06-28-2013 05:02 AM
Hi,
I have to configure following security scenario:
On CISCO:
- Add CA server (CA1) certificate which certifies the peer host
- Add CISCO certificate retrieved from CA server (CA2)
So I used following:
crypto pki trustpoint CA_ROOT
enrollment terminal
usage ssl-server
revocation-check none
and manually did authentication of the CA server (CA1) certificate.
This is how it looks like:
AS67129(config)#crypto pki authenticate CA_ROOT
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
Trustpoint 'CA_ROOT' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C
Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Is it needed now to run the command:
crypto pki import CA_ROOT certificate
What is the difference between authenticate and import ?
The result of this import command is that the certificate is not signed by CISCO's private key.
Currently a private key for CISCO does not exist.
The imported certificate is generated by the SCEP server which will provide the certificate for the peer host in
the IPsec tunnel setup.
Thanks
Renato
07-01-2013 01:06 AM
Hi Renato.
The command crypto pki authenticate CA_ROOT is to authenticate the certification authority (CA) (by getting the certificate of the CA)
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto pki authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y#
crypto pki import name certificate is to import the identity certificate on the router.
Here is the link that you can follow
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1044348
HTH
Regards
Raj Kumar
Please rate all helpful posts
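The fingerprint comparison Raj describes is the step that actually protects the trustpoint: the router shows MD5 and SHA1 values and the admin must match them against what the CA operator reports out of band. The script below is an added example (not from this thread or from Cisco) that computes those fingerprints from a PEM file the same way IOS displays them, so the values can be checked before answering "yes" at the prompt. The sample PEM is constructed and its body is not a real certificate; it decodes to the bytes "abc" so the expected digests are well known. Compare the SHA1 value rather than relying on MD5 alone.

```python
import base64
import hashlib
import re

# Constructed sample: this is NOT a real X.509 certificate. The base64 body
# decodes to b"abc", so the resulting fingerprints are standard test vectors.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the PEM markers and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER bytes and format like IOS: uppercase hex in 8-character groups."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so OpenSSL-style and IOS-style values compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify_ca_fingerprint(pem: str, expected_sha1: str) -> bool:
    """True only if the SHA1 fingerprint matches the value the CA admin provided out of band."""
    computed = ios_fingerprint(pem_to_der(pem), "sha1")
    return normalize(computed) == normalize(expected_sha1)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    # Same layout as the router's "crypto pki authenticate" output
    print("Fingerprint MD5: ", ios_fingerprint(der, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(der, "sha1"))
```

Run it against the real CA PEM you paste into the router and compare the SHA1 line with both the router prompt and the value the CA administrator gives you.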
07-04-2013 05:44 AM
Hi Raj Kumar,
Thank you for the explanation. It helped me a lot since I've never worked with certificates on CISCO before.
I finally managed to add certificates on my CISCO 2951 router.
Many thanks
BR
Renato