When you decide you will be using a CA to support your IPSec implementation, you first need to decide what type of CA you will use: a local CA administered by your staff or a remote CA administered by the CA company. Either way, once you decide on CA usage, you need to make sure your router is set up to use it.

Managing NVRAM

Cisco IOS routers usually have a limited amount of NVRAM. NVRAM is the nonvolatile portion of memory where your saved configuration is stored. Knowing the amount of NVRAM is crucial because NVRAM is also the location where your digital certificates, along with other items, are stored. If you have a very large configuration or other files that take up most of your NVRAM, you can still use digital certificates: if you enable query mode on your router, the certificates are not written to NVRAM; instead, the router retrieves them from the CA and holds them in memory when they are required. The router must therefore be able to reach the CA whenever it needs the certificates, for example after a reload. To enable query mode, issue the following command from global configuration:

    Router(config)# crypto ca certificate query

Setting Time and Time Zones

Certificates carry validity dates, so the router's clock must be correct before you generate keys or enroll. If you need to set the date and time, issue the following command:

    Router# clock set <hh:mm:ss> <day> <month> <year>

If you have set your router's clock to Coordinated Universal Time (UTC), you need to configure your router for the proper time zone and offset. To set your time zone and offset from UTC, issue the following command:

    Router(config)# clock timezone <name> <offset-value>

For example, if you want to set your router to Pacific Standard Time, which is 8 hours behind UTC, you would issue the following command:

    Router(config)# clock timezone PST -8

Configuring the Router Hostname

Because digital certificates bind an entity to a public key, you must define the entity name as well as the domain the entity will reside in.
For a router named R1 in the acmecomp.com domain, you would issue the following commands:

    Router(config)# hostname R1
    R1(config)# ip domain-name acmecomp.com

Generating an RSA Key Pair

Once you have the clock set correctly on your router and the hostname set, you need to create your RSA key pair. To do so, issue the following command:

    R1(config)# crypto key generate rsa [usage-keys]

Some CAs require you to have one key pair for signing (integrity checks) and a completely different key pair for encryption. To generate two sets of RSA key pairs, add the usage-keys keyword. The router names the key pair after the hostname and domain name (here R1.acmecomp.com), which is why both must be set before you generate it.

Declaring a CA

To declare which CA you will use, you first need to obtain certain CA information, such as the type of CA it is, the CA's IP address, and the URL the CA uses for enrollment. Once you have this information, you can then begin the declaration process by issuing the following:

    R1(config)# crypto ca identity <name>

The <name> parameter identifies the CA by an alias called <name> and puts you in ca-identity configuration mode. To declare a CA that you want to alias as MYCA, you would issue the following:

    R1(config)# crypto ca identity MYCA

In ca-identity configuration mode, you need to identify the specific URL used to contact the CA:

    R1(ca-identity)# enrollment url http://30.1.3.5/cgi-bin

You can also (optionally) identify whether your CA uses an RA:

    R1(ca-identity)# enrollment mode ra

If you want to specify that the CRL check is optional, you issue the following:

    R1(ca-identity)# crl optional

With crl optional, the router still attempts to retrieve the CRL but accepts a peer's certificate when the CRL cannot be obtained; without it, the peer's certificate is rejected until a CRL is available. Use it only where the CRL distribution point may be unreachable and you accept the weaker revocation checking that results.

Authenticating the CA

When we authenticate the CA, we are actually requesting and obtaining the CA's self-signed root certificate. To authenticate a CA named MYCA, we would issue:

    R1(config)# crypto ca authenticate MYCA

If your CA supports the use of an RA, the RA digital certificate will also be downloaded to the router. The router displays the fingerprint of the root certificate it received and asks whether to accept it; compare that fingerprint, out of band, with the value published by the CA administrator before answering yes, because every certificate the router trusts from now on chains to this one.

Requesting an Identity Certificate

Once you have a copy of the CA's root certificate, you can request and obtain your own digital certificate.
To request and obtain your own certificate from the MYCA CA, you would issue the following command:

    R1(config)# crypto ca enroll MYCA

When you issue this command, the router prompts you for a challenge password. This challenge password is stored by the CA and must be supplied to the CA administrator if you ever need to revoke the certificate, for example after the router's private key is compromised. Record it somewhere safe: the router does not keep a copy.
Saving the Configuration

When you are done with your CA configuration and have obtained all required digital certificates, you must save your configuration so it will not be lost if a power outage occurs. To save your configuration, issue the following command:

    R1# copy running-config startup-config
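The steps above, run through in order as one session, are shown below as an added example; this is not a transcript from the original text. The hostname R1, domain acmecomp.com, CA alias MYCA and enrollment URL http://30.1.3.5/cgi-bin are the ones the text uses; the date and time, the 2048-bit modulus, and the show commands used to check each step are assumptions chosen for the illustration.

```cisco
! Added example (not from the original text): complete CA setup for router R1.
! Assumed values: the date/time, the PST time zone and the 2048-bit RSA modulus.

! 1. Clock first: certificates have validity periods, so an unset clock produces
!    certificates that are not yet valid or already expired.
Router# clock set 14:30:00 12 March 2003
Router# configure terminal
Router(config)# clock timezone PST -8
Router(config)# exit
! Confirm the clock before going further.
Router# show clock

! 2. Identity: the RSA key name and the certificate subject are built from
!    hostname + domain, so both must be set before key generation.
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name acmecomp.com

! 3. General-purpose RSA key pair. Add the usage-keys keyword instead if the CA
!    requires separate signing and encryption key pairs.
R1(config)# crypto key generate rsa modulus 2048
R1(config)# exit
! The key should be listed under the name R1.acmecomp.com.
R1# show crypto key mypubkey rsa
R1# configure terminal

! 4. Declare the CA. crl optional is deliberately left out: a peer certificate
!    is then rejected until its CRL can be checked, which is the safer default.
!    Add "enrollment mode ra" here if the CA fronts enrollment with an RA, and
!    "crypto ca certificate query" in global configuration if NVRAM is scarce.
R1(config)# crypto ca identity MYCA
R1(ca-identity)# enrollment url http://30.1.3.5/cgi-bin
R1(ca-identity)# exit

! 5. Fetch the CA root certificate. The router prints its fingerprint and asks
!    whether to accept it; compare the fingerprint with the value obtained from
!    the CA administrator out of band before answering yes.
R1(config)# crypto ca authenticate MYCA

! 6. Enroll. Write down the challenge password you are prompted for; the router
!    does not store it and the CA needs it to revoke this certificate.
R1(config)# crypto ca enroll MYCA
R1(config)# exit

! 7. Verify that both the CA certificate and R1's own certificate are present,
!    then save so the configuration survives a reload or power loss.
R1# show crypto ca certificates
R1# copy running-config startup-config
```

If the CA is unreachable at step 5 or 6, the failure is almost always one of the earlier steps: a clock that is years off, a missing domain name (so no key pair was generated under the expected name), or a wrong enrollment URL, so check those with the show commands before retrying.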