Enroll the PIX Security Appliance with a CA

The PIX Security Appliance enrolls with a CA server in a series of steps: it generates an RSA key pair, obtains the CA certificate, submits a certificate request containing its public key, and receives back a certificate signed by the CA. The private key never leaves the appliance; only the public key is sent to the CA.

The enrollment steps can be summarized as follows:

Step 1 The PIX Security Appliance generates an RSA public and private key pair.
Step 2 The PIX Security Appliance obtains the CA certificate, which carries the CA public key, from the CA server.
Step 3 The PIX Security Appliance requests a signed certificate from the CA, using the generated RSA key pair and the CA certificate obtained in Step 2.
Step 4 The CA administrator verifies the request, and the CA issues a signed certificate to the PIX Security Appliance.

Generate an RSA Key Pair
RSA key pairs are generated with the crypto key generate rsa command. If no additional keywords are used, this command generates one general-purpose RSA key pair with the default modulus of 1024 bits. Other modulus sizes can be specified with the modulus keyword; a 1024-bit modulus is considered too short by current standards, so specify modulus 2048 wherever the software release and the CA support it. Use the show crypto key mypubkey rsa command to view the created key pair.

To remove RSA key pairs, use the crypto key zeroize rsa command in global configuration mode. Zeroizing a key pair also makes any certificate issued for that key pair unusable, so the appliance must be re-enrolled afterwards.

Obtain a Public Key and Certificate from the CA Server
Create a trustpoint corresponding to the CA from which the PIX Security Appliance needs to receive its certificate with the crypto ca trustpoint trustpoint command. Upon entering this command, crypto ca trustpoint configuration mode is entered. To specify SCEP enrollment, use the enrollment url command. To specify manual enrollment, use the enrollment terminal command. As needed, specify other characteristics for the trustpoint, such as the subject name and FQDN to be placed in the certificate. More information about these commands can be found in the Command Reference.

After configuring the trustpoint, obtain the CA certificate for the trustpoint with the crypto ca authenticate command. The public key of the CA is included with this certificate. The appliance displays the fingerprint of the certificate it received and asks whether to accept it. Compare that fingerprint with a value obtained from the CA administrator out of band before answering yes: SCEP retrieves the certificate over plain HTTP, so this check is the only thing that prevents an attacker on the path from substituting a CA of their own.

Request a Signed Certificate from the CA
Enroll the PIX Security Appliance with the trustpoint using the crypto ca enroll command. Before entering this command, contact the CA administrator because the administrator may need to authenticate the enrollment request manually before the CA grants its certificates. For SCEP enrollment the appliance also prompts for a challenge password, which the CA administrator may require in order to issue or later revoke the certificate; make a note of it, because it is not saved in the configuration.

Verify that the CA Administrator Has Sent a Signed Certificate
After the enrollment is complete, verify that the enrollment process was successful using the show crypto ca certificates command. The output of this command shows the details of the certificate issued for the PIX Security Appliance and the CA certificate for the trustpoint. Be sure to save the configuration using the write memory command after the certificate has been received; the key pair and certificates are not retained across a reload until the configuration is saved.
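As an added example that is not part of the original page, the annotated session below combines the four enrollment steps into one SCEP enrollment on a PIX 7.x appliance. The hostname pix1, the domain example.com, the key label LAB-KEY, the trustpoint name LAB-CA, the CA address and SCEP URL path, the subject name and the fingerprint value are all assumptions made for the illustration; the device prompts are abbreviated from PIX 7.x output.

```cisco
! Added example, not from the original page. Hostname, domain, key label,
! trustpoint name, CA URL, subject name and fingerprint are assumed values.

! Step 1: generate a named RSA key pair. 2048 bits is requested explicitly;
! omitting "modulus" would give the 1024-bit default, which is too short today.
pix1(config)# domain-name example.com
pix1(config)# crypto key generate rsa label LAB-KEY modulus 2048
INFO: The name for the keys will be: LAB-KEY
Keypair generation process begin. Please wait...
pix1(config)# show crypto key mypubkey rsa

! Step 2: define the trustpoint for the CA and fetch the CA certificate via SCEP.
pix1(config)# crypto ca trustpoint LAB-CA
pix1(config-ca-trustpoint)# enrollment url http://10.0.1.10:80/certsrv/mscep/mscep.dll
pix1(config-ca-trustpoint)# keypair LAB-KEY
pix1(config-ca-trustpoint)# subject-name CN=pix1.example.com,O=Example
pix1(config-ca-trustpoint)# fqdn pix1.example.com
pix1(config-ca-trustpoint)# exit
pix1(config)# crypto ca authenticate LAB-CA
INFO: Certificate has the following attributes:
Fingerprint:     0a1b2c3d 4e5f6071 8293a4b5 c6d7e8f9
Do you accept this certificate? [yes/no]: yes
! Answer "yes" ONLY if this fingerprint matches the value the CA administrator
! gave you out of band. SCEP runs over plain HTTP, so the fingerprint check is
! what stops an on-path attacker from handing the appliance a rogue CA.
Trustpoint CA certificate accepted.

! Step 3: request the appliance's own certificate from the CA.
pix1(config)# crypto ca enroll LAB-CA
% Start certificate enrollment ..
% Create a challenge password. (Not saved in the configuration; note it down.)
Password: ********
Re-enter password: ********
% The subject name in the certificate will be: CN=pix1.example.com,O=Example
% The fully-qualified domain name in the certificate will be: pix1.example.com
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority

! Step 4: once the CA administrator has approved the request, confirm that both
! the CA certificate and the identity certificate are present, then save.
pix1(config)# show crypto ca certificates LAB-CA
pix1(config)# write memory
```

For manual (cut-and-paste) enrollment, replace enrollment url with enrollment terminal: crypto ca authenticate then expects the base64 CA certificate to be pasted at the prompt, crypto ca enroll prints a base64 PKCS#10 request to deliver to the CA, and the certificate the CA returns is installed with crypto ca import LAB-CA certificate. The fingerprint comparison in Step 2 applies equally in that case, since the pasted CA certificate is only as trustworthy as the channel it arrived over.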

Lab Activity

Lab Exercise: Configure a Site-to-Site IPSec VPN Tunnel with CA Support

In this lab exercise, students will prepare for and then configure CA support. Students will then configure and verify IKE and IPSec parameters. Students will verify that the VPN connection is up and working properly. Finally, students will verify the VPN status and configuration using PDM.

Lab Activity

e-Lab Activity: Configure Cisco PIX Security Appliance for CA Support (RSA Signatures)

In this lab activity, the student will configure a secure VPN gateway using IPSec between two PIX Security Appliances using digital certificates.

Cisco Security Appliance CLI Configuration Guide – Configuring Certificates