Certification Authority Interoperability Commands

This chapter describes the function and displays the syntax for Certification Authority (CA) interoperability commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

certificate

To manually add certificates, use the certificate command in certificate chain configuration mode. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router.

certificate certificate-serial-number
no certificate certificate-serial-number

certificate-serial-number

Specify the serial number of the certificate to add or delete.


crl optional

To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional configuration command. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate.

crl optional
no crl optional

crypto ca authenticate

To authenticate the CA (by getting the CA's certificate), use the crypto ca authenticate global configuration command.

crypto ca authenticate name

name

Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.


crypto ca certificate chain

To enter the certificate chain configuration mode, use the crypto ca certificate chain global configuration command. (You need to be in certificate chain configuration mode to delete certificates.)

crypto ca certificate chain name

name

Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.


crypto ca certificate query

To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query global configuration command. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default).

crypto ca certificate query
no crypto ca certificate query

crypto ca crl request

To request that a new Certificate Revocation List (CRL) be obtained immediately from the CA, use the crypto ca crl request global configuration command. Use this command only when your CA does not support a Registration Authority (RA).

crypto ca crl request name

name

Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.


crypto ca enroll

To obtain your router's certificate(s) from the CA, use the crypto ca enroll global configuration command. Use the no form of this command to delete a current enrollment request.

crypto ca enroll name
no crypto ca enroll name

name

Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.


crypto ca identity

To declare the CA your router should use, use the crypto ca identity global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.

crypto ca identity name
no crypto ca identity name

name

Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.


crypto key generate rsa

To generate RSA key pairs, use the crypto key generate rsa global configuration command.

crypto key generate rsa [usage-keys]

usage-keys

(Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.


crypto key zeroize rsa

To delete all of your router's RSA keys, use the crypto key zeroize rsa global configuration command.

crypto key zeroize rsa

enrollment mode ra

To turn on RA mode, use the enrollment mode ra configuration command. Use the no form of the command to turn off RA mode.

enrollment mode ra
no enrollment mode ra

enrollment retry-count

To specify how many times a router will resend a certificate request, use the enrollment retry-count configuration command. Use the no form of the command to reset the retry count to the default of 0, which indicates an infinite number of retries.

enrollment retry-count number
no enrollment retry-count

number

Specify how many times the router will resend a certificate request when it does not receive a certificate from the CA in response to the previous request.

Specify from 1 to 100 retries.


enrollment retry-period

To specify the wait period between certificate request retries, use the enrollment retry-period configuration command. Use the no form of the command to reset the retry period to the default of 1 minute.

enrollment retry-period minutes
no enrollment retry-period

minutes

Specify the number of minutes the router waits before resending a certificate request to the CA when it does not receive a certificate from the CA in response to the previous request.

Specify from 1 to 60 minutes. By default, the router retries every 1 minute.


enrollment url

To specify the CA location by naming the CA's URL, use the enrollment url configuration command. Use the no form of this command to remove the CA's URL from the configuration.

enrollment url url
no enrollment url url

url

Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server.

This URL must be in the form of http://CA_name where CA_name is the CA's host DNS name or IP address.

If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location), you must also include the non-standard script location in the URL, in the form http://CA_name/script_location, where script_location is the full path to the CA scripts.


query url

To specify LDAP protocol support, use the query url configuration command. Use the no form of this command to remove the query URL from the configuration and revert to the default query protocol, Certificate Enrollment Protocol (CEP).

query url url
no query url url

url

Specify the URL of the LDAP server; for example, ldap://another_server.

This URL must be in the form of ldap://server_name where server_name is the host DNS name or IP address of the LDAP server.


show crypto ca certificates

To view information about your certificate, the CA's certificate, and any RA certificates, use the show crypto ca certificates EXEC command.

show crypto ca certificates
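The following configuration is an added example, constructed for this summary and not taken from the Cisco reference, that puts the commands above together in the order a router is enrolled with a CA. The CA name myca and the retry values are assumptions; the URLs are the forms the reference gives. It assumes hostname and ip domain-name are already configured, since RSA key generation requires both.

```text
! Constructed example, not from the Cisco reference. Assumes hostname and
! ip domain-name are already configured (RSA key generation requires both).
!
! 1. Generate the router's RSA key pair (one general-purpose pair; add
!    "usage-keys" to generate two special-usage pairs instead).
crypto key generate rsa
!
! 2. Declare the CA. "myca" is an assumed name; some CAs require a
!    particular name, such as their domain name.
crypto ca identity myca
 ! Where certificate requests are sent. The CA script is at the default
 ! /cgi-bin/pkiclient.exe, so no script location is appended to the URL.
 enrollment url http://ca_server
 ! The CA fronts enrollment with a Registration Authority.
 enrollment mode ra
 ! Retrieve certificates and CRLs from this LDAP server (assumed host).
 query url ldap://another_server
 ! Resend an unanswered request up to 5 times, 2 minutes apart
 ! (assumed values; the defaults are 0 = infinite retries and 1 minute).
 enrollment retry-count 5
 enrollment retry-period 2
 ! "crl optional" is deliberately left unset: with the default, a peer
 ! certificate is rejected when its CRL cannot be fetched, so a revoked
 ! certificate is never accepted merely because the CRL was unreachable.
 exit
!
! 3. Fetch the CA's certificate. The router displays the certificate
!    fingerprint; compare it with the value the CA publishes before
!    accepting, otherwise a spoofed CA would become trusted.
crypto ca authenticate myca
!
! 4. Request the router's own certificate(s) from the CA.
crypto ca enroll myca
!
! 5. Verify what is installed: the router, CA and any RA certificates.
show crypto ca certificates
```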

Posted: Mon Feb 8 13:56:02 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.