Home > Articles > Security > Network Security

PKI Processes and Procedures

  • Print
  • + Share This
Several processes need to occur in a PKI network for a deployment to function smoothly. To address these processes, this chapter covers enrollment, Certificate Expiration and Renewal, Certificate Verification and Enforcement, and PKI Resiliency.
This chapter is from the book

Understanding the basics of cryptography and the building blocks of public key infrastructures provides a foundation for exploring the core processes and practical application of PKI. These processes govern how to get a certificate, how to keep a certificate that is current, how to revoke a certificate, and how to keep a PKI up and running if an outage occurs.

Enrollment

Enrollment is the process to obtain a certificate. The two process of enrollment are manual enrollment and a network SCEP-based enrollment. Network-based SCEP is discussed later in this chapter. Simple Certificate Enrollment Protocol (SCEP) is an IETF draft, draft-nourse-scep-20. Whereas both processes follow the same principles, the procedure for implementation varies. The common events for both scenarios are as follows:

  • An end host generates an RSA (Rivest, Shamir and Adleman) key pair.
  • A certificate request containing the end host's public key is delivered to a certificate authority (CA).
  • The CA signs the request with the CA's private key and generates the end host's certificate.
  • The certificate is delivered back to the end host.

Manual Enrollment

Sometimes a network connection may not be possible or secure between an endpoint and a certificate server. In this situation a non-network-based approach might be preferred. This approach requires an administrator to manually copy and paste a certificate into the local router.

Manual copy-and-paste enrollment has several steps. The high-level steps are presented here, followed by a detailed example. Example 3-1 through Example 3-6, which illustrates the execution of the following steps:

  1. The spoke is configured to use terminal enrollment.
  2. The certificate authority exports its certificate to the screen.
  3. The spoke authenticates the certificate authority certificate and verifies the fingerprint.
  4. The spoke makes an enrollment request.
  5. The certificate authority grants the request.
  6. The spoke certificate is pasted into the terminal.
  • Step 1. Configure the spoke to use terminal enrollment, as illustrated in Example 3-1.

    Example 3-1. Configure Spoke to Use Terminal Enrollment

    r35-4-1023(config)# crypto pki trustpoint ra
    r35-4-1023(ca-trustpoint)# enrollment terminal
          
  • Step 2. The certificate authority exports its certificate to the screen, as shown in Example 3-2.

    Example 3-2. CA Exports Certificate

    Device: SUB-CA
    
    S-3845-ra-subca(config)# crypto pki export ra-subca pem terminal
    % CA certificate:
    -----BEGIN CERTIFICATE-----
    MIICMDCCAZmgAwIBAgIBCDANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdyb290
    LWNhMB4XDTA5MDEyODE2MjExOVoXDTExMDEyODE2MjExOVowEzERMA8GA1UEAxMI
    cmEtc3ViY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPoXSGDFGRqPiVQt
    cRscN6uGG+nY1exDTzY18AUaP83laS6ylbHek1P9nzwKNZysO9Ya8+ObhG9SEHCh
    XUJd4Y2DovwWnxzFEhqvWI7hVP8vkWmRFZx7EooiWlW/lTxgqrnjdg4/N9OTej0E
    pmExbQfL3TN+ZAckHrVbWl8w7OH7AgMBAAGjgZQwgZEwMQYDVR0fBCowKDAmoCSg
    IoYgaHR0cDovLzE3Mi4yNi4xODUuOTkvcm9vdC1jYS5jcmwwDwYDVR0TAQH/BAUw
    AwEB/zALBgNVHQ8EBAMCB4AwHwYDVR0jBBgwFoAUDkMCSiWkFtEXEC4a0UrEnEV/
    QdAwHQYDVR0OBBYEFOOEC8szKHCxiv4yrUtP+fgFjhTtMA0GCSqGSIb3DQEBBAUA
    A4GBAF1IN0RnKRKmj2SwrygZcYdgmMPkzaXFW+9c7xEq8UWO25bG3MqKLEwEURgU
    DcZ1jMgJeciGiQMO6N0kpWwYwVI1w0dJZ5Ab2Nby9ew892viw/vFWjeTdJvTkrd7
    KjLtRgnnslm26gsFhA1X9uvKpXfFsDp4kLnMxZxRIPQUc8m7
    -----END CERTIFICATE-----
  • Step 3. The spoke authenticates the CA certificate and verifies the fingerprint, as shown in Example 3-3.

    Example 3-3. Authentication of CA Certificate and Verification of Fingerprint

    Device: SPOKE
    
    r35-4-1023(config)# crypto pki authenticate ra
    
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    
    -----BEGIN CERTIFICATE-----
    MIICMDCCAZmgAwIBAgIBCDANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdyb290
    LWNhMB4XDTA5MDEyODE2MjExOVoXDTExMDEyODE2MjExOVowEzERMA8GA1UEAxMI
    cmEtc3ViY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPoXSGDFGRqPiVQt
    cRscN6uGG+nY1exDTzY18AUaP83laS6ylbHek1P9nzwKNZysO9Ya8+ObhG9SEHCh
    XUJd4Y2DovwWnxzFEhqvWI7hVP8vkWmRFZx7EooiWlW/lTxgqrnjdg4/N9OTej0E
    pmExbQfL3TN+ZAckHrVbWl8w7OH7AgMBAAGjgZQwgZEwMQYDVR0fBCowKDAmoCSg
    IoYgaHR0cDovLzE3Mi4yNi4xODUuOTkvcm9vdC1jYS5jcmwwDwYDVR0TAQH/BAUw
    AwEB/zALBgNVHQ8EBAMCB4AwHwYDVR0jBBgwFoAUDkMCSiWkFtEXEC4a0UrEnEV/
    QdAwHQYDVR0OBBYEFOOEC8szKHCxiv4yrUtP+fgFjhTtMA0GCSqGSIb3DQEBBAUA
    A4GBAF1IN0RnKRKmj2SwrygZcYdgmMPkzaXFW+9c7xEq8UWO25bG3MqKLEwEURgU
    DcZ1jMgJeciGiQMO6N0kpWwYwVI1w0dJZ5Ab2Nby9ew892viw/vFWjeTdJvTkrd7
    KjLtRgnnslm26gsFhA1X9uvKpXfFsDp4kLnMxZxRIPQUc8m7
    -----END CERTIFICATE-----
    
    Trustpoint 'ra' is a subordinate CA and holds a non self signed cert
    Certificate has the following attributes:
           Fingerprint MD5: ECE8BE9E 9C5179A5 ABD983A2 6E5F5DE8
          Fingerprint SHA1: 0A86F03E 077E587B 2DB4644A 5BA55F0F FC57D2EF
    
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
    
    Device: SUB-CA verify fingerprint
    S-3845-ra-subca#show crypto pki certificates verbose
    Certificate
      Status: Available
      Version: 3
      Certificate Serial Number (hex): 0D
      Certificate Usage: General Purpose
      Issuer:
        cn=ra-subca
      Subject:
        Name: ra-subca.cisco.com
        IP Address: 192.168.159.243
        Serial Number: FTX1111A468
        serialNumber=FTX1111A468+ipaddress=192.168.159.243+hostname=ra-subca.cisco.com
      CRL Distribution Points:
        http://172.26.185.99/ra-subca.crl
      Validity Date:
        start date: 15:26:27 EST Jul 13 2009
        end   date: 15:26:27 EST Jan 9 2010
        renew date: 15:26:27 EST Dec 4 2009
      Subject Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (512 bit)
      Signature Algorithm: MD5 with RSA Encryption
      Fingerprint MD5: 542CDC69 10C8D510 65DF5E3C 66CEF438
      Fingerprint SHA1: 5C4C6F15 E1F5E184 C4681535 3CC61012 F5D694EC
      X509v3 extensions:
        X509v3 Key Usage: A0000000
          Digital Signature
          Key Encipherment
        X509v3 Subject Key ID: 5A1CBE8B A043B0A3 651D50C7 AFB04761 B92A8862
        X509v3 Authority Key ID: E3840BCB 332870B1 8AFE32AD 4B4FF9F8 058E14ED
        Authority Info Access:
      Associated Trustpoints: ra
      Storage: nvram:ra-subca#D.cer
      Key Label: ra
      Key storage device: private config
    
    CA Certificate (subordinate CA certificate)
      Status: Available
      Version: 3
      Certificate Serial Number (hex): 08
      Certificate Usage: Signature
      Issuer:
        cn=root-ca
      Subject:
        cn=ra-subca
      CRL Distribution Points:
        http://172.26.185.99/root-ca.crl
      Validity Date:
        start date: 12:21:19 EST Jan 28 2009
        end   date: 12:21:19 EST Jan 28 2011
      Subject Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
      Signature Algorithm: MD5 with RSA Encryption
      Fingerprint MD5: ECE8BE9E 9C5179A5 ABD983A2 6E5F5DE8
      Fingerprint SHA1: 0A86F03E 077E587B 2DB4644A 5BA55F0F FC57D2EF
      X509v3 extensions:
        X509v3 Key Usage: 80000000
          Digital Signature
        X509v3 Subject Key ID: E3840BCB 332870B1 8AFE32AD 4B4FF9F8 058E14ED
        X509v3 Basic Constraints:
            CA: TRUE
        X509v3 Authority Key ID: 0E43024A 25A416D1 17102E1A D14AC49C 457F41D0
        Authority Info Access:
      Associated Trustpoints: ra ra-subca
      Storage: nvram:root-ca#8CA.cer
  • Step 4. The spoke makes an enrollment request, as shown in Example 3-4.

    Example 3-4. Spoke Makes Enrollment Request

             Device: SPOKE Generate enrollment request
    
    r35-4-1023(config)# crypto pki enroll ra
    % Start certificate enrollment ..
    
    % The subject name in the certificate will include: r35-4-1023
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: FTX1048A6EJ
    % Include an IP address in the subject name? [no]:
    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBCjCBtQIBADAvMS0wEgYDVQQFEwtGVFgxMDQ4QTZFSjAXBgkqhkiG9w0BCQIW
    CnIzNS00LTEwMjMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxcrafPm39Mmk51I+
    dhnuVtkU9cYPOSHhS694b1taJG42esxtSUV8AwP4TcnQC/omIaIM1k5qIwnPe7FI
    7Vic8QIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJ
    KoZIhvcNAQEEBQADQQBXw6esEMhzh9Jig0M3COwpX/wWMxUYQryYJK+uNDQf/PqH
    n7zzC6Ii3UmfxlJKoK+Dgc6K3X87TVY6JRgMnlos
    -----END CERTIFICATE REQUEST-----
    
    
    Device: SUB-CA paste request generated from spoke
    
    S-3845-ra-subca#crypto pki server ra-subca request pkcs10 terminal pem
    % Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBCjCBtQIBADAvMS0wEgYDVQQFEwtGVFgxMDQ4QTZFSjAXBgkqhkiG9w0BCQIW
    CnIzNS00LTEwMjMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxcrafPm39Mmk51I+
    dhnuVtkU9cYPOSHhS694b1taJG42esxtSUV8AwP4TcnQC/omIaIM1k5qIwnPe7FI
    7Vic8QIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJ
    KoZIhvcNAQEEBQADQQBXw6esEMhzh9Jig0M3COwpX/wWMxUYQryYJK+uNDQf/PqH
    n7zzC6Ii3UmfxlJKoK+Dgc6K3X87TVY6JRgMnlos
    -----END CERTIFICATE REQUEST-----
    
    % Enrollment request pending, reqId=2
  • Step 5. The certificate authority grants the request, as shown in Example 3-5.

    Example 3-5. CA Grants Request

    Device: SUB-CA
    
    S-3845-ra-subca# crypto pki server ra-subca grant 2
    Writing 2.crt !
    Writing 2.cnm !
    Writing ra-subca.ser !
    % Granted certificate:
    -----BEGIN CERTIFICATE-----
    MIIB/DCCAWWgAwIBAgIBAjANBgkqhkiG9w0BAQQFADATMREwDwYDVQQDEwhyYS1z
    dWJjYTAeFw0wOTA3MjkxNTI1MzZaFw0xMDAxMjUxNTI1MzZaMC8xLTASBgNVBAUT
    C0ZUWDEwNDhBNkVKMBcGCSqGSIb3DQEJAhYKcjM1LTQtMTAyMzBcMA0GCSqGSIb3
    DQEBAQUAA0sAMEgCQQDFytp8+bf0yaTnUj52Ge5W2RT1xg85IeFLr3hvW1okbjZ6
    zG1JRXwDA/hNydAL+iYhogzWTmojCc97sUjtWJzxAgMBAAGjgYcwgYQwMgYDVR0f
    BCswKTAnoCWgI4YhaHR0cDovLzE3Mi4yNi4xODUuOTkvcmEtc3ViY2EuY3JsMA4G
    A1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBTjhAvLMyhwsYr+Mq1LT/n4BY4U7TAd
    BgNVHQ4EFgQULA4QQvFQjDDe2ZwgmND9L1MYhJIwDQYJKoZIhvcNAQEEBQADgYEA
    4eyutNSNdNA2uKgqatQGT66Nxx2s6DF4fLPJY7wLMHJv+pXwrmzYzJpKqQrzf0ZL
    WbaVHu6RdRvq35PFSdIm72l/whuATZSEdnHUsEU9GnGDjpvJCmAw73IAa8LDnfaZ
    3N2NaAxY4CXAsxHWWtD1ea7A7utdS0R29d2aqNkvaXM=
    -----END CERTIFICATE-----
  • Step 6. Paste the spoke certificate into the terminal, as shown in Example 3-6.

    Example 3-6. Spoke Certificate Pasted into Terminal

             SPOKE import certificate from SUB-CA
    
    r35-4-1023(config)# crypto pki import ra certificate
    
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    
    -----BEGIN CERTIFICATE-----
    MIIB/DCCAWWgAwIBAgIBAjANBgkqhkiG9w0BAQQFADATMREwDwYDVQQDEwhyYS1z
    dWJjYTAeFw0wOTA3MjkxNTI1MzZaFw0xMDAxMjUxNTI1MzZaMC8xLTASBgNVBAUT
    C0ZUWDEwNDhBNkVKMBcGCSqGSIb3DQEJAhYKcjM1LTQtMTAyMzBcMA0GCSqGSIb3
    DQEBAQUAA0sAMEgCQQDFytp8+bf0yaTnUj52Ge5W2RT1xg85IeFLr3hvW1okbjZ6
    zG1JRXwDA/hNydAL+iYhogzWTmojCc97sUjtWJzxAgMBAAGjgYcwgYQwMgYDVR0f
    BCswKTAnoCWgI4YhaHR0cDovLzE3Mi4yNi4xODUuOTkvcmEtc3ViY2EuY3JsMA4G
    A1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBTjhAvLMyhwsYr+Mq1LT/n4BY4U7TAd
    BgNVHQ4EFgQULA4QQvFQjDDe2ZwgmND9L1MYhJIwDQYJKoZIhvcNAQEEBQADgYEA
    4eyutNSNdNA2uKgqatQGT66Nxx2s6DF4fLPJY7wLMHJv+pXwrmzYzJpKqQrzf0ZL
    WbaVHu6RdRvq35PFSdIm72l/whuATZSEdnHUsEU9GnGDjpvJCmAw73IAa8LDnfaZ
    3N2NaAxY4CXAsxHWWtD1ea7A7utdS0R29d2aqNkvaXM=
    -----END CERTIFICATE-----
    
    % Router Certificate successfully imported

The entire process is conducted by use of terminal access. Consequently, no packet exchanges are required between the certificate authority and the end spoke.

SCEP-Based Enrollment

Adding a large number of routers in an enterprise and going through the steps for each of those would be a painful exercise for the network engineer. Consider a thousand routers. Often, engineers prefer to have a templated configuration that can be set up one time, enabling automation for subsequent certificates upon certificate expiration.

When network connections are possible between an endpoint and a certificate server, a network-based approach might be preferred because it provides the opportunity to templatize the approach, and in the future with features mentioned later, automatic addressing of certificate expiry issues. This approach is easier to implement and requires significantly less labor. Whenever possible, SCEP enrollment is the preferred solution. This approach requires minimal configuration on the router endpoints.

The use of the network-based approach has the chief benefit of improving scalability and limiting operational overhead. SCEP enables an endpoint to request a certificate or other certificate-related functions (revocation checking, and so on) remotely. SCEP runs on TCP port 80; however, it can also run on a nonstandard TCP port.

When an end device has an RSA key pair, it can make a request to the certificate authority using SCEP. That certificate request includes the public key. The CA responds with the new certificate, which is encrypted with the requestor's public key. This way, only the person making the request can decrypt it.

SCEP-based enrollment is configured in trustpoint mode. TCP port 80 is the default port used for SCEP and is configurable using the enrollment command. If a nonstandard port is used, make sure the http server configuration on the CA matches the nonstandard port. As shown in Example 3-7, the spoke is configured to use the CA or sub-CA URL for enrollment.

Example 3-7. SCE- Based Enrollment Configuration Example

r35-4-1023(config)#crypto pki trustpoint ra
r35-4-1023(ca-trustpoint)# enrollment url http://192.168.159.243:80
  • + Share This
  • 🔖 Save To Your Account