|
|
This chapter describes certification authority (CA) interoperability commands. Certification Authority (CA) interoperability is provided in support of the IP Security (IPSec) standard. CA interoperability permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
Without CA interoperability, Cisco IOS devices could not use CAs when deploying IPSec. CAs provide a manageable, scalable solution for IPSec networks.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CA interoperability.
For configuration information, refer to the chapter "Configuring Certification Authority Interoperability" in the Cisco IOS Security Configuration Guide.
To manually add certificates, use the certificate command in certificate chain configuration mode. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router.
certificate certificate-serial-number
Syntax Description
certificate-serial-number Specify the serial number of the certificate to add or delete.
Defaults
No default behavior or values.
Command Modes
Certificate chain configuration (config-cert-chain)
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually only used to delete certificates.
Examples
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
myrouter(config-cert-chain)# exit
myrouter(config)#
Related Commands
Enters the certificate chain configuration mode.
Command
Description
To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional command in ca-identity configuration mode. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate.
crl optionalSyntax Description
This command has no arguments or keywords.
Defaults
The router must have and check the appropriate CRL before accepting another IPSec peer's certificate.
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
When your router receives a certificate from a peer, it will download a Certificate Revocation List (CRL) from either the CA or a CRL distribution point as designated in the peer's certificate. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
With CA systems that support Registration Authorities (RAs), multiple CRLs exist and the peer's certificate will indicate which CRL applies and should be downloaded by your router.
If your router does not have the applicable CRL and is unable to obtain one, your router will reject the peer's certificate---unless you include the crl optional command in your configuration. If you use the crl optional command, your router will still try to obtain a CRL, but if it cannot obtain a CRL it can accept the peer's certificate anyway.
When your router receives additional certificates from peers, your router will continue to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a peer's certificate outright.
Examples
The following example declares a CA and permits your router to accept certificates when CRLs are not obtainable. This example also specifies a nonstandard retry period and retry count.
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 20 enrollment retry-count 100 crl optional
Related Commands
Declares the CA your router should use.
Command
Description
Syntax Description
name Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the CA's self-signed certificate which contains the CA's public key. Because the CA signs its own certificate, you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then RA signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.
Examples
In the following example, the router requests the CA's certificate. The CA sends its certificate and the router prompts the administrator to verify the CA's certificate by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
myrouter# crypto ca authenticate myca Certificate has the following attributes: Fingerprint: 0123 4567 89AB CDEF 0123 Do you accept this certificate? [yes/no] y myrouter#
Related Commands
Declares the CA your router should use. Displays information about your certificate, the certificate of the CA, and any RA certificates.
Command
Description
Syntax Description
name Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Defaults
No default behavior or values..
Command Modes
Global configuration.
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Examples
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
myrouter(config-cert-chain)# exit
myrouter(config)#
Related Commands
Adds certificates manually.
Command
Description
To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query command in global configuration mode. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default).
crypto ca certificate querySyntax Description
This command has no arguments or keywords.
Defaults
Certificates and CRLs are stored locally in the router's NVRAM.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
Normally, certain certificates and Certificate Revocation Lists (CRLs) are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory.
Examples
The following example prevents certificates and CRLs from being stored locally on the router; instead, they are retrieved from the CA when needed.
crypto ca certificate query
Syntax Description
name Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
.
Defaults
Normally, the router requests a new CRL only after the existing one expires.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
Use this command only if your CA does not support a Registration Authority (RA).
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Examples
The following example immediately downloads the latest CRL to your router:
crypto ca crl request
Syntax Description
name Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of your router's RSA key pairs; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is not saved in the router configuration.
 |
Note If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command. |
Responding to Prompts
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
|
Note This password is not stored anywhere, so you need to remember this password. |
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
myrouter(config)# crypto ca enroll myca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: <mypassword> Re-enter password: <mypassword> % The subject name in the certificate will be: myrouter.example.com % Include the router serial number in the subject name? [yes/no]: yes % The serial number in the certificate will be: 03433678 % Include an IP address in the subject name [yes/no]? yes Interface: ethernet0/0 Request certificate from CA [yes/no]? yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. myrouter(config)#
Some time later, the router receives the certificate from the CA and displays the following confirmation message:
myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210 %CRYPTO-6-CERTRET: Certificate received from Certificate Authority myrouter(config)#
If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority
The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Related Commands
Displays information about your certificate, the certificate of the CA, and any RA certificates.
Command
Description
To declare the CA your router should use, use the crypto ca identity command in global configuration mode. Use the no form of this command to delete all identity information and certificates associated with the CA.
crypto ca identity name
Syntax Description
name Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.
Defaults
Your router does not know about any CA until you declare one with this command.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
Use this command to declare a CA. Performing this command puts you into the ca-identity configuration mode, where you can specify characteristics for the CA with the following commands:
Examples
The following example declares a CA and identifies characteristics of the CA. In this example, the name "myca" is created for the CA, which is located at http://ca_server.
The CA does not use an RA or LDAP, and the CA's scripts are stored in the default location. This is the minimum possible configuration required to declare a CA.
crypto ca identity myca enrollment url http://ca_server
The following example declares a CA when the CA uses an RA. The CA's scripts are stored in the default location, and the CA uses the certificate enrollment protocol (CEP) instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA.
crypto ca identity myca_with_ra enrollment url http://ca_server enrollment mode ra query url ldap://serverx
The following example declares a CA that uses an RA and a nonstandard cgi-bin script location. This example also specifies a nonstandard retry period and retry count, and permits the router to accept certificates when CRLs are not obtainable.
crypto ca identity myca_with_ra enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe enrollment mode ra query url ldap://serverx enrollment retry-period 20 enrollment retry-count 100 crl optional
In the previous example, if the router does not receive a certificate back from the CA within 20 minutes of sending a certificate request, the router will resend the certificate request. The router will keep sending a certificate request every 20 minutes until a certificate is received or until 100 requests have been sent.
If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the nonstandard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.
Related Commands
Changes the URL of the CA. Turns on RA mode. Specifies LDAP protocol support. Specifies the wait period between certificate request retries. Specifies how many times a router will resend a certificate request. Allows other peer certificates to still be accepted by your router even if the appropriate CRL is not accessible to your router.
Command
Description
To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys]
Syntax Description
usage-keys (Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.
Defaults
RSA key pairs do not exist. If the usage-keys keyword is not used, general-purpose keys will be generated.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs---one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
|
Note Before issuing this command, make sure your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name. |
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually-exclusive styles of RSA key pairs: special usage keys and general purpose keys. When you generate RSA key pairs, you will be prompted to select whether to generate special usage keys or general purpose keys.
Special Usage Keys
A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA encrypted nonces. (However, you could specify more than one IKE policy, and have RSA signatures specified in one policy and RSA encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special usage keys. With special usage keys, each key is not unnecessarily exposed. (Without special usage keys, one key is used for both purposes, increasing that key's exposure.)
General Purpose Keys
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate (see Table 24 for sample times) and takes longer to use. Below 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)
| Modulus Length | ||||
|---|---|---|---|---|
| Router | 360 bits | 512 bits | 1024 bits | 2048 bits |
Cisco 2500 | 11 seconds | 20 seconds | 4 minutes, 38 seconds | longer than 1 hour |
Cisco 4700 | less than 1 second | 1 second | 4 seconds | 50 seconds |
Examples
The following example generates special usage RSA keys.
crypto key generate rsa usage-keys The name for the keys will be: myrouter.example.com Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return> Generating RSA keys.... [OK]. Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return> Generating RSA keys.... [OK].
The following example generates general purpose RSA keys. (Note, you cannot generate both special usage and general purpose keys; you can only generate one or the other.)
myrouter(config)# crypto key generate rsa The name for the keys will be: myrouter.example.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return> Generating RSA keys.... [OK]. myrouter(config)#
Related Commands
show crypto key mypubkey rsa Displays the RSA public key(s) of your router.
Command
Description
Syntax Description
There are no arguments or keywords for this command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command deletes all RSA keys that were previously generated by your router. If you issue this command, you must also perform two additional tasks:
|
Note This command cannot be undone (after you save your configuration), and after RSA keys have been deleted you cannot use certificates or the CA or participate in certificate exchanges with other IPSec peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again. |
This command is not saved to the configuration.
Examples
The following example deletes the general purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration.
crypto key zeroize rsa crypto ca certificate chain no certificate
Related Commands
Enters the certificate chain configuration mode. Adds certificates manually.
Command
Description
Syntax Description
This command has no arguments or keywords.
Defaults
RA mode is turned off.
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command is required if your CA system provides a Registration Authority (RA). This command provides compatibility with RA systems.
Examples
The following example shows the minimum configuration required to declare a CA when the CA provides an RA:
crypto ca identity myca enrollment url http://ca_server enrollment mode ra query url ldap://serverx
Related Commands
Declares the CA your router should use.
Command
Description
Syntax Description
number Specify how many times the router will resend a certificate request when the router does not receive a certificate from the CA from the previous request. Specify from 1 to 100 retries.
Defaults
The router will send the CA another certificate request until a valid certificate is received (no limit to the number of retries).
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (the retry count) is exceeded. By default, the router will keep sending requests forever, but you can change this to a finite number with this command.
A retry count of 0 indicates that there is no limit to the number of times the router should resend the certificate request. By default, the retry count is 0.
Examples
The following example declares a CA, changes the retry period to 10 minutes, and changes the retry count to 60 retries. The router will resend the certificate request every 10 minutes until the router receives the certificate or until approximately 10 hours pass since the original request was sent, whichever occurs first. (10 minutes x 60 tries = 600 minutes = 10 hours.)
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 10 enrollment retry-count 60
Related Commands
Declares the CA your router should use. Specifies the wait period between certificate request retries.
Command
Description
Syntax Description
minutes Specify the number of minutes the router waits before resending a certificate request to the CA, when the router does not receive a certificate from the CA by the previous request. Specify from 1 to 60 minutes. By default, the router retries every 1 minute.
Defaults
The router will send the CA another certificate request every 1 minute until a valid certificate is received.
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. (By default, the router will keep sending requests forever, but you can change this to a finite number of permitted retries with the enrollment retry count command.)
Use the enrollment retry-period command to change the retry period from the default of 1 minute between retries.
Examples
The following example declares a CA and changes the retry period to 5 minutes:
crypto ca identity myca enrollment url http://ca_server enrollment retry-period 5
Related Commands
Declares the CA your router should use. Specifies how many times a router will resend a certificate request.
Command
Description
Syntax Description
url Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server. This URL must be in the form of http://CA_name where CA_name is the CA's host DNS name or IP address. If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the non-standard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.
Defaults
Your router does not know the CA URL until you specify it with this command.
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
Use this command to specify the CA's URL. This command is required when you declare a CA with the crypto ca identity command.
The URL must include the CA script location if the CA scripts are not loaded into the default cgi-script location. The CA administrator should be able to tell you where the CA scripts are located.
To change a CA's URL, repeat the enrollment url command to overwrite the older URL.
Examples
The following example shows the absolute minimum configuration required to declare a CA:
crypto ca identity myca enrollment url http://ca_server
Related Commands
Declares the CA your router should use.
Command
Description
To specify LDAP protocol support, use the query url command in ca-identity configuration mode. Use the no form of this command to remove the query URL from the configuration and specify the default query protocol, certificate enrollment protocol (CEP).
query url url
Syntax Description
url Specify the URL of the LDAP server; for example, ldap://another_server. This URL must be in the form of ldap://server_name where server_name is the host DNS name or IP address of the LDAP server.
Defaults
The router uses CEP.
Command Modes
Ca-identity configuration
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command is required if the CA supports a Registration Authority (RA) and the LDAP protocol; LDAP is a query protocol used when the router retrieves certificates and CRLs. The CA administrator should be able to tell you whether the CA supports LDAP or CEP; if the CA supports the LDAP protocol, the CA administrator can tell you the LDAP location where certificates and CRLs should be retrieved.
To change the query URL, repeat the query url command to overwrite the older URL.
This command is only valid if you also use the enrollment mode ra command.
Examples
The following example shows the configuration required to declare a CA when the CA supports LDAP:
crypto ca identity myca enrollment url http://ca_server enrollment mode ra query url ldap://bobs_server
Related Commands
Declares the CA your router should use.
Command
Description
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
11.3 T This command was introduced.
Release
Modification
Usage Guidelines
This command shows information about the following certificates:
Examples
The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto ca authenticate command:
CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set
The CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair.
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Serial Number: 04806682
Status: Pending
Key Usage: General Purpose
Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto ca certificates command, and shows two router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Key Usage: Signature
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Key Usage: Encryption
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command.
CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set RA Signature Certificate Status: Available Certificate Serial Number: 34BCF8A0 Key Usage: Signature RA KeyEncipher Certificate Status: Available Certificate Serial Number: 34BCF89F Key Usage: Encryption
Related Commands
Obtains the certificate(s) of your router from the CA. Authenticates the CA (by obtaining the certificate of the CA).
Command
Description
Posted: Tue Apr 4 17:44:13 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.