I need to retract my previous mail, as after further investigation it is
required to act as the store point for the CA Certificates.
If not manually created prior to the CA Server config, the trustpoint will be
automatically created.

Stu

Extract below from the Security config guide: Secure Connectivity -
Trustpoint of the Certificate Server

The certificate server will also have an automatically generated trustpoint
of the same name; the trustpoint will store the certificate of the
certificate server. After the router detects that a trustpoint is being used
to store the certificate of the certificate server, the trustpoint will be
locked so that it cannot be modified.

Before configuring the certificate server you can perform the following:

• Manually create and set up this trustpoint (using the crypto pki trustpoint
  command), which allows you to specify an alternative RSA key pair (using the
  rsakeypair command).

• Specify that the initial autoenrollment key pair will be generated on a
  specific device, such as a configured and available USB token, using the on
  command.


On Mon, Jul 6, 2009 at 4:53 PM, Stuart Hare <[email protected]> wrote:

> Thanks for the confirmation Steve
>
> That was my take also, so was confused why it is included in the examples.
>
> Stu
>
>   On Mon, Jul 6, 2009 at 4:15 PM, Steve Means <[email protected]> wrote:
>
>> No trustpoint is necessary on the CA itself. Unless of course it is going
>> to enroll with itself and participate in the VPN.
>>
>> We found that you can get away with a very minimal configuration for the
>> CA and have it still work. :)
>>
>> Steve Means
>> Security Instructor/Consultant
>> [email protected]
>> CCBOOTCAMP - A Cisco Learning Partner
>> 877.654.2243 Toll Free
>> +1.702.968.5100 Direct Outside the USA
>> +1.702.446.0357 Fax
>> YES! We take Cisco Learning Credits
>>
>> ________________________________
>>
>> From: [email protected] on behalf of Stuart Hare
>> Sent: Mon 7/6/2009 3:11 AM
>> To: Keith Barker
>> Cc: Piotr Kaluzny; Willians Barboza; [email protected]
>> Subject: Re: IOS CA + VPN Client , CCBOOTCAMP working solution below
>>
>>
>>
>> Keith,
>>
>> Did you not include a pki trustpoint on the IOS CA?
>>
>> I have always included one, as they appear in the config guide examples; not
>> sure if it is actually required though?
>>
>> Stu
>>
>>
>> On Sat, Jul 4, 2009 at 8:42 PM, Keith Barker <[email protected]>
>> wrote:
>>
>> > Hello Piotr-
>> >
>> > I put this configuration together on a rack to verify, and here is what
>> > I found as a "recipe for success".
>> > The full working configuration items are below.
>> >
>> >
>> >
>> > First, on the IOS CA server, make sure NTP and CA server are set up
>> > correctly AND that http server is enabled.   Also make sure your IOS CA
>> > is set to "grant auto":
>> >
>> >
>> > conf t
>> > clock timezone PST -8
>> > clock summer-time PDT recurring
>> > ntp source Loopback0
>> > ntp master 1
>> > ntp authentication-key 1 md5 cisco
>> > ntp trusted-key 1
>> > ntp authenticate
>> > ip http server
>> > ip domain-name CCBOOTCAMP.com
>> >
>> > crypto key generate rsa general-keys modulus 1024 exportable
>> >
>> > crypto pki server R1-CA_Server
>> > database url nvram:
>> > database level minimum
>> > issuer-name CN=R1.CCBOOTCAMP.com L=NV C=US
>> > cdp-url http://192.168.2.1/R1.cdp.crl
>> > grant auto
>> > no shut
>> >
>> >
>> >
>> > Then, make sure that HTTP is permitted between the VPN Client and the
>> > IOS CA Server, (ACLs on Firewalls permitting the port 80 traffic, etc)
>> >
>> > On the VPN Software client PC, make sure that time agrees with the time
>> > on the IOS router, and then under certificate enrollment configure the
>> > following:
>> >
>> > URL:  http://192.168.2.1/cgi-bin/pkiclient.exe  (using the IP address of
>> > the IOS CA Server)
>> >
>> >
>> > CA Domain:  (whatever you want)
>> >
>> >
>> > Challenge Password:  (whatever value you would like)
>> >
>> >
>> >
>> > After clicking "NEXT" supply a value for CN and OU.
>> >
>> > Click on the "ENROLL" button and you are set.
>> >
>> > That is all it took when I tested this today.
>> >
>> > I am using Cisco IOS Software, 2800 Software
>> > (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T7 and VPN Client ver 5.x
>> >
>> >
>> >
>> > Best wishes,
>> >
>> >
>> >
>> >
>> > Keith Barker
>> > CCIE #6783 (R&S / Security)
>> > CCSI #21763
>> > Instructor
>> > CCBOOTCAMP - A Cisco Learning Partner (CLP)
>> > Email: [email protected]
>> > Toll Free: 877-654-2243
>> > Direct: +1-702-968-5100 = Outside the USA
>> > FAX: +1-702-446-8012
>> > YES! We take Cisco Learning Credits!
>> > Training And Remote Racks: http://www.ccbootcamp.com
>> >
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of
>> > Piotr Kaluzny
>> > Sent: Tuesday, June 30, 2009 10:10 AM
>> > To: [email protected]; Willians Barboza
>> > Cc: [email protected]
>> > Subject: Re: Re: IOS CA + VPN Client
>> >
>> > I simply put "http://IP_ADDRESS" on the VPN Client. I tried this with "CA"
>> > and "password" fields filled out (with as well as without). On IOS/ASA I
>> > did not have any problems with SCEP enrollment.
>> >
>> > This time mismatch may be in fact a matter of a timezone, I will check
>> > this later.
>> >
>> > Thanks,
>> > Piotr Kaluzny
>> >
>> > "Willians Barboza" wrote:
>> >
>> >  many things can cause problems: timezone, summertime, clock set. What is
>> >  the URL you configured to enroll???
>> >
>> >  2009/6/29 Piotr Kaluzny <[email protected]>
>> >
>> >    Good Day,
>> >
>> >    Does anyone know how to enroll Cisco VPN Client with IOS CA via
>> >    SCEP? It does not work for me, I got Error 42 "Unable to create
>> >    certificate enrollment request". I figured out how to do it via
>> >    PKCS#10 "cut & paste" but it is more time-intensive and I noticed
>> >    that after the enrollment time has to be adjusted on the VPN Client
>> >    PC because Certificates are not valid (even if I had set the time
>> >    correctly on the Router).
>> >
>> >    Appreciate any feedback.
>> >
>> >    Thanks,
>> >    Piotr Kaluzny
>> >
>> >
>>
>>
>> --
>> Stuart Hare
>>
>> [email protected]
>>
>>
>>
>>
>
>


-- 
Stuart Hare

[email protected]
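
As an added example (not from this thread or the config guide), this is what
the manual-trustpoint option from the guide extract at the top of this message
looks like in IOS: the trustpoint is created with the server's own name before
the server itself, so the CA signs with a dedicated key pair instead of the
router's default one. The key label CA-KEYS and the 2048-bit modulus are
assumptions; the server name, issuer name and CDP URL are taken from Keith's
recipe above.

```cisco
! Added example, not the thread's or the config guide's own config.
! Assumed names: CA-KEYS (key label). R1-CA_Server, the issuer-name and the
! cdp-url are the values from Keith's recipe above.
configure terminal
 ip domain-name CCBOOTCAMP.com
 ip http server
!
! Dedicated, labelled key pair for the CA. Left non-exportable so the CA's
! private key cannot be copied off the router with "crypto key export".
 crypto key generate rsa general-keys label CA-KEYS modulus 2048
!
! Trustpoint with the SAME name as the certificate server. If this block is
! omitted, IOS creates a trustpoint of this name itself (using the default
! key pair) and locks it once the server starts using it.
 crypto pki trustpoint R1-CA_Server
  rsakeypair CA-KEYS
 exit
!
! The server now picks up the pre-created trustpoint and its key pair.
 crypto pki server R1-CA_Server
  database url nvram:
  database level minimum
  issuer-name CN=R1.CCBOOTCAMP.com L=NV C=US
  cdp-url http://192.168.2.1/R1.cdp.crl
  ! grant auto, as in the lab recipe above; the alternative is to approve
  ! each request by hand with "crypto pki server R1-CA_Server grant <req-id>"
  grant auto
  no shutdown
 exit
end
!
! Checks: the trustpoint should now show the CA-KEYS label and be reported
! as the server's trustpoint, and the server should be in "enabled" state.
show crypto pki trustpoints
show crypto pki server
```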
