The PIX Security Appliance enrolls with a CA server in a series of steps in which specific keys are generated and then exchanged by the PIX and the CA server to ultimately form a signed certificate. The enrollment steps can be summarized as follows:
Step 1: The PIX Security Appliance generates an RSA public and private key pair.
Step 2: The PIX Security Appliance obtains a public key and its certificate from the CA server.
Step 3: The PIX Security Appliance requests a signed certificate from the CA using the generated RSA keys and the public key certificate from the CA server.
Step 4: The CA administrator verifies the request and sends a signed certificate.
Generate an RSA Key Pair
RSA key pairs are generated with the crypto key generate rsa command. If no additional keywords are used, this command generates one general-purpose RSA key pair. Because the key modulus is not specified, the default key modulus of 1024 is used. Other modulus sizes can be specified with the modulus keyword. Use the show crypto key mypubkey rsa command to view the created key pair. To remove RSA key pairs, use the crypto key zeroize rsa command in global configuration mode.
Obtain a Public Key and Certificate from the CA Server
Create a trustpoint corresponding to the CA from which the PIX Security Appliance needs to receive its certificate with the crypto ca trustpoint trustpoint command. Upon entering this command, crypto ca trustpoint configuration mode is entered. To specify SCEP enrollment, use the enrollment url command. To specify manual enrollment, use the enrollment terminal command. As needed, specify other characteristics for the trustpoint. More information about these commands can be found in the Command Reference.
After configuring the trustpoint, obtain the CA certificate for the trustpoint with the crypto ca authenticate command. The public key of the CA is included with this certificate.
Request a Signed Certificate from the CA
Enroll the PIX Security Appliance with the trustpoint using the crypto ca enroll command. Before entering this command, contact the CA administrator, because the administrator may need to authenticate the enrollment request manually before the CA grants its certificates.
Verify that the CA Administrator Has Sent a Signed Certificate
After the enrollment is complete, verify that the enrollment process was successful using the show crypto ca certificate command. The output of this command shows the details of the certificate issued for the PIX Security Appliance and the CA certificate for the trustpoint. Be sure to save the configuration using the write memory command after the certificate has been received.
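The four enrollment steps above as one continuous CLI session, added here as an illustration rather than taken from the original page. The trustpoint name, key label, CA URL and hostname are assumed placeholders; the session uses SCEP enrollment and the modulus keyword the text mentions instead of the 1024-bit default.

```cisco
! Step 1: generate the RSA key pair. "modulus 2048" overrides the 1024-bit
! default; the label (PIX-KEY, assumed) lets the trustpoint reference this
! exact pair. Then confirm it exists.
pix(config)# crypto key generate rsa label PIX-KEY modulus 2048
pix(config)# show crypto key mypubkey rsa

! Step 2: define a trustpoint for the CA (name and URL are placeholders),
! bind it to the key pair, and fetch the CA certificate over SCEP.
pix(config)# crypto ca trustpoint EXAMPLE-CA
pix(config-ca-trustpoint)# enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
pix(config-ca-trustpoint)# keypair PIX-KEY
pix(config-ca-trustpoint)# subject-name CN=pix1.example.com,O=Example
pix(config-ca-trustpoint)# fqdn pix1.example.com
pix(config-ca-trustpoint)# exit
pix(config)# crypto ca authenticate EXAMPLE-CA
! The appliance prints the received CA certificate's fingerprint and asks
! whether to accept it. Compare that fingerprint with one obtained from the
! CA administrator out of band before answering yes: this prompt is the only
! point at which the CA's identity is actually verified.

! Step 3: request a signed identity certificate. With SCEP the appliance
! prompts for the challenge password agreed with the CA administrator.
pix(config)# crypto ca enroll EXAMPLE-CA

! Step 4: after the administrator approves the request, confirm that both the
! CA certificate and the issued identity certificate are present, then save.
pix(config)# show crypto ca certificate
pix(config)# write memory
```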