Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.

Published byJasmine Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates."— Presentation transcript:

1 © 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates

2 © 2006 Cisco Systems, Inc. All rights reserved. Lesson 5.1 Configure CA Support on a Cisco Router Module 5 – Configure Site-to-Site VPNs Using Digital Certificates

3 © 2006 Cisco Systems, Inc. All rights reserved.

4

5

6

7

8

9

10

11

12

13

14

15

16

17 (Optional) Manage NVRAM Memory Usage Types of certificates stored on a router: The identity certificate of the router The root certificate of the CA Root certificates obtained from CA servers Two RA certificates, these are CA vendor-specific The number of CRLs stored on a router: One, if the CA does not support an RA Multiple, if the CA supports an RA Turn on query mode by using crypto ca certificate query

18 © 2006 Cisco Systems, Inc. All rights reserved. The clock must be accurately set before generating RSA key pairs and enrolling with the CA server because certificates are time-sensitive

19 © 2006 Cisco Systems, Inc. All rights reserved. Router assigns a fully qualified domain name to the keys and certificates, FQDN is based on the host name and IP domain name assigned.

20 © 2006 Cisco Systems, Inc. All rights reserved.

21 RSA key pairs are used to sign and encrypt IKE key management messages and are required before obtaining a certificate for the router.

22 © 2006 Cisco Systems, Inc. All rights reserved. Generating RSA Keys  Two mutually exclusive types of RSA key pairs  Special-usage Keys Two pairs of RSA keys are created. One for RSA signatures, and the other for RSA encrypted nonces as the authentication method.  Each key is not unnecessarily exposed  General-purpose Keys One pair of RSA keys is created. Used with IKE policies specifying either RSA signatures or RSA encrypted nonces.  A longer modulus could offer stronger security, but takes longer to generate and also takes longer to use.  Cisco recommends using a minimum modulus of 1024.

23 © 2006 Cisco Systems, Inc. All rights reserved.

24 Command will allow the router to re-enroll to the CA server automatically when its certificates expire

25 © 2006 Cisco Systems, Inc. All rights reserved.

26

27 Authenticate CA  The router needs to authenticate the CA to verify that it is valid.  Done by obtaining the self-signed certificate of the CA Contains the public key of the CA.  Because the CA certificate is self-signed the public key of the CA should be manually authenticated. Done by contacting the CA administrator to verify the fingerprint of the CA certificate.  To get the public key of the CA, use the crypto pki authenticatename command  Use the same name that was used when declaring the CA with the crypto pki trustpoint command.

28 © 2006 Cisco Systems, Inc. All rights reserved.

29 Request a certificate for the router  A signed certificate must be obtained from the CA for each RSA key pair on the router. crypto pki enroll name  During the enrollment process, a challenge password is created. Can be used by the CA administrator to validate the identity of the individual that is requesting the certificate.  If a certificate for the keys already exists, the administrator is prompted to remove the existing certificate first. no certificate command.

30 © 2006 Cisco Systems, Inc. All rights reserved.

31 Monitor and Maintain CA Interoperability (Optional)  The following steps are optional, depending on the particular requirements: Request a CRL Query a CRL Delete RSA Keys from the router Delete peer public keys Delete certificates from the configuration View keys and certificates

32 © 2006 Cisco Systems, Inc. All rights reserved. Request a Certificate Revocation List  When the router receives a certificate from a peer, the router will download a CRL from the CA.  Router then checks the CRL to make sure the certificate that the peer sent has not been revoked.  If the certificate appears on the CRL, the router will not accept the certificate and will not authenticate the peer.  A CRL can be reused with subsequent certificates until the CRL expires if query mode is off.  To request immediate download of the latest CRL, use the crypto pki crl request name

33 © 2006 Cisco Systems, Inc. All rights reserved. Delete RSA Keys from the Router  If the RSA keys are believed to be compromised  crypto key zeroize rsa  After the RSA keys are deleted, the CA administrator should be asked to revoke certificates for the router at the CA.  It will be necessary to supply the challenge password created when the certificated were obtained with the crypto pki enroll command.  The certificates should also be manually removed from the router configuration.

34 © 2006 Cisco Systems, Inc. All rights reserved. Delete Certificates from the Configuration  The router saves its own certificates, the certificate of the CA, and any RA certificates, unless the router is in query mode.

35 © 2006 Cisco Systems, Inc. All rights reserved. Delete Public Keys of Peer  If the integrity of a peer public key is doubted, the key should be deleted.  To delete the CA certificate, the entire CA trustpoint must be removed. Also removes all certificates associated with the CA, To remove a CA trustpoint, use the no crypto pki trustpoint name

36 © 2006 Cisco Systems, Inc. All rights reserved.

37

38

39

40

41 Q and A

42 © 2006 Cisco Systems, Inc. All rights reserved.

Download ppt "© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates."

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.

Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services

Similar presentations

Ads by Google