|< Day Day Up >|
Enrolling the Cisco ASA to a CA Using SCEP
Enrollment is the process of obtaining a certificate from a CA server. This section covers the necessary steps to configure and enroll a Cisco ASA to a CA server.
Generating the RSA Key Pair
Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 17-1 demonstrates how to configure the Cisco ASA host name and domain name and generate the RSA key pair.
Example 17-1. Generating the RSA Key Pair
ASA(config)# hostname Chicago Chicago(config)# domain-name securemeinc.om Chicago(config)# crypto key generate rsa modulus 1024 INFO: The name for the keys will be: <Default-RSA-Key> Keypair generation process begin.
In Example 17-1, the name for the key pair is <Default-RSA-Key>. The <Default-RSA-Key> is replaced with a key pair label if configured.
Use the crypto key zeroize rsa command if an RSA key pair exists and a new pair needs to be regenerated. Example 17-2 demonstrates how to remove existing RSA key pairs.
Example 17-2. Removing Existing RSA Key Pair
Chicago(config)# crypto key zeroize rsa WARNING: All RSA keys will be removed. WARNING: All certs issued using these keys will also be removed. Do you really want to remove these keys? [yes/no]: yes
To verify the generation of the RSA key pair, use the show crypto key mypubkey rsa command. Example 17-3 shows the output of this command.
Example 17-3. Viewing RSA Key Pair Information
Chicago# show crypto key mypubkey rsa Key pair was generated at: 08:46:31 UTC Jul 10 2005 Key name: <Default-RSA-Key> Usage: General Purpose Key Modulus Size (bits): 1024 Key Data: 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f26be4 08b00ac5 fb06adda 7c7a2ae6 26c136ce 990f5612 41d6fa09 79ef251f d229dcc0 64bc15f8 1b3a4f1e 131f1765 866dfb3a bb8c3a59 f8605625 8e8ff0ca 90d291d0 75c753c3 dd5f55f3 6d49d774 523b9d8b 78ad05b4 efd75793 88ac9646 7e8c8816 017d464d 4a817041 a559dc63 2532c657 cc12373a c7b733f1 a50bdb82 61020301 0001
The same RSA key pair is used for Secure Shell (SSH) connections to the security appliance.
Configuring a Trustpoint
The Cisco ASA certificate configuration commands are similar to Cisco IOS commands. The crypto ca trustpoint command declares the CA that your Cisco ASA should use and allows you to configure all the necessary certificate parameters. Invoking this command puts you in ca-trustpoint configuration mode, as shown in Example 17-4.
Example 17-4. Configuring a Trustpoint
Chicago# configure terminal Chicago(config)# crypto ca trustpoint CISCO Chicago(ca-trustpoint)#
Table 17-1 lists and describes all the ca-trustpoint subcommands.
Figure 17-4 illustrates a topology that is used in the next example. A Cisco ASA is configured to enroll via SCEP to the CA server 126.96.36.199.
Figure 17-4. Enrollment via SCEP Example
Example 17-5 includes the Cisco ASA trustpoint configuration.
Example 17-5. Configuring the ASA to Enroll via SCEP
Chicago# configure terminal Chicago(config)# crypto ca trustpoint CISCO Chicago(ca-trustpoint)# enrollment url http://188.8.131.52/certsrv/mscep/ mscep.dll Chicago(ca-trustpoint)# enrollment retry count 3 Chicago(ca-trustpoint)# enrollment retry period 5 Chicago(ca-trustpoint)# fqdn Chicago.securemeinc.com Chicago(ca-trustpoint)# exit Chicago(config)# exit Chicago#
In Example 17-5, the Cisco ASA is configured with a trustpoint named CISCO. The enrollment url subcommand is used to declare the location of the CA server.
In this example, the CA server is a Microsoft Windows CA Server with SCEP services. The complete URL is http://184.108.40.206/certsrv/mscep/mscep.dll.
The SCEP plug-in for Microsoft Windows can be downloaded from Microsoft's website at www.microsoft.com
The Cisco ASA is configured to retry three times in case the certificate is not successfully obtained from the CA Server. It is also configured to wait 5 minutes between each request to the CA. The fully qualified domain name (FQDN) used in the enrollment request is configured to be Chicago.securemeinc.com.
In this example, the Cisco ASA enrolls with the CA to use certificates for IPSec authentication. The Cisco ASA needs to obtain the CA certificate and request an ID certificate from the CA server. To obtain the CA certificate, use the crypto ca authenticate command. Example 17-6 demonstrates how to use this command to retrieve the CA certificate from the CA server.
Example 17-6. Obtaining the CA Certificate from the CA Server
Chicago# configure terminal Chicago(config)# crypto ca authenticate CISCO INFO: Certificate has the following attributes: Fingerprint: 3736ffc2 243ecf05 0c40f2fa 26820675 Do you accept this certificate? [yes/no]: yes
In Example 17-6, CISCO is the name of the previously configured trustpoint. After executing this command, the Cisco ASA establishes a TCP port 80 connection to the 220.127.116.11 CA server (via SCEP). While doing this transaction, the Cisco ASA prompts you to accept the certificate.
The Cisco ASA also retrieves RA certificates from the server if an RA is used.
After the CA certificate is obtained from the CA server, use the crypto ca enroll command to generate an identity certificate request to the 18.104.22.168 CA server. Example 17-7 demonstrates how to use this command to obtain the ID certificate.
The request is a PKCS#7 certificate request.
Example 17-7. Obtaining the ID Certificate from the CA Server
Chicago(config)# crypto ca enroll CISCO % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The fully-qualified domain name in the certificate will be: Chicago.securemeinc.com % Include the router serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority Chicago(config)# The certificate has been granted by CA!
The word CISCO is the name of the previously configured trustpoint. After invoking the crypto ca enroll command, the Cisco ASA asks you for a password to be used for this certificate. The Cisco ASA displays the FQDN to be used in the certificate. As shown in the third shaded line, the Cisco ASA asks if you would like to include its serial number in the subject name of the certificate. This is not selected in this example. The serial number is not used by IKE but may be used by the CA server to authenticate certificates or to associate a certificate with a particular device. If you are in doubt, ask your CA administrator if you need to include the serial number in your certificate request. In the fourth shaded line, the Cisco ASA finally asks if you would like to request the certificate from the CA. If your answer is yes and the subsequent request is successful, the message in the fifth shaded line is shown, indicating a successful certificate enrollment.
Use the show crypto ca certificates command to verify and display the root/CA and ID certificate information. Example 17-8 shows the output of this command.
Example 17-8. Output of show crypto ca certificates
Chicago# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 1c91af4500000000000d Certificate Usage: General Purpose Issuer: cn=SecuremeCAServer ou=ENGINEERING o=Secureme l=Chicago st=IL c=US firstname.lastname@example.org Subject Name Name: Chicago.securemeinc.com Serial Number: hostname=Chicago.securemeinc.com CRL Distribution Point: http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl Validity Date: start date: 02:58:05 UTC Sep 2 2005 end date: 03:08:05 UTC Sep 2 2007 Associated Trustpoints: CISCO ! CA Certificate Status: Available Certificate Serial Number: 225b38e6471fcca649427934cf289071 Certificate Usage: Signature Issuer: cn=SecuremeCAServer ou= ENGINEERING o=Secureme l=Chicago st=IL c=US email@example.com Subject: cn=SecuremeCAServer ou=ENGINEERING o=Secureme l=Chicago st=IL c=US firstname.lastname@example.org CRL Distribution Point: http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl Validity Date: start date: 20:15:19 UTC Jun 25 2005 end date: 20:23:42 UTC Jun 25 2008 Associated Trustpoints: CISCO Chicago#
The certificate information is shown in Example 17-8 which includes the following:
This command is very useful for troubleshooting and verification purposes.
|< Day Day Up >|