[Openswan Users] CA server issue with cisco

Ming-Ching Tiew mctiew at yahoo.com
Tue May 20 18:56:50 EDT 2008

--- On Tue, 5/20/08, Paul Wouters <paul at xelerance.com> wrote:

> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] CA server issue with cisco
> To: "Ming-Ching Tiew" <mctiew at yahoo.com>
> Cc: users at openswan.org
> Date: Tuesday, May 20, 2008, 7:23 PM
> On Tue, 20 May 2008, Ming-Ching Tiew wrote:
> > > Is it using OCSP? There is support for that.
> > >
> >
> > Thanks for the information. I did some checking on OCSP. It seems that
> > OCSP has more to do with certificate status, while what I have seen
> > here is more of a certificate management thing, but performed over http.
> >
> > On checking, I found something on SCEP and an implementation called
> > OpenSCEP. I will verify to see if OpenSCEP will meet this (because the
> > doc I have on the Cisco IPSEC does not specifically mention the word
> > SCEP, it just says ca enrolment using http).
> They might mean just a CRL based on a CRL certificate
> attribute pointing to a http server serving the crl.
> See crlcheckinterval= and strictcrl= options in ipsec.conf.

I am pretty sure they are not referring to CRL at all and it's to do with certificate management (or certificate enrollment, to use their terminology). Their doc has something like this:

In this output, the Cisco enrollment protocol uses HTTP in order to talk to the CA. The dt3-45a(ca-identity)#enrollment url http://ciscoca-ultra command tells the router to go to the specified URL in order to interact with the CA. The dt3-45a(ca-identity)#crypto ca authenticate verisign-ca command instructs the router to fetch the certificate of the CA. Before you can enroll in the CA, you need to make sure you talk to the real CA. Verify the certificate of the CA with the CA administrator in order to ensure authenticity.

    dt3-45a(ca-identity)#enrollment url http://ciscoca-ultra
    dt3-45a(ca-identity)#crypto ca authenticate verisign-ca

Enroll Certificates for the Client Router

Issue the crypto ca enroll verisign-ca command in order to begin enrollment with the CA. There are several steps to this. First, you have to verify the identity of the CA, then the CA has to verify the identity of the router. If you ever need to revoke your certificate before it expires, if you renumber the interfaces of your router or if you believe that your certificate is compromised, you need to provide a password to the CA administrator. Enter that, as is illustrated in this output. After you enter your password, the router continues.

    dt3-45a(config)#crypto ca enroll verisign-ca
    %Start certificate enrollment ..
    %Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
    Re-enter password:

The way I see it, they dictate the mechanism used to get the cert req to the CA and get it signed.
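The "crypto ca authenticate" step above fetches the CA certificate over plain HTTP, so the only thing that makes it trustworthy is the out-of-band check with the CA administrator. The following is an added example, not code from the thread, Cisco or Openswan: it assumes the fetched certificate is available as PEM and that the administrator communicates a SHA-1 or SHA-256 fingerprint by phone or in person, and it shows the comparison an operator would perform before proceeding to "crypto ca enroll". The embedded PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a tiny DER blob standing in for a fetched CA certificate.
# It is not a real certificate; the fingerprint logic does not depend on its contents.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in fetched data")
    body = "".join(m.group(1).split())  # drop line breaks and stray whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint in the colon-separated upper-case hex form most CA tools print."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so an operator-typed value compares reliably."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def ca_cert_matches(pem: str, expected_fp: str) -> bool:
    """True only if the fetched cert's fingerprint equals the out-of-band value.

    The digest is picked from the expected value's length (SHA-1 = 40 hex digits,
    SHA-256 = 64), so a value read out in either form works. The comparison is
    constant-time; on a mismatch the enrollment must not proceed.
    """
    want = normalize(expected_fp)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected fingerprint is neither SHA-1 nor SHA-256 length")
    return hmac.compare_digest(normalize(fingerprint(pem, algo)), want)


if __name__ == "__main__":
    print("fetched CA cert SHA-256:", fingerprint(SAMPLE_CA_PEM))
```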
