Cisco IOS based CA (Certificate Authority)

IOS CA is short for Certificate Authority on IOS. It is a simple yet powerful feature for deploying certificates in environments where a PKI is needed for security reasons. In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.
Figure 1 Certificate Authority
Supported Standards

Cisco supports the following standards with this feature:

• IPSec (IP Security Protocol). IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange to negotiate protocols and algorithms based on local policy and to generate the encryption and authentication keys used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

• Internet Key Exchange (IKE). A hybrid protocol that implements the Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE authenticates the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.

• Public-Key Cryptography Standard #7 (PKCS #7). A standard from RSA Data Security, Inc., used to encrypt and sign certificate enrollment messages.

• Public-Key Cryptography Standard #10 (PKCS #10). A standard syntax from RSA Data Security, Inc. for certificate requests.

• RSA keys. RSA is the public key cryptosystem developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA keys come in pairs: one public key and one private key.

• X.509v3 certificates. Certificate support that allows the IPSec-protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity, which removes the need to manually exchange public keys with each peer or to manually configure a shared key at each peer. These certificates are obtained from a certification authority (CA). X.509 is part of the X.500 series of ITU standards.
Open source implementations

There exist several open source implementations of certificate authority software. Common to all is that they provide the necessary services to issue, revoke and manage digital certificates. Some open source implementations are:

• DogTag
• EJBCA
• gnoMint
• OpenCA
• OpenSSL, an SSL/TLS library that comes with tools allowing its use as a simple certificate authority
• EasyRSA, OpenVPN's command line CA utilities using OpenSSL
• r509
• TinyCA, a Perl GUI on top of some CPAN modules
• XCA
• Automated Certificate Management Environment (ACME), Let's Encrypt's protocol for communications between its certificate authority and servers. Let's Encrypt also provides nodeacme, a Node.js implementation of ACME, and lets-encrypt-preview, a Python-based test implementation of server certificate management software using the ACME protocol.
Using a Third-Party SSL Certificate

To assist in understanding the process of installing a third-party SSL certificate, we have outlined the steps to be taken by yourself, HostGator and the certificate issuer. If you are a more visual person, the flow chart below may help your understanding.

Figure 2 Flow Chart

1. Fill out the Certificate Signing Request (CSR) form. (Note: all information on the CSR page MUST match the WHOIS information for that domain; otherwise the SSL certificate will not be issued.)

2. HostGator will email you the CSR and the RSA private key that you will need for the following steps. Keep this e-mail and treat the private key as a secret; without the information it contains, the following steps cannot be completed.

3. Purchase your SSL certificate (if you haven't already) and send the certificate issuer the CSR from step 2. (The certificate issuer neither needs nor should ever receive the RSA private key; the CSR carries only the public key.)

4. The certificate issuer will generate and return an SSL certificate as well as an SSL CA certificate (trusted authority), sometimes called a "CA bundle". Both are PEM-encoded text documents (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines), not encrypted files. Typically they are provided via email as compressed (zipped) attachments.

5. Now that you have the SSL certificate and the SSL CA certificate, you are ready to fill out the SSL installation form. When you received the results of your CSR form, we provided you with the RSA private key to submit on the installation form. Once you complete this form, click Submit to complete your request.

6. Pay the HostGator invoice for installing the SSL certificate. (Installation is free if you have a managed Dedicated Server; $10 otherwise.)
CA Configuration

Figure 3 Topology

(Note: 1. R2 must be reachable from R3. 2. NTP must be running between R1, R2 and R3, because certificate validity periods are checked against each router's clock. 3. R1 acts as the ISP.)

R1 (the CA server):

crypto key generate rsa label ciscopki general-keys exportable modulus 1024
crypto key export rsa ciscopki pem url nvram: 3des Cisco123
crypto pki server ciscopki
 grant auto
 issuer-name CN=cisco.com DN=.com L=GR C=IN
 lifetime certificate 90
 lifetime ca-certificate 365
 lifetime crl 24
 database level minimum
 database url nvram:
 no shutdown
 exit
ip http server

(Note: 1. The RSA key pair label must be the same as the PKI server name. If no key pair named ciscopki exists when the server is brought up with no shutdown, the server generates its own non-exportable pair, and the exported key is then not the CA signing key. 2. A 1024-bit modulus is acceptable only in a lab; use modulus 2048 or larger elsewhere. 3. grant auto issues a certificate to every enrollment request that reaches the server, so anyone who can reach the enrollment URL gets a certificate; outside a lab, grant requests manually or require a challenge password. 4. ip http server is required because the routers enroll over SCEP, which runs on HTTP port 80. 5. The exported key in nvram: is protected only by the passphrase Cisco123; copy it off the router and keep it with the same care as the CA itself.)

R2:

crypto pki trustpoint ciscopki
 enrollment url http://101.1.1.1:80
 revocation-check crl none
 exit
crypto pki authenticate ciscopki
crypto pki enroll ciscopki

(Note: crypto pki authenticate downloads the CA certificate over SCEP and prints its fingerprint before asking whether to accept it. Compare that fingerprint with the one shown by show crypto pki server on R1 before answering yes; accepting an unverified CA certificate lets anyone on the path issue certificates the router will trust. revocation-check crl none tries the CRL first and accepts the peer certificate if no CRL can be fetched; in production use revocation-check crl so that a missing CRL fails closed.)

crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
crypto ipsec transform-set tset esp-sha-hmac esp-aes
 exit
ip access-list extended VPN
 permit ip host 192.168.1.100 host 192.168.2.100
 exit
crypto map CMAP 10 ipsec-isakmp
 set transform-set tset
 set peer 102.1.1.100
 match address VPN
 exit
interface f0/0
 crypto map CMAP
 exit

R3:

crypto pki trustpoint ciscopki
 enrollment url http://101.1.1.1:80
 revocation-check crl none
 exit
crypto pki authenticate ciscopki
crypto pki enroll ciscopki

crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
crypto ipsec transform-set tset esp-sha-hmac esp-aes
 exit
ip access-list extended VPN
 permit ip host 192.168.2.100 host 192.168.1.100
 exit
crypto map CMAP 10 ipsec-isakmp
 set transform-set tset
 set peer 101.1.1.100
 match address VPN
 exit
interface f0/0
 crypto map CMAP
 exit
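The enrollment steps above (and the hosting-provider procedure earlier on this page) can be rehearsed off the routers with OpenSSL. The following shell script is an added example; it is not part of the original page and not Cisco's software. It builds a lab CA the way R1's crypto pki server does, enrolls two "routers" with a PKCS #10 request and a 90-day X.509v3 certificate, prints the CA fingerprint in the grouped-hex layout that crypto pki authenticate and show crypto pki server display, and then runs the checks a practitioner wants before installing or trusting a certificate: the issued certificate matches the private key that was kept, it chains to the CA bundle, and its serial number (the argument that no certificate takes later on this page) is known. The working directory, the file names (ca.crt, r2.key, ...) and the 2048-bit key size are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the page or from Cisco: rehearses the PKI steps with
# OpenSSL. WORK, the subject names and the 2048-bit key size are assumptions.
set -e
WORK=${WORK:-$(mktemp -d)}

# Lab CA, like R1's "crypto pki server": one RSA key pair and a self-signed CA
# certificate valid for 365 days (lifetime ca-certificate 365). The subject
# mirrors R1's issuer-name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=IN/L=GR/CN=cisco.com" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # v3 extensions for the end-entity certificates (X.509v3, not v1)
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$WORK/ee.ext"
}

# Enrollment, like "crypto pki enroll": router key pair + PKCS #10 request,
# then the CA issues a 90-day certificate (lifetime certificate 90).
enroll() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/ee.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Out-of-band check for "crypto pki authenticate": SHA-1 fingerprint of the CA
# certificate in the groups of eight hex digits IOS prints, for comparison by
# eye with "show crypto pki server" on the CA.
ca_fingerprint() {
  openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g; s/\(........\)/\1 /g; s/ *$//'
}

# Does certificate $1 carry the public key of private key $2? Compare the
# SubjectPublicKeyInfo extracted from each side.
cert_matches_key() {
  c=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/$2.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Does certificate $1 chain to the CA bundle?
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Serial number (hex) of certificate $1, the value "no certificate" takes.
cert_serial() {
  openssl x509 -in "$WORK/$1.crt" -noout -serial | sed 's/^serial=//'
}

make_ca
enroll r2
enroll r3
echo "Fingerprint SHA1: $(ca_fingerprint)"
cert_matches_key r2 r2 && echo "r2 certificate matches the r2 key"
cert_matches_key r2 r3 || echo "r2 certificate does not match the r3 key (expected)"
chain_verifies r2 && chain_verifies r3 && echo "both certificates chain to the CA"
echo "r2 serial: $(cert_serial r2)"
```

Run it with sh; the fingerprint it prints is the value to compare against the CA before answering yes at crypto pki authenticate, and the key/chain checks are the ones to run on a certificate and CA bundle returned by any issuer before submitting them for installation. The key comparison uses the public key material rather than the RSA modulus so the same check works for non-RSA keys.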
Deleting RSA Keys from Your Router

Router(config)# crypto key zeroize rsa

Deletes all of your router's RSA keys. To delete a single key pair, give its label: crypto key zeroize rsa label. Any certificate issued for a zeroized key pair is useless afterwards, so remove the matching trustpoint or CA identity and re-enroll. On R1, zeroizing the ciscopki key pair destroys the CA's ability to sign, which is why the key was exported during configuration.
Deleting Certificates from the Configuration

R1# show crypto ca certificates
R1(config)# crypto ca certificate chain name
R1(config-cert-cha)# no certificate certificate-serial-number

Use show crypto ca certificates first to find the serial number (displayed in hex) of the certificate to remove. To delete the CA's certificate, you must remove the entire CA identity, which also removes all certificates associated with the CA: your router's certificate, the CA certificate, and any RA certificates. To remove a CA identity, use the following command in global configuration mode:

R1(config)# no crypto ca identity name

(Note: crypto ca is the legacy form of crypto pki; on current IOS the equivalent of this command is no crypto pki trustpoint name.)
Viewing Keys and Certificates

R1# show crypto key mypubkey rsa
Displays your router's RSA public keys.

R1# show crypto key pubkey-chain rsa
Displays a list of all the RSA public keys stored on your router. These include the public keys of peers who have sent your router their certificates during peer authentication for IPSec.

R1# show crypto key pubkey-chain rsa [name key-name | address key-address]
Displays details of a particular RSA public key stored on your router.

R1# show crypto ca certificates
Displays information about your certificate, the CA's certificate, and any RA certificates.

R1# show crypto ca roots
Displays the CA roots configured in the router. (Note: this command applies only when multiple CAs are configured in the router.)