Public Key Infrastructure Configuration Guide
Total Page:16
File Type:pdf, Size:1020Kb
Public Key Infrastructure Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http:// www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2017 Cisco Systems, Inc. All rights reserved. CONTENTS CHAPTER 1 Read Me First 1 CHAPTER 2 Cisco IOS XE PKI Overview Understanding and Planning a PKI 3 Finding Feature Information 3 Information About Cisco IOS XE PKI 3 What Is Cisco IOS XE PKI 3 RSA Keys Overview 4 What Are CAs 5 Hierarchical PKI Multiple CAs 5 When to Use Multiple CAs 6 Certificate Enrollment How It Works 6 Certificate Enrollment Via Secure Device Provisioning 7 Certificate Revocation Why It Occurs 7 Planning for a PKI 7 Where to Go Next 8 Additional References for Understanding and Planning a PKI 8 Glossary 9 CHAPTER 3 Deploying RSA Keys Within a PKI 11 Finding Feature Information 11 Prerequisites for Configuring RSA Keys for a PKI 12 Information About RSA Keys Configuration 12 RSA Keys Overview 12 Usage RSA Keys Versus General-Purpose RSA Keys 12 How RSA Key Pairs are Associated with a Trustpoint 13 Reasons to Store Multiple RSA Keys on a Router 13 Benefits of Exportable RSA Keys 13 Passphrase Protection While Importing and Exporting RSA Keys 14 Public Key Infrastructure Configuration Guide iii Contents How to Set Up and Deploy RSA Keys Within a PKI 14 Generating an RSA Key Pair 14 What to Do Next 15 Managing RSA Key Pairs and Trustpoint Certificates 16 Exporting and Importing RSA Keys 19 Exporting and Importing RSA Keys in PKCS12 Files 19 Exporting and Importing RSA Keys in PEM-Formatted Files 21 Encrypting and Locking Private Keys on a Router 24 Removing RSA Key Pair Settings 26 Configuration Examples for RSA Key Pair Deployment 28 Generating and Specifying RSA Keys Example 28 Exporting and Importing RSA Keys Examples 28 Exporting and Importing RSA Keys in PKCS12 Files Example 28 Exporting and Importing and RSA Keys in PEM Files Example 29 Exporting Router RSA Key Pairs and Certificates from PEM Files Example 30 Importing Router RSA Key Pairs and Certificate from PEM Files Example 31 Encrypting and Locking Private Keys on a Router Examples 31 Configuring and Verifying an Encrypted Key Example 31 Configuring and Verifying a Locked Key Example 32 Where to Go Next 32 Additional References 32 Feature Information for RSA Keys Within a PKI 33 CHAPTER 4 Configuring Authorization and Revocation of Certificates in a PKI 37 Finding Feature Information 37 Prerequisites for Authorization and Revocation of Certificates 38 Restrictions for Authorization and Revocation of Certificates 38 Information About Authorization and Revocation of Certificates 39 PKI Authorization 39 PKI and AAA Server Integration for Certificate Status 39 RADIUS or TACACS+ Choosing a AAA Server Protocol 39 Attribute-Value Pairs for PKI and AAA Server Integration 40 CRLs or OCSP Server Choosing a Certificate Revocation Mechanism 41 What Is a CRL 41 Querying All CDPs During Revocation Check 42 Public Key Infrastructure Configuration Guide iv Contents What Is OCSP 42 When to Use an OCSP Server 43 When to Use Certificate-Based ACLs for Authorization or Revocation 43 Ignore Revocation Checks Using a Certificate-Based ACL 44 PKI Certificate Chain Validation 45 How to Configure Authorization and Revocation of Certificates for Your PKI 46 Configuring PKI Integration with a AAA Server 46 Troubleshooting Tips 49 Configuring a Revocation Mechanism for PKI Certificate Status Checking 50 The revocation-check Command 50 Nonces and Peer Communications with OCSP Servers 50 Configuring Certificate Authorization and Revocation Settings 53 Configuring Certificate-Based ACLs to Ignore Revocation Checks 53 Manually Overriding CDPs in a Certificate 54 Manually Overriding the OCSP Server Setting in a Certificate 54 Configuring CRL Cache Control 54 Configuring Certificate Serial Number Session Control 54 Troubleshooting Tips 60 Configuring Certificate Chain Validation 61 Configuration Examples for Setting Up Authorization and Revocation of Certificates 62 Configuring and Verifying PKI AAA Authorization Examples 62 Router Configuration Example 62 Debug of a Successful PKI AAA Authorization Example 64 Debugs of a Failed PKI AAA Authorization Example 65 Configuring a Revocation Mechanism Examples 66 Configuring an OCSP Server Example 66 Specifying a CRL and Then an OCSP Server Example 66 Specifying an OCSP Server Example 66 Disabling Nonces in Communications with the OCSP Server Example 67 Configuring a Hub Router at a Central Site for Certificate Revocation Checks Example 67 Configuring Certificate Authorization and Revocation Settings Examples 70 Configuring CRL Cache Control 71 Configuring Certificate Serial Number Session Control 72 Configuring Certificate Chain Validation Examples 73 Configuring Certificate Chain Validation from Peer to Root CA 73 Public Key Infrastructure Configuration Guide v Contents Configuring Certificate Chain Validation from Peer to Subordinate CA 73 Configuring Certificate Chain Validation Through a Gap 74 Additional References 74 Feature Information for Certificate Authorization and Revocation 75 CHAPTER 5 Configuring Certificate Enrollment for a PKI 81 Finding Feature Information 81 Prerequisites for PKI Certificate Enrollment 82 Information About Certificate Enrollment for a PKI 82 What Are CAs 82 Framework for Multiple CAs 82 Authentication of the CA 83 Supported Certificate Enrollment Methods 83 Cisco IOS Suite-B Support for Certificate Enrollment for a PKI 84 Registration Authorities 85 Automatic Certificate Enrollment 85 Certificate Enrollment Profiles 86 How to Configure Certificate Enrollment for a PKI 86 Configuring Certificate Enrollment or Autoenrollment 86 Configuring Manual Certificate Enrollment 92 PEM-Formatted Files for Certificate Enrollment Request 92 Restrictions for Manual Certificate Enrollment 92 Configuring Cut-and-Paste Certificate Enrollment 92 Configuring TFTP Certificate Enrollment 95 Certifying a URL Link for Secure Communication with a Trend Micro Server 98 Configuring a Persistent Self-Signed Certificate for Enrollment via SSL 103 Persistent Self-Signed Certificates Overview 103 Restrictions 104 Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters 104 Enabling the HTTPS Server 106 Configuring a Certificate Enrollment Profile for Enrollment or Reenrollment 107 What to Do Next 111 Configuration Examples for PKI Certificate Enrollment Requests 111 Configuring Certificate Enrollment or Autoenrollment Example 111 Configuring Autoenrollment Example 112 Public Key Infrastructure Configuration Guide vi Contents Configuring Certificate Autoenrollment with Key Regeneration Example 112 Configuring Cut-and-Paste Certificate Enrollment Example 113 Configuring Manual Certificate Enrollment with Key Regeneration Example 115 Creating and Verifying a Persistent Self-Signed Certificate Example 116 Enabling the HTTPS Server Example 116 Verifying the Self-Signed Certificate Configuration Example 117 Configuring Direct HTTP Enrollment Example 118 Additional References 118 Feature Information for PKI Certificate Enrollment 120 CHAPTER