cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2567
Views
0
Helpful
2
Replies
Highlighted
Beginner

PKI - IOS CS with auto-rollover and auto-enroll

Hi,

I need to set up a PKI with IOS based CA and RA for SCEP enrollment of router certificates. One requirement is that the router and the CAs never be touched  any more after initially deployed and provided with a certificate. Another requirement is the secure enrollment of router CSRs, of course. I thought I could do this using the features auto rollover and auto enrollment together with the Secure Device Provisioning feature taking advantage of existing certificates. I've built a lab and I'm experimenting for quite a long time, but neither the auto rollover (of the RA) nor the auto enrollment of the client routers work.

1) The first problem is that, on the CA, the certificate for the RA won't be issued automatically. That makes auto rollover impossible. I tried to make it work with the commands 'grant auto' and 'grant auto rollover ra-cert', but the CA won't do anything on its own. It says it, too, in the output of 'sh cry pki server': Granting mode is: auto for RA-authorized requests, manual otherwise.

Here's the relevant config of the CA (timers have been tweaked in order to fit the lab requirements):
----- BEGIN CONFIG -----
crypto pki server ios-ca
database level complete
database archive pkcs12 password 7 replaced
issuer-name CN=replaced
grant auto rollover ra-cert
grant ra-auto
hash sha1
lifetime crl 3
lifetime certificate 2
lifetime ca-certificate 3
lifetime enrollment-request 1
cdp-url http://your.http.server/ios-ca.crl
auto-rollover 1 12
database url tftp://your.tftp.server
crypto pki trustpoint ios-ca
subject-name CN=replaced
revocation-check crl
rsakeypair ios-ca 1024

----- END CONFIG -----

2) The second question is how I deploy SDP to make secure auto enrollment for CA clients possible. I don't need the initial provisioning thing with the six web pages, though, I only need auto enrollment when an existing certificate is going to expire.

This is the config of the RA:
----- BEGIN CONFIG -----
crypto pki server ios-ra
database archive pkcs12 password 7 replaced
issuer-name CN=replaced
lifetime enrollment-request 1
mode ra
auto-rollover 1 12
database url flash:
crypto pki trustpoint ios-ra
enrollment url http://your.ca:80
serial-number none
fqdn none
ip-address none
fingerprint 02C9019F5E3CD250FE69BF8037C5E030
subject-name CN=replaced
revocation-check crl
rsakeypair ios-ra 1024
regenerate
crypto provisioning registrar
pki-server ios-ra
authentication trustpoint ios-ra

----- END CONFIG -----

The config of the CA client is like follows:
----- BEGIN CONFIG -----
crypto pki trustpoint ios-ca
enrollment mode ra
enrollment url http://your.ra:80
serial-number
fqdn noneb
ip-address none
password 7 062329726A195D3852354A585E57780F06
fingerprint 02C9019F5E3CD250FE69BF8037C5E030
subject-name CN=replaced
revocation-check crl
rsakeypair wh-gw-01 1024
auto-enroll 50 regenerate
crypto provisioning petitioner
trustpoint ios-ca
trustpoint signing ios-ca

----- END CONFIG -----

And just to make it clear, manual enrollment of client routers works fine with and without one-time-password using the 'grant ra-auto' command on the CA.

The CA and the RA have software version 12.4(15)T14, if that matters.

Thanks,

Peter

2 REPLIES 2
Highlighted
Enthusiast

What is the cn name of the ra server? For the grant ra-auto command to work, you have to include "cn=ioscs RA" or "ou=ioscs RA" in the subject name of the RA certificate. Could you confirm if this is how it is configured?


Highlighted

Hi,

that's no problem, that part works.

Thanks,

Peter

Content for Community-Ad