the below article will explain how to configure a PKI server & client on cisco router. The demonstration is done in GNS3.

  1. The below configuration has to be done for PKI server/client work.
    a. The http server is enabled.
    b. The time is synched via NTP (IMPORTNAT: if the CA server time is ahead of the client, the enrollment will fail.)
    c. general key pair is generated.
    d. Domain name is configured.

  2. Conguration for Server:
    R3(config)#crypto pki server ROOT_CA
    R3(cs-server)#grant ?
    auto Automatically grant incoming SCEP enrollment requests
    none Automatically reject any incoming SCEP enrollment request
    ra-auto Automatically grant RA-authorized incoming SCEP enrollment request

R3(cs-server)#grant auto
R3(cs-server)#lifetime certificate ?
<0-7305> Lifetime in days

R3(cs-server)#lifetime certificate 365

R3(cs-server)#issuer-name ?
LINE Issuer name

R3(cs-server)#issuer-name CN=R3.ine.com

R3(config)#ip domain name ine.com

R3(config)#do sh run | s pki
crypto pki server ROOT_CA
no database archive
issuer-name CN=R3.ine.com
grant auto
shutdown

R3(config)#crypto pki server ROOT_CA
R3(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R3#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R3.ine.com
Subject:
cn=R3.ine.com
Validity Date:
start date: 06:25:29 UTC Jun 4 2018
end date: 06:25:29 UTC Jun 3 2021
Associated Trustpoints: ROOT_CA

R3# sh crypto pki server
Certificate Server ROOT_CA:
Status: disabled, HTTP Server is disabled !-- http is disabled
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=R3.ine.com
CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage

R3(config)#ip http server

R3#sh crypto pki server
Certificate Server ROOT_CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=R3.ine.com
CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage

===============================================

Configuration for client:

R1(config)#crypt pki trustpoint R3

R1(ca-trustpoint)#enrollment url http://150.1.3.3

R1(config)#crypto key generate rsa general-keys label IPSEC_PKI modulus 1024

R1#sh crypto key mypubkey Rsa
% Key pair was generated at: 06:41:08 UTC Jun 4 2018
Key name: IPSEC_PKI
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008E0C3C
710703FC 85305724 AE36BEF7 B2BB2B9C C476C1B9 6C9E0EDB D6EB46CE AE288D33
C43FC774 3A3645F0 548BBAB1 13276648 5A48CE5F 80C22F0D 86AAD257 FECEA51B
EA02C095 D75A6D27 4800904C FBCCFB0F 09BF0818 E0D80746 23828207 7CEE568A
97DF1877 51775C35 21CC2748 FEB0CBFD 32F053EF 40F9F684 46664934 29020301 0001
% Key pair was generated at: 06:41:09 UTC Jun 4 2018
Key name: IPSEC_PKI.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A04028 2F345565
E9F379E3 27450DBC 5DF5306B 936966B0 CEABA54B 4F562A3A 0EE94A5A 2E5AE90E
AB61B02F 5D2C7E51 F42D2349 D79244B7 879F0A01 9A422745 8A791F4D 0EF83123
B26D4AB1 289D15E8 11791DCB 93C6FBF5 F29FE47A F25F9A54 FB020301 0001

R1# sh run | s pki
crypto pki trustpoint R3
enrollment url http://150.1.3.3:80
revocation-check crl !-- This is a lab environment, it is changed to NONE.

R1(config)#crypto pki trustpoint R3
R1(ca-trustpoint)#revocation-check none
R1(ca-trustpoint)#rsakeypair IPSEC_PKI

  1. DEBUGGING

R1#debug crypto pki transactions
Crypto PKI Trans debugging is on
R3#debug crypto pki server
Crypto PKI Certificate Server debugging is on

R1(config)#crypto pki authenticate R3
Certificate has the following attributes:
Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A

% Do you accept this certificate? [yes/no]:
*Jun 4 06:49:42.534: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=R3 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.534: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.535: CRYPTO_PKI: http connection opened
*Jun 4 06:49:42.535: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.535: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.537: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.537: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.550: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.550: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-x509-ca-cert
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Content-Type indicates we have received a CA certificate.

Jun 4 06:49:42.551: Received 519 bytes from server as CA certificate:
Jun 4 06:49:42.551: CRYPTO_PKI_SCEP: Client Sending GetCACaps request
Jun 4 06:49:42.551: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.552: CRYPTO_PKI: http connection opened
*Jun 4 06:49:42.552: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.552: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.553: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.553: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.564: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.564: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

CA_CAP_GET_NEXT_CA_CERT CA_CAP_RENEWAL CA_CAP_SHA_1 CA_CAP_SHA_256 CA_CAP_SHA_384 CA_CAP_SHA_512
Jun 4 06:49:42.564: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.
*Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.

*Jun 4 06:49:42.565: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()

*Jun 4 06:49:42.565: CRYPTO_PKI: trustpoint R3 authentication status = 0

% Please answer 'yes' or 'no'.

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R1(config)#crypto pki enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.ine.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 2048012
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 150.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R3' commandwill show the fingerprint.

R3(config)#
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS received SCEP GetCACert request
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS sending CA certificate
Jun 4 06:49:42.544: CRYPTO_CS: CA certificate sent
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CS received GetCACaps request
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CA sending list of capabilites (GetNextCACert Renewal SHA2 hashes)
Jun 4 06:49:42.562: CRYPTO_CS: Capabilities sent
R3(config)#
Jun 4 06:53:08.454: CRYPTO_PKI_SCEP: CS received PKIOperation request
Jun 4 06:53:08.454: CRYPTO_CS: processing SCEP request, 2121 bytes
Jun 4 06:53:08.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
Jun 4 06:53:08.460: CRYPTO_CS: scep msg type - 19
Jun 4 06:53:08.460: CRYPTO_CS: trans id - E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
Jun 4 06:53:08.464: CRYPTO_CS: received an enrollment request
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to trans id E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment password (challenge) obtained from pkcs10 message is cisco123
Jun 4 06:53:08.464: CRYPTO_CS: No enrollment request in the erdbase corresponding to challenge cisco123
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to enrollment password cisco123
Jun 4 06:53:08.464: CRYPTO_CS: cert which signed the enrollment request is not an RA cert
Jun 4 06:53:08.464: CRYPTO_CS: checking policy for enrollment request ID=1
Jun 4 06:53:08.464: CRYPTO_CS: request has been authorized, transaction id=E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: locking the CS
Jun 4 06:53:08.464: CRYPTO_CS: added key usage extension
*Jun 4 06:53:08.464: CRYPTO_CS: Validity: 06:53:08 UTC Jun 4 2018-06:53:08 UTC Jun 4 2019

Jun 4 06:53:08.468: CRYPTO_CS: writing serial number 0x2.
Jun 4 06:53:08.468: CRYPTO_CS: file opened: nvram:ROOT_CA.ser
Jun 4 06:53:08.468: CRYPTO_CS: Writing 32 bytes to ser file
Jun 4 06:53:08.468: CRYPTO_CS: reqID=1 granted, fingerprint=B
Jun 4 06:53:08.468: CRYPTO_CS: unlocking the CS
Jun 4 06:53:08.468: CRYPTO_PKI_SCEP: CS Sending CertRep Response - GRANTED(E98E01D5675545C286BA0F7719D0A62C)
Jun 4 06:53:08.468: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
R3(config)#
Jun 4 06:53:08.478: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
*Jun 4 06:53:08.482: CRYPTO_CS: Certificate generated and sent to requestor

R1(config)#do sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=R3.ine.com
Subject:
Name: R1.ine.com
IP Address: 150.1.1.1
Serial Number: 2048012
serialNumber=2048012+ipaddress=150.1.1.1+hostname=R1.ine.com
Validity Date:
start date: 06:53:08 UTC Jun 4 2018
end date: 06:53:08 UTC Jun 4 2019
Associated Trustpoints: R3

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R3.ine.com
Subject:
cn=R3.ine.com
Validity Date:
start date: 06:25:29 UTC Jun 4 2018
end date: 06:25:29 UTC Jun 3 2021
Associated Trustpoints: R3

  1. The below enrollment is done on a ASA, because the CA server time is ahead of ASA system time, the enrollment failed.

asa1/act/pri(config)# crypto ca enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****
Re-enter password: ****

% The fully-qualified domain name in the certificate will be: asa1.ine.com

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 9APW6PPKHC0

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1/act/pri(config)#
Certificate is not valid yet.
The certificate enrollment request failed!
%ASA-3-717002: Certificate enrollment failed for trustpoint R3. Reason: Generic request failure.