Configuring Cisco IOS certificate server

Here’s the topology I’m going to use to configure a Cisco IOS Certificate Server:


1. Set the clock on all the routers that use certificates.

Every certificate has a “validity” field that specifies the date and time before and after which the certificate is considered invalid, so the clock must be set correctly on every device that uses certificate services.

You can do this either by configuring NTP on the routers or by setting the clock manually with the clock set command from exec mode. NTP is the better choice, because a clock that drifts far enough will make otherwise valid certificates fail validation.

2. Next, enable the HTTP server on the Server (the client enrolls over SCEP, which runs on top of HTTP)

Server(config)#ip http server

[Screenshot: step 1]

3. Now create an RSA key-pair on the Server

Server(config)#crypto key generate rsa label VPN-KEYS modulus 1024 exportable

[Screenshot: step 2]

4. Create a trust-point on the Server and specify the RSA key pair to be used

Server(config)#crypto pki trustpoint CA
Server(ca-trustpoint)#rsakeypair VPN-KEYS

[Screenshot: step 3]

5. Now create a certificate server on the Server, using the same name as the trust-point, and configure its parameters

Server(config)#crypto pki server CA
Server(cs-server)#issuer-name CN=cisco.lab.local C=IN
Server(cs-server)#database url nvram:
Server(cs-server)#database level complete
Server(cs-server)#hash sha512
Server(cs-server)#lifetime certificate 365
Server(cs-server)#lifetime ca-certificate 365
Server(cs-server)#no grant auto
Server(cs-server)#lifetime crl 24
Server(cs-server)#no shutdown

Once you enter the no shutdown command, you’ll be prompted for a password; choose one (e.g. cisco123) and enter it twice. This should turn on the Certificate Services, as seen in the screenshot below.

[Screenshot: step 4]

6. Now create an RSA key pair on the Client

Client(config)#crypto key generate rsa label VPN-KEYS modulus 1024 exportable

[Screenshot: step 5]

7. Create a trust-point on the Client, specifying the RSA key pair to be used and the enrollment URL of the Server

Client(config)#crypto pki trustpoint CA
Client(ca-trustpoint)#enrollment url
Client(ca-trustpoint)#revocation-check crl
Client(ca-trustpoint)#rsakeypair VPN-KEYS

[Screenshot: step 6]

8. Authenticate the Server

Client(config)#crypto pki authenticate CA

Once you authenticate the CA, you’ll be presented with the MD5 and SHA1 fingerprints of its certificate. Compare them against the fingerprints obtained out of band (for example from the Server’s own console) before accepting; this is the only step that protects the enrollment against a forged CA. Accept the certificate as shown in the screenshot below.

[Screenshot: step 7]
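As an added example (not part of the original post), the following script fetches the CA certificate the same way the IOS client does, via an SCEP GetCACert request, and prints its MD5 and SHA1 fingerprints in the 8-hex-digit grouping IOS uses, so the values shown by crypto pki authenticate can be checked against an independent copy. The server address is a placeholder, since the post does not show the enrollment URL.

```python
"""Independent check of the CA fingerprints shown by 'crypto pki authenticate CA'."""
import hashlib
import urllib.request

# Placeholder address (assumption): the post does not show the Server's enrollment URL.
# IOS CA serves SCEP at /cgi-bin/pkiclient.exe under the HTTP server enabled in step 2.
SCEP_URL = "http://192.0.2.1/cgi-bin/pkiclient.exe"


def ios_fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of a DER certificate in IOS style: upper-case hex in groups of 8."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def ios_fingerprints(der: bytes) -> dict:
    """MD5 and SHA1 fingerprints as 'crypto pki authenticate' prints them."""
    return {"MD5": ios_fingerprint(der, "md5"), "SHA1": ios_fingerprint(der, "sha1")}


def fetch_ca_cert(scep_url: str = SCEP_URL, timeout: float = 5.0) -> bytes:
    """SCEP GetCACert (RFC 8894): with a single CA the response body is the DER cert itself."""
    req = urllib.request.Request(f"{scep_url}?operation=GetCACert&message=CA")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        body = resp.read()
    # An RA/chain deployment answers with a PKCS#7 bundle (x-x509-ca-ra-cert); not handled here.
    if ctype != "application/x-x509-ca-cert":
        raise ValueError(f"unexpected Content-Type {ctype!r}; expected a single DER CA cert")
    return body


def fingerprints_match(der: bytes, console_md5: str, console_sha1: str) -> bool:
    """Compare the router's console output (spacing and case ignored) with computed digests."""
    def norm(s: str) -> str:
        return s.replace(" ", "").upper()
    fp = ios_fingerprints(der)
    return norm(fp["MD5"]) == norm(console_md5) and norm(fp["SHA1"]) == norm(console_sha1)


if __name__ == "__main__":
    der = fetch_ca_cert()
    for name, value in ios_fingerprints(der).items():
        print(f"Fingerprint {name}: {value}")
```

Paste the two lines IOS prints into fingerprints_match; any mismatch means the certificate offered to the client is not the one the Server holds.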

9. Enroll the Client to the CA

Client(config)#crypto pki enroll CA

Once you enter the above command, enter the same password that was used to enable the certificate authority (cisco123 in this example), as shown in the screenshot below.

Before the request is sent to the server, you can optionally choose to include the subject name and the router’s serial number in the certificate.

[Screenshot: step 8]

10. Grant the certificate request on the Server

Since we issued the “no grant auto” command on the CA, each certificate request has to be granted manually; this is the point at which you confirm that a pending request really came from the intended client before the CA signs it. Check the pending certificate requests on the CA with the crypto pki server CA info requests command.

[Screenshot: step 9]

Enter the crypto pki server CA grant all command to grant all the pending requests (a single request can be granted by its request ID instead of all).

[Screenshot: step 10]

On the Client, use the show crypto pki certificates command to view the CA’s certificate and the identity certificate received from the CA.

[Screenshot: step 11]

Download running configuration of both routers
