Simplified Networking
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto

PKI Certificate Manual Enrollment

If you have not already created the PKI CA (Certificate Authority), that needs to be done first.
The first step on the spoke or client is to generate an RSA keypair that the trustpoint will reference later on. The example below uses a 1024-bit modulus; treat that as a lab-only size and use 2048 bits or larger for anything production-facing. The keys are generated non-exportable, so the private key never leaves the router.

Generating the RSA keypair also enables the SSH server as a side effect. The log line "SSH 1.99 has been enabled" means the router now negotiates both SSHv1 and SSHv2; if SSH is used to manage the device, lock it to version 2 with the ip ssh version 2 command.

The CA server certificate then needs to be exported so that it can be used to build the certificate chain. The chain has two parts: the CA certificate and the identity certificate. The CA certificate is authenticated on the client and becomes the trust anchor for the trustpoint. Next a CSR (Certificate Signing Request) is generated on the client and signed by the CA, which produces the identity certificate. The granted identity certificate is then imported on the client for later use.

Spoke or client that needs the certificate enrollment
CSR9
crypto key generate rsa label PKI modulus 1024
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
%SSH-5-ENABLED: SSH 1.99 has been enabled

crypto pki trustpoint PKI_TP
 enrollment terminal
 fqdn csr9.sn.com
 subject-name cn=csr9.sn.com
 revocation-check none
 rsakeypair PKI

Each trustpoint line matters. enrollment terminal selects cut-and-paste enrollment through the console rather than SCEP. fqdn and subject-name are what goes into the CSR, so they must match the name peers will expect to see. rsakeypair PKI binds the trustpoint to the keypair generated above; a label that does not match an existing key is a common reason the enrollment fails. revocation-check none disables CRL and OCSP lookups for certificates validated under this trustpoint, which is fine in a lab but means that in production a compromised peer certificate can never be revoked from this router's point of view.

The CA certificate is exported by the CA server in PEM format to the terminal so that it can be copied and pasted into the terminal of the client.

ISP2
crypto pki export PKI_SERVER pem terminal
% The specified trustpoint is not enrolled (PKI_SERVER).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The two % lines are expected: the CA's own trustpoint holds only the self-signed CA certificate and no separate identity certificate, so the CA certificate is the only thing that can be exported. The exported CA certificate is then pasted into the terminal of the client.

CSR9(config)#crypto pki authenticate PKI_TP    

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIICAzCCAWygAwIBAgIBATANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDDApQS0lf
U0VSVkVSMB4XDTE5MDkxNjAwMjI0OVoXDTIyMDkxNTAwMjI0OVowFTETMBEGA1UE
AwwKUEtJX1NFUlZFUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyuTmc6CP
Nar6Omh+PsVgpqLCD8dbqM/OyQTAmge48Id4zRM8IbjpsAg4lKO67NTkabvFXsH2
ABECQM54trrGApB5M8UaOrUAYIsLj9kTMN7kcYTXCuPYd8B6dRKTBxk41TfNaqgn
w6ddkUFJZMKCMTNKcAF7wFRK61RKqpVeo4UCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
AwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUyC0Vt2kHgTaLLaYWqNlJ
yXUJuIEwHQYDVR0OBBYEFMgtFbdpB4E2iy2mFqjZScl1CbiBMA0GCSqGSIb3DQEB
BAUAA4GBAAfhv1pwesmpNw+H8UJa8PGzW8rpdYSjYRsQsAgFkYMBKQd2wxg0qJwg
od0ejtlcW6NH37qrGbcdoQjOVSQZG7DZz0BmC6F1kukI9M1gGan3dYAx8ySdXjte
p6vICERaLpCaM4IZeqvbIm7hs5u+jUSzSvAxqOFmTuENPP3n8f8q
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: 9D44063E 0B8B19AF 40043472 B4CF587C 
      Fingerprint SHA1: 8929B289 5D589904 BCEA6F93 862C8C8C CBF818A0 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

The CA certificate is now authenticated and stored under the trustpoint. The yes at the fingerprint prompt is the trust decision for everything this trustpoint will later validate, so it should not be a reflex: the MD5 and SHA1 fingerprints displayed are hashes of the blob that was just pasted, not proof of where it came from, and they should be compared with the fingerprint the CA itself reports (show crypto pki server on ISP2) over a path other than the one the certificate travelled. Note also that this lab CA signs with md5WithRSAEncryption (the signature algorithm OID is visible when the certificate is decoded); a production CA should be configured with the hash sha256 command on the CA server before it issues anything.

CSR9(config)#crypto pki enroll PKI_TP
% Start certificate enrollment .. 

% The subject name in the certificate will include: cn=csr9.sn.com
% The subject name in the certificate will include: csr9.sn.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: 
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
...
---End - This line not part of the certificate request---

The CSR printed by the client is then copied and pasted into the CA server, which signs it and issues the identity certificate.

ISP2#crypto pki server PKI_SERVER request pkcs10 terminal base64 
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
...
quit

The pasted text is the CSR exactly as the client printed it. The CA signs it here, and this is where the identity certificate is created.

% Granted certificate:
MIICDzCCAXigAwIBAgIBAzANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDDApQS0lf
U0VSVkVSMB4XDTE5MDkxNjAwNTkyMFoXDTIwMDkxNTAwNTkyMFowMjEUMBIGA1UE
AxMLY3NyOS5zbi5jb20xGjAYBgkqhkiG9w0BCQIWC2Nzcjkuc24uY29tMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8yIJbrJMAXENXGDVIWvvOhccnQ3TWQdgr
Rjii84UsJZ+HXt+mYuaor6Au9P3TVra1Bbu8daFIALBZR6Rnp/laMwhmRALHqu8w
F360B0SW35c2XWGrTHlQ9YXg/EYojkRY12dZQiq5SXIPFpLhcqQlzmHtfIVYDXsx
MqtW46ONEQIDAQABo1IwUDAOBgNVHQ8BAf8EBAMCBaAwHwYDVR0jBBgwFoAUyC0V
t2kHgTaLLaYWqNlJyXUJuIEwHQYDVR0OBBYEFMt0hJ5Lpd9cCH0Rik+G83xu+iEf
MA0GCSqGSIb3DQEBBAUAA4GBAExYZ4llWfMaha6el/XgDZC1Q2eTt9wVdt9j/ngN
DkrXLiEJaxTkgRuhx9pW0ZzO8wYBjfH0pRwy90XkpIVUAnau9n6K02z3KaoQGnFJ
bNbDy1P+HvYx3D4543s/v/yQ8t77DaeBXP1mz0x4WxU2sF43dsi5KnmXaraJwNTd
EwU+

The granted identity certificate has been generated and can now be imported by the client.

CSR9(config)#crypto pki import PKI_TP certificate 

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
...
quit
% Router Certificate successfully imported

The identity certificate is now imported and ready for use. It can be used for PKI based authentication for VPNs, identity management and other authentication needs. We're going to use it for Site to Site, DMVPN, FlexVPN, GETVPN, EzVPN and Remote Access VPNs.

CSR9#show crypto pki certificates 
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer: 
    cn=PKI_SERVER
  Subject:
    Name: csr9.sn.com
    hostname=csr9.sn.com
    cn=csr9.sn.com
  Validity Date: 
    start date: 00:59:20 UTC Sep 16 2019
    end   date: 00:59:20 UTC Sep 15 2020
  Associated Trustpoints: PKI_TP 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=PKI_SERVER
  Subject: 
    cn=PKI_SERVER
  Validity Date: 
    start date: 00:22:49 UTC Sep 16 2019
    end   date: 00:22:49 UTC Sep 15 2022
  Associated Trustpoints: PKI_TP 

The output shows two certificates, which together form the chain. The top entry is the identity certificate (serial 03, subject cn=csr9.sn.com, issued by cn=PKI_SERVER, valid for one year) that CSR9 can use for the PKI based VPNs we'll be testing out. The bottom entry is the CA certificate (serial 01, self-signed, valid for three years) that anchors the trustpoint. Two things to watch: the identity certificate expires two years before the CA certificate, and with terminal enrollment there is no automatic renewal, so the CSR, sign and import cycle has to be repeated by hand before Sep 15 2020 (auto-enroll requires SCEP, i.e. an enrollment url on the trustpoint). Eventually all VPN enabled devices, routers and firewalls will have a signed certificate to leverage for PKI testing.
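As an added example (not part of the original page and not IOS code), the following Python script performs offline, with only the standard library, the checks behind the fingerprint prompt and the chain shown above: it reproduces the MD5 and SHA1 fingerprints that crypto pki authenticate printed for the CA certificate, so they can be compared before answering yes, and it verifies that the granted identity certificate really was signed by the CA certificate's key (RSASSA-PKCS1-v1_5 with the hash named in the certificate, here md5WithRSAEncryption; sha1 and sha256 signatures are handled too) and that its issuer name matches the CA's subject. CA_PEM and IDENTITY_PEM are the two certificate blobs printed on this page; the minimal DER parser (v3 certificates, RSA keys only) is the example's own code.

```python
# Offline checks for the chain above (added example, stdlib only). CA_PEM and IDENTITY_PEM are copied from the page.
import base64
import hashlib

CA_PEM = """-----BEGIN CERTIFICATE-----
MIICAzCCAWygAwIBAgIBATANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDDApQS0lf
U0VSVkVSMB4XDTE5MDkxNjAwMjI0OVoXDTIyMDkxNTAwMjI0OVowFTETMBEGA1UE
AwwKUEtJX1NFUlZFUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyuTmc6CP
Nar6Omh+PsVgpqLCD8dbqM/OyQTAmge48Id4zRM8IbjpsAg4lKO67NTkabvFXsH2
ABECQM54trrGApB5M8UaOrUAYIsLj9kTMN7kcYTXCuPYd8B6dRKTBxk41TfNaqgn
w6ddkUFJZMKCMTNKcAF7wFRK61RKqpVeo4UCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
AwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUyC0Vt2kHgTaLLaYWqNlJ
yXUJuIEwHQYDVR0OBBYEFMgtFbdpB4E2iy2mFqjZScl1CbiBMA0GCSqGSIb3DQEB
BAUAA4GBAAfhv1pwesmpNw+H8UJa8PGzW8rpdYSjYRsQsAgFkYMBKQd2wxg0qJwg
od0ejtlcW6NH37qrGbcdoQjOVSQZG7DZz0BmC6F1kukI9M1gGan3dYAx8ySdXjte
p6vICERaLpCaM4IZeqvbIm7hs5u+jUSzSvAxqOFmTuENPP3n8f8q
-----END CERTIFICATE-----"""
# The CA prints the granted certificate as bare base64 (no PEM armour).
IDENTITY_PEM = """MIICDzCCAXigAwIBAgIBAzANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDDApQS0lf
U0VSVkVSMB4XDTE5MDkxNjAwNTkyMFoXDTIwMDkxNTAwNTkyMFowMjEUMBIGA1UE
AxMLY3NyOS5zbi5jb20xGjAYBgkqhkiG9w0BCQIWC2Nzcjkuc24uY29tMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8yIJbrJMAXENXGDVIWvvOhccnQ3TWQdgr
Rjii84UsJZ+HXt+mYuaor6Au9P3TVra1Bbu8daFIALBZR6Rnp/laMwhmRALHqu8w
F360B0SW35c2XWGrTHlQ9YXg/EYojkRY12dZQiq5SXIPFpLhcqQlzmHtfIVYDXsx
MqtW46ONEQIDAQABo1IwUDAOBgNVHQ8BAf8EBAMCBaAwHwYDVR0jBBgwFoAUyC0V
t2kHgTaLLaYWqNlJyXUJuIEwHQYDVR0OBBYEFMt0hJ5Lpd9cCH0Rik+G83xu+iEf
MA0GCSqGSIb3DQEBBAUAA4GBAExYZ4llWfMaha6el/XgDZC1Q2eTt9wVdt9j/ngN
DkrXLiEJaxTkgRuhx9pW0ZzO8wYBjfH0pRwy90XkpIVUAnau9n6K02z3KaoQGnFJ
bNbDy1P+HvYx3D4543s/v/yQ8t77DaeBXP1mz0x4WxU2sF43dsi5KnmXaraJwNTd
EwU+"""

# PKCS#1 v1.5 DigestInfo prefixes (RFC 8017 B.1) keyed by signatureAlgorithm OID: md5/sha1/sha256WithRSA.
DIGEST_INFO = {
    bytes.fromhex("2a864886f70d010104"): ("md5", bytes.fromhex("3020300c06082a864886f70d020505000410")),
    bytes.fromhex("2a864886f70d010105"): ("sha1", bytes.fromhex("3021300906052b0e03021a05000414")),
    bytes.fromhex("2a864886f70d01010b"): ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}

def pem_to_der(text):
    """Armoured PEM or bare base64 -> DER bytes."""
    body = [line.strip() for line in text.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))

def der_tlv(buf, off=0):
    """One DER TLV at buf[off:] -> (tag, value, whole_element, next_offset)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    end = pos + length
    return tag, buf[pos:end], buf[off:end], end

def der_children(value):
    """Children of a constructed element as (tag, value, whole) tuples."""
    out, off = [], 0
    while off < len(value):
        tag, val, whole, off = der_tlv(value, off)
        out.append((tag, val, whole))
    return out

def parse_cert(der):
    """Fields needed for chain checking from an X.509 v3 certificate (RSA keys only)."""
    _, body, _, _ = der_tlv(der)
    (_, tbs, tbs_whole), (_, sig_alg, _), (_, sig_bits, _) = der_children(body)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version tag present in v3 certificates
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = fields[:6]
    _, (_, key_bits, _) = der_children(spki[1])
    (_, n, _), (_, e, _) = der_children(der_tlv(key_bits[1:])[1])  # BIT STRING: skip unused-bits byte
    return {"serial": int.from_bytes(serial[1], "big"),
            "issuer": issuer[2], "subject": subject[2],  # raw DER Names, compared bytewise
            "validity": tuple(v.decode() for _, v, _ in der_children(validity[1])),
            "n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big"),
            "sig_oid": der_children(sig_alg)[0][1],
            "signature": sig_bits[1:],  # BIT STRING: skip unused-bits byte
            "tbs": tbs_whole}  # exactly the bytes the issuer signed

def verify_signature(cert, issuer):
    """RSASSA-PKCS1-v1_5 check of cert's signature against the issuer's public key."""
    if cert["sig_oid"] not in DIGEST_INFO:
        return False
    name, prefix = DIGEST_INFO[cert["sig_oid"]]
    n, e, s = issuer["n"], issuer["e"], int.from_bytes(cert["signature"], "big")
    k = (n.bit_length() + 7) // 8
    if len(cert["signature"]) != k or s >= n:
        return False
    digest = hashlib.new(name, cert["tbs"]).digest()
    expected = b"\x00\x01" + b"\xff" * (k - 3 - len(prefix) - len(digest)) + b"\x00" + prefix + digest
    return pow(s, e, n).to_bytes(k, "big") == expected

def ios_fingerprint(der, algo):
    """Fingerprint as 'crypto pki authenticate' prints it: upper-case hex in groups of eight."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))

def check_chain(identity_der, ca_der):
    """What to confirm before trusting the pair: self-signed CA, issuer match, valid signature, hash used."""
    ident, ca = parse_cert(identity_der), parse_cert(ca_der)
    return {"ca_self_signed": ca["issuer"] == ca["subject"] and verify_signature(ca, ca),
            "issuer_matches_ca": ident["issuer"] == ca["subject"],
            "identity_signed_by_ca": verify_signature(ident, ca),
            "signature_hash": DIGEST_INFO.get(ident["sig_oid"], ("unknown",))[0]}

if __name__ == "__main__":  # compare the printed fingerprints with the router's prompt before answering yes
    print(ios_fingerprint(pem_to_der(CA_PEM), "md5"), ios_fingerprint(pem_to_der(CA_PEM), "sha1"))
    print(check_chain(pem_to_der(IDENTITY_PEM), pem_to_der(CA_PEM)))
```

Running the script on another machine with a copy of the CA's PEM gives you the MD5 and SHA1 values to hold against the router's prompt, and check_chain tells you, independently of IOS, that the granted certificate chains to that CA and which hash the CA signed it with (md5 here, which is the point of the hash sha256 recommendation above). The issuer/subject comparison is bytewise on the DER Name, which is exact for certificates issued by the same CA but would need proper Name canonicalisation for certificates from different tooling.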

Specifically with remote access VPNs, such as clientless SSL VPN and AnyConnect (client based) VPN, the trustpoint is tied to the outside interface and is used to present the identity certificate to the device or user that is attempting to connect.