certificate authority high availability on cisco ios routers


Page 1: Certificate Authority High Availability on Cisco IOS Routers

CCIE Security V4 Technology Labs Section 7: Confidentiality and Secure Access

Certificate Authority High Availability on Cisco IOS Routers

Last updated: May 20, 2013

Note: For this task, either load the Section 7 Initial Configuration Files to initialize your rack or completely remove any PKI/RSA-related configurations done on R2 and R3 in the previous task.

Task

Configure R1 and R2 to function as redundant CA servers.
In case of a reload, R1 should always become the active router.
Insert Rack1-HA.ine.com in the Subject field of the CA certificate.
Ensure that client certificates are automatically approved.

Overview

Cisco IOS PKI can be deployed in a High Availability mode, providing redundancy for client requests. Like other technologies supported by IOS in HA mode, such as Zone Based Firewall (ZBF) or IPsec, PKI HA uses the Stateful Switch-Over (SSO) redundancy feature. This inter-device redundancy function relies on two protocols: HSRP and SCTP.

HSRP determines the roles: ACTIVE and STANDBY.

SCTP ensures automatic synchronization between ACTIVE and STANDBY. For PKI, the following are automatically synchronized from the ACTIVE:

CA server configuration
CA certificate
Certificate revocation list (CRL)
Serial file
RSA keys

To ensure functionality of the IOS PKI High Availability deployment, it is recommended that you use the following configuration steps:

Configure and verify HSRP functionality.
Configure and verify inter-device SSO redundancy functionality (requires a manual reload on the STANDBY device). Do not continue further unless SSO is functional.
Configure and activate PKI server on the ACTIVE device.
Disable PKI server on the ACTIVE device and enable PKI redundancy.
Activate PKI server on the ACTIVE device.

Note: The High Availability configuration from the PKI Configuration Guide of IOS 15MT is found in the Configuring Authorization and Revocation of Certificates in a PKI section.

Note: Because of the high volume of data required to be synchronized, if the CA runs in complete database level, the client-issued certificate files (.crt) will not be synchronized with the standby system. The workaround is to have both CA systems point to a common external storage for these files, by using the command database url.

Configuration

R1:

ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby priority 150
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
   local-ip 136.1.18.1
   remote-port 5000
   remote-ip 136.1.18.2
!
redundancy inter-device
 scheme standby PKI

R2:

ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
   local-ip 136.1.18.2
   remote-port 5000
   remote-ip 136.1.18.1
!
redundancy inter-device
 scheme standby PKI

At this point, we need to save the configuration and reload the standby device to activate the redundancy. Note that after the manual reload, R2 will detect itself as standby and induce another forced reload. The following output shows the initial required reload.

Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
  Pending Scheme: Standby (Will not take effect until next reload)
  Pending Groupname: PKI
  Scheme: <NOT CONFIGURED>
  Peer present: UNKNOWN
  Security: Not configured

After SSO is functional, configure PKI only on the ACTIVE device; it will be automatically synchronized to the STANDBY.

R1:

crypto key generate rsa general-keys redundancy label HA modulus 1024
!
crypto pki server HA
 database level names
 issuer-name CN=Rack1-HA.ine.com
 database archive pkcs12 password ciscocisco
 grant auto
 no shutdown
!
crypto pki server HA
 shutdown
 redundancy
 no shutdown

If PKI functionality is not synchronized as shown in the Verification section, it may be required to perform another reload of both routers.

Verification

First, verify SSO inter-device redundancy.

Rack1R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby
  Groupname: PKI Group State: Active
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
!
!
Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
  Groupname: PKI Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
!
!
Rack1R1#show redundancy states
  my state = 13 -ACTIVE
  peer state = 8 -STANDBY HOT
  Mode = Duplex
  Unit ID = 0
  Maintenance Mode = Disabled
  Manual Swact = enabled
  Communications = Up
  client count = 13
  client_notification_TMR = 60000 milliseconds
  RF debug mask = 0x0
!
!
Rack1R2#show redundancy states
  my state = 8 -STANDBY HOT
  peer state = 13 -ACTIVE
  Mode = Duplex
  Unit ID = 0
  Maintenance Mode = Disabled
  Manual Swact = cannot be initiated from this the standby unit
  Communications = Up
  client count = 13
  client_notification_TMR = 60000 milliseconds
  RF debug mask = 0x0

Verify PKI HA configuration.

Rack1R1#show crypto pki server
Certificate Server HA:
  Status: enabled
  State: enabled
  Server's configuration is locked (enter "shut" to unlock it)
  Issuer name: CN=Rack1-HA.ine.com
  CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
  Granting mode is: auto
  Last certificate issued serial number (hex): 1
  CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
  CRL NextUpdate timer: 01:42:39 UTC May 2 2013
  Current primary storage dir: nvram:
  Database Level: Names - subject name data written as <serialnum>.cnm
  Redundancy configured. This is active.
!
!
Rack1R2#show crypto pki server
Certificate Server HA:
  Status: enabled
  State: enabled
  Server's configuration is locked (enter "shut" to unlock it)
  Issuer name: CN=Rack1-HA.ine.com
  CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
  Granting mode is: auto
  Last certificate issued serial number (hex): 1
  CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
  CRL NextUpdate timer: 01:42:39 UTC May 2 2013
  Current primary storage dir: nvram:
  Database Level: Names - subject name data written as <serialnum>.cnm
  Redundancy configured. This is standby.
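The synchronization check above is done by eye; the following Python script is an added example (not part of the lab and not an IOS feature) that parses the "show crypto pki server" and "show redundancy inter-device" output captured from both routers and reports every field that differs between ACTIVE and STANDBY. The sample captures are constructed from the outputs in this section.

```python
import re
# Constructed sample captures, shaped after the lab's "show" output above
# (not live router output). R2 is the STANDBY copy of the same CA.
R1_PKI = """Certificate Server HA:
    Status: enabled
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    Redundancy configured. This is active.
"""
R2_PKI = R1_PKI.replace("This is active.", "This is standby.")
R1_RED = "Redundancy inter-device state: RF_INTERDEV_STATE_ACT\nPeer present: RF_INTERDEV_PEER_COMM\n"
R2_RED = "Redundancy inter-device state: RF_INTERDEV_STATE_STDBY\nPeer present: RF_INTERDEV_PEER_COMM\n"

def parse_pki_server(text):
    """Extract the fields that must agree across an HA pair from 'show crypto pki server'."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {
        "issuer": grab(r"^\s*Issuer name:\s*(.+)$"),
        "fingerprint": grab(r"^\s*CA cert fingerprint:\s*(.+)$"),
        "granting": grab(r"^\s*Granting mode is:\s*(\S+)"),
        "last_serial": grab(r"^\s*Last certificate issued serial number \(hex\):\s*(\S+)"),
        "role": grab(r"^\s*Redundancy configured\. This is (\w+)\."),
    }

def parse_redundancy(text):
    """Extract SSO state and peer status from 'show redundancy inter-device'."""
    state = re.search(r"^Redundancy inter-device state:\s*(\S+)", text, re.M)
    peer = re.search(r"^Peer present:\s*(\S+)", text, re.M)
    return {"state": state.group(1) if state else None, "peer": peer.group(1) if peer else None}

def check_pki_ha(active_pki, standby_pki, active_red, standby_red):
    """Return a list of findings; an empty list means the pair is in sync."""
    a, s = parse_pki_server(active_pki), parse_pki_server(standby_pki)
    ar, sr = parse_redundancy(active_red), parse_redundancy(standby_red)
    findings = []
    if (a["role"], s["role"]) != ("active", "standby"):
        findings.append(f"PKI roles are {a['role']}/{s['role']}, expected active/standby")
    if (ar["state"], sr["state"]) != ("RF_INTERDEV_STATE_ACT", "RF_INTERDEV_STATE_STDBY"):
        findings.append("SSO inter-device redundancy is not in ACT/STDBY state")
    if (ar["peer"], sr["peer"]) != ("RF_INTERDEV_PEER_COMM",) * 2:
        findings.append("peer communication is not established on both routers")
    for key in ("issuer", "fingerprint", "granting", "last_serial"):
        if a[key] != s[key]:
            findings.append(f"{key} differs between ACTIVE and STANDBY: {a[key]!r} vs {s[key]!r}")
    return findings
```

A non-empty result is the cue, per the note in the Configuration section, that another reload of both routers may be needed.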

Rack1R1#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
  Storage: nvram:Rack1-HAinec#1CA.cer
!
!
Rack1R2#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
  Storage:

Enroll SW1 in the PKI infrastructure with R1 being the ACTIVE router (you may need to synchronize time with NTP between SW1 and R1/R2).

SW1:

crypto pki trustpoint HA
 enrollment url http://136.1.18.12
!
!
crypto pki authenticate HA
crypto pki enroll HA

Verify that SW1 received the certificate and R2 is synchronized with R1.

Rack1SW1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    Name: Rack1SW1.ine.com
    hostname=Rack1SW1.ine.com
  Validity Date:
    start date: 21:50:18 UTC May 1 2013
    end date: 21:50:18 UTC May 1 2014
  Associated Trustpoints: HA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
  Certificate might have been granted by other CA
2 <cert file not accessible>
  Certificate might have been granted by other CA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
  Certificate might have been granted by other CA
2 <cert file not accessible>
  Certificate might have been granted by other CA

Move the HSRP ACTIVE role to R2, and re-enroll SW1 in the PKI (when the ACTIVE role changes, the STANDBY always receives a forced reload to ensure synchronization).

R2:

interface gigabitEthernet 0/0
 standby priority 200

SW1:

crypto pki enroll HA

Verify that R2 is now the ACTIVE router/PKI server.

Rack1R2#show crypto pki server
Certificate Server HA:
  Status: enabled
  State: enabled
  Server's configuration is locked (enter "shut" to unlock it)
  Issuer name: CN=Rack1-HA.ine.com
  CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
  Granting mode is: auto
  Last certificate issued serial number (hex): 3
  CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
  CRL NextUpdate timer: 01:42:39 UTC May 2 2013
  Current primary storage dir: nvram:
  Database Level: Names - subject name data written as <serialnum>.cnm
  Redundancy configured. This is active.
!
!
Rack1R1#show crypto pki server
Certificate Server HA:
  Status: enabled
  State: enabled
  Server's configuration is locked (enter "shut" to unlock it)
  Issuer name: CN=Rack1-HA.ine.com
  CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
  Granting mode is: auto
  Last certificate issued serial number (hex): 3
  CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
  CRL NextUpdate timer: 01:42:39 UTC May 2 2013
  Current primary storage dir: nvram:
  Database Level: Names - subject name data written as <serialnum>.cnm
  Redundancy configured. This is standby.

Verify that SW1 received the certificate and R1 is synchronized with R2.

Rack1SW1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    Name: Rack1SW1.ine.com
    hostname=Rack1SW1.ine.com
  Validity Date:
    start date: 21:59:55 UTC May 1 2013
    end date: 21:59:55 UTC May 1 2014
  Associated Trustpoints: HA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
  Certificate might have been granted by other CA
2 <cert file not accessible>
  Certificate might have been granted by other CA
3 <cert file not accessible>
  Certificate might have been granted by other CA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
  Certificate might have been granted by other CA
2 <cert file not accessible>
  Certificate might have been granted by other CA
3 <cert file not accessible>
  Certificate might have been granted by other CA