Example: Configuring EST for Cisco devices
This example describes how to configure Trust Protection Platform for certificate enrollment of network devices (such as routers or switches) via the Enrollment over Secure Transport (EST) protocol. In this configuration, every device must authenticate with a client certificate before it can request a new certificate.
Enable and start the EST Service component on each server that will handle EST requests from devices.
- Open Venafi Configuration Console.
- In the Windows Services section, click Enrollment over Secure Transport Service.
- If the status is Stopped (disabled), in the Actions panel, click Enable, and then click Start.
- If the status is Stopped (automatic), in the Actions panel, click Start.
- If the status is Running (automatic), the service is already running.
- To verify that the server is operational, open a browser and navigate to https://[your-server.example.com]:50443/.well-known/est/. If your browser prompts you to select a client certificate, the server is operational and no additional action is needed.
NOTE EST is served over HTTPS on port 50443 by default. This port is used so that EST won't interfere with any web services (such as IIS) already running on the same server. For assistance, contact support.
This section lists the prerequisites.
- Create the following policy folders:
  - Policy > Administration > CA Templates
  - Policy > Certificates > Network Devices > EST
- In Policy > Administration > CA Templates, create a new CA Template that will issue certificates to devices that request them via EST. Name the template Template for Network Devices.
- Upload the Root/Intermediate CA certificate that issued the devices' client certificates, so that those certificates chain to a trusted CA.
  NOTE Only clients that authenticate with a certificate issued by this Root/Intermediate CA will be allowed to request a new certificate via EST.
  - Prepare the Root/Intermediate certificate that you want to trust as a PEM-format file.
  - Open https://your-server.example.com/vedadmin and select the Roots tree.
  - Click Add to import the certificate.
- (Optional) If you want to require clients to provide a username and password in addition to the certificate, create a new Username credential. In this example, we name the credential EST User Credential, with username my_est_user and password my_est_pwd.
  NOTE Username and password authentication adds a second factor to device enrollment. If you use it, you must also enter the username and password on each device that enrolls via EST.
  - In the Policy tree, create the Administration > Credentials policy folder.
  - Right-click Credentials, and then select Add > Credential > Username Credential.
  - In the Credential Name field, give the credential a name.
  - Enter a User Name and a Password.
- From the TLS Protect menu bar, click Clients > Work Settings.
- Click Add Work. In the Add Work window, give this work a Name, select Certificate enrollment via EST Protocol, and then click Create.
- Enable the work by clicking Yes under Certificate Enrollment via EST Protocol Enabled?
- In the General Information section, populate the following:
  - In the Create Certificates in Folder dropdown, select the folder in which the device certificate objects are created. In this example, we select the folder created in the prerequisites: Policy \ Certificates \ Network Devices \ EST.
  - In the Object Naming Pattern field, select the object naming macro you want to use.
  - In the CA Template dropdown, select the CA template you want to use. In this example, we select the CA template created in the prerequisites: Template for Network Devices.
  - (Optional) In the Certificate Origin field, enter a value to be used as the friendly name of the system requesting the certificates. In this example, we use Network Devices.
    NOTE The Certificate Origin is used for reporting purposes only.
  - (Optional) Enter a Description for this work.
  - In the Contact field, enter the individuals or group who are the contacts for this work.
- In the Client Certificate Authentication section, do the following:
  - In the Trusted Certificate Authorities and Certificates section, select whether to allow all trusted certificate authorities or only specific ones. If you select specific authorities, enter the authorities to trust in the Trusted Certificate Authorities and Certificates field. In this example, we select the same Root/Intermediate CA certificate that was uploaded to the Roots tree in the prerequisites, so only devices holding a certificate issued by that CA can authenticate.
  - In the Validation Type section, select a validation type.
  - In the Revocation Status Check section, select whether to enable or disable the check. If you enable it, select whether to accept or reject the request when the revocation status cannot be determined.
    NOTE Accepting requests when the status cannot be determined fails open: if the CRL or OCSP source is unreachable, a device whose client certificate has been revoked can still enroll. Reject such requests unless device availability outweighs that risk.
- (Optional) In the Client Password Authentication section, do the following:
  - Select the username credential to use for client authentication. In this example, we created EST User Credential in the prerequisites, so we select that credential here. If you don't already have a credential, click Create New Credential to create one.
  - After you select a credential, the Accept Requests Authenticated Only by Password checkbox appears. Select the checkbox if you want to accept requests that are authenticated by the password alone, without a client certificate.
    NOTE Password-only authentication is less secure and is not recommended: a username and password shared by many devices is easily copied out of a device configuration, and it cannot tell one device from another the way a per-device certificate can.
- In the Certificate Re-Enrollment section, select the checkbox if you want to revoke the previous certificate when a new certificate is issued. The old certificate is revoked one hour after the new certificate is issued.
- In the Advanced Settings section, select whether to enable Identity Information Verification and, if so, whether to accept requests that do not contain identity information.
  IMPORTANT Requiring valid identity information is more secure, but not all devices support this capability. For this reason, we recommend selecting Accept Requests with Valid or Missing Identity Information.
- Click Save.
In the steps below, we create a new group that contains the network devices allowed to request a certificate via EST.
- From the TLS Protect menu bar, click Clients > Client Group Settings.
- Click Add a Group. The Add a Group modal opens.
- Enter a Name for the group, select Certificate Enrollment via EST Protocol, and then click Add a Group. After the group is created, the group page opens.
- In the navigation pane, click Membership Criteria. By default, the membership criteria contain a Client Type attribute that is set equal to EST.
- Click AND to add another criteria line. A new line opens with the CA Label attribute.
- Set the CA Label to be equal to network-device. This label is the path segment that devices append to /.well-known/est/ in their enrollment URL, so it determines which group (and therefore which work) handles a request.
- Click Save.
- In the navigation pane, click Assigned Work.
- Click Assign Work.
- From the Work drop-down, select the work created in the previous step. In this example, we select Certificate enrollment via EST Protocol.
After the EST work and groups are configured, you now need to configure your network device clients to request certificates from Trust Protection Platform. Refer to your device's documentation for specific instructions and to the examples documented below.
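Before onboarding a device it is worth driving the same EST endpoints from a workstation, so that a failure can be attributed to the server, the CA Label path, the credential or the client certificate rather than to the device. The script below is an added example written for this page; it is not part of Venafi's documentation or product. It uses curl and openssl (1.1.1 or later, for -addext) against the RFC 7030 operations /cacerts, /simpleenroll and /simplereenroll. The host tpp.example.com, the port 50443, the CA Label network-device and the EST User Credential are the values used elsewhere on this page; the file names and the trust anchor file trusted_ca.pem (the Root/Intermediate uploaded in the prerequisites) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Venafi's code: exercise a TPP EST endpoint with curl and openssl.
# All names below are placeholders; override them via the environment.
set -u

EST_HOST="${EST_HOST:-tpp.example.com}"
EST_PORT="${EST_PORT:-50443}"
EST_LABEL="${EST_LABEL:-network-device}"   # CA Label set on the client group
EST_USER="${EST_USER:-my_est_user}"        # EST User Credential (optional on the work)
EST_PASS="${EST_PASS:-my_est_pwd}"
# Client certificate the "device" presents; it must chain to the CA trusted in the work
CLIENT_CERT="${CLIENT_CERT:-device_certificate.pem}"
CLIENT_KEY="${CLIENT_KEY:-device_private_key.pem}"
CLIENT_KEY_PASS="${CLIENT_KEY_PASS:-MyPassword}"
# Root/Intermediate uploaded in the prerequisites (client-auth trust anchor), assumed file name
TRUSTED_CA="${TRUSTED_CA:-trusted_ca.pem}"
# Chain of the Venafi Operational Certificate, used to verify the TLS server
VOC_CHAIN="${VOC_CHAIN:-voc_chain_certificates.pem}"

# RFC 7030 path layout: /.well-known/est/<label>/<operation>
est_url() {
  printf 'https://%s:%s/.well-known/est/%s/%s\n' "$EST_HOST" "$EST_PORT" "$EST_LABEL" "$1"
}

# EST request bodies are base64 DER (PKCS#10): strip the PEM armor lines, keep the base64
pem_to_est_body() {
  sed '/^-----BEGIN/d; /^-----END/d'
}

# EST responses are base64 DER PKCS#7 (application/pkcs7-mime); print the certs as PEM
pkcs7_to_pem() {
  tr -d '\r\n' | openssl base64 -d -A | openssl pkcs7 -inform DER -print_certs
}

# Pre-flight: the client cert must chain to the trusted CA and match the private key,
# otherwise TLS client authentication fails before any EST request is processed
est_preflight() {
  openssl verify -CAfile "$TRUSTED_CA" "$CLIENT_CERT" || return 1
  cert_pub=$(openssl x509 -noout -pubkey -in "$CLIENT_CERT")
  key_pub=$(openssl pkey -pubout -in "$CLIENT_KEY" -passin "pass:$CLIENT_KEY_PASS")
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match $CLIENT_CERT" >&2; return 1; }
}

# /cacerts: the CA chain the device will trust. RFC 7030 requires no client auth here.
est_cacerts() {
  curl -sS --fail --cacert "$VOC_CHAIN" "$(est_url cacerts)" | pkcs7_to_pem
}

# /simpleenroll: fresh key and CSR, authenticated with the client cert plus HTTP Basic
est_enroll() {  # $1 = CN, $2 = DNS SAN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$2" -out "$1.csr"
  pem_to_est_body < "$1.csr" > "$1.b64"
  curl -sS --fail --cacert "$VOC_CHAIN" \
    --cert "$CLIENT_CERT" --key "$CLIENT_KEY" --pass "$CLIENT_KEY_PASS" \
    --user "$EST_USER:$EST_PASS" \
    -H 'Content-Type: application/pkcs10' -H 'Content-Transfer-Encoding: base64' \
    --data-binary "@$1.b64" "$(est_url simpleenroll)" | pkcs7_to_pem > "$1.crt"
}

# /simplereenroll: renew by presenting the certificate issued above as the client cert
est_reenroll() {  # $1 = CN, $2 = DNS SAN (same values as est_enroll)
  openssl req -new -key "$1.key" -subj "/CN=$1" -addext "subjectAltName=DNS:$2" -out "$1.csr"
  pem_to_est_body < "$1.csr" > "$1.b64"
  curl -sS --fail --cacert "$VOC_CHAIN" --cert "$1.crt" --key "$1.key" \
    --user "$EST_USER:$EST_PASS" \
    -H 'Content-Type: application/pkcs10' -H 'Content-Transfer-Encoding: base64' \
    --data-binary "@$1.b64" "$(est_url simplereenroll)" | pkcs7_to_pem > "$1.new.crt"
}

case "${1:-}" in
  preflight) est_preflight ;;
  cacerts)   est_cacerts ;;
  enroll)    est_enroll "$2" "$3" ;;
  reenroll)  est_reenroll "$2" "$3" ;;
esac
```

Run `sh est-check.sh preflight` first, then `cacerts`, then `enroll myRouter myRouter.int`. A TLS handshake error on enroll but not on cacerts points at the client certificate or the trusted CA list on the work; an HTTP 401 points at the credential; an HTTP 404 usually means the CA Label in the URL does not match any group.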
Cisco device example enrollment
In the example below we are going to configure a Cisco IOS device to request a certificate from Trust Protection Platform via the EST protocol.
NOTE The steps below may vary between different Cisco devices and OS versions. Please refer to your device's documentation.
Import the certificate for client authentication into the Cisco device
You can skip this step if your device already has a certificate (such as a Cisco SUDI certificate) that can be used for client authentication to Trust Protection Platform.
NOTE The device certificate must be issued by the Certificate Authority configured as trusted in the Client Certificate Authentication section of the EST work created earlier; otherwise TLS client authentication fails before any EST request is processed.
- Prepare the following files:
  - The private key of the device certificate in an encrypted PEM file with password “MyPassword”. Name the file device_private_key.pem.
  - The certificate of the device in a PEM file. Name it device_certificate.pem.
  - The certificate chain (root and all intermediate certificates) of the device certificate in a PEM file. Name it device_chain_certificates.pem.
- Open a terminal to your device and execute the following:
crypto pki trustpoint LDevID
 enrollment terminal pem
 crl optional
 exit
crypto pki import LDevID pem terminal pass MyPassword
- At this point, the router prompts you to paste, in order, the certificate chain (device_chain_certificates.pem), the private key (device_private_key.pem), and the device certificate (device_certificate.pem) at the console terminal.
Import the certificate chain of the Venafi Operational Certificate into the device
- Prepare the following file:
  - The certificate chain (root and all intermediate certificates) of the Venafi Operational Certificate in a PEM file. Name it voc_chain_certificates.pem.
- On the terminal, execute the following:
crypto pki trustpoint VOC-root
 enrollment terminal pem
 crl optional
 exit
crypto ca authenticate VOC-root
- At this point, the router prompts you to paste the chain of the Venafi Operational Certificate (voc_chain_certificates.pem) at the console terminal. This chain is what the device uses to verify the TLS server certificate of Trust Protection Platform during EST.
Generate a new keypair on the device
On the terminal, execute the following:
crypto key generate rsa modulus 2048 label test-rsakey
Create new enrollment profile
- On the terminal, execute the following:
crypto pki profile enrollment test-profile
 method-est
 enrollment url https://my_est_user:my_est_pwd@tpp.example.com:50443/.well-known/est/network-device
 enrollment credential LDevID
 exit
NOTE The enrollment url above embeds the username (my_est_user) and password (my_est_pwd) that are stored as EST User Credential in Trust Protection Platform, and network-device is the CA Label set on the group. Because the credential is part of the URL, it appears in the device configuration; restrict access to configuration backups accordingly. The enrollment credential line names the trustpoint (LDevID) whose certificate the device presents for TLS client authentication.
Create trustpoint for enrollment
On the terminal, execute the following:
crypto pki trustpoint test-trustpoint
 usage ike
 serial-number none
 ip-address none
 fqdn none
 subject-name CN=myRouter
 subject-alt-name DNS=myRouter.int
 enrollment profile test-profile
 revocation-check none
 rsakeypair test-rsakey
 enrollment mode ra
 exit
Start certificate enrollment operation
- On the terminal, execute the following:
crypto pki authenticate test-trustpoint
crypto pki enroll test-trustpoint
At this point the device performs certificate enrollment from Trust Protection Platform: crypto pki authenticate retrieves and installs the issuing CA chain, and crypto pki enroll generates the CSR, submits it via EST, and installs the returned certificate.
- To check that the certificates are provisioned, execute the following command:
show crypto pki certificates verbose test-trustpoint