Using PKI with a third-party certificate on Cisco routers

Submitted by reuben on Wed, 21/06/2006 - 20:52

I've spent a few hours working on this one lately, and thought for future reference I would document it here.  The process itself is quite straightforward, but as with all things PKI-related, you MUST have the files and certificates in the right format and follow the steps in the right order, or it just won't work (and may not even tell you why).

PKI certificates are useful for a number of things.  I need mine for WebVPN, but you can also use one for HTTPS management of your router, and I believe you can use it for IPsec, authenticating peers with certificates instead of shared keys.

Firstly, you need to be running an IOS image which supports crypto.  I am using an ADVSECURITY-K9 image on my router.

Then create a trustpoint.  In IOS a trustpoint is the configuration object that names a certificate authority (CA) you have chosen to trust, together with the settings for enrolling with it.  The idea is that once you have authenticated the CA's root certificate, the router will trust any other certificate that chains back to that root.
The root certificate itself is self-signed, since a root CA has nobody above it to vouch for it; that is what makes it a point of trust rather than something the router can verify.  Your own router certificate, by contrast, will be signed by the CA, not by you.

Paste this into your router, changing anything in [HERE] to whatever is appropriate for you.  For example, I need to change fqdn [FQDN.MYROUTER.ME] to fqdn router.reub.net.

router(config)#crypto pki trustpoint cacert.org
router(ca-trustpoint)#enrollment terminal pem
router(ca-trustpoint)#fqdn [FQDN.MYROUTER.ME]
router(ca-trustpoint)#subject-name C=[COUNTRY], ST=[STATE], O=[DOMAIN], OU=[MY ROLE], CN=[FQDN.MYROUTER.ME]/emailAddress=[MY EMAIL ADDRESS]
router(ca-trustpoint)#revocation-check none
router(ca-trustpoint)#rsakeypair [FQDN.MYROUTER.ME] 1024

Two of these lines deserve a second look.  The revocation-check none line tells the router not to consult a CRL or OCSP responder when it validates a certificate under this trustpoint.  That is convenient when the CA does not publish a CRL the router can reach, but it also means a peer certificate (a WebVPN client certificate, say) will still be accepted after the CA revokes it, so use crl or ocsp instead if this trustpoint will ever validate anybody's certificate but your own.  The 1024 in the rsakeypair line is the RSA modulus size; 1024-bit keys were normal in 2006 but are no longer considered adequate, and a public CA will not sign one today, so use at least 2048 and keep this number the same as the modulus you generate in the next step.

Then create the RSA key pair the trustpoint refers to.  Start by wiping any old keys you have, so that you are starting from a clean slate:

router(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]:

Answer yes.  Note that this removes every RSA key on the router, including the one SSH uses, and every certificate issued for those keys; SSH will not work again until you generate a new key.  If you have a reason to keep a particular RSA key already on the router, skip this step.

Now create the keys:

router(config)#crypto key generate rsa general-keys label [FQDN.MYROUTER.ME] exportable modulus 1024

Marking the key exportable lets you back up the private key, so you can keep using the same key and certificate if the router is replaced or its configuration is corrupted or wiped.  The trade-off is that anyone who can read that backup (or run the export command on the router) has your private key, so encrypt the exported file with a strong passphrase and guard it like any other credential.  A key generated without exportable can never be exported later; if you don't need the backup, leave the keyword out and simply enroll again on a replacement router.

The next step is to import the CA's root certificate; IOS calls this authenticating the trustpoint.  In my case I use www.cacert.org, and I can find their root certificate on their homepage.

router(config)#crypto pki authenticate cacert.org
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<certificate content here>
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
      Fingerprint MD5: <actual finger print>
      Fingerprint SHA1: <actual finger print>
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
router(config)#

Before answering yes, compare the fingerprint the router prints with one you obtained some other way: the fingerprint the CA publishes, or one you compute yourself from the file you downloaded.  This prompt is the only point at which you can catch a substituted or corrupted root certificate, and every certificate the router accepts from now on hangs off this decision.

Your trustpoint is now set up.

The next step is to create a CSR (certificate signing request):

router(config)#crypto pki enroll cacert.org
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=router.reub.net
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIBgDCB6gIBADAPMQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
[snip]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
router(config)#

This CSR is what you submit to your CA.  They sign it and return a signed certificate, which you then import like this:

router(config)#crypto pki import cacert.org certificate
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<paste the certificate content here>
-----END CERTIFICATE-----
% Router Certificate successfully imported
router(config)#

You should now be set to go.
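Two of the steps above are the ones where a mistake is hardest to notice afterwards: accepting the CA certificate at the fingerprint prompt, and importing the certificate the CA sends back.  The script below is an added example, not part of the original post, showing the checks to run on your workstation before answering those prompts, using nothing but openssl.  It compares a downloaded CA certificate's SHA-1 fingerprint with the one the router displays (accepting both openssl's colon-separated form and the router's space-grouped form), and it confirms that a returned certificate both verifies against that CA and carries the public key from the CSR the router printed.  The CA, CSR and certificates it uses are generated locally as stand-ins so that it runs offline; the names Example Root, router.example.net and someone-else are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks with openssl
# around the two "paste a certificate into the router" steps.
#   1. Before answering "yes" at the fingerprint prompt of
#      "crypto pki authenticate", compare the fingerprint of the CA
#      certificate file you downloaded with what the router shows.
#   2. Before "crypto pki import ... certificate", check that the returned
#      certificate verifies against that CA and carries the public key of
#      the CSR the router printed.
# The CA, CSR and certificates below are constructed locally as stand-ins
# so the script runs offline; every name in them is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
    # Throwaway self-signed root, standing in for the third-party CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/O=Example CA/CN=Example Root" 2>/dev/null
    # A CSR like the one "crypto pki enroll" prints; the key stays private.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/router.key" \
        -out "$WORK/router.csr" -subj "/CN=router.example.net" 2>/dev/null
    # What the CA sends back after signing the CSR.
    openssl x509 -req -in "$WORK/router.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/router.pem" 2>/dev/null
    # An unrelated self-signed certificate, to show the checks rejecting it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" \
        -subj "/CN=someone-else" 2>/dev/null
}

# Normalise a fingerprint to lower-case hex with no separators, so that
# openssl's "AB:CD:..." and the router's "ABCDEF01 23456789 ..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Step 1: is the SHA-1 fingerprint of CAFILE the one the router showed?
# Usage: ca_fingerprint_matches CAFILE "fingerprint as shown on the router"
ca_fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//')
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# Step 2a: does CERTFILE verify against the root in CAFILE?
# Usage: cert_chains_to_ca CAFILE CERTFILE
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 2b: does CERTFILE contain the same public key as CSRFILE?  If not, it
# is not a certificate for the key pair the router generated, whatever its
# subject name says.  Usage: cert_matches_csr CSRFILE CERTFILE
cert_matches_csr() {
    csr_key=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    cert_key=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$csr_key" = "$cert_key" ]
}

make_fixtures

# Stand-in for the "Fingerprint SHA1:" line the router prints; in real use
# you copy that value from the router prompt rather than computing it here.
ROUTER_SHOWN=$(openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha1 | sed 's/^.*=//')
if ca_fingerprint_matches "$WORK/ca.pem" "$ROUTER_SHOWN"; then
    echo "CA fingerprint matches the downloaded root: safe to answer yes"
else
    echo "CA fingerprint MISMATCH: answer no and find out why" >&2
fi

for cert in router.pem other.pem; do
    if cert_chains_to_ca "$WORK/ca.pem" "$WORK/$cert" \
       && cert_matches_csr "$WORK/router.csr" "$WORK/$cert"; then
        echo "$cert: chains to the CA and matches the CSR, ok to import"
    else
        echo "$cert: rejected (wrong issuer or wrong key)"
    fi
done
```

In real use, point ca_fingerprint_matches at the root you downloaded from the CA and paste in the fingerprint from the router's prompt, and run the two step-2 checks on the certificate the CA e-mailed back together with the CSR text you copied from the router.  Both fingerprints are hashes of the DER-encoded certificate, which is why the value openssl computes from the PEM file is directly comparable with the one IOS prints.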

I suggest you back up your public and private keys, and your certificate CSR and signed certificate, in case you ever need to reload them.  Both export commands take a passphrase, which is used to encrypt the private key in the output, and the RSA export only works for a key that was generated with the exportable keyword:

router(config)#crypto key export rsa [FQDN.MYROUTER.ME] pem terminal 3des [PASSPHRASE]

and

router(config)#crypto pki export cacert.org pem terminal 3des [PASSPHRASE]

The second command prints the CA certificate, the encrypted private key and the router certificate for the trustpoint, which can be reloaded on a router with the matching crypto pki import ... pem terminal form of the import command.

Other useful commands are:

router#show crypto pki certificates 
router#show crypto key mypubkey rsa 

Useful links:
http://www.cisco.com/en/US/partner/products/ps6635/products_white_paper0900aecd8029d630.shtml