CA Server config on ASR 1k:
###########################
ntp server 9.27.14.135
ip http server
crypto key generate rsa modulus 1024 label ASR_CA_KEY exportable
crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco123
crypto pki server cisco
database level complete
no database archive
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
Download CA certificate and import to ISE as trusted certificate
crypto pki export cisco pem terminal
Client config:
###############
ntp server 9.27.14.135
ip http server
crypto key generate rsa modulus 1024 label SPOKE_KEY exportable
crypto ca trustpoint cisco
enrollment url http://9.27.14.135:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
auto-enroll
exit
crypto pki authenticate cisco
######################################################################################
CA Server logs:
AAA_UUT_ASR(config)#crypto key zeroize rsa ASR_CA_KEY
% Keys to be removed are named 'ASR_CA_KEY'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#$generate rsa modulus 1024 label ASR_CA_KEY exportable
The name for the keys will be: ASR_CA_KEY
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco$
% Key name: ASR_CA_KEY
Usage: General Purpose Key
Exporting public key...
Destination filename [ASR_CA_KEY.pub]?
Writing file to nvram:ASR_CA_KEY.pub
Exporting private key...
Destination filename [ASR_CA_KEY.prv]?
Writing file to nvram:ASR_CA_KEY.prv
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#do show run | s crypto
AAA_UUT_ASR(config)#crypto pki server cisco
AAA_UUT_ASR(cs-server)# database level complete
AAA_UUT_ASR(cs-server)# no database archive
AAA_UUT_ASR(cs-server)# issuer-name CN=CA.cisco.com,OU=TAC
AAA_UUT_ASR(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#gra
AAA_UUT_ASR(cs-server)#grant au
AAA_UUT_ASR(cs-server)#grant auto
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#do show crypto pki server
Certificate Server cisco:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA.cisco.com,OU=TAC
CA cert fingerprint: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 15:12:23 UTC Sep 19 2019
CRL NextUpdate timer: 21:12:30 UTC Sep 19 2016
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR#show run | s crypto
crypto pki server cisco
database level complete
no database archive
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco
crypto pki certificate chain cisco
certificate ca 01
30820223 3082018C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
25310C30 0A060355 040B1303 54414331 15301306 03550403 130C4341 2E636973
636F2E63 6F6D301E 170D3136 30393138 32323132 32335A17 0D313930 39313832
32313232 335A3025 310C300A 06035504 0B130354 41433115 30130603 55040313
0C43412E 63697363 6F2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003
818D0030 81890281 8100A4A0 6D117950 649A5D19 330FC3AA 5A71BD23 5B887343
92CE154A A2B600B1 E2439D5D 95739605 1A1F13BB 5628AA17 6EA5A9E8 890C905D
A073D5D3 27D76509 1697BE53 31DC1AEF C264C74B DF64C7FF 846979F4 286F9DED
A092B29C 7E220EF6 7CABFD79 67DAE9DC 5DBE5289 5CFBEDCD 992D1C7F 13B39B46
2FB1E8D4 B75D9432 FA090203 010001A3 63306130 0F060355 1D130101 FF040530
030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680
14019B3D 9A21C288 8781A56F DA73ADAD 0EBF57AB 93301D06 03551D0E 04160414
019B3D9A 21C28887 81A56FDA 73ADAD0E BF57AB93 300D0609 2A864886 F70D0101
04050003 81810018 C376715A 5CE20C23 91D7B3C9 771C1BDF E5F20DED 37486819
143781D4 14187BC2 894DEC6A 9C39DA24 33B4B9A9 6D6D16FC 11A52BF7 2C2D37D8
DCF961D7 81124F99 FC11BD9C 1F1E277A AF6B6728 1727BCC9 1363DD59 F06AAA35
2E94C00D 68AF67C3 93C3151A 1CC291C6 5AEF22FC 8E962785 AE3E6679 6E357850
29E27FA0 67FD00
quit
AAA_UUT_ASR#
#########################################################################################
AAA_EDISON(config)#crypto ca trustpoint cisco
AAA_EDISON(ca-trustpoint)#enrollment url http://9.27.14.135:80
AAA_EDISON(ca-trustpoint)#subject-name CN=Spoke.cisco.com,OU=TAC
AAA_EDISON(ca-trustpoint)#revocation-check crl
AAA_EDISON(ca-trustpoint)#auto-enroll
AAA_EDISON(ca-trustpoint)#exit
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#crypto pki authenticate cisco
Certificate has the following attributes:
Fingerprint MD5: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
Fingerprint SHA1: 80259439 3C6ECA01 BFE5D908 A4189328 16F55C17
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
Sep 19 15:18:50.257: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Sep 19 15:18:50.281: CRYPTO_PKI: Certificate Request Fingerprint MD5: FE8F9DB3 AEC3DEA9 CF8A747B E4B42F00
Sep 19 15:18:50.282: CRYPTO_PKI: Certificate Request Fingerprint SHA1: D09B976F DB0025D2 4F46ECD7 6D80E32D 76F9525C
Sep 19 15:18:55.784: %PKI-6-CERTRET: Certificate received from Certificate Authority
Sep 19 15:18:55.784: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#^Z
AAA_EDISON#
AAA_EDISON#
AAA_EDISON#wr
Sep 19 15:19:28.449: %SYS-5-CONFIG_I: Configured from console by client1 on console
Building configuration...
[OK]
AAA_EDISON#
AAA_EDISON#
###########################
ntp server 9.27.14.135
ip http server
crypto key generate rsa modulus 1024 label ASR_CA_KEY exportable
crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco123
crypto pki server cisco
database level complete
no database archive
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
Download CA certificate and import to ISE as trusted certificate
crypto pki export cisco pem terminal
Client config:
###############
ntp server 9.27.14.135
ip http server
crypto key generate rsa modulus 1024 label SPOKE_KEY exportable
crypto ca trustpoint cisco
enrollment url http://9.27.14.135:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
auto-enroll
exit
crypto pki authenticate cisco
######################################################################################
CA Server logs:
AAA_UUT_ASR(config)#crypto key zeroize rsa ASR_CA_KEY
% Keys to be removed are named 'ASR_CA_KEY'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#$generate rsa modulus 1024 label ASR_CA_KEY exportable
The name for the keys will be: ASR_CA_KEY
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco$
% Key name: ASR_CA_KEY
Usage: General Purpose Key
Exporting public key...
Destination filename [ASR_CA_KEY.pub]?
Writing file to nvram:ASR_CA_KEY.pub
Exporting private key...
Destination filename [ASR_CA_KEY.prv]?
Writing file to nvram:ASR_CA_KEY.prv
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#do show run | s crypto
AAA_UUT_ASR(config)#crypto pki server cisco
AAA_UUT_ASR(cs-server)# database level complete
AAA_UUT_ASR(cs-server)# no database archive
AAA_UUT_ASR(cs-server)# issuer-name CN=CA.cisco.com,OU=TAC
AAA_UUT_ASR(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#gra
AAA_UUT_ASR(cs-server)#grant au
AAA_UUT_ASR(cs-server)#grant auto
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#do show crypto pki server
Certificate Server cisco:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA.cisco.com,OU=TAC
CA cert fingerprint: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 15:12:23 UTC Sep 19 2019
CRL NextUpdate timer: 21:12:30 UTC Sep 19 2016
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR#show run | s crypto
crypto pki server cisco
database level complete
no database archive
issuer-name CN=CA.cisco.com,OU=TAC
grant auto
crypto pki trustpoint cisco
revocation-check crl
rsakeypair cisco
crypto pki certificate chain cisco
certificate ca 01
30820223 3082018C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
25310C30 0A060355 040B1303 54414331 15301306 03550403 130C4341 2E636973
636F2E63 6F6D301E 170D3136 30393138 32323132 32335A17 0D313930 39313832
32313232 335A3025 310C300A 06035504 0B130354 41433115 30130603 55040313
0C43412E 63697363 6F2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003
818D0030 81890281 8100A4A0 6D117950 649A5D19 330FC3AA 5A71BD23 5B887343
92CE154A A2B600B1 E2439D5D 95739605 1A1F13BB 5628AA17 6EA5A9E8 890C905D
A073D5D3 27D76509 1697BE53 31DC1AEF C264C74B DF64C7FF 846979F4 286F9DED
A092B29C 7E220EF6 7CABFD79 67DAE9DC 5DBE5289 5CFBEDCD 992D1C7F 13B39B46
2FB1E8D4 B75D9432 FA090203 010001A3 63306130 0F060355 1D130101 FF040530
030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680
14019B3D 9A21C288 8781A56F DA73ADAD 0EBF57AB 93301D06 03551D0E 04160414
019B3D9A 21C28887 81A56FDA 73ADAD0E BF57AB93 300D0609 2A864886 F70D0101
04050003 81810018 C376715A 5CE20C23 91D7B3C9 771C1BDF E5F20DED 37486819
143781D4 14187BC2 894DEC6A 9C39DA24 33B4B9A9 6D6D16FC 11A52BF7 2C2D37D8
DCF961D7 81124F99 FC11BD9C 1F1E277A AF6B6728 1727BCC9 1363DD59 F06AAA35
2E94C00D 68AF67C3 93C3151A 1CC291C6 5AEF22FC 8E962785 AE3E6679 6E357850
29E27FA0 67FD00
quit
AAA_UUT_ASR#
#########################################################################################
AAA_EDISON(config)#crypto ca trustpoint cisco
AAA_EDISON(ca-trustpoint)#enrollment url http://9.27.14.135:80
AAA_EDISON(ca-trustpoint)#subject-name CN=Spoke.cisco.com,OU=TAC
AAA_EDISON(ca-trustpoint)#revocation-check crl
AAA_EDISON(ca-trustpoint)#auto-enroll
AAA_EDISON(ca-trustpoint)#exit
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#crypto pki authenticate cisco
Certificate has the following attributes:
Fingerprint MD5: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
Fingerprint SHA1: 80259439 3C6ECA01 BFE5D908 A4189328 16F55C17
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
Sep 19 15:18:50.257: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Sep 19 15:18:50.281: CRYPTO_PKI: Certificate Request Fingerprint MD5: FE8F9DB3 AEC3DEA9 CF8A747B E4B42F00
Sep 19 15:18:50.282: CRYPTO_PKI: Certificate Request Fingerprint SHA1: D09B976F DB0025D2 4F46ECD7 6D80E32D 76F9525C
Sep 19 15:18:55.784: %PKI-6-CERTRET: Certificate received from Certificate Authority
Sep 19 15:18:55.784: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#^Z
AAA_EDISON#
AAA_EDISON#
AAA_EDISON#wr
Sep 19 15:19:28.449: %SYS-5-CONFIG_I: Configured from console by client1 on console
Building configuration...
[OK]
AAA_EDISON#
AAA_EDISON#
