Cisco: PKI SCEP

From Eric's wiki

Server

crypto pki server CiscoCA
 database level complete
 issuer-name CN=MyCiscoCA,OU=VPN,O=lab,C=NL
 grant auto
 hash sha256
 lifetime crl 5
 lifetime ca-certificate 3650
 database url flash:/CiscoCA
!
crypto pki trustpoint CiscoCA
 revocation-check crl
 rsakeypair CiscoCA
!
crypto pki certificate chain CiscoCA
 certificate ca 01
  xxxxxxxx
        quit
!
ip http server

Client

crypto pki trustpoint CiscoCA
 enrollment url http://192.168.2.77:80
 usage ike
 serial-number
 fqdn spoke spoke.frotmail.lan
 subject-name CN=spoke1,OU=VPN,O=Frotmail,C=NL
 revocation-check crl
 auto-enroll
 authorization username subjectname all
 certificate chain flash:ca.crt
 hash sha256
!
crypto pki certificate chain CiscoCA
 certificate 02
  xxxxxxxx
        quit
 certificate ca 01
  xxxxxxxx
        quit
spoke1(config)#crypto pki authenticate CiscoCA
Certificate has the following attributes:
       Fingerprint MD5: 56684161 5F41B059 144AA0CF D2A7BF97
       Fingerprint SHA1: 09DD5795 345BAE1C 80AD7B76 8E3AAF04 911359A0

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
spoke1(config)#crypto pki enroll CiscoCA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
*Apr 13 19:52:52.787:  RSA key size needs to be atleast 768 bits for ssh version 2
*Apr 13 19:52:52.787: %SSH-5-ENABLED: SSH 1.5 has been enabled
*Apr 13 19:52:52.787: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: CN=spoke1,OU=VPN,O=Frotmail,C=NL
% The subject name in the certificate will include: spoke spoke.frotmail.lan
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FCZ113120JP
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CiscoCA' commandwill show the fingerprint.

*Apr 13 19:53:14.319: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 286C8259 1DF7BD25 22A984F9 4D8C952E
*Apr 13 19:53:14.319: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: A6EBCE0F 40164BD8 D6F9A4E5 325BF320 640E54FA
*Apr 13 19:53:16.327: %PKI-6-CERTRET: Certificate received from Certificate Authority
spoke1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Subject:
    Name: spoke spoke.frotmail.lan
    Serial Number: FCZ113120JP
    serialNumber=FCZ113120JP+hostname=spoke spoke.frotmail.lan
    cn=spoke1
    ou=VPN
    o=Frotmail
    c=NL
  Validity Date:
    start date: 18:37:18 UTC Apr 13 2014
    end   date: 18:37:18 UTC Apr 13 2015
  Associated Trustpoints: CiscoCA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Subject:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Validity Date:
    start date: 18:27:35 UTC Apr 13 2014
    end   date: 18:27:35 UTC Apr 10 2024
  Associated Trustpoints: CiscoCA
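The fingerprint prompt in the "crypto pki authenticate" session above is the only point at which the CA certificate, fetched over plain HTTP from the SCEP server, is checked before the spoke trusts it. The script below is an added example, not part of this wiki page or of IOS: it takes the fingerprint the router prints, a copy of the CA certificate obtained out of band (assumed to be a PEM file such as the ca.crt referenced in the client trustpoint) and a digest name, and reports whether they match. It assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the wiki): check the CA fingerprint that
# "crypto pki authenticate" shows against a CA certificate file obtained
# out of band, so a certificate substituted on the HTTP path is noticed.
# Assumes: openssl on PATH, certificate in PEM form.
set -eu

# Turn an openssl fingerprint line ("SHA1 Fingerprint=09:DD:57:...") into
# the grouped form IOS prints ("09DD5795 345BAE1C ...") for comparison.
cisco_fp() {
  printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F' \
    | sed -e 's/\([0-9A-F]\{8\}\)/\1 /g' -e 's/ $//'
}

# verify_ca_fp <cert.pem> <md5|sha1|sha256> "<fingerprint as shown by IOS>"
# Returns 0 when the file's fingerprint equals the router's, 1 otherwise.
verify_ca_fp() {
  cert="$1"; digest="$2"; shown="$3"
  got=$(cisco_fp "$(openssl x509 -in "$cert" -noout -fingerprint "-$digest")")
  want=$(printf '%s' "$shown" | tr 'a-f' 'A-F')
  if [ "$got" = "$want" ]; then
    echo "CA fingerprint ($digest) matches: $got"
    return 0
  fi
  echo "MISMATCH: router shows '$want', file has '$got'" >&2
  return 1
}

# Usage: sh verify_ca_fp.sh ca.crt sha1 "09DD5795 345BAE1C 80AD7B76 8E3AAF04 911359A0"
if [ "$#" -eq 3 ]; then
  verify_ca_fp "$1" "$2" "$3"
fi
```

Compare the SHA1 value rather than the MD5 one; both are printed, but only the longer digest is worth trusting for this purpose.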