The document describes configuring certificate authority (CA) high availability on Cisco IOS routers R1 and R2 using HSRP and SCTP. Key steps include:
1. Configuring HSRP and SCTP on R1 and R2 to establish an active-standby redundancy relationship.
2. Configuring the PKI server on the active router only. The configuration and issued certificates will synchronize to the standby.
3. Verifying the redundancy, PKI server state, and that certificates issued by the active router are available on the standby.
Certificate Authority High Availability on Cisco IOS Routers
Last updated: May 20, 2013

Note: For this task, either load the Section 7 Initial Configuration Files to initialize your rack, or completely remove any PKI/RSA-related configuration done on R2 and R3 in the previous task.

Task

Configure R1 and R2 to function as redundant CA servers. In case of a reload, R1 should always become the active router. Insert Rack1-HA.ine.com in the Subject field of the CA certificate. Ensure that client certificates are automatically approved.

Overview

Cisco IOS PKI can be deployed in a High Availability mode, providing redundancy for client requests. Like other technologies that IOS supports in HA mode, such as Zone Based Firewall (ZBF) or IPsec, PKI HA uses the Stateful Switch-Over (SSO) redundancy feature. This inter-device redundancy function relies on two protocols: HSRP and SCTP. HSRP determines the roles, ACTIVE and STANDBY; SCTP carries the automatic synchronization from ACTIVE to STANDBY. For PKI, the following are automatically synchronized from the ACTIVE:

- CA server configuration
- CA certificate
- Certificate revocation list (CRL)
- Serial file
- RSA keys

Two consequences of this design matter for security. First, because the RSA keys are synchronized, the CA private key travels across the SCTP association between the two routers, and the verification outputs in this task show that association with "Security: Not configured"; keep the peers on a dedicated, access-controlled segment. Second, the HSRP role decides which router is the CA, and the configuration below runs HSRP without authentication; on any segment shared with untrusted hosts, add standby authentication to the group so that the ACTIVE role cannot be claimed by a rogue HSRP speaker advertising a higher priority.

To ensure functionality of the IOS PKI High Availability deployment, it is recommended that you use the following configuration steps:

1. Configure and verify HSRP functionality.
2. Configure and verify inter-device SSO redundancy functionality (this requires a manual reload on the STANDBY device).
Do not continue further unless SSO is functional.
3. Configure and activate the PKI server on the ACTIVE device.
4. Disable the PKI server on the ACTIVE device and enable PKI redundancy.
5. Activate the PKI server on the ACTIVE device again.

Note: The High Availability configuration from the PKI Configuration Guide for IOS 15MT is found in the Configuring Authorization and Revocation of Certificates in a PKI section.

Note: Because of the high volume of data that would have to be synchronized, if the CA runs with database level complete, the client-issued certificate files (.crt) are not synchronized to the standby system. The workaround is to point both CA systems at a common external storage location for these files with the database url command.

Configuration

R1:
ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby priority 150
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.1
   remote-port 5000
    remote-ip 136.1.18.2
!
redundancy inter-device
 scheme standby PKI

R2:
ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.2
   remote-port 5000
    remote-ip 136.1.18.1
!
redundancy inter-device
 scheme standby PKI

The SCTP endpoints mirror each other (R1's local-ip is R2's remote-ip, and both sides use port 5000), the scheme standby group name must match the HSRP standby name on both routers, and only R1 carries standby priority 150 with preempt, which is what makes R1 regain the ACTIVE role after a reload as the task requires (R2 stays at the HSRP default priority of 100).

At this point, save the configuration and reload the standby device to activate the redundancy. Note that after the manual reload, R2 will detect itself as standby and induce another forced reload. The following output, taken before that reload, shows the scheme still pending:

Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
  Pending Scheme: Standby (Will not take effect until next reload)
  Pending Groupname: PKI
  Scheme: <NOT CONFIGURED>
  Peer present: UNKNOWN
  Security: Not configured

After SSO is functional, configure PKI only on the ACTIVE device; it will be automatically synchronized to the STANDBY.
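The pairing rules above (mirrored SCTP endpoints, matching group names, one deterministic HSRP winner) are easy to get wrong when the two configurations are typed by hand. The following Python script is an added example, not part of the original task and not a Cisco tool: it parses the two configuration fragments and reports every mismatch, and it also flags the missing HSRP authentication. The configuration samples are constructed from the R1 and R2 fragments shown above, and the function names (parse_ha_config, check_ha_pair) are this example's own.

```python
import re

# Constructed samples reproducing the R1/R2 fragments from this task
# (typed from the page, not captured from a live device).
R1_CFG = """\
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby priority 150
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.1
   remote-port 5000
    remote-ip 136.1.18.2
!
redundancy inter-device
 scheme standby PKI
"""

R2_CFG = """\
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby preempt
 standby name PKI
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.2
   remote-port 5000
    remote-ip 136.1.18.1
!
redundancy inter-device
 scheme standby PKI
"""


def _first(cfg, pattern, default=None):
    """Group 1 of the first line matching pattern, or default."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else default


def parse_ha_config(cfg):
    """Pull the HSRP, SCTP and inter-device redundancy values out of one router's config."""
    return {
        "vip": _first(cfg, r"^\s*standby(?: \d+)? ip (\S+)"),
        # HSRP default priority is 100 when the line is absent
        "priority": int(_first(cfg, r"^\s*standby(?: \d+)? priority (\d+)", "100")),
        "preempt": _first(cfg, r"^\s*standby(?: \d+)? (preempt)") is not None,
        "auth": _first(cfg, r"^\s*standby(?: \d+)? (authentication)") is not None,
        "name": _first(cfg, r"^\s*standby(?: \d+)? name (\S+)"),
        "local_ip": _first(cfg, r"^\s*local-ip (\S+)"),
        "remote_ip": _first(cfg, r"^\s*remote-ip (\S+)"),
        "local_port": _first(cfg, r"^\s*local-port (\d+)"),
        "remote_port": _first(cfg, r"^\s*remote-port (\d+)"),
        "group": _first(cfg, r"^\s*scheme standby (\S+)"),
    }


def check_ha_pair(preferred_cfg, other_cfg):
    """Return a list of findings; empty means the pair is consistent and hardened.

    preferred_cfg is the router that must win the ACTIVE role after a reload (R1 in the task).
    """
    a, b = parse_ha_config(preferred_cfg), parse_ha_config(other_cfg)
    findings = []
    if a["vip"] is None or a["vip"] != b["vip"]:
        findings.append("HSRP virtual IP differs or is missing")
    if a["name"] is None or a["name"] != b["name"]:
        findings.append("HSRP group name differs or is missing")
    for label, r in (("preferred", a), ("other", b)):
        if r["group"] != r["name"]:
            findings.append(f"{label}: 'scheme standby' group does not match 'standby name'")
    # SCTP endpoints must mirror each other: my local address is your remote address
    if a["local_ip"] != b["remote_ip"] or b["local_ip"] != a["remote_ip"]:
        findings.append("SCTP local-ip/remote-ip are not mirrored between peers")
    if a["local_port"] != b["remote_port"] or b["local_port"] != a["remote_port"]:
        findings.append("SCTP local-port/remote-port are not mirrored between peers")
    # A deterministic ACTIVE after reload needs higher priority plus preempt on the preferred router
    if not (a["priority"] > b["priority"] and a["preempt"]):
        findings.append("preferred router lacks higher priority with preempt; ACTIVE role is not deterministic")
    # The HSRP role decides which box is the CA, so unauthenticated HSRP is a takeover path
    if not (a["auth"] and b["auth"]):
        findings.append("HSRP authentication not configured on both routers")
    return findings


if __name__ == "__main__":
    for line in check_ha_pair(R1_CFG, R2_CFG) or ["pair is consistent"]:
        print(line)
```

Run against the task's own configuration the only finding is the missing HSRP authentication; swapping the arguments (treating R2 as the preferred router) or editing one remote-ip produces the corresponding mismatch.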
R1:
crypto key generate rsa general-keys redundancy label HA modulus 1024
!
crypto pki server HA
 database level names
 issuer-name CN=Rack1-HA.ine.com
 database archive pkcs12 password ciscocisco
 grant auto
 no shutdown
!
crypto pki server HA
 shutdown
 redundancy
 no shutdown

The redundancy keyword on the RSA key pair is what makes the CA private key eligible for synchronization, and redundancy under the server is what enables the synchronization itself; the server must be shut down to accept that change, hence the shutdown / no shutdown sequence. The task requires grant auto, which means any host that can reach the SCEP endpoint on the HSRP virtual IP is issued a certificate without review; outside a lab, leave granting manual. The database archive password protects the exported PKCS#12 copy of the CA key, so treat the saved configuration as sensitive.

If PKI functionality is not synchronized as shown in the Verification section, it may be necessary to perform another reload of both routers.

Verification

First, verify SSO inter-device redundancy.

Rack1R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby
    Groupname: PKI Group State: Active
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured

Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
    Groupname: PKI Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured

Rack1R1#show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
    Manual Swact = enabled
  Communications = Up

   client count = 13
 client_notification_TMR = 60000 milliseconds
          RF debug mask = 0x0

Rack1R2#show redundancy states
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
    Manual Swact = cannot be initiated from this the standby unit
  Communications = Up

   client count = 13
 client_notification_TMR = 60000 milliseconds
          RF debug mask = 0x0

Verify the PKI HA configuration.
Rack1R1#show crypto pki server
Certificate Server HA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
    CRL NextUpdate timer: 01:42:39 UTC May 2 2013
    Current primary storage dir: nvram:
    Database Level: Names - subject name data written as <serialnum>.cnm
    Redundancy configured. This is active.

Rack1R2#show crypto pki server
Certificate Server HA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
    CRL NextUpdate timer: 01:42:39 UTC May 2 2013
    Current primary storage dir: nvram:
    Database Level: Names - subject name data written as <serialnum>.cnm
    Redundancy configured. This is standby.

The CA certificate fingerprint and the last issued serial number are identical on both routers; that is the quickest check that the CA key pair and the serial file were synchronized rather than R2 having generated a CA of its own.

Rack1R1#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end   date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
  Storage: nvram:Rack1-HAinec#1CA.cer

Rack1R2#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end   date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
  Storage:

Enroll SW1 in the PKI infrastructure with R1 as the ACTIVE router (you may need to synchronize time with NTP between SW1 and R1/R2, since certificate validity is checked against the clock). The enrollment URL points at the HSRP virtual IP, 136.1.18.12, rather than at either router's own address, so enrollment and later re-enrollment keep working after the ACTIVE role moves.

SW1:
crypto pki trustpoint HA
 enrollment url http://136.1.18.12
crypto pki authenticate HA
crypto pki enroll HA

Verify that SW1 received the certificate and that R2 is synchronized with R1.

Rack1SW1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    Name: Rack1SW1.ine.com
    hostname=Rack1SW1.ine.com
  Validity Date:
    start date: 21:50:18 UTC May 1 2013
    end   date: 21:50:18 UTC May 1 2014
  Associated Trustpoints: HA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end   date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA

Rack1R1#show crypto pki server HA certificates
Serial  Issued date  Expire date  Subject Name
1       <cert file not accessible> Certificate might have been granted by other CA
2       <cert file not accessible> Certificate might have been granted by other CA

Rack1R2#show crypto pki server HA certificates
Serial  Issued date  Expire date  Subject Name
1       <cert file not accessible> Certificate might have been granted by other CA
2       <cert file not accessible> Certificate might have been granted by other CA

The <cert file not accessible> entries are expected here: with database level names the CA records only the serial number and subject name of each issued certificate, not the certificate file itself, so the listing cannot show dates or subjects. What the output does confirm is that R2 already knows about serials 1 and 2 issued by R1.

Move the HSRP ACTIVE role to R2 and re-enroll SW1 in the PKI (when the ACTIVE role changes, the STANDBY always receives a forced reload to ensure synchronization). Note that standby priority 200 on R2 exceeds R1's 150, so this is a failover test only; revert it afterwards, or R1 will no longer regain the ACTIVE role after a reload as the task requires.

R2:
interface GigabitEthernet0/0
 standby priority 200

SW1:
crypto pki enroll HA

Verify that R2 is now the ACTIVE router/PKI server.
Rack1R2#show crypto pki server
Certificate Server HA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
    CRL NextUpdate timer: 01:42:39 UTC May 2 2013
    Current primary storage dir: nvram:
    Database Level: Names - subject name data written as <serialnum>.cnm
    Redundancy configured. This is active.

Rack1R1#show crypto pki server
Certificate Server HA:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
    CRL NextUpdate timer: 01:42:39 UTC May 2 2013
    Current primary storage dir: nvram:
    Database Level: Names - subject name data written as <serialnum>.cnm
    Redundancy configured. This is standby.

Verify that SW1 received the certificate and that R1 is synchronized with R2.

Rack1SW1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    Name: Rack1SW1.ine.com
    hostname=Rack1SW1.ine.com
  Validity Date:
    start date: 21:59:55 UTC May 1 2013
    end   date: 21:59:55 UTC May 1 2014
  Associated Trustpoints: HA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=Rack1-HA.ine.com
  Subject:
    cn=Rack1-HA.ine.com
  Validity Date:
    start date: 19:42:37 UTC May 1 2013
    end   date: 19:42:37 UTC Apr 30 2016
  Associated Trustpoints: HA
Rack1R2#show crypto pki server HA certificates
Serial  Issued date  Expire date  Subject Name
1       <cert file not accessible> Certificate might have been granted by other CA
2       <cert file not accessible> Certificate might have been granted by other CA
3       <cert file not accessible> Certificate might have been granted by other CA

Rack1R1#show crypto pki server HA certificates
Serial  Issued date  Expire date  Subject Name
1       <cert file not accessible> Certificate might have been granted by other CA
2       <cert file not accessible> Certificate might have been granted by other CA
3       <cert file not accessible> Certificate might have been granted by other CA
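The verification steps above compare the two routers' outputs by eye. As an added example that is not part of the original task and not a Cisco tool, the following Python script parses the show redundancy inter-device and show crypto pki server output from both routers and checks the same properties automatically: exactly one active and one standby PKI server whose role agrees with the RF state, peers communicating, an identical CA certificate fingerprint (same CA key on both boxes) and an identical last-issued serial (serial file synchronized). It also flags the "Security: Not configured" line as a hardening item. The sample outputs are constructed from the ones shown in this task, and the function names (parse_state, check_pki_ha) are this example's own.

```python
import re

# Constructed samples re-typed from the verification outputs in this task
# (line breaks restored; not captured from a live device).
R1_REDUNDANCY = """\
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby
    Groupname: PKI Group State: Active
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
"""

R2_REDUNDANCY = """\
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
    Groupname: PKI Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
"""

R1_PKI = """\
Certificate Server HA:
    Status: enabled
    State: enabled
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    Redundancy configured. This is active.
"""

R2_PKI = R1_PKI.replace("This is active.", "This is standby.")


def _first(text, pattern, default=None):
    """Group 1 of the first match of pattern in text, or default."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else default


def parse_state(redundancy_out, pki_out):
    """Extract the fields worth comparing from one router's two show outputs."""
    return {
        "rf_state": _first(redundancy_out, r"Redundancy inter-device state: (\S+)"),
        "peer": _first(redundancy_out, r"Peer present: (\S+)"),
        "security": _first(redundancy_out, r"Security: (.+?)\s*$"),
        "status": _first(pki_out, r"^\s*Status: (\S+)"),
        "fingerprint": _first(pki_out, r"CA cert fingerprint: (.+?)\s*$"),
        "last_serial": int(_first(pki_out, r"serial number \(hex\): ([0-9A-Fa-f]+)", "0"), 16),
        "role": _first(pki_out, r"Redundancy configured\. This is (\w+)\."),
    }


def check_pki_ha(a, b):
    """Findings for a parsed pair of routers; empty means the CA pair is in sync and hardened."""
    findings = []
    if sorted([a["role"], b["role"]], key=str) != ["active", "standby"]:
        findings.append(f"expected one active and one standby PKI server, got {a['role']}/{b['role']}")
    for name, r in (("A", a), ("B", b)):
        if r["peer"] != "RF_INTERDEV_PEER_COMM":
            findings.append(f"{name}: inter-device peer not communicating ({r['peer']})")
        if r["status"] != "enabled":
            findings.append(f"{name}: PKI server status is {r['status']}")
        # The PKI role must agree with the RF role, otherwise the wrong box answers SCEP requests
        expected = "RF_INTERDEV_STATE_ACT" if r["role"] == "active" else "RF_INTERDEV_STATE_STDBY"
        if r["rf_state"] != expected:
            findings.append(f"{name}: PKI role {r['role']} does not match RF state {r['rf_state']}")
    # Same fingerprint means the standby holds the same CA certificate and key, not a CA of its own
    if a["fingerprint"] != b["fingerprint"]:
        findings.append("CA certificate fingerprints differ: the standby is not serving the same CA key")
    # Same last serial means the serial file synchronized; otherwise a failover could reuse a serial
    if a["last_serial"] != b["last_serial"]:
        findings.append("last issued serial differs: the serial file did not synchronize")
    if "Not configured" in (a["security"], b["security"]):
        findings.append("inter-device redundancy reports 'Security: Not configured' on at least one peer")
    return findings


if __name__ == "__main__":
    r1 = parse_state(R1_REDUNDANCY, R1_PKI)
    r2 = parse_state(R2_REDUNDANCY, R2_PKI)
    for line in check_pki_ha(r1, r2) or ["CA pair is consistent"]:
        print(line)
```

Fed the outputs from this task, the only finding is the unprotected inter-device association; a stale serial on the standby, a different fingerprint, or two routers both reporting active each produce a distinct finding, which is what you want a post-failover check to catch before clients start enrolling.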