Wednesday, December 2, 2015

Public key Infrastructure (PKI)


PKI: Public Key Infrastructure
Plugging an ASA into a PKI takes three steps: NTP, authenticate, enroll.

The ASA needs to get an identity certificate from a CA.
The ASA can also generate a permanent self-signed certificate, but that certificate would have to be installed on every user PC that wants to connect to the ASA, which does not scale. If we don't want clients to see certificate error messages while connecting to the ASA, the ASA needs an identity certificate issued by a CA that the clients already trust.

We can make a router the CA.
Config:
crypto pki server My-CA-Server
 database url nvram:
 database level minimum
 issuer-name CN=MY_CA.cisco.com L=NV C=US
 cdp-url http://192.168.1.172/CA_Server.crl
 grant auto
 no shutdown
Note that grant auto issues a certificate to every enrollment request without an administrator approving it, which suits a lab more than production.

The CA and the ASA should agree on time, i.e. their clocks must be synchronized.
Configure NTP, then authenticate the CA; this is required to get the root certificate from the CA. Once we have the root certificate we can enroll to get the identity certificate.

Why do we need the CA root certificate?
To get the public key of the CA, which all clients need too: every client that trusts the CA holds the CA's public key.
Once we have the root certificate, the next step is to enroll. Enrolling means submitting a request for the ASA's own identity certificate, to be issued by the CA.
To enroll, the ASA sends its own public key and other details to the CA, and the CA returns an identity certificate.
So finally the ASA holds two certificates:
the root certificate, obtained by authenticating the CA, and
the identity certificate of the ASA itself.

To get the root CA certificate we can install it from a file, or use the SCEP protocol against an enrollment URL.
Config to download the root CA certificate:
crypto ca trustpoint MY-CA-1
 revocation-check none
 enrollment url http://192.168.1.172:80
crypto ca authenticate MY-CA-1
Note that revocation-check none skips CRL lookups entirely, even though the CA above publishes a CRL at its cdp-url.

Config to download the identity certificate (the key pair referenced by keypair must exist before the trustpoint is enrolled):
crypto key generate rsa label New-Pair-for-Cert modulus 2048
crypto ca trustpoint MY-IDENTITY-Cert
 keypair New-Pair-for-Cert
 id-usage ssl-ipsec
 no fqdn
 ip-address 192.168.1.171
 subject-name CN=ASA1
 enrollment url http://192.168.1.172:80
crypto ca enroll MY-IDENTITY-Cert noconfirm

When a client connects to the ASA, the ASA sends its identity certificate to the client. The client checks whether it was issued by the CA they both trust. If the client trusts that CA and everything matches, it does not complain, and the client can be sure it is connecting to the ASA it intended to reach.
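As an added example (not from the post and not Cisco code), here are the two certificates described above and the client-side check, built with Go's standard library: a stand-in CA self-signs a root for MY_CA.cisco.com, issues an identity certificate for CN=ASA1 at 192.168.1.171 from the ASA's public key, and a client verifies it. ECDSA keys, a 24-hour validity window and the function names are constructed choices; the failing cases (no root cert installed, skewed clock) are the two problems the post solves with the root cert install and NTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// check aborts on setup errors; key generation and signing with crypto/rand do not fail in practice.
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue signs tmpl over pub with the issuer's private key, valid 24h around now (constructed), and parses the result.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey, now time.Time) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = now.Add(-time.Hour), now.Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}
// BuildChain stands in for the IOS CA server plus SCEP enrollment, using the post's names (constructed here):
// a self-signed root for MY_CA.cisco.com and an identity cert for CN=ASA1 at 192.168.1.171 signed by the CA key.
func BuildChain(now time.Time) (root, identity *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	asaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the ASA's own key pair; only the public half goes to the CA
	check(err)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "MY_CA.cisco.com", Locality: []string{"NV"}, Country: []string{"US"}}}
	root = issue(ca, ca, &caKey.PublicKey, caKey, now) // self-signed: the root cert every client must install
	identity = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ASA1"},
		IPAddresses: []net.IP{net.ParseIP("192.168.1.171")}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, &asaKey.PublicKey, caKey, now)
	return root, identity
}
// ClientVerify is the check a VPN client runs on connect: the identity cert must chain to a root in the client's
// trust store (pass an empty pool, not nil, for a PC without the root cert), name the address dialed, and be valid at the client's clock.
func ClientVerify(identity *x509.Certificate, trusted *x509.CertPool, addr string, clock time.Time) error {
	_, err := identity.Verify(x509.VerifyOptions{Roots: trusted, DNSName: addr, CurrentTime: clock})
	return err
}
```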