Sunday, January 5, 2014

Basic certificate usage on a Cisco IOS web server - Part 1



Using a Public Key Infrastructure (PKI) on Cisco routers is something I rarely encounter in the field. The only PKI usage I've seen is the absolute necessity on DMZ servers (i.e. NetScaler, Citrix AG, TMG, etc.). It is used more and more frequently in private organizations, mainly for wireless and in some cases Microsoft DirectAccess.

In this entry, I will do a very basic certificate use case on two Cisco routers.

For this example, we will use the Cisco IOS secure HTTP server. Enabling the IOS secure HTTP server without any further configuration automatically generates an RSA key pair and a self-signed certificate:

R2(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Mar  1 00:00:43.647: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar  1 00:00:43.787: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate

The running configuration (show run) now contains the following:

crypto pki trustpoint TP-self-signed-4279256517
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4279256517
 revocation-check none
 rsakeypair TP-self-signed-4279256517
!
!
crypto pki certificate chain TP-self-signed-4279256517
 certificate self-signed 01
  3082023A <output omitted for clarity>
        quit

More information about the self-signed certificate is displayed with the following show commands:

show crypto pki certificates verbose

Router Self-Signed Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 0x1
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-4279256517
  Subject:
    Name: IOS-Self-Signed-Certificate-4279256517
    cn=IOS-Self-Signed-Certificate-4279256517
  Validity Date:
    start date: 00:00:43 UTC Mar 1 2002
    end   date: 00:00:00 UTC Jan 1 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 591700B0 1D5D98A5 AF9C18DD C3595BAB
  Fingerprint SHA1: AD09EEAB A9F6A921 F2CBFC00 4797268F 697CE734
  X509v3 extensions:
    X509v3 Subject Key ID: E3DA9D5B 909C9FFA 6831BE80 F01FCCD6 32D60E10
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Subject Alternative Name:
        R2
    X509v3 Authority Key ID: E3DA9D5B 909C9FFA 6831BE80 F01FCCD6 32D60E10
    Authority Info Access:
  Associated Trustpoints: TP-self-signed-4279256517

show crypto key mypubkey rsa

% Key pair was generated at: 00:00:43 UTC Mar 1 2002
Key name: TP-self-signed-4279256517
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A755F1
  BBC33C21 C6784EF2 842876E5 A938574C 325FF0D8 F2421350 FCFB597B B1BB5138
  2E56FDAC D55B467C 3507545A 482A5DCD 70DC580F 7F03BA70 ADF750BF 605EC370
  DF277E4A F39732B7 9DC6A001 E32541CD 6681B230 7E286450 D0CE9FFF 8038A582
  6E47C2D9 9330A0E1 2712840D 85645F36 69036FE7 0DFE6997 FB0D8F61 0F020301 0001
% Key pair was generated at: 00:00:44 UTC Mar 1 2002
Key name: TP-self-signed-4279256517.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AF71B8 4ADF80AA
  5E542982 7C086554 14FD5E4D F6BDCA14 4E5C5491 3CA562B6 B75E83FA 9EFD5CE8
  9CF2AAC5 4338AF70 93852486 52E9A4C1 1B097714 58BFC098 2FCDA1E3 929002BC
  2281F739 69EFF9B0 FFF5E17D 1F10B908 40396FAF 18563D0D 59020301 0001


Opening the IOS web page in a Firefox browser will show the following:


As a side note, Firefox serves as a great troubleshooting tool, as it generates verbose information about your certificate. In this case, it shows two problems with this certificate:
a) It is self-signed
b) Its signature algorithm (MD5 with RSA) is disabled in this browser (and, most likely, all other browsers)
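The two complaints Firefox raises can also be checked from the router's own show output. The following Python script is an added example, not part of the original post: it parses the show crypto pki certificates verbose output quoted earlier (embedded here as a constructed sample) and flags a self-signed issuer, a weak signature hash, a short RSA key and an expired validity period.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "show crypto pki certificates verbose" output
# from this post, trimmed to the fields the audit needs.
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Issuer:
    cn=IOS-Self-Signed-Certificate-4279256517
  Subject:
    Name: IOS-Self-Signed-Certificate-4279256517
    cn=IOS-Self-Signed-Certificate-4279256517
  Validity Date:
    start date: 00:00:43 UTC Mar 1 2002
    end   date: 00:00:00 UTC Jan 1 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Associated Trustpoints: TP-self-signed-4279256517
"""

WEAK_HASHES = ("MD5", "SHA1")  # hashes browsers reject or deprecate

def parse_cert(text):
    """Extract issuer, subject, signature algorithm, key size and expiry."""
    cert, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s in ("Issuer:", "Subject:"):
            section = s[:-1].lower()          # next cn= line belongs here
        elif section and s.startswith("cn="):
            cert[section], section = s[3:], None
        elif s.startswith("Signature Algorithm:"):
            cert["sig_alg"] = s.split(":", 1)[1].strip()
        elif m := re.match(r"RSA Public Key: \((\d+) bit\)", s):
            cert["key_bits"] = int(m.group(1))
        elif m := re.match(r"end\s+date: (.+)", s):
            cert["not_after"] = datetime.strptime(
                m.group(1), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
    return cert

def audit(cert, now=None):
    """Return a list of findings; empty means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: issuer and subject are identical")
    if any(h in cert.get("sig_alg", "").upper() for h in WEAK_HASHES):
        findings.append("weak signature algorithm: " + cert["sig_alg"])
    if cert.get("key_bits", 0) < 2048:
        findings.append("RSA key too short: %d bit" % cert["key_bits"])
    if "not_after" in cert and cert["not_after"] < now:
        findings.append("expired on " + cert["not_after"].strftime("%Y-%m-%d"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_cert(SAMPLE_OUTPUT)):
        print("WARN:", finding)
```

The same parser can be fed the output of the real command over an SSH session; only the sample input is constructed.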

If you've clicked through the warning, viewing the certificate details again shows verbose information:

The router output (Signature Algorithm: MD5 with RSA Encryption) matches the detailed output shown by Firefox:

In the next part, we will address these two issues with self-signed certificates.
