Cisco IOS Certificate Server set-up and client enrolment (GNS3 Lab)

A quick step by step overview of how to configure the certificate server on a Cisco IOS device.

The certificate server functionality was added in version 12.3(4). It is only available in in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups.

These are the seven basic steps that are needed to configure a fictional root certificate server on the CA IOS device shown in the topology below. If you would like to try yourself the initial GNS3 net file is [here] which includes all the basic config. The lab was made using 3600 routers running Version 12.4(16a) of IOS.

Certificate Server

Step Description
1 RSA key pair
2 PKI Trustpoint
3 Certificate Server
4 Issuing Policy
5 CRL
6 SCEP
7 Enable the Certificate server

1. RSA Key Pair – First step is to generate a private/public key pair on the CA router. The private key will be used to sign “user” certificates and the public key will distributed and used to verify certificates. In the example below our keys are labelled CE-Key.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto key generate rsa usage-keys label CA-Key modulus 2048 exportable
The name for the keys will be: CA-Key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...[OK]
% Generating 2048 bit RSA keys, keys will be exportable...[OK]

2. PKI Trustpoint – The trustpoint configures what key pair will be used within the certificate server.

CA(config)#crypto pki trustpoint CA-Server
CA(ca-trustpoint)#rsakeypair CA-Key

3. Certificate Server – Now we create and configure the actual certificate server. We configure it using the same name as the trustpoint from step 2. Then we configure a local location for the database (this can be remote) and set the database storage level to complete. Finally we configure the X.500 name information using the X.500 distinguished name (DN) format.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#database url flash:/CA-Server
CA(cs-server)#database level ?
  complete  Each issued certificate is saved to the database
  minimum   Minimum certificate info is saved to the database
  names     Certificate serial-number & subject name is saved to the database

CA(cs-server)#database level complete
CA(cs-server)#issuer-name C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN

4. Issuing Policy – We can either manually grant all certificate requests or automattically grant all requests. We will configure a password to provide some additional authentication when users try to enrol. First we configure sha-1 as the hash algorithm used to sign the certificates with (MD5 is the default). We configure the lifetime of the certificate servers signing certificate (5 years) when this expires all issued certificates are invalidated and users will have to re-enrol. Now we configure the lifetime of client issued certificates after which clients will have to re-enrol. Both lifetimes are counted in days.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#hash sha1
CA(cs-server)#lifetime ca-certificate 1825
CA(cs-server)#lifetime certificate 730
CA(cs-server)#no grant auto

5. CRL – Now we define the revocation policy used to create and maintain the Certificate Revocation List (CRL). In this example we configure the CRL to only be valid for an hour (the minimum) and publish the CRL on the router itself using the cdp-url http://MYROUTERIP/cgi-bin/pkiclient.exe?operation=GetCRL command. Note – to enter the “?” you may need to press “Ctrl+V” before entering it!!

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#lifetime crl 1
CA(cs-server)#cdp-url http://1.1.1.1/cgi-bin/pkiclient.exe?operation=GetCRL

6. SCEP – To ease admin burden and provide scalability we “configure” the use of Simple Certificate Enrollment Protocol (SCEP). This is done by enabling the IOS HTTP server.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#ip http server

7. Enable Certificate server – Finally we enable the certificate server now that all the prereqisits have been configured 🙂 First we must ensure that the time of the Certificate Server is correct! In this example we configure the CA router as a NTP master then enable the server. Well configured and synchronised time on all devices is very important in a PKI environment!!

CA(config)#clock timezone GMT 0 0
CA(config)#ntp master
CA(config)#crypto pki server CA-Server
CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:

Re-enter password:

%Some server settings cannot be changed after CA certificate generation.
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.

Now the Certificate server is configured and running 🙂 We can validate this with the show crypto pki server command.

CA#show crypto pki server
Certificate Server CA-Server:
    Status: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN
    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
    Granting mode is: manual
    Last certificate issued serial number: 0x1
    CA certificate expiration timer: 02:27:25 GMT Feb 28 2007
    CRL NextUpdate timer: 03:27:25 GMT Mar 1 2002
    Current storage dir: flash:/CA-Server
    Database Level: Complete - all issued certs written as <serialnum>.cer
CA#

Just to note that any further changes will require the certificate server to be shutdown.

Client Enrolment

Step Description
1 RSA key pair
2 PKI Trustpoint / SCEP
3 CA certificate installation
4 Erollment Request

1. RSA key pair – Much the same as on the CA router generate a public/private key pair.

VPN_Guy#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_Guy(config)#crypto key generate rsa general-keys label VPN-Key modulus 2048 exportable
The name for the keys will be: VPN-Key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...[OK]

*Mar  1 04:34:57.814: %SSH-5-ENABLED: SSH 1.99 has been enabled

2. PKI Trustpoint / SCEP – Now we need to configure the trustpoint to tell the client how we would like it to enrol. Its worth defining the source IP for this enrollment to avoid issues (See comments below and thanks for Joshua for pointing out :))

VPN_Guy(config)#crypto pki trustpoint CA-Server
VPN_Guy(ca-trustpoint)#source interface Loopback0
VPN_Guy(ca-trustpoint)#enrollment url http://1.1.1.1
VPN_Guy(ca-trustpoint)#revocation-check crl
VPN_Guy(ca-trustpoint)#fqdn VPN_Guy.m00nie.com
VPN_Guy(ca-trustpoint)#subject-name CN=VPN_Guy,OU=X.509,O=m00nieCo,C=UK
VPN_Guy(ca-trustpoint)#rsakeypair VPN-Key

3. CA certificate – Now we need to install the CA server certificate (and verify it).

VPN_Guy(config)#crypto pki authenticate CA-Server
Certificate has the following attributes:
       Fingerprint MD5: 042C977E 813C0A67 87D794DF C16B10C2
      Fingerprint SHA1: 8B182326 5FD01A2A 67572725 D3667D64 73FE9D30

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

verify the fingerprint against the output of show crypto pki server on the Certificate server.

CA#show crypto pki server
 ..
    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
..

4. Enrolment request – Now we simple enrol with the certificate server.

 VPN_Guy(config)#crypto pki enroll CA-Server

Then on the CA router

CA#crypto pki server CA-Server info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      granted    BE142DCED9C067269D1F4E740C34B77F hostname=VPN_Guy.m00nie.com,cn=VPN_Guy,ou=X.509,o=m00nieCo,c=UK

And grant the request like with the command crypto pki server CA-Server grant 1.

Now we can confirm that the VPN_Guy router has the signed certificate returned from the Certificate server

VPN_Guy#show crypt pk certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Subject:
    Name: VPN_Guy.m00nie.com
    hostname=VPN_Guy.m00nie.com
    cn=VPN_Guy
    ou=X.509
    o=m00nieCo
    c=UK
  CRL Distribution Points:
    http://1.1.1.1/cgi-bin/pkiclient.exeoperation=GetCRL
  Validity Date:
    start date: 00:19:30 UTC Mar 1 2002
    end   date: 00:19:30 UTC Feb 29 2004
  Associated Trustpoints: CA-Server

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Subject:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Validity Date:
    start date: 00:05:27 UTC Mar 1 2002
    end   date: 00:05:27 UTC Feb 28 2007
  Associated Trustpoints: CA-Server

Now we have a signed certificate installed and ready to use!

m00nie 😀

Comments

  • Thank you very much, amazing tutorial. I have one question. I followed your steps. Everything worked. I saved my work, closed GNS3.

    I opened GNS3 again and my CA server would not work. I tried to re-generate rsa key, re-did the config, did not work. I had to create a whole new CA-server in order to continue with my work.

    Any idea why I was not able to reenable the CA server after I closed and reopened GNS3?

    Thank you very much.

  • Hi Robert

    Glad you found it of some use 🙂
    I did have some problems around the flash storage and gns3. Maybe just saving the config on the device then restarting and trying show crypto pki server would shed some light on why the CA server isnt starting?
    Cheers

    m00nie

  • i followed exacltly ur steps,but the hub device got the following promt”IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.13.2 “,i don’t know why

  • hi, I tried step by step. but for client enrollment, at step 3 “crypto pki authenticate CA-Server”. I am getting the following error ” % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0 ” . Any idea ?

  • Here is who you fix {Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0 ” . Any idea ?} in the client trustpoint config make sure your source interface is defined

    crypto pki trustpoint CA
    source interface Loopback0

    This is what solved it for me.

  • Hello m00nie
    This is a great example and I’m looking forward to doing the lab tomorrow as I am not too familiar with PKI.
    One question… how would I renew the CA certificate on the CA Server itself so it doesn’t go beyond the validity date? In production we have a CA server with a CA certificate that expires soon and we would like to renew (or replace?) without the remote routers losing connection. Thanks!

  • Hi econnolly319

    I think if this is the root CA for you the only choice would be to reissue new certificates too all users (from your new CA) 🙁 If its not the root CA you should be able to start a phased migration towards a new root/intermediate 🙂
    Cheers

    m00nie

  • Hello m00nie

    just in case anyone cares…
    Labbed up our production setup as best as possible and testing the “rollover” command…
    crypto pki server servername rollover

    This created a “rollover cert” that takes over the second the current cert expires
    If you do a show crypto pki certificate you will see the current ca cert and another one labeled “rollover”

    This also created a rollover ca cert on the remote routers, also with a start date that begins the second the current certificate expires

    So far tests look good. As soon as the cert expires, the old one goes away on the ca server and remote routers, and the new one takes over without disruption of the dmvpn tunnel

Leave a Reply