
Installing Certificates on the Concentrator

A PKI certificate system allows a tunnel peer to authenticate another without passwords or shared secrets to enter or maintain in a database. A shared secret is a password known to both sides; each side proves that it knows the secret when the tunnel is negotiated, and the session keys that actually encrypt the data are derived during that negotiation. A certificate is a signed, not encrypted, text file issued by a trusted Certificate Authority (CA) that binds a peer's public key to its name; the matching private key stays on the peer, and anyone holding the CA's root certificate can check the signature.

This chapter describes:

Introduction to Certificates

Setting Up a Certificate Generator

Requesting a Server Certificate

Installing a Certificate on a Server

Managing Certificates

Note   See the VPN 5000 Client User Guide for your platform for instructions on installing certificates on the client.

Introduction to Certificates

A peer that holds a CA-issued certificate and the matching private key can be authenticated by other peers. A device that connects to the peer checks the validity of the certificate by verifying its signature against the CA's public root certificate. The same CA generates the root certificate, which is distributed to all peers.

The VPN 5002 and 5008 concentrators support server-side authentication, where the concentrator has a private certificate (called a "server certificate" in this guide), and clients have a root certificate to authenticate the server.

Using the Concentrator as a Certificate Generator for Server-Side Authentication

A CA can generate public and private key pairs and issue them in signed certificates, and it can revoke and renew certificates. If you do not have a CA, you can use the VPN 5002 or 5008 concentrator as a certificate generator (CG). The CG can generate signed certificates, but it cannot revoke or renew them, so a CG-issued certificate remains trusted by every client holding the root certificate until it expires; keep validity periods correspondingly short.

Using a CA or CG in a Domain of Trust

Because every user of a CA or CG shares the same root certificate, use a separate CA or CG for each domain of trust, such as a company. The VPN 5002 or 5008 concentrator does not maintain a tunnel with a peer whose certificate does not specify a valid group name, but limiting the CA or CG's domain to related users and servers still provides the best security.

Certificates Compared to Shared Secrets

Without certificates, when a client connects to the concentrator, the concentrator consults its internal user list or an external user authentication server, such as RADIUS. In either case a shared secret is required to establish the tunnel. A RADIUS server additionally requires a password to authenticate the user on the RADIUS server.

Server-side certificate authentication replaces the shared secret portion of a RADIUS, SecurID, or other system authentication process. The internal user list still requires a shared secret.

With a certificate system, an unauthorized user needs the private key, which lives on the user's computer, so an attack requires access to that machine. A shared secret, on the other hand, is only a password, which can be guessed or broken from any location.

Setting Up a Certificate Generator

This section describes how to make a VPN 5002 or 5008 concentrator the CG for your network, generate the root certificate, distribute the root certificate, and generate a server certificate for the CG itself.

Making a Concentrator a CG

Enter the following commands on the concentrator to make it a CG:

Command and Purpose

Step 1   configure Certificates

Enters the Certificates configuration section.

Step 2   CertificateGenerator = On

Makes the concentrator a CG.

Step 3   ValidityPeriod = days

Sets the default validity period of CG-generated certificates, between 1 and 9999 days. The default is 365 days. You can override this value for an individual certificate with the days option of the certificate generate command.

Step 4   write

Writes the configuration to Flash memory.

Step 5   apply

Applies the changes to the running configuration, so you can create root and server certificates.

Creating a Root Certificate

The CG creates the root certificate, which identifies the CG. When you install the root certificate on each client, this certificate allows the client to verify the server certificate created by the CG.

To create a root certificate on a CG, complete the following steps:


Step 1   Set the time according to the "Setting the Time" section.

Step 2   On the CG, enter:

certificate generate root key_length [locality city] [state state] 
[country country_code] [organization "organization_name"] [commonname 
"common_name"] [days validity_period]
 


Table 11-1: Certificate Generate Options

Option and Values

key_length

512, 1024, 2048, or 4096

Specifies the number of bits in the RSA key. Cisco Systems recommends using a key length of 1024. Note that 512-bit RSA keys have since been factored publicly and 1024-bit keys are below current minimums, so use 2048 or 4096 wherever the peers support it. Larger keys can take the system up to an hour to generate.

city

A text string with no spaces identifying the city where the CG resides.

state

A text string with no spaces identifying the state or province where the CG resides.

country_code

The two-letter country code where the CG resides.

"organization_name"

A phrase, with spaces allowed, identifying the company name or other organization name.

"common_name"

A phrase, with spaces allowed, identifying the CG name, or a description of the certificate. If you do not specify the common name, the concentrator uses its device name with "CG" appended, for example VPN5008CG.

validity_period

1 to 9999

Specifies the validity period of the certificate in days. If you do not enter a value, the system uses the value you set for ValidityPeriod on the CG.

For example:

certificate generate root 1024 locality boulder state co country US 
organization "Cisco IT" commonname "Cisco Root Cert" days 120

 

Note   The optional days, locality, state, country, organization, and commonname values do not need to match the values in the server certificates or requests for the certificate to be validated.


Distributing the Root Certificate

After generating the root certificate, follow these steps to save the certificate in a text file for redistribution:


Step 1   After entering the command to generate the certificate in the previous section, wait for the concentrator to generate the root certificate.

Depending on the key length, the server can take up to an hour to create the certificate in a background process. To determine if the generator is "idle" or "busy," enter the following command:

show certificate generator

 

The system log also documents a completed certificate with a notice level message. See the "Setting Logging Options" section for more information on viewing the log.

Step 2   View the root certificate by entering:

show certificate pem root [x509]
 

Where x509 displays the bare X.509 certificate instead of the default PKCS #7 format, which wraps the same certificate in a SignedData container. Both are PEM encoded, and the concentrator and VPN 5000 Client can import either.

The console displays the root certificate text.

Step 3   Select the text, making sure to select the entire block, including the last carriage return.

To include the final line break, you might need to extend the selection to the start of the prompt that follows.

Step 4   Copy the root certificate into a text file for distribution to clients.


See the VPN 5000 Client User Guide for your platform for instructions to install the root certificate on the client.

Generating the CG's Server Certificate

The CG can generate its own server certificate, which allows tunnel peers with root certificates to authenticate the CG. Other servers can request a certificate from the CG, which can approve or reject the request. See the "Requesting a Server Certificate" section to generate other server certificates.


Step 1   Before generating the server certificate, create the root certificate according to the "Creating a Root Certificate" section.

Step 2   To generate the server certificate for the CG itself, enter:

certificate generate server key_length [locality city] [state state] 
[country country_code] [organization "organization_name"] [commonname 
"common_name"] [days validity_period]
 

See Table 11-1 for a description of the options. For example:

certificate generate server 1024 commonname "VPN 5002 Server"

 

Note   The optional days, locality, state, country, organization, and commonname values do not need to match the values in the root certificate or requests for the certificate to be validated.

Depending on the key length, the server can take up to an hour to create the certificate in a background process.

Step 3   To determine if the generator is "idle" or "busy," enter the following command:

show certificate generator

 

The system log also documents a completed request with a notice level message. See the "Setting Logging Options" section for more information on viewing the log.


Requesting a Server Certificate

To request a server certificate for a non-CG server, complete the steps in the following sections. A server certificate allows clients with root certificates to authenticate the server.


Note   For a valid server certificate, you must follow these steps on the server that will use it, because the request is generated together with that server's private key. You cannot copy another server's certificate and paste it into your server; without the matching private key the certificate will not work.

Generating a Certificate Request

To request the certificate, follow these steps:


Step 1   On the server that needs the certificate, enter:

certificate generate request key_length [locality city] [state state] 
[country country_code] [organization "organization_name"] [commonname 
"common_name"] [days validity_period]
 

See Table 11-1 for a description of the options.

For example:

certificate generate request 1024 locality sanjose state ca country 
US organization "Cisco" commonname "Cisco Server"

 

Note   The optional days, locality, state, country, organization, and commonname values do not need to match the values in the root or server certificates for the certificate to be validated.

Step 2   Wait for the request to be fulfilled.

Depending on the key length, the server can take up to an hour to create the request in a background process. To determine if the generator is "idle" or "busy," enter the following command:

show certificate generator

 

The system log also documents a completed request with a notice level message. See the "Setting Logging Options" section for more information on viewing the log.

Step 3   View the request by entering:

certificate request show

 

The console displays the PKCS #10 request in PEM encoding, as in the following example:

-----BEGIN CERTIFICATE REQUEST-----
MIIBWjCBxAIBADAbMRkwFwYDVQQDExBCb2IncyBJbnRyYVBvcnQyMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDfEX5KdJyxKFJn2b0VLDd96YmYZSz9kyayugaW
aWacZpOT4njtiSohK4OYavJkoJBuVjjiozfS03zA1U21xepwQqrzG0RZUKCPCnE0
sxIpGo0bcMQFGwmKQ5f6Oj1QKzy117EwQjvd8CciCM8ae+ugLlGd7eIj6LAcrcbM
Z9lIVQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEALJndSfRXsuzqd4p+fCPrDacF
BX8LnLpiw4hFX8Z4quSULAp2F6Sz3AUIe3muxhWpQkrYriT7ki5tD7nzhLWkzwGE
aiRlhosfBBVA/5Wk/KXP9k8AyfHDSDdVGQRV19Qgu2ggmQI1P2tsJ6zM5GMr+9/T
389ZA4HO9kt8DA658w0=
-----END CERTIFICATE REQUEST-----
 

Step 4   Select the text, making sure to select the entire block, including the last carriage return.

To include the final line break, you might need to extend the selection to the start of the prompt that follows.

Step 5   Copy the request text to the clipboard or into a text file in preparation for requesting a certificate from a CA or CG.


Requesting a Certificate from a Certificate Authority

To request a server certificate from a CA, provide the request to the CA according to the CA's requirements. See "Installing a Certificate on a Server" section to install the server certificate.

Requesting a Certificate from a Certificate Generator

To request the certificate from a CG, follow these steps:


Step 1   On the CG, enter:

certificate request import

 

The system prompts you to paste the request.

Step 2   Paste the request at the prompt, adding a period (.) on a separate line after the request, and press the Enter key.

Step 3   To view the identifier for your request, enter:

certificate request pending

 

The console shows a list of requests, each with an identifying number, as in the following example:

Id   Requested By            Request Date
1    /CN=Goldy's VPN 5000    Feb 17 15:02:35 2000 GMT
2    /CN=Bob's VPN 5000      Feb 18 11:05:27 2000 GMT

Step 4   Note your identifier, and approve or reject the request:

certificate request reject identifier

certificate request approve identifier [days]
 

Where days overrides the validity period in the request.

The console immediately displays the server certificate in PKCS #7 format, PEM encoded, as in the following example:

-----BEGIN PKCS7-----
MIAGCSqGSIb3DQEHAqCAMIIB1wIBATEAMIAGCSqGSIb3DQEHAQAAoIIBvTCCAbkw
ggFjoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwZjELMAkGA1UEBhMCQVUxETAPBgNV
BAgTCENvbG9yYWRvMRAwDgYDVQQHEwdCb3VsZGVyMRswGQYDVQQKExJDb21wYXRp
YmxlIFN5c3RlbXMxFTATBgNVBAMTDEludHJhcG9ydCBDQTAeFw05OTEyMDEwMDEx
MzFaFw05OTEyMzEwMDExMzFaMGYxCzAJBgNVBAYTAkFVMREwDwYDVQQIEwhDb2xv
cmFkbzEQMA4GA1UEBxMHQm91bGRlcjEbMBkGA1UEChMSQ29tcGF0aWJsZSBTeXN0
ZW1zMRUwEwYDVQQDEwxJbnRyYXBvcnQgQ0EwWjALBgkqhkiG9w0BAQEDSwAwSAJB
AKcGdw1H2Mr7ZMIflx8rWzb2S56WimZtO4mxcAoQa7yezyZ8cXN+o+QkvxsTLSsM
3YRHWE4voI6hIJbOG1gnUD0CAwEAATANBgkqhkiG9w0BAQQFAANBABnW5Np3La8t
Z5P6Od3BDX7BKbefLMJXoDPN31cbAqy40L/WVwKKWGoD/M+QTrHKMt+T1RhlTr+Z
Gl3QT4+6wPwxAAAAAAA=
-----END PKCS7-----
 

Step 5   If you approved the request, select the text, making sure to select the entire block, including the last carriage return.

To include the final line break, you might need to extend the selection to the start of the prompt that follows.

Step 6   Copy the certificate text to the clipboard or into a text file in preparation for installing it on the server.


Installing a Certificate on a Server

To install a server certificate on a non-CG server, follow these steps. See the "Requesting a Server Certificate" section for information about obtaining a server certificate.


Step 1   On the server that needs the certificate, enter:

certificate import

 

The system prompts you to paste the PEM-formatted X.509 or PKCS #7 certificate.


Note   If you used a CA, make sure the certificate's header and footer use one of the following formats:
-----BEGIN PKCS7-----
...
-----END PKCS7-----
or
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Step 2   Copy the certificate from the CA or CG and paste it at the prompt, adding a period (.) on a separate line after the certificate, and press the Enter key.
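The PEM block that certificate request approve prints, and that certificate import consumes, can be inspected offline before it is pasted into a server. The following Python is an added example, not code from this guide or from the VPN 5000 software. Using only the standard library, it decodes the PKCS #7 block shown in the "Requesting a Certificate from a Certificate Generator" section and reports the same fields that show certificate details displays later in this chapter, then flags what a practitioner would refuse today (an MD5 signature and a 512-bit key, which is exactly what that sample contains). The BER walker is the example's own and handles single-byte tags only; the concentrator's PKCS #7 output uses indefinite-length encoding, so the walker supports that form as well as ordinary DER. The dictionary keys returned are the example's own names, and the sample is assumed to be copied exactly as printed.

```python
"""Stdlib-only decoder for the PEM-encoded PKCS #7 block a CG prints on 'certificate request
approve'. Reports the fields 'show certificate details' shows, plus present-day sanity checks."""
import base64, hashlib, re
from datetime import datetime, timezone

PKCS7_PEM = """-----BEGIN PKCS7-----
MIAGCSqGSIb3DQEHAqCAMIIB1wIBATEAMIAGCSqGSIb3DQEHAQAAoIIBvTCCAbkw
ggFjoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwZjELMAkGA1UEBhMCQVUxETAPBgNV
BAgTCENvbG9yYWRvMRAwDgYDVQQHEwdCb3VsZGVyMRswGQYDVQQKExJDb21wYXRp
YmxlIFN5c3RlbXMxFTATBgNVBAMTDEludHJhcG9ydCBDQTAeFw05OTEyMDEwMDEx
MzFaFw05OTEyMzEwMDExMzFaMGYxCzAJBgNVBAYTAkFVMREwDwYDVQQIEwhDb2xv
cmFkbzEQMA4GA1UEBxMHQm91bGRlcjEbMBkGA1UEChMSQ29tcGF0aWJsZSBTeXN0
ZW1zMRUwEwYDVQQDEwxJbnRyYXBvcnQgQ0EwWjALBgkqhkiG9w0BAQEDSwAwSAJB
AKcGdw1H2Mr7ZMIflx8rWzb2S56WimZtO4mxcAoQa7yezyZ8cXN+o+QkvxsTLSsM
3YRHWE4voI6hIJbOG1gnUD0CAwEAATANBgkqhkiG9w0BAQQFAANBABnW5Np3La8t
Z5P6Od3BDX7BKbefLMJXoDPN31cbAqy40L/WVwKKWGoD/M+QTrHKMt+T1RhlTr+Z
Gl3QT4+6wPwxAAAAAAA=
-----END PKCS7-----"""  # copied verbatim from the approve example in this chapter

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
        "2.5.4.11": "OU", "1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.7.2": "signedData"}

def pem_to_der(text):
    """(label, DER bytes) of the first armored block; BEGIN and END labels must agree."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def parse(data, pos=0):
    """Decode one BER TLV at pos -> ((tag, payload, raw), next_pos); payload is the list of
    child nodes for constructed types, else the content bytes. Single-byte tags only."""
    start, tag, length = pos, data[pos], data[pos + 1]
    pos, children = pos + 2, []
    if length == 0x80:                             # indefinite form: children until 00 00
        while data[pos:pos + 2] != b"\x00\x00":
            node, pos = parse(data, pos)
            children.append(node)
        return (tag, children, data[start:pos + 2]), pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if not tag & 0x20:                             # primitive: hand back the content bytes
        return (tag, data[pos:end], data[start:end]), end
    while pos < end:                               # constructed: decode every child
        node, pos = parse(data, pos)
        children.append(node)
    return (tag, children, data[start:end]), end

def oid(node):
    """OBJECT IDENTIFIER node -> friendly name from OIDS, or the dotted form."""
    b, arcs, v = node[1], [node[1][0] // 40, node[1][0] % 40], 0
    for x in b[1:]:                                # base-128 arcs, high bit = continuation
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def dn(node):
    """X.501 Name -> 'C=AU,ST=Colorado,...' with the RDN order preserved."""
    return ",".join(f"{oid(a[1][0])}={a[1][1][1].decode('latin-1')}" for r in node[1] for a in r[1])

def rsa_bits(spki):
    alg, bitstr = spki[1]
    if oid(alg[1][0]) != "rsaEncryption":
        raise ValueError("not an RSA key")
    modulus = parse(bitstr[1][1:])[0][1][0]        # skip the unused-bits octet, then RSAPublicKey.n
    return int.from_bytes(modulus[1], "big").bit_length()

def inspect_cert(pem):
    """Either import format the page lists: a bare X.509 CERTIFICATE, or the first
    certificate inside a PKCS7 SignedData bundle."""
    label, der = pem_to_der(pem)
    cert = parse(der)[0]
    if label == "PKCS7":
        content_type, explicit0 = cert[1]          # ContentInfo ::= { contentType, [0] content }
        if oid(content_type) != "signedData":
            raise ValueError("not a SignedData bundle")
        certs = next(c for c in explicit0[1][0][1] if c[0] == 0xA0)   # [0] IMPLICIT certificates
        cert = certs[1][0]
    elif label != "CERTIFICATE":
        raise ValueError("unsupported PEM label " + label)
    tbs, sig_alg, _sig = cert[1]
    serial, _alg, issuer, validity, subject, spki = [c for c in tbs[1] if c[0] != 0xA0][:6]
    utc = lambda n: datetime.strptime(n[1].decode("ascii"), "%y%m%d%H%M%SZ" if n[0] == 0x17
                                      else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    info = {"serial": int.from_bytes(serial[1], "big"), "issuer": dn(issuer), "subject": dn(subject),
            "not_before": utc(validity[1][0]), "not_after": utc(validity[1][1]),
            "sig_alg": oid(sig_alg[1][0]), "key_bits": rsa_bits(spki),
            "md5_fingerprint": ":".join(f"{b:02X}" for b in hashlib.md5(cert[2]).digest())}
    info["self_signed"] = info["issuer"] == info["subject"]
    # What a practitioner should refuse today: MD5/SHA-1 signatures and RSA keys under 2048 bits.
    weak_hash = info["sig_alg"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption")
    info["flags"] = ([f"weak signature hash: {info['sig_alg']}"] if weak_hash else []) + (
        [f"RSA key too small: {info['key_bits']} bits"] if info["key_bits"] < 2048 else [])
    return info
```

Run inspect_cert(PKCS7_PEM) on the page's sample and it reports a self-signed 512-bit RSA certificate for CN=Intraport CA, valid for December 1999 only, signed with md5WithRSAEncryption, and two flags. The same function accepts the bare X.509 form that show certificate pem root x509 produces, so it can also be used to compare the MD5 fingerprint of a root certificate about to be distributed against what show certificate installed reports on the CG.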


Managing Certificates

The following sections describe how to verify, remove, and view certificates.

Verifying a Server Certificate

For a server with both a root certificate and a server certificate, for example the CG, you can verify that the server certificate is signed by the root certificate and has not expired by following these steps:


Step 1   Make sure the time is set on the concentrator according to the "Setting the Time" section.

Step 2   Enter:

certificate verify

 

You receive either a message informing you of a failure and why verification failed, or a message confirming the successful verification.


Removing Certificates

To remove all certificates from a concentrator, enter:

certificate remove

Viewing Certificate Details

View available certificates by entering:

show certificate installed

 

The console shows information about each certificate, as in the following example:

Root Certificate:
    Serial Number: 77:37:3a:33:37:3a:33:61:3a:33:33:3a:33:37:3a:33
    Issuer: C=US,O=Cisco Systems,OU=SLP BU,L=Boulder,ST=Colorado
    Subject: C=US,O=Cisco Systems,OU=SLP BU,L=Boulder,ST=Colorado
    Validity
        Not Before: Apr 21 00:00:00 2000 GMT
        Not After : Apr 20 23:59:59 2005 GMT
    MD5 Fingerprint: B0:DD:DD:DE:13:29:3C:54:95:F7:BD:5C:B7:0C:CA:E6
Server Certificate:
    Serial Number: 37:37:3a:33:37:3a:33:61:3a:33:33:3a:33:37:3a:33
    Issuer: C=US,O=Cisco Systems,OU=SLP BU,L=Boulder,ST=Colorado
    Subject: CN=IntraPortCarrier_A5C5C600
    Validity
        Not Before: Apr 24 00:00:00 2000 GMT
        Not After : Apr 24 23:59:59 2001 GMT
    MD5 Fingerprint: 2A:93:5F:02:7A:9D:68:80:63:8E:29:68:DA:5A:9A:BD

View additional certificate details by entering:

show certificate details {root | server}
 

The console displays the certificate details for the selected certificate type. The following example shows a typical display:

Server Certificate:
    Version: 3 (0x2)
    Serial Number: 33:33:3a:33:33:3a:33:61:3a:33:33:3a:33:33:3a:33
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=US,O=Cisco Systems,OU=SLP BU,L=Boulder,ST=Colorado
    Subject: CN=IntraPortCarrier_A5C5C600
    Validity
        Not Before: Apr 24 00:00:00 2000 GMT
        Not After : Apr 24 23:59:59 2001 GMT
    MD5 Fingerprint: 2A:93:5F:02:7A:9D:68:80:63:8E:29:68:DA:5A:9A:BD
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
        01:0c:40:40:fb:84:e3:eb:49:f4:0b:da:69:f7:6d:cd:d1:16:
        ae:e9:d1:a9:f3:a1:b2:03:33:a8:3a:19:a1:4c:cc:1b:5e:e1:
        e9:a5:06:6b:02:c1:5d:6a:93:a2:60:a3:47:6c:5b:2b:2a:91:
        9f:30:a7:76:77:ba:d4:84:d8:89:bd:b9:31:d2:1a:82:52:37:
        14:24:4f:a5:23:bb:65:fb:3e:96:7e:17:50:87:de:7d:dd:a0:
        21:30:80:4f:0b:26:87:7b:1a:84:a3:df:89:78:c9:dc:80:87:
        cd:a4:d8:f2:a2:e0:4b:0e:59:dd:36:59:3d:59:8f:d0:7e:b2:
        2f:97

Posted: Wed Sep 27 10:12:26 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.