I've configured my 871w router to be my root Certficate Authority (CA) / Public Key Infrastructure (PKI) server. Also, using the PKI solution helps provide a more scalable authentication for my VPN lab.
I performed the following tasks to implement a CA server on an IOS-based router:
871W#show run | inc ntp // ENSURE NTP RUNS ON BOTH CA SERVER AND CLIENTS FOR CERT TO BE IN SYNC
ntp clock-period 17182401
ntp server 203.123.48.6
871W#show clock
10:37:49.407 SGT Sun Mar 9 2014
871W(config)#crypto key generate rsa ?
encryption Generate a general purpose RSA key pair for signing and encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and encryption
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
871W(config)#crypto key generate rsa label ?
WORD RSA keypair label
871W(config)#crypto key generate rsa label VPN-KEY ?
encryption Generate a general purpose RSA key pair for signing and encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and encryption
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
871W(config)#crypto key generate rsa label VPN-KEY modulus ?
<360-2048> size of the key modulus [360-2048]
871W(config)#crypto key generate rsa label VPN-KEY modulus 1024 exportable // RSA KEYS CAN BE EXPORTED IN PRIVACY ENHANCED MAIL (PEM) FORMAT
The name for the keys will be: VPN-KEY
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
871W(config)#crypto key export rsa ?
WORD RSA key label
871W(config)#crypto key export rsa VPN-KEY ?
pem File type to export
871W(config)#crypto key export rsa VPN-KEY pem ?
terminal Export via the terminal (cut-and-paste)
url Export via the file systems
871W(config)#crypto key export rsa VPN-KEY pem terminal ?
3des Encrypt the private key with 3DES
des Encrypt the private key with DES
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des ?
LINE Passphrase used to protect the private key
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco
% Passphrase is too short, needs to be at least 8 chars
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco123
% Key name: VPN-KEY
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZq+SNIRShVFMDYW0ebZRhhPQW
PwzB1g8+IneNAhbeWOrLG8TpNYBG8zX55iGK/xHZdL+RMeCEp2JtWfAfZ7oxoH6r
VUgQ6reI7Bpenc80PIoa8mt61cHShWJKfGGxvxrJHMSqTQnBRCpTlFhYpIgYorbm
UOBHFBibH6IXo03+BQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5D2BF9B679BF6C23
r0Qr9opRVvT9KuJxjIjVXQulGI4glBFQMBdbp2M2LcbUymMFh8P+YtQaf+0HAqZg
HhYl/YQd2i4N7BeyLhRR1/HlUhrTSLDRpzTFRBDPYiFd4mUgJc668uiq3TOd/gA1
W4SPmS8DBxUh4OQQS5SRsDJQ/LDoZhvU8O9yBvVrFC0UYue7EgobK/FgSS2UwYm8
BII2KT6cKFWnoqwBhqbowa+cYWGRFWAd4rpohbColZbL/0SEylPCBnSeR8JlPVxr
/d47gVH3/SX1LE+fxAp2zH6cnKgyRy2P5AG4Ux7gxmJrJb6j4w2u9Qpqua74de4e
GRdzCAsutCIiPdGl07WACCvPnas85fhfxB5XDYJZEuEqHs2QOUof4xcKh7vFnw1X
0J4J/OroV+HFf//n9KsuO1Q2gMZMOwvrN8Rm22GTPZWxa8gS4Sipa9H08+qUy9O1
afxl8/g2W9WxGlgerpFqlMgNQQC6RG5r1l0/VbwrrAvUBVSUJwYzhd3Vk2+ubLuZ
rCCm6SPEdVJ+EYTBCiPYrLdBhSgtyGOhBXLz6T6wvnIRMQjJrVnQ4uHoYphLkFYr
kTAOFH8g2Fj9zNbrpJVp0pXqPSusCvIzv43WGSavS2srovA8stLdYOKYKV3tHlYs
wvigYS5WX5iOf7Z6QLr9KWZiegssNpcHmYo0idD+YK3WBF0OMrt6WceYy5siWYYd
3h/a0Q7P+NR/Co3CTy+bks+wU+oBqFzOqzhfMH/olOXem3DwA4KL5R+POHc6l7ZA
6HewPmI6pfJsT/NNAjRLn8/pCFlIX3BcEhD47UYBJ4oaXlC1HU89dw==
-----END RSA PRIVATE KEY-----
871W(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 04:02:21 SGT May 20 2010
Key name: TP-self-signed-593184536
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B636CD
63236065 4243B8A4 6FB3C6CB 3C26214D C152A07F E91558D3 042AEACE 61DA605A
DFB58A89 7E039325 68B4DDB2 2CEA9D29 DF64B7DB 47AC2EDF 817373C7 B1061E8C
5DBF5089 FDCB40D6 005B32BA 32705838 A9F97F3D AB377608 411EC0A0 7EBC979C
10AC0BB5 C66346BF D41819E5 06AFE357 DF9D5F17 BFC72237 E06D27EB 8B020301 0001
% Key pair was generated at: 10:25:14 SGT Mar 9 2014
Key name: TP-self-signed-593184536.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E56ABA 03F314E3
DCB0301F 8D89F4FA 8B6423E3 708938A7 B64F1BDE 57B2F464 BE99EB09 70AEEB0C
6CDF9303 65593F0F 34FAA8A2 685C1538 508E9115 928C76E9 ED683698 C4196DAF
25AB29AC 7C0E67A5 D91436A2 99D1CB3B 8CE45877 B7D88E62 27020301 0001
% Key pair was generated at: 10:50:03 SGT Mar 9 2014
Key name: VPN-KEY
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0099ABE4
8D2114A1 54530361 6D1E6D94 6184F416 3F0CC1D6 0F3E2277 8D0216DE 58EACB1B
C4E93580 46F335F9 E6218AFF 11D974BF 9131E084 A7626D59 F01F67BA 31A07EAB
554810EA B788EC1A 5E9DCF34 3C8A1AF2 6B7AD5C1 D285624A 7C61B1BF 1AC91CC4
AA4D09C1 442A5394 5858A488 18A2B6E6 50E04714 189B1FA2 17A34DFE 05020301 0001
871W(config)#do sh run | inc ip http // ENABLE HTTP SERVER FOR CLIENTS TO ENROLL
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
871W(config)#crypto pki ?
authenticate Get the CA certificate
certificate Actions on certificates
crl Actions on certificate revocation lists
enroll Request a certificate from a CA
export Export certificate or PKCS12 file
import Import certificate or PKCS12 file
profile Define a certificate profile
server Enable IOS Certificate server
token Configure cryptographic token
trustpoint Define a CA trustpoint
871W(config)#crypto pki server ?
WORD Certificate Server Name
871W(config)#crypto pki server CA-SERVER // CREATE PKI SERVER
871W(cs-server)#?
CA Server configuration commands:
auto-rollover Rollover the CA key and certificate
cdp-url CRL Distribution Point to be included in the issued certs
database Certificate Server database config parameters
default Set a command to its defaults
exit Exit from Certificate Server entry mode
grant Certificate granting options
hash Hash algorithm
issuer-name Issuer name
lifetime Lifetime parameters
mode Mode
no Negate a command or set its defaults
shutdown Shutdown the Certificate Server
871W(cs-server)#database ?
archive Backup Certificate Server Signing Certificate and Keys
level Level of data stored in database
url URL the Certificate Server database information will be written to
username Database username to access the primary network storage
871W(cs-server)#database url ?
WORD URL of primary storage location
cnm Storage location for name file (*.cnm)
crl Storage location for certificate revocation list (*.crl)
crt Storage location for issued certificates (*.crt)
p12 Storage location for P12 archives (*.p12)
pem Storage location for PEM archives (*.pem)
ser Storage location for main database files (*.ser)
871W(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
871W(cs-server)#database level ?
complete Each issued certificate is saved to the database
minimum Minimum certificate info is saved to the database
names Certificate serial-number & subject name is saved to the database
871W(cs-server)#database level minimum
871W(cs-server)#issuer-name ?
LINE Issuer name
871W(cs-server)#issuer-name CN=lagura.com L=Home C=SG
871W(cs-server)#lifetime ?
ca-certificate Lifetime of the Certificate Server signing certificate
certificate Lifetime of certificates issued by this Certificate Server
crl Lifetime of CRL's published by this Certificate Server
enrollment-request Lifetime of an Enrollment Request
871W(cs-server)#lifetime ca-certificate ?
<0-1825> Lifetime in days
871W(cs-server)#lifetime ca-certificate 1825 // 5 YEARS
871W(cs-server)#grant ?
auto Automatically grant incoming SCEP enrollment requests
none Automatically reject any incoming SCEP enrollment request
ra-auto Automatically grant RA-authorized incoming SCEP enrollment request
871W(cs-server)#grant auto
871W(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:cisco
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
871W(cs-server)#end
871W#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=lagura.com L\=Home C\=SG
Subject:
cn=lagura.com L\=Home C\=SG
Validity Date:
start date: 11:12:52 SGT Mar 9 2014
end date: 11:12:52 SGT Mar 8 2019
Associated Trustpoints: CA-SERVER
871W#show crypto pki trustpoints status
Trustpoint CA-SERVER:
Issuing CA certificate configured:
Subject Name:
cn=lagura.com L\=Home C\=SG
Fingerprint MD5: 83F908A6 9E7E0C70 E83BC30F 76BA0762
Fingerprint SHA1: 8D49A6CB BAE7EFE8 D7A0D8C1 D4AA6599 0F9DE16D
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
I tested my ASA 5505 firewall to join the PKI and added a CA Truspoint via Simple Certificate Enrollment Protocol (SCEP).
871W#sh run | inc ntp
ntp clock-period 17182307
ntp server 203.123.48.6 // PUBLIC SG NTP
871W#show clock
11:22:53.941 SGT Sun Mar 9 2014
ASA5505# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA5505# # show clock
17:14:01.949 UTC Sat Mar 8 2014
ASA5505# configure terminal
ASA5505(config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
ASA5505(config)# ntp server 192.168.1.1 ?
configure mode commands/options:
key Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
ASA5505(config)# ntp server 192.168.1.1 source ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# ntp server 192.168.1.1 source outside // RUN NTP TO CA CLIENT TO SYNC CA CERT
ASA5505(config)# clock timezone ?
configure mode commands/options:
WORD < 8 char name of time zone
ASA5505(config)# clock timezone SGT 8
ASA5505(config)# show clock
11:24:05.533 SGT Sun Mar 9 2014
ASA5505(config)# show ntp status
Clock is synchronized, stratum 4, reference is 192.168.1.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d6c65d72.229a9871 (11:24:34.135 SGT Sun Mar 9 2014)
clock offset is 1.2502 msec, root delay is 108.67 msec
root dispersion is 3928.02 msec, peer dispersion is 3890.64 msec
Below are the screenshots in ASDM to configure NTP and add CA Certificates. Notice the Issued By and Expiry Date on the CA certificate details matched the CA server fields configured on the 871w router.
I performed the following tasks to implement a CA server on an IOS-based router:
871W#show run | inc ntp // ENSURE NTP RUNS ON BOTH CA SERVER AND CLIENTS FOR CERT TO BE IN SYNC
ntp clock-period 17182401
ntp server 203.123.48.6
871W#show clock
10:37:49.407 SGT Sun Mar 9 2014
871W(config)#crypto key generate rsa ?
encryption Generate a general purpose RSA key pair for signing and encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and encryption
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
871W(config)#crypto key generate rsa label ?
WORD RSA keypair label
871W(config)#crypto key generate rsa label VPN-KEY ?
encryption Generate a general purpose RSA key pair for signing and encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and encryption
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
871W(config)#crypto key generate rsa label VPN-KEY modulus ?
<360-2048> size of the key modulus [360-2048]
871W(config)#crypto key generate rsa label VPN-KEY modulus 1024 exportable // RSA KEYS CAN BE EXPORTED IN PRIVACY ENHANCED MAIL (PEM) FORMAT
The name for the keys will be: VPN-KEY
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
871W(config)#crypto key export rsa ?
WORD RSA key label
871W(config)#crypto key export rsa VPN-KEY ?
pem File type to export
871W(config)#crypto key export rsa VPN-KEY pem ?
terminal Export via the terminal (cut-and-paste)
url Export via the file systems
871W(config)#crypto key export rsa VPN-KEY pem terminal ?
3des Encrypt the private key with 3DES
des Encrypt the private key with DES
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des ?
LINE Passphrase used to protect the private key
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco
% Passphrase is too short, needs to be at least 8 chars
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco123
% Key name: VPN-KEY
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZq+SNIRShVFMDYW0ebZRhhPQW
PwzB1g8+IneNAhbeWOrLG8TpNYBG8zX55iGK/xHZdL+RMeCEp2JtWfAfZ7oxoH6r
VUgQ6reI7Bpenc80PIoa8mt61cHShWJKfGGxvxrJHMSqTQnBRCpTlFhYpIgYorbm
UOBHFBibH6IXo03+BQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5D2BF9B679BF6C23
r0Qr9opRVvT9KuJxjIjVXQulGI4glBFQMBdbp2M2LcbUymMFh8P+YtQaf+0HAqZg
HhYl/YQd2i4N7BeyLhRR1/HlUhrTSLDRpzTFRBDPYiFd4mUgJc668uiq3TOd/gA1
W4SPmS8DBxUh4OQQS5SRsDJQ/LDoZhvU8O9yBvVrFC0UYue7EgobK/FgSS2UwYm8
BII2KT6cKFWnoqwBhqbowa+cYWGRFWAd4rpohbColZbL/0SEylPCBnSeR8JlPVxr
/d47gVH3/SX1LE+fxAp2zH6cnKgyRy2P5AG4Ux7gxmJrJb6j4w2u9Qpqua74de4e
GRdzCAsutCIiPdGl07WACCvPnas85fhfxB5XDYJZEuEqHs2QOUof4xcKh7vFnw1X
0J4J/OroV+HFf//n9KsuO1Q2gMZMOwvrN8Rm22GTPZWxa8gS4Sipa9H08+qUy9O1
afxl8/g2W9WxGlgerpFqlMgNQQC6RG5r1l0/VbwrrAvUBVSUJwYzhd3Vk2+ubLuZ
rCCm6SPEdVJ+EYTBCiPYrLdBhSgtyGOhBXLz6T6wvnIRMQjJrVnQ4uHoYphLkFYr
kTAOFH8g2Fj9zNbrpJVp0pXqPSusCvIzv43WGSavS2srovA8stLdYOKYKV3tHlYs
wvigYS5WX5iOf7Z6QLr9KWZiegssNpcHmYo0idD+YK3WBF0OMrt6WceYy5siWYYd
3h/a0Q7P+NR/Co3CTy+bks+wU+oBqFzOqzhfMH/olOXem3DwA4KL5R+POHc6l7ZA
6HewPmI6pfJsT/NNAjRLn8/pCFlIX3BcEhD47UYBJ4oaXlC1HU89dw==
-----END RSA PRIVATE KEY-----
871W(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 04:02:21 SGT May 20 2010
Key name: TP-self-signed-593184536
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B636CD
63236065 4243B8A4 6FB3C6CB 3C26214D C152A07F E91558D3 042AEACE 61DA605A
DFB58A89 7E039325 68B4DDB2 2CEA9D29 DF64B7DB 47AC2EDF 817373C7 B1061E8C
5DBF5089 FDCB40D6 005B32BA 32705838 A9F97F3D AB377608 411EC0A0 7EBC979C
10AC0BB5 C66346BF D41819E5 06AFE357 DF9D5F17 BFC72237 E06D27EB 8B020301 0001
% Key pair was generated at: 10:25:14 SGT Mar 9 2014
Key name: TP-self-signed-593184536.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E56ABA 03F314E3
DCB0301F 8D89F4FA 8B6423E3 708938A7 B64F1BDE 57B2F464 BE99EB09 70AEEB0C
6CDF9303 65593F0F 34FAA8A2 685C1538 508E9115 928C76E9 ED683698 C4196DAF
25AB29AC 7C0E67A5 D91436A2 99D1CB3B 8CE45877 B7D88E62 27020301 0001
% Key pair was generated at: 10:50:03 SGT Mar 9 2014
Key name: VPN-KEY
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0099ABE4
8D2114A1 54530361 6D1E6D94 6184F416 3F0CC1D6 0F3E2277 8D0216DE 58EACB1B
C4E93580 46F335F9 E6218AFF 11D974BF 9131E084 A7626D59 F01F67BA 31A07EAB
554810EA B788EC1A 5E9DCF34 3C8A1AF2 6B7AD5C1 D285624A 7C61B1BF 1AC91CC4
AA4D09C1 442A5394 5858A488 18A2B6E6 50E04714 189B1FA2 17A34DFE 05020301 0001
871W(config)#do sh run | inc ip http // ENABLE HTTP SERVER FOR CLIENTS TO ENROLL
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
871W(config)#crypto pki ?
authenticate Get the CA certificate
certificate Actions on certificates
crl Actions on certificate revocation lists
enroll Request a certificate from a CA
export Export certificate or PKCS12 file
import Import certificate or PKCS12 file
profile Define a certificate profile
server Enable IOS Certificate server
token Configure cryptographic token
trustpoint Define a CA trustpoint
871W(config)#crypto pki server ?
WORD Certificate Server Name
871W(config)#crypto pki server CA-SERVER // CREATE PKI SERVER
871W(cs-server)#?
CA Server configuration commands:
auto-rollover Rollover the CA key and certificate
cdp-url CRL Distribution Point to be included in the issued certs
database Certificate Server database config parameters
default Set a command to its defaults
exit Exit from Certificate Server entry mode
grant Certificate granting options
hash Hash algorithm
issuer-name Issuer name
lifetime Lifetime parameters
mode Mode
no Negate a command or set its defaults
shutdown Shutdown the Certificate Server
871W(cs-server)#database ?
archive Backup Certificate Server Signing Certificate and Keys
level Level of data stored in database
url URL the Certificate Server database information will be written to
username Database username to access the primary network storage
871W(cs-server)#database url ?
WORD URL of primary storage location
cnm Storage location for name file (*.cnm)
crl Storage location for certificate revocation list (*.crl)
crt Storage location for issued certificates (*.crt)
p12 Storage location for P12 archives (*.p12)
pem Storage location for PEM archives (*.pem)
ser Storage location for main database files (*.ser)
871W(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
871W(cs-server)#database level ?
complete Each issued certificate is saved to the database
minimum Minimum certificate info is saved to the database
names Certificate serial-number & subject name is saved to the database
871W(cs-server)#database level minimum
871W(cs-server)#issuer-name ?
LINE Issuer name
871W(cs-server)#issuer-name CN=lagura.com L=Home C=SG
871W(cs-server)#lifetime ?
ca-certificate Lifetime of the Certificate Server signing certificate
certificate Lifetime of certificates issued by this Certificate Server
crl Lifetime of CRL's published by this Certificate Server
enrollment-request Lifetime of an Enrollment Request
871W(cs-server)#lifetime ca-certificate ?
<0-1825> Lifetime in days
871W(cs-server)#lifetime ca-certificate 1825 // 5 YEARS
871W(cs-server)#grant ?
auto Automatically grant incoming SCEP enrollment requests
none Automatically reject any incoming SCEP enrollment request
ra-auto Automatically grant RA-authorized incoming SCEP enrollment request
871W(cs-server)#grant auto
871W(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:cisco
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
871W(cs-server)#end
871W#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=lagura.com L\=Home C\=SG
Subject:
cn=lagura.com L\=Home C\=SG
Validity Date:
start date: 11:12:52 SGT Mar 9 2014
end date: 11:12:52 SGT Mar 8 2019
Associated Trustpoints: CA-SERVER
871W#show crypto pki trustpoints status
Trustpoint CA-SERVER:
Issuing CA certificate configured:
Subject Name:
cn=lagura.com L\=Home C\=SG
Fingerprint MD5: 83F908A6 9E7E0C70 E83BC30F 76BA0762
Fingerprint SHA1: 8D49A6CB BAE7EFE8 D7A0D8C1 D4AA6599 0F9DE16D
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
I tested my ASA 5505 firewall to join the PKI and added a CA Truspoint via Simple Certificate Enrollment Protocol (SCEP).
871W#sh run | inc ntp
ntp clock-period 17182307
ntp server 203.123.48.6 // PUBLIC SG NTP
871W#show clock
11:22:53.941 SGT Sun Mar 9 2014
ASA5505# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA5505# # show clock
17:14:01.949 UTC Sat Mar 8 2014
ASA5505# configure terminal
ASA5505(config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
ASA5505(config)# ntp server 192.168.1.1 ?
configure mode commands/options:
key Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
ASA5505(config)# ntp server 192.168.1.1 source ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# ntp server 192.168.1.1 source outside // RUN NTP TO CA CLIENT TO SYNC CA CERT
ASA5505(config)# clock timezone ?
configure mode commands/options:
WORD < 8 char name of time zone
ASA5505(config)# clock timezone SGT 8
ASA5505(config)# show clock
11:24:05.533 SGT Sun Mar 9 2014
ASA5505(config)# show ntp status
Clock is synchronized, stratum 4, reference is 192.168.1.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d6c65d72.229a9871 (11:24:34.135 SGT Sun Mar 9 2014)
clock offset is 1.2502 msec, root delay is 108.67 msec
root dispersion is 3928.02 msec, peer dispersion is 3890.64 msec
Below are the screenshots in ASDM to configure NTP and add CA Certificates. Notice the Issued By and Expiry Date on the CA certificate details matched the CA server fields configured on the 871w router.