|
|
This chapter describes Certification Authority (CA) interoperability commands.
Certification Authority (CA) interoperability is provided in support of the IP Security (IPSec) standard. CA interoperability permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
Without CA interoperability, Cisco IOS devices could not use CAs when deploying IPSec. CAs provide a manageable, scalable solution for IPSec networks.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CA interoperability.
For configuration information, refer to the chapter "Configuring Certification Authority Interoperability" in the Security Configuration Guide.
To manually add certificates, use the certificate certificate chain configuration command. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router.
certificate certificate-serial-number
certificate-serial-number | Specify the serial number of the certificate to add or delete. |
There are no defaults for this command.
Certificate chain configuration (config-cert-chain)
This command first appeared in Cisco IOS Release 11.3 T.
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually only used to delete certificates.
myrouter# show crypto ca certificates
Certificate
Subject Name
Name: myrouter.companyx.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate. myrouter(config-cert-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional ca-identity configuration command. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate.
crl optionalThere are no arguments or keywords with this command.
The router must have and check the appropriate CRL before accepting another IPSec peer's certificate.
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
When your router receives a certificate from a peer, it will download a Certificate Revocation List (CRL) from either the CA or a CRL distribution point as designated in the peer's certificate. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
With CA systems that support Registration Authorities (RAs), multiple CRLs exist and the peer's certificate will indicate which CRL applies and should be downloaded by your router.
If your router does not have the applicable CRL and is unable to obtain one, your router will reject the peer's certificate---unless you include the crl optional command in your configuration. If you use the crl optional command, your router will still try to obtain a CRL, but if it cannot obtain a CRL it can accept the peer's certificate anyway.
When your router receives additional certificates from peers, your router will continue to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a peer's certificate outright.
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 20 enrollment retry-count 100 crl optional
You can use the master indexes or search online to find documentation of related commands.
name | Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command. |
There are no defaults for this command.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the CA's self-signed certificate which contains the CA's public key. Because the the CA signs its own certificate, you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then RA signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.
myrouter# crypto ca authenticate myca
Certificate has the following attributes: Fingerprint: 0123 4567 89AB CDEF 0123 Do you accept this certificate? [yes/no] y
myrouter#
You can use the master indexes or search online to find documentation of related commands.
crypto ca identity
show crypto ca certificates
name | Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command. |
There are no defaults for this command.
Global configuration.
This command first appeared in Cisco IOS Release 11.3 T.
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
myrouter# show crypto ca certificates
Certificate
Subject Name
Name: myrouter.companyx.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate. myrouter(config-cert-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query global configuration command. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default).
crypto ca certificate queryThis command has no arguments or keywords.
Certificates and CRLs are stored locally in the router's NVRAM.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Normally, certain certificates and Certificate Revocation Lists (CRLs) are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory.
crypto ca certificate query
name | Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command. |
Normally, the router requests a new CRL only after the existing one expires.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command only if your CA does not support a Registration Authority (RA).
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
The following example immediately downloads the latest CRL to your router.
crypto ca crl request
name | Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command. |
There are no defaults for this command.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of your router's RSA key pairs; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is not saved in the router configuration.
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
myrouter(config)# crypto ca enroll myca
% % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: <mypassword>
Re-enter password: <mypassword>
% The subject name in the certificate will be: myrouter.companyx.com % Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678 % Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. myrouter(config)#
Some time later, the router receives the certificate from the CA and displays this confirmation message:
myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210 %CRYPTO-6-CERTRET: Certificate received from Certificate Authority myrouter(config)#
If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority
The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.domain.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
You can use the master indexes or search online to find documentation of related commands.
To declare the CA your router should use, use the crypto ca identity global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.
crypto ca identity name
name | Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. |
Your router does not know about any CA until you declare one with this command.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to declare a CA. Performing this command puts you into the ca-identity configuration mode, where you can specify characteristics for the CA with the following commands:
The following example declares a CA and identifies characteristics of the CA. In this example, the name "myca" is created for the CA, which is located at http://ca_server.
The CA does not use an RA or LDAP, and the CA's scripts are stored in the default location. This is the minimum possible configuration required to declare a CA.
crypto ca identity myca enrollment url http://ca_server
The following example declares a CA when the CA uses an RA. The CA's scripts are stored in the default location, and the CA uses the certificate enrollment protocol (CEP) instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA.
crypto ca identity myca_with_ra enrollment url http://ca_server enrollment mode ra query url ldap://serverx
The following example declares a CA that uses an RA and a non-standard cgi-bin script location. This example also specifies a non-standard retry period and retry count, and permits the router to accept certificates when CRLs are not obtainable.
crypto ca identity myca_with_ra enrollment url http://companyx_ca/cgi-bin/somewhere/scripts.exe enrollment mode ra query url ldap://serverx enrollment retry-period 20 enrollment retry-count 100 crl optional
In the previous example, if the router does not receive a certificate back from the CA within 20 minutes of sending a certificate request, the router will resend the certificate request. The router will keep sending a certificate request every 20 minutes until a certificate is received or until 100 requests have been sent.
If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the non-standard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.
You can use the master indexes or search online to find documentation of related commands.
enrollment url
enrollment mode ra
query url
enrollment retry-period
enrollment retry-count
crl optional
To generate RSA key pairs, use the crypto key generate rsa global configuration command.
crypto key generate rsa [usage-keys]
usage-keys | (Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair. |
RSA key pairs do not exist. If the usage-keys keyword is not used, general-purpose keys will be generated.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs---one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually-exclusive styles of RSA key pairs: special usage keys and general purpose keys. When you generate RSA key pairs, you will be prompted to select whether to generate special usage keys or general purpose keys.
If you generate special usage keys, two pairs of RSA keys will be generated. One pair will be used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA encrypted nonces as the authentication method. (You configure RSA signatures or RSA encrypted nonces in your IKE policies as described in the chapter "Configuring Internet Key Exchange Security Protocol" in the Security Configuration Guide.)
A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA encrypted nonces. (However, you could specify more than one IKE policy, and have RSA signatures specified in one policy and RSA encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special usage keys. With special usage keys, each key is not unnecessarily exposed. (Without special usage keys, one key is used for both purposes, increasing that key's exposure.)
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate (see Table 28 for sample times) and takes longer to use. Below 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)
| Modulus Length | ||||
|---|---|---|---|---|
| Router | 360 bits | 512 bits | 1024 bits | 2048 bits |
Cisco 2500 | 11 seconds | 20 seconds | 4 minutes, 38 seconds | longer than 1 hour |
Cisco 4700 | less than 1 second | 1 second | 4 seconds | 50 seconds |
This example generates special usage RSA keys.
myrouter(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.companyx.com Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. myrouter(config)#
myrouter(config)# crypto key generate rsa
The name for the keys will be: myrouter.companyx.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
show crypto key mypubkey rsa
To delete all of your router's RSA keys, use the crypto key zeroize rsa global configuration command.
crypto key zeroize rsaThere are no arguments or keywords for this command.
There are no defaults for this command.
Global configuration.
This command first appeared in Cisco IOS Release 11.3 T.
This command deletes all RSA keys that were previously generated by your router. If you issue this command, you must also perform two additional tasks:
This command is not saved to the configuration.
crypto key zeroize rsa crypto ca certificate chain no certificate
You can use the master indexes or search online to find documentation of related commands.
crypto ca certificate chain
certificate
This command has no arguments or keywords.
RA mode is turned off.
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
This command is required if your CA system provides a Registration Authority (RA). This command provides compatibility with RA systems.
crypto ca identity myca enrollment url http://ca_server enrollment mode ra query url ldap://serverx
You can use the master indexes or search online to find documentation of related commands.
number | Specify how many times the router will resend a certificate request when the router does not receive a certificate from the CA from the previous request. Specify from 1 to 100 retries. |
The router will send the CA another certificate request until a valid certificate is received (no limit to the number of retries).
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (the retry count) is exceeded. By default, the router will keep sending requests forever, but you can change this to a finite number with this command.
A retry count of 0 indicates that there is no limit to the number of times the router should resend the certificate request. By default, the retry count is 0.
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 10 enrollment retry-count 60
You can use the master indexes or search online to find documentation of related commands.
crypto ca identity
enrollment retry-period
minutes | Specify the number of minutes the router waits before resending a certificate request to the CA, when the router does not receive a certificate from the CA by the previous request. Specify from 1 to 60 minutes. By default, the router retries every 1 minute. |
The router will send the CA another certificate request every 1 minute until a valid certificate is received.
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. (By default, the router will keep sending requests forever, but you can change this to a finite number of permitted retries with the enrollment retry-count command.)
Use the enrollment retry-period command to change the retry period from the default of 1 minute between retries.
This example declares a CA and changes the retry period to 5 minutes.
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 5
You can use the master indexes or search online to find documentation of related commands.
crypto ca identity
enrollment retry-count
url | Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server. This URL must be in the form of http://CA_name where CA_name is the CA's host DNS name or IP address. If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the non-standard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts. |
Your router does not know the CA URL until you specify it with this command.
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the CA's URL. This command is required when you declare a CA with the crypto ca identity command.
The URL must include the CA script location if the CA scripts are not loaded into the default cgi-script location. The CA administrator should be able to tell you where the CA scripts are located.
To change a CA's URL, repeat the enrollment url command to overwrite the older URL.
The following is an example of the absolute minimum configuration required to declare a CA.
crypto ca identity myca enrollment url http://ca_server
You can use the master indexes or search online to find documentation of related commands.
To specify LDAP protocol support, use the query url ca-identity configuration command. Use the no form of this command to remove the query URL from the configuration and specify the default query protocol, certificate enrollment protocol (CEP).
query url url
url | Specify the URL of the LDAP server; for example, ldap://another_server. This URL must be in the form of ldap://server_name where server_name is the host DNS name or IP address of the LDAP server. |
The router uses CEP.
Ca-identity configuration
This command first appeared in Cisco IOS Release 11.3 T.
This command is required if the CA supports a Registration Authority (RA) and the LDAP protocol; LDAP is a query protocol used when the router retrieves certificates and CRLs. The CA administrator should be able to tell you whether the CA supports LDAP or CEP; if the CA supports the LDAP protocol, the CA administrator can tell you the LDAP location where certificates and CRLs should be retrieved.
To change the query URL, repeat the query url command to overwrite the older URL.
This command is only valid if you also use the enrollment mode ra command.
The following is an example of a configuration required to declare a CA when the CA supports LDAP.
crypto ca identity myca enrollment url http://ca_server enrollment mode ra query url ldap://bobs_server
You can use the master indexes or search online to find documentation of related commands.
This command has no arguments or keywords.
EXEC
This command first appeared in Cisco IOS Release 11.3 T.
This command shows information about the following certificates:
The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto ca authenticate command:
CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set
The CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair:
Certificate
Subject Name
Name: myrouter.companyx.com
IP Address: 10.0.0.1
Serial Number: 04806682
Status: Pending
Key Usage: General Purpose
Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto ca certificates command, and shows two router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair:
Certificate
Subject Name
Name: myrouter.companyx.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Key Usage: Signature
Certificate
Subject Name
Name: myrouter.companyx.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Key Usage: Encryption
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command:
CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set RA Signature Certificate Status: Available Certificate Serial Number: 34BCF8A0 Key Usage: Signature RA KeyEncipher Certificate Status: Available Certificate Serial Number: 34BCF89F Key Usage: Encryption
You can use the master indexes or search online to find documentation of related commands.
crypto ca enroll
crypto ca authenticate
|
|