Cisco Aironet Access Points

The Current Certificates table contains a brief summary of the main certificate attributes.

Click the numbered link to get more details of a particular certificate. A Certificate Detail window opens. Only one detail window can be open at one time.

Indicates whether this certificate is a CA (Certificate Authority) or local (router) certificate.

Indicates the availability of the certificate.

Shows whether the certificate is used for signature only, encryption, or both (general purpose).

The information about the certificate owner. If one subject needs several different certificates signed by one CA, such certificates can have the same value of this field.

A distinguished name which is a sequence of several object IDs with their corresponding values.

What date the specific certificate is no longer valid or activated.

The details of the certificate authority that the access point uses for certificate operations.

Digital certificates are based on public key cryptography where each participant is issued a public key (shared widely) and a private key (not shared). The keys are very large integer in computer-readable form and are interrelated so that anything encrypted with the public key requires the private key to decrypt it and vice versa. The certificate is digitally signed with the key of the issuing authority, the signature is verified, and the contents of the certificate are validated.

A consecutive numbering of the keys.

The name assigned to the individual name or organization who is in possession of the certificate holder's public key.

A brief description of the key type.

To transfer a software certificate, you need to export it and its associated private key in a suitable interchange format of the machine in which the certificate is first installed. This column specifies whether the key and certificate can be copied to other systems you use.

The date and time when the certificate was recognized. A certificate is valid only for a limited amount of time.

Which certificate authorities the access point is currently using for certificate operations.

The unique name assigned to define or group the details of the certificate authority together.

The router must contact the CA or RA to enroll in the PKI. Cisco IOS software enrolls with the CA via SCEP (Cisco's Simple Certificate Enrollment Protocol), which uses HTML as the application protocol and thus requires the router to have the URL to enroll. The CA documentation should offer the enrollment URL, which varies from vendor to vendor.

The details of the subject field in the requested X.509 certificate.

Specifies whether to perform a certificate renovation check for a received certificate. For EAP-TLS, this should be set to None.

An optional name to identify the RSA keys for the certificate.

The number of bits required for the RSA keys. Larger sizes are more secure.

If this option is chosen, the RSA keys generate when the certificate is enrolled with the certificate authority.

Certificates are automatically enrolled when the trustpoint is configured. You do not need to explicitly download the CA certificate and then enroll the router certificate because it is done automatically.

After defining the trustpoint, click the Retrieve button to download the certificate authority certificate.

After successfully retrieving the CA certificate, click the Enroll button to enroll the access point certificate(s) with the CA. This sends a certificate enrollment request to the CA and installs the received certificate(s). This may happen immediately or might take some time depending on the settings of the CA. For example, some CAs are set to immediately issue the certificate, while some might require human intervention, delaying the issuance of the certificate for some time.

When a trustpoint is deleted, the associated RSA keys are also deleted. If you want to keep the keys intact, this option must be chosen before deleting the trustpoint.