Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
1
Helpful
1
Replies

HTTPS API - TrustSec Environment Download PKI Question

austinkuklok35
Level 1
Level 1

‎06-29-2023 07:31 AM

Hello,

I am at an impasse when it comes to deploying HTTPS API for Environment Data Download.

We have configured our Windows Sub CA with NDES which allows us to use SCEP for certificate enrollment for our trustpoint. When specifying the fingerprint of the CA the trustpoint successfully authenticates. Without the fingerprint config option the authentication request fails with a message to provide the fingerprint.

commands used when failing.

crypto pki trustpoint NDES1

enrollmet url *URL of NDES Server*

revocation-check crl

end

crypto authenticate NDES1

 

Commands used when working.

crypto pki trustpoint NDES1

enrollmet url *URL of NDES Server*

fingerprint *Fingerprint of SubCA cert*

revocation-check crl

end

crypto authenticate NDES1

 

When thinking about this so that it is set it and forget it, if we were to configure certificate re-enrollment you would still need to configure the fingerprint of the CA. When that subca cert changes the fingerprint of the ca will change causing all of our switching infrastructure to no longer access the PSNs over HTTPS. We have a switching infrastructure of around ~500 devices. Is it the thought that every time your CA expires you have to manually touch every switch? or is there a configuration that I am failing to see?

any tips or suggestions helps.

Thanks!

 

 

0 Helpful
1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎07-03-2023 02:17 PM - edited ‎07-03-2023 02:17 PM

@austinkuklok35 

This appears expected and the CA certificates usually last for a number of years.

Security and VPN Configuration Guide, Cisco IOS XE 17.x / Chapter: Configuring Certificate Enrollment for a PKI / Authentication of the CA says,

Authentication of the CA

The certificate of the CA must be authenticated before the device will be issued its own certificate and before certificate enrollment can occur. Authentication of the CA typically occurs only when you initially configure PKI support at your router. To authenticate the CA, issue the crypto pki authenticate command, which authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA.

Authentication via the fingerprint Command

...

If a fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.

 

Customers Also Viewed These Support Documents