
Page 1

Public Key Infrastructure and Virtual Private Network: concepts, solutions and projects

Ing. Mirko Tedaldi, CryptoNet
[email protected]

Overview

• Introduction: who is CryptoNet
• Outline of an introduction to cryptography, PKI and the related Entrust technologies
• Introduction to Virtual Private Networks (VPN) and the IPSec protocol
• The role of PKI in VPNs
• A case study: the VPN project for OMNITEL
• The architecture of the OMNITEL VPN
• Outline of the VPN project management

Page 2

CryptoNet: who we are

• The only Italian company 100% devoted to security (infosec as the only business area, from corporate security policy design to secure router configurations);
• Committed to enabling customer INNOVATION as a way to gain competitive advantage;
• Good experience in the technical, regulatory and business-driver fields.
• 1995: first mass-market Crypto SC in Italy; first WWW-based information system over the Internet in Italy
• 1996: first corporate Internet-connection security CERTIFICATION in Italy
• 1997: first secure Internet home banking in Italy; introduction of the first Active RSA SC in Italy
• 1998: very large "BNL Group security" contract; the first IPSec WW network in Europe (Luxottica); first IPSec demo with CISCO in Europe (TIM).
• 1999: the two largest IPSec VPNs in the world with CISCO (1000 routers, OMNITEL 2000, 20.000, RUPA...); the first on-line trading with digital signature and timestamping
• 2000: the largest SSO and digital-signature integration for SAP (40.000 seats) in Europe, implemented in 12 weeks from contract signature;
• Customer list: FIAT, ENEL, ENI, Pirelli, SIA, CSELT, SSGRR, BNL, Magneti Marelli, Urmet, ABB, Luxottica, Omnitel, SOGEI/Ministero delle Finanze, RUPA, Ministero del Tesoro, WIND …

How can we do it?

1. Focus, Focus, Focus.
2. Have a highly trained sales force, used to consulting with customers as a means to design the solution.
3. Have an extremely skilled delivery group, expose it to the most challenging projects in the marketplace, invest all the money needed to improve skills, experience and qualifications.
4. Enjoy what we do, and be proud of our achievements.
5. Deliver the highest quality services in the industry, and look for customers who need the quality and pay for it.
6. Network with other companies similar to ours (Cybersafe, Entrust, Timestep, PeerLogic…).

In the end, we do it from day one!

Page 3

What we do best

1. Use technology to COLLAPSE technological and organizational complexity (the technology layers requiring attention have to diminish, if DP people are to survive!!)
2. Constantly adopt the best practices through our partnership with the best companies in the world
3. Always take into account that our systems will have stakeholders in the IT community (systems managers), in the end-user community and in the financial community. ROI has to be measurable. Expensive systems have to deliver high value, or … we're out of business quickly. Being out of business quickly is bad: we don't like it.
4. Don't be worried about being the first at doing complex things: there will always be a first, and every time it happened to us we were successful.
5. Avoid unnecessary complexity: the fewer pieces you use, the fewer pieces will have the chance to break.
6. Earn the genuine enthusiasm of every customer we serve

Just an example:

Some of the requirements for an operational system: authentication, authorization, streamlined and generalized access to information resources, network security against internal and external intrusions and denial-of-service attacks, support for roaming users, support for non-repudiation of transactions, confidentiality, integration with pre-existing systems and with the pre-existing systems environment (OS, network….).

And, again: disaster recovery, security policy, personnel education and training. In the end, architectural openness to new technologies (WAP….).

We have already done it.

Page 4

The ISO security levels

• Confidentiality: prevent unauthorized recipients from reading the message
• Authentication: protect the identity of the message's sender from alteration
• Integrity: protect messages from intentional or accidental alteration
• Non-repudiation: protect the recipients of a message from the risk that the sender repudiates having sent it
• Access control: make the content of the message accessible only to authorized recipients

The two types of cryptographic algorithms

• Symmetric cryptography (or secret-key cryptography): uses a single cryptographic key, which must be held by both the sender and the recipient of the message
• Asymmetric cryptography (or public-key cryptography): uses a pair of keys (one public and the other private), both held by a single owner

Page 5

Symmetric cryptography (diagram): Bob and Alice share a common secret key; Alice ENCRYPTS with it and Bob DECRYPTS with the same key.

Asymmetric cryptography: CONFIDENTIALITY (diagram): Alice ENCRYPTS with Bob's public key; Bob DECRYPTS with Bob's private key. Only Bob can decrypt the document, because only he holds the private key.

Page 6

Asymmetric cryptography: AUTHENTICATION (diagram): Alice ENCRYPTS with Alice's private key; Bob DECRYPTS with Alice's public key. Bob is sure the message was encrypted by Alice because only she holds her private key.

DIGITAL SIGNATURE: creating the digital signature (diagram): the document goes through the hash function, giving the hash; the hash is encrypted with the signer's private key, giving the digital signature; the document is sent together with the signature and the signer's public key.

Page 7

Verifying the digital signature (diagram): the received document goes through the hash function, giving a "fresh" hash; the signature is decrypted with the signer's public key, giving the decrypted hash; the decrypted hash is compared with the fresh hash (=?).

Electronic certificates (diagram): information contained in the certificate: subject Mirko Tedaldi, CA: CryptoNet, valid from 16/1/2000 to 15/1/2001, value of the public key. The certificate carries the signature of the CA, made with the CA's private key.

Page 8

Third-Party Trust (diagram): Alice and Bob both rely on the Certification Authority, which guarantees the correspondence between public key and subject through digital certificates.

Public Key Infrastructure (diagram of components and flows):
• End entity ↔ RA/CA: registration, authentication, initialization, key generation, certification, key backup/recovery, key update, certificate revocation
• End entity ← Certificate/CRL repository: certificate/CRL download, policy/CPS download
• CA ↔ external CA: cross-certification or hierarchical relation
• CA → Certificate/CRL repository: certificate/CRL publication, policy/CPS distribution
• CA ↔ RA: CA/RA communication
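The hash-then-sign flow of the last two slides, and the certificate check that makes third-party trust work, as an added example that is not part of the original deck and not Entrust code. It uses textbook RSA over the Python standard library; the key pairs are built from Mersenne primes (a constructed choice so the block needs no crypto library), the hash is SHA-256, and the certificate is a plain dict whose fields are the ones listed on the certificate slide. Validity dates are ISO-8601 strings so they compare correctly as text.

```python
import hashlib
from math import gcd

# Added example: textbook RSA for illustration of the signature flow only.
# Real deployments use a vetted library, padded signature schemes and
# properly generated primes; the Mersenne primes below are a constructed choice.
E = 65537

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))

CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**521 - 1)      # the CA's pair
USER_PUB, USER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)  # the signer's pair

def digest(message: bytes) -> int:
    """'Funzione hash': reduce the document to a fixed-size value first."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(priv, message: bytes) -> int:
    """The hash is 'encrypted' with the signer's private key."""
    n, d = priv
    return pow(digest(message), d, n)

def verify(pub, message: bytes, signature: int) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    n, e = pub
    return pow(signature, e, n) == digest(message)

def cert_tbs(subject, issuer, pub, not_before, not_after) -> bytes:
    """The 'information contained in the certificate' that the CA signs."""
    n, e = pub
    return f"{subject}|{issuer}|{n:x}|{e:x}|{not_before}|{not_after}".encode()

def issue_certificate(ca_priv, subject, issuer, subject_pub, not_before, not_after):
    tbs = cert_tbs(subject, issuer, subject_pub, not_before, not_after)
    return {"subject": subject, "issuer": issuer, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after,
            "signature": sign(ca_priv, tbs)}

def validate_certificate(cert, ca_pub, today: str) -> bool:
    """Accept the key-to-subject binding only if the CA signature verifies
    and 'today' falls inside the validity period."""
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False
    tbs = cert_tbs(cert["subject"], cert["issuer"], cert["public_key"],
                   cert["not_before"], cert["not_after"])
    return verify(ca_pub, tbs, cert["signature"])

def bob_accepts(cert, ca_pub, today: str, message: bytes, signature: int) -> bool:
    """Bob trusts the CA, not Alice directly: check her certificate against
    the CA first, then her signature with the key the certificate carries."""
    return validate_certificate(cert, ca_pub, today) and verify(cert["public_key"], message, signature)

if __name__ == "__main__":
    cert = issue_certificate(CA_PRIV, "Mirko Tedaldi", "CryptoNet", USER_PUB, "2000-01-16", "2001-01-15")
    sig = sign(USER_PRIV, b"order: 100 routers")
    print(bob_accepts(cert, CA_PUB, "2000-06-01", b"order: 100 routers", sig))  # True
    print(bob_accepts(cert, CA_PUB, "2001-02-01", b"order: 100 routers", sig))  # False: certificate expired
```

The order of checks in bob_accepts is the point of the slides: a valid signature under a key that no CA vouches for, or under a certificate outside its validity period, is rejected before the message signature is even examined.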

Page 9

Requirements

• Certification Authority
• Certificate Repository
• Certificate Revocation
• Key Backup & Recovery
• Support for non-repudiation
• Automatic Key Update
• Timestamping
• Key Histories
• Cross-certification

ENTRUST PKI software: Entrust/PKI Architecture (diagram): Entrust/Admin (Security Officers, Administrators), Entrust/Timestamp and Entrust/Authority around the Directory; Entrust/Entelligence and Entrust-Ready Applications: Web Browsers & Servers, SET (Wallets, Merchants, Payment Gateway), Routers, Firewalls, Gateways, Access Devices.

Page 10

Entrust/PKI Architecture (same diagram, highlighting Entrust/Authority and the Directory)

Entrust Authority:
• certificate issuance,
• certificate revocation,
• automatic key update,
• policy setting,
• other

The directory is the repository where the following are published:
• the certificate revocation lists (CRL),
• the cross-certificate revocation lists (ARL),
• the encryption certificates.

Page 11

Entrust/PKI Architecture (same diagram, highlighting Entrust/RA and Entrust/Entelligence)

Entrust/RA: through this interface the Authority can be administered remotely.

Entrust/Entelligence: Entrust's client-side software is fully integrated with the Windows 95/98 and NT desktop. Any type of file can be encrypted (decrypted), signed (verified) or timestamped (time-validated) with a single click.

Page 12

Entrust/PKI Architecture (same diagram, highlighting the VPN Connector)

Entrust/VPN Connector: a registration authority for IPSec devices: Cisco, Axent, etc.

Scalability: Automatic Key Lifecycle Management (diagram): Key Generation → Certificate Issuance → Key Usage → Certificate Validation → Key Expiry, and back to Key Generation.
• Keys and certificates require periodic renewal
• For scalability, VPN devices and IPSec client software should transparently update keys and certificates prior to expiry

Page 13

What is a VPN?

• At its simplest, a VPN (Virtual Private Network) is a network built on top of the services of another network
  – often VPNs are built on the public Internet, but not always

(Diagram: a mesh of networks linking the Paris Office, Sydney Office, New York Office and Tokyo Office.)

Uses for VPNs

• There are three key problems being solved:
  1. Remote Access: giving remote users on-demand access to network resources
  2. Branch Office: giving remote offices permanent VPN connectivity (sometimes called gateway to gateway)
  3. Extranet: giving partners access to common resources

Page 14

Prevailing Methods (diagram): the HQ LAN and the Remote Office LAN are joined through routers and a firewall across the Internet; the roaming user and the home user dial into a modem pool.

VPN Methods (diagram): the same topology, but traffic crosses the Internet inside an encrypted tunnel and travels in clear text only within each LAN.

Page 15

Business Reasons for VPNs

• Increased business being done over the Internet
• Secures communications at the network layer (IP) across all applications (including legacy apps)
• Cost effective for remote access: compare to a modem pool and long-distance charges
  "How often do they dial in and for how long? What about international calls? What will it cost to maintain this?"

The Nature of Secure VPNs

• The classic problems
  – authentication
  – integrity
  – confidentiality
  "Which devices do I trust? Which client machines do I trust? Is anyone able to monitor my session? Is anyone able to hijack my session?"

Page 16

Why is PKI important to VPN?

• It is relatively easy to build a secure pipe or tunnel between two nodes or users on a public network
• Unless you know exactly who is at both ends of the pipe it has little value (initial authentication is fundamental)
• Digital certificates provide a means to strongly authenticate users and devices in a VPN tunnel
• A managed PKI provides a scalable platform upon which to build large, secure and trusted VPNs.

Scalability

• VPNs do not scale without using public-key certificates

(Diagram: without certificates, i.e. with fully-meshed pre-shared keys, Effort ∝ n²; with certificates, Effort ∝ n.)

Page 17

VPN + PKI (diagram): two internal networks joined by a VPN, with the PKI providing the authentication at both ends.

Authentication in IPSec

• Manual keying
  – Difficult to administer and distribute
  – Prone to error
• Pre-shared keys
  – Single key or passphrase per peer
  – Still results in huge numbers of keys in meshed networks
• Digital signatures and certificates
  – Third-party trust minimizes the number of keys required for strong authentication

Page 18

An outline of IPSec

(Diagram of a protected datagram: IP Header | IPSec Header(s) AH/ESP | IP Data (Encrypted))

• "The goal of the IPSec architecture is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." (IETF RFC 2401)
• Interoperable authentication, integrity and encryption

Encapsulating Security Payload Header (ESP)

• The ESP header is prepended to the IP datagram
• Confidentiality through encryption of the IP datagram
• Integrity through a keyed hash function

ESP format: Security Parameter Index (SPI) | Sequence Number Field | Initialization Vector | Payload Data | Padding (if any) | Pad Length | Next Header | Authentication Data

Page 19

Authentication Header (AH)

AH format: Next Header | Payload Length | RESERVED | Security Parameter Index (SPI) | Sequence Number Field | Authentication Data

• The AH header is prepended to the IP datagram or to the upper-layer protocol
• The IP datagram, part of the AH header and the message itself are authenticated with a keyed hash function

IPSec Sessions (diagram): an IKE phase 1 exchange establishes the ISAKMP SA; under it, IKE phase 2 exchanges establish the IPSEC SAs that carry IP-tunneled traffic from net A to net B and from net A to net C.
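The ESP and AH layouts of the two slides above, as an added example that is not part of the original deck: a builder and a parser for each header, with HMAC-SHA1-96 assumed as the "keyed hash function" behind the Authentication Data field. Payload encryption needs a cipher outside the standard library, so the ESP payload is treated as opaque ciphertext supplied by the caller. The block goes one step past the slides and also checks the Sequence Number field against a sliding anti-replay window, which is how the field is actually used by a receiver; all keys and packets are constructed here.

```python
import hashlib
import hmac
import struct

# Added example: HMAC-SHA1-96 is assumed as the integrity algorithm (an
# assumption of this block, not a statement about the Omnitel deployment).
ICV_LEN = 12  # the 160-bit HMAC truncated to 96 bits

def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(key, spi, seq, iv, ciphertext, next_header, block=8):
    """SPI | Seq | IV | Payload | Padding | Pad Length | Next Header | ICV."""
    body = iv + ciphertext
    pad_len = (-(len(body) + 2)) % block           # align the trailer to the cipher block
    padding = bytes(range(1, pad_len + 1))          # default padding bytes 1, 2, 3, ...
    authenticated = struct.pack("!II", spi, seq) + body + padding + bytes([pad_len, next_header])
    return authenticated + icv(key, authenticated)  # the ICV covers everything but itself

def parse_esp(key, packet, iv_len):
    if len(packet) < 8 + iv_len + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authenticated, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(key, authenticated)):
        raise ValueError("ESP integrity check failed")  # verify before touching the payload
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    end_payload = len(authenticated) - 2 - pad_len
    if end_payload < 8 + iv_len or authenticated[end_payload:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return {"spi": spi, "seq": seq, "iv": authenticated[8:8 + iv_len],
            "ciphertext": authenticated[8 + iv_len:end_payload], "next_header": next_header}

def build_ah(key, next_header, spi, seq, ip_immutable, payload):
    """Next Header | Payload Len | Reserved | SPI | Seq | ICV.
    Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    header = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    # The keyed hash covers the immutable IP header fields, the AH header with
    # its ICV zeroed, and the upper-layer data ("IP datagram, part of AH header,
    # and message itself").
    tag = icv(key, ip_immutable + header + bytes(ICV_LEN) + payload)
    return header + tag

def parse_ah(key, packet, ip_immutable, payload):
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    ah_len = (payload_len + 2) * 4
    tag = packet[12:ah_len]
    expected = icv(key, ip_immutable + packet[:12] + bytes(len(tag)) + payload)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("AH integrity check failed")
    return {"spi": spi, "seq": seq, "next_header": next_header}

class ReplayWindow:
    """Anti-replay check on the Sequence Number field (sliding bitmap window)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:                     # ahead of the window: slide it forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                       # too old, or already seen
        self.bitmap |= 1 << offset
        return True

if __name__ == "__main__":
    key = b"constructed-sa-key"
    pkt = build_esp(key, 0x1000, 1, b"\x00" * 8, b"hello world!", 4)
    print(parse_esp(key, pkt, 8))
    print(parse_ah(key, build_ah(key, 6, 0x2000, 7, b"\x45\x00", b"segment"), b"\x45\x00", b"segment"))
```

The receiver verifies the Authentication Data first and only then reads pad length, next header and payload: a forged or corrupted packet is dropped before any of its contents influence processing, and the replay window then rejects a sequence number that has already been accepted or has fallen behind the window.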

Page 20

IKE

Used to carry out authentication between the VPN endpoints and to exchange the keys of the IPSEC sessions. It runs over the UDP protocol (port 500).

• phase 1 - in this phase authentication between the VPN endpoints takes place (ISAKMP session),
• phase 2 - in this phase the algorithms, the key length, the maximum session lifetime and the session key for the IPSEC sessions are negotiated

(Diagram: a router and a firewall negotiating across an insecure channel.)

Security Association (SA)

• Agreement between two entities on the method to communicate securely
• Unidirectional: two-way communication consists of two SAs

Page 21

VPN Architecture (diagram): CA, CA Admin, Master Directory, Slave Directory 1, Slave Directory 2, VPN Connector, VPN CGI, Router 1, Router 2.

Communication protocols

Protocol | Function | TCP port
CMP (Certificate Management Protocol) | Key and certificate management | 829
LDAP (Lightweight Directory Access Protocol) | Access to the X.500 directory over TCP/IP | 389
DISP (Directory Shadowing Protocol) | Shadowing between the master directory and the slave directories | 102
CEP (Certificate Enrollment Protocol) | Enrollment of the Cisco 1600 routers |
HTTP (Hypertext Transfer Protocol) | Access through the web server to the CGI of the VPN Connector | 80

Page 22

Administration protocols

Protocol | Function | TCP port
SPKM (Simple Public-Key GSS-API Mechanism) | Remote administration of the CA through the Entrust/Admin interface | 710
DAP (Directory Access Protocol) | Remote administration of the directories through the DAC interface | 102

Communications in a VPN (1)

Source | Destination | Protocol | Action
ENROLLMENT
Router | VPN CGI | HTTP | Enrollment request
VPN CGI | VPN Connector | CEP | Dispatch of the enrollment request
VPN Connector | Certification Authority | SEP | Enabling of the router in the CA
Certification Authority | Master Directory | LDAP | Publication of the routers' certificates
Master Directory | Slave Directory | DISP | Update of the shadow copies

Page 23

Communications in a VPN (2)

Source | Destination | Protocol | Action
IPSEC
Router | Slave Directory | LDAP | Download of the CRLs
REVOCATION
VPN Connector | Master Directory | LDAP | Revocation of the routers' certificates

The enrollment process

When a new router joins a VPN, the enrollment process must first be carried out, which consists of:
• authentication and recognition of the certification authority,
• generation of the cryptographic key pairs,
• request for certification of the keys and retrieval of the router's own digital certificates

Page 24

The enrollment process

Step 1: recognition of the authority (diagram): the router asks the RA (VPN Connector) for its certificates (CERTS?); the RA returns them, and the router displays their fingerprint (aa:b0:c2:...). The router administrator compares it with the fingerprint obtained from the RA administrator (Fingerprint? aa:b0:c2:...).

Page 25

The enrollment process

Step 2: key generation on board the router (diagram): the router generates its key pairs locally, with the RA (VPN Connector) and the CA (o=cryptonet,c=it) not involved.

Step 3: certification of the public keys (diagram): the router sends its public keys to the RA (VPN Connector) with the request "please certify", for the CA (o=cryptonet,c=it).

Page 26

The enrollment process

Step 3, continued (diagram): the RA (VPN Connector) administrator compares the fingerprint of the keys received (b2:c4:e6:00:… e9:aa:cc:01:...) with the fingerprint reported by the router administrator (Fingerprint? b2:c4:e6:00:… e9:aa:cc:01:...); when they match, the request is granted (GRANT!) and the CA (o=cryptonet,c=it) issues the certificates.

Page 27

The enrollment process

End: the router holds all the material needed to get itself recognized (its certificates from the CA o=cryptonet,c=it).

• It is carried out only once,
• it is a complex and very delicate process,
• the procedure must be carried out scrupulously so as not to compromise its validity,
• it involves several actors:
  – the router administrators,
  – the VPN administrators (RA),
  – the CA administrators
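The two fingerprint comparisons in the enrollment process (step 1, where the router administrator confirms the RA/CA certificates, and step 3, where the RA administrator confirms the router's keys) as an added example, not part of the original deck and not Cisco or Entrust code. It assumes SHA-1 fingerprints in the aa:b0:c2:... form shown on the slides and uses constructed placeholder bytes in place of real certificates; the helper accepts a value as an operator would read it back over the phone (any case, with or without colons) and rejects a truncated prefix.

```python
import hashlib
import hmac

# Added example. SHA-1 is assumed as the fingerprint algorithm; the
# certificate bytes used in __main__ and the tests are constructed.

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex digest of the encoded certificate or key."""
    h = hashlib.new(algo, der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(fp: str) -> str:
    """Keep only hex digits, lower-cased, so 'Aa:B0 c2' and 'aa:b0:c2' compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")

def confirm(der: bytes, expected_fp: str, algo: str = "sha1") -> bool:
    """True only if the complete fingerprint matches the value obtained out of
    band. A prefix such as 'aa:b0:c2:...' is rejected: the '...' on the slides
    is a display abbreviation, and a short prefix does not identify a key."""
    expected = normalize(expected_fp)
    actual = normalize(fingerprint(der, algo))
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)

def ra_grant(router_key_der: bytes, fp_from_router_admin: str) -> str:
    """Step 3 on the RA side: GRANT only when the router administrator's value matches."""
    return "GRANT" if confirm(router_key_der, fp_from_router_admin) else "REJECT"

if __name__ == "__main__":
    ca_cert = b"constructed CA certificate bytes"          # stand-in, not a real certificate
    print(fingerprint(ca_cert))                           # what the router shows after CERTS?
    print(confirm(ca_cert, fingerprint(ca_cert).upper())) # True: case does not matter
    print(ra_grant(b"constructed router key", fingerprint(b"constructed router key")))  # GRANT
```

Both administrators compare the complete value; a check that stops at the first few bytes would let a key whose fingerprint merely shares a prefix through, which is why confirm insists on equal length before the constant-time comparison.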

Page 28

Authentication between routers

During normal operation of the VPN, the only moments in which there is contact with the PKI are during the authentication phase (diagram: the routers hold "ca trust"; they ask the X.500 DIRECTORY for the CRL, receive the list of revoked certificates, serials 012342143, 123234213, 234342343, 333242324, and authenticate each other: OK!).

CRL download

During normal operation of the VPN, the only interaction with the PKI is with the directory alone, to obtain the most up-to-date CRLs:
• it requires no manual operation,
• it is carried out only when the last CRL downloaded has expired
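The router-side CRL behaviour just described, as an added example that is not part of the original deck and not Cisco or Entrust code: a cache that re-downloads only when the held CRL has expired, consulted at authentication time. Times are Unix timestamps in seconds, the CRL is a plain dict standing in for the X.509 CRL the slave directory serves over LDAP, and the revoked serials are the four shown on the slide.

```python
# Added example. The CRL dict and the timestamps are constructed; the fetch
# callable stands in for the LDAP download from the slave directory.
DAY = 86400

def directory_crl(issued_at: int, validity: int = DAY) -> dict:
    """Constructed stand-in for what the directory returns."""
    return {
        "this_update": issued_at,
        "next_update": issued_at + validity,
        "revoked": {"012342143", "123234213", "234342343", "333242324"},
    }

class CrlCache:
    def __init__(self, fetch):
        self.fetch = fetch        # callable(now) -> CRL dict, i.e. the LDAP download
        self.crl = None
        self.downloads = 0        # how many times the directory was contacted

    def current(self, now: int) -> dict:
        """No manual step: download only when there is no CRL yet or the
        cached one has reached its next_update."""
        if self.crl is None or now >= self.crl["next_update"]:
            self.crl = self.fetch(now)
            self.downloads += 1
        return self.crl

    def peer_allowed(self, serial: str, now: int) -> bool:
        """Called while authenticating a peer: its certificate serial is checked
        against the freshest CRL the router holds."""
        return serial not in self.current(now)["revoked"]

if __name__ == "__main__":
    cache = CrlCache(lambda now: directory_crl(issued_at=now))
    t0 = 978_998_400                                     # constructed: 2001-01-09 00:00 UTC
    print(cache.peer_allowed("012342143", t0))           # False: revoked
    print(cache.peer_allowed("555555555", t0 + 3600))    # True, and no new download
    print(cache.peer_allowed("555555555", t0 + 2 * DAY), cache.downloads)  # True 2
```

Because the decision is taken on the cached list until next_update, a revocation published by the VPN Connector becomes effective on a given router only at that router's next download; the CRL validity period chosen at the CA is therefore the upper bound on how long a revoked router can still authenticate.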

Page 29

The customer

• Name: Omnitel Pronto Italia
• Importance: 2nd mobile operator in the world
• Subscribers: > 9M

The project

• Name: Omnitel2000
• Scope: use GSM as distribution points of new services (from horoscope to finance)
• Challenge: time to market
• Requirements: availability of service, scalability

Page 30

The solution

• Idea: create a star network between Omnitel and the content providers, use IP over CDN, authenticate the end-points
• Products: Cisco routers (the net), Entrust/PKI, Entrust/VPN Connector, PeerLogic i500 directory
• Results: 1st (by birth) and 2nd (by growth = 1000 routers) largest VPN in the world based on this technology

OmnitelVPN: main project tasks

1) Preparatory phase: 12 man-days
2) Procurement: 2 man-days
3) Installation: 54 man-days
4) System test: 6 man-days
5) System delivery: 2 man-days
6) Staff training: 70 man-days
7) Documentation: 60 man-days
8) Maintenance (out of project plan)

Page 31

SubTasks

• Preparatory phase
  – Topology study
  – Network configuration
  – Protection systems
  – X.500 naming structure
• Procurement
  – Hardware
  – Software licences

SubTasks: Installation

• Master Directory
  – Software installation 1
  – DSA 1 configuration
  – Software installation 2
  – DSA 2 configuration
  – Redundancy configuration
• Certification Authority
  – Software installation
  – Pre-configuration
• VPN Connector
  – Web server installation and configuration
  – Registration Authority GUI
• Intermediate system test
  – CISCO configuration
  – Enrollment and debug
• Secondary Directories
  – Software installation 1
  – DSA 1 configuration
  – Software installation 2
  – DSA 2 configuration
  – Redundancy configuration

Page 32

SubTasks

• System test
  – CISCO configuration: CA declaration, key generation
  – Enrollment and debug
• System delivery
• Staff training
  – General PKI training
  – VPN administrator
  – CISCO administrator
• Documentation
  – Project documentation
  – Troubleshooting guide
  – Procedures guide

Project Workplan

ID  Task Name
1   Project management
2   Preparatory phase
3   Topology study
4   Network configuration
5   Protection systems
6   X.500 naming structure
7   Procurement
8   Hardware
9   Software licences
10  Installation
11  Master Directory
12  Certification Authority
13  VPN Connector
14  Intermediate system test
15  Secondary Directories
16  System test
17  CISCO configuration
18  Enrollment and debug
19  System delivery
20  Staff training
21  General PKI training
22  VPN administrator
23  CISCO administrator
24  Documentation
25  Project documentation
26  Troubleshooting guide

(Gantt bars on a weekly axis running from 27 Nov '00 to early Feb '01.)

Page 33

Question Time

[email protected]

Additional material

Page 34

Types of Enrollment (diagram of the three ways a VPN device talks to the Certification Authority (CA)):
• PKCS-equipped VPN device: PKCS #10 file-based certificate request; PKCS #7 file-based certificate retrieval
• CEP-equipped VPN device: CEP HTTP-based certificate request and retrieval (supported in VPN Connector)
• PKIX-equipped VPN device: PKIX-CMP certificate request and management (supported with Entrust IPSec Negotiator)

How IPSec works in PKI environment

Components in the diagram: Entrust/Authority (CA) with an LDAP Directory; User/Node A and User/Node B, each running IPSec AH/ESP, IKE and PKI Support. The nodes reach the CA and directory over LDAP and PKIX-CMP; the diagram also shows the nodes' public keys PK(A) and PK(B) and the exchanged Cert(A)+Sig and Cert(B)+Sig.

1. PKI Enrollment. Key/cert lifetime ~1yr.
2. Mutual authentication using digital signature and certificates (Cert(A)+Sig, Cert(B)+Sig). On success IKE SA is negotiated. Lifetime ~days.
3. IKE SA used to secure IPSec SA negotiation. Lifetime shorter than IKE SA and can be limited by data volume.
4. IPSec SA and keys used to secure AH/ESP traffic.
5. When IPSec SA expires: re-negotiate with pre-existing IKE SA. When IKE SA expires: authenticate with dig sig and certs and negotiate new IKE SA (step 2).
6. When certs expire re-enroll (PKCS#10) or use PKIX-CMP to automatically update with new keys and certs.
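The nested lifetimes of steps 1 to 6 (certificate, IKE SA, IPSec SA) decide which part of the exchange has to be repeated when something expires. The following is an added example, not code from the slides or from Entrust or Cisco: a small decision function that, given the state of a peer, returns the step that must run before AH/ESP traffic can flow. All lifetime values in it are constructed samples chosen to match the slide's orders of magnitude (cert ~1 year, IKE SA ~days, IPSec SA shorter and volume-limited), not product defaults, and the names `Lifetime`, `PeerState`, `next_action`, `fresh_peer` and `record_traffic` are this example's own.

```python
"""Added example (not from the slides): the nested lifetimes of steps 1-6
modelled as a decision function that says which step must run next.

All lifetimes are constructed sample values, not Entrust or Cisco defaults.
"""
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Lifetime:
    """Validity window of a certificate or of a security association."""
    established_at: float              # simulation clock (seconds) when it was set up
    lifetime_s: float                  # hard lifetime in seconds
    byte_limit: Optional[int] = None   # optional data-volume cap (used for IPSec SAs)
    bytes_used: int = 0

    def expired(self, now: float) -> bool:
        # Time-based expiry applies to everything; the byte cap only where one is set.
        if now - self.established_at >= self.lifetime_s:
            return True
        return self.byte_limit is not None and self.bytes_used >= self.byte_limit


@dataclass
class PeerState:
    cert: Lifetime                        # step 1: enrolled key/certificate, ~1 year
    ike_sa: Optional[Lifetime] = None     # step 2: ~days
    ipsec_sa: Optional[Lifetime] = None   # step 3: shorter, may be volume-limited


def next_action(peer: PeerState, now: float) -> str:
    """Which step of the diagram has to run before AH/ESP traffic can flow."""
    if peer.cert.expired(now):
        return "re-enroll"                              # step 6: PKCS#10 or PKIX-CMP key update
    if peer.ike_sa is None or peer.ike_sa.expired(now):
        return "authenticate-and-negotiate-ike-sa"      # step 2 (and step 5, IKE SA expired)
    if peer.ipsec_sa is None or peer.ipsec_sa.expired(now):
        return "negotiate-ipsec-sa"                     # step 3 (and step 5, IPSec SA expired)
    return "send-traffic"                               # step 4: AH/ESP with the current keys


def fresh_peer(now: float = 0.0) -> PeerState:
    """A node just after enrollment and a first successful IKE/IPSec negotiation.
    Constructed sample lifetimes: cert 365 days, IKE SA 1 day, IPSec SA 1 hour or 100 MiB."""
    return PeerState(
        cert=Lifetime(now, 365 * DAY),
        ike_sa=Lifetime(now, 1 * DAY),
        ipsec_sa=Lifetime(now, 1 * HOUR, byte_limit=100 * 1024 * 1024),
    )


def record_traffic(peer: PeerState, nbytes: int) -> None:
    """Account protected bytes against the IPSec SA's volume limit."""
    if peer.ipsec_sa is not None:
        peer.ipsec_sa.bytes_used += nbytes


if __name__ == "__main__":
    peer = fresh_peer()
    for t in (10, 2 * HOUR, 2 * DAY, 400 * DAY):
        print(f"t={t:>10}s -> {next_action(peer, t)}")
```

The ordering of the checks is the point: an expired IPSec SA is renewed under the still-valid IKE SA without touching certificates, an expired IKE SA forces a new signature-based authentication, and only an expired certificate sends the node back to enrollment.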


CA definition

• ip domain-name cryptonet.it
• crypto ca identity myCA
• enrollment mode ra
• enrollment url http://192.168.0.1/cgi-bin
• query url ldap://192.168.0.2
• crl optional

An example of Cisco Configuration

Step 1—Generate Public/Private Keys

cisco(config)#crypto key gen rsa usage-key
The name for the keys will be: mirko.cryptonet.it
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]:
Generating RSA keys ...
[OK]
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]:
Generating RSA keys ...
[OK]

An example of Cisco Configuration


#sho crypto key mypublic rsa
% Key pair was generated at: 01:18:43 UTC Mar 1 1999
Key name: mirko.cryptonet.it
Usage: Signature Key
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BEDC6C FBD327FC
2AFC7521 F2DE3D04 D3239759 7908C8F1 64F0E58F 0116CF6A 897D6210 2D4BFC80
CE41DF7B AA75ECAA 6680B13F 30F079BE DD361565 A325B72A 3D020301 0001

% Key pair was generated at: 01:18:45 UTC Mar 1 1993
Key name: mirko.cryptonet.it
Usage: Encryption Key
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C06DC2 3AE2BF72
CE9FD6F6 55C13A0D A3C183D5 1E7E4523 E8863DDC D852FD32 86461BBC F10EEA77
8A6A5AC9 AFEF6B0A 03107565 03384DB4 4E6C4A77 0C594B10 31020301 0001

Step 1—Generate Public/Private Keys

An example of Cisco Configuration
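The "Key Data" that `show crypto key mypublic rsa` prints is the DER encoding of an X.509 SubjectPublicKeyInfo, so an administrator can check the modulus size and public exponent against policy before enrolling the key. The following is an added example, not code from the slides or from Cisco: a minimal DER walker that decodes the Signature Key hex copied from the slide above. It handles only the definite-length encodings that appear in RSA public keys; the helper names (`_tlv`, `parse_rsa_public_key`, `meets_policy`) and the 2048-bit minimum in `meets_policy` are this example's own assumptions, not a value from the presentation.

```python
"""Added example (not from the slides): decode the Key Data hex printed by
`show crypto key mypublic rsa` and check the RSA key against a policy.

Layout being parsed:
  SubjectPublicKeyInfo ::= SEQUENCE {
      algorithm  AlgorithmIdentifier (OID rsaEncryption, NULL),
      subjectPublicKey BIT STRING { RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER } } }
"""
from typing import Tuple

# Signature Key data copied from the slide (router mirko.cryptonet.it).
SIGNATURE_KEY_HEX = (
    "305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BEDC6C FBD327FC "
    "2AFC7521 F2DE3D04 D3239759 7908C8F1 64F0E58F 0116CF6A 897D6210 2D4BFC80 "
    "CE41DF7B AA75ECAA 6680B13F 30F079BE DD361565 A325B72A 3D020301 0001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(key_data_hex: str) -> dict:
    """Return {'modulus_bits': ..., 'exponent': ...} for an rsaEncryption SubjectPublicKeyInfo."""
    der = bytes.fromhex(key_data_hex.replace(" ", ""))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING (tag or unused-bits octet)")
    tag, rsa, _ = _tlv(bits[1:], 0)                     # RSAPublicKey SEQUENCE
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    t_n, n_bytes, pos = _tlv(rsa, 0)
    t_e, e_bytes, _ = _tlv(rsa, pos)
    if t_n != 0x02 or t_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")                  # a leading 0x00 pad does not change the value
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e}


def meets_policy(key: dict, min_bits: int = 2048) -> bool:
    """Assumed policy for this example: at least min_bits modulus and an odd exponent >= 65537."""
    return key["modulus_bits"] >= min_bits and key["exponent"] >= 65537 and key["exponent"] % 2 == 1


if __name__ == "__main__":
    key = parse_rsa_public_key(SIGNATURE_KEY_HEX)
    print(key, "meets policy" if meets_policy(key) else "below policy")
```

Run against the slide's own key the parser reports a 512-bit modulus with exponent 65537, which the prompt's default of [1024] does not reveal on its own; that is exactly the kind of detail a policy check should catch before the enrollment request goes out.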

Cisco(config)#cryp ca authenticate myCA
Certificate has the following attributes:
Fingerprint: 1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7
% Do you accept this certificate? [yes/no]: y

Step 2—Request the CA and RA Certificates
Manually verify Fingerprint of CA

An example of Cisco Configuration



cisco(config)#crypto ca enroll myCA
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: mirko.cryptonet.it
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y

Step 3—Enrol the Router with the CA

An example of Cisco Configuration


cisco(config)#
Signing Certificate Request Fingerprint:
4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
Encryption Certificate Request Fingerprint:
D33447FE 71FF2F24 DA98EC73 822BE4F7

Step 3—Enrol the Router with the CA
Fingerprints sent to CA for manual verification

An example of Cisco Configuration
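Both Step 2 (the router administrator compares the CA fingerprint shown by `crypto ca authenticate` with a value obtained out of band) and Step 3 (the CA administrator compares the request fingerprints read to them with what the CA received) come down to the same check: recompute a digest over the DER bytes and compare it with a value that was typed in by a person. The following is an added example, not code from the slides or from Cisco or Entrust. It assumes, as was the case for that generation of IOS, that the 128-bit fingerprint displayed in four 8-digit groups is the MD5 digest of the DER-encoded object; the certificate bytes in it are a constructed stand-in, so its digest does not equal the value on the slide, and the names `ios_fingerprint`, `normalise` and `fingerprint_matches` are this example's own.

```python
"""Added example (not from the slides): out-of-band fingerprint verification
for Step 2 (CA certificate) and Step 3 (certificate requests).

Assumption: the 128-bit fingerprint IOS displays is MD5 over the DER bytes,
formatted as four groups of eight hex digits.
"""
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate; not a real CA certificate.
CONSTRUCTED_CERT_DER = bytes.fromhex(
    "3082000A3008020101020201F4"  # arbitrary bytes used only as digest input
)


def ios_fingerprint(der: bytes) -> str:
    """Format the MD5 digest the way `crypto ca authenticate` displays it."""
    digest = hashlib.md5(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def normalise(fingerprint: str) -> str:
    """Accept the value as a person would relay it: any case, spaces or colons between groups."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison of the computed fingerprint with the out-of-band value.

    A value of the wrong length is rejected outright instead of being compared,
    so a truncated or mis-typed fingerprint can never be accepted.
    """
    want = normalise(expected)
    if len(want) != 32:
        return False
    got = normalise(ios_fingerprint(der))
    return hmac.compare_digest(got, want)


def decide(der: bytes, expected: str) -> str:
    """The answer to IOS's "Do you accept this certificate? [yes/no]" prompt."""
    return "yes" if fingerprint_matches(der, expected) else "no"


if __name__ == "__main__":
    print("computed:", ios_fingerprint(CONSTRUCTED_CERT_DER))
    # The value from the slide belongs to a different certificate, so this prints "no".
    print("accept slide value?", decide(CONSTRUCTED_CERT_DER, "1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7"))
```

The same `fingerprint_matches` serves the CA side in Step 3: the administrator feeds it the received PKCS#10 request bytes and the fingerprint the router operator read out, and grants the request only on a match.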



cisco#show crypto ca certificate
Certificate
  Subject Name
    Name: mirko.cryptonet.it
  Status: Pending
  Key Usage: Signature
  Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB

Certificate
  Subject Name
    Name: mirko.cryptonet.it
  Status: Pending
  Key Usage: Encryption
  Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7

Step 4—CA grants Certificates
Status Pending -> Available

An example of Cisco Configuration
