Tuesday, July 27, 2010

Misc 45

Now that we have a PKI set up, it's time to put it to good use. The most confusing thing about a Cisco router running HTTPS (such as one hosting WebVPN) is how it should obtain its certificate from a real CA. In this post I'm going to show you the simplest way of obtaining a certificate (simplest in terms of technology, not necessarily in terms of procedure).
First of all, you should have a CA set up in Linux; if not, you can refer to this article.

Now back on the router we want to run WebVPN on. What we want to do now is to create a trustpoint that we can enroll our certificate with. A trustpoint represents a CA, and the method we use to enroll our certificate is specified there. But before we do that, we'll need to generate a keypair, which every RSA certificate needs:
crypto key generate rsa exportable label RSAKEYPAIR

Now that we have our RSA keypair, we can now create the trustpoint:
crypto pki trustpoint CA
rsakeypair RSAKEYPAIR

Now we'll specify our enrollment method, which is copying and pasting through the terminal. That's really low-tech. To do this, we'll specify:
enrollment terminal pem

Finally we'll specify the common name of the host. This common name needs to be the exact FQDN of the host. If the host does not have a domain name associated with it, you will need to specify the exact IP address it is going to use:
subject-name CN=

You can actually specify a longer subject string with OU and all the extra attributes, but this will suffice for a very basic certificate. Now it's time to enroll the certificate:
crypto pki enroll CA

It will ask you if you want to display the certificate request on the terminal. Select YES and you should see something similar to this on your screen:

What you do with this output is copy the entire block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and paste it into a file. What should you name the file? Well, you've guessed it: name it newreq.pem and place it in the /etc/ssl/ folder of your CA. Then run the signing command of CA.pl. If you don't know what I'm talking about, you'll again need to refer to this article.

Now you should end up with a newcert.pem. Before we import the certificate, we'll need to import the certificate authority's root certificate. Why do we need to do that? Because a router has no "Add Exception" button, so you either have a CA certificate that the router trusts, or it's all not going to work at all.

Be sure that the system clock is set correctly! This is crucial, as the certificates will be checked against the router's date and time to see whether they are valid. The timezone is set in configuration mode, while clock set is a privileged EXEC command, so we leave configuration mode before setting the time:
conf t
clock timezone SGT +8
end
clock set 19:11:00 July 27 2010

So we'll begin by invoking the command that imports the root CA certificate into the trustpoint:
crypto pki authenticate CA

Next, we'll paste the contents of cacert.pem, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, into the prompt. In case you're wondering, cacert.pem is found in /etc/ssl/demoCA/.

Now it's finally time to import your certificate. We do it the same way as we import the CA certificate, except that we'll use the command:
crypto pki import CA certificate
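Before pasting newcert.pem into the router, it is worth checking on the CA side that it actually chains to cacert.pem, carries the exact FQDN as its CN, and has not expired, because the authenticate and import steps on the router reject a bad certificate with far less helpful output. The script below is an added example, not part of the original post or of Cisco's or OpenSSL's documentation: it builds a throwaway CA with plain openssl commands instead of CA.pl, generates a CSR standing in for the PEM block the router prints, signs it, and runs those checks; the hostname webvpn.example.net and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: emulate the CA-side signing step with plain openssl (not CA.pl)
# and verify the result the way the router's import will, but with readable errors.
set -eu

WORK=$(mktemp -d)
FQDN="webvpn.example.net"   # constructed hostname standing in for the router's CN

# 1. A throwaway self-signed CA standing in for /etc/ssl/demoCA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1

# 2. A CSR standing in for the block printed after 'crypto pki enroll CA';
#    on a real router the private key never leaves the device.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -keyout "$WORK/routerkey.pem" -out "$WORK/newreq.pem" >/dev/null 2>&1

# 3. Sign it, producing newcert.pem (the file the CA.pl signing step leaves behind).
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
  -out "$WORK/newcert.pem" >/dev/null 2>&1

# Returns 0 only if the certificate chains to the CA, carries the expected CN
# and has not expired; prints the reason and returns 1 otherwise.
check_router_cert() {
  cert=$1; ca=$2; expected_cn=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not verify against $ca"; return 1; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] \
    || { echo "CN '$cn' does not match expected '$expected_cn'"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has already expired"; return 1; }
  # Print the validity window so it can be compared with 'show clock' on the router.
  openssl x509 -in "$cert" -noout -dates
  return 0
}

check_router_cert "$WORK/newcert.pem" "$WORK/cacert.pem" "$FQDN"
```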

Now that you have a certificate, we'll set up WebVPN, but this time with the SSL trustpoint set to the trustpoint you imported your certificate into. If you want to set up WebVPN, you can follow along with this article.

In the future I'll go into topics like using automatic enrollment and so on, so stay tuned! Before I go into those, it's time to set up OpenVPN on a WRT54G and connect using a Windows host!
