HA PKI infrastructure for GET VPN

Xavier Lloyd (Level 1)

Hi all,

I am trying to set up a GET VPN with a highly available IOS PKI infrastructure. I can't, however, use SCTP with HSRP because one of the CA routers is at the DC and the other is at the DR, and the link between them is layer 3. I wish I could configure HSRP on a loopback interface.

My first thought that I tested and that works is using the "database archive" command under the pki server config, and exporting it to the other CA server router. I would then advertise the same loopback ip address with a /32 mask and allow routing to do the failover between identical CA servers. The problem is that I don't think it is very elegant, and we lose out on the CRL replication. The CRL isn't considered critical for the deployment, but I'd like to have it if possible. Also, having the CRL hosted external to the whole infrastructure isn't an option.

Are there any other options that will work for my setup?

Regards,

Xavier

Accepted Solution

Marcin Latosiewicz (Cisco Employee)

Xavier,

You can use old-style redundancy:

1) Configure both routers as separate CAs. Enroll all GMs/KSs to both CAs, i.e. a mesh.

2) Configure both routers as sub-CAs of a root CA. Enroll GMs to the sub-CAs; you can validate certificates enrolled to different sub-CAs by using certificate chaining.

In fact the only path you need PKI for IKE is between KS and GM during registration, so your job could be simplified by using the CA service on the KSs, although the GETVPN DIG mentions it's for small-scale deployments only.

M


11 Replies

Thanks for the reply Marcin! I already plan to use the KS's as CAs so I was on the right track.

I understand your first part about configuring a mesh PKI, but I'm not so clear on the second point. You're saying I should have one root CA and two sub-CAs, and enroll each GM to both sub-CAs?

Is there any special config for certificate chaining? I had configured this in a lab by having 5 routers: 1 root CA, 2 sub-CAs and 2 other routers. I enrolled RouterA in subCA1 and RouterB in subCA2, and when I set up a site-to-site VPN using rsa-sig as the authentication method, they complained about bad certificates.

I deleted the subCA config I was using but I can replicate some of it out of my head so forgive any errors:

Root CA:

crypto pki server rootca
 grant auto
 issuer-name CN=Root CA Server
 no shutdown

Sub CA1:

! the trustpoint with the same name as the server is the one the sub-CA enrolls through
crypto pki trustpoint sub1
 enrollment url http://rootcaIP:80
crypto pki server sub1
 grant auto
 issuer-name CN=Subordinate CA 1
 no shutdown

Sub CA2:

crypto pki trustpoint sub2
 enrollment url http://rootcaIP:80
crypto pki server sub2
 grant auto
 issuer-name CN=Subordinate CA 2
 no shutdown

Is there some config that I'm missing to enable the certificate chaining?

Xavier,

On sub CAs in PKI server config you need "mode sub-cs" - and you need to do it before enrollment.

Regarding chaining (proper term "chain validation", sorry)

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-4t/sec-cfg-auth-rev-cert.html#GUID-5C83F4D5-39D1-434F-B2C8-F4C68D01773E

you just need one more command and have root CA cert:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-4t/sec-cfg-auth-rev-cert.html#GUID-32E3577F-F44D-423B-A756-BC1D24AA934F

Ah yes, I did use the mode sub-cs command.

I'll take a look at these docs, thanks much Marcin!

Ok so based on the second document, my sub CA config should look like this:

Sub CA1:

crypto pki trustpoint sub1
 enrollment url http://rootcaIP:80
crypto pki server sub1
 grant auto
 mode sub-cs
 chain-validation continue [trustpointname]
 issuer-name CN=Subordinate CA 1
 no shutdown

Now should [trustpointname] be "sub1" or should I create another trustpoint (eg "rootca") and use that? Would the sub1 trustpoint with the same enrollment url be necessary then?

crypto pki trustpoint rootca
 enrollment url http://rootcaIP:80
crypto pki trustpoint sub1
 enrollment url http://rootcaIP:80
crypto pki server sub1
 grant auto
 mode sub-cs
 chain-validation continue rootca
 issuer-name CN=Subordinate CA 1
 no shutdown

Xavier,

You need to chain only on the spokes performing IKE, so the KS and GM in this case.

So I think what you will need on both is:

Chain the trustpoint containing the identity certificate enrolled to the sub-CA with the root CA trustpoint.

Ok just for one final clarification:

On all GMs and KSs, for each trustpoint, I'm supposed to stick a "chain-validation continue rootca" command?

This holds true even if I haven't defined a rootca trustpoint on the router itself?

Xavier,

You will need to authenticate the root CA on all the devices.

I.e. node 1 trusts CA1 ---> CA1 is signed by root CA

node 2 trusts CA2 ---> CA2 is signed by root CA

So we can establish that node 1 and node 2 can trust each other based on mutual trust for the root CA, extended by the appropriate CAs.

So you will need to chain the GM's identity cert signed by the sub-CA to the root's certificate.

The KS will need to perform self-enrollment and do the same, where you chain the new trustpoint containing both the identity and sub-CA cert to the root CA.

Makes sense? It's late so I might not be making proper sense.

Marcin

So i need to authenticate and enroll or just authenticate all nodes to the root?

Well, you need to authenticate and enroll to the sub-CA, and authenticate to the root CA.

Thus forming a chain of identity signed by sub-CA -> sub-CA signed by root CA -> root CA.

OK, so my root CA looks like this:

crypto pki server rootca
! trustpoint of the same name that the server uses
crypto pki trustpoint rootca
! bring the root CA server up
crypto pki server rootca
 no shutdown

----------------------------------------------------------------

My subordinate looks like this:

crypto pki trustpoint rootca
 enrollment url http://rootip:80
!
crypto pki server sub1
 mode sub-cs
!
! trustpoint of the same name as the server, used for the sub-CA's own enrollment to the root
crypto pki trustpoint sub1
 enrollment url http://rootip:80
 chain-validation continue rootca
!
! trustpoint holding the KS identity certificate, enrolled to the sub-CA itself
crypto pki trustpoint sub1trust
 enrollment url http://sub1ip:80
!
! exec mode from here
crypto pki authenticate rootca
crypto pki enroll rootca
crypto pki server sub1
 no shutdown
crypto pki authenticate sub1trust
crypto pki enroll sub1trust
crypto pki server sub1
 no shutdown

----------------------------------------------------------------

And my branch router looks like this:

crypto pki trustpoint rootca
 enrollment url http://rootip:80
!
crypto pki trustpoint sub1
 enrollment url http://sub1ip:80
 chain-validation continue rootca
!
! exec mode from here
crypto pki authenticate rootca
crypto pki authenticate sub1
crypto pki enroll sub1

----------------------------------------------------------------

How does all this look? Anything unnecessary or incorrect?

Is chain-validation where it is supposed to be?

Does the subordinate need to enroll in itself (since it is the KS in the GETVPN as well)

Any other comments?
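The sub-CA design from Marcin's accepted answer (option 2) and his later chain explanation (authenticate and enroll to the sub-CA, authenticate the root, `chain-validation continue` on the trustpoint that holds the identity certificate) written out as complete IOS CLI for the root CA, one key server acting as sub-CA, and a group member. This is an added worked example, not a reply in the thread and not Cisco documentation: the addresses (10.0.0.1 / 10.0.0.11 / 10.0.0.12), hostnames, trustpoint names, lifetimes and archive password are assumptions, and exact command availability varies by IOS release.

```cisco
! ---------- Root CA (assumed address 10.0.0.1) ----------
! SCEP enrollment from the sub-CAs runs over HTTP, so the server must be on
ip http server
crypto pki server rootca
 issuer-name CN=Root CA Server
 lifetime ca-certificate 3650
 lifetime certificate 1825
 ! assumed password; the archive is what lets the CA be rebuilt on the DR router
 database archive pkcs12 password RootArchivePw1
 grant auto
 no shutdown
! If a sub-CA request is left pending, list and grant it by ID (exec mode):
!   crypto pki server rootca info requests
!   crypto pki server rootca grant <request-id>

! ---------- KS1, also sub-CA "sub1" (assumed address 10.0.0.11) ----------
ip http server
! trustpoint with the same name as the server: the sub-CA enrolls to the root through it
crypto pki trustpoint sub1
 enrollment url http://10.0.0.1:80
 revocation-check none
crypto pki server sub1
 ! mode sub-cs must be set before no shutdown
 mode sub-cs
 issuer-name CN=Subordinate CA 1
 lifetime certificate 365
 grant auto
 ! no shutdown sends the sub-CA certificate request to the root
 no shutdown
! root trust anchor for chain validation: authenticate only, never enroll
crypto pki trustpoint rootca
 enrollment url http://10.0.0.1:80
 revocation-check none
! KS identity for IKE, issued by its own sub-CA (self-enrollment); name is assumed
crypto pki trustpoint ks1-id
 enrollment url http://10.0.0.11:80
 subject-name CN=ks1.example.net
 ! validation walks ks1-id -> sub1 -> rootca
 chain-validation continue rootca
 revocation-check crl
! exec mode:
crypto pki authenticate rootca
crypto pki authenticate ks1-id
crypto pki enroll ks1-id
! KS2 repeats this block with sub2 / 10.0.0.12 / ks2-id.

! ---------- Group member, enrolled to sub1 ----------
crypto pki trustpoint rootca
 enrollment url http://10.0.0.1:80
 revocation-check none
crypto pki trustpoint sub1
 enrollment url http://10.0.0.11:80
 subject-name CN=gm1.example.net
 chain-validation continue rootca
 revocation-check crl
! authenticate only: a KS2 certificate signed by sub2 then validates up to rootca
! even if the peer does not send the sub-CA certificate in the IKE exchange
crypto pki trustpoint sub2
 enrollment url http://10.0.0.12:80
 chain-validation continue rootca
 revocation-check none
! exec mode:
crypto pki authenticate rootca
crypto pki authenticate sub1
crypto pki authenticate sub2
crypto pki enroll sub1
! IKE with certificates; the same policy goes on both key servers
! (DH group availability depends on the IOS release)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14

! ---------- Checks (exec mode) ----------
! show crypto pki trustpoints status   -> rootca/sub2 authenticated, sub1 authenticated + identity issued
! show crypto pki certificates sub1    -> identity certificate plus the sub-CA certificate
! debug crypto pki validation          -> shows "chain-validation continue" walking up to rootca
! debug crypto isakmp                  -> during GM registration, the KS certificate is accepted
```

Order matters: authenticate the root and the sub-CA before enrolling, and set `mode sub-cs` before the sub-CA's `no shutdown`. `revocation-check crl` on the IKE trustpoints keeps the CRL check Xavier wanted, but it means a GM cannot register if the sub-CA's CDP is unreachable; `revocation-check crl none` would fall back to accepting the certificate, which weakens the check and should be a deliberate choice.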