Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Task 2: Configure CA Support

Configuring PIX Firewall CA support requires careful attention for successful implementation. Having a detailed plan will lessen the chances of improper configuration. Some planning steps and their associated commands follow:

Step 1

Manage Flash memory usage (optional)—CA certificates, CRLs, and RSA key pairs might use up a significant amount of Flash memory space and might need to be monitored.

Step 2

Configure the PIX Firewall's time and date— The PIX Firewall must have an accurate time and date to enroll with a CA server.

Step 3

Configure the PIX Firewall's host name and domain name—The host name and domain name are required to associate the fully qualified domain name (FQDN) with the keys and certificates used by IPSec.

Step 4

Generate RSA signature key pairs—The RSA signature key pairs are used to sign and encrypt IKE key management messages used to obtain a certificate.

Step 5

Declare a CA—Specify the nickname and IP address of the CA.

Step 6

Configure CA communication parameters—Specify CA, RA, and retry parameters.

Step 7

Authenticate the CA—Obtain the CA's public key and certificate.

Step 8

Request signed certificates—Request signed certificates from your CA for all of your PIX Firewall's RSA key pairs.

Step 9

Save the configuration—Save the configuration to Flash memory.

Step 10

Verify CA support configuration—Verify CA support configuration with various show commands.

Step 11

Monitor and maintain CA interoperability (optional)—Delete certificates and update CRLs.


Step 1: Manage Flash Memory Usage (Optional)

In some cases, storing certificates and CRLs locally will not present a problem. However, in other cases, memory might become an issue—particularly if your CA supports an RA and a large number of CRLs are stored on your PIX Firewall. A PIX Firewall stores the following types of certificates:

  • RSA signature key pairs

  • Its own certificate

  • The CA's certificate

  • Two RA certificates (only if the CA supports RA)

The PIX Firewall stores the following numbers of CRLs:

  • One, if the CA does not support an RA

  • Multiple, if the CA supports an RA

Step 2: Set the PIX Firewall's Date and Time

Ensure that the PIX Firewall's time and date have been accurately set with the show clock command. The clock must be accurately set before generating RSA key pairs and enrolling with the CA server because the keys and certificates are time-sensitive.

To set the PIX Firewall's time and date, use the clock set configuration command. The command syntax is as follows:

clock set hh:mm:ss day month year
clock set hh:mm:ss month day year

hh:mm:ss

Current time in hours (military format), minutes, and seconds

day

The current day of the month, for example, 1

month

The current month expressed as the first three characters of the month, for example, apr for April

year

The current year expressed as four digits, for example, 2001


The following example sets the time to one second before midnight, December 31, 2000:

PIX1(config)# clock set 23:59:59 31 dec 2000

Cisco's PKI protocol uses the clock to make sure that a CRL is not expired. Otherwise, the CA might reject or allow certificates based on an incorrect time stamp.

NOTE

The lifetime of a certificate and the CRL is checked in GMT time. If you are using IPSec with certificates, set the PIX Firewall clock to GMT time to ensure that CRL checking works correctly.

Step 3: Configure the PIX Firewall's Host Name and Domain Name

You must configure the PIX Firewall's host name and IP domain name if this has not already been done. This is required because the PIX Firewall assigns a FQDN to the keys and certificates used by IPSec, and the FQDN is based on the host name and IP domain name you assign to the PIX Firewall. For example, a certificate is named "pix1.xyz.com" based on a PIX Firewall host name of "pix1" and a PIX Firewall IP domain name of "xyz.com."

To configure the PIX Firewall's host name and IP domain name, there are two commands to use. To configure the PIX Firewall's host name, use the following command:

hostname newname

To configure the PIX Firewall's IP domain name, use the following command:

domain-name name

Step 4: Generate RSA Key Pairs

RSA key pairs are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your PIX Firewall.

To generate an RSA key pair, enter the following command in configuration mode:

ca generate rsa {key | specialkey} key_modulus_size

key

This specifies that one general purpose RSA key pair will be generated.

specialkey

This specifies that two special purpose RSA key pairs will be generated instead of one general purpose key.

key_modulus_size

The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits might cause key generation to take a few minutes, but it increases key entropy or life.


The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

In the following example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 512.

pixfirewall(config)#ca generate rsa key 512

Step 5: Declare a CA

Declare one CA to be used by your PIX Firewall with the ca identity command in configuration mode. You can also specify the location of the CA server's CGI script and the LDAP IP address, if used. The command syntax is as follows:

ca identity ca_nickname ca_ipaddress [:ca_script_location] [ldap_ip address]

ca_nickname

The CA's name. Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

ca_ipaddress

The CA's IP address.

:ca_script_location

The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command.

ldap_ip address

(Optional) Specify the IP address of the LDAP server. By default, querying a certificate or a CRL is done with Cisco's PKI protocol. If the CA supports LDAP, query functions can also use LDAP.


An example of entering a ca identity command is as follows:

pixfirewall(config)#ca identity labca 172.30.1.51

Step 6: Configure CA Communication Parameters

Configure CA communication parameters with the ca configure command in configuration mode. You can use the command to indicate whether to contact the CA or an RA to obtain a certificate. Use different parameters for each type of supported CA. The command syntax is as follows:

ca configure ca_nickname {ca | ra} retry_period retry_count [crloptional]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

ca | ra

Indicates whether to contact the CA or RA when using the ca configure command. Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.

retry_period

Specifies the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the firewall retries every minute.

retry_count

Specifies how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA for the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.

crloptional

Allows other peers' certificates to be accepted by your PIX Firewall even if the appropriate CRL is not accessible to your PIX Firewall. The default is without crloptional.


An example of defining VeriSign CA server-related commands is as follows. The IP address of onsiteipsec.verisign.com server is 172.31.1.50.

pixfirewall(config)#ca identity vsec.cisco.com 172.31.1.50
pixfirewall(config)#ca configure vsec.cisco.com ca 1 20 crloptional

Note that the CA mode is specified.

An example of defining a Baltimore or an Entrust CA server is as follows. The IP address of the CA server is 172.30.1.51.

pixfirewall(config)#ca identity labca 172.30.1.51 172.30.1.51
pixfirewall(config)#ca configure labca ra 1 20 crloptional

The second IP address is for an LDAP query server running on the same host. Note that the RA mode is specified.

An example of defining a Microsoft Windows 2000 CA is as follows:

pixfirewall(config)#ca identity labca 172.30.1.51:/certsrv/mscep/mscep.dll
pixfirewall(config)#ca configure labca ra 1 20 crloptional

Step 7: Authenticate the CA

Authenticate the CA to verify that it is legitimate by obtaining its public key and its certificate with the ca authenticate command in configuration mode. After entering the command, manually authenticate the CA's public key by contacting the CA administrator to compare the CA certificate's fingerprint. An RA, if used (as in the Entrust CA), acts as a proxy for a CA. The command syntax is as follows:

ca authenticate ca_nickname [fingerprint]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

fingerprint

A key consisting of alphanumeric characters the PIX Firewall uses to authenticate the CA's certificate. The fingerprint is optional and is used to authenticate the CA's public key within its certificate. The PIX Firewall discards the CA certificate if the fingerprint that you included in the command statement is not equal to the fingerprint within the CA's certificate.

Depending on the CA you are using, you might need to ask your local CA administrator for this fingerprint.

You also have the option to authenticate the public key manually by comparing the two fingerprints after you receive the CA's certificate, rather than entering it within the command statement.


An example of authenticating a CA is as follows:

pixfirewall(config)#ca authenticate labca

The certificate has the following attributes:

Fingerprint: 93700c31 4853ec4a ded81400 43d3c82c

Step 8: Request Signed Certificates

Request signed certificates from your CA for all your PIX Firewall's RSA key pairs using the ca enroll command. Before entering this command, have your CA administrator authenticate your PIX Firewall manually before granting its certificates. The command syntax is as follows:

ca enroll ca_nickname challenge_password [serial] [ipaddress]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

challenge_password

A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

serial

Specifies the PIX Firewall's serial number (optional).

ipaddress

The PIX Firewall's IP address (optional).


The ca enroll command requests certificates from the CA for all your PIX Firewall's RSA key pairs. This task is also known as enrolling with the CA.

During the enrollment process, you are prompted for a challenge password that can be used by the CA administrator to validate your identity. Do not forget the password you use. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when the ca enroll command is issued.)

Your PIX Firewall needs a signed certificate from the CA for each of your PIX Firewall's RSA key pairs. If you already have a certificate for your keys, you will not be able to complete this command; instead, you will be prompted to remove the existing certificate first.

If you want to cancel the current enrollment request, use the no ca enroll command.

An example of authenticating a CA is as follows:

pixfirewall(config)#ca enroll labca mypassword1234567

The argument mypassword1234567 in the example is a password, which is not saved with the configuration.

NOTE

The password is required if your certificate needs to be revoked, so it is crucial that you remember this password. Note it and store it in a safe place.

The ca enroll command requests as many certificates as there are RSA key pairs. You need to perform this command only once, even if you have special usage RSA key pairs.

NOTE

If your PIX Firewall reboots after you issued the ca enroll command but before you received the certificates, you must reissue the command and notify the CA administrator.

Step 9: Save the Configuration

Save your configuration with the ca save all and write memory commands.

  • The ca save all command allows you to save the PIX Firewall's RSA key pairs; the CA, the RA, and the PIX Firewall's certificates; and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall's Flash memory. The ca save command itself is not saved with the PIX Firewall configuration between reloads.

  • The write memory command stores current CA configuration in Flash memory.

Step 10: Verify CA Support Configuration

Use the show ca identity command to view the current CA identity settings stored in RAM.

Use the show ca configure command to view CA communication parameter settings.

Use the show ca certificate command to verify that the enrollment process was successful and to view PIX Firewall, CA, and RA certificates.

Use the show ca mypubkey rsa command to view your RSA key pairs. Example 7-1 displays sample output from the show ca mypubkey rsa command.

Example 7-1 show ca mypubkey rsa Command Output

% Key pair was generated at: 15:34:55 Jan 01 2000

Key name: labca.cisco.com

Usage: General Purpose Key

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d

6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf

6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001.


Step 11: Monitor and Maintain CA Support

The following steps are optional, depending on your particular requirements:

  • Request a CRL

  • Delete PIX Firewall's RSA keys and certificates

  • Delete CA data from Flash memory

Request a CRL

Request a CRL at any time with the ca crl request command. The PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (unexpired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent by an IKE exchange. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.

Delete PIX Firewall's RSA Keys and Certificates

Delete all your PIX Firewall's RSA keys with the ca zeroize rsa command. The command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

Use the no ca identity command to manually remove the PIX Firewall's certificates from the configuration. This deletes all the certificates issued by the CA.

Ask the CA administrator to revoke your PIX Firewall's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall's certificates using the crypto ca enroll command.

Delete CA Data from Flash Memory

The no ca save command removes the PIX Firewall's RSA key pairs; the CA, the RA, and the PIX Firewall's certificates; and the CA's CRLs from the persistent data file in Flash memory.

Example of a CA Server Configuration

Example 7-2 shows a sample of CA commands for an Entrust CA server.

Example 7-2 CA Commands for an Entrust CA Server

pix1# write terminal

!

hostname Pix1

domain-name labca.cisco.com

!

ca identity labca 172.30.1.51:cgi-bin/pkiclient.exe 172.30.1.51

ca configure labca ra 1 100 crloptional


NOTE

You must use the show ca mypubkey rsa command to view your RSA key pairs. You must use the show ca certificate command to view PIX Firewall, CA, and RA certificates.

  • + Share This
  • 🔖 Save To Your Account