Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server (CCIE Notes)


Cisco IOS CA server configuration:

! Directory that will hold the CA's .pem database; it must be the same location
! named in "database url pem" below (assumed here: flash: and disk0: refer to
! the same media on this router, since the verification output reports disk0:)
mkdir flash:/CISCO_CA

conf terminal
ip http server
ip domain name networkology.net
crypto key generate rsa modulus 1024 label CISCO_CA
crypto pki server CISCO_CA
 issuer-name CISCO_CA
 database archive pem password cisco123
 grant auto
 lifetime certificate 365 
 lifetime ca-certificate 1095
 database url pem disk0:/CISCO_CA
 no shutdown
 exit
Notes:-
– Certificate server must use the same name as the key pair.
– The default CA certificate lifetime is 3 years and the default (end-entity) certificate lifetime is 1 year.
– The Cisco IOS CA Server only supports enrollment via the Simple Certificate Enrollment Protocol (SCEP). For this to work, the built-in HTTP server (ip http server) must be enabled.
– There are three database levels: minimum (the default), names and complete.
– Use NTP to make sure the time is in sync with the enrolling parties.

Verification:

R1#show crypto pki server
Certificate Server CISCO_CA:
 Status: enabled
 State: enabled
 Server's configuration is locked (enter "shut" to unlock it)
 Issuer name: CN=CISCO_CA
 CA cert fingerprint: C97FDB7A 470C2204 24DC2935 02A03BE2 
 Granting mode is: auto
 Last certificate issued serial number (hex): 3
 CA certificate expiration timer: 18:48:07 UTC Jun 24 2018
 CRL NextUpdate timer: 00:48:08 UTC Jun 26 2013
 Current primary storage dir: nvram:
 Current storage dir for .pem files: disk0:/CISCO_CA
 Database Level: Minimum - no cert data written to storage

R1#show crypto pki certificates 
CA Certificate
 Status: Available
 Certificate Serial Number (hex): 01
 Certificate Usage: Signature
 Issuer: 
 cn=CISCO_CA
 Subject: 
 cn=CISCO_CA
 Validity Date: 
 start date: 18:48:07 UTC Jun 25 2013
 end date: 18:48:07 UTC Jun 24 2018
 Associated Trustpoints: CISCO_CA 
 Storage: nvram:CISCO_CA#1CA.cer

Cisco ASA enrollment to the Cisco IOS CA Server:

crypto key generate rsa modulus 1024
!
domain-name networkology.net
crypto ca trustpoint CISCO_CA
 id-usage ssl-ipsec
 subject-name CN=asa1, C=IN
 fqdn asa1.networkology.net
 enrollment url http://10.1.1.1:80
 exit
crypto ca authenticate CISCO_CA
crypto ca enroll CISCO_CA
Notes:-
– You may have to allow SCEP communication if there is an intermediary firewall between the Cisco ASA and the Cisco IOS CA Server. SCEP runs over HTTP.
– Make sure the CA server is enabled (no shutdown under crypto pki server).
– Use NTP to make sure the time is in sync with the Cisco IOS CA Server.

Verification:

ASA-FW1# show crypto ca trustpoints 
Trustpoint CISCO_CA:
 Subject Name: 
 cn=CISCO_CA
 Serial Number: 01
 Certificate configured.
 CEP URL: http://10.1.1.1

ASA-FW1# show crypto ca certificates
Certificate
 Status: Available
 Certificate Serial Number: 04
 Certificate Usage: General Purpose
 Public Key Type: RSA (1024 bits)
 Signature Algorithm: MD5 with RSA Encryption
 Issuer Name: 
 cn=CISCO_CA
 Subject Name:
 hostname=asa1.networkology.net
 cn=ASA1
 c=IN
 Validity Date: 
 start date: 20:26:13 UTC Jun 25 2013
 end date: 20:26:13 UTC Jun 24 2014
 Associated Trustpoints: CISCO_CA 

CA Certificate
 Status: Available
 Certificate Serial Number: 01
 Certificate Usage: Signature
 Public Key Type: RSA (1024 bits)
 Signature Algorithm: MD5 with RSA Encryption
 Issuer Name: 
 cn=CISCO_CA
 Subject Name: 
 cn=CISCO_CA
 Validity Date: 
 start date: 18:48:07 UTC Jun 25 2013
 end date: 18:48:07 UTC Jun 24 2016
 Associated Trustpoints: CISCO_CA

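As an added check after enrollment (example code written for these notes, not from the original post or from Cisco), the following Python parses "show crypto ca certificates" output like the one above and flags what a reviewer should catch: an identity certificate whose issuer does not match the trustpoint CA, a validity window that does not contain the current time (the NTP note above), and a weak signature hash, here the MD5 the output shows (SHA1 is flagged too, going slightly beyond the page). SAMPLE is constructed from the output above, and the current time is passed as a string in the same timestamp layout the ASA prints.

```python
import re
from datetime import datetime
# Constructed sample modelled on the ASA output above (not a live capture).
SAMPLE = """Certificate
  Signature Algorithm: MD5 with RSA Encryption
  Issuer Name:
    cn=CISCO_CA
  Subject Name:
    cn=ASA1
  Validity Date:
    start date: 20:26:13 UTC Jun 25 2013
    end date: 20:26:13 UTC Jun 24 2014
CA Certificate
  Signature Algorithm: MD5 with RSA Encryption
  Issuer Name:
    cn=CISCO_CA
  Subject Name:
    cn=CISCO_CA
  Validity Date:
    start date: 18:48:07 UTC Jun 25 2013
    end date: 18:48:07 UTC Jun 24 2016
"""
FMT = "%H:%M:%S %Z %b %d %Y"  # ASA/IOS timestamp layout, e.g. "20:26:13 UTC Jun 25 2013"
WEAK_HASHES = {"MD5", "SHA1"}  # not acceptable for newly issued certificates
def parse_show_certificates(text):  # yields one dict per certificate block
    for block in re.split(r"\n(?=\S)", text.strip()):  # unindented line = new cert
        cert, section = {"type": block.split("\n")[0].strip(), "issuer": [], "subject": []}, None
        for line in block.splitlines()[1:]:
            key, _, val = line.strip().partition(":")
            if key in ("Issuer Name", "Subject Name"):
                section = key.split()[0].lower()  # DN attributes follow, indented
            elif key in ("start date", "end date"):
                cert[key.split()[0]] = datetime.strptime(val.strip(), FMT)
            elif key == "Signature Algorithm":
                cert["sigalg"] = val.strip()
            elif "=" in key and section:  # e.g. cn=CISCO_CA, hostname=asa1...
                cert[section].append(key)
        yield cert

def check_enrollment(text, now):  # now: timestamp string in FMT; empty list = looks sane
    by_type = {c["type"]: c for c in parse_show_certificates(text)}
    ident, ca = by_type["Certificate"], by_type["CA Certificate"]
    findings = [] if ident["issuer"] == ca["subject"] else [
        "identity cert issuer does not match the trustpoint CA subject"]
    if not (ident["start"] <= datetime.strptime(now, FMT) <= ident["end"]):
        findings.append("identity cert not valid now (check NTP on both sides)")
    for c in (ident, ca):  # this IOS CA signed with MD5, as the show output reveals
        if c["sigalg"].split()[0].upper() in WEAK_HASHES:
            findings.append(f"{c['type']} signed with weak hash: {c['sigalg']}")
    return findings
```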
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/