Configuring the SSL Services
Available Languages
Table Of Contents
Configuring SSL Services Secure Transactions
Configuring the Public Key Infrastructure
Configuring the Keys and the Certificates
Configuring the Trustpoint Using SCEP
Importing and Exporting the Key Pairs and Certificates
Importing the PEM Files for Three Levels of Certificate Authority
Verifying the Certificates and the Trustpoints
Sharing the Keys and the Certificates
Configuring a Root CA (Trusted Root)
Verifying the Saved Configuration
Erasing the Saved Configuration
Backing Up the Keys and the Certificates
Monitoring and Maintaining the Keys and Certificates
Deleting the RSA Keys from the Module
Displaying the Keys and Certificates
Deleting the Certificates from the Configuration
Assigning a Certificate to a Proxy Service
Configuring the Automatic Certificate Renewal and Enrollment
Enabling the Key and Certificate History
Configuring the Certificate Expiration Warning
Configuring the Certificate Authentication
Client Certificate Authentication
Server Certificate Authentication
Entering the X.500 CDP Information
Displaying the CRL Information
Certificate Security Attribute-Based Access Control
Configuring SSL Services Secure Transactions
This chapter describes how to configure the CSM-S from the command line interface (CLI) of the module and contains these sections:
•
Configuring the Public Key Infrastructure
•
Configuring the Public Key Infrastructure
The SSL daughter card on the CSM-S uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.
The certificates, which are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates, which are issued by certificate authorities, include the name of the entity to which the certificate was issued, the entity's public key, and the time stamps that indicate the certificate's expiration date.
The public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.
Each SSL daughter card acts as an SSL proxy for up to 256 SSL clients and servers. You must configure a pair of keys for each client or server in order to apply for a certificate for authentication.
We recommend that the certificates be stored in NVRAM so the module does not need to query the certificate authority at startup to obtain the certificates or to automatically enroll. See the "Configuring a Root CA (Trusted Root)" section for more information.
The SSL daughter card authenticates certificates that it receives from external devices when you configure the SSL daughter card as an SSL server and you configure the server proxy to authenticate the client certificate, or when you configure the SSL daughter card as an SSL client. The SSL daughter card validates the start time, end time, and the signature on the certificate received.
A valid certificate may have been revoked if the key pair has been compromised. If a revocation check is necessary, the SSL daughter card downloads the certificate revocation list (CRL) from the certificate authority and looks up the serial number of the certificate received. See the "Certificate Revocation List" section for information on CRLs.
The certificate can also be filtered by matching certain certificate attribute values with access control list (ACL) maps. Only authenticated certificates that are issued by trusted certificate authorities are accepted. See the "Certificate Security Attribute-Based Access Control" section for information on ACLs.
Note
However, the SSL daughter card cannot verify that the sender of the certificate is the expected end user or host of the communication session. To authenticate the end user or host, additional validation is necessary during the data phase, using a username and password, bank account number, credit card number, or mother's maiden name.
If the certificate sender is an SSL client, the SSL daughter card can extract attributes from the client certificate and insert these attributes into the HTTP header during the data phase. The server system that receives these headers can further examine the subject name of the certificate and other attributes and then determine the authenticity of the end user or host. See the "HTTP Header Insert" section on page 10-14 for information on configuring HTTP header insertion. See the "Client Certificate Authentication" section for information on configuring client certificate authentication.
These sections describe how to configure the public key infrastructure (PKI):
•
•
•
•
•
•
•
•
•
•
Configuring the Keys and the Certificates
You can configure keys and certificates using one of the following methods:
•
–
–
–
–
See the "Configuring the Trustpoint Using SCEP" section for details.
•
–
–
–
–
–
See the "Manual Certificate Enrollment" section for details.
•
–
–
See the "Importing and Exporting the Key Pairs and Certificates" section for details.
An external PKI system is a server or a PKI administration system that generates key pairs and enrolls for certificates from a certificate authority or a key and certificate archival system. The Public-Key Cryptography Standards (PKCS) specifies the transfer syntax for personal identity information, including the private keys and certificates. This information is packaged into an encrypted file. To open the encrypted file, you must know a pass phrase. The encryption key is derived from the pass phrase.
Note
See Figure 8-1 for an overview on configuring keys and certificates.
Figure 8-1 Key and Certificate Configuration Overview
Configuring the Trustpoint Using SCEP
To configure a trustpoint using SCEP, complete the following tasks:
•
Generating the RSA Key Pairs
Note
RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Aldeman. The RSA algorithm is widely used by the certificate authorities and the SSL servers to generate key pairs. Each certificate authority and each SSL server has its own RSA key pair. The SSL server sends its public key to the certificate authority when enrolling for a certificate. The SSL server uses the certificate to prove its identity to clients when setting up the SSL session.
The SSL server keeps the private key in a secure storage and sends only the public key to the certificate authority, which uses its private key to sign the certificate that contains the server's public key and other identifying information about the server.
Each certificate authority keeps the private key secret and uses the private key to sign certificates for its subordinate certificate authorities and SSL servers. The certificate authority has a certificate that contains its public key.
The certificate authorities form a hierarchy of one or more levels. The top-level certificate authority is called the root certificate authority. The lower level certificate authorities are called the intermediate or subordinate certificate authorities. The root certificate authority has a self-signed certificate, and it signs the certificate for the next level subordinate certificate authority, which signs the certificate for the next lower level certificate authority, and so on. The lowest level certificate authority signs the certificate for the SSL server.
Note
These certificates form a chain with the server certificate at the bottom and the root certificate authority's self-signed certificate at the top. Each signature is formed by using the private key of the issuing certificate authority to encrypt a hash digest of the certificate body. The signature is attached to the end of the certificate body to form the complete certificate.
When setting up an SSL session, the SSL server sends its certificate chain to the client. The client verifies the signature of each certificate up the chain by retrieving the public key from the next higher-level certificate to decrypt the signature attached to the certificate body. The decryption result is compared with the hash digest of the certificate body. Verification terminates when one of the certificate authority certificates in the chain matches one of the trusted certificate authority certificates stored in the client's own database.
If the top-level certificate authority certificate is reached in the chain, and there is no match of trusted self-signed certificates, the client may terminate the session or prompt the user to view the certificates and determine if they can be trusted.
After the SSL client authenticates the server, it uses the public key from the server certificate to encrypt a secret and send it over to the server. The SSL server uses its private key to decrypt the secret. Both sides use the secret and two random numbers they exchanged to generate the key material required for the rest of the SSL session for data encryption, decryption, and integrity checking.
Note
When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.
Note
To generate the RSA key pairs, perform this task:
Generates RSA key pairs.
1 The exportable keyword specifies that the key is allowed to be exported. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.
Note
This example shows how to generate special-usage RSA keys:
crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys.Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].This example shows how to generate general-purpose RSA keys:
Note
ssl-proxy(config)# crypto key generate rsa general-keys label kp1 exportableThe name for the keys will be: kp1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]: 1024Generating RSA keys.... [OK].
Note
Declaring the Trustpoint
You should declare one trustpoint to be used by the module for each certificate.
To declare the trustpoint that your module uses and specify characteristics for the trustpoint, perform this task beginning in global configuration mode:
Step 1
Declares the trustpoint that your module should use. Enabling this command puts you in ca-trustpoint configuration mode.
Step 2
Specifies which key pair to associate with the certificate.
Step 3
ssl-proxy(ca-trustpoint)# enrollment [mode ra] [retry [period minutes] [count count]] url urlSpecifies the enrollment parameters for your certificate authority.
Step 4
ssl-proxy(ca-trustpoint)# ip-address server_ip_addr(Optional) Specifies the IP address of the proxy service that will use this certificate2 .
Step 5
ssl-proxy(ca-trustpoint)# crl [best-effort | optional | query host:[port]](Optional) Specifies how this trustpoint looks up a certificate revocation list when validating a certificate associated with this trustpoint.
See the "Certificate Revocation List" section for information on CRLs.
Step 6
(Optional) Configures the host name of the proxy service5 .
Step 7
ssl-proxy(ca-trustpoint)# password password(Optional) Configures a challenge password.
Step 8
Exits ca-trustpoint configuration mode.
1 The trustpoint-label should match the key-label of the keys; however, this is not a requirement.
2 Some web browsers compare the IP address in the SSL server certificate with the IP address that might appear in the URL. If the IP addresses do not match, the browser may display a dialog box and ask the client to accept or reject this certificate.
3 For example, subject-name CN=server1.domain2.com, where server1 is the name of the SSL server that appears in the URL. The subject-name command uses the Lightweight Directory Access Protocol (LDAP) format.
4 Arguments specified in the subject name must be enclosed in quotation marks if they contain a comma. For example, O="Cisco, Inc."
5 Some browsers compare the CN field of the subject name in the SSL server certificate with the host name that might appear in the URL. If the names do not match, the browser may display a dialog box and ask the client to accept or reject the certificate. Also, some browsers will reject the SSL session setup and silently close the session if the CN field is not defined in the certificate.
This example shows how to declare the trustpoint PROXY1 and verify connectivity:
ssl-proxy(config)# crypto ca trustpoint PROXY1ssl-proxy(ca-trustpoint)# rsakeypair PROXY1ssl-proxy(ca-trustpoint)# enrollment url http://exampleCA.cisco.comssl-proxy(ca-trustpoint)# ip-address 10.0.0.1ssl-proxy(ca-trustpoint)# password passwordssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# serial-numberssl-proxy(ca-trustpoint)# subject-name C=US; ST=California; L=San Jose; O=Cisco; OU=Lab;CN=host1.cisco.comssl-proxy(ca-trustpoint)# endssl-proxy# ping example.cisco.comType escape sequence to abort.Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 msssl-proxy#Obtaining the Certificate Authority Certificate
For each trustpoint, you must obtain a certificate that contains the public key of the certificate authority; multiple trustpoints can use the same certificate authority.
Note
To obtain the certificate that contains the public key of the certificate authority, perform this task in global configuration mode:
This example shows how to obtain the certificate of the certificate authority:
ssl-proxy(config)# crypto ca authenticate PROXY1Certificate has the following attributes:Fingerprint: A8D09689 74FB6587 02BFE0DC 2200B38A% Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.ssl-proxy(config)# endssl-proxy#Requesting a Certificate
You must obtain a signed certificate from the certificate authority for each trustpoint.
To request signed certificates from the certificate authority, perform this task in global configuration mode:
Requests a certificate for the trustpoint.
1 You have the option to create a challenge password that is not saved with the configuration. This password is required if your certificate needs to be revoked, so you must remember this password.
Note
This example shows how to request a certificate:
ssl-proxy(config)# crypto ca enroll PROXY1%% Start certificate enrollment..% The subject name in the certificate will be: C=US; ST=California; L=San Jose; O=Cisco; OU=Lab; CN=host1.cisco.com% The subject name in the certificate will be: host.cisco.com% The serial number in the certificate will be: 00000000% The IP address in the certificate is 10.0.0.1% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Fingerprint: 470DE382 65D8156B 0F84C2AF 4538B913ssl-proxy(config)# endAfter you configure the trustpoint, see the "Verifying the Certificates and the Trustpoints" section to verify the certificate and trustpoint information.
Example of Three-Tier Certificate Authority Enrollment
The SSL daughter card supports up to eight levels of certificate authority (one root certificate authority and up to seven subordinate certificate authorities).
This example shows how to configure three levels of certificate authority:
Generating the Keys
ssl-proxy(onfig)# crypto key generate rsa general-keys label key1 exportableThe name for the keys will be:key1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]Defining the Trustpoints
ssl-proxy(config)# crypto ca trustpoint 3tier-rootssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.1ssl-proxy(ca-trustpoint)#ssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca trustpoint 3tier-sub1ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.2ssl-proxy(ca-trustpoint)#ssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca trustpoint tp-proxy1ssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3ssl-proxy(ca-trustpoint)# serial-numberssl-proxy(ca-trustpoint)# password ciscossl-proxy(ca-trustpoint)# subject CN=ste.cisco.comssl-proxy(ca-trustpoint)# rsakeypair key1ssl-proxy(ca-trustpoint)# showenrollment url tftp://10.1.1.3serial-numberpassword 7 02050D480809subject-name CN=ste.cisco.comrsakeypair key1endssl-proxy(ca-trustpoint)# exitAuthenticating the Three Certificate Authorities (One Root And Two Subordinate Certificate Authorities)
ssl-proxy(config)# crypto ca authenticate 3tier-rootCertificate has the following attributes:Fingerprint:84E470A2 38176CB1 AA0476B9 C0B4F478% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.ssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate 3tier-sub1Certificate has the following attributes:Fingerprint:FE89FB0D BF8450D7 9934C926 6C66708DCertificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.ssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate tp-proxy1Certificate has the following attributes:Fingerprint:6E53911B E29AE44C ACE773E7 26A098C3Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.Enrolling with the Third Level Certificate Authority
ssl-proxy(config)# crypto ca enroll tp-proxy1%% Start certificate enrollment ..% The fully-qualified domain name in the certificate will be:ste.% The subject name in the certificate will be:ste.% The serial number in the certificate will be:B0FFF0C2% Include an IP address in the subject name? [no]:Request certificate from CA? [yes/no]:yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.ssl-proxy(config)# Fingerprint: 74390E57 26F89436 6FC52ABE 24E23CD9ssl-proxy(config)#*Apr 18 05:10:20.963:%CRYPTO-6-CERTRET:Certificate received from Certificate AuthorityManual Certificate Enrollment
The Manual Certificate Enrollment (TFTP and cut-and-paste) feature allows you to generate a certificate request and accept certificate authority certificates as well as router certificates. These tasks are accomplished with a TFTP server or manual cut-and-paste operations. You may want to use TFTP or manual cut-and-paste enrollment in the following situations:
•
•
Configure the Manual Certificate Enrollment (TFTP and cut-and-paste) feature as described at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftmancrt.htm
Note
For example, in a three-tier certificate authority hierarchy (root CA, subordinate CA1, and subordinate CA2), when you import the subordinate CA1 certificate, enter the crl optional command for all the trustpoints associated with root CA. Similarly, when you import the subordinate CA2 certificate, enter the crl optional command for all the trustpoints associated with root CA and subordinate CA1.
After you successfully import the certificate, you can restore the original CRL options on the trustpoints.
Configuring a Certificate Enrollment Using TFTP (One-Tier Certificate Authority)
To configure the certificate enrollment using TFTP, perform these steps:
Step 1
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# crypto ca trustpoint tftp_examplessl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.2/win2kssl-proxy(ca-trustpoint)# rsakeypair pair3ssl-proxy(ca-trustpoint)# exitStep 2
ssl-proxy(config)# crypto ca enroll tftp_example% Start certificate enrollment ..% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.com% The subject name in the certificate will be: ssl-proxy.cisco.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 00000000% Include an IP address in the subject name? [no]:Send Certificate Request to tftp server? [yes/no]: yes% Certificate request sent to TFTP Server% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.ssl-proxy(config)# Fingerprint: D012D925 96F4B5C9 661FEC1E 207786B7!!Step 3
ssl-proxy(config)# crypto ca auth tftp_exampleLoading win2k.ca from 10.1.1.2 (via Ethernet0/0.168): ![OK - 1436 bytes]Certificate has the following attributes:Fingerprint: 2732ED87 965F8FEB F89788D4 914B877D% Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.ssl-proxy(config)#Step 4
ssl-proxy(config)# crypto ca import tftp_example cert% The fully-qualified domain name in the certificate will be: ssl-proxy.cisco.comRetrieve Certificate from tftp server? [yes/no]: yes% Request to retrieve Certificate queuedssl-proxy(config)#Loading win2k.crt from 10.1.1.2 (via Ethernet0/0.168): ![OK - 2112 bytes]ssl-proxy(config)#*Apr 15 12:02:33.535: %CRYPTO-6-CERTRET: Certificate received from Certificate Authorityssl-proxy(config)#
Configuring a Certificate Enrollment Using Cut-and-Paste (One-Tier Certificate Authority)
To configure the certiciate enrollment using cut-and-paste, perform these steps:
Step 1
ssl-proxy(config)# crypto key generate rsa general-keys label CSR-key exportableThe name for the keys will be:CSR-keyChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]Step 2
ssl-proxy(config)# crypto ca trustpoint CSR-TPssl-proxy(ca-trustpoint)# rsakeypair CSR-keyssl-proxy(ca-trustpoint)# serialssl-proxy(ca-trustpoint)# subject-name CN=abc, OU=hss, O=ciscossl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# exita.
ssl-proxy(config)# crypto ca enroll CSR-TP% Start certificate enrollment ..% The subject name in the certificate will be:CN=abc, OU=hss, O=cisco% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com% The subject name in the certificate will be:ssl-proxy.cisco.com% The serial number in the certificate will be:B0FFF22E% Include an IP address in the subject name? [no]:noDisplay Certificate Request to terminal? [yes/no]:yesCertificate Request follows:MIIBwjCCASsCAQAwYTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEMMAoGA1UEAxMDYWJjMTMwDwYDVQQFEwhCMEZGRjIyRTAgBgkqhkiG9w0BCQIWE3NzbC1wcm94eS5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQtYSF77R1pmhK0WSKPuu7fJPYr/Cbo80OUzkRAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQQFAAOBgQC2GIX06/hihXHADA5sOpxgLsO1rMP8PF4bZDdlpWLVBSOrp4S1L7hH9P2NY9rgZAJhDTRfGGm179JYGOtUuCyPYPkpb0S5VGTUrHvvUWekleKq2d91kfgbkRmJmHBaB2Ev5DNBcV11SIMXRULG7oUafU6sxnDWqbMseToF4WrLPg==---End - This line not part of the certificate request---Redisplay enrollment request? [yes/no]:noStep 3
ssl-proxy(config)# crypto ca authenticate CSR-TPEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIICxzCCAjCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJjYTAeFw0wMzA2MjYyMjM4MDlaFw0wODEyMTYyMjM4MDlaMFIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMTAmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcG9ObqOLmf0cASkF48jz8X7ZQxT1H68OQKNC3ks95vkGbOAa/1/R4ACQ3s9iPkcGQVqi4Dv8/iNG/1mQo8HBwtR9VgG0l8IGBbuiZdlarYnQHUz6Bm/HzE1RXVOY/VmyPOVevYy8/cYhwx/xOE9BYQOyP15Chi8nhIS5F+WWoHQIDAQABo4GsMIGpMB0GA1UdDgQWBBS4Y+/lSXKDrw5N5m/tgCzu/W81PDB6BgNVHSMEczBxgBS4Y+/lSXKDrw5N5m/tgCzu/W81PKFWpFQwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCY2GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQB/rPdLFVuycbaJQucdFQG7kl/XBNI7aY3IL3Lkeumt/nXD+eCnRpYE5WWY8X1Aizqnj4bqFdqPqYdD7Lg8viwqm2tQmU6zCsdaKhL1J7FCWbfs2+Z5oNV2Vsqx0Ftnf8en/+HtyS2AdXHreThfgkXz3euXD0ISMFVKRy81o4EdzA==-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:B8B35B00 095573D0 D3B8FA03 B6CA8934% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#Step 4
ssl-proxy(config)# crypto ca import CSR-TP certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.comEnter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIB7TCCAVYCAQQwDQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCY2EwHhcNMDMxMTIwMDAxMzE2WhcNMDQxMTE5MDAxMzE2WjAsMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALt7O6tt30lBVVK1qAE/agsuzIaa15YZft3bDb9t3pPncKh0ivBTgVKpJiLPWGZPjdbtejxQksuSY589V+GMDrO9B4Sxn+5Np2bQmd745NvI4gorNRvXcdjmE+/SzE+bBSBcKAwNtYSF77R1pmhK0WSKPuu7fJPYr/Cbo80OUzkRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjqJ9378P6Gz69Ykplw06Powp+2rbe2iFBrE1xE09BL6G6vzcBQgb5W4uwqxe7SIHrHsS0/7Be3zeJnlOseWx/KVj7I02iPgrwUa9DLavwrTyaa0KtTpti/i5nIwTNh5xkp2bBJQikD4TEK7HAvXfHQ9SyB3YZJk/Bjp6/eFHEfU=-----END CERTIFICATE-----% Router Certificate successfully importedssl-proxy(config)#^Z
Configuring a Certificate Enrollment Using TFTP (Three-Tier Certificate Authority)
To configure certificate enrollment using TFTP, perform these steps:
Step 1
ssl-proxy(config)# crypto key generate rsa general-keys label test-3tier exportableThe name for the keys will be:test-3tierChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]Step 2
ssl-proxy(config)# crypto ca trustpoint test-3tierssl-proxy(ca-trustpoint)# serial-numberssl-proxy(ca-trustpoint)# password ciscossl-proxy(ca-trustpoint)# subject CN=test-3tier, OU=hss, O=Ciscossl-proxy(ca-trustpoint)# rsakeypair test-3tierssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-3tierssl-proxy(ca-trustpoint)# exitStep 3
ssl-proxy(config)# crypto ca enroll test-3tier%% Start certificate enrollment ..% The subject name in the certificate will be:CN=test-3tier, OU=hss, O=Cisco% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.com% The subject name in the certificate will be:ssl-proxy.cisco.com% The serial number in the certificate will be:B0FFF22E% Include an IP address in the subject name? [no]:Send Certificate Request to tftp server? [yes/no]:yes% Certificate request sent to TFTP Server% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.ssl-proxy(config)# Fingerprint: 19B07392 319B2ACF F8FABE5C 52798971ssl-proxy(config)#!!Step 4
Step 5
ssl-proxy(config)# crypto ca trustpoint test-1tierssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-1tierssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca authenticate test-1tierLoading test-1tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1046 bytes]Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.ssl-proxy(config)# crypto ca trustpoint test-2tierssl-proxy(ca-trustpoint)# enrollment url tftp://10.1.1.3/test-2tierssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca authenticate test-2tierLoading test-2tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1554 bytes]Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.ssl-proxy(config)# crypto ca authenticate test-3tierLoading test-3tier.ca from 10.1.1.3 (via Ethernet0/0.172):![OK - 1545 bytes]Certificate has the following attributes:Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.Step 6
ssl-proxy(config)# crypto ca import test-3tier certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.cisco.comRetrieve Certificate from tftp server? [yes/no]:yes% Request to retrieve Certificate queuedssl-proxy(config)#Loading test-3tier.crt from 10.1.1.3 (via Ethernet0/0.172):![OK - 1608 bytes]ssl-proxy(config)#*Nov 25 21:52:36.299:%CRYPTO-6-CERTRET:Certificate received from Certificate Authorityssl-proxy(config)# ^Z
Configuring a Certificate Enrollment Using Cut-and-Paste (Three-Tier Certificate Authority)
To configure a certificate enrollment using cut-and-paste, perform these steps:
Step 1
ssl-proxy(config)# crypto key generate rsa general-keys label tp-proxy1 exportableThe name for the keys will be:tp-proxy1Choose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]Step 2
ssl-proxy(config)# crypto ca trustpoint tp-proxy1ssl-proxy(ca-trustpoint)# enrollment terssl-proxy(ca-trustpoint)# rsakeypair tp-proxy1ssl-proxy(ca-trustpoint)# serialssl-proxy(ca-trustpoint)# subject-name CN=testssl-proxy(ca-trustpoint)# exitStep 3
ssl-proxy(config)# crypto ca enroll tp-proxy1% Start certificate enrollment ..% The subject name in the certificate will be:CN=test% The fully-qualified domain name in the certificate will be:ssl-proxy.% The subject name in the certificate will be:ssl-proxy.% The serial number in the certificate will be:B0FFF14D% Include an IP address in the subject name? [no]:noDisplay Certificate Request to terminal? [yes/no]:yesCertificate Request follows:MIIBnDCCAQUCAQAwOzENMAsGA1UEAxMEdGVzdDEqMA8GA1UEBRMIQjBGRkYxNEQwFwYJKoZIhvcNAQkCFgpzc2wtcHJveHkuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFx1ol9IXoAx4fyUhaXH6s4p5t9soIZ1gvLtVX6Fp6zfuX47os5TGJH/IXzV9B4e5Kv+wlMD0AvTh+/tvyAP3TMpCdpHYosd2VaTIgExpHf4M5Ruh8IebVKV25rraIpNiS0PvPLFcrw4UfJVNpsc2XBxBhpT+FS9y67LqlhfSN4wIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEEBQADgYEAkOIjd1KNJdKLMf33YELRd3MW/ujJIuiT1J8RYVbw1eE8JQf68TTdKiYqzQcoMgspez3vSPxXFZ/c6naXdVyrTikTX3GZ1mu+UOvV6/Jaf5QcXa9tAi3fgyguV7jQMPjkQj2GrwhXjcqZGOMBh6Kq6s5UPsIDgrL036I42B6B3EQ=---End - This line not part of the certificate request---Redisplay enrollment request? [yes/no]:noStep 4
Step 5
a.
Note
ssl-proxy(config)# crypto ca trustpoint 3tier-rootssl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# crl opssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca trustpoint 3tier-sub1ssl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# crl opssl-proxy(ca-trustpoint)# exitb.
ssl-proxy(config)# crypto ca authenticate 3tier-rootEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedc.
ssl-proxy(config)# crypto ca authenticate 3tier-sub1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIETzCCA/mgAwIBAgIKGj0cBwAAAAAADjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMzIyMDQyMVoXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDcvV48nC2uukoSyGJ/GymCIEXZzMSzpbkYS7eWPaZYyiJDhCIKuUsMgFDRNfMQmUSArcWmPizFZc9PFumDa03vAgMBAAGjggJpMIICZTAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUWaaNN2U14BaBoU9mY+ncuHpP920wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wga4GA1UdIwSBpjCBo4AUJgYtQFMo130SBSiceehK9seDRrGheaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCEGnVMc1P4ve4Q5mUWCdWwXAwgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tbDhqNm9ocG5yXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL2Npc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXGNpc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwDQYJKoZIhvcNAQEFBQADQQA6kAV3Jx/BOr2hlSp9ER36ZkDJNIW93gNt2MkpcA07RmcrHln6q5RJ9WbvTxFnONdgpsag1EcOwn97XErHZ2ow-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully importedd.
ssl-proxy(config)# crypto ca authenticate tp-proxy1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIESTCCA/OgAwIBAgIKHyiFxAAAAAAABjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhMB4XDTAzMTExMzIyMjI1MloXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMi1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC7ChZc0NYLBHf1sr/3Z4y6w5WoeioIpCOCSydhnbd5wnwuethoyStVt9lr6i61jWKld68Z8EoTg71daiV/WR/HAgMBAAGjggJjMIICXzAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU6FmJopqqzpbFMj6TaB2/wjlWlqEwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wgagGA1UdIwSBoDCBnYAUWaaNN2U14BaBoU9mY+ncuHpP922heaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCCho9HAcAAAAAAA4wgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tZzI1dWE2bzRlXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXN1YjEtY2EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL2Npc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWcyNXVhNm80ZVxDZXJ0RW5yb2xsXGNpc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwDQYJKoZIhvcNAQEFBQADQQCieB8rvVCqVF2cFw9/v51jGn7LQ6pUGT3bMRbOrgQKytTz/Yx09156nYZHrvVuLzmzz5CriI2saVx+q1Tarwil-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:2F2E44AC 609644FA 5B4B6B26 FDBFE569Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully importede.
ssl-proxy(config)# crypto ca import tp-proxy1 certificate% The fully-qualified domain name in the certificate will be:ssl-proxy.Enter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIENTCCA9+gAwIBAgIKLmibDwAAAAAACDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhMB4XDTAzMTExOTIzNDUzNVoXDTA0MTExMzIyMTQyMVowPTERMA8GA1UEBRMIQjBGRkYxNEQxGTAXBgkqhkiG9w0BCQITCnNzbC1wcm94eS4xDTALBgNVBAMTBHRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXHWiX0hegDHh/JSFpcfqzinm32yghnWC8u1VfoWnrN+5fjuizlMYkf8hfNX0Hh7kq/7CUwAf8EBAMCBaAwHQYDVR0OBBYEFCXlzcYHyo1PNbfubnivi8d2VO22MIGoBgNVHSMEgaAwgZ2AFOhZiaKaqs6WxTI+k2gdv8I5VpahoXmkdzB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhggofKIXEAAAAAAAGMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1vam14Y25jenYvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtc3ViMi1jYS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLW9qbXhjbmN6dlxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNybDCByAYIKwYBBQUHAQEEgbswgbgwWQYIKwYBBQUHMAKGTWh0dHA6Ly9jaXNjby1vam14Y25jenYvQ2VydEVucm9sbC9jaXNjby1vam14Y25jenZfc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3J0MFsGCCsGAQUFBzAChk9maWxlOi8vXFxjaXNjby1vam14Y25jenZcQ2VydEVucm9sbFxjaXNjby1vam14Y25jenZfc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3J0MA0GCSqGSIb3DQEBBQUAA0EAtbxmUBOxZ/hcrCc3hY7pa6q/LmLonXSL8cjAbV2I7A5QGYaNi5k98FlEz1WOxW0J2C3/YsvIf4dYpsQWdKRJbQ==-----END CERTIFICATE-----% Router Certificate successfully importedssl-proxy(config)#^Z
Importing and Exporting the Key Pairs and Certificates
You can import and export key pairs and certificates using either the PKCS12 file format or privacy-enhanced mail (PEM) file format.
These sections describe how to import or export key pairs and certificates:
•
•
Note
Note
For example, in a three-tier certificate authority hierarchy (root CA, subordinate CA1, and subordinate CA2), when you import the subordinate CA1 certificate, enter the crl optional command for all the trustpoints associated with root CA. Similarly, when you import the subordinate CA2 certificate, enter the crl optional command for all the trustpoints associated with root CA and subordinate CA1.
After you successfully import the certificate, you can restore the original CRL options on the trustpoints.
Importing and Exporting a PKCS12 File
You can use an external PKI system to generate a PKCS12 file and then import this file to the module.
Note
Note
Note
To import or export a PKCS12 file, perform this task:
ssl-proxy(config)# crypto ca {import | export} trustpoint_label pkcs12 {scp:| ftp:| nvram:| rcp:| tftp:} [pkcs12_filename1 ] pass_phrase2
Imports or exports a PKCS12 file.
Note
1 If you do not specify the pkcs12_filename value, you will be prompted to accept the default filename (the default filename is the trustpoint_label value) or enter the filename. For ftp: or tftp:, include the full path in the pkcs12_filename value.
2 You will receive an error if you enter the pass phrase incorrectly.
This example shows how to import a PKCS12 file using SCP:
ssl-proxy(config)# crypto ca import TP2 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Source username [ssl-proxy]? admin-1Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12Password:passwordSending file modes:C0644 4379 TP2.p12!ssl-proxy(config)#*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.ssl-proxy(config)#This example shows how to export a PKCS12 file using SCP:
ssl-proxy(config)# crypto ca export TP1 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Destination username [ssl-proxy]? admin-1Destination filename [TP1]? TP1.p12Password:Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12Password:!CRYPTO_PKI:Exported PKCS12 file successfully.ssl-proxy(config)#This example shows how to import a PKCS12 file using FTP:
ssl-proxy(config)# crypto ca import TP2 pkcs12 ftp: sky is blueAddress or name of remote host []? 10.1.1.1Source filename [TP2]? /admin-1/pkcs12/PK-1024Loading /admin-1/pkcs12/PK-1024 ![OK - 4339/4096 bytes]ssl-proxy(config)#This example shows how to export a PKCS12 file using FTP:
ssl-proxy(config)# crypto ca export TP1 pkcs12 ftp: sky is blueAddress or name of remote host []? 10.1.1.1Destination filename [TP1]? /admin-1/pkcs12/PK-1024Writing pkcs12 file to ftp://10.1.1.1//admin-1/pkcs12/PK-1024Writing /admin-1/pkcs12/PK-1024 !!CRYPTO_PKI:Exported PKCS12 file successfully.ssl-proxy(config)#After you import the PKCS12 file, see the "Verifying the Certificates and the Trustpoints" section to verify the certificate and trustpoint information.
Importing and Exporting the PEM Files
Note
Note
Note
To import or export PEM files, perform one of these tasks:
ssl-proxy(config)# crypto ca import trustpoint_label pem [exportable] {terminal | url {scp:| ftp:| nvram:| rcp:| tftp:} | usage-keys} pass_phrase1 ,2
Imports PEM files.
Note
ssl-proxy(config)# crypto ca export trustpoint_label pem {terminal | url {scp:| ftp:| nvram:| rcp:| tftp:} [des | 3des] pass_phrase1,2
Exports PEM files.
Note
1 You will receive an error if you enter the pass phrase incorrectly.
2 A pass phrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by a pass phrase.
This example shows how to import the PEM files using TFTP:
Note
ssl-proxy(config)# crypto ca import TP5 pem url tftp://10.1.1.1/TP5 password% Importing CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [TP5.ca]?Reading file from tftp://10.1.1.1/TP5.caLoading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1976 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.prv]?Reading file from tftp://10.1.1.1/TP5.prvLoading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): ![OK - 963 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.crt]?Reading file from tftp://10.1.1.1/TP5.crtLoading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1692 bytes]% PEM files import succeeded.ssl-proxy(config)#endssl-proxy#*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by consoleThis example shows how to export PEM files using TFTP:
ssl-proxy(config)# crypto ca export TP5 pem url tftp://10.1.1.1/tp99 3des password% Exporting CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.ca]?% File 'tp99.ca' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.ca!% Key name: key1Usage: General Purpose Key% Exporting private key...Address or name of remote host [10.1.1.1]?Destination filename [tp99.prv]?% File 'tp99.prv' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.prv!% Exporting router certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.crt]?% File 'tp99.crt' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.crt!ssl-proxy(config)#After you import the PEM files, see the "Verifying the Certificates and the Trustpoints" section to verify the certificate and trustpoint information.
Importing the PEM Files for Three Levels of Certificate Authority
In this section, the root certificate authority certificate (Tier 1) and intermediate certificate authority certificate (Tier 2) are obtained using the cut-and-paste option of offline enrollment. The intermediate certificate authority certificate (Tier 3), private keys, and router certificate are obtained by importing PEM files.
To import the PEM files for three levels of certificate authority, perform these steps:
Step 1
ssl-proxy(config)# crypto ca trustpoint 3tier-rootssl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca authenticate 3tier-rootEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedStep 2
ssl-proxy(config)# crypto ca trustpoint 3tier-subca1ssl-proxy(ca-trustpoint)# enroll terminalssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# exitssl-proxy(config)# crypto ca authenticate 3tier-subca1Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIETzCCA/mgAwIBAgIKGj0cBwAAAAAADjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMzIyMDQyMVoXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDcvV48nC2uukoSyGJ/GymCIEXZzMSzpbkYS7eWPaZYyiJDhCIKuUsMgFDRNfMQmUSArcWmPizFZc9PFumDa03vAgMBAAGjggJpMIICZTAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUWaaNN2U14BaBoU9mY+ncuHpP920wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wga4GA1UdIwSBpjCBo4AUJgYtQFMo130SBSiceehK9seDRrGheaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCEGnVMc1P4ve4Q5mUWCdWwXAwgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tbDhqNm9ocG5yXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWw4ajZvaHBuci9DZXJ0RW5yb2xsL2Npc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXGNpc2NvLWw4ajZvaHBucl9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcnQwDQYJKoZIhvcNAQEFBQADQQA6kAV3Jx/BOr2hlSp9ER36ZkDJNIW93gNt2MkpcA07RmcrHln6q5RJ9WbvTxFnONdgpsag1EcOwn97XErHZ2ow-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:50A986F6 B471B82D E11B71FE 436A9BE6Certificate validated - Signed by existing trustpoint CA certificate.Trustpoint CA certificate accepted.% Certificate successfully importedStep 3
ssl-proxy(config)# crypto ca import tp-proxy1 pem terminal cisco% Enter PEM-formatted CA certificate.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE-----MIIESTCCA/OgAwIBAgIKHyiFxAAAAAAABjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhMB4XDTAzMTExMzIyMjI1MloXDTA0MTExMzIyMTQyMVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMi1jYTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC7ChZc0NYLBHf1sr/3Z4y6w5WoeioIpCOCSydhnbd5wnwuethoyStVt9lr6i61jWKld68Z8EoTg71daiV/WR/HAgMBAAGjggJjMIICXzAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU6FmJopqqzpbFMj6TaB2/wjlWlqEwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wgagGA1UdIwSBoDCBnYAUWaaNN2U14BaBoU9mY+ncuHpP922heaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpjYWxpZm9ybmlhMREwDwYDVQQHEwhzYW4gam9zZTEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAsTA2hzczEgMB4GA1UEAxMXc2ltcHNvbi1kZXZ0ZXN0LXJvb3QtQ0GCCho9HAcAAAAAAA4wgZcGA1UdHwSBjzCBjDBDoEGgP4Y9aHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL3NpbXBzb24tZGV2dGVzdC1zdWIxLWNhLmNybDBFoEOgQYY/ZmlsZTovL1xcY2lzY28tZzI1dWE2bzRlXENlcnRFbnJvbGxcc2ltcHNvbi1kZXZ0ZXN0LXN1YjEtY2EuY3JsMIHIBggrBgEFBQcBAQSBuzCBuDBZBggrBgEFBQcwAoZNaHR0cDovL2Npc2NvLWcyNXVhNm80ZS9DZXJ0RW5yb2xsL2Npc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwWwYIKwYBBQUHMAKGT2ZpbGU6Ly9cXGNpc2NvLWcyNXVhNm80ZVxDZXJ0RW5yb2xsXGNpc2NvLWcyNXVhNm80ZV9zaW1wc29uLWRldnRlc3Qtc3ViMS1jYS5jcnQwDQYJKoZIhvcNAQEFBQADQQCieB8rvVCqVF2cFw9/v51jGn7LQ6pUGT3bMRbOrgQKytTz/Yx09156nYZHrvVuLzmzz5CriI2saVx+q1Tarwil-----END CERTIFICATE-----% Enter PEM-formatted encrypted private key.% End with "quit" on a line by itself.-----BEGIN RSA PRIVATE KEY-----Proc-Type:4,ENCRYPTEDDEK-Info:DES-EDE3-CBC,F0D3269840071CF8gQb9JMplIE5AEdhumLuBFWT53k+L/EGLhFfQn/roPlEOiIGEB6y3DeYNN/xZSiy3JOHN0kh8Wjw3pshrdNVcoQj2X7BPI+YOipok40WOk5J/+dnRLwMjv+rl0tr+LcCknBdR8zIOkOJObULLUOXFBM7oB3Dsk4Y3FBv8EAR3AdQiZjevau4FIyQn+JfVZy+JwctmvZnX0c0fevPsgID4dCPkeY6+I0DkxMyRiuyn+wIrJw1xVA2VIOrRJojBNlRu6/APef8JwpfnNcgpcLYt/4Q+3Yjl9EfRLjgiL6eSRki/6K5lrV3eKbwOTyjvXq5hG0Q6dtNEoIvOg1Vad0CXeL+TxJ4ySq4E63OxIHkclDBsusGoUGLoZ+OtaxApAZ+5WbKqR+ND1LlPmS8/ZL9LMPhUh9eOqZJjJTe6NbxY7jeNHjAmpP7/WpB2f2kV/LZgn2AV4GALBZtqXtreGiayZzXpEA5J00lbzRZWf9JHA1diz/unW00/GH9LvCqA9O15YJGCrRMI9US7MWm8kIkiJqNgLtbPad5cOaieQe+Kncgcm18Hc7pfhDwXGG4RS40xTSV/kIR4Gi7h8Lu71wZKTaWYHBPTUyTIpNsFUEdvItHXOSBw2LWNWzdYgpGoMT/tryuu0lAC9YdBalAxY0DaqqpuXKzxfiw5QDbqZWVq3qAxXfLAtTgu/gFCuFQvbBGl87H1C+nOQUq2nkpMpHZLsl3V0w/2yqg+q6rUydANFF+a5vRaLgX/PGms92ZkZUdPZ5qeKJmoURSlMYxDuhQDl93RYxXJxOYIYrCrI/QaBpIH6QvUH60wWA==-----END RSA PRIVATE KEY-----quit% Enter PEM-formatted certificate.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE-----MIIEXTCCBAegAwIBAgIKTJOcWgAAAAAACTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhMB4XDTAzMTEyNTIwMjExMFoXDTA0MTExMzIyMTQyMVowPjERMA8GA1UEBRMIQjBGRkYyMkUxKTAnBgkqhkiG9w0BCQITGnNpbXBzb24tNjUwOS1zdGUuY2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkhRKm38hSF7l0WXlYm8ixs2Hz/yjNw7tchtRPIp0qCTJKW00gzZpp8dqaNi3s2GVVWb+tCgsol0MZLIkyoj/9vT9MC7Zo3LOxYy9kD+6M9peUWMT4JLSD4Exzxsd87JpP1bo0o8WhYjvMor/bL30sW8ly2RH2vppEMn9eLEN0vwIDAQABo4ICajCCAmYwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBSx6uQ2sARlcjzhBSiMu7xeu1n6AjCBqAYDVR0jBIGgMIGdgBToWYmimqrOlsUyPpNoHb/COVaWoaF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtc3ViMS1jYYIKHyiFxAAAAAAABjAoBgNVHREBAf8EHjAcghpzaW1wc29uLTY1MDktc3RlLmNpc2NvLmNvbTCBlwYDVR0fBIGPMIGMMEOgQaA/hj1odHRwOi8vY2lzY28tb2pteGNuY3p2L0NlcnRFbnJvbGwvc2ltcHNvbi1kZXZ0ZXN0LXN1YjItY2EuY3JsMEWgQ6BBhj9maWxlOi8vXFxjaXNjby1vam14Y25jenZcQ2VydEVucm9sbFxzaW1wc29uLWRldnRlc3Qtc3ViMi1jYS5jcmwwgcgGCCsGAQUFBwEBBIG7MIG4MFkGCCsGAQUFBzAChk1odHRwOi8vY2lzY28tb2pteGNuY3p2L0NlcnRFbnJvbGwvY2lzY28tb2pteGNuY3p2X3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNydDBbBggrBgEFBQcwAoZPZmlsZTovL1xcY2lzY28tb2pteGNuY3p2XENlcnRFbnJvbGxcY2lzY28tb2pteGNuY3p2X3NpbXBzb24tZGV2dGVzdC1zdWIyLWNhLmNydDANBgkqhkiG9w0BAQUFAANBABFh7XeLwvfBtjAR+e5OaUH5KTGJDbeJppOmMFXnFakpgWop9Qg4cHRCQq7V0pAWiA6VtJOmpYgEIVNTAzAAHR4=-----END CERTIFICATE-----% PEM files import succeeded.ssl-proxy(config)# ^Zssl-proxy#*Dec 4 18:11:49.850:%SYS-5-CONFIG_I:Configured from console by consolessl-proxy#Step 4
ssl-proxy# show crypto ca certificates tp-proxy1CertificateStatus:AvailableCertificate Serial Number:04A0147B00000000010ECertificate Usage:General PurposeIssuer:CN = sub3caC = USSubject:Name:ssl-proxy.Serial Number:B0FFF0C2OID.1.2.840.113549.1.9.2 = ssl-proxy.OID.2.5.4.5 = B0FFF0C2CRL Distribution Point:http://sample.cisco.com/sub3ca.crlValidity Date:start date:18:04:09 UTC Jan 23 2003end date:21:05:17 UTC Dec 12 2003renew date:00:00:00 UTC Apr 1 2003Associated Trustpoints:tp-proxy1CA CertificateStatus:AvailableCertificate Serial Number:6D1E6B0F000000000007Certificate Usage:SignatureIssuer:CN = subtestC = USSubject:CN = sub3caC = USCRL Distribution Point:http://sample.cisco.com/subtest.crlValidity Date:start date:22:22:52 UTC Mar 28 2003end date:21:05:17 UTC Dec 12 2003Associated Trustpoints:tp-proxy1ssl-proxy# show crypto ca certificates 3tier-subca1CA CertificateStatus:AvailableCertificate Serial Number:29A47DEF0000000004E9Certificate Usage:SignatureIssuer:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USSubject:CN = subtestC = USCRL Distribution Point:http://sample.cisco.com/6ebf9b3e-9a6d-4400-893c-dd85dcfe911b.crlValidity Date:start date:20:55:17 UTC Dec 12 2002end date:21:05:17 UTC Dec 12 2003Associated Trustpoints:3tier-sub1ssl-proxy# show crypto ca certificates 3tier-rootCA CertificateStatus:AvailableCertificate Serial Number:7FD5B209B5C2448C47F77F140625D265Certificate Usage:SignatureIssuer:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USSubject:CN = 6ebf9b3e-9a6d-4400-893c-dd85dcfe911bC = USCRL Distribution Point:http://sample.cisco.com/6ebf9b3e-9a6d-4400-893c-dd85dcfe911b.crlValidity Date:start date:00:05:32 UTC Jun 13 2002end date:00:11:58 UTC Jun 13 2004Associated Trustpoints:3tier-root
Verifying the Certificates and the Trustpoints
To verify information about your certificates and trustpoints, perform this task in EXEC mode:
Sharing the Keys and the Certificates
The SSL daughter card supports the sharing of the same key pair by multiple certificates. However, this is not a good practice because if one key pair is compromised, all the certificates must be revoked and replaced.
Because proxy services are added and removed at different times, the certificates also expire at different times. Some certificate authorities require you to refresh the key pair at the time of renewal. If certificates share one key pair, you need to renew the certificates at the same time. In general, it is easier to manage certificates if each certificate has its own key pair.
The SSL daughter card does not impose any restrictions on sharing certificates among multiple proxy services and multiple SSL daughter cards. The same trustpoint can be assigned to multiple proxy services.
From a business point of view, the certificate authority may impose restrictions (for example, on the number of servers in a server farm that can use the same certificate). There may be contractual or licensing agreements regarding certificate sharing. Consult with the certificate authority or your legal staff regarding business contractual aspects.
Some web browsers compare the subject name of the server certificate with the host name or the IP address that appears on the URL. If the subject name does not match the host name or IP address, a dialog box appears, prompting the user to verify and accept the certificate. To avoid this step, you should limit the sharing of certificates based on the host name or IP address.
Configuring a Root CA (Trusted Root)
To configure a trusted root, perform this task beginning in global configuration mode:
Step 1
Router(config)# crypto ca trusted-root name
Configures a root with a selected name and enters trusted root configuration mode.
Step 2
Router(ca-root)# crl query url
(Optional) Queries the CRL published by the configured root with the LDAP1 URL.
Step 3
Router(ca-root)# exit
(Optional) Exits trusted root configuration mode.
Step 4
Router(config)# crypto ca trustpoint name
(Optional) Enters certificate authority identity configuration mode.
Step 5
Router(ca-identity) #crl optional
(Optional) Allows other peer certificates to be accepted by your switch even if the appropriate CRL is not accessible to your switch.
Step 6
Router(ca-identity)# exit
(Optional) Exits certificate authority identity configuration mode.
Step 7
Router(config)# crypto ca trusted-root name
(Optional) Enters trusted root configuration mode.
Step 8
Router(ca-root)# root {CEP url | TFTP server-hostname filename}
Uses SCEP2 , with the given identity and URL, or TFTP to get a root certificate.
Note
Note
Step 9
Router(ca-root)# root proxy url
Defines the HTTP proxy server for getting a root certificate.
1 LDAP = Lightweight Directory Access Protocol.
2 SCEP = Simple Certificate Enrollment Protocol.
Saving Your Configuration
Caution
Tip
To save your configuration to NVRAM, perform this task:
Note
The automatic backup of the configuration to NVRAM feature automatically backs up the last saved configuration. If the current write process fails, the configuration is restored to the previous configuration automatically.
Oversized Configuration
If you save an oversized configuration with more than 256 proxy services and 356 certificates, you might encounter a situation where you could corrupt the contents in the NVRAM.
You should always copy to running-config before saving to NVRAM. When you save the running-config file to a remote server, each certificate is saved as a hexadecimal dump in the file. If you copy the running-config file back to running-config and then save it to NVRAM, the certificates are saved again, but as binary files. However, if you copy the running-config file directly from the remote server to startup-config, the certificates that are saved as hexadecimal dumps are also saved, resulting in two copies of the same certificate: one in hexadecimal dump and one as a binary file. This action is unnecessary, and if the remote file is very large, it may overwrite part of the contents in the NVRAM, which could corrupt the contents.
Verifying the Saved Configuration
To verify the saved configuration, perform this task:
Step 1
Displays the startup configuration.
Step 2
Displays the names and sizes of the files in NVRAM.
Note
Erasing the Saved Configuration
To erase a saved configuration, perform one of these tasks:
Note
Caution
Backing Up the Keys and the Certificates
If an event occurs that interrupts the process of saving the keys and certificates to NVRAM (for example, a power failure), you could lose the keys and certificates that are being saved. You can obtain public keys and certificates from the certificate authority. However, you cannot recover private keys.
If a secure server is available, back up the key pairs and the associated certificate chain by exporting each trustpoint to a PKCS12 file. You can then import the PKCS12 files to recover the keys and certificates.
Security Guidelines
When backing up keys and certificates, observe the following guidelines:
•
•
•
•
Monitoring and Maintaining the Keys and Certificates
These tasks are optional:
•
•
•
Deleting the RSA Keys from the Module
Caution
Under certain circumstances you might want to delete the RSA keys from a module. For example, if you believe the RSA keys were compromised in some way and should no longer be used, you should delete the keys.
To delete all RSA keys from the module, perform this task in global configuration mode:
After you delete the RSA keys from a module, complete these two additional tasks:
•
•
Displaying the Keys and Certificates
To display the keys and certificates, perform one of these tasks in EXEC mode:
Deleting the Certificates from the Configuration
The module saves its own certificates and the certificate of the certificate authority. You can delete the certificates that are saved on the module.
To delete the certificate from the module configuration, perform this task in global configuration mode:
Deletes the certificate.
Assigning a Certificate to a Proxy Service
When you enter the certificate rsa general-purpose trustpoint trustpoint_label subcommand (under the ssl-proxy service proxy_service command), you assign a certificate to the specified proxy service. You can enter the certificate rsa general-purpose trustpoint subcommand multiple times for the proxy service.
If the trustpoint label is modified, the proxy service is taken out of service during the transition. Existing connections continue to use the old certificate until the connections are closed or cleared. New connections use the certificate from the new trustpoint, and the service is available again.
However, if the new trustpoint does not have a certificate yet, the operational status of the service remains down. New connections are not established until the new certificate is available. If the certificate is deleted by entering the no certificate rsa general-purpose trustpoint subcommand, the existing connections continue to use the certificate until the connections are closed or cleared. Although the certificate is obsolete, it is not removed from the proxy service until all connections are closed or cleared.
This example shows how to assign a trustpoint to a proxy service:
ssl-proxy# configure terminalssl-proxy(config)# ssl-proxy service s2ssl-proxy(config-ssl-proxy)# virtual ip 10.1.1.2 p tcp p 443ssl-proxy(config-ssl-proxy)# server ip 20.0.0.3 p tcp p 80ssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# certficate rsa general trustpoint tp-1ssl-proxy(config-ssl-proxy)# endssl-proxy#ssl-proxy# show ssl-proxy service s2Service id:6, bound_service_id:262Virtual IP:10.1.1.2, port:443Server IP:20.0.0.3, port:80rsa-general-purpose certificate trustpoint:tp-1Certificate chain in use for new connections:Server Certificate:Key Label:tp-1Serial Number:3C2CD2330001000000DBRoot CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Certificate chain completeAdmin Status:upOperation Status:upssl-proxy#This example shows how to change a trustpoint for a proxy service:
Note
ssl-proxy# configure terminalssl-proxy(config)# ssl-proxy service s2ssl-proxy(config-ssl-proxy)# certificate rsa general trustpoint tp-2ssl-proxy(config-ssl-proxy)# endssl-proxy#ssl-proxy# show ssl-proxy service s2Service id:6, bound_service_id:262Virtual IP:10.1.1.2, port:443Server IP:20.0.0.3, port:80rsa-general-purpose certificate trustpoint:tp-2Certificate chain in use for new connections:Server Certificate:Key Label:k2Serial Number:70FCBFEC000100000D65Root CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Obsolete certificate chain in use for old connections:Server Certificate:Key Label:tp-1Serial Number:3C2CD2330001000000DBRoot CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Certificate chain completeAdmin Status:upOperation Status:upssl-proxy#Renewing a Certificate
Some certificate authorities require that you generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Both cases are supported on the CSM-S.
The SSL server certificates usually expire in one or two years. Graceful rollover of certificates avoids sudden loss of services.
This example shows that the proxy service s2 is assigned trustpoint t2:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# ssl-proxy service s2ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint t2ssl-proxy(config-ssl-proxy)# endssl-proxy#ssl-proxy# show ssl-proxy service s2Service id:0, bound_service_id:256Virtual IP:10.1.1.1, port:443Server IP:10.1.1.10, port:80Nat pool:pool2rsa-general-purpose certificate trustpoint:t2Certificate chain in use for new connections:Server Certificate:Key Label:k2Serial Number:1DFBB1FD000100000D48Root CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Certificate chain completeAdmin Status:upOperation Status:upThis example shows that the key pair for trustpoint t2 is refreshed, and the old certificate is deleted from the Cisco IOS database. Graceful rollover starts automatically for proxy service s2.
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# crypto key generate rsa general-key k2 exportable% You already have RSA keys defined named k2.% Do you really want to replace them? [yes/no]:yesChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]:1024% Generating 1024 bit RSA keys ...[OK]ssl-proxy(config)#endssl-proxy# show ssl-proxy service s2Service id:0, bound_service_id:256Virtual IP:10.1.1.1, port:443Server IP:10.1.1.10, port:80Nat pool:pool2rsa-general-purpose certificate trustpoint:t2Certificate chain in graceful rollover, being renewed:Server Certificate:Key Label:k2Serial Number:1DFBB1FD000100000D48Root CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Server certificate in graceful rolloverAdmin Status:upOperation Status:upThis example shows that the existing and new connections use the old certificate until trustpoint t2 reenrolls. After trustpoint t2 reenrolls, the new connections use the new certificate; the existing connections continue to use the old certificate until the connections are closed.
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# crypto ca enroll t2%% Start certificate enrollment ..% The subject name in the certificate will be:CN=host1.cisco.com% The subject name in the certificate will be:ssl-proxy.cisco.com% The serial number in the certificate will be:00000000% The IP address in the certificate is 10.1.1.1% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Fingerprint: 6518C579 A0498063 C5795057 A6170 075ssl-proxy(config)# end*Sep 24 15:19:34.339:%CRYPTO-6-CERTRET:Certificate received from Certificate Authorityssl-proxy# show ssl-proxy service s2Service id:0, bound_service_id:256Virtual IP:10.1.1.1, port:443Server IP:10.1.1.10, port:80Nat pool:pool2rsa-general-purpose certificate trustpoint:t2Certificate chain in use for new connections:Server Certificate:Key Label:k2Serial Number:2475A2FC000100000D4DRoot CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Obsolete certificate chain in use for old connections:Server Certificate:Key Label:k2Serial Number:1DFBB1FD000100000D48Root CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Certificate chain completeAdmin Status:upOperation Status:upThis example shows that the obsolete certificate is removed after all of the existing connections are closed.
ssl-proxy# show ssl-proxy service s2Service id:0, bound_service_id:256Virtual IP:10.1.1.1, port:443Server IP:10.1.1.10, port:80Nat pool:pool2rsa-general-purpose certificate trustpoint:t2Certificate chain in use for new connections:Server Certificate:Key Label:k2Serial Number:2475A2FC000100000D4DRoot CA Certificate:Serial Number:313AD6510D25ABAE4626E96305511AC4Certificate chain completeAdmin Status:upOperation Status:upConfiguring the Automatic Certificate Renewal and Enrollment
When you configure the automatic enrollment, the module automatically requests a certificate from the certificate authority that is using the parameters in the configuration.
You can configure the certificate to automatically renew after a specified percentage of the validity time has passed. For example, if the certificate is valid for 300 days, and you specify renewal_percent as 80, the certificate automatically renews after 240 days have passed since the start validity time of the certificate.
Note
To enable automatic enrollment and renewal and to display timer information, perform this task:
This example shows how to enable automatic enrollment and auto renewal:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# crypto ca trustpoint tk21ssl-proxy(ca-trustpoint)# auto-enroll 90ssl-proxy(ca-trustpoint)# endssl-proxy# show crypto ca timersPKI Timers| 44.306| 44.306 RENEW tp-new|255d 5:28:32.348 RENEW tk21ssl-proxy#Enabling the Key and Certificate History
When you enter the ssl-proxy pki history command, you enable the SSL proxy services key and certificate history. This history creates a record for each addition or deletion of the key pair and certificate chain for a proxy service.
When you enter the show ssl-proxy certificate-history command, the records are displayed. Each record logs the service name, key pair name, time of generation or import, trustpoint name, certificate subject name and issuer name, serial number, and date.
You can store up to 512 records in memory. For each record, a syslog message is generated. The oldest records are deleted after the limit of 512 records is reached.
To enable key and certificate history and display the records, perform this task:
This example shows how to enable the key and certificate history and display the records for a specified proxy service:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)#ssl-proxy pki historyssl-proxy(config)#endssl-proxy# show ssl-proxy certificate-history service s2Record 1, Timestamp:00:00:22, 17:44:18 UTC Sep 29 2002Installed Server Certificate, Index 0Proxy Service:s2, Trust Point:t2Key Pair Name:k2, Key Usage:RSA General Purpose, Not ExportableTime of Key Generation:06:29:08 UTC Sep 28 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = ssl-proxy.cisco.com,OID.1.2.840.113549.1.9.8 = 10.1.1.1Issuer Name:CN = TestCA, OU = Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US,EA =<16> simpson-pki@cisco.comSerial Number:3728ADCD000100000D4FValidity Start Time:15:56:55 UTC Sep 28 2002End Time:16:06:55 UTC Sep 28 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordTotal number of certificate history records displayed = 1Caching the Peer Certificates
You can configure the SSL daughter card to cache the authenticated server and client (peer) certificates. Caching the authenticated peer certificates saves time by not requiring the SSL daughter card to authenticate the same certificate again. The SSL daughter card uses the cached certificate information when it receives the same peer certificate within a specified timeout interval and the verify option (signature-only or all) matches.
Note
In an environment where the SSL daughter card repeatedly receives a number of certificates and the risk is acceptable, caching the authenticated peer certificates can reduce the overhead.
For example, in a site-to-site VPN environment, where two SSL daughter cards authenticate each other's certificates during full handshakes, caching is applicable. A combination of verifying signature-only and caching authenticated peer certificates gives the best performance.
The peer certificates that expire within the specified time interval are not cached. The SSL daughter card uses the separate cache entries for signature-only and verify-all options. Matching the verify options is one of the criteria for a cache hit.
Since the same peer certificate can be received on the different proxy services at a different time, and each proxy service has its own certificate authority pool, the issuer of the peer certificate may be in the certificate authority pool of the previous proxy service and not in the certificate authority pool of the current proxy service. This situation is considered a cache miss, and the peer certificate is verified.
To cache the authenticated peer certificates, perform this task:
Configuring the Certificate Expiration Warning
You can configure the SSL daughter card to log warning messages when certificates have expired or will expire within a specified amount of time. When you enable certificate expiration warnings, the SSL daughter card checks every 30 minutes for the expiration information for the following:
•
•
•
You can specify a time interval between 1 and 720 hours.
Note
If a certificate will expire within the specified interval, or has already expired, the SSL daughter card logs a single warning message for the certificate.
In addition, you can enable the CISCO-SSL-PROXY-MIB certificate expiration trap to issue a trap each time that a proxy service certificate expiration warning is logged. For more information on configuring SNMP traps, see the "Configuring SNMP Traps" section on page 7-24.
To enable the certificate expiration warning and configure the warning interval, perform this task:
This example shows how to enable the certificate expiration warning and configure the warning interval:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# ssl-proxy pki certificate check-expiring interval 36*Nov 27 03:44:05.207:%STE-6-PKI_CERT_EXP_WARN_ENABLED:Proxy service certificate expirationwarning has been enabled. Time interval is set to 36 hours.ssl-proxy(config)# endThis example shows how to clear the internal memory of any previously logged warning messages and restart the logging process:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# ssl-proxy pki certificate check-expiring interval 0*Nov 27 03:44:15.207:%STE-6-PKI_CERT_EXP_WARN_DISABLED:Checking of certificate expiration has been disabled.ssl-proxy(config)# ssl-proxy pki certificate check-expiring interval 1*Nov 27 03:44:16.207:%STE-6-PKI_CERT_EXP_WARN_ENABLED:Proxy service certificate expirationwarning has been enabled. Time interval is set to 36 hours.ssl-proxy(config)# endThis example shows a syslog message for a proxy service certificate that will expire or has expired:
Jan 1 00:00:18.971:%STE-4-PKI_PROXY_SERVICE_CERT_EXPIRING:A proxy service certificate isgoing to expire or has expired at this time:20:16:26 UTC Sep 5 2004, proxy service:s7,trustpoint:tk21.This example shows a syslog message for a certificate authority certificate that is associated with one or more proxy services that will expire or has expired:
Jan 1 00:00:18.971:%STE-4-PKI_PROXY_SERVICE_CA_CERT_EXPIRING:A CA certificate is going toexpire or has expired at this time:22:19:38 UTC Mar 4 2004, subject name:CN = ExampleCA,OU = Example Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =example@cisco.com, serial number:313AD6510D25ABAE4626E96305511AC4.This example shows a syslog message for a certificate authority certificate assigned to a trusted certificate authority pool that will expire or has expired:
Jan 1 00:00:18.971:%STE-4-PKI_CA_POOL_CERT_EXPIRING:A CA certificate in a CApool is goingto expire or has expired at this time:22:19:38 UTC Mar 4 2004, CA pool:pool2,trustpoint:tp1-root.Configuring the Certificate Authentication
This section describes how to configure client and server authentication:
•
•
•
When you configure client or server certificate authentication, you need to specify the form of verification as signature-only or all. Both options check the validity start time and validity end time of each certificate being authenticated. If the start time is in the future or the end time has passed, the SSL daughter card does not accept the certificate.
When you enter the verify signature-only command, the SSL daughter card verifies the certificate chain from the peer certificate to the next certificate (which should be the issuer of the previous certificate), then to the next certificate, and so on until one of the following conditions is met:
•
•
When you enter the verify all command, the SSL daughter card sorts the certificate chain in order, ignoring any unrelated or redundant certificates. The SSL daughter card determines if the top-most certificate in the sorted chain is issued by a trusted certificate authority or if it matches a trusted certificate authority certificate.
If the SSL daughter card cannot trust the top-most certificate, the chain is rejected.
If the SSL daughter card trusts the top-most certificate, then the SSL daughter card performs the following for each certificate in the chain:
•
•
•
If you verify only the signature, that verification process checks only the validity and signature of a minimum number of certificates in the chain. Verifying all performs more checking and validates all the certificates received, but takes longer and uses more CPU time.
You can download and update CRLs by entering CLI commands to reduce real-time delay. However, the CRL lookup is a slow process. See the "Certificate Revocation List" section for infomation about the CRLs.
Client Certificate Authentication
When you configure the SSL daughter card as an SSL server, you can configure the SSL daughter card to authenticate the SSL client. In this case, the SSL daughter card requests a certificate from the SSL client for authentication.
To authenticate the SSL client, the SSL daughter card verifies the following:
•
•
•
For verifying the SSL client certificates, the SSL daughter card is configured with a list of trusted certificate authorities (certificate authority pool). A trusted certificate authority pool is a subset of the trusted certificate authorities in the database. The SSL daughter card trusts only the certificates issued by the certificate authorities that you configure in the certificate authority pool.
Note
Note
Note
To configure client authentication, perform this task:
Step 1
ssl-proxy(config)# ssl-proxy pool ca_pool_name
Creates the certificate authority pool.
Note
Step 2
ssl-proxy(config-ssl-proxy)# ca trustpoint ca_trustpoint_label1
Adds a trusted certificate authority to the pool.
Note
Step 3
ssl-proxy(config-ssl-proxy)# exit
Returns to config mode.
Step 4
ssl-proxy(config)# ssl-proxy service proxy_name
Defines the name of the SSL server proxy service.
Step 5
ssl-proxy(config-ssl-proxy)# trusted-ca ca_pool_name
Associates the trusted certificate authority pool with the proxy service.
Step 6
ssl-proxy(config-ssl-proxy)# authenticate verify {signature-only2 | all3 }
Enables the client certificate authentication and specifies the form of verification.
Note
Step 7
ssl-proxy(config-ssl-proxy)# exit
Exits from configuration mode.
1 The SSL daughter card supports up to eight levels of certificate authority. We recommend that you add all levels of certificate authority, or at least the root certificate authority, to the certificate authority pool.
2 When you verify signature-only, the authentication stops at the level corresponding to one of the trusted certificate authority trustpoints in the trusted certificate authority pool.
3 When you verify all, the highest level issuer in the certificate chain must be configured as a trusted certificate authority trustpoint. The SSL daughter card authenticates all the certificates in the peer certificate chain and stops only at the highest level certificate authority. There must be a certificate authority trustpoint for the highest level certificate authority, and this trustpoint should be authenticated.
This example shows how to configure a client certificate authentication verifying the signature only:
ssl-proxy(config)# crypto ca trustpoint rootcassl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# exitssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate rootcaEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#ssl-proxy(config)# ssl-proxy pool ca rootcassl-proxy(config-ca-pool)# ca trustpoint rootcassl-proxy(config-ca-pool)# ^Zssl-proxy(config)# ssl-proxy service client-auth-sig-onlyssl-proxy(config-ssl-proxy)# virtual ipaddr 14.0.0.1 protocol tcp port 443ssl-proxy(config-ssl-proxy)# server ipaddr 24.0.0.1 protocol tcp port 80ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint test-certssl-proxy(config-ssl-proxy)# trusted-ca rootcassl-proxy(config-ssl-proxy)# authenticate verify signature-onlyssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# !This example shows how to configure a client certificate authentication verifying all:
ssl-proxy(config)# crypto ca trustpoint rootcassl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# exitssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate rootcaEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#ssl-proxy(config)# ssl-proxy pool ca rootcassl-proxy(config-ca-pool)# ca trustpoint rootcassl-proxy(config-ca-pool)# ^Zssl-proxy(config)# ssl-proxy service client-auth-verify-allssl-proxy(config-ssl-proxy)# virtual ipaddr 14.0.0.2 protocol tcp port 443ssl-proxy(config-ssl-proxy)# server ipaddr 24.0.0.1 protocol tcp port 80ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint test-certssl-proxy(config-ssl-proxy)# trusted-ca rootcassl-proxy(config-ssl-proxy)# authenticate verify allssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# !Server Certificate Authentication
When you configure the SSL daughter card as an SSL client (for example, for back-end encryption), the SSL daughter card always authenticates the SSL server.
To authenticate the SSL server, the SSL daughter card verifies the following:
•
•
•
By default, the SSL daughter card accepts any certificate issued by any certificate authority trustpoint that has a certificate, is not listed in the CRL, and is not rejected by an ACL.
Optionally, you can create a trusted certificate authority pool and associate it with the proxy service. In this case, the SSL daughter card accepts only certificates that are issued by the certificate authorities in the pool.
You can also select to verify only the signature by entering the authenticate verify signature-only command. Verifying the signature skips CRL and ACL checking. You must configure a trusted certificate authorities pool in order to specify the signature-only option.
To configure server certificate authentication, perform this task:
Step 1
Creates the certificate authority pool.
Note
Step 2
Adds a trusted certificate authority to the pool.
Note
Step 3
Returns to config mode.
Step 4
Defines the name of the SSL client proxy service.
Note
Step 5
ssl-proxy(config-ssl-proxy)# trusted-ca ca_pool_name(Optional) Associates the certificate authority pool with the proxy service.
Note
Step 6
(Optional) Enables the server certificate authentication and specifies the form of verification.
Note
Step 7
Exits configuration mode
1 The SSL daughter card supports up to eight levels of certificate authority. We recommend that you add all levels of certificate authority, or at least the root certificate authority, to the certificate authority pool.
2 When you verify signature-only, the authentication stops at the level corresponding to one of the trusted certificate authority trustpoints in the trusted certificate authority pool.
3 When you verify all, the highest level issuer in the certificate chain must be configured as a trusted certificate authority trustpoint. The SSL daughter card authenticates all the certificates in the peer certificate chain and stops only at the highest level certificate authority. There must be a certificate authority trustpoint for the highest level certificate authority, and this trustpoint should be authenticated.
This example shows how to configure the server certificate authentication verifying the signature only:
ssl-proxy(config)# crypto ca trustpoint rootcassl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# exitssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate rootcaEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#ssl-proxy(config)# ssl-proxy pool ca rootcassl-proxy(config-ca-pool)# ca trustpoint rootcassl-proxy(config-ca-pool)# ^Zssl-proxy(config)# ssl-proxy service client-proxy-sig-only clientssl-proxy(config-ssl-proxy)# virtual ipaddr 14.0.0.3 protocol tcp port 81ssl-proxy(config-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 443ssl-proxy(config-ssl-proxy)# trusted-ca rootcassl-proxy(config-ssl-proxy)# authenticate verify signature-onlyssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# !This example shows how to configure the server certificate authentication verifying all:
ssl-proxy(config)# crypto ca trustpoint rootcassl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# exitssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate rootcaEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#ssl-proxy(config)# ssl-proxy pool ca rootcassl-proxy(config-ca-pool)# ca trustpoint rootcassl-proxy(config-ca-pool)# ^Zssl-proxy(config)# ssl-proxy service client-proxy-verify-all clientssl-proxy(config-ssl-proxy)# virtual ipaddr 14.0.0.4 protocol tcp port 81ssl-proxy(config-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 443ssl-proxy(config-ssl-proxy)# trusted-ca rootcassl-proxy(config-ssl-proxy)# authenticate verify allssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# ^ZThis example shows how to configure the server certificate authentication verifying all; the SSL daughter card is configured as a client and sends its certificate to the SSL server if it is requested.
ssl-proxy(config)# crypto ca trustpoint rootcassl-proxy(ca-trustpoint)# enrollment terminalssl-proxy(ca-trustpoint)# crl optionalssl-proxy(ca-trustpoint)# exitssl-proxy(config)#ssl-proxy(config)# crypto ca authenticate rootcaEnter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2FuIGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIxNTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNVBAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5lVQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGXBgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9cXGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wyYjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IOEoBcmZteA+TQcKg=-----END CERTIFICATE-----Certificate has the following attributes:Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedssl-proxy(config)#ssl-proxy(config)# ssl-proxy pool ca rootcassl-proxy(config-ca-pool)# ca trustpoint rootcassl-proxy(config-ca-pool)# ^Zssl-proxy(config)# ssl-proxy service client-proxy-sending-client-cert clientssl-proxy(config-ssl-proxy)# virtual ipaddr 14.0.0.5 protocol tcp port 81ssl-proxy(config-ssl-proxy)# server ipaddr 24.0.0.3 protocol tcp port 443ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint test-certssl-proxy(config-ssl-proxy)# trusted-ca rootcassl-proxy(config-ssl-proxy)# authenticate verify allssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# !Certificate Revocation List
A certificate revocation list (CRL) is a time-stamped list that identifies the certificates that should no longer be trusted. Each revoked certificate is identified in a CRL by its certificate serial number. When a participating peer device uses a certificate, that device not only checks the certificate signature and validity but also checks that the certificate serial number is not on that CRL.
Note
This section describes how to download and configure CRLs:
•
•
Downloading the CRL
If the certificate being validated contains a CRL distribution point (CDP) extension field, the module uses the CDP as the download path. The SSL daughter card supports three types of CDPs:
•
For example, http://hostname/file.crl
•
For example, CN=CRL,O=cisco,C=us
•
For example, ldap://hostname/CN=CRL,O=cisco,C=us
If the certificate does not have a CDP, the SSL daughter card looks for a trustpoint that is associated with the certificate. If the SSL daughter card finds one or more associated trustpoints, the SSL daughter card uses one of the trustpoints to determine the download path and protocol using the SCEP enrollment URL. If there is no SCEP enrollment URL, the validation fails.
Note
The SSL daughter card does not perform a CRL lookup on the root certificate authority certificates because of the following reasons:
•
•
If the download path is not known, or if the download operation fails, the peer certificate chain is rejected.
After the module downloads the CRL, the module checks to see if the serial number of the certificate appears on the CRL. If the serial number of the certificate being validated appears on the CRL, the peer certificate chain is rejected.
Note
Configuring the CRL Options
Note
By default, the SSL daughter card always performs a CRL lookup if the trustpoint has been selected to validate a certificate. If the CRL is not in the database or has expired, the SSL daughter card dowloads a CRL and saves it to the database for later use. If the CRL download fails, the SSL daughter card rejects the certificate that is being validated.
You can configure two options for CRL lookup:
•
If the SSL daughter card finds a CRL in the database and has not expired, then the SSL daughter card performs a CRL lookup. If the SSL daughter card does not find a CRL, the SSL daughter card attempts to download a CRL. However, if the CRL download fails, the SSL daughter card accepts the certificate.
•
If the SSL daughter card finds a CRL in the database that has not expired, then the SSL daughter card performs a CRL lookup. If the SSL daughter card does not find the CRL, the SSL daughter card accepts the certificate. The SSL daughter card makes no attempt to download a CRL.
To configure the CRL options, perform this task:
Updating a CRL
A CRL can be reused with subsequent certificates until the CRL expires.
If the specified NextUpdate time of the CRL is reached, the CRL is deleted. Enter the show crypto ca timers command to display the time remaining for the CRL.
If a CRL has not expired yet, but you suspect that the contents of the CRL are out of date, you can download the latest CRL immediately to replace the old CRL.
To request immediate download of the latest CRL, perform this task:
Requests an updated CRL.
This command replaces the currently stored CRL with the newest version of the CRL.
Note
This example shows how to download the CRL that is associated with the trustpoint "tp-root:"
ssl-proxy(config)# crypto ca crl request tp-rootEntering the X.500 CDP Information
You can enter the host name and port if the CDP is in X.500 DN format. The query takes the information in the following form: ldap://hostname:[port]
For example, if a certficate being validated has the following:
•
•
then the two parts are combined to form the complete URL as follows:
ldap://10.1.1.1/CN=CRL,O=Cisco,C=US
Note
To query the CRL with the X.500 URL, perform this task:
Queries the CRL with the X.500 URL. The URL used to query the CRL must be an X.500 URL.
Entering a CRL Manually
If the certificate authority server does not publish the CRL online (through HTTP, LDAP, or SCEP), you can get a hexadecimal dump of the CRL offline and enter it manually.
To enter the CRL manually, perform this task:
This example shows how to enter a CRL manually:
ssl-proxy(config)# crypto ca certificate chain tpssl-proxy(config-cert-chain)# crlEnter the CRL in hexadecimalidecimal representation....ssl-proxy(config-pubkey)# 30 82 01 7E 30 81 E8 30 0D 06 09 2A 86 48 86 F7ssl-proxy(config-pubkey)# 0D 01 01 05 05 00 30 16 31 14 30 12 06 03 55 04ssl-proxy(config-pubkey)# 03 13 0B 69 6F 73 2D 72 6F 6F 74 20 43 41 17 0Dssl-proxy(config-pubkey)# 30 33 31 32 31 31 32 33 33 37 35 34 5A 17 0D 30ssl-proxy(config-pubkey)# 33 31 32 31 38 32 33 33 37 35 34 5A 30 81 A0 30ssl-proxy(config-pubkey)# 12 02 01 04 17 0D 30 33 31 30 31 34 32 32 32 35ssl-proxy(config-pubkey)# 30 34 5A 30 12 02 01 03 17 0D 30 33 31 30 31 34ssl-proxy(config-pubkey)# 32 32 32 35 33 30 5A 30 12 02 01 05 17 0D 30 33ssl-proxy(config-pubkey)# 31 31 31 33 31 39 30 39 33 36 5A 30 12 02 01 06ssl-proxy(config-pubkey)# 17 0D 30 33 31 31 31 33 31 39 32 30 34 32 5A 30ssl-proxy(config-pubkey)# 12 02 01 07 17 0D 30 33 31 31 31 33 32 32 30 35ssl-proxy(config-pubkey)# 35 32 5A 30 12 02 01 08 17 0D 30 33 31 31 31 33ssl-proxy(config-pubkey)# 32 32 34 34 32 30 5A 30 12 02 01 2B 17 0D 30 33ssl-proxy(config-pubkey)# 31 31 31 33 32 33 33 36 35 37 5A 30 12 02 01 09ssl-proxy(config-pubkey)# 17 0D 30 33 31 31 31 33 32 33 33 37 34 38 5A 30ssl-proxy(config-pubkey)# 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81ssl-proxy(config-pubkey)# 81 00 67 DE 12 99 9F C5 DF 4A F8 24 76 CE 98 4Fssl-proxy(config-pubkey)# 7C 5C 72 1C E0 00 A9 CE 08 6E 46 8F 4D 1B FA 8Essl-proxy(config-pubkey)# C9 DE CF AC 13 7D 2F BF D4 A6 C2 7B E2 31 B1 ECssl-proxy(config-pubkey)# 99 83 54 B3 11 24 6F C3 C3 93 C4 53 38 B6 72 86ssl-proxy(config-pubkey)# 0A 30 F2 95 71 AE 15 66 87 3E C1 7F 8B 46 6F A9ssl-proxy(config-pubkey)# 77 D0 FF D4 FC 73 83 79 98 BD 40 DB C1 72 9D 95ssl-proxy(config-pubkey)# 9B 57 D1 3C 2F EF B6 63 6B 5B E4 35 40 52 2D 3Assl-proxy(config-pubkey)# 19 1A 4E CA 70 C6 ED 49 7A 7C 01 88 B9 CA 14 7Bssl-proxy(config-pubkey)# 0E 1Fssl-proxy(config-pubkey)# quitssl-proxy(config-cert-chain)# endDisplaying the CRL Information
To display information about the CRLs, perform this task:
Displays the expiration date and time of each CRL in the database.
This example shows the expiration date and time of each CRL in the database:
ssl-proxy# show crypto ca crlsCRL Issuer Name:CN = test-root-CA, OU = lab, O = cisco, L = san jose, ST = california, C = USLastUpdate:19:08:45 UTC Dec 3 2003NextUpdate:20:13:45 UTC Dec 3 2003Retrieved from CRL Distribution Point:http://test-ca/CertEnroll/test-root-CA.crlDeleting a CRL
Note
To delete a CRL, enter the no crl command for any certificate chain of a trustpoint.
To delete a CRL, perform this task:
This example shows how to delete the CRL:
ssl-proxy(config)# crypto ca certificate chain tp1ssl-proxy(config-cert-chain)# no crlssl-proxy(config-cert-chain)# endCertificate Security Attribute-Based Access Control
The Certificate Security Attribute-Based Access Control feature adds fields to the certificate that allow you to specify an access control list (ACL), so that you can create a certificate-based ACL.
For information on configuring the certificate security attribute-based access control, refer to Certificate Security Attribute-Based Access Control at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftcrtacl.htm
Feedback