30 Mar 2022

Onboarding SD-WAN Controllers: EVE-NG lab - Part 1

ROOT-CA Configuration for EVE-NG SD-WAN Lab

In this blog post, I will show you how to configure a root CA server for an SD-WAN lab. This lets you sign the certificate signing requests (CSRs) that your SD-WAN controllers and edge devices generate.

Prerequisites

  • EVE-NG emulator (or any preferred emulator)
  • Basic knowledge of networking concepts and command-line interface (CLI)

Controller Topology:

The following controller topology is utilized for this demonstration:


Root CA Setup

  • A vIOS router is used as the root CA in the EVE-NG lab. It is a lightweight option that consumes minimal resources. An open-source certificate tool such as XCA could be used instead, but this post uses the router.
  • To ensure that all controllers can reach the root CA router, every device is placed in the same subnet and connected through a Layer 2 switch.

Addressing Scheme:

  • Transport (VPN-0) side: 222.0.0.0/24
  • Site-ID: 100
  • Organization Name: lab

Step 1: Generate RSA keys

The first step is to generate an RSA key pair on the router.
The command below creates a key pair with the label "PKI" and a 2048-bit modulus; the root CA certificate will be signed with this key.


{
ROOT_CA#
ROOT_CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROOT_CA(config)#
ROOT_CA(config)#crypto key generate rsa label PKI modulus 2048
The name for the keys will be: PKI
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
ROOT_CA(config)#
*Mar 30 05:40:55.971: %SSH-5-ENABLED: SSH 1.99 has been enabled
ROOT_CA(config)#ip ssh version 2
ROOT_CA(config)#ip http server
ROOT_CA(config)#exit
ROOT_CA#
}


Step 2: Configure the PKI server

Next, configure the PKI server on the router. This sets where the CA database is stored, the issuer name, the signature hash, and how enrollment requests are handled (grant auto issues a certificate for every enrollment request without manual approval, which is acceptable for a lab).
Along with this, we also enable the interface connected to the L2 switch and give it an address from the transport subnet.

{
ROOT_CA#
ROOT_CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROOT_CA(config)#crypto pki server PKI
ROOT_CA(cs-server)#database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.
ROOT_CA(cs-server)#
ROOT_CA(cs-server)#database level complete
ROOT_CA(cs-server)#issuer-name cn=rootca.lab.local
ROOT_CA(cs-server)#hash sha256
ROOT_CA(cs-server)#database archive pkcs12 password cisco123
ROOT_CA(cs-server)#grant auto
ROOT_CA(cs-server)#
*Mar 30 05:48:26.956: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
ROOT_CA(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Certificate Server enabled.
ROOT_CA(cs-server)#
*Mar 30 05:48:42.682: %PKI-6-CS_ENABLED: Certificate server now enabled.
ROOT_CA(cs-server)#exit
ROOT_CA(config)#end
ROOT_CA#
*Mar 30 05:49:06.264: %SYS-5-CONFIG_I: Configured from console by console
ROOT_CA#
ROOT_CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROOT_CA(config)#interf gi0/0
ROOT_CA(config-if)#ip add 222.0.0.13 255.255.255.0
ROOT_CA(config-if)#descri !! Connected to L2 switch !!
ROOT_CA(config-if)#no shut
ROOT_CA(config-if)#
*Mar 30 05:57:22.378: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Mar 30 05:57:23.378: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
ROOT_CA(config-if)#exit
ROOT_CA(config)#end
ROOT_CA#
ROOT_CA#
}


Step 3: Export the certificate

The final step is to export the CA certificate to the router's flash memory, from where it can be distributed to the SD-WAN controllers and edge devices.

{
ROOT_CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROOT_CA(config)#crypto pki export PKI pem url flash:
% The specified trustpoint is not enrolled (PKI).
% Only export the CA certificate in PEM format.
% Exporting CA certificate...
Destination filename [PKI.ca]?
Writing file to flash0:PKI.ca
ROOT_CA(config)#
ROOT_CA(config)#tftp-server flash:PKI.ca
ROOT_CA(config)#
ROOT_CA(config)#end
ROOT_CA#
}

This creates a file called PKI.ca in the router's flash memory. The tftp-server command makes the router serve that file over TFTP, so the controllers can fetch it directly from the router.

You can view the root certificate in flash: with the command more flash:PKI.ca

{
ROOT_CA#more flash:PKI.ca
-----BEGIN CERTIFICATE-----
(PEM certificate body omitted)
-----END CERTIFICATE-----

ROOT_CA#
}
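Before handing PKI.ca to the controllers it is worth confirming on a workstation that the file really is a self-signed CA for cn=rootca.lab.local, signed with SHA-256 over a 2048-bit RSA key. The script below is an added example, not part of the original post: since the router's PKI.ca cannot be embedded here, it first generates a constructed stand-in with the same parameters (it assumes openssl is installed), then runs the check function against it.

```shell
#!/bin/sh
# Added example: verify an exported root CA file such as flash:PKI.ca.
# Assumption: openssl is available. The stand-in certificate below is constructed
# with the lab CA's parameters (CN, SHA-256, RSA-2048) so the script runs offline.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = rootca.lab.local
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/PKI.ca" 2>/dev/null

# check_root_ca FILE EXPECTED_CN: return 0 only if FILE is a self-signed CA certificate
# for EXPECTED_CN, signed with SHA-256 over an RSA key of at least 2048 bits.
check_root_ca() {
  text=$(openssl x509 -in "$1" -noout -text -nameopt RFC2253) || return 1
  # issuer and subject must both be the expected CN (a self-signed root)
  printf '%s\n' "$text" | grep -q "Issuer: CN=$2\$" || { echo "issuer mismatch" >&2; return 1; }
  printf '%s\n' "$text" | grep -q "Subject: CN=$2\$" || { echo "subject mismatch" >&2; return 1; }
  # the router was told "hash sha256"; reject anything weaker
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "unexpected signature algorithm" >&2; return 1; }
  # "modulus 2048" on the router must show up as a 2048-bit (or larger) key
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { echo "RSA key too small: ${bits:-?}" >&2; return 1; }
  # it must be marked as a CA, otherwise controllers will not trust certs it issues
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "not a CA certificate" >&2; return 1; }
  # the self-signature must verify against the certificate's own public key
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || { echo "self-signature invalid" >&2; return 1; }
  return 0
}

check_root_ca "$WORK/PKI.ca" rootca.lab.local && echo "PKI.ca looks good"
```

Point the function at the real file copied from the router (for example the one fetched over TFTP) and at the issuer name you configured with issuer-name.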

That's it! You have now successfully configured a root-CA server for your SD-WAN lab.

Next steps

Once the root CA is up, you can generate CSRs on your SD-WAN controllers and edge devices, submit them to the root CA server, and it will issue the certificates.
