Greetings fellow networkers,
In this installment of PKI for network engineers, we’re going to build up our two tier Elliptic Curve PKI hierarchy in one shot. There are a lot of tasks, but only a few of them differ from our RSA setup. I’ll highlight those below.
- Cryptographic service provider and hash algorithm.
  - I'm using ECDSA 384 and SHA384.
  - Although the Microsoft CA supports 521 bit EC keys, Cisco IOS maxes out at 384.
- No NDES/SCEP. NDES supports RSA only for in-band device enrollment.
  - There is a new standard called EST (enrollment over secure transport).
    - IOS and IOS-XE support EST as clients.
    - There's an open source project called libEST you can use to test.
    - Cisco ISE as of version 2.2 supports EST.
- Web enrollment doesn't support version 3 or 4 templates.
  - When duplicating templates, be aware of this fact.
- Mind your signatures and public key algorithms.
  - RSA public keys can be signed by an EC CA and vice versa. Keep this in mind when creating your templates, take care to test them, and inspect your certificates to make sure you're getting what you think you're getting.
Resources:
- Densemode Two level PKI Hierarchy Setup Workflow
- Cisco IOS EST Client and libEST
- Suite B PKI step by step guide (TechNet)
Settings, scriptlets, helpful text blocks:
Hi Mr. Densemode 😉
Thanks for that great introduction!
May I ask you about the CRL procedure on a client?
Let's say I have a CDP configuration like this:
http://crl.test-server-1.domain/crld/<CAName>+.crl
http://crl.test.server-2.domain/crld/<CAName>+.crl
http://ocsp-test-server
My questions:
1) Must a client proceed to/check all 3 links?
2) Does OCSP have a higher priority, and can the CRLs be skipped?
3) What happens if one of the CRLs is not online?
Thanks in advance,
Thomas