This chapter describes how to configure certification authority (CA) interoperability, which is provided in support of IPSec. CA interoperability allows the PIX Firewall and CAs to communicate so that your PIX Firewall can obtain and use digital certificates from the CA.
For CA background information, see "About CA." For the CA interoperability examples, see "CA Configuration Examples."
For a complete description of the IPSec-related commands used in this chapter, see "Command Reference." For a complete description of the non-IPSec commands used in this chapter, refer to the "Command Reference" chapter within the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2.
This chapter includes the following sections:
Note Be sure that the PIX Firewall clock is set to GMT, month, day, and year before configuring CA. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Cisco's PKI protocol uses the clock to make sure that a CRL is not expired.

Note The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT time. If you are using IPSec with certificates, set the PIX Firewall clock to GMT to ensure that CRL checking works correctly.

Note You need to have a CA available to your network before you configure CA. The CA must support Cisco's PKI protocol, the certificate enrollment protocol.
Step 1 Configure the PIX Firewall host name:
hostname newname
For example:
hostname mypixfirewall
In this example, "mypixfirewall" is the name of a unique host in the domain.
Step 2 Configure the PIX Firewall domain name:
domain-name name
For example:
domain-name example.com
Step 3 Generate the PIX Firewall RSA key pair(s):
ca generate rsa key key_modulus_size
For example:
ca generate rsa key 512
In this example, one general purpose RSA key pair is generated with a 512-bit modulus. The other option is to generate two special-purpose key pairs, one for signing and one for encryption. A 512-bit RSA modulus can be factored with modest resources and gives no real protection today; use the largest modulus the software accepts (at least 2048 bits where possible, and never less than 1024).
Step 4 (Optional) View your RSA key pair(s):
show ca mypubkey rsa
The following is sample output from the show ca mypubkey rsa command:
show ca mypubkey rsa
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: mypixfirewall.example.com
Usage: General Purpose Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
Step 5 Declare a CA:
ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip_address]
For example:
ca identity myca.example.com 209.165.202.130
In this example, 209.165.202.130 is the IP address of the CA. The CA name is myca.example.com.
Note The CA may require a particular name for you to use, such as its domain name.

Note When using VeriSign as your CA, VeriSign assigns the CA name you are to use in your CA configuration.
Step 6 Configure the parameters of communication between the PIX Firewall and the CA:
ca configure ca_nickname ca|ra retry_period retry_count [crloptional]
For example:
ca configure myca.example.com ca 1 20 crloptional
If the PIX Firewall does not receive a certificate from the CA within 1 minute (the default) of sending a certificate request, it resends the request. It keeps sending a certificate request every 1 minute until a certificate is received or until 20 requests have been sent. With the crloptional keyword included in the command, the PIX Firewall still accepts other peers' certificates when it cannot retrieve the CRL. Be aware of what that trades away: while the CRL is unreachable, a revoked peer certificate is accepted exactly like a valid one, so use crloptional only where the CA leaves you no alternative and monitor CRL retrieval failures.

Note When using VeriSign as your CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the PIX Firewall validates the certificate during main mode, which causes the peer PIX Firewall to fail. This problem occurs because the PIX Firewall is not able to poll the CRL from the VeriSign CA.
Step 7 Authenticate the CA by obtaining its public key and its certificate:
ca authenticate ca_nickname [fingerprint]
For example:
ca authenticate myca.example.com 0123 4567 89AB CDEF 0123
The fingerprint (0123 4567 89AB CDEF 0123 in the example) is optional and is used to authenticate the CA's public key within its certificate. The PIX Firewall discards the CA certificate if the fingerprint you entered in the command does not match the fingerprint of the certificate it received.
If you omit the fingerprint, you must compare the fingerprint that the PIX Firewall displays for the received certificate against one obtained out of band (for example, from the CA administrator by telephone or in person) before you proceed. This comparison is the only thing that prevents someone on the network path between the PIX Firewall and the CA from substituting a CA certificate of their own, so do not skip it.

Note Depending on the CA you are using, you may need to ask your local CA administrator for this fingerprint.
Step 8 Request signed certificates from your CA for all of your PIX Firewall's RSA key pairs. Before entering this command, contact your CA administrator, who must authenticate your PIX Firewall manually before granting its certificate(s).
ca enroll ca_nickname challenge_password [serial] [ipaddress]
For example:
ca enroll myca.example.com mypassword1234567 serial ipaddress
The string mypassword1234567 in the example is the challenge password, which is not saved with the configuration. The serial and ipaddress options request that the PIX Firewall unit's serial number and IP address be included in the signed certificate.

Note The password is required in the event your certificate needs to be revoked, so it is crucial that you remember this password. Note it and store it in a safe place.
The ca enroll command requests as many certificates as there are RSA key pairs. You will only need to perform this command once, even if you have special usage RSA key pairs.
Note If your PIX Firewall reboots after you issued the ca enroll command but before you received the certificate(s), you must reissue the command and notify the CA administrator.
Step 9 Verify that the enrollment process was successful using the show ca certificate command:
show ca certificate
The following is sample output from the show ca certificate command including a PIX Firewall general purpose certificate and the RA and CA public-key certificates:
Subject Name
Name: mypixfirewall.example.com
IP Address: 192.150.50.110
Status: Available
Certificate Serial Number: 36f97573
Key Usage: General Purpose
RA Signature Certificate
Status: Available
Certificate Serial Number: 36f972f4
Key Usage: Signature
CA Certificate
Status: Available
Certificate Serial Number: 36f972e5
Key Usage: Not Set
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 36f972f3
Key Usage: Encryption
Step 10 Save your configuration:
ca save all
write memory
The ca save all command stores the RSA key pairs and the certificates in flash memory; write memory saves the running configuration. Both are needed, because the keys and certificates are not part of the configuration text.
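Two of the steps above produce artifacts that are worth checking with something other than the eye: the RSA key pair from Steps 3 and 4, whose modulus size decides how much the whole certificate chain is worth, and the CA fingerprint comparison in Step 7, which is the trust anchor for everything that follows. The Python script below is an added example, not code from this page or from Cisco. It decodes the Key Data block copied verbatim from the show ca mypubkey rsa sample output in Step 4 (a DER-encoded SubjectPublicKeyInfo), reports the modulus size against a policy floor, and shows a fail-closed fingerprint comparison. The 2048-bit floor, the SHA-256 fingerprint and the function names are assumptions of the example; the page does not say which hash the PIX Firewall uses when it prints a fingerprint, so a real comparison must use whatever algorithm the device and the CA administrator agree on.

```python
"""Offline checks on the artifacts of the PIX CA procedure.

Added example (not Cisco code): decodes the RSA public key that
'show ca mypubkey rsa' prints and demonstrates the out-of-band
fingerprint comparison behind 'ca authenticate'.
"""
import hashlib
import hmac

# Key Data copied verbatim from the page's sample output in Step 4.
PIX_SAMPLE_KEY_HEX = (
    "305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a "
    "ad32f60d 6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 "
    "fb5cae70 3de738cf 6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f "
    "2218cfe7 3f020301 0001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048  # policy floor assumed for this example, not from the page


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Parse an RSA SubjectPublicKeyInfo and return (modulus, exponent)."""
    tag, spki, _ = _read_tlv(der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, alg, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier
    assert tag == 0x30
    oid_tag, oid, _ = _read_tlv(alg, 0)
    assert oid_tag == 0x06 and oid == RSA_ENCRYPTION_OID, "not rsaEncryption"
    tag, bitstr, _ = _read_tlv(spki, pos)       # subjectPublicKey BIT STRING
    assert tag == 0x03 and bitstr[0] == 0, "unexpected unused bits"
    tag, rsakey, _ = _read_tlv(bitstr, 1)       # RSAPublicKey SEQUENCE
    assert tag == 0x30
    tag, n_bytes, pos = _read_tlv(rsakey, 0)    # modulus INTEGER
    assert tag == 0x02
    tag, e_bytes, _ = _read_tlv(rsakey, pos)    # publicExponent INTEGER
    assert tag == 0x02
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_from_show_output(hex_text):
    """Turn the whitespace-separated hex of 'show ca mypubkey rsa' into DER."""
    return bytes.fromhex("".join(hex_text.split()))


def check_key_strength(der, min_bits=MIN_RSA_BITS):
    """Return (modulus_bits, ok); ok is False when the key is below policy."""
    n, _e = parse_rsa_spki(der)
    bits = n.bit_length()
    return bits, bits >= min_bits


def fingerprint(der, algorithm="sha256"):
    """Hex fingerprint of DER bytes (algorithm is an assumption, see above)."""
    return hashlib.new(algorithm, der).hexdigest()


def fingerprint_matches(der, expected, algorithm="sha256"):
    """Compare an out-of-band fingerprint, given in the '0123 4567 ...'
    style the CLI accepts, against the computed one. Constant-time, and
    any difference (including length) means the certificate is rejected."""
    want = "".join(expected.split()).lower()
    return hmac.compare_digest(want, fingerprint(der, algorithm))


if __name__ == "__main__":
    der = key_from_show_output(PIX_SAMPLE_KEY_HEX)
    bits, ok = check_key_strength(der)
    print(f"modulus: {bits} bits, meets {MIN_RSA_BITS}-bit policy: {ok}")
    fp = fingerprint(der)
    print("sha256 fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 64, 4)))
    print("out-of-band value accepted:", fingerprint_matches(der, fp.upper()))
```

Run against the page's own sample key, the script reports a 512-bit modulus that fails the assumed 2048-bit floor; the same parser works on any RSA SubjectPublicKeyInfo, so it can be pointed at keys shown by other devices or at the CA's certificate public key. The fingerprint comparison deliberately takes the operator's value as typed, normalizes spacing and case, and returns False rather than raising, so a caller that gates enrollment on it fails closed.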
After you configure CA interoperability, configure IKE and then IPSec. For IKE configuration, see "Configuring IKE." For IPSec configuration, see "Configuring IPSec."
Posted: Thu Aug 31 19:42:08 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.