Usually when we mention Public Key Infrastructure we think of an external Certificate Authority like Verisign or GoDaddy. It turns out that the SCEP protocol lets us run our own CA in a Cisco environment, and the certificates it issues can then be used for ISAKMP IKEv1 or IKEv2 authentication.
Firstly, let’s recall what Digital Certificates are and what they do during the authentication process.
A Digital Certificate is nothing more than proof that we are who we claim to be, certified by an independent third party. A Digital Certificate contains information like:
Subject Name, Issuer Name, Serial Number, Version, Validity Period, Digital Signature
(generated with the Private Key of the Issuer over a message digest, i.e. a HASH, and verified with the Public Key of the Issuer), Signature Algorithm and Public Key of the Subject.
How does authentication via Digital Certificates work?
Let’s use a simple example:
1. The CA has its own Digital Certificate.
2. R1 asks the CA for a copy of its Digital Certificate in order to authenticate the Certificate Authority. This Digital Certificate includes the CA Public Key, which is necessary to verify the CA Digital Signature.
3. R1, now holding the CA Digital Certificate, asks the CA for its own Identity Certificate. To get one it first has to generate a private/public key pair. R1 sends its Public Key together with its credentials and attributes to the CA. This process is called “Enrollment”.
4. The CA verifies the credentials and data that R1 sent and checks that R1 is in fact R1 before issuing a Digital Certificate for R1.
5. If everything is all right, the CA issues a Digital Certificate for R1 that is signed with the CA Digital Signature (a HASH encrypted with the CA Private Key).
6. Now, the two routers that are going to authenticate each other via Digital Certificates exchange their Digital Certificates bearing the CA signature.
7. Because R1 and R2 have each authenticated the CA and obtained a copy of its Digital Certificate, which includes the CA Public Key, they can verify the CA Digital Signatures on the Digital Certificates they have exchanged.
8. R1 and R2 extract each other’s Public Key from the exchanged Digital Certificates. R1 and R2 will use these Public Keys to decrypt data that has been encrypted with the Private Key of R1 and R2.
The Simple Certificate Enrollment Protocol makes it easy to deploy a Certificate Authority quickly on Cisco routers.
Let’s see how to implement the CA and enroll the router R1 to obtain its own Digital Certificate.
Before we start configuring we have to make sure that the date and time are the same on each router; we also have to configure ip domain-name and hostname on the CA.
We have to enable SCEP by enabling the HTTP server:
ip http server
Then we have to generate the RSA private/public key pair:
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 1024 exportable
We create the PKI trustpoint and point out what key pair we will be using with it:
crypto pki trustpoint ROOT-CA
Now we specify the PKI server name:
crypto pki server ROOT-CA
We specify the issuer name using LDAP attributes:
CN=commonName, o=organizationName, c=country
issuer-name CN=ROOT-CA, o=itbundle.net, c=IR
The default storage location for certificates is NVRAM; we may also specify how much data we want to store:
database level complete
We configure the hash used to sign certificates.
Lifetimes for: the CA certificate, client certificates and the CRL:
lifetime ca-certificate 3600
lifetime certificate 1825
lifetime crl 336
We don’t want certificates to be issued automatically without the assistance of an administrator:
no grant auto
We just enable the CA server by:
Let’s verify that our CA server works by issuing the command “show crypto pki server”:
show crypto pki server ROOT-CA requests
Client certificate enrollment configuration:
We generate the private/public RSA key pair:
crypto key generate rsa label R1keypair modulus 1024
We specify the trustpoint:
crypto pki trustpoint ROOT-CA
Because we use SCEP we are allowed to enroll directly over HTTP:
enrollment url http://126.96.36.199
We specify the name that will appear in the certificate request:
subject-name CN=R1, o=itbundle.net
We point out the key pair that we are going to use and configure certificate revocation checking for the peer.
Now we are ready to enroll; first we have to get the CA Identity Certificate:
crypto pki authenticate ROOT-CA
And we enroll for our own Digital Certificate:
crypto pki enroll ROOT-CA
Now, let’s see the pending certificate requests on the CA:
and let’s grant the certificate to R1, request number 1:
crypto pki server ROOT-CA grant 1
and let’s check our brand new granted certificate on R1.
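As an added worked example (not the original post’s configuration), here is the whole procedure assembled in configuration order on both routers, with the commands the post leaves out (no shutdown, hash sha256, rsakeypair, revocation-check and the show commands) filled in as my assumptions of standard IOS syntax. The CA address is a placeholder, and 2048-bit moduli replace the post’s 1024-bit ones because 1024-bit RSA is below current guidance.

```cisco
! ---- CA router (ROOT-CA), global configuration mode ----
! Assumed prerequisites: hostname, ip domain-name and a synchronised clock
hostname ROOT-CA
ip domain-name itbundle.net
! SCEP is served by the HTTP server
ip http server
! 2048-bit key instead of the post's 1024-bit (1024-bit RSA is considered weak)
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 2048 exportable
! Trustpoint with the same name as the server, bound to the CA key pair
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA-KEY
 exit
crypto pki server ROOT-CA
 issuer-name CN=ROOT-CA, o=itbundle.net, c=IR
 database level complete
 hash sha256
 lifetime ca-certificate 3600
 lifetime certificate 1825
 lifetime crl 336
 ! every request must be granted by an administrator
 no grant auto
 ! starts the CA; IOS prompts for a passphrase protecting the CA private key
 no shutdown
 exit
! ---- CA router, privileged EXEC: verify and grant ----
show crypto pki server
show crypto pki server ROOT-CA requests
crypto pki server ROOT-CA grant 1

! ---- Client router (R1), global configuration mode ----
hostname R1
ip domain-name itbundle.net
crypto key generate rsa label R1keypair modulus 2048
crypto pki trustpoint ROOT-CA
 ! placeholder: replace with the CA's reachable address
 enrollment url http://CA-IP-ADDRESS
 subject-name CN=R1, o=itbundle.net
 rsakeypair R1keypair
 ! keep CRL checking on; 'revocation-check none' is a deliberate lab-only choice
 revocation-check crl
 exit
! fetch and verify the CA certificate (compare the fingerprint shown with the CA's)
crypto pki authenticate ROOT-CA
! send the enrollment request over SCEP
crypto pki enroll ROOT-CA
! ---- Client router, privileged EXEC: inspect the issued certificate ----
show crypto pki certificates
```

When crypto pki authenticate prints the CA certificate fingerprint, compare it against the fingerprint shown on the CA itself before accepting; that step is what stops a rogue CA from being trusted.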