Example using EST for certificate enrollment

This example illustrates the configuration of an EST profile and enrolling application certificates using an EST server.

Prerequisites:

  • An EST server is reachable from the switch management port.
  • Availability of the root CA certificate used to validate the server certificate.

This example shows the following:

  • Installing the root CA certificate as a TA profile for validation of the EST server certificate.
  • Configuring an EST profile with the EST server information, including the username and password for client authentication and the EST server URL.
  • Issuing a request to enroll a leaf certificate using the EST server.
  • Assigning the enrolled certificate to the EST client and syslog client on the switch.

Each section of the example below is preceded by a short description of what it shows.

Example

================================================================================
The switch in its default configuration state.
================================================================================
switch# show running-config
Current configuration:
!
!Version AOS-CX FL.10.06.0001CM
!export-password: default
user admin group administrators password ciphertext AQBapTLgcT+DNrtd0bmdXIP2L0AY
NUpwwyQEIZX4oMKtwlXcYgAAAOmKlfxH+ugf3Fe2JuWar2uKG7A/R6bqMO/ZHS364NOmpXV/Ko37ZhCq
cFpaOJsk01+IJPRUkbpigCeEObM67Od8/vrASJaO6EAj+RBnWCrifwdChcUUS3XpbCUl7dmxYHNg
!
!
ssh server vrf default
ssh server vrf mgmt
vsf member 1
    type jl668a
vlan 1
spanning-tree
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    no routing
    vlan access 1
interface 1/1/2
    no shutdown
    no routing
    vlan access 1
interface 1/1/3
    no shutdown
    no routing
    vlan access 1
...
interface 1/1/26
    no shutdown
    no routing
    vlan access 1
interface 1/1/27
    no shutdown
    no routing
    vlan access 1
interface 1/1/28
    no shutdown
    no routing
    vlan access 1
interface vlan 1
    ip dhcp
!
!
https-server vrf default
https-server vrf mgmt
switch#

================================================================================
The mgmt port is connected to a network with DNS available and the EST server reachable.
================================================================================
switch# show interface mgmt
  Address Mode                  : dhcp
  Admin State                   : up
  Mac Address                   : 38:21:c7:59:cd:81
  IPv4 address/subnet-mask      : 999.100.205.146/24
  Default gateway IPv4          : 999.100.205.1
  IPv6 address/prefix           :
  IPv6 link local address/prefix: fe80::3a21:c7ff:fe59:cd81/64
  Default gateway IPv6          :
  Primary Nameserver            :
  Secondary Nameserver          :
switch#

================================================================================
Configure the root CA cert as a TA profile that will validate the server cert.
================================================================================
switch# config
switch(config)#
switch(config)# crypto pki ta-profile root-ca-for-est-server
switch(config-ta-root-ca-for-est-server)#
switch(config-ta-root-ca-for-est-server)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIB2DCCAX6gAwIBAgIJAKtmJvZZy9RdMAoGCCqGSM49BAMCMGIxCzAJBgNVBAYT
switch(config-ta-cert)# AlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNI
switch(config-ta-cert)# UEUxDjAMBgNVBAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1
...
switch(config-ta-cert)# VCnKTlhxfmV72nfxYpI979UsopuP5nCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
switch(config-ta-cert)# BAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIQDb/uHvU8DFRTyfnP9wk1i6sdeo6yN0
switch(config-ta-cert)# UvUO5t7/rrVxRQIgMHGjHhaN1nkjYBG8Ei3C1UDILiKlO7McMTCWVo4Ik5c=
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Serial Number: 0xAB6626FXXXXD45D

TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
switch(config-ta-root-ca-for-est-server)#
switch(config-ta-root-ca-for-est-server)# exit
switch(config)#
switch(config)# show crypto pki ta-profile
TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
root-ca-for-est-server           Installed, valid     disabled
switch(config)#

================================================================================
Configure the EST profile with the EST server URL, username/password.
================================================================================
switch(config)# crypto pki est-profile test-est-server
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# user fred password plaintext barney
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# url https://999.0.10.229:8443/.well-known/est
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# exit
switch(config)#

================================================================================
At the time the EST URL is set, the switch sends a request to the EST server to
get the set of trusted CA certs. If that is successful, TA profiles will be
auto-created for those CA certs. Display the list of TA profiles and EST profile
details.
================================================================================
switch(config)# show crypto pki ta-profile
TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
test-est-server-est-ta00         Installed, valid     OCSP
test-est-server-est-ta02         Installed, valid     OCSP
test-est-server-est-ta05         Installed, valid     OCSP
test-est-server-est-ta01         Installed, valid     OCSP
root-ca-for-est-server           Installed, valid     disabled
test-est-server-est-ta04         Installed, valid     OCSP
test-est-server-est-ta03         Installed, valid     OCSP
switch(config)# show crypto pki est-profile
                                 Downloaded  Enrolled
Profile Name                     TA Profiles Certificates
-------------------------------- ----------- ------------
test-est-server                  6           1
switch(config)# show crypto pki est-profile test-est-server
Profile Name                 : test-est-server
Service VRF                  : mgmt
Service URL                  : https://999.0.10.229:8443/.well-known/est
Arbitrary Label              : not configured
Arbitrary Label Enrollment   : not configured
Arbitrary Label Reenrollment : not configured
Authentication Username      : fred
Authentication Password      : AQBapR7ndgoxkMlWQUQvK+Dvd3S6m+s9fdaPQwdkMbIYEMnMBgAAAHRhhliYwA==
Retry Interval               : 30 seconds
Retry Count                  : 3 times
Reenrollment Lead Time       : 2 days
Downloaded TA Profiles       : 6
Enrolled Certificates        : cert-for-app
switch(config)#

================================================================================
Originally, the switch only has two built-in certificates.
================================================================================
switch(config)# show crypto pki certificate
Certificate Name       Cert Status    EST Status        Associated Applications
---------------------- -------------- ----------------- ------------------------------
local-cert             installed      n/a               captive-portal, est-client,
                                                        https-server, radsec-client,
                                                        syslog-client
device-identity        installed      n/a               none
switch(config)#

================================================================================
Create a new certificate, configure its key type, key size, and subject fields.
================================================================================
switch(config)# crypto pki certificate cert-for-app
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# key-type ecdsa curve-size 521
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# subject
Do you want to use the switch serial number as the common name (y/n)? n
Common Name: 999.100.205.146
Org Unit: Aruba-Roseville
Org Name: HPE
Locality: Roseville
State: CA
Country: US
switch(config-cert-cert-for-app)#

================================================================================
Request to enroll the certificate through the EST server.
================================================================================
switch(config-cert-cert-for-app)# enroll est-profile test-est-server
You are enrolling a certificate with the following attributes:
Subject: C=US, ST=CA, L=Roseville, OU=Aruba-Roseville, O=HPE, CN=999.100.205.146
Key Type: ECDSA (521)
Continue (y/n)? y
Certificate enrollment via test-est-server has been initiated.
Please use 'show crypto pki certificate cert-for-app' to check its status.
switch(config-cert-cert-for-app)#

================================================================================
Check the cert status to see if enrollment is successful. It is.
================================================================================
switch(config-cert-cert-for-app)# show crypto pki certificate
Certificate Name       Cert Status    EST Status        Associated Applications
---------------------- -------------- ----------------- ------------------------------
local-cert             installed      n/a               captive-portal, est-client,
                                                        https-server, radsec-client,
                                                        syslog-client
device-identity        installed      n/a               none
cert-for-app           installed      enroll success    none
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# exit
switch(config)#
switch(config)# show crypto pki certificate cert-for-app pem
Certificate Name: cert-for-app
Associated Applications: est-client
Certificate Status: installed
EST Status: enroll success
Certificate Type: regular
Intermediates:
  Subject: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int2
  Issuer: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int1
  Serial Number: 0x02

  Subject: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int1
  Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
  Serial Number: 0x01

  Subject: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
  Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
  Serial Number: 0xAB6626FXXXXD45D
-----BEGIN CERTIFICATE-----
MIICizCCAjKgAwIBAgICAIgwCQYHKoZIzj0EATBOMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCQ0ExDDAKBgNVBAoTA0hQRTEOMAwGA1UECxMFQXJ1YmExFDASBgNVBAMT
C2RhbmVzdC1pbnQyMB4XDTIwMTAyODE5NTczOVoXDTIwMTEyNTE5NTczOVowbzEL
...
RTEOMAwGA1UECxMFQXJ1YmExFDASBgNVBAMTC2RhbmVzdC1pbnQxggECMAkGByqG
SM49BAEDSAAwRQIgVC1kVIewXhpBSQVqVsQ36MbzrhR4XsaGbQeu7+O8gbUCIQCH
cS17gcLbNxJ1WVr2jnZpPBxy9vID38FjirJiGZ5cZw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBpzCCAU2gAwIBAgIBAjAJBgcqhkjOPQQBME4xCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTEMMAoGA1UEChMDSFBFMQ4wDAYDVQQLEwVBcnViYTEUMBIGA1UEAxML
ZGFuZXN0LWludDEwHhcNMjAwNTIwMDUyNDExWhcNMzAwNTE4MDUyNDExWjBOMQsw
...
7ovbXodgN8lqDvBl1VTJYlLBSzl9FKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8E
BAMCAQYwCQYHKoZIzj0EAQNJADBGAiEA+i3x7KEZsxObVruM1kwqWe+QXiLKbgNL
fL077jsSMhYCIQD/dFBkH/yN0NFzb3wI7OaooO83HY2p/47t2pIBk/JNfg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBuTCCAWGgAwIBAgIBATAJBgcqhkjOPQQBMGIxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNIUEUxDjAMBgNV
BAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1MjAwNTE1MjNa
...
BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAJBgcqhkjOPQQBA0cAMEQCIGrlZmBX
SmbhDvG9pRiXG0YMqVbvZd37jRQdE+mEk2jfAiBFGhzMjUadhQbuPUTNs9A7bdYk
wej0mJe5bRpd7sqwRQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIJAKtmJvZZy9RdMAoGCCqGSM49BAMCMGIxCzAJBgNVBAYT
AlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNI
UEUxDjAMBgNVBAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1
...
VCnKTlhxfmV72nfxYpI979UsopuP5nCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
BAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIQDb/uHvU8DFRTyfnP9wk1i6sdeo6yN0
UvUO5t7/rrVxRQIgMHGjHhaN1nkjYBG8Ei3C1UDILiKlO7McMTCWVo4Ik5c=
-----END CERTIFICATE-----
switch(config)#

================================================================================
Initially, all applications use the default local-cert.
================================================================================
switch(config)# show crypto pki application
Associated Applications    Certificate Name    Cert Status
-------------------------- ------------------- ---------------------------------
captive-portal                                 not configured, using local-cert
est-client                                     not configured, using local-cert
https-server                                   not configured, using local-cert
radsec-client                                  not configured, using local-cert
syslog-client                                  not configured, using local-cert
switch(config)#

================================================================================
Assign the newly enrolled cert to applications as desired. In this example, the
cert is assigned to the est-client and syslog-client.
================================================================================
switch(config)# crypto pki application est-client certificate cert-for-app
switch(config)# crypto pki application syslog-client certificate cert-for-app
switch(config)#
switch(config)# show crypto pki application
Associated Applications    Certificate Name    Cert Status
-------------------------- ------------------- ------------------------------
captive-portal                                 not configured, using local-cert
est-client                 cert-for-app        valid
https-server                                   not configured, using local-cert
radsec-client                                  not configured, using local-cert
syslog-client              cert-for-app        valid
switch(config)#
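The walkthrough shows two EST exchanges from the switch's side only: setting the profile URL triggers the CA-certificate download that produces the auto-created TA profiles, and "enroll est-profile" submits the CSR. The following is an added example, not AOS-CX code or the EST server's code, that models both exchanges as a client would implement them per RFC 7030 (GET /cacerts, then POST /simpleenroll with HTTP Basic credentials and a PKCS#10 body), including the HTTP 202 "pending" response a server may return before issuing. The server is a constructed in-memory stand-in so the flow runs offline; the PKCS#7 and CSR payloads are placeholder bytes, and mapping the profile's "Retry Count" and "Retry Interval" onto repeated 202 responses is an assumption about how the switch behaves, not something the page states.

```python
"""Added example: the two EST exchanges behind the walkthrough, modelled offline.

The real switch talks TLS to the profile URL and validates the server's
certificate against the root-ca-for-est-server TA profile; that transport is
replaced here by an injected `transport(method, path, headers, body)` callable.
"""
import base64
from urllib.parse import urlparse

# Values from the walkthrough's EST profile (the password as configured in plaintext).
PROFILE = {
    "url": "https://999.0.10.229:8443/.well-known/est",
    "user": "fred",
    "password": "barney",
    "retry_interval": 30,   # "Retry Interval : 30 seconds"
    "retry_count": 3,       # "Retry Count    : 3 times" (assumed to bound pending retries)
}


def est_path(base_url, operation, label=None):
    """RFC 7030 path layout: /.well-known/est[/<arbitrary label>]/<operation>."""
    path = urlparse(base_url).path.rstrip("/")
    if label:                          # the profile's "Arbitrary Label", unset above
        path += "/" + label
    return path + "/" + operation


def basic_auth_header(user, password):
    """HTTP Basic credentials for the username/password in the profile."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


class FakeEstServer:
    """Constructed stand-in for an EST server (assumption, not a real product).

    /cacerts answers at once; /simpleenroll requires Basic auth and a PKCS#10
    body and answers HTTP 202 + Retry-After `pending` times before issuing.
    """

    def __init__(self, ca_bundle, leaf_cert, pending=1):
        self.ca_bundle = ca_bundle     # stands in for a PKCS#7 certs-only blob
        self.leaf_cert = leaf_cert     # stands in for the issued certificate
        self.pending = pending
        self.log = []                  # (method, path) of every request seen

    def handle(self, method, path, headers, body=b""):
        self.log.append((method, path))
        if method == "GET" and path.endswith("/cacerts"):
            return 200, {"Content-Type": "application/pkcs7-mime"}, base64.b64encode(self.ca_bundle)
        if method == "POST" and path.endswith("/simpleenroll"):
            if "Authorization" not in headers:
                return 401, {"WWW-Authenticate": 'Basic realm="est"'}, b""
            if headers.get("Content-Type") != "application/pkcs10":
                return 400, {}, b""
            if self.pending > 0:
                self.pending -= 1
                return 202, {"Retry-After": "30"}, b""
            return 200, {"Content-Type": "application/pkcs7-mime"}, base64.b64encode(self.leaf_cert)
        return 404, {}, b""


def fetch_cacerts(transport, profile):
    """What happens when the URL is set: pull the CA set that the switch turns
    into the auto-created <profile>-est-taNN TA profiles."""
    status, hdrs, body = transport("GET", est_path(profile["url"], "cacerts"),
                                   {"Accept": "application/pkcs7-mime"})
    if status != 200 or hdrs.get("Content-Type") != "application/pkcs7-mime":
        raise RuntimeError(f"cacerts failed: HTTP {status}")
    return base64.b64decode(body)


def simple_enroll(transport, profile, csr_der, sleep):
    """Submit the CSR and honour 202/Retry-After up to the profile's retry count.
    `sleep` is injected so a test does not actually wait."""
    headers = {"Content-Type": "application/pkcs10",
               "Content-Transfer-Encoding": "base64",
               **basic_auth_header(profile["user"], profile["password"])}
    path = est_path(profile["url"], "simpleenroll")
    for _ in range(profile["retry_count"] + 1):
        status, hdrs, body = transport("POST", path, headers, base64.b64encode(csr_der))
        if status == 200:
            return base64.b64decode(body)
        if status == 202:
            sleep(int(hdrs.get("Retry-After", profile["retry_interval"])))
            continue
        raise RuntimeError(f"enrollment rejected: HTTP {status}")
    raise RuntimeError("enrollment still pending after retries")


if __name__ == "__main__":
    server = FakeEstServer(b"constructed-ca-bundle", b"constructed-leaf")
    print(fetch_cacerts(server.handle, PROFILE))
    print(simple_enroll(server.handle, PROFILE, b"constructed-csr", sleep=lambda s: None))
    print(server.log)
```

The client only trusts a /cacerts answer with the expected status and content type, and it treats anything other than 200 or 202 from /simpleenroll as a hard failure rather than retrying, which is the behaviour to look for when the switch reports an EST status other than "enroll success".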
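Two details in the final "show" tables deserve a check after an enrollment like this one: which applications are still falling back to the built-in local-cert, and which TA profiles have no revocation checking (the manually imported root-ca-for-est-server shows "disabled", while the auto-created profiles show OCSP). The following is an added example, not AOS-CX code, that parses those fixed-width tables using the dashed separator line to find the column boundaries; the sample input is transcribed from the output above and is constructed for the example.

```python
"""Added example: parse 'show crypto pki application' and 'show crypto pki
ta-profile' output and flag applications still on local-cert and TA profiles
with the revocation check disabled."""

# Transcribed from the walkthrough (constructed sample input for this example).
APPLICATION_OUTPUT = """\
switch(config)# show crypto pki application
Associated Applications    Certificate Name    Cert Status
-------------------------- ------------------- ------------------------------
captive-portal                                 not configured, using local-cert
est-client                 cert-for-app        valid
https-server                                   not configured, using local-cert
radsec-client                                  not configured, using local-cert
syslog-client              cert-for-app        valid
switch(config)#
"""

TA_OUTPUT = """\
switch(config)# show crypto pki ta-profile
TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
test-est-server-est-ta00         Installed, valid     OCSP
test-est-server-est-ta02         Installed, valid     OCSP
test-est-server-est-ta05         Installed, valid     OCSP
test-est-server-est-ta01         Installed, valid     OCSP
root-ca-for-est-server           Installed, valid     disabled
test-est-server-est-ta04         Installed, valid     OCSP
test-est-server-est-ta03         Installed, valid     OCSP
switch(config)#
"""


def _columns(separator):
    """Column (start, end) offsets from a '---- ---- ----' separator line."""
    cols, start = [], None
    for i, ch in enumerate(separator + " "):
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            cols.append((start, i))
            start = None
    return cols


def parse_table(output):
    """Return table rows as lists of cell strings.

    The last column runs to end of line because values such as
    'not configured, using local-cert' overrun its dashes. Rows end at a
    blank line or at the next CLI prompt."""
    lines = output.splitlines()
    sep_idx = next(i for i, line in enumerate(lines)
                   if "-" in line and set(line.strip()) <= set("- "))
    cols = _columns(lines[sep_idx])
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip() or line.lstrip().startswith("switch"):
            break
        cells = [line[s:e].strip() for s, e in cols[:-1]]
        cells.append(line[cols[-1][0]:].strip())
        rows.append(cells)
    return rows


def apps_on_local_cert(application_output):
    """Applications with no certificate assigned, still using local-cert."""
    return [app for app, cert, status in parse_table(application_output)
            if not cert and "local-cert" in status]


def ta_profiles_without_revocation(ta_output):
    """TA profiles whose revocation check column reads 'disabled'."""
    return [name for name, _cert, revocation in parse_table(ta_output)
            if revocation.lower() == "disabled"]


if __name__ == "__main__":
    print("still on local-cert:", apps_on_local_cert(APPLICATION_OUTPUT))
    print("no revocation check:", ta_profiles_without_revocation(TA_OUTPUT))
```

Deriving column offsets from the separator line rather than hard-coding them keeps the parser working across the two application tables above, whose last column is 33 dashes wide in one listing and 30 in the other.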