Cisco IOS based CA (Certificate Authority) - NetwaxLab

Saturday, February 14, 2015

Cisco IOS based CA (Certificate Authority)

IOS CA is the certificate server built into Cisco IOS: a router acts as the certificate authority (CA) for the other devices in the network. It is a simple yet powerful way to deploy certificates wherever a PKI is needed, most commonly so that IPsec peers can authenticate each other with RSA signatures (authentication rsa-sig in the configuration below) instead of pre-shared keys.

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

CA (Certificate Authority)

Supported Standards

Cisco supports the following standards with this feature:
  • IPSec- IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
  • Internet Key Exchange (IKE)- A hybrid protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
  • Public-Key Cryptography Standard #7 (PKCS #7)- A standard from RSA Data Security, Inc., used to encrypt and sign certificate enrollment messages.
  • Public-Key Cryptography Standard #10 (PKCS #10)- A standard syntax from RSA Data Security, Inc. for certificate requests.
  • RSA Keys- RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA keys come in pairs: one public key and one private key.
  • X.509v3 certificates- Certificate support that allows the IPSec-protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer). These certificates are obtained from a certification authority (CA). X.509 is part of the X.500 standard of the ITU.

Open source implementations

There exist several open source implementations of certificate authority software. Common to all is that they provide the necessary services to issue, revoke and manage digital certificates.
Some open source implementations are:
  • DogTag
  • EJBCA
  • gnoMint
  • OpenCA
  • OpenSSL, an SSL/TLS library that comes with tools allowing its use as a simple certificate authority
  • EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
  • r509
  • TinyCA, a Perl GUI built on CPAN modules.
  • XCA
  • Automated Certificate Management Environment (ACME), Let's Encrypt's protocol for communications between its certificate authority and servers. Let's Encrypt also provides node-acme, a Node.js implementation of ACME, and lets-encrypt-preview, a Python-based test implementation of server certificate management software using the ACME protocol.

Using a Third-Party SSL Certificate

To help you understand the process of installing a third-party SSL certificate, the steps taken by you, by HostGator and by the certificate issuer are outlined below. If you prefer a visual summary, the flow chart may help.

CA (Certificate Authority) Flow Chart

  1. Fill out the Certificate Signing Request (CSR) form. (Note: all information on the CSR page MUST match the WHOIS information for that domain; otherwise the SSL certificate will not be issued.)
  2. HostGator will email you the CSR and the RSA private key that you will need for the following steps. Keep this e-mail; without the information in it the following steps cannot be completed. The RSA private key is the secret that makes the certificate usable: anyone who holds it can impersonate the site, so store it accordingly.
  3. Purchase your SSL certificate (if you haven't already) and send the certificate issuer the CSR from step 2. (The certificate issuer does not need, and must not be given, the RSA private key; the CSR already carries the matching public key.)
  4. The certificate issuer will generate and return an SSL certificate as well as an SSL CA certificate (trusted authority), sometimes called a "CA Bundle". Both are PEM files: Base64-encoded text, not encrypted, so they open in any text editor. Typically they arrive by email as compressed (zipped) attachments.
  5. With the SSL certificate and the SSL CA certificate in hand, fill out the SSL installation form, supplying the RSA private key from the step-2 email. Once you complete the form, click Submit to complete your request.
  6. Pay the HostGator invoice for installing the SSL certificate. (Installation is free if you have a managed Dedicated Server; $10 otherwise.)

CA Configuration

Topology

(Note: 1. R2 and R3 must be able to reach each other, and both must reach R1's enrollment URL over HTTP for SCEP.
2. NTP runs between R1, R2 and R3; certificate validity periods and CRL update times are checked against the local clock, so an unsynchronised router rejects perfectly good certificates.
3. R1 acts as the ISP and hosts the certificate server.)
R1

! The certificate server uses the RSA key pair whose label matches the server name, so the
! pair is generated as "ciscopki" (with the label "cisco", a server named ciscopki would
! ignore it and generate its own pair). 1024-bit RSA is a lab setting; use 2048 or more in
! production. "exportable" is required for the export on the next line.
crypto key generate rsa general-keys label ciscopki exportable modulus 1024
! Back up the CA key pair to NVRAM in PEM form; the passphrase (a lab value here) encrypts
! the private key with 3DES. Without a backup, losing this pair means the CA can no longer
! issue certificates or CRLs and must be rebuilt, re-enrolling every peer.
crypto key export rsa ciscopki pem url nvram: 3des Cisco123

crypto pki server ciscopki
  ! grant auto signs every request that reaches the enrollment URL: convenient in a lab,
  ! but in production anyone able to reach R1 over HTTP would obtain a certificate
  grant auto
  issuer-name CN=cisco.com DN=.com L=GR C=IN
  ! end-entity certificates are valid 90 days, the CA certificate 365 days
  lifetime certificate 90
  lifetime ca-certificate 365
  ! a fresh CRL is published every 24 hours
  lifetime crl 24
  ! store only what is needed to keep issuing without serial-number conflicts
  database level minimum
  database url nvram:
  ! starting the server prompts for a passphrase that protects the CA private key
  no shutdown
  exit

! SCEP enrollment and CRL retrieval run over HTTP, so the HTTP server must be enabled
ip http server

R2

crypto pki trustpoint ciscopki
  ! SCEP enrollment against the IOS CA on R1
  enrollment url http://101.1.1.1:80
  ! Consult the CRL published by the CA, but accept the peer if the CRL cannot be fetched.
  ! Only the last revocation-check entered takes effect; "revocation-check none" on its own
  ! disables revocation checking entirely, so a revoked peer certificate would still be accepted.
  revocation-check crl none
  exit

! Fetch the CA certificate and confirm the fingerprint it displays out of band before accepting
crypto pki authenticate ciscopki
! Generate the PKCS #10 request and submit it; the CA above auto-grants it
crypto pki enroll ciscopki

! IKE phase 1: peers authenticate with the certificates issued above (rsa-sig)
crypto isakmp policy 10
  authentication rsa-sig
  encryption aes
  ! sha is SHA-1 and group 5 is 1536-bit DH; prefer sha256 and group 14 where the image supports them
  hash sha
  group 5
  lifetime 1800
  exit

crypto ipsec transform-set tset esp-sha-hmac esp-aes
  exit

! Traffic to protect: the host behind R2 to the host behind R3
ip access-list extended VPN
  permit ip host 192.168.1.100 host 192.168.2.100
  exit

crypto map CMAP 10 ipsec-isakmp
  set transform-set tset
  set peer 102.1.1.100
  match address VPN
  exit

int f0/0
  crypto map CMAP
  exit

R3

! R3 mirrors R2: same trustpoint, IKE policy and transform set; only the protected
! hosts and the peer address are swapped
crypto pki trustpoint ciscopki
  enrollment url http://101.1.1.1:80
  ! as on R2: the last revocation-check entered is the one that applies
  revocation-check crl none
  exit

crypto pki authenticate ciscopki
crypto pki enroll ciscopki

crypto isakmp policy 10
  authentication rsa-sig
  encryption aes
  hash sha
  group 5
  lifetime 1800
  exit

crypto ipsec transform-set tset esp-sha-hmac esp-aes
  exit

ip access-list extended VPN
  permit ip host 192.168.2.100 host 192.168.1.100
  exit

crypto map CMAP 10 ipsec-isakmp
  set transform-set tset
  set peer 101.1.1.100
  match address VPN
  exit

int f0/0
  crypto map CMAP
  exit
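The six-step third-party procedure (key, CSR, issuance, CA bundle, installation) and the revocation settings in the configuration above (lifetime crl 24 on the CA, revocation-check on the peers) can be exercised end to end with openssl. The script below is an added example and is not code from the NetwaxLab page, from HostGator or from Cisco; a throw-away local CA created with openssl stands in for the commercial issuer and for the IOS CA, and the hostname www.example.com, the organisation "Example Co" and the file names are assumptions made for the demonstration. It performs the two checks worth running before filling in an installation form (that the returned certificate carries the public key of your private key, and that it chains to the supplied CA bundle), then revokes the certificate and publishes a CRL to show that a relying party which does not consult the CRL, as revocation-check none would, keeps accepting the revoked certificate while one that does rejects it.

```shell
#!/bin/sh
# Added example (not from the NetwaxLab page, HostGator or Cisco): the key -> CSR -> issue ->
# install checks of the third-party SSL procedure, followed by revoke -> CRL, using openssl.
# A throw-away local CA stands in for the commercial issuer and for the IOS CA. The hostname
# www.example.com, the organisation "Example Co" and all file names are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Steps 1-2: generate the RSA key pair and a CSR signed with it. The private key stays here;
# only the CSR (subject + public key, self-signed to prove possession) goes to the issuer.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -sha256 \
        -subj "/C=US/O=Example Co/CN=www.example.com" -out "$WORK/server.csr"
    # Self-check before sending it anywhere: the CSR's own signature must verify.
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Steps 3-4, issuer side (simulated): a local CA signs the CSR for 90 days and returns the
# certificate plus its own certificate, the "CA bundle". PEM files are Base64 text, not encrypted.
issue_cert() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
        -subj "/C=US/O=Example Co/CN=Example Test CA" -out "$WORK/ca.crt"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 90 -out "$WORK/server.crt" >/dev/null 2>&1
    cp "$WORK/ca.crt" "$WORK/ca-bundle.crt"
}

# Step 5, check A: the returned certificate must carry the public half of OUR key. Compare
# SHA-256 digests of the DER SubjectPublicKeyInfo derived from the key and from the cert.
# Usage: cert_matches_key <key.pem> <cert.pem>; returns 0 on match.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Step 5, check B: the certificate must chain to the CA bundle the issuer supplied.
# Usage: chain_verifies <cert.pem> <bundle.pem>; returns 0 when the chain verifies.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Issuer side again: revoke the certificate and publish a CRL good for one day, the
# counterpart of "lifetime crl 24" on the IOS CA. This minimal ca.cnf is all that
# "openssl ca -revoke" and "-gencrl" need; -revoke adds a serial it has not seen to index.txt.
revoke_and_publish_crl() {
    printf '[ ca ]\ndefault_ca = local\n[ local ]\ndatabase = %s/index.txt\ndefault_md = sha256\ndefault_crl_days = 1\n' \
        "$WORK" > "$WORK/ca.cnf"
    : > "$WORK/index.txt"
    openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -revoke "$WORK/server.crt" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -gencrl -crldays 1 -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Relying party that does consult the CRL, as "revocation-check crl" does on IOS.
# Usage: accepted_with_crl_check <cert.pem> <bundle.pem> <crl.pem>; returns 0 if still accepted.
accepted_with_crl_check() {
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# Walk the whole flow and report each check.
run_demo() {
    make_csr
    issue_cert
    cert_matches_key "$WORK/server.key" "$WORK/server.crt" && echo "key/cert match: OK" || echo "key/cert match: FAIL"
    chain_verifies "$WORK/server.crt" "$WORK/ca-bundle.crt" && echo "chain to CA bundle: OK" || echo "chain to CA bundle: FAIL"
    revoke_and_publish_crl
    # Without a CRL check ("revocation-check none") the revoked certificate still verifies.
    chain_verifies "$WORK/server.crt" "$WORK/ca-bundle.crt" && echo "revoked, no CRL check: still accepted"
    accepted_with_crl_check "$WORK/server.crt" "$WORK/ca-bundle.crt" "$WORK/ca.crl" || echo "revoked, CRL checked: rejected"
    echo "artifacts left in $WORK"
}

if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl CLI not found; nothing run" >&2; fi
```

Run it with sh; set WORK to keep the key, CSR, certificates and CRL in a directory of your choosing. The key/certificate comparison is the check to reach for when an installed certificate is rejected as not matching its key, and the CRL step is the reason the crl method rather than none belongs on production trustpoints.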

Deleting RSA Keys from Your Router

Router(config)# crypto key zeroize rsa
Deletes all of your router's RSA key pairs. To remove a single pair, name its label: crypto key zeroize rsa ciscopki. Zeroizing a key pair makes every certificate bound to it unusable, and on the CA router it destroys the key that signs all issued certificates and CRLs, so export the pair (as R1 does above) before you ever need this command.

Deleting Certificates from the Configuration

R1# show crypto ca certificates

Lists the certificates held by the router with their serial numbers; note the serial of the certificate you want to remove, then delete it from the trustpoint's certificate chain:

R1(config)# crypto ca certificate chain name

R1(config-cert-cha)# no certificate certificate-serial-number

(crypto ca is the older spelling of the crypto pki keyword used in the configuration above; current releases use crypto pki certificate chain name.)

To delete the CA's certificate, you must remove the entire CA identity (trustpoint), which also removes all certificates associated with that CA: your router's certificate, the CA certificate, and any RA certificates. The router must then authenticate and enroll again before it can use RSA-signature authentication with its peers.

To remove a CA identity, use the following command in global configuration mode:

R1(config)# no crypto ca identity name

(On current releases the equivalent is no crypto pki trustpoint name.)

Viewing Keys and Certificates

Displays your router's own RSA public keys.

R1# show crypto key mypubkey rsa

Displays all RSA public keys stored on your router, including those of peers that sent your router their certificates during IPsec peer authentication.

R1# show crypto key pubkey-chain rsa

Displays details of one RSA public key stored on your router, selected by name or by address.

R1# show crypto key pubkey-chain rsa [name key-name | address key-address]

Displays your router's certificate, the CA's certificate, and any RA certificates, with their serial numbers and validity dates; this is also where you read the serial used by no certificate above.

R1# show crypto ca certificates

Displays the CA roots configured in the router.

R1# show crypto ca roots

(Note: this command is only meaningful when more than one CA is configured on the router.)
