Step 2–9 Monitor and Maintain CA Interoperability (Optional)

Request a CRL

When the router receives a certificate from a peer, it will download a CRL from either the CA or from a CA-designated CRL distribution point. The router then looks for the certificate on the CRL to make sure it hasn’t been revoked. The router won’t accept the certificate and it won’t authenticate the peer if the certificate appears on the CRL. A CRL can continue to be reused with other certificates until the CRL expires. If the router receives a certificate after the CRL has expired, it will download the latest CRL.

If the CA system supports RAs, multiple CRLs can exist. The certificate in question will indicate which CRL applies and should be downloaded by the router for authentication. If the router doesn’t have or is unable to download the appropriate CRL, the certificate will normally be rejected. The exception to this would be if the router configuration contains the crl optional feature under the crypto ca identity command. With the crl optional command, the router will still try to get the required CRL, but failing that, it can accept the peer’s certificate anyway. The router will continue to try to get the CRL.

If the CA server requires a local CRL, use the global configuration crypto ca crl request command to request an immediate download of the latest CRL. Use the same name used to declare the CA with the crypto ca identity command:

Rtr1(config)#crypto ca crl request name

An example for the chapter scenario would look like the following:

Rtr1(config)#crypto ca crl request ca-ipsec

Delete Router’s RSA Keys

While this could seem like a harsh step, it might be necessary to delete a router’s RSA keys if you had reason to believe the RSA keys were compromised. This process can’t be undone and all new key exchanges would have to wait until new RSA key requests could be processed.

Use the global configuration crypto key zeroize rsa command to delete all the router’s RSA keys. The syntax and an example follow:

Rtr1(config)#crypto key zeroize rsa

Delete Both Public and Private Certificates from the Configuration

The crypto key zeroize rsa command in the last step deletes all RSA keys generated by the router. In addition to this command, it would be necessary to perform two additional tasks:

• Request the CA administrator revoke the router’s certificates at the CA. The challenge password created when the router’s certificates were originally enrolled must be supplied.

• The router’s certificates must be manually removed from the configuration using the certificate command in Certificate Chain Configuration mode. The syntax would be as follows:

1. Rtr1(config-cert-chain)#no certificate certificate-serial-number

In the following example, the show command is used to determine the serial number(s) of the certificate to be deleted:

Rtr1#show crypto ca certificates
Certificate
  Subject Name
    Name: rtr1.ca-test.com
    IP Address: 10.0.1.21
  Status: Available
  Certificate Serial Number: 9876543210ABCDEF9876543210ABCDEF
  Key Usage: General Purpose

CA Certificate
  Status: Available
  Certificate Serial Number: 0192837465A0B1C2D3E4F50192837465A
  Key Usage: Not Set
Rtr1#config t
Rtr1(config)#crypto ca certificate chain ca-ipsec
Rtr1(config-cert-chain)#no certificate 0192837465A0B1C2D3E4F50192837465A
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
Rtr1(config-cert-chain)#exit
Rtr1(config)#

To delete the CA’s certificate, you must remove the entire CA identity, which also removes all certificates associated with the CA�"the router’s certificate, the CA certificate, and any RA certificates. Use the global configuration no crypto ca identity command to remove the CA identity. The syntax is

Rtr1(config)#no crypto ca identity name

The following example demonstrates using the no crypto ca identity command to remove the CA identity:

Rtr1(config)#no crypto ca identity ca-ipsec
% Removing an identity will destroy all certificates received from
 the related Certificate Authority.

Are you sure you want to do this? [yes/no]: y
% Be sure to ask the CA administrator to revoke your certificates.
Rtr1(config)#

Delete Peer’s Public Keys

If a peer’s RSA public keys have been compromised, it could be necessary to delete the peer’s public keys. Use the following commands to accomplish this task:

Rtr1(config)#crypto key pubkey-chain rsa

Rtr1(config-pubkey-chain)#no named-key key-name [encryption | signature]

or

Rtr1(config-pubkey-chain)#no addressed-key key-address [encryption | signature]

The global configuration crypto key pubkey-chain rsa command enters the Public Key Chain Configuration mode.

The choice of named-key or addressed-key depends on which keys were created originally. If only general purpose RSA keys were generated, don’t use either of the encryption or signature keywords. If the IPSec remote peer generated special-usage keys resulting in two pairs of keys, then you must perform the appropriate command twice and use the encryption and signature keywords in turn. Similarly, using the encryption or signature keywords makes it possible to delete only one type of key.