
Certification Authority Interoperability Commands

This chapter explains the function and syntax of the certification authority interoperability commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

certificate

To manually add certificates, use the certificate command in certificate chain configuration mode. Use the no form of this command to delete your router's certificate or any RA certificates stored on your router. In practice the no form is the one you type by hand: IOS writes the certificate entries into the chain itself during enrollment, and you remove one by giving the serial number that show crypto ca certificates reports for it.

certificate certificate-serial-number

no certificate certificate-serial-number

Syntax Description

certificate-serial-number

Specify the serial number of the certificate to add or delete. Take the value from the Certificate Serial Number field in the output of show crypto ca certificates.

crl optional

To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional command in ca-identity configuration mode. Use the no form of the command to return to the default behavior in which CRL checking is mandatory before your router can accept a certificate. Be aware of what the relaxed setting buys: while the CRL is unreachable, a certificate that the CA has already revoked is accepted like any other, so leave CRL checking mandatory unless loss of CRL access is a risk you have decided to carry.

crl optional

no crl optional

Syntax Description

This command has no arguments or keywords.

crypto ca authenticate

To authenticate the CA (by obtaining the CA's certificate), use the crypto ca authenticate command in global configuration mode. The router displays the fingerprint of the certificate it received and asks whether to accept it. Confirm that fingerprint with the CA administrator over an out-of-band channel before answering yes: every later step (enrollment, CRL checking, validation of peer certificates) trusts this one certificate.

crypto ca authenticate name

Syntax Description

name

Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

crypto ca certificate chain

To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)

crypto ca certificate chain name

Syntax Description

name

Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
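The following session, added here as an example and not taken from the original page, shows the certificate and crypto ca certificate chain commands above used together to remove one certificate from the chain. The router name myrouter, the CA name myca and the serial number are placeholders.

```cisco
! Step 1: find the serial number of the certificate to remove.
myrouter# show crypto ca certificates
!   ... Certificate Serial Number: 0123456789ABCDEF ...   (placeholder value)
! Step 2: enter certificate chain configuration mode for that CA
!         and delete the certificate by serial number.
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF
myrouter(config-cert-chain)# exit
myrouter(config)# exit
! Step 3: confirm the certificate is gone.
myrouter# show crypto ca certificates
```

This removes only the router's own certificate or an RA certificate. To discard the CA certificate together with everything else tied to that CA, use no crypto ca identity myca instead.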

crypto ca certificate query

To specify that certificates and Certificate Revocation Lists (CRLs) should not be stored locally but retrieved from the CA when needed, use the crypto ca certificate query command in global configuration mode. This command puts the router into query mode. Use the no form of this command to cause certificates and CRLs to be stored locally (the default). In query mode the router keeps nothing it can fall back on, so the CA (or the LDAP server named with query url) must be reachable every time a certificate or CRL is needed.

crypto ca certificate query

no crypto ca certificate query

Syntax Description

This command has no arguments or keywords.

crypto ca crl request

To request that a new Certificate Revocation List (CRL) be obtained immediately from the CA, use the crypto ca crl request command in global configuration mode. Use this command only when your CA does not support a Registration Authority (RA).

crypto ca crl request name

Syntax Description

name

Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

crypto ca enroll

To obtain your router's certificate(s) from the CA, use the crypto ca enroll command in global configuration mode. Use the no form of this command to delete a current enrollment request. During enrollment the router prompts for a challenge password; record it, because the CA administrator needs it if the certificate later has to be revoked.

crypto ca enroll name

no crypto ca enroll name

Syntax Description

name

Specify the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

crypto ca identity

To declare the CA your router should use, use the crypto ca identity command in global configuration mode. Use the no form of this command to delete all identity information and certificates associated with the CA.

crypto ca identity name

no crypto ca identity name

Syntax Description

name

Create a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

crypto key generate rsa (CA)

To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode. Generate the keys before declaring the CA and enrolling: the certificate request is built from them.

crypto key generate rsa [usage-keys]

Syntax Description

usage-keys

(Optional) Specifies that two special-usage key pairs should be generated (one for RSA signatures and one for RSA encryption) instead of one general-purpose key pair. With usage keys the router later enrolls for two certificates, one per key pair.

crypto key zeroize rsa

To delete all of your router's RSA keys, use the crypto key zeroize rsa command in global configuration mode. The certificates issued for those keys become useless once the keys are gone; delete them as well and re-enroll after generating new keys.

crypto key zeroize rsa

Syntax Description

This command has no arguments or keywords.

enrollment mode ra

To turn on RA mode, use the enrollment mode ra command in ca-identity configuration mode. Turn it on when the declared CA fronts enrollment with a Registration Authority (RA); the router then obtains the RA certificates along with the CA certificate. Use the no form of the command to turn off RA mode.

enrollment mode ra

no enrollment mode ra

Syntax Description

This command has no arguments or keywords.

enrollment retry count

To specify how many times a router will resend a certificate request, use the enrollment retry count command in ca-identity configuration mode. Use the no form of the command to reset the retry count to the default of 0, which indicates an infinite number of retries.

enrollment retry count number

no enrollment retry count

Syntax Description

number

Specify how many times the router will resend a certificate request when it does not receive a certificate from the CA in response to the previous request.

Specify from 1 to 100 retries.

enrollment retry period

To specify the wait period between certificate request retries, use the enrollment retry period command in ca-identity configuration mode. Use the no form of the command to reset the retry period to the default of 1 minute.

enrollment retry period minutes

no enrollment retry period

Syntax Description

minutes

Specify the number of minutes the router waits before resending a certificate request to the CA when it does not receive a certificate from the CA in response to the previous request.

Specify from 1 to 60 minutes. By default, the router retries every 1 minute.

enrollment url

To specify the CA location by naming the CA's URL, use the enrollment url command in ca-identity configuration mode. Use the no form of this command to remove the CA's URL from the configuration.

enrollment url url

no enrollment url url

Syntax Description

url

Specify the URL of the CA to which your router should send certificate requests, for example, http://ca_server.

This URL must be in the form http://CA_name, where CA_name is the CA's host DNS name or IP address.

If the CA's cgi-bin script location is not /cgi-bin/pkiclient.exe (the default CA cgi-bin script location), you must also include the non-standard script location in the URL, in the form http://CA_name/script_location, where script_location is the full path to the CA scripts.

query url

To specify that certificates and CRLs are retrieved from an LDAP server (LDAP protocol support), use the query url command in ca-identity configuration mode. Use the no form of this command to remove the query URL from the configuration and return to the default query protocol, the certificate enrollment protocol (CEP).

query url url

no query url url

Syntax Description

url

Specify the URL of the LDAP server; for example, ldap://another_server.

This URL must be in the form ldap://server_name, where server_name is the host DNS name or IP address of the LDAP server.
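The following configuration, added here as an example and not taken from the original page, ties the commands in this chapter together into one enrollment sequence: key generation, declaring the CA with crypto ca identity, enrollment url, the retry settings, the CRL and query settings, crypto ca authenticate, crypto ca enroll and the final show. The names myrouter, example.com, myca, ca.example.com and ldap.example.com are placeholders, and the hostname and ip domain-name lines are prerequisites for key generation that this chapter does not cover.

```cisco
! Prerequisites (not covered in this chapter): the router needs a hostname
! and domain name before RSA keys can be generated.
myrouter(config)# hostname myrouter
myrouter(config)# ip domain-name example.com
! 1. Generate the RSA key pair the certificate request is built from.
!    Add "usage-keys" to get separate signature and encryption pairs.
myrouter(config)# crypto key generate rsa
! 2. Declare the CA and describe how to reach it.
myrouter(config)# crypto ca identity myca
myrouter(ca-identity)# enrollment url http://ca.example.com
! If the CA's scripts are not at /cgi-bin/pkiclient.exe, give the full path:
!   enrollment url http://ca.example.com/path/to/scripts   (placeholder path)
! Only when the CA fronts enrollment with a Registration Authority:
myrouter(ca-identity)# enrollment mode ra
! Bound the retries instead of the default count of 0 (retry forever):
! 10 attempts, 2 minutes apart.
myrouter(ca-identity)# enrollment retry count 10
myrouter(ca-identity)# enrollment retry period 2
! Keep CRL checking mandatory (the default). "crl optional" would let a
! revoked peer certificate through whenever the CRL cannot be fetched.
myrouter(ca-identity)# no crl optional
! Optional: fetch certificates and CRLs from an LDAP server instead of CEP.
myrouter(ca-identity)# query url ldap://ldap.example.com
myrouter(ca-identity)# exit
! Optional: do not store certificates and CRLs locally (query mode). The
! CA or LDAP server must then be reachable whenever one is needed.
!   crypto ca certificate query
! 3. Fetch the CA certificate. IOS prints its fingerprint and asks for
!    confirmation; compare it with the value obtained from the CA
!    administrator out of band before answering yes.
myrouter(config)# crypto ca authenticate myca
! 4. Request the router's own certificate(s). Record the challenge
!    password you are prompted for; it is needed for revocation.
myrouter(config)# crypto ca enroll myca
myrouter(config)# exit
! 5. Verify that the CA, RA (if any) and router certificates are present.
myrouter# show crypto ca certificates
```

If the CA does not use an RA and you need a fresh CRL before the next automatic retrieval, crypto ca crl request myca fetches one immediately.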

show crypto ca certificates

To view information about your certificate, the CA's certificate, and any RA certificates, use the show crypto ca certificates command in EXEC mode. The output includes each certificate's serial number, which is the value the certificate command takes when you delete one.

show crypto ca certificates

Syntax Description

This command has no arguments or keywords.


Posted: Wed Jul 26 16:19:50 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.