Cisco: PKI SCEP
Server
crypto pki server CiscoCA
 database level complete
 issuer-name CN=MyCiscoCA,OU=VPN,O=lab,C=NL
 grant auto
 hash sha256
 lifetime crl 5
 lifetime ca-certificate 3650
 database url flash:/CiscoCA
!
crypto pki trustpoint CiscoCA
 revocation-check crl
 rsakeypair CiscoCA
!
crypto pki certificate chain CiscoCA
 certificate ca 01
  xxxxxxxx
  quit
!
ip http server
Client
crypto pki trustpoint CiscoCA
 enrollment url http://192.168.2.77:80
 usage ike
 serial-number
 fqdn spoke spoke.frotmail.lan
 subject-name CN=spoke1,OU=VPN,O=Frotmail,C=NL
 revocation-check crl
 auto-enroll
 authorization username subjectname all
 certificate chain flash:ca.crt
 hash sha256
!
crypto pki certificate chain CiscoCA
 certificate 02
  xxxxxxxx
  quit
 certificate ca 01
  xxxxxxxx
  quit
spoke1(config)#crypto pki authenticate CiscoCA
Certificate has the following attributes:
       Fingerprint MD5: 56684161 5F41B059 144AA0CF D2A7BF97
      Fingerprint SHA1: 09DD5795 345BAE1C 80AD7B76 8E3AAF04 911359A0

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
spoke1(config)#crypto pki enroll CiscoCA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
*Apr 13 19:52:52.787: RSA key size needs to be atleast 768 bits for ssh version 2
*Apr 13 19:52:52.787: %SSH-5-ENABLED: SSH 1.5 has been enabled
*Apr 13 19:52:52.787: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: CN=spoke1,OU=VPN,O=Frotmail,C=NL
% The subject name in the certificate will include: spoke spoke.frotmail.lan
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FCZ113120JP
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CiscoCA' commandwill show the fingerprint.

*Apr 13 19:53:14.319: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 286C8259 1DF7BD25 22A984F9 4D8C952E
*Apr 13 19:53:14.319: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: A6EBCE0F 40164BD8 D6F9A4E5 325BF320 640E54FA
*Apr 13 19:53:16.327: %PKI-6-CERTRET: Certificate received from Certificate Authority
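The "Do you accept this certificate?" prompt above is the trust decision for the whole SCEP enrollment: everything the router later accepts from the CA is anchored on the certificate being approved here, and SCEP over plain HTTP gives no other protection for this first step. The fingerprints shown must therefore be compared against a copy of the CA certificate obtained through a separate, trusted channel. The following script is an added example, not part of the wiki page and not Cisco code: it parses the fingerprint lines from the transcript above, computes the same MD5 and SHA-1 values over a DER-encoded CA certificate, and only reports a match when the SHA-1 agrees. The file name `ca.der`, the `SAMPLE_DER` stand-in bytes and all function names are assumptions made for the example.

```python
"""Out-of-band check of the CA fingerprints shown by `crypto pki authenticate`.

Added example, not from the page. It compares the fingerprints a Cisco IOS
router prints during `crypto pki authenticate` with those computed from a CA
certificate (DER) obtained through a trusted channel.
"""
import hashlib
import re
import sys

# Fingerprint lines copied verbatim from the page's transcript.
IOS_TRANSCRIPT = """\
Certificate has the following attributes:
       Fingerprint MD5: 56684161 5F41B059 144AA0CF D2A7BF97
      Fingerprint SHA1: 09DD5795 345BAE1C 80AD7B76 8E3AAF04 911359A0
% Do you accept this certificate? [yes/no]:
"""

# Constructed stand-in for a DER-encoded CA certificate (NOT a real
# certificate); in practice read the real file, e.g. open("ca.der", "rb").
SAMPLE_DER = bytes(range(64))

# IOS prints "Fingerprint MD5: ..." / "Fingerprint SHA1: ..." as 8-hex-char groups.
FP_RE = re.compile(r"Fingerprint\s+(MD5|SHA1):\s*([0-9A-Fa-f ]+)")


def parse_ios_fingerprints(text):
    """Return {'MD5': hex, 'SHA1': hex} from a transcript, spaces removed, lower-case."""
    found = {}
    for algo, groups in FP_RE.findall(text):
        found[algo] = groups.replace(" ", "").strip().lower()
    return found


def ios_fingerprint(der, algo):
    """Hash IOS prints for a certificate: the digest of the full DER encoding."""
    return hashlib.new(algo.lower(), der).hexdigest()


def ios_format(hexdigest):
    """Render a digest the way IOS shows it: upper-case, 8-character groups."""
    up = hexdigest.upper()
    return " ".join(up[i:i + 8] for i in range(0, len(up), 8))


def verify_ca(der, transcript):
    """Compare router-shown fingerprints with those computed from `der`.

    Returns (ok, details); details maps algorithm -> (shown, computed).
    Only an SHA-1 match counts as ok: MD5 is printed by IOS for reference, but
    collisions make it unsuitable as the sole basis for accepting a CA.
    """
    shown = parse_ios_fingerprints(transcript)
    details = {algo: (expected, ios_fingerprint(der, algo))
               for algo, expected in shown.items()}
    ok = "SHA1" in details and details["SHA1"][0] == details["SHA1"][1]
    return ok, details


if __name__ == "__main__":
    # Usage: python check_ca_fp.py ca.der < transcript.txt  (or run with the stand-in)
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    transcript = sys.stdin.read() if not sys.stdin.isatty() else IOS_TRANSCRIPT
    ok, details = verify_ca(der, transcript)
    for algo, (shown, computed) in details.items():
        print(f"{algo}: router shows {ios_format(shown)} / computed {ios_format(computed)}")
    print("OK: answer 'yes' to the prompt" if ok else "MISMATCH: answer 'no' and investigate")
```

Run it with the DER copy of the CA certificate and the pasted transcript before answering the prompt; a mismatch means the router reached a CA other than the one you expect, whatever the cause. A second point worth checking in the transcript above is the `%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair` line: the enrollment created a 512-bit RSA key because none existed, so generating an adequately sized key first (for example `crypto key generate rsa label CiscoCA modulus 2048`, referenced with `rsakeypair CiscoCA` in the trustpoint) avoids enrolling with a key that small.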
spoke1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Subject:
    Name: spoke spoke.frotmail.lan
    Serial Number: FCZ113120JP
    serialNumber=FCZ113120JP+hostname=spoke spoke.frotmail.lan
    cn=spoke1
    ou=VPN
    o=Frotmail
    c=NL
  Validity Date:
    start date: 18:37:18 UTC Apr 13 2014
    end   date: 18:37:18 UTC Apr 13 2015
  Associated Trustpoints: CiscoCA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Subject:
    cn=MyCiscoCA
    ou=VPN
    o=lab
    c=NL
  Validity Date:
    start date: 18:27:35 UTC Apr 13 2014
    end   date: 18:27:35 UTC Apr 10 2024
  Associated Trustpoints: CiscoCA