
Hierarchical PKI with certificate chaining

JUANNN

Hello,

I am currently working on the following lab:

JUANNN_1-1740621044833.png

In red I surrounded the part of the topology that I am having trouble with. All routers are NTP synched and HTTP Server enabled. 

I want to configure certificate chaining on the MARKETING department. The MARKETING_SUB-CA router acts as a SUB-CA for the MARKETING department, and is authenticated and enrolled with the CA-ROOT router. Therefore, the MARKETING_SUB-CA router has 2 certificates installed:

- A CA Certificate issued by CA-ROOT

- An ID Certificate issued by the CA-ROOT

Below is the PKI configuration of the CA-ROOT trustpoint on MARKETING_SUB-CA router: (I enrolled, it worked, all good)

JUANNN_2-1740622360427.png

So far so good. The MARKETING_SUB-CA Certificate Server is the one that processes all enrollments from the MARKETING SPOKES, reducing load of the CA-ROOT (in a multiple spoke scenario). For that, here is the configuration that I used for the Certificate Server on MARKETING_SUB-CA:

JUANNN_3-1740622435597.png

However, the command mode sub-cs does NOT allow the Certificate Server to generate a CA Certificate (is this normal, since it is a SUB-CA?). I tried removing it and then the CS is allowed to generate one. However, removing it works for hierarchical PKI without certificate chaining. What I want is Hierarchical PKI with certificate chaining.

The book PKI UNCOVERED by Cisco Press says that the MARKETING_SPOKE should be authenticated with a CA-ROOT trustpoint and enrolled with a MARKETING_SUB-CA trustpoint. That way, the spoke will end up having 3 certificates, and 1 of them will be the CA-ROOT CA Certificate. In consequence, the issuer name will end up matching when using certificates (CA-ROOT is the shared CA) for authentication over IKE (with certificate maps) because IKE performs certificate chaining by default (ID CERT issued by SUB-CA to SPOKE -> ID CERT issued by CA-ROOT to SUB-CA) (here is a screenshot from the book example):

JUANNN_0-1740623667497.png

I cannot achieve this on my MARKETING_SPOKE router. I used the following configuration:

JUANNN_1-1740623775672.png

When I authenticate the CA-ROOT trustpoint, it works and I am able to get the CA-ROOT CA Certificate.

JUANNN_3-1740624001802.png

But then I am NOT able to get the ID Certificates from the SUB-CA because it does not let me enroll to the SUB-CA:

JUANNN_2-1740623886453.png

The book says to use the command chain-validation continue CA-ROOT, which I did, to indicate to the SUB-CA trustpoint that its authentication is done by authenticating the CA-ROOT trustpoint (please correct me if this is wrong).

Does anyone know what I did wrong in the configs? How can I get the 2 ID Certificates installed on the SPOKE?

Thanks, any help is truly appreciated,

Juan
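As an added illustration (not from the post, the book, or any Cisco code), here is a constructed model of the chain the post describes, written with Python's `cryptography` package: it builds CA-ROOT, MARKETING_SUB-CA and a MARKETING_SPOKE ID certificate with made-up keys and walks the path the way IKE's default chain validation does. It shows why the spoke needs the CA-ROOT CA certificate as trust anchor in addition to the SUB-CA certificate; the key sizes, validity periods and names are assumptions for the example.

```python
# Added example, not from the post: the lab's three-tier chain modelled with the
# `cryptography` package, plus the path walk IKE performs by default
# (SPOKE ID cert -> MARKETING_SUB-CA cert -> CA-ROOT trust anchor).
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a cert for subject_cn signed by issuer_key (self-signed when the keys match)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_lab_chain():
    """Constructed lab data: CA-ROOT (self-signed), SUB-CA issued by CA-ROOT, SPOKE by SUB-CA."""
    root_key, sub_key, spoke_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("CA-ROOT", root_key, "CA-ROOT", root_key, True)
    sub = issue("MARKETING_SUB-CA", sub_key, "CA-ROOT", root_key, True)
    spoke = issue("MARKETING_SPOKE", spoke_key, "MARKETING_SUB-CA", sub_key, False)
    return root, sub, spoke

def chain_validates(leaf, intermediates, trust_anchors):
    """Follow issuer names from leaf to a trust anchor, verifying each signature and
    that each issuer is a CA. Returns the CNs on the validated path, or None."""
    pool = {c.subject: c for c in list(intermediates) + list(trust_anchors)}
    anchors = {c.subject for c in trust_anchors}
    path, cert = [leaf], leaf
    for _ in range(len(pool) + 1):          # bounded walk: no infinite issuer loops
        issuer = pool.get(cert.issuer)       # issuer cert not installed => no path
        if issuer is None or not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return None
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return None
        path.append(issuer)
        if issuer.subject in anchors:        # reached CA-ROOT: chain complete
            return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in path]
        cert = issuer
    return None
```

With the SUB-CA cert present but no CA-ROOT anchor, or with the anchor present but the SUB-CA cert missing, the walk returns None; only the full set validates the spoke's ID certificate.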

Accepted Solutions

JUANNN

Hello everyone,

I achieved a solution, I posted in https://learningnetwork.cisco.com/s/question/0D56e0000EBtH1KCQV/hierarchical-pki-with-certificate-chaining

 

I hope it can help others,

Thanks,

Juan
