If you have not already created the PKI CA or Certificate Authority, this needs to be done first.
The first thing that needs to happen is that the spoke or client generates an RSA keypair of at least 1024 bits in length that can be referenced from the trustpoint later on. Once this occurs, SSHv2 will be enabled.
The CA server certificate will need to be exported and then used for the certificate chain. There are two parts: the CA certificate and then the identity certificate. The CA certificate is authenticated and added to the certificate chain. Next we need to generate a CSR, or Certificate Signing Request, that will be signed by the CA to generate the identity certificate. The granted identity certificate is then imported by the device for later use.
Spoke or client that needs the certificate enrollment
CSR9
crypto key generate rsa label PKI modulus 1024
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
%SSH-5-ENABLED: SSH 1.99 has been enabled
crypto pki trustpoint PKI_TP
enrollment terminal
fqdn csr9.sn.com
subject-name cn=csr9.sn.com
revocation-check none
rsakeypair PKI
The CA certificate is exported by the CA server in a PEM format via the terminal so that it can be copied and pasted into the terminal of the device or client.
ISP2
crypto pki export PKI_SERVER pem terminal
% The specified trustpoint is not enrolled (PKI_SERVER).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
[CA certificate body omitted]
-----END CERTIFICATE-----
The exported CA certificate is then pasted into the terminal of the client.
CSR9(config)#crypto pki authenticate PKI_TP
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
[pasted CA certificate body omitted]
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 9D44063E 0B8B19AF 40043472 B4CF587C
Fingerprint SHA1: 8929B289 5D589904 BCEA6F93 862C8C8C CBF818A0
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
We see that the certificate was successfully added and imported.
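Before answering "yes" at the fingerprint prompt above, the fingerprint the router prints should be compared with one computed independently from the PEM the CA server exported. The script below is an added example, not part of the original post: it takes PEM text, hashes the DER bytes with MD5 and SHA1, and prints them in the same grouped format IOS uses. SAMPLE_PEM is a constructed stand-in whose body is base64("abc"), not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed input, not a real certificate: the body is base64("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    """Pull the first certificate body out of PEM text and base64-decode it."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def ios_format(hexdigest):
    """Render a digest the way IOS prints it: uppercase, 8-hex-char groups."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))

def fingerprints(pem):
    """MD5 and SHA1 fingerprints of the DER certificate inside pem, IOS style."""
    der = pem_to_der(pem)
    return {"MD5": ios_format(hashlib.md5(der).hexdigest()),
            "SHA1": ios_format(hashlib.sha1(der).hexdigest())}

def matches(pem, shown_sha1):
    """True if the SHA1 the router displayed equals the one computed from pem.
    Spacing and case are ignored; SHA1 is compared rather than MD5 because
    MD5 collisions are practical."""
    def norm(s): return s.replace(" ", "").lower()
    return norm(fingerprints(pem)["SHA1"]) == norm(shown_sha1)

if __name__ == "__main__":
    for algo, fp in fingerprints(SAMPLE_PEM).items():
        print(f"Fingerprint {algo}: {fp}")
```

Save the exported PEM to a file, call fingerprints() on its contents, and only accept the trustpoint certificate when matches() is true for the SHA1 the router shows.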
CSR9(config)#crypto pki enroll PKI_TP
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=csr9.sn.com
% The subject name in the certificate will include: csr9.sn.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
The CSR, or Certificate Signing Request, that the client generated is now pasted into the CA server; it is what the CA will sign to create the identity certificate.
ISP2#crypto pki server PKI_SERVER request pkcs10 terminal base64
PKCS10 request in base64 or pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
quit
The contents pasted above are identical to the CSR the client displayed; this is where the identity certificate is created.
% Granted certificate:
The granted identity certificate has been generated and can now be imported by the client.
CSR9(config)#crypto pki import PKI_TP certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
quit
% Router Certificate successfully imported
The identity certificate is now imported and ready for use. It can be used for PKI-based authentication for VPNs, identity management and other authentication needs. We're going to use it for Site-to-Site, DMVPN, FlexVPN, GETVPN, EzVPN and Remote Access VPNs.
CSR9#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=PKI_SERVER
Subject:
Name: csr9.sn.com
hostname=csr9.sn.com
cn=csr9.sn.com
Validity Date:
start date: 00:59:20 UTC Sep 16 2019
end date: 00:59:20 UTC Sep 15 2020
Associated Trustpoints: PKI_TP
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=PKI_SERVER
Subject:
cn=PKI_SERVER
Validity Date:
start date: 00:22:49 UTC Sep 16 2019
end date: 00:22:49 UTC Sep 15 2022
Associated Trustpoints: PKI_TP
You see two different certificates making up a certificate chain: the top portion is the identity certificate that CSR9 can use for the PKI-based VPNs we'll be testing out. Eventually all VPN-enabled devices, routers and firewalls will have a signed certificate to leverage for PKI testing.
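Reading the chain by eye works for one router, but across every VPN device it is worth checking mechanically that the identity certificate really was issued by the CA in the trustpoint and that both ends of the chain are inside their validity windows. The script below is an added example, not part of the original post: it parses the IOS show output above (abridged to the lines it uses) and returns a list of problems.

```python
from datetime import datetime

# Abridged from the show output above; lines the check does not use are dropped.
SHOW_OUTPUT = """\
Certificate
Issuer:
cn=PKI_SERVER
Subject:
cn=csr9.sn.com
start date: 00:59:20 UTC Sep 16 2019
end date: 00:59:20 UTC Sep 15 2020
CA Certificate
Issuer:
cn=PKI_SERVER
Subject:
cn=PKI_SERVER
start date: 00:22:49 UTC Sep 16 2019
end date: 00:22:49 UTC Sep 15 2022
"""
FMT = "%H:%M:%S UTC %b %d %Y"  # layout of the IOS validity dates

def parse_show(text):
    """One dict per certificate: kind, issuer, subject, start, end."""
    certs, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line})
        elif line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
        elif line.startswith("cn="):
            certs[-1][section] = line[3:]
        elif line.startswith(("start date:", "end date:")):
            key, _, val = line.partition(":")
            certs[-1][key.split()[0]] = datetime.strptime(val.strip(), FMT)
    return certs

def check_chain(certs, on_date):
    """Problems with the chain as of on_date (YYYY-MM-DD); empty list = sane."""
    now = datetime.strptime(on_date, "%Y-%m-%d")
    ca = next(c for c in certs if c["kind"] == "CA Certificate")
    ident = next(c for c in certs if c["kind"] == "Certificate")
    problems = []
    if ident["issuer"] != ca["subject"]:
        problems.append("identity certificate was not issued by this CA")
    if not (ca["start"] <= ident["start"] and ident["end"] <= ca["end"]):
        problems.append("identity validity window is not inside the CA's")
    for c in (ca, ident):  # an expired cert in either position breaks the VPN
        if not (c["start"] <= now <= c["end"]):
            problems.append(f"{c['kind']} ({c['subject']}) not valid on {on_date}")
    return problems
```

Run check_chain(parse_show(output), today) against output collected from each device; the one-year identity lifetime shown here means the check will start failing in September 2020 while the CA certificate is still good.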
Specifically with remote access VPNs, like SSL VPN (clientless) and AnyConnect VPN (client), the trustpoint will be tied to the outside interface and will be used to present the identity certificate to the device/user that is attempting to connect.