Firewalls

ca

To configure the firewall to interoperate with a certification authority (CA). (Configuration mode.)
ca authenticate ca_nickname [fingerprint] [no] ca configure ca_nickname ca | ra retry_period retry_count [crloptional] show ca configure [no] ca crl request ca_nickname show ca crl [no] ca enroll ca_nickname challenge_password [serial] [ipaddress] ca generate rsa key | specialkey key_modulus_size [no] ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip address] show ca identity [no] ca save all ca zeroize rsa [keypair_name] show ca certificate show ca mypubkey rsa

Syntax Description

ca_nickname The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.
Currently, the firewall supports only one CA at a time.

fingerprint A key consisting of alphanumeric characters the firewall uses to authenticate CA's certificate.

ca | ra Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command.
Some CA systems provide an RA, which the firewall contacts instead of the CA.

retry_period Specify the number of minutes the firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.

retry_count Specify how many times the firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the firewall should contact the CA to obtain a pending certificate.

crloptional Allows other peers' certificates be accepted by the firewall even if the appropriate certificate revocation list (CRL) is not accessible to the PIX Firewall. The default is without the crloptional option.

challenge_password A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

serial Return the firewall unit's serial number in the certificate.

ipaddress Return the firewall unit's IP address in the certificate.

key This specifies that one general-purpose RSA key pair will be generated.

specialkey This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.

key_modulus_size The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.

ca_ipaddress The CA's IP address.

:ca_script_location The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script using ca identity.
A firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.

ldap_ipaddress The IP address of the Lightweight Directory Access Protocol (LDAP) server.
By default, querying of a certificate or a CRL is done via the PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

Usage Guidelines
The sections that follow describe each ca command.
The firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft.
If you are using the VeriSign CA, use the crloptional parameter with the ca configure command.
The lifetime of a certificate and the certificate revocation list (CRL) is checked in GMT. Set the clock to GMT to ensure that CRL checking works correctly.

ca authenticate

Obtain the self-signed certificate of a CA. This certificate contains the CA's public key.
To authenticate a peer's certificate(s), a firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in an out-of-band process. The firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.
If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.
The ca authenticate command is not saved to the firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.
To view the CA's certificate, use the show ca certificate command. If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, re-enter the command.
Examples
In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.
ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.
ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of
available commands.

ca configure

Specify the communication parameters between the PIX Firewall and the CA.
Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command. When using VeriSign as the CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the firewall validates the certificate during main mode, which causes the peer firewall to fail. This problem occurs because the firewall is not able to poll the CRL from the VeriSign CA.
The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the firewall to accept other peer's certificates.
ca configure myca ca 5 15 crloptional

ca crl request

Allow the firewall to obtain an updated CRL from the CA at any time.
A CRL lists all the network's devices' certificates that have been revoked. The firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with the firewall.
The first time the firewall receives a certificate from a peer, it will download a CRL from the CA. a firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. When the CRL does expire, the firewall automatically updates it by downloading a new CRL and replacing the expired CRL with the new CRL.
If the firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
The ca crl request command is not saved with the firewall configuration between reloads.
The following example indicates the firewall will obtain an updated CRL from the CA with the name myca:
ca crl request myca

Running no ca crl deletes the CRL within the firewall.
ca enroll

Send an enrollment request to the CA requesting a certificate for all of the firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
a firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for the keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.
The ca enroll command is not saved with the firewall configuration between reloads. To verify if the enrollment process succeeded and to display the firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.
The required challenge password is necessary in the event that you need to revoke the firewall unit's certificate(s). When you ask the CA administrator to revoke the certificate, supply this challenge password as a protection against fraudulent or mistaken revocation requests.
This password is not stored anywhere, so you need to remember this password.
If you lose the password, the CA administrator may still be able to revoke the firewall's certificate, but will require further manual authentication of the firewall administrator identity.
The firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask the CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.
The firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the firewall is moved, you would need to issue a new certificate.
When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command page for information about the isakmp identity address command.
The following example indicates that the firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the firewall unit's serial number to be embedded in the certificate.
ca enroll myca.example.com 1234567890 serial

ca generate rsa

Generate RSA key pairs for the firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If the firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Before issuing this command, make sure the firewall has a host name and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a host name and domain name.
The ca generate rsa command is not saved in the firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.
In this example, one general-purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.
ca generate rsa key 2048

You cannot generate both special usage and general purpose keys; you can only generate one or the other.
ca identity

Declares the CA that the firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.
The firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the previously listed location, include the location and the name of the script within the ca identity command statement.
By default, querying of a certificate or a CRL is done via the PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.
The following example indicates that the CA myca.example.com is declared as the firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.
ca identity myca.example.com 205.139.94.231

ca save all

Save the firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from firewall unit's Flash memory.
The ca save command itself is not saved with the firewall configuration between reloads.
To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user is allowed to issue this show command.
ca zeroize rsa

Delete all RSA keys that were previously generated by the firewall. If you issue this command, also perform two additional tasks. Perform these tasks in the following order:
Use the no ca identity command to manually remove the firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.
Ask the CA administrator to revoke the firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the firewall unit's certificates using the crypto ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.
You may have more than one pair of RSA keys due to SSH.
show ca certificate

Display the CA Server's subject name, CRL distribution point (where the firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the
firewall's certificates.
The following is sample output of the show ca certificate command. The CA certificate stems from a Microsoft CA server previously generated for this firewall.
show ca certificate RA Signature Certificate Status:Available Certificate Serial Number:6106e08a000000000005 Key Usage:Signature CN = SCEP OU = VSEC O = Cisco L = San Jose ST = CA C = US EA =<16> username@example.com Validity Date: start date:17:17:09 Jul 11 2000 end date:17:27:09 Jul 11 2001 Certificate Status:Available Certificate Serial Number:1f80655400000000000a Key Usage:General Purpose Subject Name Name:pixfirewall.example.com Validity Date: start date:20:06:23 Jul 17 2000 end date:20:16:23 Jul 17 2001 CA Certificate Status:Available Certificate Serial Number:25b81813efe58fb34726eec44ae82365 Key Usage:Signature CN = MSCA OU = Cisco O = VSEC L = San Jose ST = CA C = US EA =<16> username@example.com Validity Date: start date:17:07:34 Jul 11 2000 RA KeyEncipher Certificate Status:Available Certificate Serial Number:6106e24c000000000006 Key Usage:Encryption CN = SCEP OU = VSEC O = Cisco L = San Jose ST = CA C = US EA =<16> username@example.com Validity Date: start date:17:17:10 Jul 11 2000 end date:17:27:10 Jul 11 01

show ca certificate Output Strings

Sample Output String Description

CN common name

C country

EA E-mail address

L locality

ST state or province

O organization name

OU organizational unit name

DC domain component

show ca crl

Show whether there is a CRL in RAM, and where and when the CRL is downloaded.
The following is sample output of the show ca crl command
show ca crl CRL: CRL Issuer Name: CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA =<16> username@example.com LastUpdate:17:07:40 Jul 11 2000 NextUpdate:05:27:40 Jul 19 2000

show ca mypubkey rsa

Display the firewall unit's public keys in a DER/BER encoded PKCS#1 representation.
The following is sample output of the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this firewall using the ca generate rsa command.
show ca mypubkey rsa % Key pair was generated at: 15:34:55 Aug 05 1999 Key name: pixfirewall.example.com Usage: Signature Key Key Data: 305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d 6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf 6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001 % Key pair was generated at: 15:34:55 Aug 05 1999 Key name: pixfirewall.example.com Usage: Encryption Key Key Data: 305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a 48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98 908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

ca_nickname	The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. Currently, the firewall supports only one CA at a time.
fingerprint	A key consisting of alphanumeric characters the firewall uses to authenticate CA's certificate.
ca \| ra	Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command. Some CA systems provide an RA, which the firewall contacts instead of the CA.
retry_period	Specify the number of minutes the firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.
retry_count	Specify how many times the firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the firewall should contact the CA to obtain a pending certificate.
crloptional	Allows other peers' certificates be accepted by the firewall even if the appropriate certificate revocation list (CRL) is not accessible to the PIX Firewall. The default is without the crloptional option.
challenge_password	A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.
serial	Return the firewall unit's serial number in the certificate.
ipaddress	Return the firewall unit's IP address in the certificate.
key	This specifies that one general-purpose RSA key pair will be generated.
specialkey	This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.
key_modulus_size	The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.
ca_ipaddress	The CA's IP address.
:ca_script_location	The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script using ca identity. A firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.
ldap_ipaddress	The IP address of the Lightweight Directory Access Protocol (LDAP) server. By default, querying of a certificate or a CRL is done via the PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

Sample Output String	Description
CN	common name
C	country
EA	E-mail address
L	locality
ST	state or province
O	organization name
OU	organizational unit name
DC	domain component