A quick step by step overview of how to configure the certificate server on a Cisco IOS device. The certificate server functionality was added in version 12.3(4). It is only available in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups.

These are the seven basic steps that are needed to configure a fictional root certificate server on the CA IOS device shown in the topology below. If you would like to try it yourself, the initial GNS3 net file includes all the basic config. The lab was made using 3600 routers running Version 12.4(16a) of IOS.

Certificate Server Steps

Step 1

The first step is to generate a private/public key pair on the CA router. The private key will be used to sign "user" certificates and the public key will be distributed and used to verify certificates. In the example below our keys are labelled CA-Key.

```
CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto key generate rsa usage-keys label CA-Key modulus 2048 exportable
% Generating 2048 bit RSA keys, keys will be exportable.
```

Step 2

The trustpoint configures what key pair will be used within the certificate server.

```
CA(config)#crypto pki trustpoint CA-Server
```

Step 3

Now we create and configure the actual certificate server. We configure it using the same name as the trustpoint from step 2. Then we configure a local location for the database (this can be remote) and set the database storage level to complete. Finally we configure the X.500 name information using the X.500 distinguished name (DN) format.

```
CA#conf t
! The two commands marked "reconstructed" were not captured on the page and are
! inferred from the text above (the cs-server prompt and the "?" output that follow).
CA(config)#crypto pki server CA-Server            ! reconstructed
CA(cs-server)#database url flash:/CA-Server
CA(cs-server)#database level ?
  Complete  Each issued certificate is saved to the database
  Minimum   Minimum certificate info is saved to the database
  Names     Certificate serial-number & subject name is saved to the database
CA(cs-server)#database level complete             ! reconstructed
CA(cs-server)#issuer-name C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN= VPN
```

Step 4

We can either manually grant all certificate requests or automatically grant all requests. We will configure a password to provide some additional authentication when users try to enroll.

Step 5

First we configure sha-1 as the hash algorithm used to sign the certificates with (MD5 is the default). We configure the lifetime of the certificate server's signing certificate (5 years); when this expires all issued certificates are invalidated and users will have to re-enroll. Now we configure the lifetime of client-issued certificates, after which clients will have to re-enroll.

```
CA#conf t
CA(config)#crypto pki server CA-Server            ! reconstructed, not captured on the page
CA(cs-server)#lifetime ca-certificate 1825
```

Step 6

Now we define the revocation policy used to create and maintain the Certificate Revocation List (CRL). In this example we configure the CRL to only be valid for an hour (the minimum) and publish the CRL on the router itself using the cdp-url command.

```
CA#conf t
```

Note - to enter the "?" you may need to press "Ctrl+V" before entering it!!
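As an added example, not part of the original post and written against Go's standard library rather than IOS, the following builds the same trust structure the steps above configure: a self-signed CA certificate with a 1825-day lifetime and the post's issuer DN, client certificates with a shorter lifetime that point at a CRL distribution point, and a CRL whose NextUpdate is only one hour out. It then shows what a relying party sees when the client certificate, the CA certificate or the CRL has aged out. The client-certificate lifetime (365 days), the CDP URL, the serial numbers and the clock are constructed values; SHA-256 stands in for the post's SHA-1 because modern verifiers refuse SHA-1 signatures.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Values from the post: CA certificate 1825 days, CRL valid one hour. The client-certificate
// lifetime and the CDP URL are not on the page; both are assumptions of this example.
const (
	caLifetime     = 1825 * 24 * time.Hour
	clientLifetime = 365 * 24 * time.Hour // assumed
	crlLifetime    = time.Hour
	cdpURL         = "http://ca.example.invalid/CA-Server.crl" // placeholder
)
// miniCA stands in for the IOS cs-server: one RSA key pair plus its self-signed CA certificate.
type miniCA struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}
// signCert issues tmpl under parent and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// newMiniCA self-signs a CA certificate valid for caLifetime (SHA-256 in place of the post's SHA-1).
func newMiniCA(now time.Time) (*miniCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(caLifetime),
		Subject: pkix.Name{Country: []string{"UK"}, Locality: []string{"m00nietown"}, Organization: []string{"m00nieCo"},
			OrganizationalUnit: []string{"x.509 certs"}, CommonName: "VPN"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm: x509.SHA256WithRSA}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return &miniCA{key: key, cert: cert}, err
}
// issueClient signs a client certificate for clientLifetime and points peers at the CRL via the CDP.
func (ca *miniCA) issueClient(cn string, serial int64, now time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(clientLifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, CRLDistributionPoints: []string{cdpURL}}
	return signCert(tmpl, ca.cert, &key.PublicKey, ca.key)
}
// verifyAt checks the chain as a VPN peer would at time `at`; an expired CA certificate fails the
// chain even while the client certificate is inside its own lifetime, which is the post's warning.
func verifyAt(ca *miniCA, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
// buildCRL publishes a CRL whose NextUpdate is only crlLifetime away, so peers must refetch it hourly.
func (ca *miniCA) buildCRL(number int64, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(crlLifetime)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}
// crlVerdict: Revoked means the serial is listed; Stale means the CRL is past NextUpdate and a
// fresh copy must be fetched from the CDP before the answer is trusted.
type crlVerdict struct{ Revoked, Stale bool }
// checkCRL accepts only a CRL signed by our CA, then looks the serial up and checks freshness.
func checkCRL(ca *miniCA, crlDER []byte, serial *big.Int, at time.Time) (crlVerdict, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(ca.cert)
	}
	if err != nil {
		return crlVerdict{}, err
	}
	v := crlVerdict{Stale: at.After(rl.NextUpdate)}
	for _, rc := range rl.RevokedCertificates {
		v.Revoked = v.Revoked || rc.SerialNumber.Cmp(serial) == 0
	}
	return v, nil
}
func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the walk-through
	ca, _ := newMiniCA(t0)
	client, _ := ca.issueClient("vpn-client-1", 2, t0)
	crl, _ := ca.buildCRL(1, []*big.Int{big.NewInt(2)}, t0.Add(48*time.Hour))
	v, _ := checkCRL(ca, crl, big.NewInt(2), t0.Add(50*time.Hour))
	fmt.Println(verifyAt(ca, client, t0.Add(time.Hour)) == nil, v.Revoked, v.Stale) // true true true
}
```

Two things the run makes concrete: the chain fails the moment the CA certificate passes its NotAfter, regardless of how much lifetime the client certificate has left, which is why the 5-year CA lifetime forces a full re-enrolment; and with a one-hour CRL any peer that cannot reach the cdp-url is holding a stale CRL within the hour, so the CDP has to stay reachable or revocation checking degrades into either a hard failure or silent acceptance, depending on the peer's policy.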