Configuring SCEP and Managing CRLs
This chapter describes how to configure the Simple Certificate Enrollment Protocol (SCEP) and how to manage Certificate Revocation Lists (CRLs) using the Riverbed CLI. This chapter includes the following sections:
- Using SCEP to configure on-demand and automatic reenrollment
- Managing Certificate Revocation Lists
This chapter makes the following assumptions:
- You have configured SSL on the SteelHead (for details, see SSL Deployments).
- You have set up a SCEP server.
Using SCEP to configure on-demand and automatic reenrollment
SCEP is a protocol for issuing digital certificates to network devices in a simple, scalable way. The SteelHead uses SCEP for on-demand enrollment and automatic reenrollment of its SSL peering certificate. Currently, the SteelHead can enroll only peering certificates.
This section describes how to configure on-demand and automatic reenrollment of SSL peering certificates.
The following table summarizes the SCEP commands. Each command is followed by its parameters and their definitions.

secure-peering scep auto-reenroll
    enable
        Enables automatic reenrollment of the peering certificate, to be signed by the configured CA.
    exp-threshold <num-of-days>
        Specify how many days before the certificate expires the reenrollment is scheduled. Leave enough margin for the CA to approve the request and for the poll budget (max-num-polls x poll-frequency) to run out and be retried.
    last-result clear-alarm
        Clears the automatic reenrollment last-result alarm. The last result is the outcome of the last completed enrollment attempt.
secure-peering scep max-num-polls <max-number-polls>
    Specify the maximum number of polls before the SteelHead cancels the enrollment. The installed peering certificate is left unchanged. The default value is 5.
    A poll is a request by the SteelHead to the server for the enrolled certificate. The SteelHead polls only while the server responds with pending; if the server responds with fail, the SteelHead stops without polling.
secure-peering scep on-demand cancel
    Cancels any active on-demand enrollment.
secure-peering scep on-demand gen-key-and-csr rsa
    Generates a new private key and CSR for on-demand enrollment using the RSA (Rivest-Shamir-Adleman) algorithm. The subject of the CSR is built from the following parameters:
    state <string>
        Specify the state. No abbreviations allowed.
    org-unit <string>
        Specify the organizational unit (for example, the department).
    org <string>
        Specify the organization name (for example, the company).
    locality <string>
        Specify the city.
    email <email-address>
        Specify the email address of the contact person.
    country <string>
        Specify the country (two-letter code only).
    common-name <string>
        Specify the hostname of the peer.
    key-size {512 | 1024 | 2048}
        Specify the key size in bits. Use 2048: 512-bit and 1024-bit RSA keys are accepted by the command but are too weak to protect a peering certificate.
secure-peering scep on-demand start [foreground]
    Starts an on-demand enrollment, in the background by default. With foreground, the enrollment runs in the foreground.
secure-peering scep passphrase <pass-phrase>
    Specify the SCEP challenge password. The CA uses it to authorize the enrollment request, so it should be unique per device and handled like a credential.
secure-peering scep poll-frequency <minutes>
    Specify the poll frequency in minutes. The default value is 5.
secure-peering scep trust peering-ca <peer-ca>
    Specify the name of the existing peering CA.
secure-peering scep url <url>
    Specify the URL of the SCEP responder, in the form http://host[:port][/path/to/service]. Plain HTTP is normal for SCEP, because the SCEP messages themselves (including the CSR and its challenge password) are signed and encrypted with PKCS#7.
Configuring on-demand enrollment
The following example configures the most common on-demand enrollment SCEP settings.
To configure on-demand enrollment of certificates
1. To configure SCEP settings, connect to the SteelHead CLI and enter the following commands:
enable
configure terminal
secure-peering scep url http://host[:port][/path/to/service]
secure-peering scep trust peering-ca <name>
secure-peering scep poll-frequency 10
secure-peering scep max-num-polls 6
secure-peering scep passphrase "<device-unique-passphrase>"
2. An on-demand enrollment needs a new key pair and Certificate Signing Request (CSR). To generate them, at the system prompt enter the following command on one line:
secure-peering scep on-demand gen-key-and-csr rsa key-size 2048 country us org mycompany org-unit engineering
Use key-size 2048. The command also accepts 512 and 1024, but RSA keys of those sizes are too weak for a new certificate.
3. To display the CSR (including the fingerprint), at the system prompt enter the command:
show secure-peering scep on-demand csr
4. To start an on-demand enrollment, at the system prompt enter the command:
secure-peering scep on-demand start
5. To view current status and the result of the last attempt (since boot), at the system prompt enter the following commands:
show secure-peering scep enrollment status
show secure-peering scep on-demand last-result
6. To stop enrollment, at the system prompt enter the following commands:
secure-peering scep on-demand cancel
show secure-peering scep on-demand last-result
You must stop enrollment before you can begin the enrollment process for another certificate.
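The polling behavior that the command table describes (max-num-polls, poll-frequency, the pending/fail/success responses, and the rule that only one enrollment can be active), modelled in Python as an added example. This is not Riverbed code: the scripted responder, the string certificates and the method names are stand-ins for a real SCEP exchange, chosen so that the consequences of the settings can be checked without a CA.

```python
"""Model of the SteelHead's SCEP enrollment loop as this chapter describes it:
after the initial request the SteelHead polls only while the responder answers
PENDING, stops at once on FAILURE, and abandons the enrollment (leaving the
installed peering certificate unchanged) once max-num-polls is exhausted.
Added illustration, not Riverbed code: the responder below is a scripted
stand-in for a real SCEP server, and certificates are plain strings."""

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class PkiStatus(Enum):
    """pkiStatus values a SCEP responder returns for PKCSReq / GetCertInitial."""
    SUCCESS = 0
    FAILURE = 2
    PENDING = 3


class ScriptedResponder:
    """Stand-in SCEP responder that answers from a fixed script (constructed input).
    When the script runs out it keeps answering PENDING, like an unattended CA."""

    def __init__(self, script: List[PkiStatus], issued_cert: str = "CERT-NEW"):
        self._script = list(script)
        self.issued_cert = issued_cert
        self.requests = 0

    def respond(self) -> PkiStatus:
        self.requests += 1
        return self._script.pop(0) if self._script else PkiStatus.PENDING


@dataclass
class ScepEnrollment:
    """One SteelHead-side enrollment, parameterised like the CLI settings."""
    max_num_polls: int = 5          # secure-peering scep max-num-polls (default 5)
    poll_frequency_min: int = 5     # secure-peering scep poll-frequency (default 5)
    peering_cert: str = "CERT-OLD"  # the currently installed peering certificate
    active: bool = False
    polls: int = 0
    last_result: str = "none"
    _responder: Optional[ScriptedResponder] = None

    def start(self, responder: ScriptedResponder) -> str:
        """'secure-peering scep on-demand start': send the PKCSReq; the
        enrollment stays active for polling only if the CA answers PENDING."""
        if self.active:
            raise RuntimeError("enrollment already active; run 'on-demand cancel' first")
        self.active, self.polls, self._responder = True, 0, responder
        return self._apply(responder.respond())

    def poll(self) -> str:
        """One GetCertInitial poll (the SteelHead sends one every poll-frequency minutes)."""
        if not self.active:
            return self.last_result
        if self.polls >= self.max_num_polls:
            self.active = False
            self.last_result = "cancelled: max-num-polls exhausted"
            return self.last_result
        self.polls += 1
        return self._apply(self._responder.respond())

    def run(self) -> str:
        """Keep polling until the enrollment finishes one way or the other."""
        while self.active:
            self.poll()
        return self.last_result

    def cancel(self) -> str:
        """'secure-peering scep on-demand cancel'."""
        self.active = False
        self.last_result = "cancelled by operator"
        return self.last_result

    def worst_case_wait_min(self) -> int:
        """Longest a pending enrollment can stay open before it is abandoned."""
        return self.max_num_polls * self.poll_frequency_min

    def _apply(self, status: PkiStatus) -> str:
        if status is PkiStatus.PENDING:
            self.last_result = "pending"
        elif status is PkiStatus.SUCCESS:
            self.peering_cert = self._responder.issued_cert   # only now is the cert replaced
            self.active = False
            self.last_result = f"success after {self.polls} polls"
        else:
            self.active = False                               # FAILURE: no further polling
            self.last_result = f"failed after {self.polls} polls"
        return self.last_result


if __name__ == "__main__":
    e = ScepEnrollment(max_num_polls=6, poll_frequency_min=10)   # values from the example above
    ca = ScriptedResponder([PkiStatus.PENDING, PkiStatus.PENDING, PkiStatus.SUCCESS])
    print(e.start(ca), "->", e.run(), "| installed:", e.peering_cert)
    print("worst case before giving up:", e.worst_case_wait_min(), "minutes")
```

With the example's settings (poll-frequency 10, max-num-polls 6) the model shows the limit worth knowing before choosing them: a CA that leaves the request pending for more than 60 minutes causes the SteelHead to abandon the enrollment and keep the old peering certificate, so exp-threshold for automatic reenrollment should leave room for the CA's approval delay and for a retry.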
Configuring automatic reenrollment
The following example configures the most common automatic reenrollment SCEP settings.
To configure automatic reenrollment of certificates
1. To configure SCEP settings, connect to the SteelHead CLI and enter the following commands:
enable
configure terminal
secure-peering scep url http://entrust-connector/cgi-bin/pkiclient.exe
secure-peering scep trust peering-ca <name>
secure-peering scep poll-frequency 10
secure-peering scep max-num-polls 6
secure-peering scep passphrase "<device-unique-passphrase>"
2. To configure automatic reenrollment, at the system prompt enter the following commands:
secure-peering scep auto-reenroll exp-threshold 30
secure-peering scep auto-reenroll enable
3. To view the automatic reenrollment CSR and the result of the last automatic reenrollment, at the system prompt enter the following commands:
show secure-peering scep auto-reenroll csr
show secure-peering scep auto-reenroll last-result
Viewing SCEP settings and alarms
This section describes how to view SCEP settings and alarms.
The following table summarizes the commands for viewing SCEP settings.

show secure-peering scep
    Displays SCEP information.
show secure-peering scep auto-reenroll csr
    Displays the automatic reenrollment CSR.
show secure-peering scep auto-reenroll last-result
    Displays the result of the last completed automatic reenrollment.
show secure-peering scep ca <ca-name> certificate
    Displays the specified SCEP peering CA certificate.
show secure-peering scep enrollment status
    Displays enrollment status information.
show secure-peering scep on-demand csr
    Displays the on-demand enrollment CSR.
show secure-peering scep on-demand last-result
    Displays the result of the last completed on-demand enrollment.
A SCEP alarm is triggered when the SteelHead asks the SCEP server to automatically reenroll the SSL peering certificate (that is, to have it re-signed by the CA) and the request fails. The alarm clears automatically when the next automatic reenrollment succeeds.
To view SCEP alarm status
1. Connect to the SteelHead CLI and enter enable mode.
2. Enter the following command:
show stats alarm ssl_peer_scep_auto_reenroll
Alarm ssl_peer_scep_auto_reenroll:
Enabled: yes
Alarm state: ok
Rising error threshold: no
Rising clear threshold: no
Falling error threshold: no
Falling clear threshold: no
Rate limit bucket counts: { 5, 20, 50 }
Rate limit bucket windows: { 3600, 86400, 604800 }
Last checked at: 2009/07/30 17:43:07
Last checked value: true
Last event at:
Last rising error at:
Last rising clear at:
Last falling error at:
Last falling clear at:
To clear the SCEP alarm
1. Connect to the SteelHead CLI and enter configuration mode.
2. Enter the following command:
secure-peering scep auto-reenroll last-result clear-alarm
Managing Certificate Revocation Lists
Certificate Revocation Lists (CRLs) allow CAs to revoke issued certificates (for example, when the private key of the certificate is compromised).
CRLs are not used by default in the SteelHead.
A CRL is a database that contains a list of digital certificates that have been invalidated before their expiration date, including the reasons for the revocation, and the names of the issuing certificate signing authorities. The CRL is issued by the CA that issues the corresponding certificates. All CRLs have a lifetime during which they are valid (often 24 hours or less).
CRLs are used when:
- the server-side SteelHead verifies the certificate presented by the server in the SSL handshake between the server-side SteelHead and the server.
- the server-side SteelHead verifies the certificate presented by the client-side SteelHead in the handshake between the two SteelHeads that establishes the secure inner channel over the WAN.
- the client-side SteelHead verifies the certificate presented by the server-side SteelHead in the handshake between the two SteelHeads that establishes the secure inner channel over the WAN.
Currently, the SteelHead only supports downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers.
The following table summarizes the CRL management commands. Each command is followed by its parameters and their definitions. A CDP is a CRL distribution point: the location, carried in the CA certificate, from which the CRL is fetched.

protocol ssl crl ca <ca-name> cdp <integer> ldap-server {<ip-address> | <hostname>} [port <port>] [crl-attr-name <attr-name>]
    Configures the CRL for an automatically discovered CA by completing one of its CDPs.
    <ca-name>: the name of an SSL CA certificate.
    cdp <integer>: the index of a CDP in the CA certificate (as listed by show protocol ssl crl ca <ca-name>).
    ldap-server: the IP address or hostname of the LDAP server that holds the CRL named by the CDP.
    port <port>: optionally, the LDAP service port.
    crl-attr-name <attr-name>: optionally, the attribute that holds the CRL in the LDAP entry.
    The no protocol ssl crl ca * cdp * command removes the update.
protocol ssl crl cas enable
    Enables CRL polling and the use of CRLs when verifying CA-issued certificates in handshakes. With CRL checking enabled, a certificate that the CA has revoked (for example, because its private key was compromised) is rejected.
protocol ssl crl handshake fail-if-missing
    Configures handshake behavior when no CRL is available: if a relevant CRL cannot be found, the handshake fails (fail closed). Without this option a missing CRL leaves revoked certificates undetected.
[no] protocol ssl crl manual ca <ca-name> uri <uri>
    Manually configures the CDP for the named CA with the complete CDP URI. The no protocol ssl crl manual command removes manually configured CDPs.
[no] protocol ssl crl manual peering ca <ca-name> uri <uri>
    Manually configures the CDP for the named peering CA with the complete CDP URI.
protocol ssl crl peering ca <ca-name> cdp <integer> ldap-server {<ip-address> | <hostname>} [port <port-number>] [crl-attr-name <string>]
    Configures the CRL for an automatically discovered peering CA. The parameters have the same meaning as for protocol ssl crl ca. The no protocol ssl crl peering ca * cdp * command removes the update.
protocol ssl crl peering cas enable
    Enables CRL polling and the use of CRLs in peering handshake verification.
protocol ssl crl query-now ca <string> cdp <integer>
    Downloads now the CRL issued by the specified SSL CA from the specified CDP.
protocol ssl crl query-now peering ca <ca-name> cdp <integer>
    Downloads now the CRL issued by the specified SSL peering CA from the specified CDP.
show protocol ssl crl ca <ca-name>
    Displays the current state of CRL polling for a CA.
show protocol ssl crl cas crl-file <string> text
    Displays the specified CRL file in text form.
show protocol ssl crl report ca <ca-name>
    Displays reports of CRL polling from the CA.
Managing CRLs
This section describes how to manage CRLs using the CLI.
To update an incomplete CDP
1. To enable CRL polling and handshakes, connect to the SteelHead CLI and enter configuration mode.
2. Enter the following set commands:
protocol ssl crl cas enable
protocol ssl crl peering cas enable
3. To view the CRL polling status of all CAs, enter the following command:
show protocol ssl crl cas
The following example output shows two CAs. Comodo_Trusted_Services has two complete CDPs (both are URIs); Entrust_Client has one incomplete CDP and one complete CDP.
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
An incomplete CDP is shown in DirName format (an X.500 directory name, which says where the CRL lives in a directory but not which server holds it):
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority/CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
Here CDP 1 of Entrust_Client is incomplete, as its DirName format indicates. The SteelHead can complete only DirName-format CDPs: you supply the LDAP server (and optionally the port and the CRL attribute name) that holds the named directory entry, as in the next step.
4. To update the incomplete CDP URI, enter the following commands:
protocol ssl crl ca Entrust_Client cdp 1 ldap-server 192.168.172.1
protocol ssl crl peering ca Entrust_Client cdp 1 ldap-server 192.168.172.1
5. To view the status of the updated CDP, enter the following command:
show protocol ssl crl ca Entrust_Client
The status of CRL polling can be either pending, success, or error.
6. To check CRL polling status of all CAs, enter the following command:
show protocol ssl crl cas
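The Entrust_Client case above, worked through in Python as an added example that is not SteelHead code: it parses the show protocol ssl crl cas output, flags the DirName CDP as the one that needs an ldap-server update, and builds the LDAP URL such an update has to resolve. The SteelHead does not document the exact URL it constructs, so the RFC 4516 form used here (base-scope search for the certificateRevocationList attribute on port 389) and the default attribute name are assumptions; the sample output is copied from the status listing above, and the LDAP server address is the one used in step 4.

```python
"""Classify the CRL distribution points (CDPs) that 'show protocol ssl crl cas'
prints and turn a DirName CDP into the LDAP URL that an 'ldap-server' update
must be able to resolve.  Added illustration, not SteelHead code; the exact
URL the SteelHead builds is undocumented, so the RFC 4516 form here is an
assumption, as is certificateRevocationList as the default CRL attribute."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import quote

# Split an OpenSSL-style DN only at a slash that starts a new "TYPE=" attribute,
# so slashes embedded in a value ("OU=www.entrust.net/Client_CA_Info/...") survive.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.-]*=)")
# Characters RFC 4514 requires to be escaped inside an attribute value.
_RFC4514_SPECIAL = ',+"\\<>;'

# Constructed sample: the status listing shown earlier in this section.
SAMPLE_STATUS = """\
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority/CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
"""


@dataclass(frozen=True)
class DistributionPoint:
    index: int      # the "CDP Index", i.e. the cdp <integer> CLI argument
    kind: str       # "URI" or "DirName"
    value: str

    @property
    def complete(self) -> bool:
        """A URI can be fetched as-is; a DirName only names a directory entry
        and stays incomplete until an LDAP server is supplied for it."""
        return self.kind == "URI"


def parse_crl_status(text: str) -> Dict[str, List[DistributionPoint]]:
    """Parse the per-CA 'CDP Index' / 'DP Name' blocks into distribution points."""
    cas: Dict[str, List[DistributionPoint]] = {}
    ca, index = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CA:"):
            ca, index = line[3:].strip(), None
            cas[ca] = []
        elif line.startswith("CDP Index:"):
            index = int(line.split(":", 1)[1])
        elif line.startswith("DP Name") and ca is not None and index is not None:
            kind, sep, value = line.split(":", 1)[1].strip().partition(":")
            if not sep or kind not in ("URI", "DirName"):
                raise ValueError(f"unsupported DP Name: {line!r}")
            cas[ca].append(DistributionPoint(index, kind, value))
    return cas


def incomplete_cdps(cas: Dict[str, List[DistributionPoint]]) -> List[Tuple[str, DistributionPoint]]:
    """The (CA, CDP) pairs that need a 'protocol ssl crl ca ... ldap-server' update."""
    return [(ca, dp) for ca, dps in cas.items() for dp in dps if not dp.complete]


def _escape_rfc4514(value: str) -> str:
    out = "".join("\\" + c if c in _RFC4514_SPECIAL else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def dirname_to_rfc4514(dirname: str) -> str:
    """'/C=US/O=x/CN=CRL1' (OpenSSL order, root first) -> 'CN=CRL1,O=x,C=US'."""
    rdns = []
    for part in _RDN_SPLIT.split(dirname):
        if not part:            # leading "" produced by the initial "/"
            continue
        attr, _, value = part.partition("=")
        rdns.append(f"{attr}={_escape_rfc4514(value)}")
    return ",".join(reversed(rdns))


def ldap_url_for(dp: DistributionPoint, server: str, port: int = 389,
                 crl_attr_name: str = "certificateRevocationList") -> str:
    """RFC 4516 URL for the CRL entry named by a DirName CDP (assumed form)."""
    if dp.kind != "DirName":
        raise ValueError("only DirName distribution points need an LDAP server")
    dn = quote(dirname_to_rfc4514(dp.value), safe="=,()")
    return f"ldap://{server}:{port}/{dn}?{crl_attr_name}?base?(objectClass=*)"


if __name__ == "__main__":
    for ca, dp in incomplete_cdps(parse_crl_status(SAMPLE_STATUS)):
        print(f"protocol ssl crl ca {ca} cdp {dp.index} ldap-server 192.168.172.1")
        print("  must resolve:", ldap_url_for(dp, "192.168.172.1"))
```

The split regex is the part worth keeping: the Entrust OU value itself contains slashes, so splitting the DirName on every "/" would produce bogus RDNs and a wrong DN; splitting only where a new attribute type begins keeps the value intact. The rebuilt DN, in RFC 4514 order with CN=CRL1 first, is what the LDAP server you name in step 4 must actually serve, so it is also the query to try by hand when the polling status stays at error.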
Viewing CRL alarm status
This section describes how to view a CRL alarm and how to clear a CRL alarm.
To view CRL alarm status
1. Connect to the SteelHead CLI and enter enable mode.
2. Enter the following command:
show stats alarm crl_error
Alarm crl_error:
Enabled: yes
Alarm state: ok
Rising error threshold: 1
Rising clear threshold: 1
Falling error threshold: no
Falling clear threshold: no
Rate limit bucket counts: { 5, 20, 50 }
Rate limit bucket windows: { 3600, 86400, 604800 }
Last checked at: 2009/07/30 17:40:34
Last checked value: 0
Last event at:
Last rising error at:
Last rising clear at:
Last falling error at:
Last falling clear at:
To clear a CRL alarm, you must either rectify the problem by updating the incomplete CDP or you must disable CRL polling.
To disable CRL polling and clear a CRL alarm
1. Connect to the SteelHead CLI and enter configuration mode.
2. Enter the following command:
no protocol ssl crl cas enable