This How To discusses how to set up one Cisco router as a PKI server (a Certificate Authority) and a second Cisco router as its client.
That’s right, you can run a Certificate Authority (CA) on a Cisco router and enroll your other routers with it. The advantage is simple: when certificates are used for IKE/IPsec or other control-plane protocols, only devices holding a certificate issued by your own CA can authenticate, and a router that is not part of your network has no such certificate. The trust boundary is therefore the CA’s enrollment process, which is why how you grant certificate requests (below) matters.
Set Up of the PKI Server
In order to set up the PKI server as a CA, make sure the clock is set (certificate validity dates are taken from it, so use NTP where possible), then enable the HTTP server, which the clients’ SCEP enrollment uses:
Cell_Router_CAServer# config t
Cell_Router_CAServer(config)# ip http server
Now create and start the certificate server:
Cell_Router_CAServer(config)# crypto pki server CA
Cell_Router_CAServer(cs-server)# issuer-name CN=CA,O=cellstream.com
Cell_Router_CAServer(cs-server)# grant auto
Cell_Router_CAServer(cs-server)# no shutdown
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type return to exit.
Password:
At this prompt enter a passphrase that protects the CA’s private key (it is not echoed). Keep it somewhere safe: it protects the exported copy of the signing certificate and keys that the server writes to storage, which is what you need to restore the CA.
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
% Exporting Certificate Server signing certificate and keys…
% Certificate Server enabled.
Cell_Router_CAServer(cs-server)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
Cell_Router_CAServer(cs-server)#
%PKI-6-CS_ENABLED: Certificate Server now enabled.
Cell_Router_CAServer(cs-server)# end
Cell_Router_CAServer#
The server is ready; verify it with “show crypto pki server”. Two lines of that output deserve attention. “Granting mode is: auto” means that, because of “grant auto”, any device that can reach the enrollment URL and submit a request is issued a certificate with no review; that is convenient in a lab but hands your trust anchor’s signature to anything on the network. For production, leave the default manual granting (omit “grant auto”) and approve pending requests on the server with “crypto pki server CA info requests” followed by “crypto pki server CA grant <request-id>” (or “grant all”). Also note that the server generated a 1024-bit RSA key by default, which is weak by current standards; to use a stronger key, generate an RSA key pair whose label matches the server name before “no shutdown” (for example “crypto key generate rsa general-keys label CA modulus 2048”) and the certificate server will use it.
Cell_Router_CAServer#show crypto pki server
Certificate Server CA:
Status: enabled
Server’s configuration is locked (enter “shut” to unlock it)
Issuer name: CN=CA,O=cellstream.com
CA cert fingerprint: D852D4D7 351389A5 78AA238A 219C77B7
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 09:28:08 PDT Aug 15 2017
CRL NextUpdate timer: 15:28:08 PDT Aug 16 2014
Current storage dir: nvram:
Database Level: Minimum – no cert data written to storage
Setting Up Other Routers as Clients
Once again, make sure the clock is properly set.
Always make sure the other routers have connectivity to the server. Check this with a ping to the address you will use in the enrollment URL (the server’s loopback address or similar):
Cell_Router1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/39/60 ms
Cell_Router1#
Now let’s look at the commands to configure the client. First generate the RSA key pair the router’s certificate will be issued for:
Cell_Router1# config t
Cell_Router1(config)# crypto key generate rsa general-keys label Cell_Router1 modulus 2048
The name for the keys will be: Cell_Router1
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, the keys will be non-exportable…[OK]
Cell_Router1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
Cell_Router1(config)#
Next, define the trustpoint that points Router1 at the CA:
Cell_Router1(config)# crypto pki trustpoint Cell-Trusted-CA
Cell_Router1(ca-trustpoint)# enrollment url http://192.168.1.1 !this is the IP address of the CA server router
You can specify the key pair and other options as well. The “rsakeypair” label must match the key pair generated above (Cell_Router1); if it names a key pair that does not exist, IOS silently generates a new one at enrollment time, and the certificate ends up issued for that key rather than the 2048-bit one you made:
Cell_Router1(ca-trustpoint)# rsakeypair Cell_Router1
Cell_Router1(ca-trustpoint)# fqdn R1.cellstream.com
Cell_Router1(ca-trustpoint)# subject-name CN=R1, O=cellstream.com
Cell_Router1(ca-trustpoint)# revocation-check none !disables CRL checking; acceptable for this lab, but in production point the trustpoint at a reachable CRL and use revocation-check crl
Cell_Router1(ca-trustpoint)# exit
Cell_Router1(config)#
With everything in place, the first step is to obtain and authenticate the CA’s own certificate. On the client issue the following command:
Cell_Router1(config)#crypto pki authenticate Cell-Trusted-CA
If the server is reachable you are shown the fingerprints of the certificate that was downloaded over HTTP (your values will be different, of course). Before answering yes, compare the MD5 fingerprint with the “CA cert fingerprint” line of “show crypto pki server” on the CA router itself, read over the console or an already-trusted session rather than over the same HTTP path; here D852D4D7 351389A5 78AA238A 219C77B7 matches the server output above. Accepting without that comparison means trusting whatever answered at 192.168.1.1:
Certificate has the following attributes:
Fingerprint MD5: D852D4D7 351389A5 78AA238A 219C77B7
Fingerprint SHA1: 85978CB3 14FF7D48 0C8B8723 337AA4EE 2975E5F1
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Cell_Router1(config)#
You can verify the certificate with the following show command:
Cell_Router1(config)#do show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA
o=cellstream.com
Subject:
cn=CA
o=cellstream.com
Validity Date:
start date: 09:28:09 PDT Aug 16 2014
end date: 09:28:09 PDT Aug 15 2017
Associated Trustpoints: Cell-Trusted-CA
Cell_Router1(config)#
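The fingerprint comparison above is the one step in this procedure that actually establishes trust, and it is easy to skip when the prompt is on screen. The following Python script is an added example, not part of the original article or of Cisco’s software: it fetches the CA certificate the same way the client does (SCEP GetCACert over HTTP) and checks its hash against the “CA cert fingerprint” line that an operator has pasted from the CA router’s own “show crypto pki server” output. It assumes the IOS certificate server answers GetCACert at /cgi-bin/pkiclient.exe under the trustpoint’s enrollment URL and returns the bare DER certificate with the standard application/x-x509-ca-cert content type; the sample show output embedded below is constructed from the article’s server-side output, and the address 192.168.1.1 is the article’s lab CA.

```python
"""Added example (not from the original article): check a Cisco IOS CA's
certificate fingerprint against what the CA router itself reports, before
a client is told to accept it.

Assumptions: the IOS certificate server answers SCEP GetCACert at
http://<server>/cgi-bin/pkiclient.exe (the trustpoint's enrollment url is the
base) and returns a bare DER certificate; the operator has pasted the
server-side 'show crypto pki server' output, read out of band over the CA
router's console, into EXPECTED_SHOW_OUTPUT.
"""
import hashlib
import re
import urllib.request
from urllib.parse import urlencode

SCEP_PATH = "/cgi-bin/pkiclient.exe"

# Constructed sample: the server-side output from the article, as an operator
# would paste it after reading it on the CA router's console.
EXPECTED_SHOW_OUTPUT = """\
Certificate Server CA:
Status: enabled
Issuer name: CN=CA,O=cellstream.com
CA cert fingerprint: D852D4D7 351389A5 78AA238A 219C77B7
Granting mode is: auto
"""


def ios_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hash a DER-encoded certificate and lay the hex out the way IOS prints
    'Fingerprint MD5:' / 'Fingerprint SHA1:' (upper case, 8 digits per group)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so fingerprints from different tools compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def expected_fingerprint(show_output: str) -> str:
    """Pull the CA certificate fingerprint out of 'show crypto pki server' text."""
    m = re.search(r"CA cert fingerprint:\s*([0-9A-Fa-f ]+)", show_output)
    if not m:
        raise ValueError("no 'CA cert fingerprint:' line in show output")
    return normalize(m.group(1))


def fetch_ca_cert(enrollment_url: str, timeout: float = 5.0) -> bytes:
    """SCEP GetCACert: GET <base>/cgi-bin/pkiclient.exe?operation=GetCACert&message=CA.
    A PKCS#7 chain (application/x-x509-ca-ra-cert) is refused rather than
    mis-hashed, because the fingerprint IOS prints is over the certificate alone."""
    query = urlencode({"operation": "GetCACert", "message": "CA"})
    url = enrollment_url.rstrip("/") + SCEP_PATH + "?" + query
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        body = resp.read()
    if "x-x509-ca-cert" not in ctype:
        raise ValueError(f"unexpected GetCACert content type {ctype!r}")
    return body


def ca_cert_matches(der: bytes, show_output: str) -> bool:
    """True only if the certificate the client would accept hashes to the
    fingerprint the CA administrator read off the server itself."""
    return normalize(ios_fingerprint(der, "md5")) == expected_fingerprint(show_output)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.1"
    cert = fetch_ca_cert(base)
    print("MD5 :", ios_fingerprint(cert, "md5"))
    print("SHA1:", ios_fingerprint(cert, "sha1"))
    print("matches CA router's own output:", ca_cert_matches(cert, EXPECTED_SHOW_OUTPUT))
```

Run it from a host that can reach the enrollment URL, after replacing EXPECTED_SHOW_OUTPUT with what you read on the CA router; only answer “yes” to “crypto pki authenticate” when the script reports a match. The script compares MD5 because that is the digest IOS prints in “show crypto pki server”; for a 2048-bit key and a private CA that is acceptable as an identity check of a certificate you fetched yourself, and the SHA1 value is printed alongside for comparison with the client-side prompt.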
Now that the CA certificate is trusted, enroll the router to obtain its own certificate from the CA:
Cell_Router1(config)#crypto pki enroll Cell-Trusted-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Here you choose a challenge password for this enrollment request; it is not the passphrase set on the CA server. The IOS CA stores it with the request and asks for it if the certificate is later revoked, so note it down. It is not displayed on the screen.
Aug 16 15:51:59.739: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
Re-enter the password; again it is not displayed. The “%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair” line in this session shows IOS creating a fresh, weak 512-bit key pair because the trustpoint’s “rsakeypair” label (R1.cellstream.com) named no existing key pair, so the 2048-bit key pair generated earlier (Cell_Router1) was never used; with matching labels the line does not appear and the certificate is issued for the 2048-bit key. Answer the remaining yes/no questions as shown, or as you prefer:
% The subject name in the certificate will include: CN=R1, O=cellstream.com
% The subject name in the certificate will include: R1.cellstream.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FF1045C5
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The ‘show crypto ca certificate Cell-Trusted-CA verbose’ command will show the fingerprint.
Cell_Router1(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: D123DE99 D23544D1 715A12B9 219B5502
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 100BCEF0 94D0E6B9 0D558ECD BF14EBAD 4777FED3
Cell_Router1(config)#
Aug 16 15:52:33.363: %PKI-6-CERTRET: Certificate received from Certificate Authority
Cell_Router1(config)#
You can verify the certificates on the client with the following show command. Both the router’s own certificate (serial number 02, valid for one year) and the CA certificate should now be listed under the trustpoint:
Cell_Router1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=CA
o=cellstream.com
Subject:
Name: R1.cellstream.com
Serial Number: FF1045C5
serialNumber=FF1045C5+hostname=R1.cellstream.com
cn=R1
o=cellstream.com
Validity Date:
start date: 09:52:16 PDT Aug 16 2014
end date: 09:52:16 PDT Aug 16 2015
Associated Trustpoints: Cell-Trusted-CA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA
o=cellstream.com
Subject:
cn=CA
o=cellstream.com
Validity Date:
start date: 09:28:09 PDT Aug 16 2014
end date: 09:28:09 PDT Aug 15 2017
Associated Trustpoints: Cell-Trusted-CA
Cell_Router1#
That’s it! We hope this helps.