanted to create a CSR from an ACS server, then what would be the process for requesting the certificate?

        • 2. Re: IOS CA Server Question

          Hi Paul


          Did you see http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00807be6bc.shtml


          I started typing it but it needs a NTP source (NTP Master did the trick) and HTTP. I was thinking of using it for DMVPN. Have a look and if you can get it working let me know. As you know I know zero about security so I assumed I was the problem not wiki.


          Regards Conwyn

          • 3. Re: IOS CA Server Question
            Paul Stewart  -  CCIE Security



            I plan to lab that DMVPN solution in a few days.  I have definitely requested a certificate from one router acting as a client to another router acting as a CA server.  That article should work well.  I will try to post back after I lab it up.




            I looked at that article.  It is exactly the opposite of what I want to do.  I have actually done that with a router acting as a client to a CA server running in Windows.


            What I want to do is to make the request from a non-SCEP client.  For example, a Cisco ACS server generates and displays the CSR.  There is no SCEP enrollment option.  I just think if it is possible, it could be fair game for the IE lab.

            • 4. Re: IOS CA Server Question

              That URL I posted is a Cisco router requesting a certificate by terminal, not SCEP.

              • 5. Re: IOS CA Server Question

                Maybe you are looking at the URL in the post.  OK, let me paste it here.


                Manual Certificate Request


                on the cisco ca server


                cry pki export newca pem terminal


                will display the CA certificate. Copy this without the header and paste it on the client.


                cry pki authen (trustpoint) is entered.


                cry pki enrol (trustpoint) on the client will display the PKCS10 request. Copy this without the header and paste it on the CA server after the command below.
                On the server, in global mode, enter


                Cry pki ser newca request pkcs10 ter


                Paste the client-displayed PKCS10 file without the header and hit the enter key.


                It will display the granted certificate. Copy this and paste it on the client by entering
                cry pki import newlab certificate on the client (no certificate header either).


                Make sure the time on your Cisco devices is in sync with the CA.


                For the ACS, it can generate a PEM file and you can import the certificate.



                • 6. Re: IOS CA Server Question
                  Paul Stewart  -  CCIE Security

                  Thanks.  You are absolutely correct.  I had read that article, however I hadn't read it close enough.  Thanks for being persistent with me.

                  • 7. Re: IOS CA Server Question

                    Hi Paul


                    On the example I cited the hub has http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00807be6bc.shtml


                    certificate ca 01    3082022F

                    certificate 02        30820213

                    certificate ca 01   3082022F


                    In the spoke

                    certificate 03 30820210

                    certificate ca 01 3082022F


                    I assume you copy and paste 1 or 3 to 5, but from where does cert 03 come?

                    Please excuse my zero knowledge. Do Cisco do a Certs for Dummies?

                    I found http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml



                    Regards Conwyn

                    • 8. Re: IOS CA Server Question
                      Paul Stewart  -  CCIE Security



                      The concept of the CA server is separate from that of the DMVPN hub.  It could certainly be the hub that is running the CA server though.  With PKI on these routers, you need to do two things from the CA clients.  First you authenticate it, in other words, you trust the CA server.  The second thing you need to do is to enroll.  This is actually getting the CA server to sign the public key from the CA client.  This way the clients all can trust each other by the fact that they trust the CA server, and the server signed all of the other public keys.


                      I wish I could give you more than that, and I truly wished that Cisco had a CA Servers for dummies.  RSA Press actually has a good book on PKI.  However, it is one of those things that is really hard to get your mind fully around.

                      • 9. Re: IOS CA Server Question

                        Hi Paul


                        In their HUB and SPOKE example (Dynamic LAN), both the hub and spoke enroll with the CA because they want to talk to each other, but I cannot see where either generates the RSA keys, and when I tried it I got a message about a key mismatch.

                        Regards Conwyn

                        • 10. Re: IOS CA Server Question
                          Paul Stewart  -  CCIE Security

                          The CA server's keys were generated, exported and reimported.  This is done to make the key exportable, although it seems kludgy IMHO. Then on the non-CA server (CA client), the key was generated in its respective step 1.

                          • 11. Re: IOS CA Server Question

                            Hi Paul


                            Given your explanation and my use of GNS, I think I understand.


                            The first thing you need is NTP. So NTP Master (on the hub, and NTP SERVER on the spoke).

                            IP HTTP SERVER is required.

                            Next  on hub

                            crypto key generate rsa general-keys label cisco1 exportable

                            crypto pki server cisco1
                            database url nvram:

                            issuer-name CN=cisco1.cisco.com L=RTP C=US

                            no shutdown

                            Next on hub

                            ntp server
                            ip domain-name cisco.com
                            crypto key generate rsa
                            crypto ca trustpoint cisco
                            enrollment retry count 5
                            enrollment retry period 3
                            enrollment url
                            revocation-check none
                            crypto ca authenticate cisco
                            crypto ca enroll cisco


                            And that was OK so back to hub


                            crypto pki trustpoint iosca
                            enrollment url
                            revocation-check none
                            crypto ca authenticate iosca
                            crypto ca enroll iosca


                            This time it auto-generated the RSA key.


                            So having got that bit working mainly thanks to you we can focus on the challenge of making the DMVPN Hub the CA and the DMVPN spokes using it.


                            So basically the isakmp-profile l2lvpn -> ca trust point defined in dynamic dynmap and crypto map -> dynmap and int -> crypto map


                            So in DMVPN world we do not use int crypto


                            crypto isakmp policy 10
                            encr aes
                            authentication pre-share
                            group 2
                            lifetime 120
                            crypto isakmp key cisco123 address
                            crypto isakmp invalid-spi-recovery
                            crypto isakmp nat keepalive 10
                            crypto ipsec transform-set T1 esp-aes esp-md5-hmac
                            mode transport
                            crypto ipsec profile P1
                            set transform-set T1

                            tunnel protection ipsec profile P1
                            So, if you do not mind me asking, how do I replace cisco123 with certificate logic?


                            Two further questions. Obviously I cannot have any old router coming over the Internet and saying "give me a cert", so I assume we configure at base before shipping to location. Secondly, DMVPN faces the Internet, so the traffic coming in has to be tightly controlled; we now have to also permit NTP traffic and HTTP traffic, so I assume we just have to be careful out there. Once again, thank you Paul.


                            Regards Conwyn
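                            Added example, not from any post in this thread: one way to swap the pre-shared key in the config above for certificate authentication on the DMVPN tunnel. Trustpoint iosca, transform-set T1 and profile P1 are taken from the post; the names DMVPN-CERTS, DMVPN-PROF, the Tunnel0 interface, the issuer CN and the 192.0.2.0/24 range are assumptions chosen for the example. The certificate map is the part worth noting: without it a peer with any certificate from any trusted CA can negotiate, with it only certificates issued by this CA are accepted.

```cisco
! Constructed example: certificate authentication for the DMVPN tunnel.
! Names marked (assumed) are placeholders, not from the thread.
crypto isakmp policy 10
 encr aes
 ! rsa-sig = certificate (RSA signature) authentication; also the IOS default
 authentication rsa-sig
 group 2
 lifetime 120
!
! the pre-shared key is no longer needed; remove the existing key line, e.g.
! no crypto isakmp key cisco123 address <peer-address> <mask>
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
! accept only certificates issued by our own CA (the CN from the CA's
! issuer-name command), not any certificate a peer happens to present
crypto pki certificate map DMVPN-CERTS 10
 issuer-name co cn = cisco1.cisco.com
!
! ISAKMP profile (assumed name) ties the trustpoint and the map together
crypto isakmp profile DMVPN-PROF
 ca trust-point iosca
 match certificate DMVPN-CERTS
!
crypto ipsec transform-set T1 esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile P1
 set transform-set T1
 set isakmp-profile DMVPN-PROF
!
interface Tunnel0
 tunnel protection ipsec profile P1
!
! The CA's HTTP/SCEP service should not face the whole Internet. Either
! enroll the spokes over the terminal before they ship, or restrict the
! HTTP server to the known spoke addresses (192.0.2.0/24 assumed here).
ip http server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
```

                            Each spoke and the hub still need to authenticate and enroll with the CA first (the steps already worked through above); the config here only changes how IKE proves identity once the certificates are in place. "show crypto isakmp sa" and "show crypto pki certificates" are the places to look if a tunnel stays down after the change.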

                            • 12. Re: IOS CA Server Question
                              Paul Stewart  -  CCIE Security

                              NTP is not technically a requirement, but is certainly a good idea. Certificates have dates and the time should be synchronized so they all know what is a valid certificate.  On the other concern, you can disable auto-enrollment and use the "crypto pki server <MYCA> grant #" command.  This is definitely a good idea.  However, if you do this, you need to keep up with when certificates expire.  I'm thinking they will not auto-update if auto-enrollment is disabled.


                              Again, I am a bit green on this particular subject as well (especially using an IOS based CA server), so don't use me as your sole resource for recommendations.

                              • 13. Re: IOS CA Server Question

                                Hi Paul


                                Please everybody remember Conwyn knows nothing about security so here is a basic question.


                                To use the CA server you either connect via HTTP or do it manually. I think having HTTP facing the big bad Internet may be a bad idea.


                                So how do I manually sign a certificate?


                                I guess on the spoke I generate keys. Copy from the spoke and paste to the hub/CA server. Run a signing command and then copy it back to the spoke with an accepting command. Can you translate this into simple Cisco for me please? I have googled but obviously not with the correct search words.


                                Regards Conwyn

                                • 14. Re: IOS CA Server Question
                                  Paul Stewart  -  CCIE Security

                                  Conwyn always says he knows nothing about security, but I'm certain that is not true.  In any case, CA Services in IOS makes me feel like I know nothing about security either, as does some of the other crazy stuff that I've been labbing up lately.  Anyway, I didn't have any rack time scheduled today, and I completely ran out of time yesterday.  Nonetheless, I wanted to provide a sample of a manual enrollment like you were enquiring about.  My client is actually an ASA instead of an IOS device.  There may be minor configuration changes necessary to make it work with an IOS-based client.


                                  Also, be forewarned that I have not done a good job explaining this.  I am still struggling a bit with this myself.


                                  Configure the CA Server


                                  On the CA Server


                                  //I like to get everything in one subdir, so let's create one


                                  mkdir flash:cert


                                  //generate the keys, this will happen automatically, but if you

                                  //create them, they can be marked exportable and you can have

                                  //a disaster recovery plan.  Also note, if you use usage keys,

                                  //instead of general there are pairs generated


                                  crypto key generate rsa general-keys modulus 1024 label MYCA exportable


                                  //go ahead and export a key pair

                                  crypto key export rsa MYCA pem url flash:cert 3des mypassmypass


                                  //hook the key label to the trustpoint

                                  //the trustpoint will be in common with

                                  //the server label


                                  crypto pki trustpoint MYCA
                                  rsakeypair MYCA


                                  //build the server


                                  crypto pki server MYCA
                                  database url flash:cert
                                  database level complete
                                  no grant auto
                                  issuer-name cn=MYSERVER,dc=myhouse,dc=com
                                  lifetime certificate 365
                                  no shut

                                  //take a look at the server

                                  //make sure it is "enabled"

                                  show crypto pki server


                                  Now let's exchange the certs

                                  On the CA Client(s)


                                  Mine is an ASA, so "ca" will need to be substituted with "pki" and
                                  you will find various other minor changes necessary for IOS.


                                  //generate the keys

                                  crypto key generate rsa general-keys  label ToMYCA modulus 1024


                                  //configure the trustpoint

                                  //the enrollment terminal

                                  //shows the csr in the terminal

                                  //window instead of using scep

                                  crypto ca trustpoint ToMYCA
                                  enrollment terminal
                                  keypair ToMYCA
                                  fqdn ciscoasa.asa.com


                                  To authenticate the server, connect to the
                                  SERVER and grab its CA cert.  Note this is
                                  exec mode, not global config.


                                  //copy output to your clipboard
                                  crypto pki export MYCA pem terminal



                                  Then back on the client


                                  //enter the command below then
                                  //paste from clipboard


                                  crypto ca authenticate ToMYCA


                                  Then generate a certificate signing request from the client.


                                  //enter the command below and
                                  //copy the csr to the clipboard


                                  crypto ca enroll ToMYCA




                                  Back on the server


                                  //enter the command below then
                                  //paste the csr from the client


                                  crypto pki server MYCA request pkcs10 terminal pem


                                  //enter the command below and note the
                                  //pending request number


                                  show crypto pki server MYCA requests


                                  //grant the request
                                  //copy the cert
                                  crypto pki server MYCA grant <#>




                                  Back on the client, import the cert


                                  //enter the command below and paste
                                  //the copied certificate
                                  crypto ca import ToMYCA certificate
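                                  Added example, not posted by anyone in this thread: the same manual (terminal) enrollment walked through above, written for an IOS router as the client instead of the ASA, and serving the procedure in reply 5 as well. The MYCA / ToMYCA labels, the flash:cert directory and the issuer-name follow reply 14; the hostnames, domain, the 192.0.2.1 NTP address and request ID 1 are assumptions made for the example. The paste prompts for the CA certificate, the PKCS#10 request and the granted certificate each end with "quit" on a line by itself.

```cisco
! ===== CA server (IOS router acting as the CA) =====
! Constructed example; hostnames, domain and addresses are placeholders.
mkdir flash:cert
configure terminal
 hostname CASERVER
 ip domain-name myhouse.com
 ! certificates carry validity dates, so the CA and clients must agree on time
 ntp master 3
 ! exportable key pair so the CA key can be backed up for disaster recovery
 crypto key generate rsa general-keys modulus 2048 label MYCA exportable
 crypto pki trustpoint MYCA
  rsakeypair MYCA
 crypto pki server MYCA
  database url flash:cert
  database level complete
  issuer-name cn=MYSERVER,dc=myhouse,dc=com
  lifetime certificate 365
  ! manual approval: every request waits for an operator to grant it
  no grant auto
  no shutdown
 end
! exec mode: confirm the server is enabled and note its certificate fingerprint
show crypto pki server
! hand the CA certificate to the client (copy the printed PEM block)
crypto pki export MYCA pem terminal

! ===== CA client (IOS router; "pki" where the ASA used "ca") =====
configure terminal
 hostname SPOKE1
 ip domain-name myhouse.com
 ! assumed NTP source address
 ntp server 192.0.2.1
 crypto key generate rsa general-keys modulus 2048 label ToMYCA
 crypto pki trustpoint ToMYCA
  ! "pem" keeps the CSR and certificate in PEM so they paste cleanly
  enrollment terminal pem
  fqdn spoke1.myhouse.com
  subject-name cn=spoke1.myhouse.com
  rsakeypair ToMYCA
  ! no CRL is published over HTTP in this design
  revocation-check none
 ! paste the CA certificate, end with "quit", then compare the fingerprint
 ! shown here with the one from "show crypto pki server" before accepting
 crypto pki authenticate ToMYCA
 ! prints the PKCS#10 request: copy it for the CA operator
 crypto pki enroll ToMYCA
 end

! ===== back on the CA server (exec mode) =====
! paste the client's PKCS#10 request, end with "quit"
crypto pki server MYCA request pkcs10 terminal pem
! list pending requests with their request IDs and fingerprints
crypto pki server MYCA info requests
! approve request 1 (use the ID shown above); the signed cert is printed
crypto pki server MYCA grant 1
! a request you did not expect is rejected instead:
! crypto pki server MYCA reject 1

! ===== back on the client =====
configure terminal
 ! paste the granted certificate, end with "quit"
 crypto pki import ToMYCA certificate
 end
! verify: both the CA certificate and the router certificate should be listed
show crypto pki certificates
show crypto pki trustpoints status
```

                                  Two points a practitioner would check with this setup: the CA fingerprint comparison at the authenticate step is what stops a pasted CA certificate from being the wrong one, and the "info requests" output lets the operator match a pending request against the device that is supposed to be enrolling before granting it. Because everything moves over the terminal, the HTTP/SCEP service on the CA never has to be reachable from the spokes at all.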
