Configuring Cisco Router as a CA server can actually save you some money

To better understand the content I have configured and tested CA server in LAN environment.

Cisco Router as a CA server

There are two ways for authenticating VPN , people generally use Pre-shared key as discussed in my previous post with S2S VPN tunnel, the other way around is using Certificates given by a Certificate Authority. We can although mix and match both Pre-shared key and Certificate that will add extra layer of security inside our VPN infrastructure. For certificates we can either use internal CA or we can use domain hosting like and others as trusted CA server. For our lab we will use cisco router R1 as CA server and ASA1 to trust and install certificate from CA server and Windows XP machine running clientless VPN will use certificates instead of Pre-shared key for authentication. Lets start configuring and testing.

Configuration of R1 as CA server:-

Configuration of R1 as CA server:-

  • Before starting configuration we need to make sure that all devices in the lab is properly synchronized and valid to NTP server. See my previous post here for NTP server related configuration on cisco devices and Windows Box.
  • The first step is to generate the RSA key pair that the Cisco IOS CA server uses. On the router (R1), generate the RSA keys as below:-

R1(config)#crypto key generate rsa general-keys label afroz1 ?
exportable  Allow the key to be exported
modulus     Provide number of modulus bits on the command line
on          create key on specified device.
storage     Store key on specified device
R1(config)#crypto key generate rsa general-keys label afroz1 exportable
The name for the keys will be: afroz1
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be exportable…[OK]

Feb 10 16:36:05.414: %SSH-5-ENABLED: SSH 1.99 has been enabled

Note: We must use the same name for the key pair (key-label) that we plan to use for the certificate server.

  • Export the keys to non-volatile RAM (NVRAM) or TFTP (based on our configuration). In this example, NVRAM is used.

R1(config)#crypto key export rsa afroz1 pem url nvram: 3des afroz123
% Key name: afroz1
Usage: General Purpose Key
Exporting public key…
Destination filename []?
Writing file to
Exporting private key…
Destination filename [afroz1.prv]?
Writing file to nvram:afroz1.prv

  • Verify the keys.

R1#sh crypto key mypubkey rsa
% Key pair was generated at: 22:06:05 UTC Feb 10 2013
Key name: afroz1
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C7E38F
0D4F5BA7 A5FC5148 CB2D3F90 16F18D87 B84EEF18 04FA85F3 63B3C646 9A409001
6E618B0B 36E02D4A 1558D5AD 93269515 B52C55C6 3366D75E 8E30B8F1 25704857
9647F78F 7BEF64F5 F4FFB305 67B45656 A783E629 E3890B7B E7DF40F0 C1BB2480
61F0AD2F 726B5FE8 E4B37AB7 D855D77B 84D10956 22DCC9B6 1218A30D 4D020301 0001
% Key pair was generated at: 22:06:06 UTC Feb 10 2013
Key name: afroz1.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A5D2D7 B111742C
50598BBE 222E0E2C E05F1D01 CD159987 6E24942A E362E209 7BC4AEF3 3C53A5ED
AF88F144 717B3D6F 56F0261F 014002DF EE5172A3 9E946FA0 26D78F8D 4C34B4CF
A7F3ABCA FEDE0E3B 41A71B82 5506C413 2274D1F3 89D368F9 AD020301 0001

  • Enable the http server on the router so that client can enroll.

R1(config)#ip http server

  • Enable and Configure the CA Server on the Router, This is where the certificate will be generated for the CA Server.  This certificate will be used at the client trustpoints to verify that the local certificates were signed by a trusted authority.

R1(config)#crypto pki server afroz1
R1(cs-server)#database url nvr
R1(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
R1(cs-server)#database level minimum
R1(cs-server)#issuer-name L=DELHI C=IN
R1(cs-server)#lifetime ca-certificate 365
R1(cs-server)#lifetime cer
R1(cs-server)#lifetime certificate 200
R1(cs-server)#lifetime crl 24
R1(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: afroz123

Re-enter password: afroz123
% Exporting Certificate Server signing certificate and keys…

% Certificate Server enabled.
Feb 10 16:50:27.181: %PKI-6-CS_ENABLED: Certificate server now enabled.

  • Our CA Server is ready and open for business!
  • Configure and Enroll the ASA1 to the Certificate Server R1

ASA1(config)# domain-name
ASA1(config)# crypto key generate rsa general-keys modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait…

  • Rest of the configuration we will do with the help of ASDM interface. Lets start with our ASDM SSL VPN Wizard for Clientless VPN.
  • Click Next and fill in the details and on the Certificate Tab click “Manage” for certificate configuration.
  • After clicking Manage Tab click on ADD to add the certificate from CA server. Add the values as we have configured on R1 as CA server.
  • Mention Key pair with “afroz1” and certificate Subject DN as “C=IN, L=DELHI”. Click on Generate self-signed certificate and click ADD certificate. If everything was mentioned correct as configured on our CA server the certificate will be added successfully.
  • Create a connection group alias and click on next.
  • On next screen User authentication select local database and add username and password of your choice and click add and then next.
  • On next screen create a new group policy and click on next.
  • Click on Manage for Bookmarks, if you want any. Review the configuration and click on Finish to end the setup.
  •  The last thing to allow WebVPN connection on outside interface by following.