IOS CA Server and Cisco Secure ACS

According to CCIE Security Proctor Yusuf Bhaiji in his recent Ask The Expert Q&A, the Microsoft CA server is no longer on the lab.  He also names IOS as the Certificate Authority server in the Security Lab.  That also leaves a remote possibility that an ASA could be used as a CA server.  Additionally, Bhaiji notes that there will be no direct access to the ACS server.  Certain scenarios could require a certificate to be placed on the ACS server, so how is this possible?  This post will outline installing a certificate on an ACS server without direct access to it.  We will use an IOS based CA server to demonstrate.

We will start by configuring the Certificate Authority (CA) on our router.  There are only a few commands necessary to achieve this.  The first step is to create our key pair.  The router would generate one for us automatically, but if we create it ourselves with the same label as the CA, we can mark it as exportable.  This is important in case we want to back up the CA.

MyCA(config)#ip domain-name mylab.com
MyCA(config)#crypto key generate rsa general-keys modulus 1024 label MyCA exportable

The name for the keys will be: MyCA
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable…[OK]

MyCA#show crypto key mypubkey rsa

% Key pair was generated at: 12:44:14 UTC Aug 22 2009
Key name: MyCA
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B74654
1261FF2F 557761EC 069F5D23 E02625E7 B7D1004E F2A87678 2C121F77 242CFE3C
58500DCC 2F9C3F16 B06773CA CEF6C7AC 21C48BF7 FC7EB304 E9E8A9A3 EE23F4BC
2F7A7822 F137D3E0 74E56752 73219727 A390AEFD 65B478D1 C00FF2AA 750D303D
4D48E15D 2C5DAF06 6BD079A9 8D9B6A11 0D302D50 E2C9EDAC 5145F9F7 7F020301 0001
% Key pair was generated at: 12:44:14 UTC Aug 22 2009

Before we start, let’s get an idea of what files are stored on NVRAM.  This is the default storage location for the certificates and it would be nice to see what files are added as we configure the services and issue certificates.

MyCA#dir nvram:

Directory of nvram:/
477  -rw-        1601                    <no date>  startup-config
478  ----          24                    <no date>  private-config
479  -rw-        1601                    <no date>  underlying-config
1  ----           4                    <no date>  rf_cold_starts
2  -rw-           0                    <no date>  ifIndex-table
3  ----          48                    <no date>  persistent-data
4  -rw-        2945                    <no date>  cwmp_inventory

Now we can start configuring the CA server.

Prerequisite: “ip http server” must be enabled, since the IOS CA serves SCEP enrollment and the CRL over HTTP.

crypto pki server MyCA
database level complete
issuer-name cn=MyCA, dc=mylab, dc=com
hash sha1
lifetime crl 96
lifetime ca-certificate 365
lifetime enrollment-request 48
cdp-url http://10.1.1.150/cgi-bin/pkiclient.exe?GetCRL
! Start the server; IOS prompts for a passphrase that protects the CA key archive.
no shutdown

Tip: to enter a literal “?” in an IOS command line, press Ctrl-V first; otherwise IOS treats it as a request for help.

Note: The CDP URL is the URL stored in each issued certificate that tells clients where to fetch the certificate revocation list.  If we had only IOS (SCEP) clients, we could have used http://10.1.1.150/MyCA.crl.  The URL above is found in the PKI section of the “Configuring Secure Connectivity” documentation.  Also, it is a good idea to run “show crypto pki server MyCA” to verify that the CA is up and running.

Let’s go ahead and copy the CA’s root certificate to the ACS server.  We may be used to having direct access to the storage on the ACS server.  However, there is a TFTP server daemon installed and listening.  All files that are copied to the server will be found in the “c:\program files\cattools3\tftp” directory.  So we will simply TFTP the root certificate to the server and reference it from that directory in the ACS web interface.

MyCA(config)#crypto pki export MyCA pem url tftp://10.1.1.100/MyCA.pem.ca

% The specified trustpoint is not enrolled (MyCA).
% Only export the CA certificate in PEM format.
% Exporting CA certificate…
Address or name of remote host [10.1.1.100]?
Destination filename [MyCA.pem.ca]?
Writing file to tftp://10.1.1.100/MyCA.pem.ca

Now we can go to the ACS server and import the root certificate.  Go to System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.  Enter the path to the CA certificate.  In our case it is “c:\program files\cattools3\tftp/MyCA.pem.ca”.  Choose Submit.

Now let’s generate a Certificate Signing Request on the ACS server.  Go to System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.  For the subject, use a valid LDAP format.  I used CN=acs.mylab.com.  For the private key and password, just remember where you specify the file and what password you used.  Set the key length and digest you want.  Choose Submit.

We need to copy the resulting Certificate Signing request to our clipboard so we can paste it into the router terminal.  Simply highlight the request, right click and choose copy.

We can now make the certificate request to our IOS based CA server.  As you can see below, the CSR is pasted straight into the terminal window.

MyCA#crypto pki server MyCA request pkcs10 terminal pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or “quit” on a line by itself.

-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwGDEWMBQGA1UEAxMNYWNzLm15bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALooBj/jYF0kLqsdzlmrjYKfFBihINjM7lgJ
y90lzwin54YhIWoYDD+8MMaahPJgvkxryv/oSdTIaX+zH/l3O7H/hmJ4BOfqQTcX
1Euh6HFxYvN+SRRryS+pjgpQMSqKD96xAJJnrbhWMBGES1tQ9k2dc/UjWSeEHUPV
3a/DOWnBxJGQK7szr97oj9zqox+mCa8ZPE/+gw5KAWkbqJzDAIshgF8goiENA7qS
nn29kAGSxsEQ/+QGD6w+Ijqsd92Jbpn3pt+5tlfP5N/goWgccp82ycuuBzHpNeHA
DYNSDDjJmflE+NkD3hYdPoalY/NqxxXNl7BjUA19tbFDBnAy+scCAwEAAaBlMGMG
CSqGSIb3DQEJDjFWMFQwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBTaOaPuXmtLDTJV
v++VYBiQr9gHCTATBgNVHSUEDDAKBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMC
BkAwDQYJKoZIhvcNAQEFBQADggEBALb95m/P2cXwqUZ1M/HkwqdljDcH0JlOA9Jl
VifYLRnyb1Xfri5/0mTMwWBtbfB9Rql/vCeI3viqSrSiCauhskd0mynFxUPnRahh
qF2F+SHjC9B74pm9Kelb4OUTQkOpeHnY370hnsX6vd9Uo+7Wj3RpOr6VO/5YzOlq
ZYO7S4DgF9Q3UuypB4/mB3TL2bDP9KieIbeMuqf4c7mb3T7kITVf8q/htFo4ZUSX
Hwv8E0XPDOCay85vNzBVOA8axvAA5Vv5yKWWL4hIf6aLESZwXTYu9WAGQDk13Ybe
Q4ttBFWORz4UMcqacHUNqRlEu6HrYrAfbH76bxESwQBxejDaS+g=
-----END CERTIFICATE REQUEST-----
% Enrollment request pending, reqId=1

See what’s in nvram again, so we will know what is new.

MyCA#dir nvram:\

Directory of nvram:/

477  -rw-        1601                    <no date>  startup-config
478  ----          24                    <no date>  private-config
479  -rw-        1601                    <no date>  underlying-config
1  ----           4                    <no date>  rf_cold_starts
2  -rw-           0                    <no date>  ifIndex-table
3  ----          48                    <no date>  persistent-data
4  -rw-        2945                    <no date>  cwmp_inventory
5  -rw-         595                    <no date>  1.crt
6  -rw-          79                    <no date>  1.cnm
7  -rw-          32                    <no date>  MyCA.ser
8  -rw-         258                    <no date>  MyCA.crl
9  -rw-        1643                    <no date>  MyCA_00001.p12

If we didn’t catch the certificate request ID from a couple of commands back, we can check the state of pending requests.

MyCA#show crypto pki server MyCA requests

<--snip-->

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    6EB2ED7003C84D58C30CB68B41BB99B1 cn=acs.mylab.com
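Before granting a request it is worth confirming that what was pasted into the terminal really says what the requester claims: the subject, the key size and the key usages being requested, plus the proof-of-possession check that the request is signed with the private key matching the public key it carries.  The following Python 3 script is an added example, not code from the original post or from Cisco; it uses only the standard library to parse the PKCS#10 request pasted above (the DER walking helpers, the OID table and the function names are mine) and handles the sha1WithRSAEncryption signature this particular request uses.

```python
import base64
import hashlib

# The PKCS#10 request the post pastes into the router (copied from the post above, not constructed).
ACS_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwGDEWMBQGA1UEAxMNYWNzLm15bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALooBj/jYF0kLqsdzlmrjYKfFBihINjM7lgJ
y90lzwin54YhIWoYDD+8MMaahPJgvkxryv/oSdTIaX+zH/l3O7H/hmJ4BOfqQTcX
1Euh6HFxYvN+SRRryS+pjgpQMSqKD96xAJJnrbhWMBGES1tQ9k2dc/UjWSeEHUPV
3a/DOWnBxJGQK7szr97oj9zqox+mCa8ZPE/+gw5KAWkbqJzDAIshgF8goiENA7qS
nn29kAGSxsEQ/+QGD6w+Ijqsd92Jbpn3pt+5tlfP5N/goWgccp82ycuuBzHpNeHA
DYNSDDjJmflE+NkD3hYdPoalY/NqxxXNl7BjUA19tbFDBnAy+scCAwEAAaBlMGMG
CSqGSIb3DQEJDjFWMFQwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBTaOaPuXmtLDTJV
v++VYBiQr9gHCTATBgNVHSUEDDAKBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMC
BkAwDQYJKoZIhvcNAQEFBQADggEBALb95m/P2cXwqUZ1M/HkwqdljDcH0JlOA9Jl
VifYLRnyb1Xfri5/0mTMwWBtbfB9Rql/vCeI3viqSrSiCauhskd0mynFxUPnRahh
qF2F+SHjC9B74pm9Kelb4OUTQkOpeHnY370hnsX6vd9Uo+7Wj3RpOr6VO/5YzOlq
ZYO7S4DgF9Q3UuypB4/mB3TL2bDP9KieIbeMuqf4c7mb3T7kITVf8q/htFo4ZUSX
Hwv8E0XPDOCay85vNzBVOA8axvAA5Vv5yKWWL4hIf6aLESZwXTYu9WAGQDk13Ybe
Q4ttBFWORz4UMcqacHUNqRlEu6HrYrAfbH76bxESwQBxejDaS+g=
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {"2.5.4.3": "CN", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.9.14": "extensionRequest", "2.5.29.15": "keyUsage",
             "2.5.29.37": "extendedKeyUsage", "1.3.6.1.5.5.7.3.1": "serverAuth"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo prefix, SHA-1

def _tlv(buf, pos=0):  # one DER element at buf[pos] -> (tag, contents, offset of the next element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):  # contents of a constructed element -> list of (tag, contents)
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = _tlv(contents, pos)
        out.append((tag, value))
    return out

def _oid(raw):  # OBJECT IDENTIFIER body -> dotted string, or a friendly name when known
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, n = parts + [n], 0
    dotted = ".".join(map(str, parts))
    return OID_NAMES.get(dotted, dotted)

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def parse_csr(pem):
    """Return what an operator should check before 'crypto pki server MyCA grant <id>'."""
    (_, cri), (_, sig_alg), _ = _children(_tlv(pem_to_der(pem))[1])
    fields = [c for _, c in _children(cri)]  # version, subject, SubjectPublicKeyInfo, [0] attributes
    subject, spki, attrs = fields[1], fields[2], fields[3] if len(fields) > 3 else b""
    subject_parts = [f"{_oid(oid)}={value.decode()}"  # Name = SEQUENCE OF SET OF SEQUENCE {OID, value}
                     for _, rdn in _children(subject) for _, atv in _children(rdn)
                     for (_, oid), (_, value) in [_children(atv)]]
    _, key_bits = _children(spki)[1]  # BIT STRING; its first byte is the unused-bits count
    (_, modulus), (_, exponent) = _children(_tlv(key_bits[1:])[1])  # RSAPublicKey {n, e}
    n = int.from_bytes(modulus, "big")
    requested = {}
    for _, attr in _children(attrs):
        (_, attr_oid), (_, values) = _children(attr)
        if _oid(attr_oid) == "extensionRequest":
            for _, ext in _children(_children(values)[0][1]):
                items = _children(ext)  # OID, optional critical BOOLEAN, OCTET STRING holding the value
                name, inner = _oid(items[0][1]), _tlv(items[-1][1])[1]
                requested[name] = inner.hex()  # raw form for extensions not decoded below
                if name == "extendedKeyUsage":
                    requested[name] = [_oid(o) for _, o in _children(inner)]
                elif name == "keyUsage":  # BIT STRING flags, bit 0 is the most significant bit
                    width, flags = 8 * (len(inner) - 1), int.from_bytes(inner[1:], "big")
                    requested[name] = [KEY_USAGE_BITS[i] for i in range(min(width, len(KEY_USAGE_BITS)))
                                       if flags >> (width - 1 - i) & 1]
    return {"subject": ",".join(subject_parts), "modulus": n, "key_bits": n.bit_length(),
            "public_exponent": int.from_bytes(exponent, "big"),
            "signature_algorithm": _oid(_children(sig_alg)[0][1]), "requested_extensions": requested}

def verify_self_signature(pem):  # proof of possession: the request must verify under its own key
    body = _tlv(pem_to_der(pem))[1]
    cri_end = _tlv(body)[2]  # the signed bytes are the complete CertificationRequestInfo TLV
    (_, sig_alg), (_, sig) = _children(body)[1:]
    assert _oid(_children(sig_alg)[0][1]) == "sha1WithRSAEncryption", "only sha1WithRSA is handled here"
    info = parse_csr(pem)
    n, e, k = info["modulus"], info["public_exponent"], (info["key_bits"] + 7) // 8
    em = pow(int.from_bytes(sig[1:], "big"), e, n).to_bytes(k, "big")  # sig[0] is the unused-bits byte
    pad = b"\xff" * (k - 3 - len(SHA1_DIGESTINFO) - 20)
    return em == b"\x00\x01" + pad + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(body[:cri_end]).digest()

if __name__ == "__main__":
    print({k: v for k, v in parse_csr(ACS_CSR_PEM).items() if k != "modulus"})
    print("proof of possession OK:", verify_self_signature(ACS_CSR_PEM))
```

Run it as-is to print the decoded fields: the subject is CN=acs.mylab.com, the key is 2048-bit RSA and the requested extendedKeyUsage is serverAuth, which is what you would expect for a certificate that ACS presents to EAP and HTTPS clients.  If the proof-of-possession check returns False, either the pasted text was altered on its way to the terminal or the requester does not hold the matching private key, and the request should not be granted.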

The next step is to grant the certificate.

MyCA#crypto pki server MyCA grant 1

% Granted certificate:
-----BEGIN CERTIFICATE-----
<--snip--we’ll just copy it from nvram-->

-----END CERTIFICATE-----

If we look at NVRAM again, we should see the new certificate stored as a file.

MyCA#dir nvram:\

Directory of nvram:/

477  -rw-        1601                    <no date>  startup-config
478  ----          24                    <no date>  private-config
479  -rw-        1601                    <no date>  underlying-config
1  ----           4                    <no date>  rf_cold_starts
2  -rw-           0                    <no date>  ifIndex-table
3  ----          48                    <no date>  persistent-data
4  -rw-        2945                    <no date>  cwmp_inventory
5  -rw-          32                    <no date>  CA.ser
6  -rw-         595                    <no date>  1.crt
7  -rw-          79                    <no date>  1.cnm
8  -rw-         760                    <no date>  2.crt
9  -rw-          72                    <no date>  2.cnm
10  -rw-          32                    <no date>  MyCA.ser
11  -rw-         258                    <no date>  MyCA.crl
12  -rw-        1643                    <no date>  MyCA_00001.p12

Next we need to copy the certificate to the ACS server.  This is the file that was newly created above, 2.crt.

MyCA#copy nvram:/2.crt tftp://10.1.1.100/2.crt

Address or name of remote host [10.1.1.100]?
Destination filename [2.crt]?
!!

Back on the ACS server, we can now install the Certificate.  Go to System Configuration > ACS Certificate Setup > Install ACS Certificate.  The private key path should be set as it was originally.  However, we will need to input our password.  Additionally, we will need to type the full path to our certificate file.  My path was “c:\program files\cattools3\2.crt”.  Choose submit.

Restart the ACS services for the new certificate to be applied, and that is really about it.  While working with PKI in general can be quite confusing, this is not that difficult of a task.  However, failure to practice it a time or two prior to taking the lab may result in having to redo your work a couple of times.  I certainly hope you have found this useful.  If you have further comments, feel free to share them below.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

One Response to IOS CA Server and Cisco Secure ACS

  1. EAP-TTLS says:

    As noted companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID will then be mapped to a VLAN on the wired network that segments traffic from specific groups as they would with the conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL Trunking between access point and Ethernet switch.
