5.7. Enrolling a Certificate on a Cisco Router
Simple Certificate Enrollment Protocol (SCEP), designed by Cisco, is a way for a router to communicate with a certificate-issuing authority, such as a CA, to enroll certificates for the router.
Normally, a router installer enters the CA's URL and a challenge password (also called a one-time PIN) into the router and issues a command to initiate the enrollment. The router then communicates with the CA over SCEP to generate, request, and retrieve the certificate. The router can also check the status of a pending request using SCEP. SCEP messages travel over plain HTTP; the request itself is protected as signed and enveloped PKCS#7 data, and the challenge password is what ties the request to an authorized enrollment, so the PIN must be handled as a secret.
5.7.1. Enabling SCEP Enrollments
For security reasons, SCEP enrollments are disabled by default in the CA. To allow routers to be enrolled, SCEP enrollments must be manually enabled for the CA.
- Stop the CA server, so that you can edit the configuration files.
    pki-server stop instance_name
- Open the CA's CS.cfg file.
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg
- Set the ca.scep.enable parameter to true. If the parameter is not present, then add a line with the parameter.
    ca.scep.enable=true
- Restart the CA server.
    pki-server start instance_name
5.7.2. Configuring Security Settings for SCEP
Several different parameters allow administrators to set specific security requirements for SCEP connections, such as not using the same certificate for enrollment authentication and regular certificate enrollments, or setting allowed encryption algorithms to prevent downgrading the connection strength. These parameters are listed in Table 5.1, “Configuration Parameters for SCEP Security”.
Parameter | Description |
---|---|
ca.scep.encryptionAlgorithm | Sets the default or preferred encryption algorithm. |
ca.scep.allowedEncryptionAlgorithms | Sets a comma-separated list of allowed encryption algorithms. |
ca.scep.hashAlgorithm | Sets the default or preferred hash algorithm. |
ca.scep.allowedHashAlgorithms | Sets a comma-separated list of allowed hash algorithms. |
ca.scep.nickname | Gives the nickname of the certificate to use for SCEP communication. The default is to use the CA's key pair and certificate unless this parameter is set. |
ca.scep.nonceSizeLimit | Sets the maximum nonce size, in bytes, allowed for SCEP requests. The default is 16 bytes. |
To set security settings for connections for SCEP enrollments:
- Stop the CA server, so that you can edit the configuration files.
    pki-server stop instance_name
- Open the CA's CS.cfg file.
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg
- Set the desired security parameters, as listed in Table 5.1, "Configuration Parameters for SCEP Security". If a parameter is not already present, then add it to the CS.cfg file.
    ca.scep.encryptionAlgorithm=DES3
    ca.scep.allowedEncryptionAlgorithms=DES3
    ca.scep.hashAlgorithm=SHA1
    ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
    ca.scep.nickname=Server-Cert
    ca.scep.nonceSizeLimit=20
  DES3 and SHA1 appear in this example because older IOS images negotiate nothing stronger; both are weak by current standards. The allowed lists are the downgrade control: a client can only negotiate an algorithm that appears there, so list only the algorithms your routers actually need and remove the weak entries as soon as the router images allow it.
- Restart the CA server.
    pki-server start instance_name
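Sections 5.7.1 and 5.7.2 both come down to editing key=value lines in CS.cfg while the CA is stopped. The following shell functions are an added example, not part of Certificate System: they make those edits idempotent (one line per parameter, replaced if present, appended if absent) and check the resulting allowed-algorithm lists against a set you choose, so a leftover DES3 or SHA1 entry is caught before the CA is restarted. The instance name, the CS.cfg path in configure_scep and the algorithm names passed to the check are assumptions; the CA itself accepts only the names its version knows.

```shell
#!/bin/sh
# Added example (not Certificate System code): idempotent editing of the
# SCEP parameters in a CA's CS.cfg, plus a check on the allowed lists.
# CS.cfg is a flat "key=value" file (taken from the procedure above).

# Set KEY to VALUE in CFG: replace the existing line, or append one.
# Keys contain dots, which the regex treats as wildcards; harmless here
# because no two ca.scep.* keys differ only in a dot position.
set_cfg_param() {
    cfg=$1; key=$2; value=$3
    if grep -q "^${key}=" "$cfg"; then
        # '|' as the sed delimiter: values hold commas and '/', never '|'
        sed "s|^${key}=.*|${key}=${value}|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$key" "$value" >> "$cfg"
    fi
}

# Print the value of KEY from CFG (empty if the key is absent).
get_cfg_param() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if both allowed lists are set and every entry is in WANTED
# (space-separated), 1 otherwise. An unset list falls back to the CA's
# built-in default, which you have not reviewed, so it also fails.
scep_allowed_only() {
    cfg=$1; wanted=$2
    enc=$(get_cfg_param "$cfg" ca.scep.allowedEncryptionAlgorithms)
    hash=$(get_cfg_param "$cfg" ca.scep.allowedHashAlgorithms)
    [ -n "$enc" ] && [ -n "$hash" ] || return 1
    for alg in $(printf '%s,%s' "$enc" "$hash" | tr ',' ' '); do
        case " $wanted " in
            *" $alg "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The documented stop / edit / start sequence, with the check in between.
# Instance name and algorithm choices are assumptions for the example.
configure_scep() {
    inst=$1; cfg=/var/lib/pki/$inst/ca/conf/CS.cfg
    pki-server stop "$inst"
    set_cfg_param "$cfg" ca.scep.enable true
    set_cfg_param "$cfg" ca.scep.encryptionAlgorithm DES3
    set_cfg_param "$cfg" ca.scep.allowedEncryptionAlgorithms DES3
    set_cfg_param "$cfg" ca.scep.hashAlgorithm SHA256
    set_cfg_param "$cfg" ca.scep.allowedHashAlgorithms SHA256,SHA512
    set_cfg_param "$cfg" ca.scep.nonceSizeLimit 20
    if ! scep_allowed_only "$cfg" "DES3 SHA256 SHA512"; then
        echo "CS.cfg allows an algorithm outside the reviewed set; not starting" >&2
        return 1
    fi
    pki-server start "$inst"
}
```

configure_scep leaves the CA stopped when the check fails, which is the safer failure: a CA that starts with an unreviewed algorithm list is accepting enrollments you did not intend to accept.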
5.7.3. Configuring a Router for SCEP Enrollment
Note
Not all versions of Cisco IOS have the relevant crypto features. Make sure that the firmware image has the Certification Authority Interoperability feature. Certificate System SCEP support was tested on a Cisco 2611 router running IOS C2600 Software (C2600-JK9S-M), version 12.2(40), RELEASE SOFTWARE (fc1).
Before enrolling SCEP certificates on the router, make sure that the router is appropriately configured:
- The router must be configured with an IP address, DNS server, and routing information.
- The router's date/time must be correct; the router checks certificate validity periods against its clock.
- The router's hostname and domain name must be configured, because the RSA key pair and the certificate subject are named from them (scep.server.example.com in the examples below).
See the router documentation for instructions on configuring the router hardware.
5.7.4. Generating the SCEP Certificate for a Router
The following procedure details how to generate the SCEP certificate for a router.
- Pick a random PIN. This is the challenge password that the router presents during enrollment, so generate it randomly and treat it as a one-time secret.
- Add the PIN and the router's ID to the flatfile.txt file so that the router can authenticate directly against the CA. For example:
    vim /var/lib/pki/instance_name/ca/conf/flatfile.txt

    UID:172.16.24.238
    PWD:Uojs93wkfd0IS

  Be sure to insert an empty line after the PWD line. The router's IP address can be an IPv4 address or an IPv6 address. Using flat file authentication is described in Section 10.2.4, "Configuring Flat File Authentication".
- Log into the router's console. For this example, the router's name is scep:
    scep>
- Enable privileged commands.
scep> enable
- Enter configuration mode.
scep# conf t
- Import the CA certificate for every CA in the certificate chain, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router:
    scep(config)# crypto ca trusted-root1
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 1
    scep(config)# crypto ca trusted-root0
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 0
- Set up a CA identity, and enter the URL to access the SCEP enrollment profile. For example, for the CA:
    scep(config)# crypto ca identity CA
    scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin
    scep(ca-identity)# crl optional
- Get the CA's certificate. The certificate is fetched over plain HTTP, so before answering yes, compare the displayed fingerprint with one obtained out of band from the CA administrator; a wrong certificate accepted here makes every later SCEP exchange trust the wrong CA.
    scep(config)# crypto ca authenticate CA
    Certificate has the following attributes:
    Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57
    % Do you accept this certificate? [yes/no]: yes
- Generate an RSA key pair. The router offers a 512-bit default; a modulus that small is factorable and must not be used for a production certificate. Enter the largest size the image supports (2048 on this image).
    scep(config)# crypto key generate rsa
    The name for the keys will be: scep.server.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]:
    Generating RSA keys ...
    [OK]
- Lastly, generate the certificate on the router. When prompted for the challenge password, enter the PIN that was added to flatfile.txt; the CA checks it against the PWD recorded for the router's UID.
    scep(config)# crypto ca enroll CA
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
      password to the CA Administrator in order to revoke your certificate.
      For security reasons your password will not be saved in the configuration.
      Please make a note of it.

    Password: secret
    Re-enter password: secret

    % The subject name in the certificate will be: scep.server.example.com
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: 57DE391C
    % Include an IP address in the subject name? [yes/no]: yes
    % Interface: Ethernet0/0
    % Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.
    % Fingerprint: D89DB555 E64CC2F7 123725B4 3DBDF263

    Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
- Close configuration mode.
scep(config)# exit
- To make sure that the router was properly enrolled, list all of the certificates stored on the router.
    scep# show crypto ca certificates
    Certificate
      Status: Available
      Certificate Serial Number: 0C
      Key Usage: General Purpose
      Issuer:
        CN = Certificate Authority
         O = Sfbay Red hat Domain 20070111d12
      Subject Name Contains:
        Name: scep.server.example.com
        IP Address: 10.14.1.94
        Serial Number: 57DE391C
      Validity Date:
        start date: 21:42:40 UTC Jan 12 2007
        end   date: 21:49:50 UTC Dec 31 2008
      Associated Identity: CA

    CA Certificate
      Status: Available
      Certificate Serial Number: 01
      Key Usage: Signature
      Issuer:
        CN = Certificate Authority
         O = Sfbay Red hat Domain 20070111d12
      Subject:
        CN = Certificate Authority
         O = Sfbay Red hat Domain 20070111d12
      Validity Date:
        start date: 21:49:50 UTC Jan 11 2007
        end   date: 21:49:50 UTC Dec 31 2008
      Associated Identity: CA
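The CA-side steps of the procedure above (pick a random PIN, write the UID/PWD record into flatfile.txt with its trailing blank line) and the out-of-band check behind the "Do you accept this certificate?" prompt are easy to get wrong by hand. The following shell functions are an added example, not Certificate System or Cisco code. The flatfile.txt record format is taken from the procedure; that the router's 16-byte fingerprint is the MD5 of the DER-encoded CA certificate, printed as four groups of eight upper-case hex digits, is an assumption about this IOS release (later releases label the hash explicitly), and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Certificate System or Cisco code): the CA-side half of
# the SCEP enrollment procedure, plus the fingerprint comparison that
# should happen before "crypto ca authenticate" is answered with yes.

# Random alphanumeric PIN of LEN characters (default 16). This is the
# challenge password the router operator types at the "Password:" prompt.
gen_pin() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
}

# Append a UID/PWD record to FLATFILE. The record format (UID line, PWD
# line, then an empty line) is the one the procedure requires. A second
# record for the same UID would leave the CA with two PINs for one router,
# so it is refused (return 1).
add_flatfile_entry() {
    flatfile=$1; uid=$2; pin=$3
    if [ -f "$flatfile" ] && grep -q "^UID:${uid}\$" "$flatfile"; then
        return 1
    fi
    printf 'UID:%s\nPWD:%s\n\n' "$uid" "$pin" >> "$flatfile"
}

# Number of records currently in FLATFILE.
count_flatfile_entries() {
    grep -c '^UID:' "$1"
}

# Convert a PEM certificate to DER (assumption: the CA exported PEM).
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# MD5 over the DER-encoded certificate, formatted like the router prompt
# ("145E3825 31998BA7 F001EA9A B4001F57" in the procedure). Assumption:
# that prompt shows the MD5 of the DER certificate.
ios_md5_fingerprint() {
    der=$1
    if command -v md5sum >/dev/null 2>&1; then
        sum=$(md5sum "$der" | cut -d' ' -f1)
    else
        sum=$(openssl dgst -md5 -r "$der" | cut -d' ' -f1)
    fi
    printf '%s\n' "$sum" | tr 'a-f' 'A-F' | sed 's/\(........\)/\1 /g; s/ $//'
}

# 0 if the fingerprint the router displayed (EXPECTED) matches the CA
# certificate we hold; only then should the operator answer yes.
fingerprint_matches() {
    [ "$(ios_md5_fingerprint "$1")" = "$2" ]
}
```

Generate the PIN on the CA host, add the record, and hand the PIN to the router operator over a channel other than the SCEP URL; compute the fingerprint from the CA certificate you already hold, not from anything fetched through the router, so the comparison is actually independent of the HTTP path.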
5.7.5. Working with Subordinate CAs
Before a router can authenticate to a CA, every CA certificate in the CA's certificate chain must be imported into the router, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router:
    scep(config)# crypto ca trusted-root1
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 1
    scep(config)# crypto ca trusted-root0
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 0
If the CA certificates do not have the CRL distribution point extension set, turn off the CRL requirement by setting it to optional:
    scep(ca-root)# crl optional
After that, set up the CA identity as described in Section 5.7.4, “Generating the SCEP Certificate for a Router”.
5.7.6. Re-enrolling a Router
Before a router can be re-enrolled with new certificates, the existing configuration has to be removed.
- Remove (zeroize) the existing keys.
    scep(config)# crypto key zeroize rsa
    % Keys to be removed are named scep.server.example.com.
    Do you really want to remove these keys? [yes/no]: yes
- Remove the CA identity.
    scep(config)# no crypto ca identity CA
    % Removing an identity will destroy all certificates received from the related Certificate Authority.

    Are you sure you want to do this? [yes/no]: yes
    % Be sure to ask the CA administrator to revoke your certificates.

    No enrollment sessions are currently active.
5.7.7. Enabling Debugging
The router provides additional debugging during SCEP operations by enabling the debug statements.
    scep# debug crypto pki callbacks
    Crypto PKI callbacks debugging is on
    scep# debug crypto pki messages
    Crypto PKI Msg debugging is on
    scep# debug crypto pki transactions
    Crypto PKI Trans debugging is on
    scep# debug crypto verbose
    verbose debug output debugging is on
5.7.8. Issuing ECC Certificates with SCEP
By default, an ECC CA does not support SCEP out of the box. However, it is possible to work around this by using a designated RSA certificate for each of the following two roles:
- encryption/decryption certificate: designate an RSA certificate that has encryption/decryption capability (scepRSAcert in the following example)
- signature certificate: obtain an RSA certificate to use on the client side for signing, instead of a self-signed one (signingCert in the following example)
For example, with scepRSAcert as the encrypt/decrypt certificate and signingCert as the signing certificate:
    sscep enroll -c ca.crt -e scepRSAcert.crt -k local.key -r local.csr \
        -K sign.key -O sign.crt -E 3des -S sha256 -l cert.crt \
        -u 'http://example.example.com:8080/ca/cgi-bin/pkiclient.exe'