Beruflich Dokumente
Kultur Dokumente
Introduction
Prerequisites
Requirements
Components Used
Network Diagram
Conventions
Generate and Export the RSA Key Pair for the Certificate Server
Export the Generated Key Pair
Verify the Generated Key Pair
Enable the HTTP Server on the Router
Enable and Configure the CA Server on the Router
Configure and Enroll the Second IOS Router (R2) to the Certificate Server
Verify
Troubleshoot
NetPro Discussion Forums − Featured Conversations
Related Information
Introduction
This document describes how to configure a Cisco IOS® router as a Certificate Authority (CA) server.
Additionally, it illustrates how to enroll another Cisco IOS router to obtain a root and ID certificate for IPsec
authentication from the CA server.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
• Two Cisco 2600 Series Routers that run Cisco IOS Software Release 12.3(4)T3.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Network Diagram
This document uses this network setup:
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Generate and Export the RSA Key Pair for the Certificate
Server
The first step is to generate the RSA key pair that the Cisco IOS CA server uses. On the router (R1), generate
the RSA keys as this output shows:
R1(config)#
*Jan 22 09:51:46.116: %SSH−5−ENABLED: SSH 1.99 has been enabled
Note: You must use the same name for the key pair (key−label) that you plan to use for the certificate server
(via the crypto pki server cs−label command covered later).
R1(config)#crypto key export rsa cisco1 pem url nvram: 3des cisco123
If you use a TFTP server, you can re−import the generated key pair as this command shows:
crypto key import rsa key−label pem [usage−keys] {terminal | url url} [exportable] passphra
Note: If you do not want the key to be exportable from your certificate server, import it back to the certificate
server after it has been exported as a non−exportable key pair. This way, the key cannot be taken off again.
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
1. It is very important to remember that the certificate server must use the same name as the key pair you
just manually generated.
After you have enabled a certificate server, you can use the preconfigured default values or specify
values via CLI for the functionality of the certificate server.
2. The database url command specifies the location where all database entries for the CA server are
written out. If this command is not specified, all database entries are written to Flash.
This command controls what type of data is stored in the certificate enrollment database:
Valid values range from 1 day to 1825 days. The default CA certificate lifetime is three years and the
default certificate lifetime is one year. The maximum certificate lifetime is one month less than the
lifetime of the CA certificate. For example:
R1(cs−server)#lifetime crl 24
7. Define a Certificate−Revocation−List Distribution Point (CDP) to use in the certificates that are
issued by the certificate server.
The URL must be an HTTP URL. For example, our server had an IP address of 172.18.108.26:
R1(cs−server)#cdp−url http://172.18.108.26/cisco1cdp.cisco1.crl
8. Issue the no shutdown command in order to enable the CA server:
R1(cs−server)#no shutdown
Note: Issue this command only after you have completely configured your certificate server.
Use the hostname command in order to configure the hostname of the router to be R2:
Router(config)#hostname R2
R2(config)#
Notice that the hostname of the router changed immediately after you entered the hostname
command.
Use the ip domain−name command in order to configure the domain name on the router:
Use the crypto key generate rsa command in order to generate the R2 key pair:
Note: The crypto ca trustpoint command unifies the existing crypto ca identity command and
crypto ca trusted−root command, thereby providing combined functionality under a single
command.
3. Use the crypto ca authenticate cisco command (cisco is the trustpoint label) in order to retrieve the
root certificate from the CA server:
After successfully enrolling to the Cisco IOS CA server, you should see the issued certificates by
using the command show crypto ca certificates. This is the output of the command. The command
displays the detailed certificate information, which correspond with the parameters configured in the
Cisco IOS CA server:
hostname(config)#write memory
6. Enter this command in order to save the configuration:
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
Note: Only one OTP is valid at a time. If a second OTP is generated, the previous OTP is no longer
valid.
• crypto pki server cs−label revoke certificate−serial−number Revokes a certificate based on its
serial number.
• crypto pki server cs−label request pkcs10 {url url | terminal} [pem]Manually adds either the
base64 or PEM PKCS10 certificate enrollment request to the request database.
• crypto pki server cs−label info crlDisplays information regarding the status of the current CRL.
• crypto pki server cs−label info request Displays all outstanding certificate enrollment requests.
See the Verify the Generated Key Pair section of this document for additional verification information.
Troubleshoot
Refer to IP Security Troubleshooting − Understanding and Using debug Commands for troubleshooting
information.
Note: In many situations, you can solve the problems when you delete and re−define the CA server.
Related Information
• IPsec Negotiation/IKE Protocols
• Technical Support & Documentation − Cisco Systems
All contents are Copyright © 2006−2007 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.