25
2012
How to create self-signed certificates
A digital certificate or identity certificate is an electronic document which uses a digital signature to bind a public key with an identity, information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). However, there are situations where it is not possible use a CA, so the only solutions is to use a self-signed certificate, an identity certificate that is signed by the same entity whose identity it certifies.
The standard used by Cisco is X.509, an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
The most common use of certificates is for HTTPS-based web sites. A web browser validates that an SSL web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that the web site is who it claims to be. Other uses are VPN lan2lan, GetVPN and so on.
There are two different approaches to create a self-signed certificate: automatic or manual.
To automatically create an rsa key pairs and a certificate, enable the https server:
Ciscozine(config)#ip http secure-server % Generating 1024 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 3 seconds) Ciscozine(config)# *May 23 21:35:01.855: %SSH-5-ENABLED: SSH 1.99 has been enabled Ciscozine(config)# *May 23 21:35:02.035: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate Ciscozine(config)#
Where is the certificate?
Ciscozine#dir nvram:
Directory of nvram:/
124 -rw- 85 startup-config
125 ---- 0 private-config
126 -rw- 85 underlying-config
1 ---- 57 persistent-data
129016 bytes total (127855 bytes free)
Ciscozine#
Remember: Save the configuration to save the certificate!
Ciscozine#wr Building configuration... [OK] Ciscozine#
Ciscozine#dir nvram:
Directory of nvram:/
122 -rw- 1069 startup-config
123 ---- 1914 private-config
124 -rw- 1069 underlying-config
1 ---- 57 persistent-data
2 -rw- 559 IOS-Self-Sig#1.cer
129016 bytes total (123933 bytes free)
Ciscozine#
The second method requires three steps: create an rsa key pairs, create a self signed trust point and enroll the certificate.
Create an RSA keys:
Ciscozine(config)#crypto key generate rsa label ciscozine-rsa modulus 2048 The name for the keys will be: ciscozine-rsa % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 10 seconds) Ciscozine(config)#
Create a local PKI:
Ciscozine(config)#crypto pki trustpoint my-ciscozine-ca Ciscozine(ca-trustpoint)#enrollment selfsigned Ciscozine(ca-trustpoint)#subject-name O=Test,CN=www.ciscozine.com Ciscozine(ca-trustpoint)#rsakeypair ciscozine-rsa
Remembers: The “subject-name” is the name of the entity whose public key the certificate identifies. For instance, “O” identify the “Organization” and “CN” the Common name
Obtain the certificate from the local certificate authority:
Ciscozine(config)#crypto pki enroll my-ciscozine-ca % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created Ciscozine(config)#
Ciscozine#dir nvram:
Directory of nvram:/
124 -rw- 85 startup-config
125 ---- 0 private-config
126 -rw- 85 underlying-config
1 ---- 57 persistent-data
129016 bytes total (127855 bytes free)
Ciscozine#
Remember: You must save the configuration to save the certificate!
Ciscozine#wr Building configuration... [OK] Ciscozine#
Ciscozine#dir nvram:
Directory of nvram:/
118 -rw- 1019 startup-config
119 ---- 5468 private-config
120 -rw- 1019 underlying-config
1 ---- 57 persistent-data
2 -rw- 860 Ciscozine#1.cer
129016 bytes total (120429 bytes free)
Ciscozine#
To see more information about the certificates and the rsa keys are, you can use these commands:
- show crypto pki certificates
- show crypto pki trustpoints
- show crypto key mypubkey rsa
References:
Related Posts
- Senior Executives Say Cloud-Based Collaboration Leads to Higher Business Performance http://t.co/mG2W0O7z88
- Telefonica and Cisco Complete 4,000 kilometer 100Gbps IPoDWDM Trial http://t.co/7c0uqzH6bG
- Mozilla Releases Multiple Updates http://t.co/Kqldpe1MZ7
Email Updates
Archives
- May 2013
- April 2013
- March 2013
- February 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
Pingback: How to configure Cisco VPN SSL aka WebVPN | CiscoZine