Friday, May 9, 2014

Configure 871w for Certificate Authority (CA) Server

I've configured my 871w router as my root Certificate Authority (CA), i.e. the Public Key Infrastructure (PKI) server for my lab. Using PKI also gives my VPN lab a more scalable form of authentication than per-peer shared secrets.


I performed the following tasks to implement a CA server on an IOS-based router:

871W#show run | inc ntp    // ENSURE NTP RUNS ON BOTH THE CA SERVER AND ITS CLIENTS; CERTIFICATE VALIDITY DATES ONLY MEAN SOMETHING IF EVERY CLOCK AGREES
ntp clock-period 17182401
ntp server 203.123.48.6
871W#show clock
10:37:49.407 SGT Sun Mar 9 2014

871W(config)#crypto key generate rsa ?
  encryption    Generate a general purpose RSA key pair for signing and encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  signature     Generate a general purpose RSA key pair for signing and encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

871W(config)#crypto key generate rsa label ?
  WORD  RSA keypair label

871W(config)#crypto key generate rsa label VPN-KEY ?
  encryption    Generate a general purpose RSA key pair for signing and encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  signature     Generate a general purpose RSA key pair for signing and encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

871W(config)#crypto key generate rsa label VPN-KEY modulus ?
  <360-2048>  size of the key modulus [360-2048]

871W(config)#crypto key generate rsa label VPN-KEY modulus 1024 exportable   // ONLY KEYS GENERATED WITH "exportable" CAN LATER BE EXPORTED IN PRIVACY ENHANCED MAIL (PEM) FORMAT; THE DEFAULT IS NON-EXPORTABLE

The name for the keys will be: VPN-KEY

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]

871W(config)#crypto key export rsa ?
  WORD  RSA key label

871W(config)#crypto key export rsa VPN-KEY ?
  pem  File type to export

871W(config)#crypto key export rsa VPN-KEY pem ?
  terminal  Export via the terminal (cut-and-paste)
  url       Export via the file systems

871W(config)#crypto key export rsa VPN-KEY pem terminal ?
  3des  Encrypt the private key with 3DES
  des   Encrypt the private key with DES

871W(config)#crypto key export rsa VPN-KEY pem terminal 3des ?
  LINE  Passphrase used to protect the private key

871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco
% Passphrase is too short, needs to be at least 8 chars
871W(config)#crypto key export rsa VPN-KEY pem terminal 3des cisco123
% Key name: VPN-KEY
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZq+SNIRShVFMDYW0ebZRhhPQW
PwzB1g8+IneNAhbeWOrLG8TpNYBG8zX55iGK/xHZdL+RMeCEp2JtWfAfZ7oxoH6r
VUgQ6reI7Bpenc80PIoa8mt61cHShWJKfGGxvxrJHMSqTQnBRCpTlFhYpIgYorbm
UOBHFBibH6IXo03+BQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5D2BF9B679BF6C23
[encrypted key body not reproduced here]
-----END RSA PRIVATE KEY-----
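What the two header lines in that export actually mean, as an added example (my own code, not from the original post): the private key block is in the legacy OpenSSL encrypted-PEM format. `DEK-Info` names the cipher and carries the IV in hex, and the 3DES key is derived from the passphrase with OpenSSL's EVP_BytesToKey using MD5, an iteration count of 1 and the first 8 bytes of the IV as salt. The snippet parses the header exactly as the router printed it above and derives the key for the passphrase typed in the transcript (`cisco123`). Because the encrypted key body itself is not reproduced on this page, the example stops at key derivation and decrypts nothing; the cipher-to-key-length table covers only the two ciphers the router offers.

```python
import hashlib
import re

# Header lines exactly as the 871w printed them in the export above.
EXPORT_HEADER = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5D2BF9B679BF6C23
"""

# Key lengths for the two ciphers "crypto key export rsa ... pem terminal ?" offers (3des / des).
KEY_LEN = {"DES-EDE3-CBC": 24, "DES-CBC": 8}


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from a legacy encrypted PEM header."""
    if "Proc-Type: 4,ENCRYPTED" not in pem_text:
        raise ValueError("not an encrypted legacy PEM block")
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if not m:
        raise ValueError("missing DEK-Info header")
    cipher, iv_hex = m.group(1), m.group(2)
    if cipher not in KEY_LEN:
        raise ValueError("unsupported cipher %s" % cipher)
    return cipher, bytes.fromhex(iv_hex)


def evp_bytes_to_key(passphrase, salt, key_len):
    """OpenSSL EVP_BytesToKey with MD5 and count=1, as PEM_do_header uses it.

    D_0 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt); the key is
    D_0 || D_1 || ... truncated to key_len. There is no work factor beyond the
    passphrase itself: one MD5 per candidate is all an attacker needs.
    """
    derived = b""
    block = b""
    while len(derived) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len]


def legacy_pem_key(pem_text, passphrase):
    """Derive (cipher, iv, key) protecting a legacy encrypted PEM private key."""
    cipher, iv = parse_dek_info(pem_text)
    salt = iv[:8]  # PEM_do_header hands the IV to EVP_BytesToKey as the 8-byte salt
    key = evp_bytes_to_key(passphrase.encode(), salt, KEY_LEN[cipher])
    return cipher, iv, key


if __name__ == "__main__":
    cipher, iv, key = legacy_pem_key(EXPORT_HEADER, "cisco123")
    print(cipher, "iv=%s" % iv.hex(), "key=%s" % key.hex())
```

The practical consequence: the router's "at least 8 chars" check is the only brake on an offline guess at an exported key, so if a key must leave the box, protect it with a long passphrase and treat the pasted text as the secret it is. The CA's own signing key, generated later in this post, is created non-exportable for exactly that reason. To actually decrypt such a block, `openssl rsa -in key.pem` or pyca/cryptography's `load_pem_private_key(..., password=...)` handle this format.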


871W(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 04:02:21 SGT May 20 2010
Key name: TP-self-signed-593184536
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B636CD
  63236065 4243B8A4 6FB3C6CB 3C26214D C152A07F E91558D3 042AEACE 61DA605A
  DFB58A89 7E039325 68B4DDB2 2CEA9D29 DF64B7DB 47AC2EDF 817373C7 B1061E8C
  5DBF5089 FDCB40D6 005B32BA 32705838 A9F97F3D AB377608 411EC0A0 7EBC979C
  10AC0BB5 C66346BF D41819E5 06AFE357 DF9D5F17 BFC72237 E06D27EB 8B020301 0001
% Key pair was generated at: 10:25:14 SGT Mar 9 2014
Key name: TP-self-signed-593184536.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E56ABA 03F314E3
  DCB0301F 8D89F4FA 8B6423E3 708938A7 B64F1BDE 57B2F464 BE99EB09 70AEEB0C
  6CDF9303 65593F0F 34FAA8A2 685C1538 508E9115 928C76E9 ED683698 C4196DAF
  25AB29AC 7C0E67A5 D91436A2 99D1CB3B 8CE45877 B7D88E62 27020301 0001
% Key pair was generated at: 10:50:03 SGT Mar 9 2014
Key name: VPN-KEY
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0099ABE4
  8D2114A1 54530361 6D1E6D94 6184F416 3F0CC1D6 0F3E2277 8D0216DE 58EACB1B
  C4E93580 46F335F9 E6218AFF 11D974BF 9131E084 A7626D59 F01F67BA 31A07EAB
  554810EA B788EC1A 5E9DCF34 3C8A1AF2 6B7AD5C1 D285624A 7C61B1BF 1AC91CC4
  AA4D09C1 442A5394 5858A488 18A2B6E6 50E04714 189B1FA2 17A34DFE 05020301 0001
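The PEM block pasted out of the export earlier and the hex `Key Data` shown for VPN-KEY are the same DER SubjectPublicKeyInfo; checking that is how you confirm the key you carried away really is the key on the box. The following is an added example (my own code, not from the post) that decodes both copies exactly as they appear on this page, walks the DER structure with a few lines of TLV parsing, and reports the algorithm OID, modulus size and public exponent, with no third-party library.

```python
import base64
import re

# Public half of VPN-KEY as exported with "crypto key export rsa VPN-KEY pem terminal ...".
VPN_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZq+SNIRShVFMDYW0ebZRhhPQW
PwzB1g8+IneNAhbeWOrLG8TpNYBG8zX55iGK/xHZdL+RMeCEp2JtWfAfZ7oxoH6r
VUgQ6reI7Bpenc80PIoa8mt61cHShWJKfGGxvxrJHMSqTQnBRCpTlFhYpIgYorbm
UOBHFBibH6IXo03+BQIDAQAB
-----END PUBLIC KEY-----"""

# Same key as "show crypto key mypubkey rsa" prints it under "Key Data:".
VPN_KEY_SHOW_HEX = """
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0099ABE4
  8D2114A1 54530361 6D1E6D94 6184F416 3F0CC1D6 0F3E2277 8D0216DE 58EACB1B
  C4E93580 46F335F9 E6218AFF 11D974BF 9131E084 A7626D59 F01F67BA 31A07EAB
  554810EA B788EC1A 5E9DCF34 3C8A1AF2 6B7AD5C1 D285624A 7C61B1BF 1AC91CC4
  AA4D09C1 442A5394 5858A488 18A2B6E6 50E04714 189B1FA2 17A34DFE 05020301 0001
"""

RSA_ENCRYPTION_OID = "2a864886f70d010101"  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_der(pem):
    """Strip the BEGIN/END lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def show_hex_to_der(text):
    """Turn the space-separated hex words of 'show crypto key mypubkey rsa' into bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError("expected %s (tag 0x%02x), got 0x%02x" % (what, want, tag))


def rsa_public_key_info(der):
    """Parse a SubjectPublicKeyInfo; return OID (hex), modulus bit length and exponent."""
    tag, spki, _ = _tlv(der, 0)
    _expect(tag, 0x30, "outer SEQUENCE")
    tag, alg, after_alg = _tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, _ = _tlv(alg, 0)
    _expect(tag, 0x06, "OID")
    tag, bitstr, _ = _tlv(spki, after_alg)
    _expect(tag, 0x03, "BIT STRING")
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsa_pub, _ = _tlv(bitstr, 1)  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, after_n = _tlv(rsa_pub, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    tag, e_bytes, _ = _tlv(rsa_pub, after_n)
    _expect(tag, 0x02, "exponent INTEGER")
    return {
        "oid": oid.hex(),
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
    }


def same_key(pem, show_hex):
    """True when the exported PEM and the router's hex dump are byte-identical DER."""
    return pem_to_der(pem) == show_hex_to_der(show_hex)


if __name__ == "__main__":
    print("matches router dump:", same_key(VPN_KEY_PEM, VPN_KEY_SHOW_HEX))
    print(rsa_public_key_info(pem_to_der(VPN_KEY_PEM)))
```

`openssl rsa -pubin -in vpn-key.pub -noout -text` shows the same fields. The check also surfaces the one thing worth revisiting in this lab: both VPN-KEY and the CA signing key generated further down are 1024-bit, and 2048 is the largest modulus this platform's `?` help offers. 1024-bit RSA is below the floor most guidance has required since 2014, so for anything beyond a lab generate the 2048-bit maximum.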

871W(config)#do sh run | inc ip http   // SCEP ENROLLMENT RUNS OVER HTTP, SO THE HTTP SERVER MUST BE ENABLED FOR CLIENTS TO ENROLL
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

871W(config)#crypto pki ?
  authenticate  Get the CA certificate
  certificate   Actions on certificates
  crl           Actions on certificate revocation lists
  enroll        Request a certificate from a CA
  export        Export certificate or PKCS12 file
  import        Import certificate or PKCS12 file
  profile       Define a certificate profile
  server        Enable IOS Certificate server
  token         Configure cryptographic token
  trustpoint    Define a CA trustpoint

871W(config)#crypto pki server ?
  WORD  Certificate Server Name

871W(config)#crypto pki server CA-SERVER   // CREATE PKI SERVER
871W(cs-server)#?
CA Server configuration commands:
  auto-rollover  Rollover the CA key and certificate
  cdp-url        CRL Distribution Point to be included in the issued certs
  database       Certificate Server database config parameters
  default        Set a command to its defaults
  exit           Exit from Certificate Server entry mode
  grant          Certificate granting options
  hash           Hash algorithm
  issuer-name    Issuer name
  lifetime       Lifetime parameters
  mode           Mode
  no             Negate a command or set its defaults
  shutdown       Shutdown the Certificate Server

871W(cs-server)#database ?
  archive   Backup Certificate Server Signing Certificate and Keys
  level     Level of data stored in database
  url       URL the Certificate Server database information will be written to
  username  Database username to access the primary network storage

871W(cs-server)#database url ?
  WORD  URL of primary storage location
  cnm   Storage location for name file (*.cnm)
  crl   Storage location for certificate revocation list (*.crl)
  crt   Storage location for issued certificates (*.crt)
  p12   Storage location for P12 archives (*.p12)
  pem   Storage location for PEM archives (*.pem)
  ser   Storage location for main database files (*.ser)

871W(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
871W(cs-server)#database level ?
  complete  Each issued certificate is saved to the database
  minimum   Minimum certificate info is saved to the database
  names     Certificate serial-number & subject name is saved to the database

871W(cs-server)#database level minimum
871W(cs-server)#issuer-name ?
  LINE  Issuer name

871W(cs-server)#issuer-name CN=lagura.com L=Home C=SG   // NOTE: DN COMPONENTS NEED COMMAS ("CN=lagura.com, L=Home, C=SG"); WITHOUT THEM IOS TAKES THE WHOLE STRING AS THE CN, WHICH IS WHY THE SHOW OUTPUT BELOW PRINTS "cn=lagura.com L\=Home C\=SG"
871W(cs-server)#lifetime ?
  ca-certificate      Lifetime of the Certificate Server signing certificate
  certificate         Lifetime of certificates issued by this Certificate Server
  crl                 Lifetime of CRL's published by this Certificate Server
  enrollment-request  Lifetime of an Enrollment Request

871W(cs-server)#lifetime ca-certificate ?
  <0-1825>  Lifetime in days

871W(cs-server)#lifetime ca-certificate 1825  // 5 YEARS
871W(cs-server)#grant ?
  auto     Automatically grant incoming SCEP enrollment requests
  none     Automatically reject any incoming SCEP enrollment request
  ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request

871W(cs-server)#grant auto   // LAB CONVENIENCE: EVERY SCEP REQUEST THAT REACHES THE HTTP SERVER IS SIGNED WITHOUT OPERATOR APPROVAL
871W(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:cisco
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:cisco123

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
871W(cs-server)#end

871W#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=lagura.com L\=Home C\=SG
  Subject:
    cn=lagura.com L\=Home C\=SG
  Validity Date:
    start date: 11:12:52 SGT Mar 9 2014
    end   date: 11:12:52 SGT Mar 8 2019
  Associated Trustpoints: CA-SERVER

871W#show crypto pki trustpoints status
Trustpoint CA-SERVER:
  Issuing CA certificate configured:
    Subject Name:
     cn=lagura.com L\=Home C\=SG
    Fingerprint MD5: 83F908A6 9E7E0C70 E83BC30F 76BA0762
    Fingerprint SHA1: 8D49A6CB BAE7EFE8 D7A0D8C1 D4AA6599 0F9DE16D
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None


I then tested joining my ASA 5505 firewall to the PKI by adding a CA trustpoint via Simple Certificate Enrollment Protocol (SCEP).

871W#sh run | inc ntp
ntp clock-period 17182307
ntp server 203.123.48.6   // PUBLIC SG NTP
871W#show clock
11:22:53.941 SGT Sun Mar 9 2014   


ASA5505# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA5505# show clock
17:14:01.949 UTC Sat Mar 8 2014
ASA5505# configure terminal
ASA5505(config)# ntp server ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of peer
ASA5505(config)# ntp server 192.168.1.1 ?

configure mode commands/options:
  key     Configure peer authentication key
  prefer  Prefer this peer when possible
  source  Interface for source address
  <cr>
ASA5505(config)# ntp server 192.168.1.1 source ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# ntp server 192.168.1.1 source outside   // SYNC THE ASA (CA CLIENT) TO THE CA SERVER'S CLOCK SO THE CA CERTIFICATE'S VALIDITY DATES LINE UP
ASA5505(config)# clock timezone ?

configure mode commands/options:
  WORD < 8 char  name of time zone
ASA5505(config)# clock timezone SGT 8
ASA5505(config)# show clock
11:24:05.533 SGT Sun Mar 9 2014
ASA5505(config)# show ntp status
Clock is synchronized, stratum 4, reference is 192.168.1.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d6c65d72.229a9871 (11:24:34.135 SGT Sun Mar 9 2014)
clock offset is 1.2502 msec, root delay is 108.67 msec
root dispersion is 3928.02 msec, peer dispersion is 3890.64 msec


Below are the ASDM screenshots for configuring NTP and adding the CA certificate. Notice that the Issued By and Expiry Date fields in the CA certificate details match the issuer name and lifetime configured on the 871w CA server.
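Two checks the ASA has to get right when it authenticates the CA over SCEP, worked with the values from this page, as an added example (my own code, not from the post or from Cisco). SCEP fetches the CA certificate over plain HTTP (the `GetCACert` operation), so the only thing that authenticates the CA is comparing the fingerprint of what arrived with the fingerprint read off the router's console in `show crypto pki trustpoints status` above. The certificate is then judged against the client's own clock, which is why the ASA's pre-NTP reading from the transcript (17:14 UTC on Mar 8) would have put the CA certificate in the future. The DER blob in the snippet is a constructed placeholder, not the real CA certificate (the page does not reproduce it), and the fingerprint pinned for it is computed from that placeholder; the enrollment URL is an assumption (the router's 192.168.1.1 address the ASA already uses for NTP), while the validity dates and both ASA clock readings come from the transcript.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SGT = timezone(timedelta(hours=8), "SGT")

# CA certificate validity as shown by "show crypto pki certificates" on the 871w.
CA_NOT_BEFORE = datetime(2014, 3, 9, 11, 12, 52, tzinfo=SGT)
CA_NOT_AFTER = datetime(2019, 3, 8, 11, 12, 52, tzinfo=SGT)

# ASA clock before and after it was pointed at the router for NTP (both from the transcript).
ASA_CLOCK_BEFORE_NTP = datetime(2014, 3, 8, 17, 14, 1, tzinfo=timezone.utc)
ASA_CLOCK_AFTER_NTP = datetime(2014, 3, 9, 11, 24, 5, tzinfo=SGT)

# Assumption: the router's enrollment URL is its 192.168.1.1 address; the page never states it.
ENROLLMENT_URL = "http://192.168.1.1:80"


def scep_get_ca_cert_url(enrollment_url, ca_ident="CA-SERVER"):
    """URL a SCEP client requests to fetch the CA certificate (GetCACert, RFC 8894)."""
    return "%s/cgi-bin/pkiclient.exe?%s" % (
        enrollment_url.rstrip("/"),
        urlencode({"operation": "GetCACert", "message": ca_ident}),
    )


def ios_fingerprints(cert_der):
    """MD5 and SHA1 over the DER certificate, grouped in 8-hex-digit words as IOS prints them."""
    def grouped(hexdigest):
        h = hexdigest.upper()
        return " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return {
        "MD5": grouped(hashlib.md5(cert_der).hexdigest()),
        "SHA1": grouped(hashlib.sha1(cert_der).hexdigest()),
    }


def fingerprint_matches(cert_der, console_sha1):
    """Compare the received certificate against the SHA1 fingerprint copied from the CA console."""
    expected = console_sha1.replace(" ", "").lower()
    actual = hashlib.sha1(cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)


def validity_status(now, not_before, not_after):
    """'valid', 'not yet valid' or 'expired' for a certificate window as seen from clock `now`."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def ca_cert_status_for_asa_clocks():
    """The CA certificate as the ASA would judge it before and after NTP sync."""
    return {
        "before NTP": validity_status(ASA_CLOCK_BEFORE_NTP, CA_NOT_BEFORE, CA_NOT_AFTER),
        "after NTP": validity_status(ASA_CLOCK_AFTER_NTP, CA_NOT_BEFORE, CA_NOT_AFTER),
    }


# Constructed placeholder standing in for the CA certificate bytes the page does not reproduce.
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"placeholder CA cert body for fingerprint demo" * 4
# What an operator would copy from "show crypto pki trustpoints status" for that placeholder.
CONSOLE_SHA1 = ios_fingerprints(FAKE_CA_DER)["SHA1"]

if __name__ == "__main__":
    print(scep_get_ca_cert_url(ENROLLMENT_URL))
    print("pinned SHA1 matches:", fingerprint_matches(FAKE_CA_DER, CONSOLE_SHA1))
    print("tampered cert matches:", fingerprint_matches(FAKE_CA_DER + b"\x00", CONSOLE_SHA1))
    print(ca_cert_status_for_asa_clocks())
```

On the ASA, `crypto ca authenticate <trustpoint>` prints the fingerprint of the certificate it just downloaded and asks whether to accept it; the value to compare it against is the SHA1 line from the router's `show crypto pki trustpoints status`, carried over by hand or another channel that does not depend on the same HTTP path. Accepting it unread turns SCEP's CA authentication into trust-on-first-use for whoever sits between the ASA and the router.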


4 comments:

  1. John,
    Do you have a post on how to configure VPN client on your ASA firewall which is behind your Cisco 871w?
    Thanks,
    Jonathan

    Replies
    1. Hi Jonathan,

      There are different kinds of VPN. Which one are you specifically referring to?

      I posted several VPNs on my other security blog. You could check it from there.

  2. John,
    Thanks for the reply. Based on your network diagram for your home lab, I'm interested in the VPN on the ASA behind the 871w router. I haven't seen that blog.
    Thanks,
    Jonathan

  3. Hi John, any thoughts on this? Again, I'm looking at your network setup. If you were to setup AnyConnect VPN on your ASA which is behind your 871w router, how would you configure your Router and ASA to allow access.
