In many enterprise or lab environments, standing up a dedicated PKI can be resource-intensive. Cisco IOS routers include a certificate server feature that lets the router act as a lightweight Certificate Authority (CA), issuing and managing certificates for VPN peers and other devices over SCEP without relying on an external PKI. The CA private key lives on the router itself, so this is a fit for testbeds and small deployments rather than a replacement for a hardened enterprise CA. Here's how to set it up.

Step 1: Set the Clock or Configure NTP

Before starting any PKI configuration, the router's clock must be accurate. Certificate validation checks the current time against the certificate's validity window, so a skewed clock makes valid certificates fail, and a CA with a wrong clock issues certificates whose validity period is already wrong. NTP is the better choice because a manual clock setting is lost on reload.

You can either set the time manually:

clock set hh:mm:ss day month year

Or synchronize with an NTP server:

ntp server ip-address

Step 2: Generate Exportable RSA Keys

Next, generate the RSA key pair the CA will use to sign certificates. Two details matter here. First, the key label must match the name you will give the PKI server in Step 3; otherwise the server generates its own (non-exportable) pair when it starts. Second, a key pair can only be marked exportable at generation time, so do it now if you ever intend to back up or migrate the CA. Use at least a 2048-bit modulus; 1024-bit RSA is no longer acceptable for a CA key:

crypto key generate rsa general-keys label name exportable modulus 2048

To export the key pair in PEM form, encrypted with a passphrase (IOS offers 3DES or DES for this; choose 3des and a long passphrase), and store it in NVRAM:

crypto key export rsa label-name pem url nvram: 3des passphrase

Note that a copy in nvram: only survives a configuration wipe, not loss or compromise of the router. For a real backup export to the terminal instead (url nvram: replaced by terminal) and keep the output in offline storage with the same care as any CA key.

Step 3: Enable Required Services

The router must run its HTTP server, because SCEP enrollment requests from clients arrive over HTTP. Restrict access to it with an ACL so only intended enrollment clients (and not the whole network) can reach the CA endpoint:

ip http server

Then enable and configure the PKI server. The server name should match the RSA key label from Step 2, and the issuer distinguished name is written as comma-separated attributes:

crypto pki server name
database level minimum
database url nvram:
issuer-name CN=name, L=location, C=country
lifetime certificate number-of-days
grant auto
no shutdown

Be aware of what grant auto does: every SCEP request that reaches the server is signed without review, with whatever subject the requester asked for. That is convenient in a lab, but outside one either omit it (requests then wait for an administrator to approve them with crypto pki server name grant req-id) or combine it with a tight HTTP access list.

When you enter no shutdown, you'll be prompted to set a passphrase. This passphrase protects the CA's private key in the server database, and you will need it again to restore or re-enable the CA, so record it somewhere safe.

Step 4: Save and Verify

Don’t forget to save your configuration:

write mem

Finally, verify that the PKI server is enabled and look at the CA certificate it issued to itself (issuer name, validity dates and key size should all be what you expect):

show crypto pki server
show crypto pki certificates
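The whole procedure in one place, followed by a second router enrolling against the new CA over SCEP. This is an added example, not configuration from the original article: the hostnames, the 203.0.113.0/24 addresses (TEST-NET-3), the LAB-CA label, the distinguished name and the passphrases are all assumed values for illustration. Manual approval is shown instead of grant auto so that an administrator sees each request before it is signed.

```cisco
! Added example (not from the original article). All names, addresses
! and passphrases below are assumptions for illustration.
!
! ===== CA router =====
hostname CA-RTR
ip domain-name lab.example
!
! Step 1: time from NTP, not a manual clock that is lost on reload
ntp server 203.0.113.10
!
! Step 2: 2048-bit exportable pair; the label must equal the CA server name
! below, otherwise the server silently generates a non-exportable pair itself
crypto key generate rsa general-keys label LAB-CA exportable modulus 2048
!
! Back the pair up to the terminal and keep the PEM output offline; a copy
! in nvram: is lost together with the router
crypto key export rsa LAB-CA pem terminal 3des Backup-Passphrase-Long-And-Random
!
! Step 3: HTTP only for SCEP, reachable only from the enrollment subnet
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny   any log
ip http server
ip http access-class 10
!
crypto pki server LAB-CA
 database level complete
 database url nvram:
 issuer-name CN=LAB-CA, O=Example Lab, C=US
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! no "grant auto": requests wait for an administrator to approve them
 no shutdown
 ! -> prompts for the passphrase that protects the CA private key
!
! Step 4: persist and verify
write mem
show crypto pki server
show crypto pki certificates
!
! ===== Branch router (SCEP client) =====
hostname BR-RTR
ip domain-name lab.example
ntp server 203.0.113.10
crypto key generate rsa general-keys label BR-RTR modulus 2048
!
crypto pki trustpoint LAB-CA
 enrollment url http://203.0.113.1:80
 rsakeypair BR-RTR
 subject-name CN=BR-RTR.lab.example, O=Example Lab, C=US
 revocation-check crl
!
! Exec mode: fetch the CA certificate. Compare the fingerprint it prints with
! "show crypto pki certificates" on CA-RTR before answering yes; this is the
! only point at which a spoofed CA would be caught.
crypto pki authenticate LAB-CA
! Exec mode: generate and send the certificate request
crypto pki enroll LAB-CA
!
! ===== Back on CA-RTR: review and approve the pending request =====
crypto pki server LAB-CA info requests
crypto pki server LAB-CA grant 1
!
! ===== On BR-RTR: confirm the issued certificate arrived =====
show crypto pki certificates LAB-CA
```

The configuration lines go into global configuration mode, the crypto pki authenticate, crypto pki enroll and crypto pki server ... grant commands are typed at the exec prompt, and the request number used with grant is whatever info requests lists. If you do want zero-touch enrollment in a lab, adding grant auto under crypto pki server LAB-CA replaces the manual info requests and grant steps.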

With this setup, your router can issue and manage certificates for other network devices, making it a viable internal CA in testbeds or branch office deployments. It's a quick way to get certificate-based authentication running where a full PKI isn't practical; just keep in mind that the CA key and its backup live on the router, so protect access to the device and to the exported key material accordingly.