Appendix A

This appendix provides information about configuring certificates and Simple Certificate Enrollment Protocol (SCEP), obtaining certificates for PIX through SCEP, and Cisco CLI and Windows Server 2003 NETSH commands.

Certificate and SCEP Configuration

To configure certificates, perform the following steps.

  1. Access Add/Remove Programs and select Add/Remove Windows Components.
  2. Select Certificate Services. You should see the following prompt. Click Yes and return to the Component Wizard.
  3. To select the IIS components, select Application Services and click Details.
  4. In the next dialog box, select Internet Information Services and select Details.
  5. In the next dialog box, select World Wide Web Service and click Details.
  6. In the next dialog box, select Active Server Pages, select World Wide Web Service, and then click OK three times. When you select World Wide Web Publishing Services, Common Files and Internet Services Manager are also selected by default.
  7. After you return to the main screen, click Next to continue the installation.
  8. You should receive the following prompts during the installation of your certification authority (CA). Select the type of CA you would like to implement. (Details for this decision are beyond the scope of this document.) Click Next.
  9. In Common Name for this CA, type the name you would like to use. For this scenario, in Distinguished name suffix, type CN=CA,DC=ISAPIXLAB,DC=LOCAL. Then, click Next.
  10. The wizard begins generating the cryptographic keys. After this is complete, click Next.
  11. Ensure the database default locations are acceptable, and then click Next.
  12. For the following prompt, ensure you understand the implications of enabling Active Server Pages (ASP) on your Web server. After installing a stand-alone CA, the only way to retrieve certificates is through the use of the CA Web site, which has to use ASP. After you obtain your certificates, you can disable the use of ASP, and then later enable it as needed. Click Yes.

To configure Simple Certificate Enrollment Protocol (SCEP), perform the following steps.

  1. Install SCEP Add-On for Windows Server 2003 Certificate Services from https://go.microsoft.com/fwlink/?LinkId=32060. Click Yes.
  2. To accept the license agreement, click Yes.
  3. To continue, click Next.
  4. Select Use a service account, and click Next.
  5. You will need to create a user account, assign it Read and Enroll permissions for the IPSec (Offline Request) template, and make it a member of the IIS_WPG Group.
  6. Provide the service account information. It must be in domain\username or username@domainname.com syntax. Then, click Next.
  7. We recommend that you select Require SCEP Challenge Phrase to Enroll. After your device is ready to enroll with the CA, go to the https://ca/certsrv/mscep/mscep.dll Web site (from any client). This page provides the Challenge Phrase that you must specify during enrollment. The Challenge Phrase is valid for 60 minutes. Then, click Next.
  8. Provide the Registration Authority information, and then click Next.
  9. Review the information, and then click Finish.

To enable certificates, perform the following steps.

  1. To open the Certtmpl.msc file, click Start, click Run, type certtmpl.msc, and then click OK.
  2. Find the IPSec (Offline request) certificate template.
  3. Go to the properties of the template, and then select the Security tab. Add the user created previously (SCEPUser), and assign that user Read and Enroll permissions.
  4. Go to Active Directory Users and Computers (or Computer Management if Active Directory is not installed or the CA is not a part of a domain). Find the IIS_WPG User Group and add SCEPUser into this group.

Completing these tasks allows the SCEPUser account to retrieve certificates on behalf of the SCEP clients.

To install a certificate on the local machine store on ISA Server 2004, perform the following steps.

  1. In Internet Explorer, set the proxy to the internal IP address of ISA Server, and then open https://ca-ip-address/certsrv to reach the CA Web site. You should see the following screen. Select Request a certificate.
  2. Select submit an advanced certificate request.
  3. Select Create and submit a request to this CA.
  4. On the Advanced Certificate Request page, enter the following:
    In Identifying information, type information in the Name, E-Mail, Company, Department, City, State and Country/Region boxes.
    In Type of Certificate Needed, select IPSec Certificate.
    In Key Options, leave the CSP and Key Usage fields as the default. Change the Key Size to 512, leave the Automatic key container name selected, and select Mark keys as exportable (optional). Select Store certificate in the local computer certificate store.
    In Additional Options, leave Request Format as CMC, and the Hash Algorithm as SHA-1. Do not select Save request to a file. In Friendly Name, type a name such as isa.isapixlab.local.
    Then, click Submit.
  5. You will receive the following warning when requesting the certificate. To continue, select Yes.
    You should see the ActiveX prompt Waiting for server response while the request is being submitted.
    You should see the following screen with the certificate Request ID.
  6. Open the Certification Authority console and navigate to the Pending Requests node. Find the certificate request with an ID of 9, right-click it, select All Tasks, and then select Issue. The certificate should then move to the Issued Certificates node.
  7. From ISA Server, return to the https://ca-ip-address/certsrv Web site and select View the status of a pending certificate request.
  8. Select the certificate that is shown. When you initially visited the site, a cookie was issued to your client that identifies which certificate belongs to you.
  9. Select Install this certificate.
  10. A Potential Scripting Violation warning appears. After reading and understanding the warning, select Yes to install the certificate.
  11. The following screen appears, letting you know that the certificate was installed. Close Internet Explorer.

To add and then import a certificate, perform the following steps.

  1. Click Start, click Run, type MMC, and then click OK. From the File menu, click Add\Remove Snap-in. From the list provided, select Certificates and click Add. You will be prompted to select the certificate store. Select Computer Account.
  2. Navigate to Certificates by expanding Local Computer\Personal\Certificates, and you will see the certificate that was just installed. Double-click the certificate to view the properties.
    The following screen shows the certificate properties. The certificate is currently invalid because Windows cannot verify this certificate to a trusted authority. You need to install the certification authority certificate for this system to trust this certificate.
  3. Open Internet Explorer and go to the https://ca-ip-address/certsrv Web site. Select Download a CA certificate, certificate chain, or CRL.
  4. Select Download CA certificate. Do not select Install this CA certificate chain. If you do, the Trusted Root CA certificate will be installed into the currently logged on user's certificate store. For the IPSec certificate, the Trusted Root CA must be installed in the Local Computer context.
  5. In File Download, select Save, and save the certnew.cer file to the Desktop.
  6. Go into the console created earlier and right-click the Trusted Root Certification Authorities node. Click All Tasks, and then click Import.
  7. The Certificate Import Wizard will open. Click Next.
  8. Browse to the location where you saved the certnew.cer file and click Next.
  9. In Certificate Store, the Trusted Root Certification Authorities store should be selected. Click Next.
  10. In the final screen of the wizard, click Finish.
  11. You should receive a prompt that the Import was successful. Click OK.
  12. Return to the console and navigate to the Certificates Local Computer\Certificates node. You should see the Trusted Root CA installed now. It is highlighted on the following screen.
  13. Navigate to Certificates (Local Computer)\Personal\Certificates and open the IPSec certificate that was installed earlier. The certificate should no longer show any errors. To close the console, click OK.

To begin using this certificate with your IPSec tunnel mode configuration, perform the following steps.

  1. In the ISA Server console, select the Virtual Private Networks (VPN) node. Click the Remote Sites tab, select the PIXNet Remote Site, and then click Configure Remote Site Network.
  2. When the properties appear, click the Authentication tab. Select Use a certificate from this certificate authority (CA). Click Browse and browse through the list to find the certification authority's name.
  3. Do not look for the name of the certificate issued to you. When IPSec negotiations take place, a message is passed from the initiator to the responder called the Certificate Request Payload (CRP) that contains the trusted root that the initiator wants to choose. The responder will check to see if it has an IPSec Main Mode rule that uses that Trusted Root. Select the certificate and then click OK.
  4. The following screen shows the Authentication tab with the distinguished name of the certification authority. Click OK and then click Apply to make the change effective.

This completes the certificate installation procedure for ISA Server.

Obtain Certificate for PIX through SCEP

To obtain a certificate for PIX through SCEP, perform the following steps.

  1. You must ensure that the time on each device matches. Use the show clock command on the PIX to make sure it is correct.
  2. If the certification authority (CA) is on the subnet behind the ISA Server computer, you will need to add the following commands to access the CA from the PIX:
    • pix501(config)# access-list outside_cryptomap_20 permit ip interface outside 172.25.10.0 255.255.255.0
    • pix501(config)# access-list outside_cryptomap_20 permit ip interface outside host 192.168.55.1
  3. After you do this, you should be able to search for the CA on the remote subnet.
    This procedure is from the Cisco PIX Firewall and VPN Configuration Guide.
     
    pix501(config)# ca zeroize rsa
    pix501(config)# hostname pix501
    pix501(config)# domain-name isapixlab.local
    pix501(config)# ca generate rsa key 512
    Keypair generation process begin.
    .Success.
     
    pix501(config)# ca identity ca.isapixlab.local 172.25.3.20:/certsrv/mscep/mscep.dll
    pix501(config)# ca configure ca.isapixlab.local ra 1 20
  4. To obtain the certificate thumbprint and challenge phrase, access the https://ca-ip-address/certsrv/mscep/mscep.dll Web site.
  5. You should see the following screen. You will be prompted for authentication. Ensure you provide Administrator credentials to access this site.
  6. Now that you have the thumbprint and challenge phrase, you need to go to the PIX and enter the following. (The response from the CA is included as well for reference.)
    pix501(config)# ca authenticate ca.isapixlab.local 54E7EEFEFAFC3E11CC74B7FB24AACA79
     
    Certificate has the following attributes:
    Fingerprint: 54e7eefe fafc3e11 cc74b7fb 24aaca79
     
    pix501(config)#
  7. Press Enter to return to the configuration prompt, and then enter the following:
    pix501(config)# ca enroll ca.isapixlab.local 81F47ECA6CE8DDEB serial ipaddress
     
    You will receive the following...
    %
    % Start certificate enrollment ..
     
    % The subject name in the certificate will be: pix501.isapixlab.local
     
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    pix501(config)#     Fingerprint:  40c6bd6e 940f0dd3 da2b648a 5fc96fa5
     
    CRYPTO_PKI: status = 102: certificate request pending
  8. When you see the certificate request pending response (shown in the preceding step), go to the CA and check the Pending Requests node and issue the certificate. This usually takes about 10-15 seconds to appear.
  9. If you are unable to determine which request is from the PIX, scroll to the right to the Issued Common Name column to find the correct certificate. The name you declared in the hostname and domain-name commands should appear.
  10. Right-click the certificate, click All Tasks, and then click Issue.
  11. Now the certificate should move to the Issued Certificates node. Go back to the PIX console and you should see the following response:
    CRYPTO_PKI: status = 102: certificate request pending
    CRYPTO_PKI: status = 102: certificate request pending
    The certificate has been granted by CA!
     
    pix501(config)# show ca certificate
    Certificate
      Status: Available
      Certificate Serial Number: 2e560ef300000000000a
      Key Usage: General Purpose
      Subject Name:
        CN = pix501.isapixlab.local
        UNSTRUCTURED NAME = pix501.isapixlab.local
        UNSTRUCTURED IP = 192.168.55.1
        Serial Number = <xxxxxxx>
      Validity Date:
        start date: 22:57:23 UTC Oct 30 2003
        end   date: 23:07:23 UTC Oct 30 2004
     
    RA Signature Certificate
      Status: Available
      Certificate Serial Number: 6120d313000000000002
      Key Usage: Signature
        EA =<16> ra@isapixlab.local
        CN = RACert
        OU = ISAPIXLAB Testing
        O = ISAPIXLABs
        L = Redmond
        ST = WA
        C = US
      Validity Date:
        start date: 23:36:42 UTC Oct 21 2003
        end   date: 23:46:42 UTC Oct 21 2004
     
    CA Certificate
      Status: Available
      Certificate Serial Number: 7dfcce0a1b5df8bf4f9b7a037356076a
      Key Usage: Signature
        CN = CA
        OID.0.9.2342.19200300.100.1.25 =<16> ISAPIXLAB
        OID.0.9.2342.19200300.100.1.25 =<16> LOCAL
      Validity Date:
        start date: 23:18:05 UTC Oct 21 2003
        end   date: 23:21:51 UTC Oct 21 2008
     
    RA KeyEncipher Certificate
      Status: Available
      Certificate Serial Number: 6120d5a3000000000003
      Key Usage: Encryption
        EA =<16> ra@isapixlab.local
        CN = RACert
        OU = ISAPIXLAB Testing
        O = ISAPIXLABs
        L = Redmond
        ST = WA
        C = US
      Validity Date:
        start date: 23:36:43 UTC Oct 21 2003
        end   date: 23:46:43 UTC Oct 21 2004
  12. On the PIX, complete these commands to commit the certificate to the configuration:
    pix501(config)# ca save all
    pix501(config)# wr mem
    Building configuration...
    Cryptochecksum: 65bca87c 39fa1373 b941190a 2778d0f9
    [OK]
  13. At the CA, you can view the properties of the certificate by going to Issued Certificates, and double-clicking the certificate. You will see the following dialog box.
  14. At the PIX, run the following commands to change the PIX to use the certificate:
    pix501(config)# no isakmp policy 20
    pix501(config)# isakmp policy 20 authen rsa-sig
    pix501(config)# isakmp policy 20 encrypt 3des
    pix501(config)# isakmp policy 20 hash sha
    pix501(config)# isakmp policy 20 group 2
    pix501(config)# isakmp policy 20 lifetime 28800
    pix501(config)# isakmp identity address

After you do this, IPSec negotiations should complete successfully. If they do not, use the debug crypto isakmp and debug crypto ca commands on the PIX to determine where Main Mode negotiations fail. There should be no reason to use debug crypto ipsec, because certificates are only negotiated in Main Mode, which is what debug crypto isakmp monitors.
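Step 6 of the procedure above relies on comparing the CA thumbprint shown by the mscep.dll page (32 hex digits, upper case, unspaced, which is a 128-bit MD5 value) with the fingerprint the PIX echoes after ca authenticate (lower case, four groups of eight). The helper below is an added example, not part of the original guide or of Cisco's or Microsoft's tooling: it hashes a saved copy of the CA certificate (the certnew.cer file from the ISA Server procedure, in DER or Base-64 form) and checks it against either representation so the fingerprint can be confirmed out of band before the PIX is told to trust the CA. The script name and command-line arguments are assumptions.

```python
import base64
import hashlib
import re
import sys


def load_der(data: bytes) -> bytes:
    """Accept a DER or Base-64 (PEM) encoded certificate and return the DER bytes.
    The CA Web site offers certnew.cer in either encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(
            line.strip() for line in data.splitlines()
            if line.strip() and not line.strip().startswith(b"-----")
        )
        return base64.b64decode(body)
    return data


def pix_fingerprint(der_cert: bytes) -> str:
    """MD5 fingerprint formatted as the PIX prints it: four groups of 8 hex digits."""
    digest = hashlib.md5(der_cert).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def normalize(fingerprint: str) -> str:
    """Drop spaces/colons and lower-case, so the mscep.dll form (upper case,
    unspaced) and the PIX form (lower case, grouped) compare equal."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fingerprint).lower()
    if len(cleaned) != 32:
        raise ValueError(f"expected 32 hex digits (MD5), got {len(cleaned)}")
    return cleaned


def fingerprints_match(expected: str, observed: str) -> bool:
    """True when the thumbprint from the CA page and the PIX fingerprint agree."""
    return normalize(expected) == normalize(observed)


def verify_cert_file(path: str, expected: str) -> bool:
    """Hash the saved CA certificate and check it against the thumbprint shown by the CA."""
    with open(path, "rb") as f:
        return fingerprints_match(expected, pix_fingerprint(load_der(f.read())))


if __name__ == "__main__":
    # Assumed usage: python verify_ca_fp.py certnew.cer 54E7EEFEFAFC3E11CC74B7FB24AACA79
    ok = verify_cert_file(sys.argv[1], sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not trust this CA certificate")
    sys.exit(0 if ok else 1)
```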

Cisco CLI and Windows Server 2003 NETSH Commands

For the IPSec tunnel mode configuration, all of the following commands were entered at the config prompt (pixfirewall(config)#):

    isakmp key 123456789 address 192.168.55.100 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp enable outside
    name 172.25.10.0 ISANet
    pdm location 172.25.10.0 255.255.255.0 outside
    access-list inside_outbound_nat0_acl line 1 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
    nat (inside) 0 access-list inside_outbound_nat0_acl
    access-list outside_cryptomap_20 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
    crypto map outside_map 20 set peer 192.168.55.100
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
    crypto map outside_map interface outside
    sysopt connection permit-ipsec