Installing Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services and Enrolling for Certificates from a Cisco Router

The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on Windows 2000 Server.

This tool is not installed by the Windows 2000 Resource Kit Setup. To install it, use the following procedure:

Before you start

• You must install the SCEP Add-on for Certificate Services for on a root certification authority (CA). Both enterprise root CAs and stand-alone root CAs are supported. You can install the SCEP Add-on for Certificate Services on a subordinate CA. However, as of October 1999, existing versions of Cisco routers will not be able to request certificates from the subordinate CA.

• The CA should be in a separate certification hierarchy from all other CAs in your organization.

• You need to have proper administrative privileges to install the SCEP Add-on for Certificate Services. By default, you need to be a member of the Enterprise Administrators group or the root Domain Administrators group to install this add-on on an enterprise CA, or you need to be a member of the computer administrators group to install this add-on on a standalone CA

• The SCEP Add-on for Certificate Services cannot be installed on a Windows 2000 CA that has any non-alphanumeric characters (&,*, :, ;, ', ", etc.) in its name.

To install SCEP Add-on for Certificate Services on a Windows 2000 root CA

1. Log on with the appropriate administrative privileges to the server on which the root CA is installed.

2. Click Start, click Run, then type drive:cepsetup.exe where drive is the CD-ROM drive where the Windows 2000 Resource Kit CD is located or the disk drive where you have downloaded cepsetup.exe.

3. In the SCEP Add-on for Certificate Services Setup wizard:

   • Select whether or not you want to require a challenge phrase for router certificate enrollment.

   • Enter information about who is enrolling for the Registration Authority (RA) certificate, which will later allow certificates to be requested from the CA on behalf of the router.

   • (Optional) Select Advanced Enrollment Options if you want to specify the cryptographic service provider (CSP) and key lengths for the RA signature and encryption keys.

   • The URL - http://URLHostName/certsrv/mscep/mscep.dll - is displayed when the SCEP Setup wizard finishes and confirms a successful installation. URLHostName is the name of the server which hosts the CA's enrollment Web pages (also referred to as Certificate Services Web pages).

To enroll for certificates from a Cisco router

Remove all current certificates stored on the router and configure the router for new certificate enrollment

1. At the routername> prompt, type EN

2. Type in your password. You are now in "Enable Mode" on the router.

3. At the routername# prompt, type config t.

4. At the routername(config)# prompt, type no crypt ca identity ExistingCAIdentityName.

5. Type y to destroy all certificates.

6. At the routername(config)# prompt, type crypt ca identity NewCAIdentityName.

7. At the routername(ca-identity)# prompt, type enrollment mode ra.

NOTE: Do not use the query sub-command at routername(ca-identity)# prompt to configure the router.

8. At the routername(ca-identity)# prompt, type enrollment url http://URLHostName/certsrv/mscep/mscep.dll where URLHostName is the name of the server which hosts the CA's enrollment Web pages (also referred to as Certificate Services Web pages).

9. If you do not want the router to check the CA's certificate revocation list (CRL), at the routername(ca-identity)# prompt, type crl optional.

10. At the routername(ca-identity)# prompt, type exit.

11. At the routername(config)# prompt, type exit.

12. At the routername# prompt, type write memory.

13. To confirm that your changes have taken place, at the routername# prompt, type write terminal. The router will display its configuration information. No certificates will appear in the displayed information and you will see the enrollment URL you entered.

Request the CA's certificate

1. At the routername# prompt, type config t.

2. At the routername(config)# prompt, type crypt ca authenticate NewCAIdentityName.

3. Attributes of CA certificate will be displayed, including the fingerprint of the CA certificate. The "fingerprint" is a series of alphanumeric characters unique to that CA certificate.

   You can confirm that the fingerprint of the CA certificate being presented to the router matches the fingerprint of the authentic CA certificate by connecting to the URL: http://URLHostName/certsrv/mscep/mscep.dll in Internet Explorer. Verify that the fingerprint displayed at this URL matches the fingerprint of the certificate being presented to the router.

   Type Y to accept the CA certificate.

4. To confirm that you received the CA certificate, at the routername(config)# prompt, type exit.

5. At the routername# prompt, type show crypt ca certificate. The CA certificate will be displayed on the screen.

Generate a public and private key pair

1. At the routername# prompt, type config t.

2. At the routername(config)# prompt, type crypt key gen rsa.

3. When you are asked if you want to replace your current keys, type Y.

4. Enter the number of bits in the modulus (key size). The default is 512.

Enroll for certificates.

1. At the routername(config)# prompt, type crypt ca enroll NewCAIdentityName.

2. You are asked to input a password.

   Using Internet Explorer, retrieve a valid challenge password by connecting to the URL: http://URLHostName/certsrv/mscep/mscep.dll.

   Some notes about this password:

   • Every time you connect to this URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can only be used once.

   • The password displayed is both the challenge password for certificate enrollment and the password for certificate revocation. Remember this password so that in case you need to revoke the certificate, you can provide it to the CA administrator.

   • If you connect to the URL above and do not see a challenge password displayed, then the SCEP Add-on was not setup to require a challenge password. In this case, you can make up a password of your own choosing. This password will be used for certificate revocation only.

   • If you are requesting a certificate from an enterprise CA, you must have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template in order to access the URL above. By default, a member of the Enterprise Administrators group or the root Domain Administrators group will have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template.

     See the procedure entitled Set security permissions and delegate control of certificate templates in Windows 2000 Server online help for the procedure to change enrollment permissions for certificate templates.

   • By default anyone can view the Web page at the URL above if it is on a stand-alone CA.

3. Type Y to include the router serial number in the subject name.

4. Type Y to include the IP address in the subject name.

5. Type Y to request the certificate from the CA. The certificate request fingerprint will be displayed and the certificate will be received from the CA.

6. Type exit to leave config mode.

7. At the routername# prompt, type show crypt ca certificate to verify that you have certificate(s) for the router. The certificate(s) issued to the router, as well as the CA certificate, will be displayed on the screen.

Notes

• You should use Internet Explorer on a Windows 2000-based computer when performing procedural steps that require you to connect to the URL: http://URLHostName/certsrv/mscep/mscep.dll.

• If Internet Explorer is configured to use a proxy server, make sure that the Bypass proxy server for local addresses check box is selected in the Tools, Internet Options, Connections, LAN Settings dialog box in Internet Explorer.

• The router cannot process certificates whose issuer or subject has non-alphanumeric characters (*, :, ;, ', ", etc.)

• Some helpful procedures in Windows 2000 Server online documentation:

  • To issue or deny a pending certificate request on a stand-alone CA, see Review pending certificate requests in Windows Server help.

  • To revoke a certificate and publish a CRL, see Revoke an issued certificate and Manually publish the certificate revocation list in Windows Server help.

  • If you are issuing certificates to routers from a CA, you may want to view all issued certificates with the unstructured Name, unstructured Address, and serialNumber columns. To add these columns to the MMC view, see Customize the display of columns in Certification Authority in Windows Server help for general instructions to add columns to the Certification Authority snap-in display.