PKI server and client configuration example.

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to configure a PKI (certificate) server and a PKI client on Cisco IOS routers. The demonstration was done in GNS3.

The following prerequisites must be in place for the PKI server and client to work:

A. The HTTP server is enabled on the CA (SCEP enrollment runs over HTTP).

B. The time is synchronized via NTP (IMPORTANT: if the CA server's clock is ahead of the client's, the enrollment will fail, because the issued certificate is not yet valid from the client's point of view).

C. A general-purpose RSA key pair is generated.

D. A domain name is configured.

Configuration for server:

R3(config)# crypto pki server ROOT_CA
R3(cs-server)# grant ?
  auto     Automatically grant incoming SCEP enrollment requests
  none     Automatically reject any incoming SCEP enrollment request
  ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
R3(cs-server)# grant auto
R3(cs-server)# lifetime certificate ?
  Lifetime in days
R3(cs-server)# lifetime certificate 365
R3(cs-server)# issuer-name ?
  LINE  Issuer name
R3(cs-server)# issuer-name CN=R3.ine.com
R3(config)# ip domain name ine.com
R3(config)# do sh run | s pki
crypto pki server ROOT_CA
 no database archive
 issuer-name CN=R3.ine.com
 grant auto
 shutdown

R3(config)# crypto pki server ROOT_CA
R3(cs-server)# no shut
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R3# sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    Start date: 06:25:29 UTC Jun 4 2018
    End date:   06:25:29 UTC Jun 3 2021
  Associated Trustpoints: ROOT_CA

R3# sh crypto pki server
Certificate Server ROOT_CA:
    Status: disabled, HTTP Server is disabled!   !-- http is disabled
    State: check failed
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

R3(config)# ip http server

R3# sh crypto pki server
Certificate Server ROOT_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage


Configuration for client:

R1(config)# crypto pki trustpoint R3
R1(ca-trustpoint)# enrollment url http://150.1.3.3
R1(config)# crypto key generate rsa general-keys label IPSEC_PKI modulus 1024

R1# sh crypto key mypubkey rsa
% Key pair was generated at: 06:41:08 UTC Jun 4 2018
Key name: IPSEC_PKI
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:


% Key pair was generated at: 06:41:09 UTC Jun 4 2018
Key name: IPSEC_PKI.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:


R1# sh run | s pki
crypto pki trustpoint R3
 enrollment url http://150.1.3.3:80
 revocation-check crl   !-- This is a lab environment, so it is changed to none.

R1(config)# crypto pki trustpoint R3
R1(ca-trustpoint)# revocation-check none
R1(ca-trustpoint)# rsakeypair IPSEC_PKI

Debugging:

R1# debug crypto pki transactions
Crypto PKI Trans debugging is on

R3# debug crypto pki server
Crypto PKI Certificate Server debugging is on

R1(config)# crypto pki authenticate R3
Certificate has the following attributes:
       Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
      Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A

% Do you accept this certificate? [yes/no]:
Jun 4 06:49:42.534: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=R3 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.534: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.535: CRYPTO_PKI: http connection opened
Jun 4 06:49:42.535: CRYPTO_PKI: Sending HTTP message
Jun 4 06:49:42.535: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.537: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.537: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.550: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.550: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-x509-ca-cert
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Content-Type indicates we have received a CA certificate.
Jun 4 06:49:42.551: Received 519 bytes from server as CA certificate:
Jun 4 06:49:42.551: CRYPTO_PKI_SCEP: Client Sending GetCACaps request
Jun 4 06:49:42.551: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.552: CRYPTO_PKI: http connection opened
Jun 4 06:49:42.552: CRYPTO_PKI: Sending HTTP message
Jun 4 06:49:42.552: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.553: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.553: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.564: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.564: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

CA_CAP_GET_NEXT_CA_CERT CA_CAP_RENEWAL CA_CAP_SHA_1 CA_CAP_SHA_256 CA_CAP_SHA_384 CA_CAP_SHA_512
Jun 4 06:49:42.564: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.
Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.
Jun 4 06:49:42.565: CRYPTO_PKI: crypto_pki_authenticate_tp_cert
Jun 4 06:49:42.565: CRYPTO_PKI: trustpoint R3 authentication status = 0
% Please answer 'yes' or 'no'.
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
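The GetCACert / GetCACaps exchange visible in the debug output above, redone as an added Python example (not code from the original article or from Cisco): it builds the pkiclient.exe request path, refuses the CA certificate unless the Content-Type is right and its fingerprint (rendered the way IOS prints it) matches a value read out of band on the CA itself, and picks the strongest hash the CA advertises. The capability keywords follow the SCEP specification (RFC 8894); the DER bytes used when running it are constructed stand-ins, not R3's real certificate.

```python
import hashlib
from urllib.parse import urlencode

# Content-Type the CA answers a GetCACert with when it returns a single DER
# certificate, as in the debug output above (the CA+RA variant is
# application/x-x509-ca-ra-cert and carries a PKCS#7 that must be unpacked first).
CA_CERT_TYPE = "application/x-x509-ca-cert"


def scep_request_path(operation, message=None):
    """Build the request path IOS sends, e.g. operation=GetCACert&message=R3."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return "/cgi-bin/pkiclient.exe?" + urlencode(params)


def ios_fingerprint(der, algo):
    """Digest of the DER certificate in the format IOS prints fingerprints:
    uppercase hex, grouped eight characters at a time."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def check_ca_cert_response(content_type, body, expected_fp, algo="md5"):
    """Decide whether to answer 'yes' to '% Do you accept this certificate?'.

    The CA is trusted only if the response really is a CA certificate and its
    fingerprint equals the value read on the CA console ('show crypto pki
    server' on R3 prints the MD5 form), i.e. obtained out of band, not from
    the same HTTP session that delivered the certificate."""
    if content_type != CA_CERT_TYPE:
        return False, f"unexpected Content-Type {content_type!r}"
    fingerprint = ios_fingerprint(body, algo)
    if fingerprint != expected_fp:
        return False, f"fingerprint mismatch, got {fingerprint}"
    return True, fingerprint


def parse_ca_caps(body):
    """Parse a GetCACaps body: one capability keyword per line (RFC 8894)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def pick_hash(caps):
    """Strongest digest the CA advertises for the later PKIOperation messages;
    MD5 is the fallback only when the CA advertises no SHA variant at all."""
    for cap, algo in (("SHA-512", "sha512"), ("SHA-256", "sha256"), ("SHA-1", "sha1")):
        if cap in caps:
            return algo
    return "md5"
```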

R1(config)# crypto pki enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.ine.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 2048012
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 150.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R3' command will show the fingerprint.

R3(config)#
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS received SCEP GetCACert request
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS sending CA certificate
Jun 4 06:49:42.544: CRYPTO_CS: CA certificate sent
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CS received GetCACaps request
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CA sending list of capabilites (GetNextCACert Renewal SHA2 hashes)
Jun 4 06:49:42.562: CRYPTO_CS: Capabilities sent
R3(config)#
Jun 4 06:53:08.454: CRYPTO_PKI_SCEP: CS received PKIOperation request
Jun 4 06:53:08.454: CRYPTO_CS: processing SCEP request, 2121 bytes
Jun 4 06:53:08.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
Jun 4 06:53:08.460: CRYPTO_CS: scep msg type - 19
Jun 4 06:53:08.460: CRYPTO_CS: trans id - E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
Jun 4 06:53:08.464: CRYPTO_CS: received an enrollment request
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to trans id E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment password (challenge) obtained from pkcs10 message is cisco123
Jun 4 06:53:08.464: CRYPTO_CS: No enrollment request in the erdbase corresponding to challenge cisco123
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to enrollment password cisco123
Jun 4 06:53:08.464: CRYPTO_CS: cert which signed the enrollment request is not an RA cert
Jun 4 06:53:08.464: CRYPTO_CS: checking policy for enrollment request ID=1
Jun 4 06:53:08.464: CRYPTO_CS: request has been authorized, transaction id=E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: locking the CS
Jun 4 06:53:08.464: CRYPTO_CS: added key usage extension
Jun 4 06:53:08.464: CRYPTO_CS: Validity: 06:53:08 UTC Jun 4 2018 - 06:53:08 UTC Jun 4 2019
Jun 4 06:53:08.468: CRYPTO_CS: writing serial number 0x2.
Jun 4 06:53:08.468: CRYPTO_CS: file opened: nvram:ROOT_CA.ser
Jun 4 06:53:08.468: CRYPTO_CS: Writing 32 bytes to ser file
Jun 4 06:53:08.468: CRYPTO_CS: reqID=1 granted, fingerprint=B
Jun 4 06:53:08.468: CRYPTO_CS: unlocking the CS
Jun 4 06:53:08.468: CRYPTO_PKI_SCEP: CS Sending CertRep Response - GRANTED (E98E01D5675545C286BA0F7719D0A62C)
Jun 4 06:53:08.468: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
R3(config)#
Jun 4 06:53:08.478: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
Jun 4 06:53:08.482: CRYPTO_CS: Certificate generated and sent to requestor

R1(config)# do sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=R3.ine.com
  Subject:
    Name: R1.ine.com
    IP Address: 150.1.1.1
    Serial Number: 2048012
    serialNumber=2048012+ipaddress=150.1.1.1+hostname=R1.ine.com
  Validity Date:
    Start date: 06:53:08 UTC Jun 4 2018
    End date:   06:53:08 UTC Jun 4 2019
  Associated Trustpoints: R3

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    Start date: 06:25:29 UTC Jun 4 2018
    End date:   06:25:29 UTC Jun 3 2021
  Associated Trustpoints: R3

The enrollment below was done on an ASA. Because the CA server's clock was ahead of the ASA's system time, the enrollment failed: the certificate the CA issued was not yet valid from the ASA's point of view.

asa1/act/pri(config)# crypto ca enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: *
Re-enter password: *

% The fully-qualified domain name in the certificate will be: asa1.ine.com
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9APW6PPKHC0
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1/act/pri(config)#
Certificate is not valid yet.
The certificate enrollment request failed!
%ASA-3-717002: Certificate enrollment failed for trustpoint R3.  Reason: Generic request failure.
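The "Certificate is not valid yet" failure above, modelled as an added Python example (not code from the article or from Cisco): the CA stamps notBefore with its own clock, so a client whose clock is behind the CA rejects the freshly issued certificate. The timestamps follow the format `show crypto pki certificates` prints; the client clock values used when running it are constructed, while the 365-day and 1095-day windows are the ones the R1 and CA certificates above show.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format printed by 'show crypto pki certificates', e.g. '06:53:08 UTC Jun 4 2018'.
IOS_TIME_FMT = "%H:%M:%S UTC %b %d %Y"


def parse_ios_time(text):
    """Parse an IOS validity timestamp into an aware UTC datetime."""
    return datetime.strptime(text, IOS_TIME_FMT).replace(tzinfo=timezone.utc)


def format_ios_time(when):
    """Inverse of parse_ios_time (IOS prints the day without zero padding)."""
    return when.strftime("%H:%M:%S UTC %b ") + str(when.day) + when.strftime(" %Y")


def issue_validity(ca_clock, lifetime_days):
    """Validity window the CA stamps on a certificate: it begins at the CA's own
    clock and runs for the configured 'lifetime certificate' number of days."""
    not_before = parse_ios_time(ca_clock)
    return not_before, not_before + timedelta(days=lifetime_days)


def validity_status(not_before, not_after, client_clock, tolerance=timedelta(0)):
    """Classify a certificate as the client sees it, returning (status, skew_seconds).

    'tolerance' models a relying party willing to forgive some skew; IOS and ASA
    forgive none, which is why a CA clock ahead of the client yields
    'Certificate is not valid yet' and NTP on both sides is a prerequisite."""
    now = parse_ios_time(client_clock)
    if now + tolerance < not_before:
        return "not valid yet", int((not_before - now).total_seconds())
    if now - tolerance > not_after:
        return "expired", int((now - not_after).total_seconds())
    return "valid", 0


def check_enrollment(ca_clock, client_clock, lifetime_days):
    """Simulate an enrollment: the CA issues at ca_clock, then the client
    validates the new certificate against its own clock."""
    not_before, not_after = issue_validity(ca_clock, lifetime_days)
    return validity_status(not_before, not_after, client_clock)
```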
