Public Key Infrastructure (PKI) Basics #12 – NDES/SCEP – Part 2 Cisco 9800 WLC Enrollment

Using the Network Device Enrollment Service (NDES) to issue certificates to Cisco devices involves configuring NDES and the router to support Simple Certificate Enrollment Protocol (SCEP), which allows the router to obtain certificates from a Certificate Authority (CA) via NDES.

RFC


Duplicate a template on the intermediate CA.
Right-click on the “Router” template and duplicate it.

Note: The duplicated template has to be issued by the CA (added to its list of certificate templates to issue) before NDES can use it.


Log into the NDES server and edit the registry.

For simplicity and lab testing only…

Below this is a 32-bit DWORD value called EnforcePassword, which is set to 1 in the default installation. Setting the value to 0 lets NDES accept enrollment requests without the one-time challenge password, so any client that can reach the mscep.dll URL can obtain a certificate from the template; keep it at 1 outside the lab.

Restart the IIS service on the NDES server.


Test the URL of the NDES server.


Enroll a Cisco 9800 WLC
1. Define a key pair and trust point

crypto key generate rsa general-keys modulus 2048 label 9800CL1-HTTPS-KEYPAIR exportable
!

crypto pki trustpoint 9800CL1-HTTPS-TRUSTPOINT
 enrollment retry count 100
 enrollment retry period 60
 enrollment mode ra
 enrollment url http://10.0.206.22:80/certsrv/mscep/mscep.dll
 serial-number none
 ip-address none
 fqdn 9800CL1.netprojekralac.com
 subject-name CN=9800CL1.netprojekralac.com,OU=Router SCEP,O=NETPROJEKRALAC LLC,ST=NY,C=US
 revocation-check none
 rsakeypair 9800CL1-HTTPS-KEYPAIR
 auto-enroll 30 regenerate
 
2. Download the CA’s root certificate
 
 crypto pki authenticate 9800CL1-HTTPS-TRUSTPOINT
 
3. Verify the certificate download

do show crypto pki certificates
 
4. Enroll the certificate
 
 crypto pki enroll 9800CL1-HTTPS-TRUSTPOINT
 
 do show crypto pki certificate verbose 9800CL1-HTTPS-TRUSTPOINT
 
5. Assign the trust point to the HTTPS server
 
 ip http secure-trustpoint 9800CL1-HTTPS-TRUSTPOINT
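
As an added check that is not part of the original post: before step 2, query the NDES URL from a workstation with this stdlib-only Python script to see which capabilities the RA advertises (SHA-2 digests, POSTPKIOperation) and to compute the CA certificate fingerprint you compare against the one the WLC prints at crypto pki authenticate. The constant NDES_URL, the function names and the sample GetCACaps text in the test are my own choices; only the URL itself comes from the trustpoint above.

```python
import hashlib
import urllib.parse
import urllib.request

# Enrollment URL from the trustpoint configuration above (constant name is mine).
NDES_URL = "http://10.0.206.22:80/certsrv/mscep/mscep.dll"


def scep_url(base, operation, message=None):
    """Build the GET URL for a SCEP operation (GetCACaps, GetCACert, ...)."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base}?{urllib.parse.urlencode(params)}"


def parse_ca_caps(body):
    """GetCACaps answers with one capability keyword per line (RFC 8894, section 3.5)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def weak_digest_only(caps):
    """True if the RA advertises no SHA-2 digest, so clients fall back to MD5/SHA-1."""
    return not ({"SHA-256", "SHA-512"} & caps)


def fingerprints(cert_der):
    """Hash one DER certificate the way IOS-XE shows it at 'crypto pki authenticate'
    (MD5 and SHA1), plus SHA-256 for the change record."""
    return {alg: hashlib.new(alg, cert_der).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}


def fetch(url, timeout=10):
    """Plain HTTP GET; returns (content-type, body bytes)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


if __name__ == "__main__":
    ctype, body = fetch(scep_url(NDES_URL, "GetCACaps", "ca"))
    caps = parse_ca_caps(body.decode("ascii", "replace"))
    print("capabilities:", sorted(caps))
    if weak_digest_only(caps):
        print("WARNING: RA advertises no SHA-2 digest")
    ctype, body = fetch(scep_url(NDES_URL, "GetCACert", "ca"))
    if ctype.startswith("application/x-x509-ca-cert"):   # single CA certificate, DER
        for alg, fp in fingerprints(body).items():
            print(f"{alg}: {fp}")
    else:  # x-x509-ca-ra-cert: degenerate PKCS#7 holding the RA and CA certificates
        print("PKCS#7 chain returned; extract the CA certificate with "
              "'openssl pkcs7 -inform DER -print_certs' before hashing it")
```

NDES normally returns the PKCS#7 form, so expect the second branch; the fingerprint you then compute on the extracted CA certificate must match what the WLC displays before you answer yes to the authenticate prompt.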
Review the certificate

Access the GUI of the Cisco 9800 WLC and validate the certificate.

Part one can be found here.
