Enrolling the Cisco ASA to a CA Using SCEP

Enrollment is the process of obtaining a certificate from a CA server. This section covers the necessary steps to configure and enroll a Cisco ASA to a CA server.

Generating the RSA Key Pair

Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 17-1 demonstrates how to configure the Cisco ASA host name and domain name and generate the RSA key pair.

Example 17-1. Generating the RSA Key Pair

ASA(config)# hostname Chicago

Chicago(config)# domain-name securemeinc.om

Chicago(config)# crypto key generate rsa modulus 1024

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin.

Use the crypto key zeroize rsa command if an RSA key pair exists and a new pair needs to be regenerated. Example 17-2 demonstrates how to remove existing RSA key pairs.

Example 17-2. Removing Existing RSA Key Pair

Chicago(config)# crypto key zeroize rsa

WARNING: All RSA keys will be removed.

WARNING: All certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

To verify the generation of the RSA key pair, use the show crypto key mypubkey rsa command. Example 17-3 shows the output of this command.

Example 17-3. Viewing RSA Key Pair Information

Chicago# show crypto key mypubkey rsa

Key pair was generated at: 08:46:31 UTC Jul 10 2005

Key name: <Default-RSA-Key>

 Usage: General Purpose Key

 Modulus Size (bits): 1024

 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f26be4

  08b00ac5 fb06adda 7c7a2ae6 26c136ce 990f5612 41d6fa09 79ef251f d229dcc0

  64bc15f8 1b3a4f1e 131f1765 866dfb3a bb8c3a59 f8605625 8e8ff0ca 90d291d0

  75c753c3 dd5f55f3 6d49d774 523b9d8b 78ad05b4 efd75793 88ac9646 7e8c8816

  017d464d 4a817041 a559dc63 2532c657 cc12373a c7b733f1 a50bdb82 61020301 0001

Configuring a Trustpoint

The Cisco ASA certificate configuration commands are similar to Cisco IOS commands. The crypto ca trustpoint command declares the CA that your Cisco ASA should use and allows you to configure all the necessary certificate parameters. Invoking this command puts you in ca-trustpoint configuration mode, as shown in Example 17-4.

Example 17-4. Configuring a Trustpoint

Chicago# configure terminal

Chicago(config)# crypto ca trustpoint CISCO

Chicago(ca-trustpoint)#

Table 17-1 lists and describes all the ca-trustpoint subcommands.

Table 17-1. Enrollment Configuration Subcommands

Subcommand	Description
accept-subordinates	Allows the Cisco ASA to accept subordinate CA certificates
crl	CRL options (explained later in this chapter)
default	Returns all enrollment parameters to their default values
email	Used to enter the e-mail address to be used in the enrollment request
enrollment	Enrollment parameters: retry� Polling retry count and period self� Enrollment will generate a self-signed certificate terminal� Used for manual enrollment (cut-and-paste method) url� The URL of the CA server
fqdn	Includes fully qualified domain name
id-cert-issuer	Accepts ID certificates
ip-address	Includes IP address
keypair	Specifies the key pair whose public key is to be certified
password	Returns password
serial-number	Includes serial number
subject-name	Subject name
support_user_cert_validation	Validates remote user certificates using the configuration from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate

Figure 17-4 illustrates a topology that is used in the next example. A Cisco ASA is configured to enroll via SCEP to the CA server 209.165.202.130.

Example 17-5 includes the Cisco ASA trustpoint configuration.

Example 17-5. Configuring the ASA to Enroll via SCEP

Chicago# configure terminal

Chicago(config)# crypto ca trustpoint CISCO

Chicago(ca-trustpoint)# enrollment url http://209.165.202.130/certsrv/mscep/

  mscep.dll

Chicago(ca-trustpoint)# enrollment retry count 3

Chicago(ca-trustpoint)# enrollment retry period 5

Chicago(ca-trustpoint)# fqdn Chicago.securemeinc.com

Chicago(ca-trustpoint)# exit

Chicago(config)# exit

Chicago#

In Example 17-5, the Cisco ASA is configured with a trustpoint named CISCO. The enrollment url subcommand is used to declare the location of the CA server.

The Cisco ASA is configured to retry three times in case the certificate is not successfully obtained from the CA Server. It is also configured to wait 5 minutes between each request to the CA. The fully qualified domain name (FQDN) used in the enrollment request is configured to be Chicago.securemeinc.com.

In this example, the Cisco ASA enrolls with the CA to use certificates for IPSec authentication. The Cisco ASA needs to obtain the CA certificate and request an ID certificate from the CA server. To obtain the CA certificate, use the crypto ca authenticate command. Example 17-6 demonstrates how to use this command to retrieve the CA certificate from the CA server.

Example 17-6. Obtaining the CA Certificate from the CA Server

Chicago# configure terminal

Chicago(config)# crypto ca authenticate CISCO

INFO: Certificate has the following attributes:

Fingerprint:     3736ffc2 243ecf05 0c40f2fa 26820675

Do you accept this certificate? [yes/no]: yes

In Example 17-6, CISCO is the name of the previously configured trustpoint. After executing this command, the Cisco ASA establishes a TCP port 80 connection to the 209.165.202.130 CA server (via SCEP). While doing this transaction, the Cisco ASA prompts you to accept the certificate.

After the CA certificate is obtained from the CA server, use the crypto ca enroll command to generate an identity certificate request to the 209.165.202.130 CA server. Example 17-7 demonstrates how to use this command to obtain the ID certificate.

Example 17-7. Obtaining the ID Certificate from the CA Server

Chicago(config)# crypto ca enroll CISCO

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

Password:

Re-enter password:

% The fully-qualified domain name in the certificate will be:

Chicago.securemeinc.com

% Include the router serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

Chicago(config)# The certificate has been granted by CA!

The word CISCO is the name of the previously configured trustpoint. After invoking the crypto ca enroll command, the Cisco ASA asks you for a password to be used for this certificate. The Cisco ASA displays the FQDN to be used in the certificate. As shown in the third shaded line, the Cisco ASA asks if you would like to include its serial number in the subject name of the certificate. This is not selected in this example. The serial number is not used by IKE but may be used by the CA server to authenticate certificates or to associate a certificate with a particular device. If you are in doubt, ask your CA administrator if you need to include the serial number in your certificate request. In the fourth shaded line, the Cisco ASA finally asks if you would like to request the certificate from the CA. If your answer is yes and the subsequent request is successful, the message in the fifth shaded line is shown, indicating a successful certificate enrollment.

Use the show crypto ca certificates command to verify and display the root/CA and ID certificate information. Example 17-8 shows the output of this command.

Example 17-8. Output of show crypto ca certificates

Chicago# show crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 1c91af4500000000000d

  Certificate Usage: General Purpose

  Issuer:

    cn=SecuremeCAServer

    ou=ENGINEERING

    o=Secureme

    l=Chicago

    st=IL

    c=US

    ea=administrator@securemeinc.com

  Subject Name

    Name: Chicago.securemeinc.com

    Serial Number:

    hostname=Chicago.securemeinc.com

  CRL Distribution Point:

    http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl

  Validity Date:

    start date: 02:58:05 UTC Sep 2 2005

    end   date: 03:08:05 UTC Sep 2 2007

  Associated Trustpoints: CISCO

!

CA Certificate

  Status: Available

  Certificate Serial Number: 225b38e6471fcca649427934cf289071

  Certificate Usage: Signature

  Issuer:

    cn=SecuremeCAServer

    ou= ENGINEERING

    o=Secureme

    l=Chicago

    st=IL

    c=US

    ea=administrator@securemeinc.com

  Subject:

    cn=SecuremeCAServer

    ou=ENGINEERING

    o=Secureme

    l=Chicago

    st=IL

    c=US

    ea=administrator@securemeinc.com

  CRL Distribution Point:

    http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl

  Validity Date:

    start date: 20:15:19 UTC Jun 25 2005

    end   date: 20:23:42 UTC Jun 25 2008

  Associated Trustpoints: CISCO

Chicago#

The certificate information is shown in Example 17-8 which includes the following:

• The status of each certificate

• The certificate usage

• The issuer distinguished name (DN) information (i.e., organization, organizational unit, locality, etc.)

• CRL distribution point (CDP)

• The validity period of each certificate

• The trustpoint associated to the certificate

This command is very useful for troubleshooting and verification purposes.