This document describes the Trusted Root Certification Authority feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so on.
This document includes the following sections:
This feature allows two or more Cisco routers enrolled under different domains (different CAs) to verify each other's identity when using Internet Key Exchange (IKE) to set up IP Security (IPSec) tunnels.
This feature also provides support to other public key applications when different roots are needed to authenticate different components.
Through Simple Certificate Enrollment Protocol (SCEP), each router is configured with a CA (the enrollment CA). The CA issues a certificate to the router that is signed with the private key of the CA. To verify the certificates of peers in the same domain, the router is also configured with the root certificate of the enrollment CA.
To verify the certificate of a peer from a different domain, the root certificate of the enrollment CA in the domain of the peer must be configured securely in the router.
During IKE phase one signature verification, the initiator will send the responder a list of its CA certificates. The responder should send the certificate issued by one of the CAs in the list. If the certificate is verified, the router saves the public key contained in the certificate on its public key ring.
Note: Certificate revocation list (CRL) checking invalidates and removes the public keys of certificates that the issuing CA has revoked (that is, certificates listed in the CRL).
This feature requires the following components:
You can obtain a root certificate by using either Simple Certificate Enrollment Protocol (SCEP) or TFTP.
If the CA server supports SCEP, the best way to obtain the root certificate is by issuing the SCEP GetCACert command. The GetCACert response is not itself authenticated, so to ensure the authenticity of the root certificate the router administrator is expected to compare the fingerprint that the router displays with the fingerprint published by the CA server administrator over a separate, trusted channel (for example, in person or by telephone), comparing the complete value rather than only its first group. The fingerprint of the root certificate is an MD5 hash of the complete root certificate.
If the CA server does not support SCEP, TFTP may be used to obtain the root certificate. In this mode, an authenticated root certificate is stored as a file on the TFTP server.
Caution: The TFTP server must be secured so that the downloading of the root certificate is not subject to any attack. TFTP provides no authentication or integrity protection of its own, so the fingerprint comparison is the only check that ties the downloaded file to the intended CA.
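The fingerprint comparison described for both the SCEP and the TFTP path, as an added example in Python (not Cisco IOS code): it hashes the complete DER-encoded certificate, prints the digest in the grouped layout the router shows after crypto ca authenticate, and compares it in constant time against a value copied from the out-of-band source. The sample bytes in the block are constructed and are not a real certificate; a SHA-256 variant is included for servers that publish a stronger fingerprint.

```python
"""Root-certificate fingerprint check for the administrator's side of the
procedure.  Added example; not Cisco IOS code."""
import hashlib
import hmac
import re


def router_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the complete DER certificate in the grouped upper-case
    layout the router prints, e.g. 'D41D8CD9 8F00B204 E9800998 ECF8427E'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so a value copied from a console, a
    signed mail or `openssl x509 -fingerprint` output compares equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der: bytes, expected: str, algo: str = "md5") -> bool:
    """Compare the full fingerprint in constant time.  `expected` must come
    from a channel independent of the certificate download (phone, in
    person); a value read from the same server proves nothing."""
    got = normalize(router_fingerprint(der, algo))
    want = normalize(expected)
    if not re.fullmatch(r"[0-9a-f]+", want) or len(want) != len(got):
        return False  # malformed or truncated value: never a match
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Constructed stand-in for the bytes fetched by GetCACert or from the
    # TFTP server; a real check hashes the exact downloaded file.
    downloaded = b"\x30\x82\x01\x00" + b"\x00" * 252
    print("MD5    :", router_fingerprint(downloaded))
    print("SHA-256:", router_fingerprint(downloaded, "sha256"))
    # Value read back over the phone from the CA administrator (constructed).
    print(fingerprint_matches(downloaded, router_fingerprint(downloaded)))
```

Run the script against the certificate file before it is copied to the TFTP server, and again against the fingerprint the router prints, so that a substituted file is caught at either end.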
Root certificates obtained from CA servers are saved in NVRAM. If the NVRAM is too small, only the fingerprint of the root certificate will be saved in NVRAM. If you would like the root certificate to be queried when the router reboots, you must enter the crl query command at this point.
Note: A root CA server is identified by its name. A record that saves the configuration parameters for the given root is associated with each root. The configuration parameters consist of the protocols, the network connection information, the fingerprint of the root certificate, the subject name of the root certificate, and an authentication context, which is used to verify any certificate issued by the given root.
All the root certificates are saved in RAM after the router has been initialized.
With the introduction of the Trusted Root Certification Authority feature, Virtual Private Network (VPN) users can establish trust by one domain and easily and securely distribute it to other domains. Thus, the required private communication channel between entities authenticated under different domains can occur.
All roots and the identity CA must be top-level (self-signed root) CAs.
Cisco IOS PKI Enrollment Protocol contains features and technologies that are related to Trusted Root Certification Authority.
The following documents provide information related to the Trusted Root Certification Authority feature:
This feature should run on all platforms that support VPN technology.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Your CA server must support SCEP or TFTP.
See the following sections for configuration tasks for the Trusted Root Certification Authority feature. Each task in the list is indicated as optional or required.
To configure a trusted root, enter the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)#crypto ca trusted-root name | Configures a root with a selected name and enters trusted root configuration mode. |
| 2 | Router(ca-root)#crl query ldap url | (Optional) Queries the CRL published by the configured root at the LDAP (1) URL. |
| 3 | Router(ca-root)#exit | (Optional) Exits trusted root configuration mode. |
| 4 | Router(config)#crypto ca identity name | (Optional) Enters certificate authority identity configuration mode. |
| 5 | Router(ca-identity)#crl optional | (Optional) Allows other peer certificates to be accepted by your router even if the appropriate CRL is not accessible to your router. This disables revocation checking whenever the CRL server is unreachable, so use it only where the availability trade-off is understood. |
| 6 | Router(ca-identity)#exit | (Optional) Exits certificate authority identity configuration mode. |
| 7 | Router(config)#crypto ca trusted-root name | (Optional) Enters trusted root configuration mode. |
| 8 | Router(ca-root)#root CEP url or Router(ca-root)#root TFTP server-hostname filename | Uses CEP (2), with the given identity and URL, to get a root certificate, or uses TFTP to get the root certificate from the named file on the named server. |
| 9 | Router(ca-root)#root PROXY url | (Optional) Defines the HTTP proxy server for getting a root certificate. |

1. LDAP = Lightweight Directory Access Protocol.
2. CEP = Cisco Enrollment Protocol.
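The acceptance decision that these steps configure, as an added example in Python modelling the behaviour this page describes (it is not Cisco IOS code): the responder's certificate must be issued by one of the CAs the initiator listed, which here means its issuer matches a configured trusted root; the serial number is then checked against the CRL fetched from that root's crl query URL; and crl optional changes only what happens when that fetch fails. Signature verification is assumed to have already passed. The root names, subject names, serial numbers and the simulated CRL fetcher are constructed for the illustration.

```python
"""Peer-certificate acceptance as configured by the steps above.
Added example modelling the documented behaviour; not Cisco IOS code.
Certificates are plain records: signature checks are assumed done, so
only trust anchoring and revocation handling are shown."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


class CrlUnavailable(Exception):
    """The LDAP CRL distribution point could not be reached."""


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str    # subject name of the CA that signed it
    serial: str


@dataclass(frozen=True)
class TrustedRoot:
    name: str                      # crypto ca trusted-root <name>
    subject: str                   # subject name of the root certificate
    crl_url: Optional[str] = None  # crl query ldap://...
    crl_optional: bool = False     # crl optional


def find_root(peer: Cert, roots: List[TrustedRoot]) -> Optional[TrustedRoot]:
    """IKE phase 1: the responder must present a certificate issued by one
    of the CAs the initiator listed, i.e. one of the configured roots."""
    return next((r for r in roots if r.subject == peer.issuer), None)


def accept_peer(peer: Cert, roots: List[TrustedRoot],
                fetch_crl: Callable[[str], Set[str]]) -> Tuple[bool, str]:
    """Return (accepted, reason).  fetch_crl(url) returns the set of
    revoked serials or raises CrlUnavailable."""
    root = find_root(peer, roots)
    if root is None:
        return False, "issuer is not a configured trusted root"
    if root.crl_url is None:
        return True, "no crl query configured; revocation not checked"
    try:
        revoked = fetch_crl(root.crl_url)
    except CrlUnavailable:
        if root.crl_optional:
            # The weak setting: an unreachable CRL is treated as empty.
            return True, "CRL unreachable, accepted because crl optional is set"
        return False, "CRL unreachable and crl optional is not set"
    if peer.serial in revoked:
        return False, "serial is listed in the CRL"
    return True, "issuer trusted and serial not revoked"


# Constructed sample roots mirroring the griffin/banana examples on this page.
SAMPLE_ROOTS: List[TrustedRoot] = [
    TrustedRoot("griffin", "CN=Griffin CA,O=cisco", "ldap://griffin", False),
    TrustedRoot("banana", "CN=Banana CA,O=cisco", "ldap://strawberry", True),
]

# Constructed CRL contents per LDAP URL; None simulates an unreachable server.
_CRLS: Dict[str, Optional[Set[str]]] = {
    "ldap://griffin": {"1A"},
    "ldap://strawberry": None,
}


def sample_fetch_crl(url: str) -> Set[str]:
    """Stand-in for the LDAP query; raises when the server is down."""
    crl = _CRLS.get(url)
    if crl is None:
        raise CrlUnavailable(url)
    return crl


if __name__ == "__main__":
    peers = [
        Cert("CN=router1", "CN=Griffin CA,O=cisco", "1B"),
        Cert("CN=router2", "CN=Griffin CA,O=cisco", "1A"),  # revoked
        Cert("CN=router3", "CN=Banana CA,O=cisco", "05"),   # CRL server down
        Cert("CN=router4", "CN=Unknown CA", "01"),
    ]
    for p in peers:
        print(p.subject, accept_peer(p, SAMPLE_ROOTS, sample_fetch_crl))
    strict = [TrustedRoot(r.name, r.subject, r.crl_url, False) for r in SAMPLE_ROOTS]
    print("router3 without crl optional:",
          accept_peer(peers[2], strict, sample_fetch_crl))
```

The router3 case is the one to watch: with crl optional set, an unreachable CRL server silently turns off revocation for every peer under that root, which is exactly the window an attacker holding a revoked key wants.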
To get the root certificate of a CA, enter the following global configuration command:
| Command | Purpose |
|---|---|
| Router(config)#crypto ca authenticate name | Authenticates the CA (by getting the certificate of the CA from the trusted root). The router displays the fingerprint of the certificate it received; confirm it against the out-of-band value before answering yes. |
To display the roots configured in the router, use the following EXEC command:
| Command | Purpose |
|---|---|
| Router#show crypto ca roots | Displays the roots configured in the router. |
This section provides the following configuration examples:
The following example configures "griffin" as a trusted root. The "Griffin" trusted root is installed on the "megatron" server. The CEP protocol and the root proxy URL are used to obtain the root certificate.
```
crypto ca trusted-root griffin
 root CEP http://griffin:80
 root proxy http://megatron:8080
!
crypto ca authenticate griffin
Root certificate MD5 finger print: 8B4EC8C1 9308376F A0253C2A 34112AA6
% Do you accept this certificate? [yes/no]: y
```
The following example configures "banana" as a trusted root. Using TFTP, "banana" is installed on the "strawberry" server, and the filename is "ca-cert/banana".
```
crypto ca trusted-root banana
 root tftp strawberry ca-cert/banana
!
crypto ca authenticate banana
Loading ca-cert/banana from 10.4.9.10 (via Ethernet0): !
[OK - 785/4096 bytes]
!
!
Root certificate MD5 finger print: F3F53FFB 925D052F 0C801EE7 89774ED3
% Do you accept this certificate? [yes/no]: y
Root certificate accepted.
```
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
To query the certificate revocation list (CRL) published by the configured root with the Lightweight Directory Access Protocol URL, use the crl query trusted root configuration command. To remove the crl query LDAP URL, use the no form of this command.
```
crl query ldap url
no crl query ldap url
```
Syntax Description
ldap url Specifies the LDAP URL published by the configured root; for example, ldap://another_server.
Defaults
No default behavior or values.
Command Modes
Trusted root configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
Use this command to query the CRL published by the configured trusted root. You should check the CRL to ensure that the certificate of the peer has not been revoked.
Note: The URL used to query the CRL must be an LDAP URL.
Note: After you enter this command, an entry is created in the router for the root subject-name command. The entry is based on information contained in the router.
Examples
In the following example, the ldap://ciscoca-ultra URL is used to query the CRL, which is published by the configured trusted root "netscape":
```
crypto ca trusted-root netscape
 root CEP http://ciscoca-ultra:80
 crl query ldap://ciscoca-ultra
```
Related Commands
| Command | Description |
|---|---|
| crl optional | Allows other peer certificates to be accepted by your router even if the appropriate CRL is not accessible to your router. |
| crypto ca identity | Declares the CA that your router should use. |
| crypto ca trusted-root | Configures a trusted root. |
| root CEP | Defines the CEP protocol, which gets the root certificate of a given CA. |
| root PROXY | Defines the HTTP proxy server for getting the root certificate of a CA. |
| root TFTP | Defines the TFTP protocol, which gets the root certificate of a given CA. |
To configure a trusted root, use the crypto ca trusted-root global configuration command. To deconfigure a trusted root, use the no form of this command.
```
crypto ca trusted-root name
no crypto ca trusted-root name
```
Syntax Description
name Creates a name for the trusted root.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
This command configures a trusted root with a selected name. Configure a trusted root so that your router can verify certificates issued to peers by a CA other than its own: the router does not have to enroll with the CA that issued the certificates to the peers, it only needs that CA's root certificate.
You can specify characteristics for the trusted root with the following commands:
Examples
The following example shows configuring a trusted root. In this example, the name "netscape" is created for the trusted root.
```
crypto ca trusted-root netscape
```
Related Commands
| Command | Description |
|---|---|
| crl optional | Allows other peer certificates to be accepted by your router even if the appropriate CRL is not accessible to your router. |
| crl query | Uses the LDAP URL to query the CRL published by the configured root. |
| crypto ca authenticate | Authenticates the CA (by getting the certificate of a CA). |
| crypto ca identity | Declares the CA that your router should use. |
| root CEP | Defines the CEP protocol, which gets the root certificate of a given CA. |
| root PROXY | Defines the HTTP proxy server for getting the root certificate of a CA. |
| root TFTP | Defines the TFTP protocol, which gets the root certificate of a given CA. |
To define the Cisco Enrollment Protocol (CEP), which gets the root certificate of a given CA, use the root CEP trusted root configuration command.
```
root CEP url
```
Syntax Description
url Specifies the given URL of the configured root.
Defaults
No default behavior or values.
Command Modes
Trusted root configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
After configuring a trusted root, use this command to get the root certificate of a given CA using the CEP protocol. The download itself is not authenticated, so to ensure authenticity of the root certificate the router administrator is expected to compare the fingerprint that the router displays with the fingerprint published by the CA server administrator over a separate, trusted channel, comparing the complete value. The fingerprint of the root certificate is an MD5 hash of the complete root certificate.
Examples
The following example shows defining CEP as the desired protocol to get the root certificate of the CA. In this example, the URL is defined as "http://ciscoca-ultra:80".
```
crypto ca trusted-root netscape
 root CEP http://ciscoca-ultra:80
```
Related Commands
| Command | Description |
|---|---|
| crl query | Uses the LDAP URL to query the CRL published by the configured root. |
| crypto ca identity | Declares the CA that your router should use. |
| crypto ca trusted-root | Configures a trusted root. |
| root PROXY | Defines the HTTP proxy server for getting the root certificate of a CA. |
| root TFTP | Defines the TFTP protocol, which gets the root certificate of a given CA. |
To define the Hypertext Transfer Protocol proxy server for getting the root certificate, use the root PROXY trusted root configuration command.
```
root PROXY url
```
Syntax Description
url Specifies the URL of the HTTP proxy server; for example, http://proxy_server.
Defaults
No default behavior or values.
Command Modes
Trusted root configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
After configuring a trusted root and defining the protocol, use this command to define the HTTP proxy server for getting the given root certificate of a certification authority.
Examples
The following example defines the HTTP proxy server for getting the root certificate of a CA. In this example, Cisco Enrollment Protocol is the defined protocol, and the HTTP proxy server is "megatron."
```
crypto ca trusted-root griffin
 root CEP http://griffin:80
 root proxy http://megatron:8080
```
Related Commands
| Command | Description |
|---|---|
| crl query | Uses the LDAP URL to query the CRL published by the configured root. |
| crypto ca identity | Declares the CA that your router should use. |
| crypto ca trusted-root | Configures a trusted root. |
| root CEP | Defines the CEP protocol, which gets the root certificate of a given CA. |
| root TFTP | Defines the TFTP protocol, which gets the root certificate of a given CA. |
To define the TFTP protocol, which gets the root certificate of a given certification authority, use the root TFTP trusted root configuration command.
```
root TFTP server-hostname filename
```
Syntax Description
server-hostname Hostname (or address) of the TFTP server that holds the root certificate.
filename Name of the file on that server that contains the root certificate.
Defaults
No default behavior or values.
Command Modes
Trusted root configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
After configuring a trusted root, use this command to get the root certificate of a given CA using the TFTP protocol. The router downloads the root certificate from a file on the TFTP server; that file must have been placed there by an administrator who has already verified it, and the router still displays the certificate fingerprint for confirmation when you enter crypto ca authenticate.
Note: This command should be used if your CA server does not support Cisco Enrollment Protocol.
Examples
The following example shows defining TFTP as the desired protocol to get the root certificate of a CA. In this example, the name "banana" is created for the trusted root, "strawberry" is the server hostname, and "ca-cert/banana" is the filename where the root certificate is stored.
```
crypto ca trusted-root banana
 root tftp strawberry ca-cert/banana
```
Related Commands
| Command | Description |
|---|---|
| crl query | Uses the LDAP URL to query the CRL published by the configured root. |
| crypto ca identity | Declares the CA that your router should use. |
| crypto ca trusted-root | Configures a trusted root. |
| root CEP | Defines the CEP protocol, which gets the root certificate of a given CA. |
| root PROXY | Defines the HTTP proxy server for getting the root certificate of a CA. |
To display the roots configured in the router, use the show crypto ca roots EXEC command.
```
show crypto ca roots
```
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Examples
The following is sample output of the show crypto ca roots command:
```
Router#show crypto ca roots
Root netscape:
  Subject Name:
    CN=Certificate Manager
    OU=On 07/01
    O=cisco
    C=US
  Serial Number: 01
  Certificate configured.
  Root identity: netscape
  CEP URL: http://cisco-ultra
  CRL query url: ldap://cisco-ultra
```
Related Commands
| Command | Description |
|---|---|
| crypto ca authenticate | Authenticates the CA (by getting the certificate of a CA). |
| crypto ca identity | Declares the CA that your router should use. |
| crypto ca trusted-root | Configures a trusted root. |
| root CEP | Defines the CEP protocol, which gets the root certificate of a given CA. |
| root PROXY | Defines the HTTP proxy server for getting the root certificate of a CA. |
| root TFTP | Defines the TFTP protocol, which gets the root certificate of a given CA. |
CA: Certification Authority. A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service is explicitly entrusted by the receiver to validate identities and to create digital certificates. This service provides centralized key management for the participating devices.
Certification Authority: See CA.
IKE: Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with IPSec. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router, firewall or host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
Internet Key Exchange: See IKE.
IPSec: IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IP Security: See IPSec.
MD5: Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework.
Message Digest 5: See MD5.
peer: A router or device that participates as an endpoint in IPSec and IKE.
PKI: public key infrastructure. Provides trusted and efficient key and certificate management to support security protocols such as IPSec.
public key infrastructure: See PKI.
root CA: The ultimate CA, which signs the certificates of the subordinate CAs. The root CA has a self-signed certificate that contains its own public key.
Posted: Fri Sep 8 10:14:11 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.