This chapter describes the function and displays the syntax for Certification Authority (CA) interoperability commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To manually add certificates, use the certificate command in certificate chain configuration mode. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router.
certificate certificate-serial-number
certificate-serial-number | Specify the serial number of the certificate to add or delete. |
To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional configuration command. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate.
crl optional
To authenticate the CA (by getting the CA's certificate), use the crypto ca authenticate global configuration command.
crypto ca authenticate name
name | Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command. |
To enter the certificate chain configuration mode, use the crypto ca certificate chain global configuration command. (You need to be in certificate chain configuration mode to delete certificates.)
crypto ca certificate chain name
name | Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command. |
To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query global configuration command. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default).
crypto ca certificate query
To request that a new Certificate Revocation List (CRL) be obtained immediately from the CA, use the crypto ca crl request global configuration command. Use this command only when your CA does not support a Registration Authority (RA).
crypto ca crl request name
name | Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command. |
To obtain your router's certificate(s) from the CA, use the crypto ca enroll global configuration command. Use the no form of this command to delete a current enrollment request.
crypto ca enroll name
name | Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command. |
To declare the CA your router should use, use the crypto ca identity global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.
crypto ca identity name
name | Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. |
To generate RSA key pairs, use the crypto key generate rsa global configuration command.
crypto key generate rsa [usage-keys]
usage-keys | (Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair. |
To delete all of your router's RSA keys, use the crypto key zeroize rsa global configuration command.
crypto key zeroize rsa
To turn on RA mode, use the enrollment mode ra configuration command. Use the no form of the command to turn off RA mode.
enrollment mode ra
To specify how many times a router will resend a certificate request, use the enrollment retry-count configuration command. Use the no form of the command to reset the retry count to the default of 0, which indicates an infinite number of retries.
enrollment retry-count number
number | Specify how many times the router will resend a certificate request when it does not receive a certificate from the CA in response to the previous request. Specify from 1 to 100 retries. |
To specify the wait period between certificate request retries, use the enrollment retry-period configuration command. Use the no form of the command to reset the retry period to the default of 1 minute.
enrollment retry-period minutes
minutes | Specify the number of minutes the router waits before resending a certificate request to the CA when it does not receive a certificate from the CA in response to the previous request. Specify from 1 to 60 minutes. By default, the router retries every 1 minute. |
To specify the CA location by naming the CA's URL, use the enrollment url configuration command. Use the no form of this command to remove the CA's URL from the configuration.
enrollment url url
url | Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server. This URL must be in the form of http://CA_name, where CA_name is the CA's host DNS name or IP address. If the CA cgi-bin script location at the CA is not /cgi-bin/pkiclient.exe (the default CA cgi-bin script location), you also need to include the non-standard script location in the URL, in the form of http://CA_name/script_location, where script_location is the full path to the CA scripts. |
To specify LDAP protocol support, use the query url configuration command. Use the no form of this command to remove the query URL from the configuration and specify the default query protocol, certificate enrollment protocol (CEP).
query url url
url | Specify the URL of the LDAP server; for example, ldap://another_server. This URL must be in the form of ldap://server_name where server_name is the host DNS name or IP address of the LDAP server. |
To view information about your certificate, the CA's certificate, and any RA certificates, use the show crypto ca certificates EXEC command.
show crypto ca certificates
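The following configuration walks through the commands above in the order they depend on each other: generate keys, declare the CA, authenticate it, enroll, verify, and later remove a certificate by serial number. It is an added example, not part of the Cisco reference. The CA name myca, the host ca.example.com, the hostname and domain name, and the serial number are placeholder values; the hostname and ip domain-name commands are assumed prerequisites (standard IOS behaviour, since the RSA key pair is labelled with the router's fully qualified name) and are not among the commands this chapter documents.

```text
! Added example, not from the Cisco reference. "myca", "ca.example.com",
! "branch-rtr", "example.com" and the serial number are placeholders.
!
! Assumed prerequisite: the router needs a hostname and domain name so the
! RSA key pair can be labelled before it is generated.
configure terminal
 hostname branch-rtr
 ip domain-name example.com
!
! 1. Generate the RSA key pair that the certificate request will carry.
 crypto key generate rsa
!
! 2. Declare the CA; this enters ca-identity configuration mode.
 crypto ca identity myca
  enrollment url http://ca.example.com
  enrollment retry-count 10
  enrollment retry-period 5
  ! Only if the CA fronts enrollment with a Registration Authority:
  ! enrollment mode ra
  ! Only if certificates and CRLs are to be fetched from an LDAP server:
  ! query url ldap://ldap.example.com
  ! "crl optional" is deliberately left unset. With the default (CRL
  ! checking mandatory) a peer certificate is rejected whenever its CRL
  ! cannot be retrieved, so a revoked certificate is never accepted just
  ! because the CRL server was unreachable at the time.
  exit
!
! 3. Fetch the CA's certificate. The router displays its fingerprint and
!    asks for confirmation; compare it with a value obtained out of band
!    before accepting.
 crypto ca authenticate myca
!
! 4. Send the router's certificate request(s) to the CA.
 crypto ca enroll myca
 end
!
! 5. Verify the router, CA and any RA certificates that were received.
show crypto ca certificates
!
! Later: delete one stored certificate (for example a retired RA
! certificate) from certificate chain configuration mode.
configure terminal
 crypto ca certificate chain myca
  no certificate <certificate-serial-number>
  exit
 end
```

If the CA is unreachable during step 4, the retry-count and retry-period values above make the router resend the request every 5 minutes, up to 10 times, before giving up; the default (retry-count 0) retries indefinitely.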
Posted: Mon Feb 8 13:56:02 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.