Step 1 |
enable
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal
Router# configure terminal
|
Enters global configuration mode.
|
Step 3 |
crypto pki trustpoint
name
Router(config)# crypto pki trustpoint mytp
|
Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
|
Step 4 |
enrollment [mode |
retry period
minutes |
retry count
number]
url
url [pem]
Router(ca-trustpoint)# enrollment url http://cat.example.com
|
Specifies the URL of the CA on which your router should send certificate requests.
-
mode
--Specifies RA mode if your CA system provides an RA.
-
retry
period
minutes
--Specifies the wait period between certificate request retries. The default is 1 minute between retries.
-
retry
count
number
-- Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous
request. (Specify from 1 to 100 retries.)
-
url
url
-- URL of the file system where your router should send certificate requests. An IPv6 address can be added in the URL enclosed
in brackets. For example: http:// [2001:DB8:1:1::1]:80.
-
pem
-- Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Note
|
An enrollment method other than TFTP or manual cut-and-paste must be configured to support autoenrollment.
|
|
Step 5 |
eckeypair
label
Router(ca-trustpoint)# eckeypair Router_1_Key
|
(Optional) Configures the trustpoint to use an Elliptic Curve (EC) key on which certificate requests are generated using
ECDSA signatures. The
label argument specifies the EC key label that is configured using the
crypto
key
generate
rsa or
crypto
key
generate
ec
keysize command in global configuration mode. See the Configuring Internet Key Exchange for IPsec VPNs feature module for more information.
Note
|
If an ECDSA signed certificate is imported without a trustpoint configuration, then the label defaults to the FQDN value.
|
|
Step 6 |
subject-name [x.500-name ]
Router(ca-trustpoint)# subject-name cat
|
(Optional) Specifies the requested subject name that will be used in the certificate request.
-
x.500-name
--If it is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.
|
Step 7 |
vrf
vrf-name
Router(ca-trustpoint)# vrf myvrf
|
(Optional) Specifies the the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate
revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status.
|
Step 8 |
ip-address {ip-address |
interface |
none }
Router(ca-trustpoint)# ip address 192.168.1.66
|
(Optional) Includes the IP address of the specified interface in the certificate request.
-
Issue the
ip-address argument to specify either an IPv4 or IPv6 address.
-
Issue the
interface argument to specify an interface on the router.
-
Issue the
none keyword if no IP address should be included.
Note
|
If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.
|
|
Step 9 |
serial-number [none]
Router(ca-trustpoint)# serial-number
|
(Optional) Specifies the router serial number in the certificate request, unless the
none keyword is issued.
|
Step 10 |
auto-enroll [percent ] [regenerate ]
Router(ca-trustpoint)# auto-enroll regenerate
|
(Optional) Enables autoenrollment, allowing the client to automatically request a rollover certificate from the CA.
-
If autoenrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
-
By default, only t he Domain Name System (DNS) name of the router is included in the certificate.
-
Use the
percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current certificate
is reached.
-
Use the
regenerate keyword to generate a new key for the certificate even if a named key already exists.
Note
|
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear
in the trustpoint configuration to indicate whether the key pair is exportable: “! RSA key pair associated with trustpoint
is exportable.”
|
Note
|
It is recommended that a new key pair be generated for security reasons.
|
|
Step 11 |
usage
method1
[method2 [method3 ]]
Router(ca-trustpoint)# usage ssl-client
|
(Optional) Specifies the intended use for the certificate.
|
Step 12 |
password
string
Router(ca-trustpoint)# password string1
|
(Optional) Specifies the revocation password for the certificate.
Note
|
When SCEP is used, this password can be used to authorize the certificate request--often via a one-time password or similar
mechanism.
|
|
Step 13 |
rsakeypair
key-label
key-size
encryption-key-size
]]
Router(ca-trustpoint)# rsakeypair key-label 2048 2048
|
(Optional) Specifies which key pair to associate with the certificate.
-
A key pair with the
key-label argument will be generated during enrollment if it does not already exist or if the
auto-enroll
regenerate command was issued.
-
Specify the
key-size argument for generating the key, and specify the
encryption-key-size argument to request separate encryption, signature keys, and certificates. The key-size and encryption-key-size must be the
same size. Length of less than 2048 is not recommended.
Note
|
If this command is not enabled, the FQDN key pair is used.
|
|
Step 14 |
fingerprint
ca-fingerprint
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
|
(Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
Note
|
If the fingerprint is not provided and authentication of the CA certificate is interactive, the fingerprint will be displayed
for verification.
|
|
Step 15 |
on
devicename
:
Router(ca-trustpoint)# on usbtoken0:
|
(Optional) Specifies that RSA keys will be created on the specified device upon autoenrollment initial key generation.
-
Devices that may be specified include NVRAM, local disks, and Universal Serial Bus (USB) tokens. USB tokens may be used as
cryptographic devices in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such
as key generation, signing, and authentication to be performed on the token.
|
Step 16 |
exit
Router(ca-trustpoint)# exit
|
Exits ca-trustpoint configuration mode and returns to global configuration mode.
|
Step 17 |
crypto
pki
authenticate
name
Router(config)# crypto pki authenticate mytp
|
Retrieves the CA certificate and authenticates it. Check the certificate fingerprint if prompted.
Note
|
This command is optional if the CA certificate is already loaded into the configuration.
|
|
Step 18 |
exit
|
Exits global configuration mode.
|
Step 19 |
copy
system:running-config
nvram:startup-config
Router#
copy system:running-config nvram:startup-config
|
(Optional) Copies the running configuration to the NVRAM startup configuration.
Note
|
Autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.
|
|
Step 20 |
show
crypto
pki
certificates
Router# show crypto pki certificates
|
(Optional) Displays information about your certificates, including any rollover certificates.
|