18.1 Key Terms
PKI = Public key infrastructure. A scalable architecture that includes software, hardware, people, and procedures to facilitate the management of digital certificates.
CA = Certificate authority. A system that generates and issues digital certificates. This is usually a device that is trusted by both parties using certificates.
subordinate CA = A certificate authority at a level below the root CA. Large PKI infrastructures use multiple subordinate CAs to offload the work from a single root CA.
root certificate = The certificate at the top of a certificate hierarchy in PKI.
identity certificate = A digital certificate assigned to a device, host, person, or email in a PKI infrastructure, offering a concept of validated identity.
PKCS#7 = Public Key Cryptography Standards #7. Used by a CA to distribute digital certificates.
PKCS#12 = Public Key Cryptography Standards #12. A file format used to store private keys with their accompanying public key certificates.
RSA = In 1977, Rivest, Shamir, and Adleman developed a public key algorithm still used by most browsers today. This is an asymmetric algorithm used for authentication.
digital signature = An encrypted hash that uniquely identifies the sender of a message and authenticates the validity and integrity of the data received. Signing is done with the private key of the sender, and validation of that signature (done by the receiver) is done using the public key of the sender.
public key = The part of a key pair that is shared with other people in a PKI exchange.
X.509v3 = The ITU standard for PKI. Version 3 typically refers more to the IETF standard (RFC 3280), which includes CRL usage.
CRL = Certificate revocation list. Used in a PKI environment to inform clients about certificates that have been revoked by the CA.
SCEP = Simple Certificate Enrollment Protocol. SCEP was created to facilitate large-scale deployments of PKI by automating the process of authenticating and enrolling with a CA that supports SCEP. This is a Cisco-sponsored protocol and is supported by some, but not all, other vendors.
LDAP = Lightweight Directory Access Protocol. This protocol can be used for gathering and managing information from an LDAP-accessible directory or database. An example of its use is having an AAA server use an LDAP request to Active Directory to verify the credentials of a user.
18.2 Things to Remember
Component > Description
RSA digital signatures > Using its private key to encrypt a generated hash, the sender creates a digital signature. The receiver uses the public key of the sender to validate the digital signature and verify the identity of the peer.
Digital certificate > File that contains the public key of the entity, a serial number, and the signature of the CA that issued the certificate.
Public and private keys > Used as a pair to encrypt and decrypt data in an asymmetric fashion.
Certificate authority > The CA's job is to fulfil certificate requests and generate the digital certificates for its clients to use. It also maintains a list of valid certificates that have been issued, and maintains a CRL listing any revoked certificates.
X.509v3 > A common certificate format used today.
Subordinate CA/RA > Assistant to the CA, which can issue certificates to clients. Clients need both the certificate from the root and the certificate from the subordinate to verify signatures all the way to the root. Used in a hierarchical PKI topology.
PKCS > Public Key Cryptography Standards, agreed to and implemented by vendors who want compatibility with other devices in the PKI.
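The signature and chain concepts from 18.1 and the table above (sign with the private key, verify with the public key, walk an identity certificate through the subordinate CA to the root, honour the CRL), as a toy worked example added here; this is not code from the page, and it uses textbook RSA with constructed small Mersenne primes and a made-up certificate structure rather than X.509.

```python
"""Toy PKI: a signature is the hash processed with the sender's private key and checked with
the public key; a client walks an identity cert through the subordinate CA up to the root."""
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public (e, n), private (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # pow raises ValueError if e is not invertible

def digest(data, n):
    # SHA-256 of the data, reduced below the modulus (toy: real RSA applies PKCS#1 padding)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    d, n = priv
    return pow(digest(data, n), d, n)           # private-key operation on the hash

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == digest(data, n)    # public-key operation recovers the hash

def cert_body(cert):
    # The signed part of a toy certificate: subject, public key, and serial number
    return f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}|{cert['serial']}".encode()

def issue_cert(issuer_priv, subject, subject_pub, serial):
    cert = {"subject": subject, "pub": subject_pub, "serial": serial}
    cert["sig"] = sign(issuer_priv, cert_body(cert))   # the issuing CA's signature
    return cert

def verify_chain(chain, root_pub, crl=frozenset()):
    """chain is leaf first; each cert must be signed by the next cert's key, the last by the root."""
    issuers = [c["pub"] for c in chain[1:]] + [root_pub]
    for cert, issuer_pub in zip(chain, issuers):
        if cert["serial"] in crl or not verify(issuer_pub, cert_body(cert), cert["sig"]):
            return False                        # revoked per the CRL, or signature does not check
    return True

# Constructed key pairs from Mersenne primes (far too small for real use)
ROOT_PUB, ROOT_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
SUB_PUB, SUB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ASA_PUB, ASA_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
SUB_CERT = issue_cert(ROOT_PRIV, "CN=Sub-CA", SUB_PUB, serial=2)       # issued by the root
ASA_CERT = issue_cert(SUB_PRIV, "CN=ciscoasa", ASA_PUB, serial=1001)   # identity cert from the sub CA

if __name__ == "__main__":
    print("full chain:", verify_chain([ASA_CERT, SUB_CERT], ROOT_PUB))            # True
    print("sub CA cert missing:", verify_chain([ASA_CERT], ROOT_PUB))              # False
    print("revoked:", verify_chain([ASA_CERT, SUB_CERT], ROOT_PUB, crl={1001}))   # False
```

The second call shows why the table says clients need the subordinate's certificate as well as the root's: without it the identity certificate is checked against the wrong public key and fails.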
18.3 Command References
Command > Description
crypto key generate rsa > Generates a public/private key pair on the ASA
crypto ca authenticate > Retrieves and installs the root certificate via SCEP
crypto ca enroll > Requests and installs an identity certificate via SCEP
18.4 Command Examples
Generating a New Key Pair
K-ASA(config)# crypto key generate rsa label My-Key-Pair modulus 2048 noconfirm
Authenticating and Enrolling with a New CA via SCEP
K-ASA(config)# crypto ca trustpoint New-CA-to-Use
K-ASA(config-ca-trustpoint)# keypair New-Key-Pair
K-ASA(config-ca-trustpoint)# id-usage ssl-ipsec
K-ASA(config-ca-trustpoint)# no fqdn
K-ASA(config-ca-trustpoint)# subject-name CN=ciscoasa
K-ASA(config-ca-trustpoint)# enrollment url http://192.168.1.105
K-ASA(config-ca-trustpoint)# exit
K-ASA(config)# crypto ca authenticate New-CA-to-Use nointeractive
K-ASA(config)# crypto ca enroll New-CA-to-Use noconfirm