IOS CA Servers for Fun and Profit!

Hello blog readers! This post assumes a CCNP Security level of knowledge.

In this post – we will construct a lab that includes an IOS-based CA server. It is very helpful for the lab exam to know the in and outs of these devices in the event you need to set one up and deploy certificates to devices in your environment. Our practice topology is simple, proving once again that you do not need to go crazy with hardware purchases in order to really get some great practice in.

cert

R1–Gi1/0—–10.10.10.0/24—–Gi1–ASA1–Gi0—–192.168.1.0/24—–Gi1/0–R2

The 10.10.10.0/24 network is the inside (security-level 100) and the 192 network is the outside (security-level 100).

Our first step is to ensure the the HTTP server is running on R1 and can be reached by the outside. This is to enable SCEP enrollment. Lets configure that and test through the ASA.

R1:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip http server
R1(config)#do show ip http server status
HTTP server status: Enabled
HTTP server port: 80
...

Now lets punch the appropriate hole in the ASA.

ASA1:

ASA1# conf t
ASA1(config)# access-list OI permit tcp any any eq 80
ASA1(config)# access-group OI in interface outside

Notice that I am lazy and brief with my naming convention in the interest of being very fast in the lab exam.

Let’s test the IP HTTP server access from the outside R2 device and confirm the access through the ASA.

R2 and ASA1:

R2#telnet 10.10.10.100 80
Trying 10.10.10.100, 80 ... Open
ASA1# show conn detail
TCP outside:192.168.1.100/13660 inside:10.10.10.100/80,
flags UB, idle 51s, uptime 2m52s, timeout 1h0m, bytes 0

So far so good!

Now we need NTP so that R1 can have the correct time. Time is critical for the CA server so that it can correctly provide and revoke certificates. Let me make R2 an NTP master, R1 the client of this correct time, and then punch the appropriate hole in the ASA.

R1, R2, and ASA1:

R2#show clock 
*18:02:55.995 UTC Tue Jul 2 2013
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp master 3
ASA1(config)# access-list OI permit udp any any eq ntp
R1#show clock
*18:05:12.047 UTC Tue Jul 2 2013
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ntp server 192.168.1.100
R1(config)#end
R1#
*Jul 2 18:05:24.879: %SYS-5-CONFIG_I: Configured from console by console
R1#show ntp assoc
R1#show ntp associations
address ref clock st when poll reach delay offset disp
 ~192.168.1.100 127.127.1.1 3 1 64 1 23.920 171.968 7937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#

The NTP takes forever to sync, but just ensure the WHEN field is incrementing. This will tell you that you are communicating successfully through the ASA and that you will sync eventually.

The certificate server requires an RSA key pair. This is actually created automatically when you enable the CA server, but it is highly likely that you will need to create your own with specifics outlined in your lab. Here is an example on R1:

R1:

R1(config)#crypto key generate rsa label ciscoca exportable modulus 2048

Well, finally, now we get to create the CA server itself now that the infrastructure is in place. In the exam environment, there could be a TON of different parameters specified that you would have to match exactly. I will do an example here of setting several such as the certificate server certificate archive file location in PEM format, the issuer name, the various lifetimes, etc.

R1:

R1(config)#crypto pki server ciscoca
R1(cs-server)#issuer-name CN=cool, O=Cisco, C=US 
R1(cs-server)#database url pem nvram:
R1(cs-server)#database username JOHNS password CISCO
R1(cs-server)#lifetime certificate 20
R1(cs-server)#lifetime ca-certificate 10
R1(cs-server)#lifetime crl 5
R1(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password: 
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
*Jul 2 19:01:02.747: %PKI-6-CS_ENABLED: Certificate server now enabled.

R1#show crypto pki server
Certificate Server ciscoca:
 Status: enabled
 State: enabled
 Server's configuration is locked (enter "shut" to unlock it)
 Issuer name: CN=cool, O=Cisco, C=US
 CA cert fingerprint: E835AF87 A3769876 39C409F2 FFC77F6E 
 Granting mode is: manual
 Last certificate issued serial number (hex): 1
 CA certificate expiration timer: 19:01:02 UTC Jul 12 2013
 CRL NextUpdate timer: 00:01:02 UTC Jul 3 2013
 Current primary storage dir: nvram:
 Current storage dir for .pem files: nvram:
 Database Level: Minimum - no cert data written to storage

Thank you so much for joining me in this blog post. In later posts – we will actually use this CA server we worked so hard on! Notice that the setup itself should amount to easy points as long as we read carefully.

5 thoughts on “IOS CA Servers for Fun and Profit!

  1. I guess your LAB experience right !!!! It is tough to handle everything in less time like 8 hours !!!! Too much.

  2. It is not too much – you just need to be very very proficient and fast at all tasks on the blueprint. If you are not – you must be very fast at research and implementation from the DOC-CD as well.

  3. Interesting blog! Is your theme custom made or
    did you download it from somewhere? A design like yours with a few simple
    tweeks would really make my blog shine. Please let me know where you got your theme.
    Bless you

Leave a Reply

Your email address will not be published.