10-08-2014 01:27 AM
Hello, everyone!
I need a bit of help with the configuration of a Cisco router as a CA server. I'm trying to use only the router, without a TFTP server, for my database, and I can't seem to get it to store the database in the location that I specify with the database url command. I've created a folder flash:/CA, and after I issue a no shut command and the certificates are created, they are stored directly in flash:. I even tried specifying the location for each file type, but the result always comes back the same.
Here's why I'm trying to use a subfolder:
"The Flash filesystem is inefficient enough that using a router's internal Flash memory resources allocates a large volume of storage space for small files. Testing has shown that creating a subdirectory in the Flash for CA Server database storage helps to address this issue to some degree, especially if more than 15–20 files will be stored in Flash."
Source: http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/public-key-infrastructure-pki/product_data_sheet0900aecd80313df0.pdf
And here's my config and show commands output:
34(config)#do dir flash:
Directory of flash:/
1 -rw- 59490092 Jan 17 2014 16:30:34 +04:00 c2800nm-adventerprisek9-mz.124-24.T8.bin
2 drw- 0 Oct 3 2014 18:41:12 +04:00 CA
64016384 bytes total (4521984 bytes free)
34(config)#
34(config)#
34(config)#crypto pki server MY_CA
34(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
34(cs-server)#
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Oct 8 08:19:53.057: %SSH-5-ENABLED: SSH 1.99 has been enabled
34(cs-server)#% Exporting Certificate Server signing certificate and keys...
Oct 8 08:19:56.389: %PKI-6-CS_ENABLED: Certificate server now enabled.
34(cs-server)#do sh run | s crypto pki server
crypto pki server MY_CA
database level names
database archive pkcs12 password 7 121B0C1B105B33270B
issuer-name CN=MY_CA,ou=LAB,c=ru
grant auto
hash sha512
lifetime crl 24
lifetime certificate 1 1
lifetime ca-certificate 1 12
auto-rollover 0 6
database url flash:/CA
database url cnm flash:/CA
database url crl flash:/CA
database url crt flash:/CA
database url p12 flash:/CA
database url pem flash:/CA
database url ser flash:/CA
34(cs-server)#do sh crypto pki server
Certificate Server Sobin_CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=MY_CA,ou=LAB,c=ru
CA cert fingerprint: 206C137B 9D5F2B91 C557B08F 3453E5D2
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 00:19:53 MSK Oct 10 2014
CRL NextUpdate timer: 12:19:54 MSK Oct 9 2014
Current primary storage dir: flash:/CA
Current storage dir for .cnm files: flash:/CA
Current storage dir for .crl files: flash:/CA
Current storage dir for .crt files: flash:/CA
Current storage dir for .p12 files: flash:/CA
Current storage dir for .pem files: flash:/CA
Current storage dir for .ser files: flash:/CA
Database Level: Names - subject name data written as <serialnum>.cnm
Auto-Rollover configured, overlap period 0 days
Autorollover timer: 18:19:53 MSK Oct 9 2014
34(cs-server)#do dir flash:
Directory of flash:/
1 -rw- 59490092 Jan 17 2014 16:30:34 +04:00 c2800nm-adventerprisek9-mz.124-24.T8.bin
2 drw- 0 Oct 3 2014 18:41:12 +04:00 CA
7 -rw- 32 Oct 8 2014 12:19:54 +04:00 MY_CA.ser
3 -rw- 81 Oct 8 2014 12:19:52 +04:00 1.cnm
5 -rw- 247 Oct 8 2014 12:19:54 +04:00 MY_CA.crl
6 -rw- 1635 Oct 8 2014 12:19:54 +04:00 MY_CA_00008.p12
64016384 bytes total (4505600 bytes free)
34(cs-server)#
What am I doing wrong?
10-10-2014 01:27 AM
Hi,
Have you tried using the command database url nvram:?
Please see the helpful link/steps from when I created a CA server on my IOS router:
http://wannabelab.blogspot.com/2014/05/configure-871w-for-certificate.html
10-13-2014 04:24 AM
Hello, John. Thanks for the link, but it's not exactly what I'm trying to do. From what I have read so far, I've learned that saving the database to NVRAM is not scalable (unless the minimal database level is chosen, as in your config), and placing your database in flash gives you the ability to move your database to another router.
08-13-2015 07:12 AM
The solution was very simple:
When configuring the path to the location, you just have to put another slash (/) after the name of the directory where you want to store the database and certificates:
database url flash:/CA/
crypto pki certificate storage flash:/CA/
After you start your server, the database files will be where you expect them to be: in the folder CA.
Note that after you change the existing config you'll be issued a warning:
% Server database url was changed. You need to move the
% existing database to the new location.
So, you'll need to move the existing database files to the new location. All new certificates, however, will be stored in the specified location.
34#dir flash:/CA
Directory of flash:/CA/
37 -rw- 33 Dec 12 2014 16:05:46 +03:00 MY_CA.ser
38 -rw- 79 Dec 12 2014 16:06:20 +03:00 1.cnm
39 -rw- 513 Dec 12 2014 16:06:34 +03:00 MY_CA.crl
40 -rw- 148 Dec 12 2014 16:06:46 +03:00 2.cnm
41 -rw- 1627 Dec 12 2014 16:07:02 +03:00 MY_CA_00015.p12
...
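A small check for the two things this thread turns on, written as an added example rather than anything posted in the thread: it flags database url entries that name a subdirectory without the trailing slash, and it parses a dir listing to spot CA database files (.ser, .cnm, .crl, .crt, .p12, .pem) that landed outside the directory you configured. The config and listing embedded below are constructed samples modelled on the output above.

```python
import re

# Constructed sample data, modelled on the config and 'dir flash:' output in the thread.
CONFIG = """\
crypto pki server MY_CA
 database url flash:/CA
 database url crl flash:/CA
 database url p12 flash:/CA/
"""
DIR_FLASH_ROOT = """\
Directory of flash:/
    2  drw-           0  Oct  3 2014 18:41:12 +04:00  CA
    7  -rw-          32  Oct  8 2014 12:19:54 +04:00  MY_CA.ser
    3  -rw-          81  Oct  8 2014 12:19:52 +04:00  1.cnm
    6  -rw-        1635  Oct  8 2014 12:19:54 +04:00  MY_CA_00008.p12
"""
CA_EXTENSIONS = (".ser", ".cnm", ".crl", ".crt", ".p12", ".pem")
URL_RE = re.compile(r"^\s*database url(?:\s+(cnm|crl|crt|p12|pem|ser))?\s+(\S+)\s*$")


def urls_missing_trailing_slash(config):
    """(file type, url) pairs whose url names a subdirectory but lacks the trailing '/'."""
    bad = []
    for line in config.splitlines():
        m = URL_RE.match(line)
        if not m:
            continue
        ftype, url = m.group(1) or "primary", m.group(2)
        _, _, path = url.partition(":")
        if path.strip("/") and not url.endswith("/"):  # 'flash:' alone is a root, fine
            bad.append((ftype, url))
    return bad


def parse_dir(listing):
    """Parse IOS 'dir' output into (directory, [(name, is_dir), ...])."""
    directory, entries = None, []
    for line in listing.splitlines():
        tok = line.split()
        if line.startswith("Directory of "):
            directory = line[len("Directory of "):].strip()
        elif len(tok) >= 8 and tok[0].isdigit():  # index perms size date time tz name
            entries.append((tok[-1], tok[1].startswith("d")))
    return directory, entries


def stray_ca_files(listing, expected_dir):
    """CA database files that sit in a listed directory other than expected_dir."""
    directory, entries = parse_dir(listing)
    if (directory or "").rstrip("/") == expected_dir.rstrip("/"):
        return []
    return [n for n, is_dir in entries if not is_dir and n.lower().endswith(CA_EXTENSIONS)]
```

Feed it the running config and the output of dir flash: after a no shut; an empty result from both functions means the database landed where the server says it did.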