AOS-CX 10.10 Security Guide Help Center
Example using EST for certificate enrollment
This example illustrates configuring an EST profile and enrolling application certificates through an EST server.
Prerequisites:
- An EST server is reachable from the switch management port.
- Availability of the root CA certificate used to validate the server certificate.
This example shows the following:
- Installing the root CA certificate as a TA profile for validation of the EST server certificate.
- Configuring an EST profile with the EST server information, including the username and password for client authentication and the EST server URL.
- Issuing a request to enroll a leaf certificate using the EST server.
- Assigning the enrolled certificate to the EST client and syslog client on the switch.
Each section of the example below is preceded by descriptive text.
Example
================================================================================
The switch in its default configuration state.
================================================================================
switch# show running-config
Current configuration:
!
!Version AOS-CX FL.10.06.0001CM
!export-password: default
user admin group administrators password ciphertext AQBapTLgcT+DNrtd0bmdXIP2L0AY
NUpwwyQEIZX4oMKtwlXcYgAAAOmKlfxH+ugf3Fe2JuWar2uKG7A/R6bqMO/ZHS364NOmpXV/Ko37ZhCq
cFpaOJsk01+IJPRUkbpigCeEObM67Od8/vrASJaO6EAj+RBnWCrifwdChcUUS3XpbCUl7dmxYHNg
!
!
ssh server vrf default
ssh server vrf mgmt
vsf member 1
type jl668a
vlan 1
spanning-tree
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
no routing
vlan access 1
interface 1/1/2
no shutdown
no routing
vlan access 1
interface 1/1/3
no shutdown
no routing
vlan access 1
...
interface 1/1/26
no shutdown
no routing
vlan access 1
interface 1/1/27
no shutdown
no routing
vlan access 1
interface 1/1/28
no shutdown
no routing
vlan access 1
interface vlan 1
ip dhcp
!
!
https-server vrf default
https-server vrf mgmt
switch#
================================================================================
The mgmt port is connected to a network with DNS available and the
EST server reachable.
================================================================================
switch# show interface mgmt
Address Mode : dhcp
Admin State : up
Mac Address : 38:21:c7:59:cd:81
IPv4 address/subnet-mask : 999.100.205.146/24
Default gateway IPv4 : 999.100.205.1
IPv6 address/prefix :
IPv6 link local address/prefix: fe80::3a21:c7ff:fe59:cd81/64
Default gateway IPv6 :
Primary Nameserver :
Secondary Nameserver :
switch#
================================================================================
Configure the root CA cert as a TA profile that will validate the server cert.
================================================================================
switch# config
switch(config)#
switch(config)# crypto pki ta-profile root-ca-for-est-server
switch(config-ta-root-ca-for-est-server)#
switch(config-ta-root-ca-for-est-server)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIB2DCCAX6gAwIBAgIJAKtmJvZZy9RdMAoGCCqGSM49BAMCMGIxCzAJBgNVBAYT
switch(config-ta-cert)# AlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNI
switch(config-ta-cert)# UEUxDjAMBgNVBAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1
...
switch(config-ta-cert)# VCnKTlhxfmV72nfxYpI979UsopuP5nCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
switch(config-ta-cert)# BAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIQDb/uHvU8DFRTyfnP9wk1i6sdeo6yN0
switch(config-ta-cert)# UvUO5t7/rrVxRQIgMHGjHhaN1nkjYBG8Ei3C1UDILiKlO7McMTCWVo4Ik5c=
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Serial Number: 0xAB6626FXXXXD45D
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
switch(config-ta-root-ca-for-est-server)#
switch(config-ta-root-ca-for-est-server)# exit
switch(config)#
switch(config)# show crypto pki ta-profile
TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
root-ca-for-est-server           Installed, valid     disabled
switch(config)#
================================================================================
Configure the EST profile with the EST server URL, username/password.
================================================================================
switch(config)# crypto pki est-profile test-est-server
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# user fred password plaintext barney
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# url https://999.0.10.229:8443/.well-known/est
switch(config-est-test-est-server)#
switch(config-est-test-est-server)# exit
switch(config)#
================================================================================
At the time the EST URL is set, the switch sends a request to the EST server to
get the set of trusted CA certs. If that is successful, TA profiles will be
auto-created for those CA certs.
Display the list of TA profiles and EST profile details.
================================================================================
switch(config)# show crypto pki ta-profile
TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
test-est-server-est-ta00         Installed, valid     OCSP
test-est-server-est-ta02         Installed, valid     OCSP
test-est-server-est-ta05         Installed, valid     OCSP
test-est-server-est-ta01         Installed, valid     OCSP
root-ca-for-est-server           Installed, valid     disabled
test-est-server-est-ta04         Installed, valid     OCSP
test-est-server-est-ta03         Installed, valid     OCSP
switch(config)# show crypto pki est-profile
                                 Downloaded  Enrolled
Profile Name                     TA Profiles Certificates
-------------------------------- ----------- ------------
test-est-server                  6           1
switch(config)# show crypto pki est-profile test-est-server
Profile Name : test-est-server
Service VRF : mgmt
Service URL : https://999.0.10.229:8443/.well-known/est
Arbitrary Label : not configured
Arbitrary Label Enrollment : not configured
Arbitrary Label Reenrollment : not configured
Authentication Username : fred
Authentication Password : AQBapR7ndgoxkMlWQUQvK+Dvd3S6m+s9fdaPQwdkMbIYEMnMBgAAAHRhhliYwA==
Retry Interval : 30 seconds
Retry Count : 3 times
Reenrollment Lead Time : 2 days
Downloaded TA Profiles : 6
Enrolled Certificates :
cert-for-app
switch(config)#
================================================================================
Initially, the switch has only the two built-in certificates.
================================================================================
switch(config)# show crypto pki certificate
Certificate Name       Cert Status    EST Status        Associated Applications
---------------------- -------------- ----------------- ------------------------------
local-cert             installed      n/a               captive-portal, est-client,
                                                        https-server, radsec-client,
                                                        syslog-client
device-identity        installed      n/a               none
switch(config)#
================================================================================
Create a new certificate, configure its key type, key size, and subject fields.
================================================================================
switch(config)# crypto pki certificate cert-for-app
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# key-type ecdsa curve-size 521
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# subject
Do you want to use the switch serial number as the common name (y/n)? n
Common Name: 999.100.205.146
Org Unit: Aruba-Roseville
Org Name: HPE
Locality: Roseville
State: CA
Country: US
switch(config-cert-cert-for-app)#
================================================================================
Request to enroll the certificate through the EST server.
================================================================================
switch(config-cert-cert-for-app)# enroll est-profile test-est-server
You are enrolling a certificate with the following attributes:
Subject: C=US, ST=CA, L=Roseville, OU=Aruba-Roseville, O=HPE,
CN=999.100.205.146
Key Type: ECDSA (521)
Continue (y/n)? y
Certificate enrollment via test-est-server has been initiated. Please use
'show crypto pki certificate cert-for-app' to check its status.
switch(config-cert-cert-for-app)#
================================================================================
Check the certificate status to confirm that enrollment succeeded. It did.
================================================================================
switch(config-cert-cert-for-app)# show crypto pki certificate
Certificate Name       Cert Status    EST Status        Associated Applications
---------------------- -------------- ----------------- ------------------------------
local-cert             installed      n/a               captive-portal, est-client,
                                                        https-server, radsec-client,
                                                        syslog-client
device-identity        installed      n/a               none
cert-for-app           installed      enroll success    none
switch(config-cert-cert-for-app)#
switch(config-cert-cert-for-app)# exit
switch(config)#
switch(config)# show crypto pki certificate cert-for-app pem
Certificate Name: cert-for-app
Associated Applications:
est-client
Certificate Status: installed
EST Status: enroll success
Certificate Type: regular
Intermediates:
Subject: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int2
Issuer: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int1
Serial Number: 0x02
Subject: C = US, ST = CA, O = HPE, OU = Aruba, CN = danest-int1
Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Serial Number: 0x01
Subject: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Issuer: C = US, ST = CA, L = Roseville, O = HPE, OU = Aruba, CN = danest-root
Serial Number: 0xAB6626FXXXXD45D
-----BEGIN CERTIFICATE-----
MIICizCCAjKgAwIBAgICAIgwCQYHKoZIzj0EATBOMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCQ0ExDDAKBgNVBAoTA0hQRTEOMAwGA1UECxMFQXJ1YmExFDASBgNVBAMT
C2RhbmVzdC1pbnQyMB4XDTIwMTAyODE5NTczOVoXDTIwMTEyNTE5NTczOVowbzEL
...
RTEOMAwGA1UECxMFQXJ1YmExFDASBgNVBAMTC2RhbmVzdC1pbnQxggECMAkGByqG
SM49BAEDSAAwRQIgVC1kVIewXhpBSQVqVsQ36MbzrhR4XsaGbQeu7+O8gbUCIQCH
cS17gcLbNxJ1WVr2jnZpPBxy9vID38FjirJiGZ5cZw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBpzCCAU2gAwIBAgIBAjAJBgcqhkjOPQQBME4xCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTEMMAoGA1UEChMDSFBFMQ4wDAYDVQQLEwVBcnViYTEUMBIGA1UEAxML
ZGFuZXN0LWludDEwHhcNMjAwNTIwMDUyNDExWhcNMzAwNTE4MDUyNDExWjBOMQsw
...
7ovbXodgN8lqDvBl1VTJYlLBSzl9FKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8E
BAMCAQYwCQYHKoZIzj0EAQNJADBGAiEA+i3x7KEZsxObVruM1kwqWe+QXiLKbgNL
fL077jsSMhYCIQD/dFBkH/yN0NFzb3wI7OaooO83HY2p/47t2pIBk/JNfg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBuTCCAWGgAwIBAgIBATAJBgcqhkjOPQQBMGIxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNIUEUxDjAMBgNV
BAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1MjAwNTE1MjNa
...
BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAJBgcqhkjOPQQBA0cAMEQCIGrlZmBX
SmbhDvG9pRiXG0YMqVbvZd37jRQdE+mEk2jfAiBFGhzMjUadhQbuPUTNs9A7bdYk
wej0mJe5bRpd7sqwRQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIJAKtmJvZZy9RdMAoGCCqGSM49BAMCMGIxCzAJBgNVBAYT
AlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUm9zZXZpbGxlMQwwCgYDVQQKEwNI
UEUxDjAMBgNVBAsTBUFydWJhMRQwEgYDVQQDEwtkYW5lc3Qtcm9vdDAeFw0yMDA1
...
VCnKTlhxfmV72nfxYpI979UsopuP5nCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
BAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIQDb/uHvU8DFRTyfnP9wk1i6sdeo6yN0
UvUO5t7/rrVxRQIgMHGjHhaN1nkjYBG8Ei3C1UDILiKlO7McMTCWVo4Ik5c=
-----END CERTIFICATE-----
switch(config)#
================================================================================
Initially, all applications use the default local-cert.
================================================================================
switch(config)# show crypto pki application
Associated Applications    Certificate Name    Cert Status
-------------------------- ------------------- ---------------------------------
captive-portal             not configured, using local-cert
est-client                 not configured, using local-cert
https-server               not configured, using local-cert
radsec-client              not configured, using local-cert
syslog-client              not configured, using local-cert
switch(config)#
================================================================================
Assign the newly enrolled certificate to applications as desired.
In this example, the certificate is assigned to est-client and syslog-client.
================================================================================
switch(config)# crypto pki application est-client certificate cert-for-app
switch(config)# crypto pki application syslog-client certificate cert-for-app
switch(config)#
switch(config)# show crypto pki application
Associated Applications    Certificate Name    Cert Status
-------------------------- ------------------- ------------------------------
captive-portal             not configured, using local-cert
est-client                 cert-for-app        valid
https-server               not configured, using local-cert
radsec-client              not configured, using local-cert
syslog-client              cert-for-app        valid
switch(config)#
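As an added audit script for the end state of this procedure (example code, not AOS-CX or HPE code), the following Python parses the two show outputs above and reports applications that still fall back to the built-in local-cert or are bound to a certificate that is not installed, enrolled and valid; the set of applications that must use the enrolled certificate is an assumption.

```python
# Added example, not AOS-CX code: audit 'show crypto pki certificate' and 'show crypto pki
# application' output, flagging apps still on the built-in local-cert or bound to a cert that
# is not installed, enrolled and valid. Samples are taken from the transcript; REQUIRED is assumed.
import re

CERT_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<cert>\S+)\s+(?P<est>n/a|enroll \S+)\s*(?P<apps>.*)$")
APP_ROW = re.compile(r"^(?P<app>[a-z][a-z-]*)\s+(?P<rest>\S.*)$")  # prompt, header, dash lines never match
SKIP = ("switch", "Certificate Name", "-")  # prompt, header and dash lines of the certificate table
REQUIRED = ("est-client", "syslog-client")  # assumption: apps that must use the enrolled cert

def parse_certificates(text):
    # cert name -> [cert status, EST status, [apps]]; wrapped application lists are joined
    certs, current = {}, None
    for s in (line.strip() for line in text.splitlines()):
        if not s or s.startswith(SKIP):
            continue
        m = CERT_ROW.match(s)
        if m:  # a new row; any non-matching line continues the previous row's application list
            current = certs.setdefault(m["name"], [m["cert"], m["est"], []])
            s = m["apps"]
        if current is not None:
            current[2] += [a.strip() for a in s.split(",") if a.strip() not in ("", "none")]
    return certs

def parse_applications(text):
    # app -> (cert name, status); an unconfigured app maps to ("local-cert", "default")
    apps = {}
    for m in filter(None, map(APP_ROW.match, (line.strip() for line in text.splitlines()))):
        name, *status = m["rest"].split(None, 1)
        default = m["rest"].startswith("not configured")
        apps[m["app"]] = ("local-cert", "default") if default else (name, status[0] if status else "")
    return apps

def audit(cert_text, app_text, required=REQUIRED):
    # findings; an empty list means every required app is bound to an installed, enrolled, valid cert
    certs, apps = parse_certificates(cert_text), parse_applications(app_text)
    findings = []
    for app, (name, status) in apps.items():
        cert = certs.get(name)
        if name == "local-cert":
            if app in required:
                findings.append(f"{app}: still using built-in local-cert")
        elif not (cert and cert[0] == "installed" and cert[1] in ("n/a", "enroll success") and status == "valid"):
            findings.append(f"{app}: {name} not usable (cert {cert[:2] if cert else 'missing'}, {status!r})")
    return findings

CERT_OUTPUT = ("Certificate Name  Cert Status  EST Status  Associated Applications\n"
               "local-cert  installed  n/a  captive-portal, est-client,\n  syslog-client\n"
               "cert-for-app  installed  enroll success  none\n")
APP_OUTPUT = ("captive-portal  not configured, using local-cert\n"
              "est-client  cert-for-app  valid\nsyslog-client  cert-for-app  valid\n")
```

Run `audit(CERT_OUTPUT, APP_OUTPUT)` after the assignment step; an empty result means both assigned applications are on the enrolled certificate.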