5.8. Enrolling a Certificate on a Cisco Router

Simple Certificate Enrollment Protocol (SCEP), designed by Cisco, is a way for a router to communicate with a certificate-issuing authority, such as a CA, to enroll certificates for the router.
Normally, a router installer enters the CA's URL and a challenge password (also called a one-time PIN) into the router and issues a command to initiate the enrollment. The router then communicates with the CA over SCEP to generate, request, and retrieve the certificate. The router can also check the status of a pending request using SCEP.

5.8.1. Enabling SCEP Enrollments

For security reasons, SCEP enrollments are disabled by default in the CA. To allow routers to be enrolled, SCEP enrollments must be manually enabled for the CA.
  1. Stop the CA server, so that you can edit the configuration files.
    systemctl stop pki-tomcatd@instance_name.service
  2. Open the CA's CS.cfg file.
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg
  3. Set the ca.scep.enable parameter to true. If the parameter is not present, then add a line with the parameter.
    ca.scep.enable=true
  4. Restart the CA server.
    systemctl start pki-tomcatd@instance_name.service

5.8.2. Configuring Security Settings for SCEP

Several different parameters allow administrators to set specific security requirements for SCEP connections, such as not using the same certificate for enrollment authentication and regular certificate enrollments, or setting allowed encryption algorithms to prevent downgrading the connection strength. These parameters are listed in Table 5.2, “Configuration Parameters for SCEP Security”.

Table 5.2. Configuration Parameters for SCEP Security

Parameter                               Description
ca.scep.encryptionAlgorithm             Sets the default or preferred encryption algorithm.
ca.scep.allowedEncryptionAlgorithms     Sets a comma-separated list of allowed encryption algorithms.
ca.scep.hashAlgorithm                   Sets the default or preferred hash algorithm.
ca.scep.allowedHashAlgorithms           Sets a comma-separated list of allowed hash algorithms.
ca.scep.nickname                        Gives the nickname of the certificate to use for SCEP communication. The default is to use the CA's key pair and certificate unless this parameter is set.
ca.scep.nonceSizeLimit                  Sets the maximum nonce size, in bytes, allowed for SCEP requests. The default is 16 bytes.

To set the security settings for SCEP enrollment connections:
  1. Stop the CA server, so that you can edit the configuration files.
    systemctl stop pki-tomcatd@instance_name.service
  2. Open the CA's CS.cfg file.
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg
  3. Set the desired security parameters, as listed in Table 5.2, “Configuration Parameters for SCEP Security”. If the parameter is not already present, then add it to the CS.cfg file.
    ca.scep.encryptionAlgorithm=DES3
    ca.scep.allowedEncryptionAlgorithms=DES3
    ca.scep.hashAlgorithm=SHA1
    ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
    ca.scep.nickname=Server-Cert
    ca.scep.nonceSizeLimit=20
  4. Restart the CA server.
    systemctl start pki-tomcatd@instance_name.service
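The CS.cfg edits in Section 5.8.1 and the procedure above are easy to get wrong by hand (a key added twice, or a preferred algorithm that is missing from its own allowed list). The following shell functions are an added example, not part of the Certificate System documentation: they set or add a key=value line without duplicating it, read a value back, and check that the preferred encryption and hash algorithms appear in the corresponding allowed lists before the CA is restarted. The temporary file is a constructed stand-in for /var/lib/pki/instance_name/ca/conf/CS.cfg, and the demo chooses SHA256 rather than the SHA1 shown above; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Certificate System docs): edit a CS.cfg-style
# "key=value" file without duplicating keys, and sanity-check the SCEP
# algorithm settings. A temp file stands in for the real CS.cfg; stop the CA
# before editing the real one, as the procedure says.

# set_cfg_param FILE KEY VALUE : replace an existing "KEY=..." line, else append one.
# VALUE must not contain '|' or '&' (sed replacement syntax); CS.cfg values here do not.
set_cfg_param() {
    file=$1
    key=$2
    value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in keys are literal
    if grep -q "^${esc}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_param FILE KEY : print the value of KEY (last occurrence wins), or nothing.
get_cfg_param() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^${esc}=||p" "$1" | tail -n 1
}

# in_csv_list ITEM LIST : succeed when ITEM is exactly one entry of the comma-separated LIST.
in_csv_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# check_scep_algs FILE : a preferred algorithm that is absent from its own allowed
# list is a misconfiguration; fail so the admin fixes CS.cfg before restarting the CA.
check_scep_algs() {
    in_csv_list "$(get_cfg_param "$1" ca.scep.encryptionAlgorithm)" \
                "$(get_cfg_param "$1" ca.scep.allowedEncryptionAlgorithms)" &&
    in_csv_list "$(get_cfg_param "$1" ca.scep.hashAlgorithm)" \
                "$(get_cfg_param "$1" ca.scep.allowedHashAlgorithms)"
}

# Demo on a constructed stand-in for CS.cfg.
cfg=$(mktemp)
printf 'ca.scep.enable=false\n' > "$cfg"
set_cfg_param "$cfg" ca.scep.enable true
set_cfg_param "$cfg" ca.scep.encryptionAlgorithm DES3
set_cfg_param "$cfg" ca.scep.allowedEncryptionAlgorithms DES3
set_cfg_param "$cfg" ca.scep.hashAlgorithm SHA256
set_cfg_param "$cfg" ca.scep.allowedHashAlgorithms SHA256,SHA512
set_cfg_param "$cfg" ca.scep.nonceSizeLimit 20
check_scep_algs "$cfg" && echo "SCEP settings consistent:" && grep '^ca\.scep\.' "$cfg"
rm -f "$cfg"
```

Run check_scep_algs against the real CS.cfg between step 3 and step 4 of the procedure; a non-zero exit means the preferred algorithm is not in its allowed list.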

5.8.3. Configuring a Router for SCEP Enrollment

Note

Not all versions of router IOS have the relevant crypto features. Make sure that the firmware image has the Certification Authority Interoperability feature. Certificate System SCEP support was tested on a Cisco 2611 router running IOS C2600 Software (C2600-JK9S-M), version 12.2(40), RELEASE SOFTWARE (fc1).
Before enrolling SCEP certificates on the router, make sure that the router is appropriately configured:
  • The router must be configured with an IP address, DNS server, and routing information.
  • The router's date/time must be correct.
  • The router's hostname and dnsname must be configured.
See the router documentation for instructions on configuring the router hardware.

5.8.4. Generating the SCEP Certificate for a Router

The following procedure details how to generate the SCEP certificate for a router.
  1. Pick a random PIN.
  2. Add the PIN and the router's ID to the flatfile.txt file so that the router can authenticate directly against the CA. For example:
    vim /var/lib/pki/instance_name/ca/conf/flatfile.txt
    
    UID:172.16.24.238
    PWD:Uojs93wkfd0IS
    Be sure to insert an empty line after the PWD line.
    The router's IP address can be an IPv4 address or an IPv6 address.
    Using flat file authentication is described in Section 9.2.4, “Configuring Flat File Authentication”.
  3. Log into the router's console. For this example, the router's name is scep:
    scep>
  4. Enable privileged commands.
    scep> enable
  5. Enter configuration mode.
    scep# conf t
  6. Import the CA certificate for every CA in the certificate chain, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router:
    scep(config)# crypto ca trusted-root1
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 1
    scep(config)# crypto ca trusted-root0
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 0
  7. Set up a CA identity, and enter the URL to access the SCEP enrollment profile. For example, for the CA:
    scep(config)# crypto ca identity CA
    scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin
    scep(ca-identity)# crl optional
  8. Get the CA's certificate.
    scep(config)# crypto ca authenticate CA
    Certificate has the following attributes:
    Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57
    % Do you accept this certificate? [yes/no]: yes
  9. Generate an RSA key pair.
    scep(config)# crypto key generate rsa
    The name for the keys will be: scep.server.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.
    
    How many bits in the modulus [512]:
    Generating RSA keys ...
    [OK]
  10. Lastly, generate the certificate on the router.
    scep(config)# crypto ca enroll CA
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
    password to the CA Administrator in order to revoke your certificate.
    For security reasons your password will not be saved in the configuration.
    Please make a note of it.
    
    Password: secret
    Re-enter password: secret
    
    % The subject name in the certificate will be: scep.server.example.com
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: 57DE391C
    % Include an IP address in the subject name? [yes/no]: yes
    % Interface: Ethernet0/0
    % Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.
    
    % Fingerprint:D89DB555 E64CC2F7 123725B4 3DBDF263
    
    Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
  11. Close configuration mode.
     scep(config)# exit
  12. To make sure that the router was properly enrolled, list all of the certificates stored on the router.
    scep# show crypto ca certificates
    Certificate
     Status: Available
     Certificate Serial Number: 0C
     Key Usage: General Purpose
     Issuer:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Subject Name Contains:
    	Name: scep.server.example.com
    	IP Address: 10.14.1.94
    	Serial Number: 57DE391C
     Validity Date:
    	start date: 21:42:40 UTC Jan 12 2007
    	end date: 21:49:50 UTC Dec 31 2008
     Associated Identity: CA
    
    CA Certificate
     Status: Available
     Certificate Serial Number: 01
     Key Usage: Signature
     Issuer:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Subject:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Validity Date:
    	start date: 21:49:50 UTC Jan 11 2007
    	end date: 21:49:50 UTC Dec 31 2008
     Associated Identity: CA
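Two points in the procedure above benefit from tooling on the CA side: preparing the flatfile.txt entry in steps 1 and 2 (random PIN, UID/PWD pair, and the empty line that must follow the PWD line), and the fingerprint prompt in step 8, which should only be answered "yes" after comparing the value the router prints against a copy obtained out of band. The shell functions below are an added example and not part of the Certificate System documentation. A temporary file stands in for flatfile.txt; the colon-separated fingerprint in the demo is a constructed rendering of the page's value in the format openssl prints, and it is an assumption that the router's 16-byte fingerprint is an MD5 digest (the length matches), so openssl x509 -noout -fingerprint -md5 is taken as the out-of-band source.

```shell
#!/bin/sh
# Added example (not from the Certificate System docs): helpers for the flatfile.txt
# entry (steps 1-2) and for comparing the CA fingerprint shown at step 8 with a
# copy obtained out of band. A temp file stands in for
# /var/lib/pki/instance_name/ca/conf/flatfile.txt.

# random_pin LEN : LEN alphanumeric characters drawn from /dev/urandom (default 14).
random_pin() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-14}"
}

# add_flatfile_entry FILE UID PWD : append a UID/PWD pair followed by the required
# empty line. UID may be an IPv4 or IPv6 address, as the procedure allows.
add_flatfile_entry() {
    printf 'UID:%s\nPWD:%s\n\n' "$2" "$3" >> "$1"
}

# flatfile_pwd_for FILE UID : print the PWD recorded for UID, or nothing if absent.
flatfile_pwd_for() {
    awk -v uid="$2" '
        $0 == "UID:" uid { found = 1; next }
        found && /^PWD:/ { print substr($0, 5); exit }
        $0 == ""         { found = 0 }
    ' "$1"
}

# normalize_fp HEX : drop spaces and colons and upper-case, so the router's
# "145E3825 31998BA7 ..." form and openssl's "14:5E:38:25:..." form compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# same_fingerprint A B : succeed only when both are non-empty and denote the same digest.
same_fingerprint() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on a constructed stand-in for flatfile.txt.
ff=$(mktemp)
pin=$(random_pin 14)
add_flatfile_entry "$ff" 172.16.24.238 "$pin"
echo "flatfile entry for 172.16.24.238 carries PIN $(flatfile_pwd_for "$ff" 172.16.24.238)"
rm -f "$ff"

# Fingerprint as the router printed it at step 8 (value from the page) against the
# constructed openssl-style rendering of the same digest obtained out of band.
same_fingerprint '145E3825 31998BA7 F001EA9A B4001F57' \
                 '14:5E:38:25:31:99:8B:A7:F0:01:EA:9A:B4:00:1F:57' \
    && echo 'CA fingerprint matches the out-of-band copy; safe to answer yes'
```

Obtain the out-of-band fingerprint from the CA certificate file on the CA host itself, not from the router or from the SCEP URL the router is about to trust; the comparison is only meaningful when the second value comes from an independent path.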

5.8.5. Working with Subordinate CAs

Before a router can authenticate to a CA, every CA certificate in the CA's certificate chain must be imported into the router, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router:
scep(config)# crypto ca trusted-root1
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 1
scep(config)# crypto ca trusted-root0
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 0
If the CA certificates do not have the CRL distribution point extension set, turn off the CRL requirement by setting it to optional:
scep(ca-root)# crl optional
After that, set up the CA identity as described in Section 5.8.4, “Generating the SCEP Certificate for a Router”.

5.8.6. Re-enrolling a Router

Before a router can be re-enrolled with new certificates, the existing configuration has to be removed.
  1. Remove (zeroize) the existing keys.
    scep(config)# crypto key zeroize rsa
    % Keys to be removed are named scep.server.example.com.
    Do you really want to remove these keys? [yes/no]: yes
  2. Remove the CA identity.
    scep(config)# no crypto ca identity CA
    % Removing an identity will destroy all certificates received from
    the related Certificate Authority.
    
    Are you sure you want to do this? [yes/no]: yes
    % Be sure to ask the CA administrator to revoke your certificates.
    
    No enrollment sessions are currently active.

5.8.7. Enabling Debugging

The router provides additional debugging output during SCEP operations when the following debug commands are enabled.
 scep# debug crypto pki callbacks
 Crypto PKI callbacks debugging is on

 scep# debug crypto pki messages
 Crypto PKI Msg debugging is on

 scep# debug crypto pki transactions
 Crypto PKI Trans debugging is on

 scep#debug crypto verbose
 verbose debug output debugging is on

5.8.8. Issuing ECC Certificates with SCEP

By default, an ECC CA does not support SCEP out of the box. However, it is possible to work around this by using a designated RSA certificate for each of the following two roles:
  • encryption/decryption certificate: designate an RSA certificate that has encryption/decryption capability (scepRSAcert in the following example)
  • signature certificate: obtain an RSA certificate to use on the client side for signing, instead of a self-signed one (signingCert in the following example)
For example, with scepRSAcert being the encryption/decryption certificate and signingCert being the signing certificate:
sscep enroll -c ca.crt -e scepRSAcert.crt -k local.key -r local.csr -K sign.key -O sign.crt -E 3des -S sha256 -l cert.crt -u 'http://example.example.com:8080/ca/cgi-bin/pkiclient.exe'