Tuesday, October 18, 2016

Crypto PKI config

CA Server config on ASR 1k:
###########################
ntp server 9.27.14.135
ip http server

crypto key generate rsa modulus 1024 label ASR_CA_KEY exportable

crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco123

crypto pki server cisco
 database level complete
 no database archive
 issuer-name CN=CA.cisco.com,OU=TAC
 grant auto

Download the CA certificate and import it into ISE as a trusted certificate:
crypto pki export cisco pem terminal

Client config:
###############
ntp server 9.27.14.135
ip http server

crypto key generate rsa modulus 1024 label SPOKE_KEY exportable

crypto ca trustpoint cisco
enrollment url http://9.27.14.135:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
auto-enroll
exit

crypto pki authenticate cisco
######################################################################################

CA Server logs:

AAA_UUT_ASR(config)#crypto key zeroize rsa ASR_CA_KEY
% Keys to be removed are named 'ASR_CA_KEY'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#$generate rsa modulus 1024 label ASR_CA_KEY exportable  
The name for the keys will be: ASR_CA_KEY

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)

AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco$
% Key name: ASR_CA_KEY
   Usage: General Purpose Key
Exporting public key...
Destination filename [ASR_CA_KEY.pub]?
Writing file to nvram:ASR_CA_KEY.pub
Exporting private key...
Destination filename [ASR_CA_KEY.prv]?
Writing file to nvram:ASR_CA_KEY.prv
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#do show run | s crypto
AAA_UUT_ASR(config)#crypto pki server cisco
AAA_UUT_ASR(cs-server)# database level complete
AAA_UUT_ASR(cs-server)# no database archive
AAA_UUT_ASR(cs-server)# issuer-name CN=CA.cisco.com,OU=TAC
AAA_UUT_ASR(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

% Certificate Server enabled.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#gra
AAA_UUT_ASR(cs-server)#grant au
AAA_UUT_ASR(cs-server)#grant auto
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#do show crypto pki server
Certificate Server cisco:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA.cisco.com,OU=TAC
    CA cert fingerprint: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 15:12:23 UTC Sep 19 2019
    CRL NextUpdate timer: 21:12:30 UTC Sep 19 2016
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR#show run | s crypto
crypto pki server cisco
 database level complete
 no database archive
 issuer-name CN=CA.cisco.com,OU=TAC
 grant auto
crypto pki trustpoint cisco
 revocation-check crl
 rsakeypair cisco
crypto pki certificate chain cisco
 certificate ca 01
        quit
AAA_UUT_ASR#

#########################################################################################

AAA_EDISON(config)#crypto ca trustpoint cisco
AAA_EDISON(ca-trustpoint)#enrollment url http://9.27.14.135:80
AAA_EDISON(ca-trustpoint)#subject-name CN=Spoke.cisco.com,OU=TAC
AAA_EDISON(ca-trustpoint)#revocation-check crl
AAA_EDISON(ca-trustpoint)#auto-enroll
AAA_EDISON(ca-trustpoint)#exit
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
      Fingerprint SHA1: 80259439 3C6ECA01 BFE5D908 A4189328 16F55C17

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
Sep 19 15:18:50.257: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Sep 19 15:18:50.281: CRYPTO_PKI:  Certificate Request Fingerprint MD5: FE8F9DB3 AEC3DEA9 CF8A747B E4B42F00
Sep 19 15:18:50.282: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: D09B976F DB0025D2 4F46ECD7 6D80E32D 76F9525C
Sep 19 15:18:55.784: %PKI-6-CERTRET: Certificate received from Certificate Authority
Sep 19 15:18:55.784: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#^Z
AAA_EDISON#
AAA_EDISON#
AAA_EDISON#wr
Sep 19 15:19:28.449: %SYS-5-CONFIG_I: Configured from console by client1 on console
Building configuration...
[OK]
AAA_EDISON#
AAA_EDISON#
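The `crypto pki authenticate cisco` prompt above shows the MD5 and SHA1 fingerprints of the CA certificate the spoke just downloaded over plain HTTP, and they should be compared against the `CA cert fingerprint` printed by `show crypto pki server` on the ASR (3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B) before answering yes. The script below is an added example, not part of the original notes: it takes a PEM as produced by `crypto pki export cisco pem terminal`, computes the fingerprints in the same 8-hex-digit grouping IOS prints, and compares them with a fingerprint pasted from either device's output. The embedded PEM body is a constructed placeholder, not the lab CA certificate.

```python
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: the base64 body "YWJj" decodes
# to b"abc" so the expected digests are well-known values.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

def pem_to_der(pem_text):
    """Strip the BEGIN/END armor lines and base64-decode the body to DER bytes."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)

def ios_fingerprint(der, algo):
    """Hash the DER and render it the way IOS does: uppercase hex in groups of 8."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def fingerprints(pem_text):
    """Both fingerprints IOS shows at 'crypto pki authenticate'."""
    der = pem_to_der(pem_text)
    return {"md5": ios_fingerprint(der, "md5"), "sha1": ios_fingerprint(der, "sha1")}

def normalize(fp):
    """Make a pasted fingerprint comparable regardless of spaces, colons or case."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def matches(pem_text, expected_fp):
    """True if expected_fp (pasted from 'show crypto pki server' on the CA or
    from the Fingerprint MD5/SHA1 lines on the client) matches this PEM."""
    want = normalize(expected_fp)
    return any(normalize(fp) == want for fp in fingerprints(pem_text).values())

if __name__ == "__main__":
    fps = fingerprints(SAMPLE_PEM)
    print("MD5 :", fps["md5"])
    print("SHA1:", fps["sha1"])
```

Paste the real PEM from the ASR in place of `SAMPLE_PEM` and feed the fingerprint from the spoke's prompt to `matches()`; a mismatch means the spoke did not receive the CA's certificate.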

Configure CA cert for ISE

1. Generate a CSR from ISE
2. Save the CSR in .pem format
3. Follow the step below

AAA_UUT_ASR#crypto pki server cisco request pkcs10 terminal pem
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

% Granted certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

AAA_UUT_ASR#

4. Save the certificate to a file
5. Under the CSR tab in ISE, select the CSR and click "Bind certificate"
6. Upload the certificate saved in step 4 and select "EAP-TLS and RADIUS-DTLS"
7. Execute the command below on the CA server to export the CA certificate

AAA_UUT_ASR(config)#crypto pki export cisco pem terminal
% The specified trustpoint is not enrolled (cisco).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#

8. Save the certificate above and add it under "Trusted certificates" in ISE