PKI

Public Key Infrastructure manages the certificates that support the IPSec protocol. This includes:

- RSA key generation.
- Importing Certificate Authorities.
- PKCS#10 Certificate Signing Requests (CSR).

Note

All PKI actions are permanent jobs: they do not appear in the running config, but they are preserved across router reboots.

Note

Currently, no certificate revocation method is supported.

Key Generation

A private/public key pair is used for issuing certificate requests or in other protocols.

crypto key generate rsa label NAME modulus (2048|4096)

Generate a new RSA key pair and store it as NAME. The key modulus can be specified (default is 2048).

crypto key generate x25519 label LABEL

Generate a new X25519 key pair and store it as LABEL.

crypto key generate raw label LABEL bytes (32-1024)

Generate raw bytes and store them as LABEL. The number of generated bytes can be specified (default is 32).

crypto key generate ssh modulus (2048|4096)

Generate a new RSA key pair to be used by SSH.

Importing a CA

To import a CA, first define a trustpoint. A trustpoint is a CA (and optionally a general-purpose certificate signed by that CA). After defining the trustpoint, it must be authenticated to import the CA certificate. This certificate may be self-signed, and the input is the SSH terminal (the SoodarOS administrator copies and pastes the certificate).

Note

All inputs and outputs (certificates, CSRs, etc.) are in PEM format.

crypto pki trustpoint NAME

Create a new trustpoint.

crypto pki authenticate TP

Authenticate the trustpoint TP and write its CA to non-volatile memory.

Example:

n1(config)# crypto pki trustpoint root-ca
n1(config)# crypto pki authenticate root-ca
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

n1# show crypto pki certificate root-ca
Trustpoint: root-ca
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, not valid yet (valid in 58 seconds)
             not after  Jan 20 15:12:34 2024, ok (expires in 1095 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

Generate a certificate and CSR

Users can request a certificate signing and import the signed certificate. To do this, a trustpoint needs these parameters set:

1. The certificate's subject name (SN), and optionally some SANs.
2. An RSA key pair to create and sign the CSR.
3. An enrollment method. Currently, only the SSH terminal (copy and paste) method is available, so setting it can be skipped.

After setting up the trustpoint and authenticating it, generate a CSR. If terminal enrollment is used, the PKCS#10 CSR is printed on the screen; the SoodarOS administrator copies it and has it signed by a CA. The trustpoint must already be authenticated before the signed certificate can be imported.

subject-name LINE...

Set the certificate's subject name (SN).

subject-alt-name LINE

Set a certificate SAN.

Note

Enter the command multiple times to set multiple SANs. Up to 100 SANs are supported.

no subject-alt-name LINE

Remove a SAN from the trustpoint.

rsakeypair KEY

Use the previously generated key pair KEY to sign the CSR.

enrollment terminal pem

Enroll via the terminal (copy and paste), including PEM encapsulation boundaries.

crypto pki enroll TP

Generate a Certificate Signing Request for trustpoint TP. If terminal enrollment is used, the PKCS#10 CSR is printed on the screen.

crypto pki import TP certificate

Import the trustpoint TP’s general-purpose certificate and write it to non-volatile memory.

Note

The imported general-purpose certificate must be signed by the same CA the trustpoint was authenticated with; otherwise the import fails.

Example:

n1(config)# crypto key generate rsa label mycert-key modulus 2048
n1# show crypto key mycert-key
Keypair Label: mycert-key
  Algorithm:   RSA
  Modulus:     2048 bits
  Subject key: fcc893035eda7e736d0a612bad1d000612c87724
  Key ID:      E5611192FEAD3FDFA877A0BAC5F336480A8C2D97
n1(config)# crypto pki trustpoint mycert
n1(ca-trustpoint)# subject-name C=IR, O=My Org, CN=my.org
n1(ca-trustpoint)# subject-alt-name other.my.org
n1(ca-trustpoint)# subject-alt-name other2.my.com
n1(ca-trustpoint)# rsakeypair mycert-key
n1(config)# crypto pki authenticate mycert
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIIM7DVFqEvgxgwDQYJKoZIhvcNAQELBQAwOjELMAkGA1UE
BhMCQ0gxEzARBgNVBAoTCnN0cm9uZ1N3YW4xFjAUBgNVBAMTDXN0cm9uZ1N3YW4g
Q0EwHhcNMjAxMTExMDk1OTEzWhcNMjMxMTExMDk1OTEzWjA6MQswCQYDVQQGEwJD
SDETMBEGA1UEChMKc3Ryb25nU3dhbjEWMBQGA1UEAxMNc3Ryb25nU3dhbiBDQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANjhd9ZFsCS4O3TcnXWFy/cr
wXnVCxev6g5XecHG0A+jaOS6MyJowjJU/CY5S8/LWKIBlKFhdswDT0LaPodnKw8e
RVGwAfQSYb8OymUeHByzxxfhqcCjYu0qWdb2Tf9yVadkt//qW5n2F78j3prFlZ4o
pbG1sLhACY+729iJxB7dg5DKXxECBzSiMo2dScZpQKuADiev4g7TmEH0u3MUa9zU
CzIhoqjzEJ1wF4YC7Y6BZxQU4c04RZGctaOmKRUT0NfVGbqseJHsJVZSCDFud/ls
48tDmQ08GULFNFlFAeGWcUnLle2sorsB+zjfQrJQJBtE/RuoKZ3ODK+ZwGH8wHEC
AwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O
BBYEFNET3aeJu4082kUYI8TpeBK4w61sMA0GCSqGSIb3DQEBCwUAA4IBAQCB2ciJ
D197+CIwL/DveAJf7Bt0cMD2lPwY4hsHUyHridX2B/t6EMOOujWPouSeBYjLBz7s
akHwh3G9Yx4wlS+k+du5AbkQHMnYigeO4rul+tCg7FzouxFtKEcD6T707DnSEkP+
iA9mLeKxCK3P4vGY2H9x6McqZ1aM55xmdEbvD3QhUMLePBk4aMVKyOr4yWRQgUPB
oBqRVSEvthOyXEWtPkqxY72O/5IQmHDSncBP/D+wiC2wQsYQZhmDoN6d74OqkcBr
HMWDCUM1b8RfVBTeIKvkvQ14BgwPveO99E+P6rrNhdxRA8BwmnNyMvrd81Z1FDU/
J+XkIuPRfz33vO00
-----END CERTIFICATE-----
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

n1(ca-trustpoint)# enrollment terminal pem
n1(config)# crypto pki enroll mycert
-----BEGIN CERTIFICATE REQUEST-----
MIICrTCCAZUCAQAwLzELMAkGA1UEBhMCSVIxDzANBgNVBAoTBk15IE9yZzEPMA0G
A1UEAxMGbXkub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtvWm
Xi+CtKrJndPw09hPOnTO8DSDIJqi3GdcNDVRcdKb/FB+/C++Vyb2vOLNICxCmRJH
RnoZKPnWqRHWyHeVCNr+Da+bFYHXd4LyaZtCzEoUrmULMyBWGmbUfUlfFpOCa4yq
28qV1BjYXEm93X56XIaT/WpqXELihJC2nnBPxhkLHA80fLmQPZdOzytrjeJt1Rvn
I/PpI+OzEN9/pUvGLv29wfzUN2T9WGdIY/SJuyafQ2972juRA2OTTSsMSOxM4fuj
Mk116RixYvHCd454gehPKOqMUHbXKZ7tQXPaDFtiQIgNqBMz4AlT40Wn3GsODV8Y
AtJ9UOvhmMW1iTHC2wIDAQABoDkwNwYJKoZIhvcNAQkOMSowKDAmBgNVHREEHzAd
ggxvdGhlci5teS5vcmeCDW90aGVyMi5teS5jb20wDQYJKoZIhvcNAQELBQADggEB
AKwvB+bPTMpU2t3HE6CA0mLA9ufc9EqWx2YCTyddTJ8Qp7xhdXywzB64R5Um/mqy
x7lMEyS69pZzTMivm28piIEplSdjKSiHmRpVZsXGWvhpz1alqA6h5IaWlm9s3Bga
YKBmaC0uEsuhXnAxFBPtbwWSaGN0uD5kKTkwZXMxKv4gVkTbrdZfZ2uJR2CiZu1q
yb7u47MeZF4xfcnvFZCuUjlLmpFXMLXjYuNywJP6U/i1DpSG07mDYcnEfS9Ku/o/
gdNBahSspRtBVOx4QtnN4bGZ0MDEn5cEBuWcN4dNbE30dn70NKaNe1DhdKQ/lUxQ
qyIP+5tc2i8GoJsL9wyWJIo=
-----END CERTIFICATE REQUEST-----

n1(config)# crypto pki import mycert certificate
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Installed successfully

n1# show crypto pki certificate mycert
Trustpoint: n1Cert
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, ok
             not after  Jan 20 15:12:34 2024, ok (expires in 1094 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

General Purpose Certificate:
  subject:  "C=IR, O=My Org, CN=my.org"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:18:36 2021, ok
             not after  Jan 20 15:18:36 2024, ok (expires in 1094 days)
  serial:    56:6c:91:21:57:cf:b0:aa
  altNames:  other.my.org, other2.my.com
  flags:
  authkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  subjkeyId: fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  pubkey:    RSA 2048 bits
  keyid:     e5:61:11:92:fe:ad:3f:df:a8:77:a0:ba:c5:f3:36:48:0a:8c:2d:97
  subjkey:   fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  Keypair:   mycert-key
  Fingerprint: D51636591648DBDE21FEEFA4C6DF4B38A96502B5
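The CSR printed by crypto pki enroll leaves the device as pasted text, so whoever operates the CA should check it before signing. The following Python script is an added example (standard library only, not SoodarOS code): it decodes the PKCS#10 request from the example above with a minimal DER reader, extracts the subject, the SANs carried in the extensionRequest attribute and the RSA public key, verifies the request's own signature (proof that the requester holds the private key), and compares the contents with the subject-name and subject-alt-name values configured on the trustpoint. The OIDs are the standard X.509/PKCS ones; the expected subject and SANs are the ones set on the mycert trustpoint above.

```python
import base64
import hashlib
import re

# PKCS#10 request printed by "crypto pki enroll mycert" above (copied from this page).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICrTCCAZUCAQAwLzELMAkGA1UEBhMCSVIxDzANBgNVBAoTBk15IE9yZzEPMA0G
A1UEAxMGbXkub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtvWm
Xi+CtKrJndPw09hPOnTO8DSDIJqi3GdcNDVRcdKb/FB+/C++Vyb2vOLNICxCmRJH
RnoZKPnWqRHWyHeVCNr+Da+bFYHXd4LyaZtCzEoUrmULMyBWGmbUfUlfFpOCa4yq
28qV1BjYXEm93X56XIaT/WpqXELihJC2nnBPxhkLHA80fLmQPZdOzytrjeJt1Rvn
I/PpI+OzEN9/pUvGLv29wfzUN2T9WGdIY/SJuyafQ2972juRA2OTTSsMSOxM4fuj
Mk116RixYvHCd454gehPKOqMUHbXKZ7tQXPaDFtiQIgNqBMz4AlT40Wn3GsODV8Y
AtJ9UOvhmMW1iTHC2wIDAQABoDkwNwYJKoZIhvcNAQkOMSowKDAmBgNVHREEHzAd
ggxvdGhlci5teS5vcmeCDW90aGVyMi5teS5jb20wDQYJKoZIhvcNAQELBQADggEB
AKwvB+bPTMpU2t3HE6CA0mLA9ufc9EqWx2YCTyddTJ8Qp7xhdXywzB64R5Um/mqy
x7lMEyS69pZzTMivm28piIEplSdjKSiHmRpVZsXGWvhpz1alqA6h5IaWlm9s3Bga
YKBmaC0uEsuhXnAxFBPtbwWSaGN0uD5kKTkwZXMxKv4gVkTbrdZfZ2uJR2CiZu1q
yb7u47MeZF4xfcnvFZCuUjlLmpFXMLXjYuNywJP6U/i1DpSG07mDYcnEfS9Ku/o/
gdNBahSspRtBVOx4QtnN4bGZ0MDEn5cEBuWcN4dNbE30dn70NKaNe1DhdKQ/lUxQ
qyIP+5tc2i8GoJsL9wyWJIo=
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN", "2.5.4.11": "OU"}
OID_EXT_REQ = "1.2.840.113549.1.9.14"    # pkcs-9 extensionRequest attribute
OID_SAN = "2.5.29.17"                    # subjectAltName extension
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def der_read(buf, pos=0):
    # One TLV: returns (tag, contents, whole encoding, offset after it).
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def der_children(contents):
    out, pos = [], 0
    while pos < len(contents):
        tag, val, raw, pos = der_read(contents, pos)
        out.append((tag, val, raw))
    return out

def decode_oid(b):
    parts, acc = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def parse_csr(pem):
    _, body, _, _ = der_read(pem_to_der(pem))
    (_, info, info_raw), (_, sig_alg, _), (_, sig_bits, _) = der_children(body)
    fields = der_children(info)  # version, subject, SubjectPublicKeyInfo, [0] attributes
    rdns = []
    for _, rdn, _ in der_children(fields[1][1]):
        for _, atv, _ in der_children(rdn):
            (_, oid, _), (_, val, _) = der_children(atv)
            name = decode_oid(oid)
            rdns.append(f"{OID_NAMES.get(name, name)}={val.decode()}")
    _, bits = der_children(fields[2][1])  # AlgorithmIdentifier, BIT STRING
    _, rsa_key, _, _ = der_read(bits[1][1:])  # drop the unused-bits byte -> RSAPublicKey
    (_, n, _), (_, e, _) = der_children(rsa_key)
    sans = []
    for _, attr, _ in der_children(fields[3][1] if len(fields) > 3 else b""):
        (_, a_oid, _), (_, a_set, _) = der_children(attr)
        if decode_oid(a_oid) != OID_EXT_REQ:
            continue
        for _, ext, _ in der_children(der_children(a_set)[0][1]):
            ext_fields = der_children(ext)  # extnID, [critical], extnValue
            if decode_oid(ext_fields[0][1]) == OID_SAN:
                _, names, _, _ = der_read(ext_fields[-1][1])  # OCTET STRING -> GeneralNames
                sans += [v.decode() for t, v, _ in der_children(names) if t == 0x82]
    return {"subject": ", ".join(rdns), "sans": sans, "tbs": info_raw,
            "n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big"),
            "sig_alg": decode_oid(der_children(sig_alg)[0][1]), "signature": sig_bits[1:]}

def verify_pop(csr):
    # Proof of possession: RSASSA-PKCS1-v1_5 / SHA-256 check of the CSR's self-signature.
    if csr["sig_alg"] != OID_SHA256_RSA:
        raise ValueError("unsupported signature algorithm " + csr["sig_alg"])
    k = (csr["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(csr["signature"], "big"), csr["e"], csr["n"]).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(csr["tbs"]).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def review_csr(pem, expected_subject, expected_sans):
    # What the CA operator checks before signing; returns the problems found (empty list = OK).
    csr, problems = parse_csr(pem), []
    if csr["subject"] != expected_subject:
        problems.append(f"subject {csr['subject']!r} differs from the configured subject-name")
    if sorted(csr["sans"]) != sorted(expected_sans):
        problems.append(f"SANs {csr['sans']} differ from the configured subject-alt-name list")
    if not verify_pop(csr):
        problems.append("signature does not verify: requester may not hold the private key")
    return problems
```

review_csr(CSR_PEM, "C=IR, O=My Org, CN=my.org", ["other.my.org", "other2.my.com"]) returns an empty list for the request above; any name the router did not ask for, or a request whose signature does not match its embedded key, shows up as a problem before the CA signs anything. The same parser serves for a certificate's PEM, since X.509 uses the same DER building blocks.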

Self-signed Trustpoints

Self-signed certificates can be generated by the SoodarOS PKI system. Set the enrollment method of the trustpoint to selfsigned, and you are good to go. A self-signed certificate can't be imported or authenticated; enrolling the trustpoint generates the certificate.

Example:

n1(config)# crypto key generate rsa label self-signed-key
n1(config)# crypto pki trustpoint self-signed-tp
n1(ca-trustpoint)# enrollment selfsigned
n1(ca-trustpoint)# rsakeypair self-signed-key
n1(ca-trustpoint)# subject-name C=IR, O=Independent Ltd., CN=self.indie.com
n1(config)# crypto pki enroll self-signed-tp
n1# show crypto pki certificate self-signed-tp
Trustpoint: self-signed-tp
CA:
  subject:  "C=IR, O=Independent Ltd., CN=self.indie.com"
  issuer:   "C=IR, O=Independent Ltd., CN=self.indie.com"
  validity:  not before Jan 20 15:45:09 2021, ok
             not after  Jan 20 15:45:09 2024, ok (expires in 1094 days)
  serial:    15:9a:3b:16:34:f9:79:49
  flags:     CA CRLSign self-signed
  subjkeyId: 33:74:e2:a1:5e:d1:49:bf:c7:bf:f7:23:4c:c6:53:a0:07:56:24:09
  pubkey:    RSA 2048 bits
  keyid:     bd:12:cd:f2:1a:b7:d2:27:82:26:db:51:01:d2:60:0d:48:24:bf:3d
  subjkey:   33:74:e2:a1:5e:d1:49:bf:c7:bf:f7:23:4c:c6:53:a0:07:56:24:09
  Fingerprint: 89177619D312F1AEFAC0A5C8B9DE5E0196B56F16

Removing a private key

The admin can remove unused private keys. Removal is done securely by shredding and zeroing the key file.

crypto key zeroize RSAKEY

Shred a key pair.

Note

Removing a key makes the trustpoints that use it invalid. It is the admin's duty to handle this: remove only unused keys, or first remove all certificates that depend on the key.

Removing a trustpoint

The admin can remove a trustpoint. This removes the CA and the general-purpose certificate (if present) and updates the system CA database.

no crypto pki trustpoint TPNAME

Viewing installed Certificates and keys

After installing a certificate, it can be viewed with a show command.

show crypto pki certificate [CA]

Show the certificates available on the device. If a CA name is not provided, all certificates on the system are shown.

Example:

n1# show crypto pki certificate mycert
Trustpoint: n1Cert
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, ok
             not after  Jan 20 15:12:34 2024, ok (expires in 1094 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

General Purpose Certificate:
  subject:  "C=IR, O=My Org, CN=my.org"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:18:36 2021, ok
             not after  Jan 20 15:18:36 2024, ok (expires in 1094 days)
  serial:    56:6c:91:21:57:cf:b0:aa
  altNames:  other.my.org, other2.my.com
  flags:
  authkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  subjkeyId: fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  pubkey:    RSA 2048 bits
  keyid:     e5:61:11:92:fe:ad:3f:df:a8:77:a0:ba:c5:f3:36:48:0a:8c:2d:97
  subjkey:   fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  Keypair:   mycert-key
  Fingerprint: D51636591648DBDE21FEEFA4C6DF4B38A96502B5
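Because there is no certificate revocation and trustpoint state is not in the running config, the show output is the place to audit a trustpoint: the general-purpose certificate must chain to the authenticated CA (the issuer should equal the CA's subject and its authkeyId the CA's subjkeyId, which is the condition the import step enforces), and both certificates should be inside their validity window with enough time left to renew. The following Python script is an added example, not SoodarOS code: it parses the show crypto pki certificate output format shown on this page and reports such findings. The sample output is constructed from the example above, and the 30-day warning threshold and 2048-bit minimum are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the "show crypto pki certificate mycert" output shown on this page.
SHOW_OUTPUT = """Trustpoint: mycert
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, ok
             not after  Jan 20 15:12:34 2024, ok (expires in 1094 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

General Purpose Certificate:
  subject:  "C=IR, O=My Org, CN=my.org"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:18:36 2021, ok
             not after  Jan 20 15:18:36 2024, ok (expires in 1094 days)
  serial:    56:6c:91:21:57:cf:b0:aa
  altNames:  other.my.org, other2.my.com
  flags:
  authkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  subjkeyId: fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  pubkey:    RSA 2048 bits
  keyid:     e5:61:11:92:fe:ad:3f:df:a8:77:a0:ba:c5:f3:36:48:0a:8c:2d:97
  subjkey:   fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  Keypair:   mycert-key
  Fingerprint: D51636591648DBDE21FEEFA4C6DF4B38A96502B5
"""

VALIDITY_RE = re.compile(r"not (before|after)\s+(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")

def show_time(s):
    """Parse a timestamp in the format the show output uses, e.g. 'Jan 20 15:12:34 2024'."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y")

def parse_show_certificate(text):
    """Return {"CA": {...}, "General Purpose Certificate": {...}}, one dict per certificate."""
    certs, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(CA|General Purpose Certificate):\s*$", line)
        if head:
            cur = certs.setdefault(head.group(1), {})
            continue
        if cur is None:
            continue
        m = VALIDITY_RE.search(line)  # "validity: not before ..." and its "not after" line
        if m:
            cur["not_" + m.group(1)] = show_time(m.group(2))
            continue
        m = re.match(r"^\s+(\w+):\s*(.*)$", line)
        if m:
            cur[m.group(1)] = m.group(2).strip().strip('"')
    return certs

def audit_trustpoint(text, now, warn_days=30, min_bits=2048):
    """Findings for one trustpoint's show output; an empty list means it passed."""
    certs = parse_show_certificate(text)
    ca, gp = certs.get("CA"), certs.get("General Purpose Certificate")
    if ca is None:
        return ["no CA certificate: the trustpoint has not been authenticated"]
    findings = []
    if "CA" not in ca.get("flags", "").split():
        findings.append("CA certificate does not carry the CA flag")
    for name, cert in certs.items():
        if now < cert["not_before"]:
            findings.append(f"{name}: not valid yet")
        days_left = (cert["not_after"] - now).days
        if days_left < 0:
            findings.append(f"{name}: expired {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"{name}: expires in {days_left} days")
        bits = int(re.search(r"(\d+) bits", cert.get("pubkey", "0 bits")).group(1))
        if bits < min_bits:
            findings.append(f"{name}: {bits}-bit key is below the {min_bits}-bit minimum")
    if gp is not None:
        if gp.get("issuer") != ca.get("subject"):
            findings.append("general-purpose certificate issuer does not match the CA subject")
        if gp.get("authkeyId") != ca.get("subjkeyId"):
            findings.append("general-purpose certificate authkeyId does not match the CA subjkeyId")
    return findings
```

Run against the sample with now set to the day after the example was taken, audit_trustpoint returns an empty list; the same output evaluated on Jan 1 2024 reports that both certificates expire in 19 days, which is the signal to generate a new CSR and import a fresh certificate before the old one lapses.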

show crypto key [[KEY] [json]] [ssh]

Show key information. If a key name is not provided, all keys on the system are shown. Output can be in JSON (except for SSH keys).

Example:

n1# show crypto key mycert-key-rsa
Keypair Label: mycert-key-rsa
  Algorithm:   RSA
  Modulus:     2048 bits
  Subject key: FCC893035EDA7E736D0A612BAD1D000612C87724
  Key ID:      E5611192FEAD3FDFA877A0BAC5F336480A8C2D97
n1# show crypto key x25519-key
Keypair Label: x25519-key
  Algorithm:   X25519
  Public key:  DEE5089576AD02780EFEF6908034E6BD471C2C6DF7FE68FC77F12C5DFCDB9D59
  Public key base64:  3uUIlXatAngO/vaQgDTmvUccLG33/mj8d/EsXfzbnVk=
n1# show crypto key raw-key
Keypair Label: raw-key
  Algorithm:   Raw
  Length:      256 bits
n1# show crypto key json
{
  "keys":[
    {
      "label":"mycert-key-rsa",
      "algorithm":"RSA",
      "modulus":2048,
      "subject_key":"FCC893035EDA7E736D0A612BAD1D000612C87724",
      "key_id":"E5611192FEAD3FDFA877A0BAC5F336480A8C2D97"
    },
    {
      "label":"x25519-key",
      "algorithm":"X25519",
      "public_key":"DEE5089576AD02780EFEF6908034E6BD471C2C6DF7FE68FC77F12C5DFCDB9D59"
    },
    {
      "label":"raw-key",
      "algorithm":"RAW",
      "length":256
    }
  ]
}