Hello blog readers! This post assumes a CCNP Security level of knowledge.
In this post we will construct a lab that includes an IOS-based CA server. It is very helpful for the lab exam to know the ins and outs of these devices in the event you need to set one up and deploy certificates to devices in your environment. Our practice topology is simple, proving once again that you do not need to go crazy with hardware purchases in order to get some great practice in.
The 10.10.10.0/24 network is the inside (security-level 100) and the 192 network is the outside (security-level 100).
Our first step is to ensure that the HTTP server is running on R1 and can be reached from the outside, since SCEP enrollment runs over HTTP. Let's configure that and test through the ASA.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip http server
R1(config)#do show ip http server status
HTTP server status: Enabled
HTTP server port: 80
...
Now let's punch the appropriate hole in the ASA.
ASA1# conf t
ASA1(config)# access-list OI permit tcp any any eq 80
ASA1(config)# access-group OI in interface outside
Notice that I am lazy and brief with my naming convention in the interest of being very fast in the lab exam.
Let's test access to the HTTP server from R2 on the outside and confirm that the connection passes through the ASA.
R2 and ASA1:
R2#telnet 10.10.10.100 80
Trying 10.10.10.100, 80 ... Open
ASA1# show conn detail
TCP outside:192.168.1.100/13660 inside:10.10.10.100/80,
    flags UB, idle 51s, uptime 2m52s, timeout 1h0m, bytes 0
So far so good!
Now we need NTP so that R1 has the correct time. Accurate time is critical for the CA server: certificate validity periods and CRL update times are all derived from its clock, so a wrong clock means certificates are issued and revoked at the wrong times. Let me make R2 an NTP master, make R1 a client of that time source, and then punch the appropriate hole in the ASA.
R1, R2, and ASA1:
R2#show clock
*18:02:55.995 UTC Tue Jul 2 2013
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ntp master 3
ASA1(config)# access-list OI permit udp any any eq ntp
R1#show clock
*18:05:12.047 UTC Tue Jul 2 2013
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ntp server 192.168.1.100
R1(config)#end
R1#
*Jul  2 18:05:24.879: %SYS-5-CONFIG_I: Configured from console by console
R1#show ntp assoc
R1#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset    disp
~192.168.1.100    127.127.1.1      3      1     64     1 23.920 171.968  7937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#
NTP takes a while to sync, but just ensure the WHEN field is incrementing. This tells you that you are communicating successfully through the ASA and that you will sync eventually.
The certificate server requires an RSA key pair. This is actually created automatically when you enable the CA server, but it is highly likely that you will need to create your own with specifics outlined in your lab. Here is an example on R1:
R1(config)#crypto key generate rsa label ciscoca exportable modulus 2048
Now that the infrastructure is in place, we finally get to create the CA server itself. In the exam environment, there could be a TON of different parameters specified that you would have to match exactly. Here I will set several of them: the certificate server archive location and format (PEM files in nvram), the issuer name, the various lifetimes, and so on.
R1(config)#crypto pki server ciscoca
R1(cs-server)#issuer-name CN=cool, O=Cisco, C=US
R1(cs-server)#database url pem nvram:
R1(cs-server)#database username JOHNS password CISCO
R1(cs-server)#lifetime certificate 20
R1(cs-server)#lifetime ca-certificate 10
R1(cs-server)#lifetime crl 5
R1(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
*Jul  2 19:01:02.747: %PKI-6-CS_ENABLED: Certificate server now enabled.
R1#show crypto pki server
Certificate Server ciscoca:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=cool, O=Cisco, C=US
    CA cert fingerprint: E835AF87 A3769876 39C409F2 FFC77F6E
    Granting mode is: manual
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 19:01:02 UTC Jul 12 2013
    CRL NextUpdate timer: 00:01:02 UTC Jul 3 2013
    Current primary storage dir: nvram:
    Current storage dir for .pem files: nvram:
    Database Level: Minimum - no cert data written to storage
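As an added example that is not part of the original post, here is a short Python check of the timers above: the IOS CA lifetimes are entered in days for `lifetime certificate` and `lifetime ca-certificate` but in hours for `lifetime crl`, and working the lab's values forward from the %PKI-6-CS_ENABLED time should reproduce the expiration and NextUpdate timers the router shows. The cap on issued-certificate validity at the CA certificate's expiry is a general PKI sanity check added here, not something the router output states.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the original post. The three `lifetime` commands
# on the IOS CA take different units: `lifetime certificate` and
# `lifetime ca-certificate` are in days, `lifetime crl` is in hours.
# Working the lab's values forward from the %PKI-6-CS_ENABLED timestamp
# should reproduce the timers printed by `show crypto pki server`.

IOS_TIME = "%H:%M:%S UTC %b %d %Y"  # e.g. "19:01:02 UTC Jul 12 2013"

def parse_ios_time(text):
    """Parse a timer value as printed by `show crypto pki server`."""
    return datetime.strptime(text.strip(), IOS_TIME).replace(tzinfo=timezone.utc)

def ca_timers(enabled_at, cert_days, ca_cert_days, crl_hours):
    """Predict the CA timers from the configured lifetimes.

    enabled_at   -- when the CA certificate was generated (`no shutdown`)
    cert_days    -- `lifetime certificate`     (days)
    ca_cert_days -- `lifetime ca-certificate`  (days)
    crl_hours    -- `lifetime crl`             (hours)
    """
    ca_expiry = enabled_at + timedelta(days=ca_cert_days)
    crl_next_update = enabled_at + timedelta(hours=crl_hours)
    # A certificate issued now is only trustworthy while its issuer's
    # certificate is valid, so its usable life is capped at ca_expiry.
    nominal = enabled_at + timedelta(days=cert_days)
    return {
        "ca_expiry": ca_expiry,
        "crl_next_update": crl_next_update,
        "cert_expiry": min(nominal, ca_expiry),
        "cert_capped_by_ca": nominal > ca_expiry,
    }

def matches_show_output(timers, shown_ca_expiry, shown_crl_next):
    """True if the predicted timers equal the values copied from the router."""
    return (timers["ca_expiry"] == parse_ios_time(shown_ca_expiry)
            and timers["crl_next_update"] == parse_ios_time(shown_crl_next))

# The lab's configuration: lifetimes 20 / 10 / 5, enabled at 19:01:02 on Jul 2.
LAB = ca_timers(parse_ios_time("19:01:02 UTC Jul 2 2013"), 20, 10, 5)

if __name__ == "__main__":
    print("CA certificate expiration :", LAB["ca_expiry"])
    print("CRL NextUpdate            :", LAB["crl_next_update"])
    print("issued-cert cap hits CA   :", LAB["cert_capped_by_ca"])
    print("matches router output     :", matches_show_output(
        LAB, "19:01:02 UTC Jul 12 2013", "00:01:02 UTC Jul 3 2013"))
```

With the lab's values the 20-day certificate lifetime is longer than the 10-day CA certificate lifetime, so anything this CA issues is effectively good only until Jul 12; worth noticing when a task hands you lifetimes to match.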
Thank you so much for joining me in this blog post. In later posts – we will actually use this CA server we worked so hard on! Notice that the setup itself should amount to easy points as long as we read carefully.