I have found a **very** good free PKI software, and I try to use it everywhere I
need certificates. My first //difficult// task was with IOS. You can find here
some notes.
Here is my IOS config related to my CA:
!
crypto ca trustpoint FMSCA
enrollment url http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep
serial-number
source interface Ethernet0
auto-enroll regenerate
!
Description / Notes
* The enrollment line tells IOS how (the method, here a URL -> http) to contact the PKI software. Note: you **must** omit the pkiclient.exe filename at the end; IOS appends it automatically.
* serial-number tells IOS to include the router serial number in the certificate request.
* The name of the trustpoint you use **MUST MATCH** exactly the shortname of your CA in ejbca.
Once you have that, use the command:
# crypto ca authenticate FMSCA
to fetch the CA certificate. Then enroll the router (you will be prompted for the enrollment password) with the command:
# crypto ca enroll FMSCA
Then log in to EJBCA and create a new entity profile that looks like this:
{{ios-profile.jpg}}
Check your ejbca logs; you should see something like:
ERROR [PKCS10RequestMessage] No CN in DN: SN=12013150+unstructuredName=saroumane.nanthrax.net
ERROR [Log4jLogDevice] October 19, 2005 9:48:33 AM CEST, CAId : 0, CA, EVENT_ERROR_USERAUTHENTICATION, Administrator : PUBLICWEBUSER, IP Address : 192.168.134.1, User : 12013150, Certificate : No Certificate Involved, Comment : Got request for nonexisting user: 12013150
So you know you must add an entity using the serial number as the username, the password you defined in IOS, and serialNumber / unstructuredName as the subject DN fields.
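As an added illustration (not part of the original notes or of EJBCA), the following script turns the "No CN in DN" error above into the end entity to create: it parses the multi-valued RDN IOS sends (SN joined to unstructuredName with "+"), maps the IOS "SN" abbreviation to serialNumber, and only accepts the router if its serial and hostname match a constructed inventory, so that an unknown device cannot obtain a certificate just by knowing the enrollment password.

```python
import re

# EJBCA logs the IOS request DN as one multi-valued RDN joined by '+',
# e.g. "SN=12013150+unstructuredName=saroumane.nanthrax.net".
NO_CN_RE = re.compile(r"No CN in DN: (?P<dn>.+)$")

# IOS abbreviates serialNumber as SN; the EJBCA end entity wants the long name.
ATTR_ALIASES = {"sn": "serialNumber", "unstructuredname": "unstructuredName", "cn": "CN"}


def parse_dn(dn: str) -> dict:
    """Split an RFC 2253 style DN into {attribute: value}, accepting ','
    between RDNs, '+' inside a multi-valued RDN, and backslash escapes."""
    attrs, parts, token, escaped = {}, [], [], False
    for ch in dn:
        if escaped:
            token.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))
    for part in parts:
        name, _, value = part.partition("=")
        attrs[ATTR_ALIASES.get(name.strip().lower(), name.strip())] = value.strip()
    return attrs


def plan_end_entity(log_line: str, inventory: dict) -> dict:
    """Derive the EJBCA end entity for a router request: username = serial
    number, subject DN = serialNumber + unstructuredName. The request is
    rejected unless the serial is in the inventory with that hostname."""
    m = NO_CN_RE.search(log_line)
    if not m:
        raise ValueError("not a 'No CN in DN' error line")
    attrs = parse_dn(m.group("dn"))
    serial, host = attrs.get("serialNumber"), attrs.get("unstructuredName")
    if not serial or not host:
        raise ValueError("request lacks serialNumber or unstructuredName")
    if inventory.get(serial) != host:
        raise ValueError(f"serial {serial} / host {host} not in inventory")
    return {"username": serial,
            "subject_dn": f"serialNumber={serial},unstructuredName={host}"}


# Constructed sample: the error line from these notes and a one-router inventory.
SAMPLE_LOG = "ERROR [PKCS10RequestMessage] No CN in DN: SN=12013150+unstructuredName=saroumane.nanthrax.net"
INVENTORY = {"12013150": "saroumane.nanthrax.net"}

if __name__ == "__main__":
    print(plan_end_entity(SAMPLE_LOG, INVENTORY))
```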
saroumane#sh crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 426FA96340F5D2CA
Certificate Usage: General Purpose
Issuer:
c=FR
o=Fimasys
cn=Fimasys Security CA
Subject:
Name: saroumane.nanthrax.net
Serial Number: 12013150
serialNumber=12013150
hostname=saroumane.nanthrax.net
Validity Date:
start date: 08:58:28 CET Oct 19 2005
end date: 09:08:28 CET Oct 19 2007
Associated Trustpoints: FMSCA
CA Certificate
Status: Available
Certificate Serial Number: 7AA2B9942CD0D362
Certificate Usage: Signature
Issuer:
c=FR
o=Fimasys
cn=Fimasys Security CA
Subject:
c=FR
o=Fimasys
cn=Fimasys Security CA
Validity Date:
start date: 07:29:35 CET Oct 17 2005
end date: 07:39:35 CET Oct 15 2015
Associated Trustpoints: FMSCA