Wednesday, 26 December 2012

Implementing your own CA server on an IOS Router



Why is this useful?

  • It can help you practice PKI in a lab environment, e.g. for VPNs (IPsec or SSL)
  • You can use it on a small intranet to secure your network


While studying for the CCNA Security certification there are VPN labs in which a CA server is required
for authentication with RSA digital certificates. When you want to practice at home you will need your own CA server.
There are various ways to do that; in a lab the simplest is to use an IOS router in the CA server role.


What you need:

  • GNS3
  • IOS Image
  • a brain



Let's put all the pieces together

You will need to create one router. You can name it CA or anything you like.


First we need to configure the CA router to actually act as a CA server:


! Make sure you configure the clock before proceeding; if not, the CA
! server will not work. In a production environment NTP is preferred.
CA#clock set 20:09:9 26 DEC 2012

CA#configure terminal
! Enable the HTTP server (enrollment requests arrive over HTTP via SCEP)
CA(config)#ip http server
! Set up the PKI server; MY-CA is just a name
CA(config)#crypto pki server MY-CA
! Set the lifetime of the CA certificate and of the certificates it issues.
! The lifetime values are in days.
CA(cs-server)#lifetime ca-certificate 600
CA(cs-server)#lifetime certificate 600
! Available attributes include:
! CN=Common Name, L=Location, C=Country
CA(cs-server)#issuer-name CN=LOCAL C=LAB
! The exact syntax of the command above may differ depending on the IOS version used
! Specify where the CA database will be stored
CA(cs-server)#database url pem flash:/MY-CA
! Grant enrollment requests automatically (every request is signed without
! an administrator approving it; convenient in a lab, not for production)
CA(cs-server)#grant auto
! Activate the PKI server
CA(cs-server)#no shutdown
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
CA(cs-server)#end
CA#copy run start




Now you have a CA server to use for your labs!

Here is an example of how to use your new CA service on a router:

R1#clock set 20:09:9 26 DEC 2012
R1#configure terminal
R1(config)#ip domain-name lab.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.


How many bits in the modulus [512]: 1024
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#crypto ca trustpoint MY-CA
R1(ca-trustpoint)#subject-name CN=LOCAL C=LAB
R1(ca-trustpoint)#enrollment url http://13.0.0.2:80
R1(ca-trustpoint)#exit
R1(config)#crypto ca authenticate MY-CA
Certificate has the following attributes:
Fingerprint MD5: 57B7D70D 1092F7F2 B690B0D8 B03DC946
Fingerprint SHA1: 41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B


% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto ca enroll MY-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.


Password:
Re-enter password:


% The subject name in the certificate will include: CN=LOCAL C=LAB
% The subject name in the certificate will include: R1.lab.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate MY-CA verbose' commandwill show the fingerprint.


Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6BA37CCE 404F5058 CB41348C 2201AF76
Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B71A47B3 865E327C 8835EE1A 4FEED9E2 AA61EB17
R1(config)#end
R1#wr
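The "Do you accept this certificate? [yes/no]" prompt in the crypto ca authenticate step above is the moment the client router decides to trust the CA, and the only thing it has to go on is the MD5/SHA1 fingerprint printed just before it. The script below is an added example, not part of the original post or of IOS: it computes the fingerprint of a certificate (a digest of its DER encoding) in the same 8-character-group display format IOS uses, so you can compare the value the client shows against one read off the CA router itself (for instance with show crypto pki server) before answering yes. It uses only the Python standard library; the SAMPLE_PEM it runs on is a constructed placeholder (the base64 of the bytes "abc" in PEM armour), not a real certificate, and the expected fingerprint value in the usage block is constructed for that placeholder.

```python
"""Check the CA certificate fingerprint shown by 'crypto ca authenticate'.

Added example (not from the original post). Compute an IOS-style fingerprint
from a PEM or DER certificate and compare it, in constant time, against the
fingerprint obtained out of band from the CA router.
"""
import base64
import hashlib
import hmac
import re
import ssl


def pem_to_der(pem_text: str) -> bytes:
    """Convert a PEM certificate (the form 'database url pem' stores) to DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER bytes in IOS display style: uppercase hex in 8-char groups."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalise(fingerprint: str) -> str:
    """Drop spaces, colons and case so 'AB CD', 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[\s:]", "", fingerprint).upper()


def fingerprint_matches(der: bytes, expected: str, algo: str) -> bool:
    """Constant-time comparison of the computed fingerprint with the out-of-band value."""
    computed = normalise(ios_fingerprint(der, algo))
    return hmac.compare_digest(computed, normalise(expected))


# Constructed placeholder: base64 of b"abc" wrapped in PEM armour. It is NOT a
# real certificate; it only exercises the PEM handling and the hashing.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"abc").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("md5", "sha1"):
        print(f"Fingerprint {algo.upper()}: {ios_fingerprint(der, algo)}")
    # The value you would read off the CA router (constructed for the placeholder above).
    out_of_band_sha1 = "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D"
    print("SHA1 matches:", fingerprint_matches(der, out_of_band_sha1, "sha1"))
```

In practice you would paste the CA certificate exported from the CA router into SAMPLE_PEM and the fingerprint printed by the client into the expected value; a mismatch means the client is being handed a different CA certificate than the one you built, and the right answer at the prompt is no. Comparing the SHA1 value rather than the MD5 one is preferable where both are shown.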

If you wish to know more, visit this link.
