Saturday, July 10, 2010

How to see a Cisco IOS CA's root certificate

If you have created an IOS CA server and want to see its root certificate for distribution to other machines, then you must look at its storage location. Suppose you used the following to create your CA:

# enable
(config)# cry pki server thehacklist
(cs-server)# database url flash:
(cs-server)# issuer-name C=IN, ST=WB, O=thehacklist
(cs-server)# cdp none
(cs-server)# grant auto
(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
(cs-server)# end

Now if you look at the storage location (flash in this case, as specified above), you will see a three files named after your CA server (with extensions ending in ser, crl and p12).

# dir flash:
Directory of flash:/

11 -rw- 32 Jul 10 2010 17:54:20 +00:00 thehacklist.ser
1 -rw- 1826 Jan 15 2008 17:52:38 +00:00 sdmconfig-38xx.cfg
2 -rw- 6036480 Jan 15 2008 17:53:10 +00:00 sdm.tar
3 -rw- 861696 Jan 15 2008 17:53:26 +00:00 es.tar
4 -rw- 1164288 Jan 15 2008 17:53:46 +00:00 common.tar
5 -rw- 1038 Jan 15 2008 17:54:02 +00:00 home.shtml
6 -rw- 113152 Jan 15 2008 17:54:16 +00:00 home.tar
7 -rw- 1697952 Jan 15 2008 17:54:42 +00:00 securedesktop-ios-3.1.1.45-k9.pkg
8 -rw- 416354 Jan 15 2008 17:55:06 +00:00 sslclient-win-1.1.3.173.pkg
9 -rw- 59526004 Jun 29 2010 19:23:10 +00:00 c3845-advipservicesk9-mz.124-22.T2
10 -rw- 60288320 Dec 15 2008 23:27:58 +00:00 c3845-adventerprisek9-mz.124-20.T
12 -rw- 247 Jul 10 2010 17:54:20 +00:00 thehacklist.crl
13 -rw- 1627 Jul 10 2010 17:54:22 +00:00 thehacklist_00001.pem

From here, to see the root certificate of the CA, you can use:

# more flash:/thehacklist_00001.pem
-----BEGIN CERTIFICATE-----
MIIB/TCCAWagAwIBAgIBATANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdjbG91
ZGNhMB4XDTEwMDUwNTIxNDI1MloXDTEzMDUwNDIxNDI1MlowEjEQMA4GA1UEAxMH
Y2xvdWRjYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlKg0l1DdBpgc/5j3
mA8XodkRq3d5c6K4ZYgUKftEUBAJV3tQz8/ms+CObfmvOn8BdZl0vsLDhJIPRCoq
pypec//gtJpQAAo2I8PCl874yB8k/ebhxBMMhzxQ7y70B0d6gbl8Ub+pmXJnl7Gi
61G41bmNCzXHdfUUiVczpVnaaaaaaaaaaaaaaaaaaaYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUbjpam0qXL8U93MSmngJ1vE1USrMw
HQYDVR0OBBYEFG46WptKly/FPdzEpp4CdbxNVEqzMA0GCSqGSIb3DQEBBAUAA4GB
ACDHm7NNssxSzdD1aQUyUtAni9zo2TCrdcVYtUa5z497JWAPK5YE1tGsMdkYawky
/sUuQMQY4nQFaHtlwKoDHKUSRuygq24GjCUXwoSLLR8jqzfuSgah1ZPohZUPRFEo
EAN2hDdw3Y0o75rsHzie355AH2a22nDnyAm+89EJqEsv
-----END CERTIFICATE-----

1 comment:

  1. I really appreciate your fantastic post. Thanks for sharing such a nice tip. Good information and will be useful for us.
    Visit my site:- Cisco Router Support

    ReplyDelete