IOS version#
Not all IOS images include the relevant crypto features. You must install a crypto (k9) image that has the "Certification Authority Interoperability" feature.
SCEP support for the CA subsystem was tested on a Cisco 2611 router running the following version of IOS:
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.2(40), RELEASE SOFTWARE (fc1)
Preparation#
Your router must be configured with an IP address, DNS server, and routing information. The router's date and time must be correct, and should be kept correct with NTP (ntp server) rather than set by hand. The router's hostname and domain name (ip domain-name) must also be configured, because together they form the name of the RSA key pair and the subject name of the certificate. See Configuring Cisco Router.
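A minimal configuration that satisfies the prerequisites above, as an added example (it is not from the original page or from the Configuring Cisco Router page). The interface name, addresses and domain name are placeholders:

```ios
! Added example: prerequisite configuration for SCEP enrollment.
! Interface name, addresses and domain are assumptions, not values from the page.
hostname scep
! hostname + domain-name give the key pair and subject name scep.example.com
ip domain-name example.com
! the name server must resolve the host in the enrollment URL
ip name-server 192.0.2.53
!
interface Ethernet0/0
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! keep the clock inside the certificate validity window across reloads
clock timezone UTC 0
ntp server 192.0.2.123
```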
Certificate Enrollment#
Our router’s hostname is scep.
Log into the router's console; you will see the following prompt:
scep>
Now run the following commands in sequence:
Enable Privileged Commands:
scep> enable
Enter Configuration Mode:
scep# conf t
Set up a CA identity. The crl optional line lets certificate validation succeed when no CRL can be fetched, so revocation is not enforced; it is needed when the CA certificates carry no CRL distribution point, as explained under Working with Chained CAs:
scep(config)# crypto ca identity CA
scep(ca-identity)# enrollment url http://enroll.example.com:9080/ca/cgi-bin
scep(ca-identity)# crl optional
scep(ca-identity)# exit
Get the CA's certificate. It is fetched over plain HTTP, so the fingerprint prompt is the only check on the trust anchor you are installing: compare it against the value obtained from the CA administrator out of band before answering yes:
scep(config)# crypto ca authenticate CA
Certificate has the following attributes:
Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57
% Do you accept this certificate? [yes/no]: yes
Generate an RSA key pair. The keys are named after the router's hostname and domain name. The default modulus of 512 bits is trivially weak; enter 2048, the largest this release accepts, instead of accepting the default:
scep(config)# crypto key generate rsa
The name for the keys will be: scep.dsdev.sjc.redhat.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
Generating RSA keys ...
[OK]
Enroll. The command prompts for a challenge password (which you must later give the CA administrator to revoke the certificate) and asks whether to include the router's serial number and IP address in the subject name; both were included in this run, as the certificate shown later confirms:
scep(config)# crypto ca enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
% The subject name in the certificate will be: scep.dsdev.sjc.redhat.com
% The serial number in the certificate will be: 57DE391C
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
% Fingerprint: D89DB555 E64CC2F7 123725B4 3DBDF263
Exit from conf mode:
scep(config)# exit
Show certificates:
scep# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 0C
Key Usage: General Purpose
Issuer:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Subject Name Contains:
Name: scep.dsdev.sjc.redhat.com
IP Address: 10.14.1.94
Serial Number: 57DE391C
Validity Date:
start date: 21:42:40 UTC Jan 12 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA
CA Certificate
Status: Available
Certificate Serial Number: 01
Key Usage: Signature
Issuer:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Subject:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Validity Date:
start date: 21:49:50 UTC Jan 11 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA
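The fingerprint prompt during crypto ca authenticate is the only thing binding the router's trust anchor, so it is worth being able to recompute it independently. The script below is an added example, not code from the original page or from Cisco. It assumes that the 32-hex-digit fingerprint this IOS release prints is MD5 over the DER-encoded CA certificate in four 8-character groups (newer releases also print a SHA1 line; pass algo="sha1" for that); the enrollment URL and file names are placeholders.

```python
"""Recompute the CA-certificate fingerprint that 'crypto ca authenticate' prints.

Added example for this page, not code from the original page or from Cisco.
Assumption: the 32-hex-digit fingerprint shown by this IOS release is MD5 over
the DER-encoded CA certificate, printed in four 8-character groups (newer
releases also print SHA1; pass algo="sha1" for that line).  URLs and host
names are placeholders.
"""
import base64
import hashlib
import re
import sys
import urllib.parse
import urllib.request

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER certificate; accepts either raw DER or a PEM file."""
    match = PEM_CERT.search(data.decode("ascii", errors="replace"))
    if match:
        return base64.b64decode("".join(match.group(1).split()))
    return data


def ios_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest the DER certificate and format it the way IOS prints it:
    upper-case hex split into 8-character groups."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare two fingerprints ignoring case, whitespace and colons, which is
    what survives being read over the phone or pasted from 'openssl x509'."""
    def normalise(value: str) -> str:
        return re.sub(r"[\s:]", "", value).upper()
    return normalise(shown) == normalise(expected)


def fetch_ca_cert(enrollment_url: str, ca_ident: str = "CA",
                  timeout: float = 10) -> bytes:
    """Issue the same SCEP GetCACert request the router sends.  It is plain
    HTTP, so the reply is unauthenticated; that is why the fingerprint must
    be checked against a value obtained from the CA administrator."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_ident})
    with urllib.request.urlopen(f"{enrollment_url}?{query}", timeout=timeout) as resp:
        content_type = resp.headers.get("Content-Type", "")
        body = resp.read()
    if "x-x509-ca-ra-cert" in content_type:
        # CA+RA deployments (the chained/RA case on this page) return a
        # degenerate PKCS#7 bundle rather than one certificate; unpack it with
        # 'openssl pkcs7 -inform DER -print_certs' and fingerprint the CA cert.
        raise ValueError("GetCACert returned a PKCS#7 CA/RA bundle, not a single certificate")
    return pem_to_der(body)


def check(source: str, shown: str) -> bool:
    """source is a certificate file path or an enrollment URL; shown is the
    fingerprint the router displayed.  Returns True when they agree."""
    if source.startswith(("http://", "https://")):
        der = fetch_ca_cert(source)
    else:
        with open(source, "rb") as fh:
            der = pem_to_der(fh.read())
    expected = ios_fingerprint(der)
    print(f"computed : {expected}")
    print(f"router   : {shown}")
    return fingerprints_match(shown, expected)


if __name__ == "__main__":
    # e.g. python3 ca_fingerprint.py ca.crt "145E3825 31998BA7 F001EA9A B4001F57"
    if len(sys.argv) != 3:
        sys.exit("usage: ca_fingerprint.py <ca.crt | enrollment-url> <fingerprint shown by router>")
    sys.exit(0 if check(sys.argv[1], sys.argv[2]) else "MISMATCH: do not answer yes")
```

Run it with the CA certificate file copied from the CA host (not fetched through the same enrollment URL the router uses) to get an independent value; openssl x509 -in ca.crt -noout -fingerprint -md5 gives the same digest in colon-separated form, which fingerprints_match accepts.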
Removing Keys#
Zeroize the RSA keys (required before re-enrolling; this destroys the private key, so the existing certificate becomes useless):
scep(config)# crypto key zeroize rsa
% Keys to be removed are named scep.dsdev.sjc.redhat.com.
Do you really want to remove these keys? [yes/no]: yes
Removing CA Identity#
scep(config)# no crypto ca identity CA
% Removing an identity will destroy all certificates received from
the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
No enrollment sessions are currently active.
Working with Chained (Subordinate) CAs#
Before running the 'crypto ca authenticate' command for the identity, import every CA certificate in the chain as a trusted root, starting with the root CA. In the example below the chain has two CAs, so the root is imported as trusted-root 1 and the subordinate CA as trusted-root 0. Run the following in conf mode.
Note: the URLs in the example enroll through an RA. To bypass the RA and talk directly to the CA or the subordinate CA, point the URLs at them instead, e.g.:
enrollment url http://paw.sfbay.redhat.com:9280/ca/cgi-bin
Example to enroll via an RA to a subordinate CA:
scep(config)# crypto ca trusted-root 1
scep(ca-root)# root CEP http://paw.sfbay.redhat.com:12888/ee/scep/pkiclient.cgi
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 1
scep(config)# crypto ca trusted-root 0
scep(ca-root)# root CEP http://paw.sfbay.redhat.com:12888/ee/scep/pkiclient.cgi
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 0
In the above example, if your CA certificates carry no CRL distribution point extension, the router cannot fetch a CRL and authentication fails unless you relax the CRL requirement on each trusted root:
scep(ca-root)# crl optional
Set up a CA identity:
scep(config)# crypto ca identity CA
scep(ca-identity)# enrollment url http://paw.sfbay.redhat.com:12888/ee/scep/pkiclient.cgi
scep(ca-identity)# crl optional
scep(ca-identity)# exit
Submit enrollment request to subordinate CA in this example:
scep(config)# crypto ca authenticate CA
scep(config)# crypto ca enroll CA
Debugging#
The router prints additional debugging output during SCEP operations if you enable the following debugs. The output is verbose and includes the SCEP messages themselves; turn it off with undebug all when you are done.
scep# debug crypto pki callbacks
Crypto PKI callbacks debugging is on
scep# debug crypto pki messages
Crypto PKI Msg debugging is on
scep# debug crypto pki transactions
Crypto PKI Trans debugging is on
scep# debug crypto verbose
verbose debug output debugging is on
Troubleshooting#
If "crypto ca authenticate CA" fails as follows, the router clock is outside the CA certificate's validity period, usually because the clock was never set (example):
% CA Cert not yet valid or is expired -
start date: 17:00:43 UTC Jun 14 2007
end date: 17:00:43 UTC Jun 3 2009
% Error processing Certificate Authority certificate.
Run the following to see the current time (example):
scep#show clock
*18:41:44.303 UTC Sun Mar 7 1993
To set the clock (example):
scep#clock set ?
hh:mm:ss Current Time
scep#clock set 11:42:00 ?
<1-31> Day of the month
MONTH Month of the year
scep#clock set 11:42:00 20 ?
MONTH Month of the year
scep#clock set 11:42:00 20 June ?
<1993-2035> Year
scep#clock set 11:42:00 20 June 2007
scep#show clock
11:42:02.676 UTC Wed Jun 20 2007
scep#