This article configures the internet ISP router as an IOS certificate authority. We will configure a loopback of 1.1.1.1, an IOS HTTP server and a crypto PKI trustpoint. This router will act as the certificate authority that signs the certificates requested by the VPN head end and the spokes. On each router we need to generate crypto keys and then use SCEP (Simple Certificate Enrollment Protocol) to request a certificate from the CA. In this example R1, R2 and R3 are the SCEP clients requesting certificates from the ISP router, which has the IP address 1.1.1.1.

Each router will then have a trusted certificate. Each router has a directly connected route and a default route to the ISP, so it already has the route it needs to reach the CA and request a certificate. This example is therefore acting like GoDaddy or some other internet-facing certificate authority that you would request certificates from and that would manage your certificate PKI for you. An alternative would be a private certificate authority, possibly behind your VPN head end, that issues certificates to your hub and all your spokes before you establish your VPN topology.

That sort of private certificate authority could be a Windows Server (IIS) certificate authority, or on Linux something like Dogtag. We'll now move on to configuring the certificate authority and SCEP enrollment. First, on the ISP router (the CA), we generate the key pair with crypto key generate rsa. We'll go super paranoid with modulus 4096, label it isp.cybertech.co.uk and make the keys exportable. On the SCEP client we do the same: crypto key generate rsa, modulus 4096, and again exportable. On the ISP we can then view the key we've just generated with a show command.

The command is show crypto key mypubkey rsa, and we can see the key labelled isp.cybertech.co.uk, which is actually the default label (hostname plus domain name), so it would have been named this even without the label. I'll quickly relabel the key on the other side too, just for commonality between them, because I think I've got a capital R1 for the hostname on that side. So again we do show crypto key mypubkey rsa (I had typed do show run by mistake, twice). That gives us the key name: there's my default one from earlier with a lowercase name, so I'll quickly regenerate it with the uppercase label, and now they're both consistent like the ISP. Now that we have a key pair, we'll configure the certificate server.

First, we set ntp master on the ISP so that it considers itself the authoritative time source (certificate validity dates depend on the clock). Then crypto pki trustpoint ca, and under it rsakeypair isp.cybertech.co.uk, the key pair we generated earlier, then exit. Next interface Loopback1 with the IP address 1.1.1.1/32, then ip http server, because SCEP enrollment is carried over HTTP. Now we can go straight to the PKI server: crypto pki server ca, issuer-name CN=isp,O=cybertech.co.uk, then grant auto to issue certificates automatically, hash sha512, and finally no shutdown. At that point we are prompted to create a passphrase for the CA. The first attempt, cisco, is rejected because it needs to be seven characters or more, so it will be cisco1234. Enabling the server also requires clock calendar-valid, so we add that and try again: crypto pki server ca, no shutdown. There we go, the server has been enabled.


We now have an active certificate authority on this router, and we can confirm it with do show crypto pki server, which displays the settings we set under the PKI server and the PKI trustpoint. Next we need to enroll the SCEP client with this server and get R1 a trusted certificate. We go straight in with crypto pki trustpoint isp, then enrollment url http://1.1.1.1:80 (the loopback of the CA, on port 80), fqdn R1.cybertech.co.uk, and ip-address with the router's own interface address (I check it with do show ip interface brief). The subject-name will be CN=R1,O=cybertech.co.uk, revocation-check none because we're not publishing a CRL (fine for a lab; in production you would publish a CRL or use OCSP so revoked certificates are actually rejected), rsakeypair set to the key pair we created earlier, and hash sha512, which I believe is what we set on the CA.

With sha512 matching the CA, we can do the show command here and view the config we just set. Next we do crypto pki authenticate isp, answer yes to accept the CA certificate, and then crypto pki enroll isp. We are prompted for the password, cisco1234 twice, then whether to include the serial number, and yes to request the certificate from the CA. Then show crypto pki certificates shows the certificate that is now on this router: a certificate issued by the CA isp.cybertech.co.uk for the host R1.cybertech.co.uk, and below it the CA certificate as part of the chain, which is isp.cybertech.co.uk. We do the same show on the CA router to confirm its CA certificate is the one we've got on the hub, and again we can see the CA certificate at the top, where the issuer is the ISP CA itself. Next, let's go to R2 and R3, generate their crypto keys and enroll them to the certificate authority as well.

After that, in the next article, we'll take the DMVPN topology we already have and switch it to RSA signature authentication. On R2: crypto key generate rsa modulus 4096 (not crypto pki, sorry) and then we'll just label it. We don't actually need to specify exportable keys here because we're not exporting them from these routers. Then we log into R3 and do the same: crypto key generate rsa modulus 4096 with a label. Cool, that's done. As per R1, we've got the commands, so we can almost copy them: crypto pki trustpoint isp, enrollment url http://1.1.1.1:80, then the ip-address.

Then fqdn R3.cybertech.co.uk, the ip-address of this router, subject-name CN=R3,O=cybertech.co.uk, revocation-check none, rsakeypair with the key pair we just labelled, and hash sha512. We can then enroll straight away with crypto pki enroll isp and the password cisco1234 twice; we don't actually have to run authenticate first, because if we do the enroll it'll do both anyway. That's R3 with its keys, and we do the same on R2.

So again, crypto pki trustpoint isp, and we'll just whizz through it without narrating. Once the trustpoint is defined we do the authenticate, answer yes, and then the enroll. Lastly, we can also do show run and view the certificates in the running config in hex format: we can see the PKI certificate chain for the trustpoint and the CA certificate there. That's a really simple configuration of an IOS CA and SCEP enrollment.
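The complete configuration from the walkthrough gathered into one place, as an added example rather than the article's own captures. It assumes the CA loopback 1.1.1.1/32, the domain cybertech.co.uk, the passphrase cisco1234 and, for R1's ip-address line, a constructed interface address of 10.0.0.2 that you replace with the one shown by show ip interface brief.

```cisco
! Added example: ISP-side IOS CA and R1-side SCEP client configuration
! reconstructed from the walkthrough. Assumed values: CA loopback 1.1.1.1/32,
! domain cybertech.co.uk, passphrase cisco1234, R1 interface address 10.0.0.2.
!
! ---- ISP router (the certificate authority) ----
hostname isp
ip domain-name cybertech.co.uk
ntp master
clock calendar-valid
crypto key generate rsa modulus 4096 label isp.cybertech.co.uk exportable
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
ip http server
crypto pki trustpoint ca
 rsakeypair isp.cybertech.co.uk
!
crypto pki server ca
 issuer-name CN=isp,O=cybertech.co.uk
 hash sha512
 grant auto
 no shutdown
! no shutdown prompts for a passphrase of at least 7 characters: cisco1234
! grant auto signs every request that reaches the server; on a production CA
! use "grant none" and approve each request with "crypto pki server ca grant <id>"
!
! ---- R1 (SCEP client); repeat on R2 and R3 with their own names ----
hostname R1
ip domain-name cybertech.co.uk
crypto key generate rsa modulus 4096 label R1.cybertech.co.uk
!
crypto pki trustpoint isp
 enrollment url http://1.1.1.1:80
 fqdn R1.cybertech.co.uk
 ip-address 10.0.0.2
 subject-name CN=R1,O=cybertech.co.uk
 revocation-check none
 rsakeypair R1.cybertech.co.uk
 hash sha512
!
! fetch and accept the CA certificate, then request R1's own certificate
crypto pki authenticate isp
crypto pki enroll isp
!
! verification, from exec mode
show crypto pki server
show crypto pki certificates
```

Compare the CA certificate fingerprint shown during crypto pki authenticate with the one printed by show crypto pki server on the ISP router before answering yes; that check is what stops a client trusting the wrong CA.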
