PKI
Authenticate the CA: R1 requests the CA's public key (the CA certificate) from the CA.
Enrol: R1 sends the public half of its generated private/public key pair, together with
other identifying details, to the CA to request its own digital certificate.
The CA issues an identity certificate to R1.
R1 and R2 validate each other by checking the signature on each other's digital certificate,
which was signed by the CA they both trust. R1 and R2 can verify the CA's signature because
both have authenticated with the CA and both hold a copy of the CA's public key.
Configuration steps to make a router act as a CA
- the CA router can also act as an NTP server so certificate validity times line up (#ntp master 5)
// manually generate an RSA key pair and assign it to the CA's trustpoint
Server(config)#crypto key generate rsa label VPN-KEYS modulus 1024 exportable
Server(config)#crypto pki trustpoint CA
Server(ca-trustpoint)#rsakeypair VPN-KEYS
Server(ca-trustpoint)#exit
// the HTTP server is needed for SCEP enrolment requests from clients
Server(config)#ip http server
Server(config)#crypto pki server CA
Server(cs-server)#issuer-name CN=CA, O=cbtlocal
// grant auto approves every enrolment request without operator review
Server(cs-server)#grant auto
Server(cs-server)#no shutdown
Server#show crypto pki server
Steps to enrol a router with the CA to obtain a digital certificate: create a trustpoint,
generate an RSA key and give it a name
R1(config)#crypto pki trustpoint Trusted-CA
R1(ca-trustpoint)#enrollment url http://5.5.5.5
R1(ca-trustpoint)#rsakeypair r1.cbtnuggets.com
R1(ca-trustpoint)#fqdn r1.cbtnuggets.com
R1(ca-trustpoint)#subject-name CN=r1,O=cbtnuggets.com
// revocation-check none skips CRL/OCSP lookups entirely
R1(ca-trustpoint)#revocation-check none
To get the public key of the CA (authenticating the CA):
R1(config)#crypto pki authenticate Trusted-CA
R1#show crypto pki trustpoints
R1#show crypto pki certificates
To enrol and obtain the digital certificate:
R1(config)#crypto pki enroll Trusted-CA
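The following is an added worked example, not configuration from the notes or from CBT Nuggets. It puts the CA-side procedure and the R1 enrolment procedure above into one place and tightens the settings a practitioner would not leave at lab defaults: a 2048-bit key instead of 1024, explicit certificate lifetimes and database level, a fingerprint check before trusting the CA certificate, and revocation-check crl on the client instead of revocation-check none. The CA name CA, its address 5.5.5.5, the key label VPN-KEYS and the trustpoint Trusted-CA come from the notes; the NTP arrangement, the 2048-bit modulus, the database and lifetime values are my assumptions, and the CRL check assumes R1 can reach the CRL distribution point the IOS CA embeds in the certificates it issues.

```cisco
! ===== CA router ("Server" in the notes), reachable at 5.5.5.5 =====
! Certificates carry validity dates, so the CA needs a believable clock.
clock timezone UTC 0
ntp master 5
!
! Assumed: 2048-bit key; 1024 (as in the notes) is below current minimums.
! "exportable" lets the CA key be backed up; drop it if the key must never leave the box.
crypto key generate rsa label VPN-KEYS modulus 2048 exportable
!
crypto pki trustpoint CA
 rsakeypair VPN-KEYS
 exit
!
! SCEP enrolment from clients arrives over HTTP.
ip http server
!
crypto pki server CA
 issuer-name CN=CA,O=cbtlocal
 ! Assumed: keep issued-certificate records (names) in NVRAM.
 database level names
 database url nvram:
 ! Assumed lifetimes: 1 year for identity certs, 5 years for the CA cert.
 lifetime certificate 365
 lifetime ca-certificate 1825
 ! grant auto approves every request; for production prefer manual approval
 ! with "crypto pki server CA info requests" and "crypto pki server CA grant <id>".
 grant auto
 ! "no shutdown" prompts for a passphrase that protects the CA private key.
 no shutdown
!
! Note the "CA cert fingerprint" line; R1 must be given it out-of-band.
show crypto pki server

! ===== R1, the enrolling router =====
ntp server 5.5.5.5
!
! Assumed: generate the key under the label the trustpoint refers to.
crypto key generate rsa label r1.cbtnuggets.com modulus 2048
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5
 rsakeypair r1.cbtnuggets.com
 fqdn r1.cbtnuggets.com
 subject-name CN=r1,O=cbtnuggets.com
 ! Check the CRL published by the CA instead of skipping revocation checks.
 revocation-check crl
 exit
!
! Fetches the CA certificate; IOS prints its fingerprint and asks whether to accept.
! Compare it with the fingerprint from "show crypto pki server" on the CA before answering yes.
crypto pki authenticate Trusted-CA
!
! Sends the certificate request via SCEP; prompts for an optional challenge password
! and whether to include the serial number / IP address in the subject.
crypto pki enroll Trusted-CA
!
! Both the CA certificate and R1's own certificate should now be listed.
show crypto pki trustpoints
show crypto pki certificates
```

The fingerprint comparison is the step that actually establishes trust: until R1 has confirmed that the certificate it downloaded over plain HTTP matches the fingerprint read from the CA itself, everything built on top of it (including the IKEv2 RSA-signature authentication in the next section) rests on an unverified key.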
RSA Signature IKEv2 Authentication
Create a certificate map
can match a few things, for example the issuer-name
Create an IKEv2 proposal
specify encryption, integrity and DH group
Create an IKEv2 policy
use the proposal created above
Create an IKEv2 profile
need to specify the authentication methods for local and remote; an identity or a match certificate statement
(optional: the virtual-template number must be specified here for DVTI)
specify the certificate authorities to trust (pki trustpoint)
Create an IPsec transform set
for example, esp-aes esp-sha-hmac
mode transport
Create an IPsec profile
set the transform set created earlier
set the IKEv2 profile created earlier
Create a tunnel interface or virtual template interface
Also run a routing protocol if necessary
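As an added worked example (my configuration, not the notes' or CBT Nuggets' own), here is the sequence above written out for R1 as a static IPsec VTI tunnel authenticated with RSA signatures; R2 mirrors it with its own addresses and certificate. The trustpoint Trusted-CA and the CA issuer CN=CA come from the notes. Everything else is assumed: R1 and R2 reach each other on GigabitEthernet0/0 at 10.0.0.1 and 10.0.0.2, the tunnel uses 172.16.0.0/30, R1's LAN is 192.168.1.0/24, EIGRP AS 100 carries routes across the tunnel, the object names are prefixed CBT-, and AES-256 / SHA-256 / DH group 14 are used rather than the esp-aes esp-sha-hmac of the notes.

```cisco
! --- Certificate map: accept peers whose certificate was issued by our CA ---
! The match is a case-insensitive substring test against the issuer DN.
crypto pki certificate map CBT-CERT-MAP 10
 issuer-name co cn = ca
!
! --- IKEv2 proposal: encryption, integrity and DH group (assumed values) ---
crypto ikev2 proposal CBT-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! --- IKEv2 policy that uses the proposal ---
crypto ikev2 policy CBT-POL
 proposal CBT-PROP
!
! --- IKEv2 profile: RSA signatures both ways, peers matched by certificate ---
crypto ikev2 profile CBT-PROF
 match certificate CBT-CERT-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 ! certificate authority to trust; the trustpoint enrolled in the previous section
 pki trustpoint Trusted-CA
 ! For a DVTI hub you would add "virtual-template 1" here and define
 ! "interface Virtual-Template1 type tunnel"; not needed for this static tunnel.
!
! --- IPsec transform set (assumed ciphers), transport mode as in the notes ---
crypto ipsec transform-set CBT-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- IPsec profile ties the transform set to the IKEv2 profile ---
crypto ipsec profile CBT-IPSEC
 set transform-set CBT-TS
 set ikev2-profile CBT-PROF
!
! --- Static VTI tunnel to R2 (assumed addressing) ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CBT-IPSEC
!
! --- Routing over the tunnel (assumed EIGRP AS 100) ---
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 192.168.1.0
!
! Verification: the IKEv2 SA should show "Auth sign: RSA" / "Auth verify: RSA",
! and the IPsec SA should show packets being encrypted and decrypted.
show crypto ikev2 sa detailed
show crypto ipsec sa
```

Because the profile matches on the certificate map rather than on a peer address, any router holding a valid certificate from this CA can bring up an SA; that is what makes the CA's issuance policy (manual grant versus grant auto) and revocation checking part of the VPN's security boundary, not just PKI housekeeping.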
Configuration Files