Enrolling the Cisco ASA to a CA Using SCEP

Enrollment is the process of obtaining a certificate from a CA server. This section covers the necessary steps to configure and enroll a Cisco ASA to a CA server.

Generating the RSA Key Pair

Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 17-1 demonstrates how to configure the Cisco ASA host name and domain name and generate the RSA key pair.

Example 17-1. Generating the RSA Key Pair

ASA(config)# hostname Chicago Chicago(config)# domain-name securemeinc.om Chicago(config)# crypto key generate rsa modulus 1024 INFO: The name for the keys will be: Keypair generation process begin.

Note

In Example 17-1, the name for the key pair is . The is replaced with a key pair label if configured.

Use the crypto key zeroize rsa command if an RSA key pair exists and a new pair needs to be regenerated. Example 17-2 demonstrates how to remove existing RSA key pairs.

Example 17-2. Removing Existing RSA Key Pair

Chicago(config)# crypto key zeroize rsa WARNING: All RSA keys will be removed. WARNING: All certs issued using these keys will also be removed. Do you really want to remove these keys? [yes/no]: yes

To verify the generation of the RSA key pair, use the show crypto key mypubkey rsa command. Example 17-3 shows the output of this command.

Example 17-3. Viewing RSA Key Pair Information

Chicago# show crypto key mypubkey rsa Key pair was generated at: 08:46:31 UTC Jul 10 2005 Key name: Usage: General Purpose Key Modulus Size (bits): 1024 Key Data: 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f26be4 08b00ac5 fb06adda 7c7a2ae6 26c136ce 990f5612 41d6fa09 79ef251f d229dcc0 64bc15f8 1b3a4f1e 131f1765 866dfb3a bb8c3a59 f8605625 8e8ff0ca 90d291d0 75c753c3 dd5f55f3 6d49d774 523b9d8b 78ad05b4 efd75793 88ac9646 7e8c8816 017d464d 4a817041 a559dc63 2532c657 cc12373a c7b733f1 a50bdb82 61020301 0001

Note

The same RSA key pair is used for Secure Shell (SSH) connections to the security appliance.

 

Configuring a Trustpoint

The Cisco ASA certificate configuration commands are similar to Cisco IOS commands. The crypto ca trustpoint command declares the CA that your Cisco ASA should use and allows you to configure all the necessary certificate parameters. Invoking this command puts you in ca-trustpoint configuration mode, as shown in Example 17-4.

Example 17-4. Configuring a Trustpoint

Chicago# configure terminal Chicago(config)# crypto ca trustpoint CISCO Chicago(ca-trustpoint)#

Table 17-1 lists and describes all the ca-trustpoint subcommands.

Table 17-1. Enrollment Configuration Subcommands

Subcommand

Description

accept-subordinates

Allows the Cisco ASA to accept subordinate CA certificates

crl

CRL options (explained later in this chapter)

default

Returns all enrollment parameters to their default values

email

Used to enter the e-mail address to be used in the enrollment request

enrollment

Enrollment parameters:

retry Polling retry count and period

self Enrollment will generate a self-signed certificate

terminal Used for manual enrollment (cut-and-paste method)

url The URL of the CA server

fqdn

Includes fully qualified domain name

id-cert-issuer

Accepts ID certificates

ip-address

Includes IP address

keypair

Specifies the key pair whose public key is to be certified

password

Returns password

serial-number

Includes serial number

subject-name

Subject name

support_user_cert_validation

Validates remote user certificates using the configuration from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate

Figure 17-4 illustrates a topology that is used in the next example. A Cisco ASA is configured to enroll via SCEP to the CA server 209.165.202.130.

Figure 17-4. Enrollment via SCEP Example

Example 17-5 includes the Cisco ASA trustpoint configuration.

Example 17-5. Configuring the ASA to Enroll via SCEP

Chicago# configure terminal Chicago(config)# crypto ca trustpoint CISCO Chicago(ca-trustpoint)# enrollment url http://209.165.202.130/certsrv/mscep/ mscep.dll Chicago(ca-trustpoint)# enrollment retry count 3 Chicago(ca-trustpoint)# enrollment retry period 5 Chicago(ca-trustpoint)# fqdn Chicago.securemeinc.com Chicago(ca-trustpoint)# exit Chicago(config)# exit Chicago#

In Example 17-5, the Cisco ASA is configured with a trustpoint named CISCO. The enrollment url subcommand is used to declare the location of the CA server.

Note

In this example, the CA server is a Microsoft Windows CA Server with SCEP services. The complete URL is http://209.165.202.130/certsrv/mscep/mscep.dll.

The SCEP plug-in for Microsoft Windows can be downloaded from Microsoft's website at www.microsoft.com

The Cisco ASA is configured to retry three times in case the certificate is not successfully obtained from the CA Server. It is also configured to wait 5 minutes between each request to the CA. The fully qualified domain name (FQDN) used in the enrollment request is configured to be Chicago.securemeinc.com.

In this example, the Cisco ASA enrolls with the CA to use certificates for IPSec authentication. The Cisco ASA needs to obtain the CA certificate and request an ID certificate from the CA server. To obtain the CA certificate, use the crypto ca authenticate command. Example 17-6 demonstrates how to use this command to retrieve the CA certificate from the CA server.

Example 17-6. Obtaining the CA Certificate from the CA Server

Chicago# configure terminal Chicago(config)# crypto ca authenticate CISCO INFO: Certificate has the following attributes: Fingerprint: 3736ffc2 243ecf05 0c40f2fa 26820675 Do you accept this certificate? [yes/no]: yes

In Example 17-6, CISCO is the name of the previously configured trustpoint. After executing this command, the Cisco ASA establishes a TCP port 80 connection to the 209.165.202.130 CA server (via SCEP). While doing this transaction, the Cisco ASA prompts you to accept the certificate.

Note

The Cisco ASA also retrieves RA certificates from the server if an RA is used.

After the CA certificate is obtained from the CA server, use the crypto ca enroll command to generate an identity certificate request to the 209.165.202.130 CA server. Example 17-7 demonstrates how to use this command to obtain the ID certificate.

Note

The request is a PKCS#7 certificate request.

 

Example 17-7. Obtaining the ID Certificate from the CA Server

Chicago(config)# crypto ca enroll CISCO % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The fully-qualified domain name in the certificate will be: Chicago.securemeinc.com % Include the router serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority Chicago(config)# The certificate has been granted by CA!

The word CISCO is the name of the previously configured trustpoint. After invoking the crypto ca enroll command, the Cisco ASA asks you for a password to be used for this certificate. The Cisco ASA displays the FQDN to be used in the certificate. As shown in the third shaded line, the Cisco ASA asks if you would like to include its serial number in the subject name of the certificate. This is not selected in this example. The serial number is not used by IKE but may be used by the CA server to authenticate certificates or to associate a certificate with a particular device. If you are in doubt, ask your CA administrator if you need to include the serial number in your certificate request. In the fourth shaded line, the Cisco ASA finally asks if you would like to request the certificate from the CA. If your answer is yes and the subsequent request is successful, the message in the fifth shaded line is shown, indicating a successful certificate enrollment.

Use the show crypto ca certificates command to verify and display the root/CA and ID certificate information. Example 17-8 shows the output of this command.

Example 17-8. Output of show crypto ca certificates

Chicago# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 1c91af4500000000000d Certificate Usage: General Purpose Issuer: cn=SecuremeCAServer ou=ENGINEERING o=Secureme l=Chicago st=IL c=US ea=administrator@securemeinc.com Subject Name Name: Chicago.securemeinc.com Serial Number: hostname=Chicago.securemeinc.com CRL Distribution Point: http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl Validity Date: start date: 02:58:05 UTC Sep 2 2005 end date: 03:08:05 UTC Sep 2 2007 Associated Trustpoints: CISCO ! CA Certificate Status: Available Certificate Serial Number: 225b38e6471fcca649427934cf289071 Certificate Usage: Signature Issuer: cn=SecuremeCAServer ou= ENGINEERING o=Secureme l=Chicago st=IL c=US ea=administrator@securemeinc.com Subject: cn=SecuremeCAServer ou=ENGINEERING o=Secureme l=Chicago st=IL c=US ea=administrator@securemeinc.com CRL Distribution Point: http://chicago-ca.securemeinc.com/CertEnroll/SecuremeCAServer.crl Validity Date: start date: 20:15:19 UTC Jun 25 2005 end date: 20:23:42 UTC Jun 25 2008 Associated Trustpoints: CISCO Chicago#

The certificate information is shown in Example 17-8 which includes the following:

This command is very useful for troubleshooting and verification purposes.

Категории