Configuring CA Support


When you decide you will be using a CA to support your IPSec implementation, you first need to decide what type of CA you will use: a local CA administered by your staff or a remote CA administered by the CA company. Either way, once you decide on CA usage, you need to make sure your router is set up to use it.

Managing NVRAM

Cisco IOS routers usually have a limited amount of NVRAM. NVRAM is the nonvolatile portion of memory where your saved configuration is stored. Knowing the amount of NVRAM is crucial because NVRAM is the location where your digital certificates along with other items are stored.

If you have a very large configuration or other files that take up most of your NVRAM, you can still use digital certificates. If you enable query mode on your router, then the router attempts to retrieve the digital certificates and store them in memory when they are required. To enable query mode, issue the following command from global configuration:

 Router(config)# crypto ca certificate query

Setting Time and Time Zones

If you need to set the date and time, issue the following command:

 Router# clock set <hh:mm:ss> <day> <month> <year>

If you have set your router's clock to Coordinated Universal Time (UTC), you need to configure your router for the proper time zone and offset. To set your time zone and offset from UTC, issue the following command:

 Router(config)# clock timezone <name> <offset-value>

For example, to set your router to Pacific Standard Time (PST), which is 8 hours behind UTC, issue the following command:

 Router(config)# clock timezone PST -8

Configuring the Router Hostname

Because digital certificates bind an entity to a public key, you must define the entity name as well as the domain the entity will reside in. For a router named R1 in the acmecomp.com domain, you would issue the following commands:

 Router(config)# hostname R1
 R1(config)# ip domain-name acmecomp.com

Generating an RSA Key Pair

Once you have the clock set correctly on your router and the hostname set, you need to create your RSA key pair. To do so, issue the following command:

 R1(config)# crypto key generate rsa [usage-keys]

Some CAs require you to have a specific key pair for integrity checks and a completely different key pair for encrypting bulk data. To generate two RSA key pairs, add the usage-keys keyword to the command.

Declaring a CA

To declare which CA you will use, you first need to obtain certain CA information, such as the type of CA it is, the CA's IP address, and the URL the CA uses. Once you have this information, you can then begin the declaration process by issuing the following:

 R1(config)# crypto ca identity <name>

To declare a CA that you want to alias as MYCA, you would issue the following:

 R1(config)# crypto ca identity MYCA

The <name> parameter identifies the CA by an alias called <name> and puts you in ca-identity configuration mode.

In ca-identity configuration mode, you need to identify the specific URL used to contact the CA:

 R1(ca-identity)# enrollment url http://30.1.3.5/cgi-bin

You can also (optionally) identify whether your CA uses an RA:

 R1(ca-identity)# enrollment mode ra

If you want to specify that the CRL check is optional, you issue the following:

 R1(ca-identity)# crl optional

Authenticating CA

When you authenticate the CA, you are actually requesting and obtaining the CA's self-signed root certificate. To authenticate a CA named MYCA, issue the following:

 R1(config)# crypto ca authenticate MYCA

If your CA supports the use of an RA, the RA digital certificate will also be downloaded to the router.

Requesting an Identity Certificate

Once you have a copy of the CA's root certificate, you can request and obtain your own digital certificate. To request and obtain your own certificate from the MYCA CA, you would issue the following command:

 R1(config)# crypto ca enroll MYCA

When you issue this command, the router requests a challenge password. This challenge password is stored by the CA and can be used to revoke the certificate if it ever becomes compromised.

Note: The challenge password is not stored anywhere in the configuration. Once you issue this command along with the challenge password, the CA sends a copy of its root certificate to the router.


Saving the Configuration

When you are done with your CA configuration and have obtained all required digital certificates, you must save your configuration so it will not be lost if a power outage occurs. To save your configuration, issue the following command:

 R1# copy running-config startup-config
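The steps above can be checked before enrolling. As an added example that is not from the book, the following Python script parses a constructed IOS running-config fragment built from this chapter's commands and flags the prerequisites a reviewer would confirm before issuing crypto ca enroll (hostname changed from the default, ip domain-name and clock timezone set, a crypto ca identity with an enrollment url) and whether crl optional has been left on. The sample configuration, the dictionary layout and the finding texts are all assumptions made for this example.

```python
# Constructed IOS config fragment built from this chapter's commands (not a real router)
SAMPLE_CONFIG = """\
hostname R1
ip domain-name acmecomp.com
clock timezone PST -8
crypto ca identity MYCA
 enrollment url http://30.1.3.5/cgi-bin
 crl optional
"""
def parse_ca_config(text):
    """Return hostname, domain, timezone and the ca-identity blocks of a config."""
    cfg = {"hostname": None, "domain": None, "timezone": None, "identities": {}}
    current = {}                          # sink for sub-mode lines outside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):          # indented: ca-identity sub-mode
            sub = line.strip()
            if sub.startswith("enrollment url "):
                current["enrollment_url"] = sub.split(" ", 2)[2]
            elif sub == "crl optional":
                current["crl_optional"] = True
            continue
        current = {}                      # a top-level command ends the block
        if line.startswith("hostname "):
            cfg["hostname"] = line.split(" ", 1)[1]
        elif line.startswith("ip domain-name "):
            cfg["domain"] = line.split(" ", 2)[2]
        elif line.startswith("clock timezone "):
            cfg["timezone"] = line.split(" ", 2)[2]
        elif line.startswith("crypto ca identity "):
            current = cfg["identities"].setdefault(line.split(" ", 3)[3], {"crl_optional": False})
    return cfg

def audit_ca_config(text):
    """List what a reviewer would flag before running 'crypto ca enroll'."""
    cfg = parse_ca_config(text)
    checks = [
        (cfg["hostname"] in (None, "Router"), "hostname unset or still the default 'Router'"),
        (not cfg["domain"], "ip domain-name missing; certificate subject is incomplete"),
        (not cfg["timezone"], "clock timezone missing; validity-period checks may be wrong"),
        (not cfg["identities"], "no crypto ca identity declared"),
    ]
    findings = [msg for bad, msg in checks if bad]
    for alias, ident in cfg["identities"].items():
        if "enrollment_url" not in ident:
            findings.append(f"{alias}: enrollment url missing")
        if ident["crl_optional"]:
            findings.append(f"{alias}: crl optional set; peers accepted even without a CRL")
    return findings
```

Run audit_ca_config against the output of show running-config; an empty list means every prerequisite in this chapter is present and CRL checking is mandatory.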


CCSP SECUR Exam Cram 2 (642-501)
Author: Raman Sud
Year: 2003
Pages: 291
ISBN: B000MU86IQ
