Using a Cisco Router with a Self-Signed Certificate

For application development and testing, you can generate self-signed certificates to encrypt communications between your applications and the router. When you enter the transport type tls command, the localcert local-trustpoint option determines whether the router generates its own certificate or gets its certificate from the local trustpoint:

  • If you explicitly specify the localcert local-trustpoint option, the router gets its certificate from the local trustpoint.

  • If you do not specify the localcert local-trustpoint option, the router uses its own self-signed certificate. If a self-signed certificate is already present, the router reuses it. If no self-signed certificate is present, the router generates a new one and uses that.

Once a certificate has been generated, you can copy it to a location readable by your onePK application (such as the nerootca.pem file). Alternatively, applications can be designed to use pinned certificates: the application requests the key from the network device and verifies it against a local pinning file. If the key is not found in the file, the application can then ask the user whether to accept or reject the key.


Note: Self-signed certificates are appropriate for application development and testing in small deployments only. Do not use self-signed certificates in a production environment. For additional security, as well as more precise control over the use and revocation of individual certificates, a production deployment must always use a Certificate Authority to sign and manage certificates. Never use pinning in a production environment; to manage certificates and keys in such environments, use secure mechanisms, such as PKI with a CA. See Using a Cisco Router with a Certificate Authority.


SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    onep

    4.    transport type tls disable-remote-validation

    5.    CNTL/Z

    6.    copy running-config startup-config

    7.    show onep status


DETAILED STEPS (Command or Action, Example, Purpose)

    Step 1: enable

    Example:
    Router> enable          
     

    Enters global configuration mode.

     
    Step 2: configure terminal

    Example:
    Router# configure terminal 
     

    Enters global configuration mode.

     
    Step 3: onep

    Example:
    Router(config)# onep
     

    Enters onep configuration mode.

     
    Step 4: transport type tls disable-remote-validation

    Example:
    Router(config-onep)# transport type tls disable-remote-validation 
    Generating 1024 bit RSA keys, keys will be non-exportable...
     

    Enables TLS on the router and configures the router to use a self-signed certificate. Also disables remote (client) certificate validation, because bidirectional certificate exchange is not supported with self-signed certificates.

     
    Step 5: CNTL/Z

    Example:
    Router(config-onep)# ^Z
    Router#
    *Feb 12 07:23:37.156: %SYS-5-CONFIG_I: Configured from console by console 
     

    Exits configuration mode.

     
    Step 6: copy running-config startup-config

    Example:
    Router# copy running-config startup-config
    Building configuration...
    [OK]   
     

    Saves your changes to the startup configuration.

     
    Step 7: show onep status

    Example:
    Router# show onep status
    Status: enabled by: Config
    Version: 1.4.0
    Transport: tls; Status: running; Port: 15002; localcert: TP-self-signed-4294967295; client cert validation disabled
    Certificate Fingerprint SHA1: 15947854 B327D612 EA083014 623A0B0C BD559677 
    Transport: tipc; Status: disabled
    Session Max Limit: 10
    CPU Interval: 0 seconds
    CPU Falling Threshold: 0%
    CPU Rising Threshold: 0%
    History Buffer: Enabled
    History Buffer Purge: Oldest
    History Buffer Size: 32768 bytes
    History Syslog: Disabled
    History Archived Session: 0
    History Max Archive: 16
    Trace buffer debugging level is info
    
    Service Set: Base
    State: Enabled by Default
    Version 1.4.0
    Accessible by:
      All Applications
    
    Service Set: Vty
    State: Disabled
    Version 0.1.0
    Accessible by:
      None
     
    Service Set: Mediatrace
    State: Disabled
    Version 1.0.0
    Accessible by:
      None
     
     

    Displays the onep configuration used by this router. The TLS transport line shows which certificate is in use (here the self-signed trustpoint TP-self-signed-4294967295) and that client certificate validation is disabled.

    The Certificate Fingerprint line contains the value that the pinning mechanism uses. See "Managing Certificates and Keys in End-Node Hosted Applications" in Tech Note: TLS Certificate Pinning and TLS Debugging on the Cisco DevNet site.
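The following Python is an added example, not Cisco code and not part of the onePK SDK. It shows the two things a test application does with the output above: it parses the `show onep status` text to pull out the SHA1 fingerprint and the development-only settings (self-signed trustpoint, client validation disabled), and it implements the pinning-file check described earlier, where a known fingerprint must match exactly and an unknown device is referred back to the caller to accept or reject. The sample status text is constructed from the Step 7 output; the router address, port usage and pin-file format are assumptions.

```python
"""Certificate pinning helper for a onePK TLS transport (added example, not Cisco code)."""
import hashlib
import json
import re
import ssl
from pathlib import Path
from typing import Callable, Dict, Optional

# Constructed sample: the transport lines from the `show onep status` output in Step 7.
SAMPLE_STATUS = """\
Status: enabled by: Config
Version: 1.4.0
Transport: tls; Status: running; Port: 15002; localcert: TP-self-signed-4294967295; client cert validation disabled
Certificate Fingerprint SHA1: 15947854 B327D612 EA083014 623A0B0C BD559677
Transport: tipc; Status: disabled
"""


def parse_onep_status(text: str) -> Dict[str, object]:
    """Extract the TLS transport settings and certificate fingerprint from `show onep status`."""
    info: Dict[str, object] = {}
    m = re.search(r"Certificate Fingerprint SHA1:\s*([0-9A-Fa-f ]+)", text)
    if m:
        # Router prints 5 groups of 8 hex digits; normalise to plain lower-case hex.
        info["fingerprint"] = m.group(1).replace(" ", "").strip().lower()
    m = re.search(r"Transport: tls;([^\n]*)", text)
    if m:
        tls = m.group(1)
        info["self_signed"] = "localcert: TP-self-signed" in tls
        info["client_validation_disabled"] = "client cert validation disabled" in tls
        pm = re.search(r"Port: (\d+)", tls)
        info["port"] = int(pm.group(1)) if pm else None
    return info


def production_findings(info: Dict[str, object]) -> list:
    """Flag the two development-only settings the note above says must not reach production."""
    findings = []
    if info.get("self_signed"):
        findings.append("router presents a self-signed certificate; production needs a CA-signed one")
    if info.get("client_validation_disabled"):
        findings.append("remote (client) certificate validation is disabled")
    return findings


def fingerprint_der(der: bytes) -> str:
    """SHA1 over the DER-encoded certificate, the same digest the router prints."""
    return hashlib.sha1(der).hexdigest()


def fetch_device_fingerprint(host: str, port: int = 15002) -> str:
    """Fetch the router's TLS certificate and fingerprint it (needs network access; not run offline)."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


class PinStore:
    """Trust-on-first-use pin file (assumed format): JSON mapping "host:port" -> SHA1 hex.

    path=None keeps the pins in memory only, which is enough for a test run.
    """

    def __init__(self, path: Optional[str]):
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, device: str, fingerprint: str,
              on_unknown: Callable[[str, str], bool]) -> bool:
        """Return True if the device's certificate may be trusted.

        Known device: the fingerprint must match the pin exactly; a mismatch is
        rejected without asking, since a changed key is what pinning exists to catch.
        Unknown device: defer to on_unknown (an interactive prompt in a real app);
        an accepted fingerprint is recorded so later connections are checked silently.
        """
        pinned = self.pins.get(device)
        if pinned is not None:
            return pinned == fingerprint.lower()
        if on_unknown(device, fingerprint):
            self.pins[device] = fingerprint.lower()
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return True
        return False


if __name__ == "__main__":
    info = parse_onep_status(SAMPLE_STATUS)
    for finding in production_findings(info):
        print("WARNING:", finding)
    store = PinStore(None)
    # First contact: accept the fingerprint taken from `show onep status` on the console.
    print(store.check("router.example:15002", info["fingerprint"], lambda d, f: True))
```

In practice the value compared against the pin file is the one returned by fetch_device_fingerprint over the live TLS connection; checking it against the fingerprint read from `show onep status` on the console is how you confirm, out of band, that the certificate the application sees is the one the router generated.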

     
    What to Do Next

    After completing this procedure, you can test your configuration. Go to Testing Certificate Installation to run one of the sample applications.