Cisco - IOS Certificate Authority Server & IOS Client SCEP enrolment

Captions
This video is going to configure the internet ISP router as an IOS certificate authority. We will configure a loopback of 1.1.1.1, an IOS HTTP server and a crypto PKI trustpoint. This will be acting as a certificate authority for signing certificates that we request from the VPN head end and the spokes. On the routers we'll need to generate crypto keys and then use Simple Certificate Enrollment Protocol to request a certificate from the CA. In this example we'll be using R1, 2 and 3 as the SCEP clients requesting a certificate from the ISP router that's got the IP of 1.1.1.1. Each router will then have a trusted certificate, and each router has a directly connected route and a default route to the ISP, so therefore it'll have the required route to request the certificate. So this example is acting like GoDaddy or some sort of internet-facing certificate authority that you would request certificates from and that would manage your certificate PKI for you, whereas an alternate solution would be to have a private certificate authority, possibly behind your VPN head end, that you could then issue certificates to your hub and all your spokes from before you establish your VPN topology. This sort of certificate authority could be like an IIS Windows Server certificate authority, or a Linux version could be Dogtag.

So we'll now move to configuring the certificate authority and SCEP enrollment. First, on the ISP router, the certificate authority, we will do crypto key generate rsa. We'll go super paranoid with modulus 4096, then we'll label it isp.cyprotect.co.uk, and then make them exportable. So on the SCEP client we'll do crypto key generate rsa modulus 4096 again, and then we'll also do exportable. So on the ISP we'll be able to view the key that we've just generated by doing a show crypto key mypubkey rsa, and then we can see the key that's labelled isp.cyprotect.co.uk, which is actually the default label, so it would have been done this way without the label. I'll quickly label the other side though, just for commonality between them, because I think I've got capital R1 for the hostname on this side. So again we'll do show crypto key mypubkey rsa (oh sorry, I've put the run in there, let me re-run it; I've done that twice now), so do show crypto key mypubkey rsa, and then we've got a key name, so that's my default one from earlier, and I've got a lowercase one. I'll just quickly do this uppercase, sorry, so now they're both the same like the ISP.

So now we have a key pair, we'll configure the certificate server. First things first we'll set ntp master on the ISP so then it thinks it's the authoritative timing source. Then we'll go crypto pki trustpoint ca, and then we'll use the rsakeypair, so the isp.cyprotect.co.uk one we generated earlier, then exit. Then interface loopback 1, and we'll give that an IP address of 1.1.1.1 on a /32. We'll configure the HTTP server, so ip http server, and then we should be able to go straight to the PKI services: crypto pki server, we'll call this ca, and then we'll do issuer-name CN=isp and O=cyprotect.co.uk. Then we'll do grant auto to automatically issue certificates, and we'll do hash sha512, and then we just need to no shut this. So then we need to create a password: cisco... no, cisco, cisco, it needs to be seven characters or more, so it will be cisco1234. Oh, I also need to do clock calendar-valid and then try again, so I'll just quickly go back to the CA: crypto pki server ca, no shutdown. There we go, the server has been enabled. So we now have an active certificate authority on this router, and we can confirm this with the command show crypto pki server, and here we confirm the settings we have set in the PKI server and the PKI trustpoint.

So next we need to enroll the SCEP client to this server and get our R1 a trusted certificate. So we'll go straight in with crypto pki trustpoint, and we'll do isp. So we'll go enrollment url, and then http://, and then the loopback of the CA, so 1.1.1.1 on port 80. fqdn will be R1.cyprotect.co.uk, capital R1. And then ip-address: I'll do show ip interface brief quickly, so the IP address, this will be 11002, ip-address, sorry, 11002. subject-name will be CN=R1 and O=cyprotect.co.uk, and then revocation-check will be none because we're not publishing the CRL, and then we'll do rsakeypair, which will be the one we've previously created, and then hash, I believe that was sha512 we put on the CA, yeah, sha512. And then we can just do the show command in here and view the config we just set. So next we can do crypto pki authenticate, and that'll be the CA, isp, then we'll just go yes to accept the CA certificate, and then we'll do crypto pki enroll, and again it'll be isp, and we're prompted with a password, so cisco1234, cisco1234, and then yes, we'll include the serial number, and then yes, request the certificate from the CA. Then we can do a show crypto pki certificates and that will show us the certificate that's now on this router, and we should be able to see that I've got a certificate here that's been issued by the CA, so isp.cyprotect.co.uk, and the host is R1.cyprotect.co.uk, and then we have our CA certificate as part of the chain below that, which is the isp at cyprotect.co.uk. Then we do the same on the CA router, so we can confirm the CA certificate is the one we've got on the hub, and again we can see here the top CA certificate, and the issuer is the ISP CA itself.

So next let's go to R2 and R3. We'll generate the crypto keys and enroll them to the certificate authority as well, and after that, in the next video, we'll use the DMVPN topology we've got and do RSA signature authentication. So crypto pki generate keys... crypto key, sorry, generate rsa modulus 4096, and then we'll just label it. We don't actually need to specify exportable keys because we're not exporting from the router. So again we'll log into R3 and do the same, crypto key generate rsa modulus 4096 label. Cool, that's done then. So again, as per R1, we've got the commands here so we can literally do crypto pki trustpoint isp; we can almost copy these. So enrollment url, with that one being http://1.1.1.1:80, and then fqdn will be R3.cyprotect.co.uk, and then the ip-address, this one will be 3302, and again subject-name will be R3 and cyprotect.co.uk, revocation-check will be none, and then the rsakeypair, the one we just labelled, hash sha512, and we can just enroll this straight away: go to the enroll if you want, and do cisco1234, cisco1234. So we don't actually have to authenticate: if we do the enroll it'll do both anyway. And that should be R3 with the keys. We'll do the same on R2, so again crypto pki trustpoint isp, and we'll just cruise through this without speaking. Now the trustpoint is defined, we'll do the authenticate, yes, and then we'll do the enroll. So lastly we can also do a show run and view the keys in the running config in hex format, so we can see the PKI certificate chain there and the CA there. And that's a really simple configuration of an IOS CA and SCEP enrollment. At some point we'll do a PKI trust and spawn a CA as well, but for now we'll just move on to the DMVPN RSA authentication.
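The following is an added, consolidated configuration listing for the procedure narrated in the captions above. It is not a config export from the video or from RL Network Security; it is reconstructed from the transcript, so the hostnames, the domain cyprotect.co.uk, the CA loopback 1.1.1.1, the trustpoint names and the hash are taken as heard, while the client ip-address value, the ip domain-name lines and the lifetime values are assumptions added for completeness. Commands marked as exec mode are typed at the privileged prompt, not in configuration mode.

```ios
! ===== ISP router: IOS certificate authority =====
! Assumed: the router's domain name (needed for key generation / FQDN).
hostname ISP
ip domain-name cyprotect.co.uk
!
! The CA needs a trustworthy clock before "no shutdown" will succeed.
ntp master
clock calendar-valid
!
! exec mode (not config): CA key pair, 4096-bit, labelled, exportable
! so the CA key can be backed up off-box.
crypto key generate rsa modulus 4096 label isp.cyprotect.co.uk exportable
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
! SCEP is carried over HTTP; the IOS CA answers on the HTTP server.
! Caveat: this listens on every interface, not only the loopback.
ip http server
!
! The server's trustpoint must carry the same name as the server
! and points the server at the key pair generated above.
crypto pki trustpoint ca
 rsakeypair isp.cyprotect.co.uk
!
crypto pki server ca
 issuer-name CN=isp,O=cyprotect.co.uk
 hash sha512
 ! grant auto signs every SCEP request that reaches the server.
 ! Lab-only: for anything real use the default (grant none) and
 ! approve requests by hand with "crypto pki server ca grant <id>".
 grant auto
 ! Assumed lifetimes (days); not stated in the video.
 lifetime certificate 365
 lifetime ca-certificate 1825
 ! Prompts for a passphrase of at least 7 characters that protects
 ! the CA private key; the video uses cisco1234.
 no shutdown
!
! ===== R1: SCEP client (R2 and R3 are identical apart from names/addresses) =====
hostname R1
ip domain-name cyprotect.co.uk
!
! exec mode: client key pair. "exportable" is not needed here because
! the key never leaves the router.
crypto key generate rsa modulus 4096 label R1.cyprotect.co.uk
!
crypto pki trustpoint isp
 enrollment url http://1.1.1.1:80
 fqdn R1.cyprotect.co.uk
 ! Assumed address: the video reads it from "show ip interface brief".
 ip-address 10.1.1.2
 subject-name CN=R1,O=cyprotect.co.uk
 ! No CRL is published by this CA, so revocation checking is disabled.
 ! Caveat: a compromised spoke certificate cannot be revoked in
 ! practice until a CDP/OCSP source is configured and checked.
 revocation-check none
 rsakeypair R1.cyprotect.co.uk
 hash sha512
!
! exec mode: fetch and accept the CA certificate (compare the displayed
! fingerprint against "show crypto pki certificates" on the ISP router
! before answering yes), then request the identity certificate.
crypto pki authenticate isp
crypto pki enroll isp
!
! exec mode: verification on either box.
show crypto pki server
show crypto pki trustpoints
show crypto pki certificates
show crypto key mypubkey rsa
```

When checking the result, "show crypto pki certificates" on R1 should list the router certificate with Issuer CN=isp,O=cyprotect.co.uk and Subject CN=R1,O=cyprotect.co.uk, followed by the CA certificate whose issuer and subject are both the ISP CA. Because grant auto is set, "crypto pki enroll" alone is sufficient on R2 and R3; it fetches the CA certificate if the trustpoint has not been authenticated yet, exactly as the captions describe, but the fingerprint comparison step is then skipped, which is the reason to authenticate explicitly outside a lab.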
Info
Channel: RL Network Security
Views: 1,165
Id: 64kUJB5SwUA
Length: 14min 53sec (893 seconds)
Published: Tue Oct 27 2020