Use the crypto ca authenticate command to authenticate a trustpoint, or to enroll, with multi-tier CAs. With multi-tier CAs, you must provide only privacy enhanced mail (PEM)-encoded certificates for trustpoint authentication.
The enrollment process is the same as for a single-tier CA, except that the NCS 1004 console displays a message that prompts you to use only PEM-encoded certificates.
Prerequisite
You must generate a key pair, import a public key, and configure a trustpoint on the NCS 1004, as detailed in the previous sections.
Configuration Example
RP/0/RP0/CPU0:ios#crypto ca authenticate test-ca
Mon Feb 6 08:17:48.943 UTC
Enter the base 64/PEM encoded certificate/certificates.
Please note: for multiple certificates use only PEM
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIF5TCCA82gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCSU4x
CzAJBgNVBAgMAktBMQwwCgYDVQQHDANCR0wxDTALBgNVBAoMBENTQ08xDTALBgNV
.
.
.
/4UzeeX6ll0gGJVbDwGeIZTH00artqxHquKQ2P7eXQ1pg0PRNRqWN90SvT5yE33N
eHgbtvdHg1K6K6IAj/NGnd7xUrA1TQ4bdmouCNkgbXM/G9DwgkOOvZ8KYRP9JW57
LYIv2ZcRS2vdnZRD9JPGVig2EgcfVPtj+Q==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCA92gAwIBAgIUD6AGesleqedhorkrJ9HWjz1RQzswDQYJKoZIhvcNAQEL
BQAwXTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAktBMQwwCgYDVQQHDANCR0wxDTAL
.
.
.
+6rMWd6BmfSy2PT3Qz5AjO2+3N1dd67qRRrX7skklkX4JXY42n5/l9PQtSp0wTBh
uy5yUAagynu0z07GczE7E9V+tJHRmNTbnd8pxLk4lTwqtiCIXwQLZA75SkwCS5wh
fn7OrV7uFjMaggNkvj0kSSOkWxqJ+j/KqMAA2zQMUV+qdvT6i+ZV44U=
-----END CERTIFICATE-----
Serial Number : 10:01
Subject:
CN=SUB_CA_CERT,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Issued By :
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Validity Start : 12:31:40 UTC Sun Jun 14 2020
Validity End : 12:31:40 UTC Wed Jun 12 2030
CRL Distribution Point
http://10.105.236.78/crl_akshath_two_level_ca/crl.der
SHA1 Fingerprint:
D8E0C11ECED96F67FDBC800DB6A126676A76BD62
Serial Number : 0F:A0:06:7A:C9:5E:A9:E7:61:A2:B9:2B:27:D1:D6:8F:3D:51:43:3B
Subject:
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Issued By :
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Validity Start : 13:12:32 UTC Sun Jun 07 2020
Validity End : 13:12:32 UTC Sat Jun 02 2040
CRL Distribution Point
http://10.105.236.78/crl_akshath_two_level_ca/crl.der
SHA1 Fingerprint:
08E71248FB7578614442E713AC87C461D173952F
CA Certificate validated using issuer certificate.
RP/0/RP0/CPU0:ios#
Verification
Use the show crypto ca certificates test-ca command to view the CA certificate chain. The command output displays the Trusted Certificate Chain field when one or more subordinate CAs are involved in the hierarchy.
RP/0/RP0/CPU0:ios#show crypto ca certificates test-ca
Mon Feb 6 09:03:53.019 UTC
Trustpoint : test-ca
==================================================
CA certificate
Serial Number : 10:01
Subject:
CN=SUB_CA_CERT,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Issued By :
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Validity Start : 12:31:40 UTC Sun Jun 14 2020
Validity End : 12:31:40 UTC Wed Jun 12 2030
CRL Distribution Point
http://10.105.236.78/crl_akshath_two_level_ca/crl.der
SHA1 Fingerprint:
D8E0C11ECED96F67FDBC800DB6A126676A76BD62
Trusted Certificate Chain
Serial Number : 0F:A0:06:7A:C9:5E:A9:E7:61:A2:B9:2B:27:D1:D6:8F:3D:51:43:3B
Subject:
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Issued By :
CN=TWO-LEVEL-CA,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Validity Start : 13:12:32 UTC Sun Jun 07 2020
Validity End : 13:12:32 UTC Sat Jun 02 2040
CRL Distribution Point
http://10.105.236.78/crl_akshath_two_level_ca/crl.der
SHA1 Fingerprint:
08E71248FB7578614442E713AC87C461D173952F
certificate
Key usage : General Purpose
Status : Available
Serial Number : 28:E5
Subject:
CN=test
Issued By :
CN=SUB_CA_CERT,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
Validity Start : 08:49:54 UTC Mon Feb 06 2023
Validity End : 08:49:54 UTC Wed Mar 08 2023
SHA1 Fingerprint:
6C8644FA67D9CEBC7C5665C35838265F578835AB
Associated Trustpoint: test-ca
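The following POSIX shell script is an added example, not part of the NCS 1004 guide or Cisco's own tooling: it uses openssl to build a constructed two-level chain with the same DNs as the example above, bundles it in the order pasted at the crypto ca authenticate prompt (subordinate CA first, root last), and checks the issuer linkage, the signatures and the SHA1 fingerprints offline, so the values the console prints under SHA1 Fingerprint can be compared against an independently computed copy before the CA is trusted. The function names (ncs_fingerprint, chain_links, chain_verify, split_bundle, dn), the throwaway keys and the validity periods are assumptions of this example.

```shell
# Constructed example (not from the NCS 1004 guide): build a two-level CA chain, bundle it
# in the order pasted at the "crypto ca authenticate" prompt (sub CA first, root last),
# then check linkage, signatures and fingerprints offline before trusting it on the device.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
# Self-signed root CA; the DNs mirror the page's example, the keys are throwaway.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
  -subj "/C=IN/ST=KA/L=BGL/O=CSCO/OU=SPBU/CN=TWO-LEVEL-CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Subordinate CA: a CSR signed by the root with CA:TRUE so it can issue the device certificate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=IN/ST=KA/L=BGL/O=CSCO/OU=SPBU/CN=SUB_CA_CERT" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/sub.ext"
openssl x509 -req -days 1825 -sha256 -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
cat "$WORK/sub.pem" "$WORK/root.pem" >"$WORK/bundle.pem"
# SHA1 fingerprint in the form the console prints it: uppercase hex, no colons.
ncs_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'; }
# Subject or issuer DN of one certificate ($2 is "subject" or "issuer").
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }
# Split a PEM bundle into c01.pem, c02.pem, ... (bundle order) inside a temp dir; prints the dir.
split_bundle() {
  d="$(mktemp -d)"
  awk -v dir="$d" '/BEGIN CERTIFICATE/{n++; f=sprintf("%s/c%02d.pem",dir,n)} n{print > f}' "$1"
  echo "$d"
}
# Structural check: every certificate must be issued by the next one and the last must be
# self-signed. Prints the certificate count on success; returns 1 on a wrong paste order.
chain_links() {
  d="$(split_bundle "$1")"; prev=""; count=0
  for c in "$d"/c*.pem; do
    count=$((count + 1))
    if [ -n "$prev" ] && [ "$(dn "$prev" issuer)" != "$(dn "$c" subject)" ]; then rm -rf "$d"; return 1; fi
    prev="$c"
  done
  [ "$(dn "$prev" issuer)" = "$(dn "$prev" subject)" ] || { rm -rf "$d"; return 1; }
  rm -rf "$d"; echo "$count"
}
# Signature check, the offline counterpart of "CA Certificate validated using issuer
# certificate": trust only the last (root) certificate and verify every other one against it.
chain_verify() {
  d="$(split_bundle "$1")"; root="$(ls "$d"/c*.pem | tail -n 1)"; rc=0
  for c in "$d"/c*.pem; do
    [ "$c" = "$root" ] || openssl verify -CAfile "$root" -untrusted "$1" "$c" >/dev/null 2>&1 || rc=1
  done
  rm -rf "$d"; return $rc
}
```

Run chain_links and chain_verify on the bundle you intend to paste, and compare ncs_fingerprint of each file with the SHA1 Fingerprint lines the console prints back; a mismatch means the device received a different certificate than the one you checked.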