Cisco Router PKI (Public Key Infrastructure) Configuration Guide

Public Key Infrastructure (PKI) provides the foundation for secure authentication, encryption, and trust management in enterprise networks. Cisco routers use PKI extensively for technologies such as IPsec VPNs, SSL VPNs, DMVPN, FlexVPN, HTTPS management access, and 802.1X authentication.

Rather than relying on shared secrets, PKI uses digital certificates signed by a trusted Certificate Authority (CA). This allows routers to verify identities cryptographically and establish secure communications without manually distributing passwords across the network.

What is PKI?

PKI is a framework consisting of:

  • Certificate Authority (CA)
  • Registration Authority (RA)
  • Digital Certificates
  • Public and Private Key Pairs
  • Certificate Revocation Lists (CRL)

In a Cisco environment, routers generate RSA key pairs locally. The public key is submitted to a CA through a Certificate Signing Request (CSR). The CA validates the identity and issues a signed certificate. Other devices can then trust the certificate if they trust the issuing CA.

PKI Components

Component                     Purpose
Certificate Authority (CA)    Issues and signs certificates
Registration Authority (RA)   Validates enrollment requests
Certificate                   Binds an identity to a public key
Private Key                   Used for signing and decryption
Public Key                    Used for verification and encryption
CRL                           List of revoked certificates

PKI Workflow on Cisco Routers

  1. Generate RSA key pair.
  2. Create a trustpoint.
  3. Authenticate the CA certificate.
  4. Generate and submit a certificate request.
  5. Receive signed certificate.
  6. Install certificate.
  7. Use certificate for VPNs and secure services.

Lab Topology


                 Certificate Authority
                     10.10.10.10
                           |
                   ----------------
                   |              |
             Client-R1       Client-R2
            192.168.1.1     192.168.2.1

The CA router acts as the trusted Certificate Authority. Both client routers enroll and receive certificates from the CA.

PKI Prerequisites

Before configuring PKI on a Cisco IOS router, configure a hostname and a domain name: IOS combines them into the fully qualified domain name that names the default RSA key pair and forms the certificate identity. Also set the clock to the current time (or configure NTP), because certificate validity periods are checked against the router clock.


hostname CA-Router
ip domain-name example.com

hostname Client-R1
ip domain-name example.com

! clock set is a privileged EXEC command, not a configuration-mode command
clock set 14:30:00 June 19 2026

After the hostname and domain name are configured, generate the RSA key pair required for certificate operations.


crypto key generate rsa general-keys modulus 4096

Step 1: Configure the Cisco Router as a Certificate Authority

The following configuration creates a self-signed Certificate Authority on a Cisco router.


hostname CA-Router
! SCEP enrollment from the clients arrives over HTTP, so the HTTP server must be enabled
ip http server
! The CA server uses the RSA key pair whose label matches the server name; without this label
! IOS generates its own default-sized pair when the server starts
crypto key generate rsa general-keys label ENTERPRISE-CA modulus 4096
crypto pki server ENTERPRISE-CA
 issuer-name CN=Enterprise-Root-CA,O=ExampleCorp,C=US
 grant auto
 database level complete
 database url nvram:
 ! no shutdown prompts for a passphrase that protects the CA private key
 no shutdown

Verification:


show crypto pki server
show crypto pki certificates

The CA is now capable of signing certificate requests from Cisco devices. Because grant auto is configured, every request that reaches the CA is signed without review, which is convenient in a lab; in production, leave requests pending and approve them individually with crypto pki server ENTERPRISE-CA grant <request-id>.

Step 2: Configure Client Router Enrollment

Create RSA keys on the client router.


hostname Client-R1

! The label must match the rsakeypair named in the trustpoint below
crypto key generate rsa general-keys label Client-R1 modulus 2048

Create Trustpoint


crypto pki trustpoint ENTERPRISE-CA
 enrollment url http://10.10.10.10
 ! Disables CRL checking for the lab; see the best practices below for production use
 revocation-check none
 rsakeypair Client-R1
 subject-name CN=Client-R1,O=ExampleCorp,C=US

Authenticate the CA


crypto pki authenticate ENTERPRISE-CA

The router displays the CA certificate fingerprint and asks whether to accept it. Compare the fingerprint with one obtained from the CA out of band (for example, on the CA router's console) before answering yes; this is the step that keeps a substituted CA certificate from being trusted.

Enroll with the CA


crypto pki enroll ENTERPRISE-CA

The router generates a Certificate Signing Request (CSR), sends it to the CA, and receives a signed certificate.

Verify Certificate Installation


show crypto pki certificates
show crypto pki trustpoints
show crypto key mypubkey rsa

Expected output should show:

  • CA certificate
  • Identity certificate
  • RSA key pair
  • Trustpoint status
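The enrollment workflow from Step 1 and Step 2, worked through in Go with the standard library's x509 package, as an added example that is not configuration from the page or code from Cisco: buildCA is the CA router's self-signed root, fingerprint is the value the operator compares during crypto pki authenticate, buildCSR and issue are the crypto pki enroll exchange with grant auto on the CA side (the CA verifies the CSR's own signature before signing), and verifyChain is what a peer later does with a presented identity certificate. The 2048-bit key size, the serial numbers and the SHA-256 fingerprint are choices made for this example (IOS prints MD5 and SHA-1 fingerprints), and the SCEP-over-HTTP transport is left out: the calls are made in-process.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Step 1 (CA router): generate a key pair and a self-signed root certificate whose subject
// matches the configured issuer-name; three years is the IOS CA default for its own certificate.
func buildCA(now time.Time) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the example quick; the page recommends 3072/4096
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Enterprise-Root-CA", Organization: []string{"ExampleCorp"}, Country: []string{"US"}},
		NotBefore:    now, NotAfter: now.AddDate(3, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return key, ca, err
}

// "crypto pki authenticate": the fingerprint the operator compares with an out-of-band value (SHA-256 here; IOS shows MD5/SHA-1).
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// "crypto pki enroll": the client generates its key pair and a CSR carrying its subject-name.
func buildCSR(cn string) (*rsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: cn, Organization: []string{"ExampleCorp"}, Country: []string{"US"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// The CA side of "grant auto": check the CSR's proof-of-possession signature, then issue an
// identity certificate; one year is the IOS CA default lifetime for issued certificates.
func issue(caKey *rsa.PrivateKey, ca *x509.Certificate, csr *x509.CertificateRequest, serial int64, now time.Time) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Peer-side check for "authentication rsa-sig": chain the identity certificate to the trusted CA at time now;
// an expired certificate, or one issued by a different CA, fails here.
func verifyChain(leaf, trustedCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	now := time.Now()
	caKey, ca, err := buildCA(now)
	if err != nil {
		panic(err)
	}
	_, csr, err := buildCSR("Client-R1")
	if err != nil {
		panic(err)
	}
	leaf, err := issue(caKey, ca, csr, 2, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("CA fingerprint (SHA-256):", fingerprint(ca))
	fmt.Println("Client-R1 valid now:", verifyChain(leaf, ca, now))
	fmt.Println("Client-R1 valid in two years:", verifyChain(leaf, ca, now.AddDate(2, 0, 0)))
}
```

Running the same verification two years out fails with an expiry error, which is the condition behind the Certificate Expired troubleshooting entry further down; verifying against a root built by a second buildCA call fails too, which is the VPN Authentication Failure case where the two routers do not share a CA.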

Using PKI for IPsec VPN Authentication

One of the most common uses of PKI is certificate-based IPsec authentication.

Router R1


! IKE phase 1: certificate (RSA signature) authentication instead of a pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14

! Present the certificate's distinguished name as the IKE identity
crypto isakmp identity dn

! In IOS the transform set is defined on a single line
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac

! Crypto ACL selecting the traffic to protect; the lab does not give the LAN subnets, so substitute your own
access-list 100 permit ip <R1-LAN> <wildcard> <R2-LAN> <wildcard>

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set VPN-SET
 match address 100

interface GigabitEthernet0/0
 crypto map VPN-MAP

Router R2


! IKE phase 1: certificate (RSA signature) authentication instead of a pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14

! Present the certificate's distinguished name as the IKE identity
crypto isakmp identity dn

! In IOS the transform set is defined on a single line
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac

! Mirror image of the R1 crypto ACL; substitute the real LAN subnets
access-list 100 permit ip <R2-LAN> <wildcard> <R1-LAN> <wildcard>

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set VPN-SET
 match address 100

interface GigabitEthernet0/0
 crypto map VPN-MAP

Instead of pre-shared keys, both routers prove their identity during IKE phase 1 with their CA-issued certificates (authentication rsa-sig); each peer validates the certificate it receives against the CA certificate held in its trustpoint.

Useful PKI Verification Commands

Command                         Purpose
show crypto pki certificates    Display installed certificates
show crypto pki trustpoints     Display trustpoint information
show crypto pki server          Verify CA server operation
show crypto key mypubkey rsa    View RSA public keys
show crypto isakmp sa           Verify Phase 1 VPN status
show crypto ipsec sa            Verify Phase 2 VPN status

Common PKI Troubleshooting

Certificate Enrollment Fails


debug crypto pki transactions
debug crypto pki messages

Verify IP connectivity to the CA and that the HTTP server used for SCEP enrollment (ip http server on the CA router) is reachable at the address given in the enrollment url.

Certificate Expired


show crypto pki certificates

Check certificate validity dates and renew if necessary.
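An added example (Go, standard library only; not from the page or from Cisco) that turns the validity-date check above into a small expiry report of the kind the best-practices list asks for: it parses a constructed sample of show crypto pki certificates output, with the layout modelled on IOS but the o= and c= subject lines left out and the names and dates invented to match the lab, and lists the certificates whose end date falls within a threshold. Parsing of the end date assumes the IOS timestamp form HH:MM:SS ZONE Mon D YYYY; Go resolves the UTC abbreviation to a real location, while other abbreviations would be kept as a zero-offset zone.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample in the layout of "show crypto pki certificates" (o= and c= lines
// omitted); names and dates are invented for this example and follow the lab in the text.
const sampleShowOutput = `Certificate
  Certificate Serial Number (hex): 02
  Issuer:
    cn=Enterprise-Root-CA
  Subject:
    cn=Client-R1
  Validity Date:
    start date: 14:35:12 UTC Jun 19 2026
    end   date: 14:35:12 UTC Jun 19 2027
  Associated Trustpoints: ENTERPRISE-CA

CA Certificate
  Certificate Serial Number (hex): 01
  Issuer:
    cn=Enterprise-Root-CA
  Subject:
    cn=Enterprise-Root-CA
  Validity Date:
    start date: 14:32:05 UTC Jun 19 2026
    end   date: 14:32:05 UTC Jun 18 2029
  Associated Trustpoints: ENTERPRISE-CA
`

type CertInfo struct { // one certificate record pulled from the show output
	Kind       string // "Certificate", "CA Certificate", ...
	Subject    string // cn= value under Subject:
	Trustpoint string
	NotAfter   time.Time
}

var endDateRe = regexp.MustCompile(`^\s*end\s+date:\s*(.+)$`)
var cnRe = regexp.MustCompile(`^\s*cn=(.+)$`)
var tpRe = regexp.MustCompile(`^\s*Associated Trustpoints:\s*(.+)$`)

// parseShowCertificates splits the output into records: a line with no leading whitespace starts a new certificate.
func parseShowCertificates(out string) ([]CertInfo, error) {
	var certs []CertInfo
	inSubject := false
	for _, line := range strings.Split(out, "\n") {
		text := strings.TrimSpace(line)
		switch {
		case text == "":
			continue
		case !strings.HasPrefix(line, " "):
			certs = append(certs, CertInfo{Kind: text})
			inSubject = false
		case len(certs) == 0:
			return nil, fmt.Errorf("unexpected line before first record: %q", line)
		case text == "Subject:":
			inSubject = true
		case inSubject && certs[len(certs)-1].Subject == "" && cnRe.MatchString(line):
			certs[len(certs)-1].Subject = cnRe.FindStringSubmatch(line)[1]
		case tpRe.MatchString(line):
			certs[len(certs)-1].Trustpoint = tpRe.FindStringSubmatch(line)[1]
		case endDateRe.MatchString(line):
			// IOS pads "end   date"; collapse any extra spacing before parsing the timestamp.
			raw := strings.Join(strings.Fields(endDateRe.FindStringSubmatch(line)[1]), " ")
			t, err := time.Parse("15:04:05 MST Jan 2 2006", raw)
			if err != nil {
				return nil, fmt.Errorf("bad end date %q: %w", raw, err)
			}
			certs[len(certs)-1].NotAfter = t
		}
	}
	return certs, nil
}

// expiringWithin returns the records whose end date is less than days away from now (already-expired ones included).
func expiringWithin(certs []CertInfo, now time.Time, days int) []CertInfo {
	var hits []CertInfo
	for _, c := range certs {
		if c.NotAfter.Before(now.AddDate(0, 0, days)) {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	certs, err := parseShowCertificates(sampleShowOutput)
	if err != nil {
		panic(err)
	}
	now := time.Date(2027, 5, 25, 0, 0, 0, 0, time.UTC) // constructed "today"
	for _, c := range expiringWithin(certs, now, 30) {
		fmt.Printf("%s %q (trustpoint %s) expires %s\n", c.Kind, c.Subject, c.Trustpoint, c.NotAfter.Format(time.RFC3339))
	}
}
```

With the constructed date, only the Client-R1 identity certificate is reported at a 30-day threshold; the CA certificate has two more years to run. A record that carries no end date keeps the zero time value and is therefore always reported, which is the safer failure mode for a monitoring script.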

VPN Authentication Failure


debug crypto isakmp
debug crypto ipsec

Ensure both routers trust the same CA (the same CA certificate is present under the trustpoint on each side), that each holds an identity certificate issued by that CA, and that neither certificate has expired.

Security Best Practices

  • Use RSA 3072 or 4096-bit keys when possible.
  • Protect CA private keys with strong access controls.
  • Implement certificate revocation checking.
  • Use SHA-256 or stronger hashing algorithms.
  • Back up CA databases regularly.
  • Monitor certificate expiration dates.

Conclusion

PKI provides scalable and secure identity management for Cisco networks. By replacing pre-shared keys with digital certificates, organizations gain stronger authentication, centralized trust management, and simplified VPN deployments. Cisco routers can function as both Certificate Authorities and certificate clients, making PKI an essential technology for secure enterprise networking, DMVPN, FlexVPN, HTTPS management, and certificate-based IPsec VPN implementations.
