Cisco IOS – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Setting IOS Time (Manually and via NTP)

1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings ma vary depending on your locale).

[box]

Setting Time Manually

Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock
10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#

Setting Time via NTP

Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49
APPLY THE 'CUP Of COFFEE RULE'

Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#

[/box]

Enrolling via NDES

1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)# enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local

RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60[/box]

4. Enroll for a certificate.

[box]

RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' commandwill show the fingerprint.

RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Oh Crap! It went wrong?

Possible errors you might see;

Error 1

[box]

RTR-1(config)#crypto key generate rsa modulus 2048
% Please define a domain-name first.

[/box]

To be honest, it couldn’t be more descriptive! You can’t generate an RSA key-pair without a hostname, and a domain name.

[box]

R1(config)#hostname RTR-1 RTR-1(config)#ip domain-name testbench.local[/box]

Error 2

[box]

RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL

RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019

[/box]

Certificates are time specific, make sure the device has its clock set correctly, (preferably via NTP). And the time on the Certificate Services Server is set correctly.

Windows – Setting Domain Time

Remember: We set the device to check the Certificate Servers CRL, make sure that’s setup properly, and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES