Step 1: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.

Step 2: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: crypto pki trustpoint name
Example:
Router(config)# crypto pki trustpoint mytp
Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.

Step 4: enrollment [mode | retry period minutes | retry count number] url url [pem]
Example:
Router(ca-trustpoint)# enrollment url http://cat.example.com
Purpose: Specifies the URL of the CA to which your router should send certificate requests.
- mode: Specifies RA mode if your CA system provides an RA.
- retry period minutes: Specifies the wait period between certificate request retries. The default is 1 minute between retries.
- retry count number: Specifies the number of times a router will resend a certificate request when it does not receive a response to the previous request. (Specify from 1 to 100 retries.)
- url url: URL of the file system to which your router should send certificate requests. An IPv6 address can be added in the URL enclosed in brackets, for example http://[2001:DB8:1:1::1]:80. For more enrollment method options, see the enrollment url (ca-trustpoint) command page.
- pem: Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Note: An enrollment method other than TFTP or manual cut-and-paste must be configured to support autoenrollment.

Step 5: eckeypair label
Example:
Router(ca-trustpoint)# eckeypair Router_1_Key
Purpose: (Optional) Configures the trustpoint to use an Elliptic Curve (EC) key, so that certificate requests are generated using ECDSA signatures. The label argument specifies the EC key label that is configured using the crypto key generate rsa or crypto key generate ec keysize command in global configuration mode. See the Configuring Internet Key Exchange for IPsec VPNs feature module for more information.
Note: If an ECDSA-signed certificate is imported without a trustpoint configuration, the label defaults to the FQDN value.

Step 6: subject-name [x.500-name]
Example:
Router(ca-trustpoint)# subject-name cat
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
- x.500-name: If it is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.

Step 7: vrf vrf-name
Example:
Router(ca-trustpoint)# vrf myvrf
Purpose: (Optional) Specifies the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status.

Step 8: ip-address {ip-address | interface | none}
Example:
Router(ca-trustpoint)# ip-address 192.168.1.66
Purpose: (Optional) Includes the IP address of the specified interface in the certificate request.
- Issue the ip-address argument to specify either an IPv4 or IPv6 address.
- Issue the interface argument to specify an interface on the router.
- Issue the none keyword if no IP address should be included.
Note: If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.

Step 9: serial-number [none]
Example:
Router(ca-trustpoint)# serial-number
Purpose: (Optional) Specifies the router serial number in the certificate request, unless the none keyword is issued.
- Issue the none keyword to specify that a serial number will not be included in the certificate request.

Step 10: auto-enroll [percent] [regenerate]
Example:
Router(ca-trustpoint)# auto-enroll regenerate
Purpose: (Optional) Enables autoenrollment, allowing the client to automatically request a rollover certificate from the CA.
- If autoenrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
- By default, only the Domain Name System (DNS) name of the router is included in the certificate.
- Use the percent argument to specify that a new certificate will be requested after that percentage of the lifetime of the current certificate is reached.
- Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.
Note: If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: "! RSA key pair associated with trustpoint is exportable."
Note: It is recommended that a new key pair be generated for security reasons.

Step 11: usage method1 [method2 [method3]]
Example:
Router(ca-trustpoint)# usage ssl-client
Purpose: (Optional) Specifies the intended use for the certificate.
- Available options are ike, ssl-client, and ssl-server; the default is ike.

Step 12: password string
Example:
Router(ca-trustpoint)# password string1
Purpose: (Optional) Specifies the revocation password for the certificate.
- If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.
Note: When SCEP is used, this password can be used to authorize the certificate request, often through a one-time password or similar mechanism.

Step 13: rsakeypair key-label [key-size [encryption-key-size]]
Example:
Router(ca-trustpoint)# rsakeypair key-label 2048 2048
Purpose: (Optional) Specifies which key pair to associate with the certificate.
- A key pair with the key-label argument will be generated during enrollment if it does not already exist or if the auto-enroll regenerate command was issued.
- Specify the key-size argument for generating the key, and specify the encryption-key-size argument to request separate encryption and signature keys and certificates. The key-size and encryption-key-size must be the same size. A length of less than 2048 bits is not recommended.
Note: If this command is not enabled, the FQDN key pair is used.

Step 14: fingerprint ca-fingerprint
Example:
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
Purpose: (Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
Note: If the fingerprint is not provided and authentication of the CA certificate is interactive, the fingerprint will be displayed for verification.

Step 15: on devicename:
Example:
Router(ca-trustpoint)# on usbtoken0:
Purpose: (Optional) Specifies that RSA keys will be created on the specified device upon autoenrollment initial key generation.
- Devices that may be specified include NVRAM, local disks, and Universal Serial Bus (USB) tokens. USB tokens may be used as cryptographic devices in addition to storage devices. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication to be performed on the token.

Step 16: exit
Example:
Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 17: crypto pki authenticate name
Example:
Router(config)# crypto pki authenticate mytp
Purpose: Retrieves the CA certificate and authenticates it.
- Check the certificate fingerprint if prompted.
Note: This command is optional if the CA certificate is already loaded into the configuration.

Step 18: exit
Example:
Router(config)# exit
Purpose: Exits global configuration mode.

Step 19: copy system:running-config nvram:startup-config
Example:
Router# copy system:running-config nvram:startup-config
Purpose: (Optional) Copies the running configuration to the NVRAM startup configuration.
Note: Autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.

Step 20: show crypto pki certificates
Example:
Router# show crypto pki certificates
Purpose: (Optional) Displays information about your certificates, including any rollover certificates.
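The steps above combined into one trustpoint session, as an added example that is not part of the original page: it reuses the page's sample names (mytp, cat.example.com) and the page's sample fingerprint as a placeholder, while the subject name, key label, retry values and rollover percentage are constructed for illustration.

```cisco
! Added example, not from the original page. Placeholder values are marked;
! the fingerprint in particular must be replaced with the CA certificate
! fingerprint obtained out of band from the CA operator.
Router> enable
Router# configure terminal
Router(config)# crypto pki trustpoint mytp
! SCEP over HTTP, not TFTP or cut-and-paste, so autoenrollment is supported;
! retry values (2 minutes, 10 attempts) are constructed for the example.
Router(ca-trustpoint)# enrollment retry period 2 retry count 10 url http://cat.example.com
! Constructed X.500 subject; omit this line to fall back to the FQDN.
Router(ca-trustpoint)# subject-name CN=router1.example.com,O=Example
! Keep address and serial number out of the request and out of the prompts.
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# serial-number none
! Request the rollover certificate at 80% of lifetime and generate a fresh
! key pair each time instead of reusing the existing one.
Router(ca-trustpoint)# auto-enroll 80 regenerate
Router(ca-trustpoint)# usage ike
! Dedicated 2048-bit pair (constructed label); both sizes must match.
Router(ca-trustpoint)# rsakeypair mytp-key 2048 2048
! Pin the CA certificate: authentication fails if the retrieved CA
! certificate does not match this fingerprint. PLACEHOLDER value below.
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
Router(ca-trustpoint)# exit
! Retrieve and verify the CA certificate against the pinned fingerprint.
Router(config)# crypto pki authenticate mytp
Router(config)# exit
! Save, otherwise autoenrollment will not update the startup configuration.
Router# copy system:running-config nvram:startup-config
Router# show crypto pki certificates
```

Configuring the fingerprint before crypto pki authenticate is what turns the interactive "check the fingerprint if prompted" step into an automatic check, which matters most when the trustpoint is deployed unattended and no operator is present to compare the displayed value.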