HTTPS API - TrustSec Environment Download PKI Question

austinkuklok35 — Thu, 29 Jun 2023 14:31:30 GMT

Hello,

I am at an impasse when it comes to deploying HTTPS API for Environment Data Download.

We have configured our Windows Sub CA with NDES which allows us to use SCEP for certificate enrollment for our trustpoint. When specifying the fingerprint of the CA the trustpoint successfully authenticates. Without the fingerprint config option the authentication request fails with a message to provide the fingerprint.

commands used when failing.

crypto pki trustpoint NDES1

enrollmet url *URL of NDES Server*

revocation-check crl

end

crypto authenticate NDES1

Commands used when working.

crypto pki trustpoint NDES1

enrollmet url *URL of NDES Server*

fingerprint *Fingerprint of SubCA cert*

revocation-check crl

end

crypto authenticate NDES1

When thinking about this so that it is set it and forget it, if we were to configure certificate re-enrollment you would still need to configure the fingerprint of the CA. When that subca cert changes the fingerprint of the ca will change causing all of our switching infrastructure to no longer access the PSNs over HTTPS. We have a switching infrastructure of around ~500 devices. Is it the thought that every time your CA expires you have to manually touch every switch? or is there a configuration that I am failing to see?

any tips or suggestions helps.

Thanks!

Re: HTTPS API - TrustSec Environment Download PKI Question

hslai — Mon, 03 Jul 2023 21:17:53 GMT

@austinkuklok35

This appears expected and the CA certificates usually last for a number of years.

Security and VPN Configuration Guide, Cisco IOS XE 17.x / Chapter: Configuring Certificate Enrollment for a PKI / Authentication of the CA says,

Authentication of the CA

The certificate of the CA must be authenticated before the device will be issued its own certificate and before certificate enrollment can occur. Authentication of the CA typically occurs only when you initially configure PKI support at your router. To authenticate the CA, issue the crypto pki authenticate command, which authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA.

Authentication via the fingerprint Command

...

If a fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.

topic Re: HTTPS API - TrustSec Environment Download PKI Question in Network Access Control

HTTPS API - TrustSec Environment Download PKI Question

Re: HTTPS API - TrustSec Environment Download PKI Question

Authentication of the CA

Authentication via the fingerprint Command