In the last article, we saw how to configure a site-to-site VPN tunnel between a Cisco ASA (or Cisco router, etc.) and an Ubuntu server. In that article, we used pre-shared keys for authentication. In this article, we will look at how to use digital certificates for authentication.
I have edited the lab setup slightly to include a Cisco router that will act as a certificate server:
I have already configured the router as an IOS certificate server and enroled the Cisco ASA with this CA for a digital certificate of its own. You can refer to this article for the steps to configuring a Cisco IOS certificate server. Also, these two articles (part 1 and part 2) will guide you on how to configure the Cisco ASA to use digital certificates for VPN authentication.
The configuration change and additions on the ASA is as follows:
crypto ca trustpoint IOS-CA enrollment url http://192.0.2.100:80 subject-name CN=ASA, O=example.com, c=NG ! crypto ikev1 policy 20 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 ! crypto map MYMAP 10 set trustpoint IOS-CA ! tunnel-group 192.0.2.1 ipsec-attributes peer-id-validate nocheck ikev1 trust-point IOS-CA !
Like I already said, the Cisco ASA has been enroled with the IOS CA. We can view the certificates on the Cisco ASA by using the show crypto ca certificates command:
Let’s now turn our attention to the Ubuntu computer. Before we make changes to our VPN configuration file, we first need to enrol with the Cisco IOS certificate server so that we can get a digital certificate to use for authentication. We will be using OpenSSL for this process. There is a good OpenSSL cookbook here that walks you through the steps of obtaining a certificate from a CA but here’s the summary:
RSA key generation.
Create a Certificate Signing Request (CSR) with which to request a certificate from the CA.
Add certificates (CA certificate and granted certificate) to relevant stores.
When using Openswan, there are certain predefined locations for you to store the different files related to digital certificates as shown below (located in the /etc/ipsec.d folder):
In the above screenshot, RSA keys are to be stored in the “private” folder, CA certificates should be stored in the “cacerts” folder and device certificates should be stored in the “certs” folder.
So let’s first generate our RSA keys. You can choose to protect your private keys using an encryption algorithm (such as 3DES, AES) and specifying a passphrase. Openswan supports private keys that are encrypted using the 3DES algorithm. Therefore, we will use the following command to generate our RSA keys:
openssl genrsa –des3 -out /etc/ipsec.d/private/UbuntuKey.pem 2048
I protected my private key using a passphrase of “cisco123”. It is important to remember this passphrase as we will use it later in our configuration.
The next step is to create a certificate signing request (CSR) which we will do using the following command:
openssl req -new -key /etc/ipsec.d/private/UbuntuKey.pem -out /etc/ipsec.d/private/UbuntuCSR.pem
Note: If you protected your private key with a passphrase, you will be required to enter the passphrase to generate the CSR.
The location of the CSR file is not really important as we just need to copy the contents and use it to get a certificate from the CA. For the CSR, we will be required to fill out the CSR details such as country, common name and organization name. If you want a field to be left blank, use a period “.” instead of just pressing Enter so that the field is not filled with the default value (for fields that have default values). My CSR looks like this:
Let’s view and copy the contents of the CSR file we generated:
The content of my CSR file is as follows:
-----BEGIN CERTIFICATE REQUEST----- MIICeTCCAWECAQAwNDELMAkGA1UEBhMCTkcxFDASBgNVBAoMC2V4YW1wbGUuY29t MQ8wDQYDVQQDDAZVYnVudHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCzppVG6hUYlJRKlgaP2nhc+edMpK+YFljXEdf8bzn/i++YsCCTgo0AR/Uc4XXH 8xVhQo7l+rd0PZKDuVfE1e5XSLujKo+7sixubsi0hupZ9eSgD8UcAV2yet9wlJ7C AcHBQivzrKV0bvkKkHYzOG7IVyjagoM7UQ//S4NeVKgdRIqbQaTMdE8QgMiyyhD4 5ZxS+ItTgGUvUiMvdYufNfaksBlbqY1ePGfdK/ByrAuds3mDzBBBwUQqw5i1swiy Y93jwbWzKw+YJ0hB0UMnwGNjrAtbj9miYJSHMYSX6rpJCJlYmzfeHTCcjivfGftj 9/AOi1SI1+XPeYGjaytUqbC5AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAFXyb z6t1gMTGqfvUutTbK2ZAttb/jJbXg/6dH3QlrHhOiLnpiu7ClTkHtK1LTt3XArn9 bFGulPHuvpZTOBUZpbRHi3gjQbIuvUG1z4mTF84tRjfgHwLHzLS72t4/2x34+wkR YB1uAkzHq41qCUWJgRBqte7WZ4kEsIeHZvxg5VNtjn27xWGi/Gs9t41SD8DyC3gg 7tThJMgHrgZ1rklqu1Q4eS4xAAeHRL7MFmjOijMIxK4WVjmjRz5bH+OWrQAhf4Kp Y+ccXWJdiJAQIqgBipJM+4qJcDEnxrTFePJgFRs/Xby0+WeAOuCehKz++jdyEXLX QatDI+YBu2v4trNUnA== -----END CERTIFICATE REQUEST-----
The Cisco IOS certificate server can grant certificates by pasting the contents of a CSR into the terminal. To do that, we will use the following command from EXEC mode:
crypto pki server IOS-CA request pkcs10 terminal pem
With this command, the Cisco IOS will request for the contents of the CSR file and then generate a certificate which we can then copy and paste into a file.
Notice the line that begins with “Granted certificate” followed by the certificate: the certificate was automatically granted because of the way I set up the certificate server (i.e. I configured the “grant auto” command).
All I have to do now is copy the certificate (everything after the “% Granted certificate:”) and paste it in a file in the Ubuntu system. In my case, I have put the certificate in /etc/ipsec.d/certs/UbuntuCert.pem. Let’s view the certificate in a format that makes sense using the following command:
openssl x509 -text -in /etc/ipsec.d/certs/UbuntuCert.pem -noout
The snippet of my own certificate is as shown below:
The next thing we need to do is add the CA certificate to the cacerts folder. We can export the IOS CA certificate using the crypto pki export command.
On the Ubuntu system, I have saved mine in the following file: /etc/ipsec.d/cacerts/IOS-CA_Cert.pem. Let’s view this file in a format that we can comprehend:
openssl x509 -text -in /etc/ipsec.d/cacerts/IOS-CA_Cert.pem -noout
Let’s stop here for now. So far, we have added a Cisco IOS router to act as a certificate authority. The Cisco ASA and the Ubuntu system have also received digital certificates from the CA which they will use for VPN authentication.
In the next article, we will complete this topic by configuring the VPN tunnel to use the digital certificates for authentication.
References and further reading
IOS CA – basic deployment; certificate enrollment and signing process: https://supportforums.cisco.com/document/57441/ios-ca-basic-deployment-certificate-enrollment-and-signing-process
Howto OpenSWAN: https://www.shrew.net/support/Howto_OpenSWAN