Cisco IOS based CA (Certificate Authority)
IOS CA is the certificate authority (certificate server) built into Cisco IOS. It is a simple but capable
way to deploy certificates in environments where a PKI is needed, for example to authenticate IPsec peers
with certificates instead of pre-shared keys.
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named subject of the
certificate. This allows others (relying parties) to rely upon signatures or on assertions made with the
private key that corresponds to the certified public key. In this model of trust relationships, a CA is a
trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon
the certificate.
Supported Standards
Cisco supports the following standards with this feature:
• IPSec- IP Security Protocol. IPSec is a framework of open standards that provides data
confidentiality, data integrity, and data authentication between participating peers. IPSec
provides these security services at the IP layer; it uses Internet Key Exchange to handle
negotiation of protocols and algorithms based on local policy, and to generate the encryption
and authentication keys to be used by IPSec. IPSec can be used to protect one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security
gateway and a host.
• Internet Key Exchange (IKE)- A hybrid protocol that implements Oakley and Skeme key
exchanges inside the Internet Security Association Key Management Protocol (ISAKMP)
framework. Although IKE can be used with other protocols, its initial implementation is with the
IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and
negotiates IPSec security associations.
Figure 1 Certificate Authority
• Public-Key Cryptography Standard #7 (PKCS #7)- A standard from RSA Data Security, Inc., used
to encrypt and sign certificate enrollment messages.
• Public-Key Cryptography Standard #10 (PKCS #10)- A standard syntax from RSA Data Security,
Inc. for certificate requests.
• RSA Keys- RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and
Leonard Adleman. RSA keys come in pairs: one public key and one private key.
• X.509v3 certificates- Certificate support that allows the IPSec-protected network to scale by
providing the equivalent of a digital ID card to each device. When two devices wish to
communicate, they exchange digital certificates to prove their identity (thus removing the need
to manually exchange public keys with each peer or to manually specify a shared key at each
peer). These certificates are obtained from a certification authority (CA). X.509 is part of the
X.500 standard of the ITU.
Open source implementations
There exist several open source implementations of certificate authority software. Common to all is that
they provide the necessary services to issue, revoke and manage digital certificates.
Some open source implementations are:
• DogTag
• EJBCA
• gnoMint
• OpenCA
• OpenSSL, an SSL/TLS library that comes with tools allowing its use as a simple certificate
authority
• EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
• r509
• TinyCA, which is a Perl GUI on top of some CPAN modules.
• XCA
• Automated Certificate Management Environment (ACME), the protocol originally developed by
Let's Encrypt for communication between its certificate authority and servers (now standardized
as RFC 8555). ACME is a protocol rather than a CA implementation; Let's Encrypt also provided
node-acme, a Node.js implementation of ACME, and lets-encrypt-preview, a Python-based test
implementation of server certificate management software using the ACME protocol.
Using a Third-Party SSL Certificate
To help you understand the process of installing a third-party SSL certificate, the steps taken by you,
HostGator and the certificate issuer are outlined below. If you are a more visual person, the flow chart
(Figure 2) may help.
1. Fill out the Certificate Signing Request (CSR) form.
(Note: all information on the CSR page MUST match the WHOIS information for that domain;
otherwise the SSL certificate will not be issued.)
2. HostGator will email you the CSR and the RSA private key that you will need for the following steps.
Keep this e-mail; without the information it contains, the following steps cannot be completed. (A
private key that has travelled by e-mail should be treated as exposed; where you have the choice,
generate the key and the CSR yourself on the server and keep the key there.)
3. Purchase your SSL certificate (if you haven't already) and send the certificate issuer the CSR we
sent you in step 2. (The certificate issuer does not need the RSA private key and should never receive
it; only the CSR, which carries the public key, leaves your hands.)
4. The certificate issuer will generate and return an SSL certificate as well as an SSL CA certificate
(trusted authority), sometimes called a "CA Bundle". Both are base64-encoded (PEM) text files, not
encrypted documents; they contain only public information. Typically they are provided via email as
compressed (zipped) attachments.
Figure 2 Flow Chart
5. Now that you have the SSL certificate and the SSL CA certificate, you are ready to fill out the SSL
installation form. When you received the results for your CSR form, we provided you with the
RSA Private Key to submit on the installation form. Once you complete this form, click Submit to
complete your request.
6. Pay the HostGator invoice for installing the SSL Certificate. (Installation is free if you have a
managed Dedicated Server; $10 otherwise.)
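The following is an added example, not code from the page, from Cisco or from HostGator. It uses OpenSSL as a simple CA (one of the open-source options listed above) to walk the third-party certificate procedure end to end: the CA's self-signed certificate (the "CA Bundle"), the subscriber's key and PKCS#10 CSR, the issued certificate, and the two checks worth running before handing a key to an installation form: does the certificate chain to the bundle, and does the private key actually belong to the certificate. Every name, path and DN is made up for the demonstration; only an `openssl` binary (1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example (not from the page, Cisco or HostGator): OpenSSL as a simple CA,
# used to walk the third-party certificate procedure above end to end.
# All names, paths and DNs are invented; only `openssl` (1.1.1+) is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: a DN section (required by `req`) and the extensions
# for a CA certificate and for an end-entity server certificate.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Issuer's side: a self-signed CA certificate. This is the "CA Bundle" that
# relying parties must trust.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/C=IN/L=GR/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Subscriber's side (steps 1-2): a fresh RSA key and a PKCS#10 CSR.
# The private key never leaves this host; only the CSR goes to the issuer.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/C=IN/L=GR/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # The CSR carries a self-signature; check it before sending it on.
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Issuer's side (steps 3-4): sign the CSR with the CA key for 90 days.
# -CAcreateserial keeps a serial counter in $WORK/ca.srl.
issue_cert() {
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 90 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Step 5 checks, before the key is given to an installer or a web server:
# (a) does the certificate chain to the bundle we were given?
cert_chains_to() {    # cert_chains_to <ca-bundle> <cert>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# (b) does the private key belong to this certificate? Comparing digests of
# the SubjectPublicKeyInfo works for RSA and EC keys alike.
key_matches_cert() {  # key_matches_cert <private-key> <cert>
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_ca
make_csr
issue_cert
# A key generated for some other request must NOT validate against this cert.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" >/dev/null 2>&1

cert_chains_to "$WORK/ca.crt" "$WORK/server.crt" && echo "chain: OK"
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key/cert: match"
key_matches_cert "$WORK/other.key" "$WORK/server.crt" || echo "other.key: mismatch (expected)"
```

The two check functions are the part to keep: run `cert_chains_to` against the bundle the issuer sent (not against a bundle you already trust) and `key_matches_cert` against the key you intend to install; a mismatch in either means the installation form will produce a server that either presents an untrusted chain or cannot complete a TLS handshake.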
CA Configuration
(Notes:
1. R2 must be reachable from R3, and both must reach the CA on R1 over HTTP.
2. NTP is running between R1, R2 and R3; certificate validity periods and CRL checks depend on the
routers' clocks agreeing.
3. R1 is assumed to be the ISP router and also hosts the CA.
4. This is a lab configuration. "grant auto" issues a certificate to anyone who can reach the enrollment
URL, so use manual granting, or at least an enrollment password, in production. "ip http server" is
required for SCEP enrollment but should be restricted with "ip http access-class". Use an RSA modulus of
at least 2048 bits and an IKE Diffie-Hellman group of 14 or higher; 1024-bit RSA and group 5 are below
current minimums. The RSA key label must match the certificate server name; otherwise the server
generates its own key pair and the exported backup is not the CA's key.)
Figure 3 Topology
R1
crypto key generate rsa general-keys label ciscopki exportable modulus 2048
crypto key export rsa ciscopki pem url nvram: 3des Cisco123
crypto pki server ciscopki
grant auto
issuer-name CN=cisco.com,L=GR,C=IN
lifetime certificate 90
lifetime ca-certificate 365
lifetime crl 24
database level minimum
database url nvram:
no shutdown
exit
ip http server
R2
crypto pki trustpoint ciscopki
enrollment url http://101.1.1.1:80
! lab setting: revocation is never checked, so a revoked peer certificate is still accepted;
! use "revocation-check crl" in production
revocation-check none
exit
! "authenticate" prompts with the CA certificate fingerprint: compare it with the fingerprint
! shown by "show crypto pki server" on R1 before accepting it
crypto pki authenticate ciscopki
crypto pki enroll ciscopki
crypto isakmp policy 10
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto ipsec transform-set tset esp-sha-hmac esp-aes
exit
ip access-list extended VPN
permit ip host 192.168.1.100 host 192.168.2.100
exit
crypto map CMAP 10 ipsec-isakmp
set transform-set tset
set peer 102.1.1.100
match address VPN
exit
int f0/0
crypto map CMAP
exit
R3
crypto pki trustpoint ciscopki
enrollment url http://101.1.1.1:80
! lab setting, as on R2: revocation is never checked
revocation-check none
exit
! verify the CA fingerprint against "show crypto pki server" on R1 before accepting it
crypto pki authenticate ciscopki
crypto pki enroll ciscopki
crypto isakmp policy 10
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto ipsec transform-set tset esp-sha-hmac esp-aes
exit
ip access-list extended VPN
permit ip host 192.168.2.100 host 192.168.1.100
exit
crypto map CMAP 10 ipsec-isakmp
set transform-set tset
set peer 101.1.1.100
match address VPN
exit
int f0/0
crypto map CMAP
exit
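The IOS configuration above sets three lifetimes on the CA and then tells both peers to skip revocation checking. The following added example (not from the page or from Cisco) uses OpenSSL's `ca` tool as a stand-in for the IOS CA to show what those settings mean to a relying peer: a peer whose certificate has been revoked is still accepted by a `revocation-check none` style check, is rejected once the CRL is consulted, and a CRL that has outlived `lifetime crl 24` makes a strict checker fail closed. r2 and r3 stand in for the two routers; all names and paths are invented, and only an `openssl` binary (1.1.1 or later) and `date +%s` are assumed.

```shell
#!/bin/sh
# Added example, not from the page or from Cisco: an OpenSSL stand-in for the IOS CA above,
# showing what `lifetime certificate 90`, `lifetime crl 24` and `revocation-check` mean to a
# relying peer. r2 and r3 stand in for the two IPsec routers. All names and paths are made up;
# only an `openssl` binary (1.1.1 or later) and `date +%s` are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# `openssl ca` needs a [ca] section plus its bookkeeping files. default_days and
# default_crl_days mirror `lifetime certificate 90` and `lifetime crl 24` on the IOS server.
setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = lab
[lab]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 90
default_crl_days = 1
policy = policy_any
x509_extensions = v3_peer
[policy_any]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_peer]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Self-signed CA certificate, the analogue of `lifetime ca-certificate 365`.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions v3_ca -subj "/C=IN/L=GR/CN=ciscopki" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Enrol a peer: the peer keeps its key and sends a PKCS#10 CSR; the CA signs it for 90 days.
# `-batch` is the OpenSSL equivalent of IOS `grant auto`: every request is honoured.
enroll() {            # enroll <peer-name>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=$1.example.test" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

revoke() {            # revoke <peer-name>
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
}

publish_crl() {       # a 24-hour CRL, as `lifetime crl 24` would produce
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# What `revocation-check none` does: chain validation only, the CRL is never consulted.
peer_accepted_without_crl() {   # <cert>
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# What `revocation-check crl` does: the CRL must be present, unexpired and must not list the
# peer. An optional second argument (unix time) evaluates the check as of a later moment.
peer_accepted_with_crl() {      # <cert> [unix-time]
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
    ${2:+-attime "$2"} "$1" >/dev/null 2>&1
}

setup_ca
enroll r2
enroll r3
revoke r2             # suppose R2's private key was compromised
publish_crl

peer_accepted_without_crl "$WORK/r2.crt" && echo "r2, no CRL check: accepted (bad)"
peer_accepted_with_crl "$WORK/r2.crt" || echo "r2, CRL check: rejected"
peer_accepted_with_crl "$WORK/r3.crt" && echo "r3, CRL check: accepted"
# Two days on, the 24-hour CRL has expired and a strict checker fails closed; this is the case
# that IOS `revocation-check crl none` silently turns into an accept.
peer_accepted_with_crl "$WORK/r3.crt" "$(( $(date +%s) + 172800 ))" || echo "r3, stale CRL: rejected"
```

The last check is the one to think about when choosing `lifetime crl`: a short CRL lifetime limits how long a revoked peer stays usable, but it also means every peer must be able to fetch a fresh CRL from the CA at least that often, or its IKE negotiations with `revocation-check crl` start failing.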
Deleting RSA Keys from Your Router
Router(config)# crypto key zeroize rsa
Deletes all of your router's RSA keys. On the CA router (R1) this also destroys the CA's own signing key,
which is why that key was generated exportable and backed up with crypto key export above; without
the backup the CA can sign no further certificates or CRLs.
Deleting Certificates from the Configuration
R1# show crypto ca certificates
R1(config)# crypto ca certificate chain name
R1(config-cert-cha)# no certificate certificate-serial-number
To delete the CA's certificate, you must remove the entire CA identity, which also removes all
certificates associated with the CA: your router's certificate, the CA certificate, and any RA certificates.
To remove a CA identity, use the following command in global configuration mode:
R1(config)# no crypto ca identity name
(The "crypto ca" keyword is the older form; current IOS releases use "crypto pki", so the equivalents are
"crypto pki certificate chain name" and "no crypto pki trustpoint name".)
Viewing Keys and Certificates
Displays your router's RSA public keys.
R1# show crypto key mypubkey rsa
Displays a list of all the RSA public keys stored on your router. These include the public keys of peers
who have sent your router their certificates during peer authentication for IPSec.
R1# show crypto key pubkey-chain rsa
Displays details of a particular RSA public key stored on your router.
R1# show crypto key pubkey-chain rsa [name key-name | address key-address]
Displays information about your certificate, the CA's certificate, and any RA certificates.
R1# show crypto ca certificates
Displays the CA roots configured in the router.
R1# show crypto ca roots
(Note: This command is only meaningful when multiple CAs are configured on the router.)