Crypto ca trustpoint

Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

crypto ca authenticate through crypto ca trustpoint

crypto ca authenticate

This command was replaced by the crypto pki authenticate command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.

To authenticate the certification authority (by obtaining the certificate of the CA), use the crypto ca authenticate command in global configuration mode.

crypto ca authenticate name

Syntax Description

name

Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

This command was introduced.

Usage Guidelines

This command is required when you initially configure CA support on your router.

This command authenticates the CA to your router by obtaining the self-signed certificate of the CA, which contains the public key of the CA. Because the CA signs its own certificate, you must manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.

If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA in addition to the CA certificate.

This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (referred to as the "RSA public key chain").

If the CA does not respond within a timeout period after this command is issued, terminal control is returned so that the terminal is not tied up. If this happens, you must re-enter the command. Cisco IOS software will not recognize CA certificate expiration dates set beyond the year 2049. If the validity period of the CA certificate is set to expire after the year 2049, the following error message is displayed when authentication with the CA server is attempted:

error retrieving certificate :incomplete chain

If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.

Examples

In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.

Related Commands

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.

show crypto pki certificates

Displays information about your certificate, the certificate of the CA, and any RA certificates.

crypto ca enroll

This command was replaced by the crypto pki enroll command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.

To obtain the certificate(s) of your router from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

crypto ca enroll name

no crypto ca enroll name

Syntax Description

name

Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

This command was introduced.

Usage Guidelines

This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are separate events, but they both occur when this command is issued.)

Your router needs a signed certificate from the CA for each RSA key pair of your router; if you previously generated general-purpose keys, this command obtains the one certificate corresponding to the one general-purpose RSA key pair. If you previously generated special-usage keys, this command obtains certificates corresponding to each of the special-usage RSA key pairs.

If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)

The crypto ca enroll command is not saved in the router configuration.

If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command.

When you issue the crypto ca enroll command, you are prompted a number of times.

First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

This password is not stored anywhere, so you need to remember this password.

If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.

You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA either to authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator whether serial numbers should be included. If you are in doubt, include the serial number.

You are also prompted to indicate whether or not your router's IP address should be included in the obtained certificate. Normally, you would not include the IP address, because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.

If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface to which you apply your crypto map set. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.

Examples

In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.

There might be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.

Some time later, the router receives the certificate from the CA and displays the following confirmation message:

If necessary, the router administrator can verify the displayed fingerprint with the CA administrator.

If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:

The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)

Requesting certificates for a router with special-usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:

Related Commands

debug crypto pki messages

Displays debug messages for the details of the interaction (message dump) between the CA and the router.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.

show crypto pki certificates

Displays information about your certificates, the certificate of the CA, and any RA certificates.

crypto ca trustpoint

Effective with Cisco IOS Release 12.3(8)T, 12.2(18)SXD, and 12.2(18)SXE, the crypto ca trustpoint command is replaced with the crypto pki trustpoint command. See the crypto pki trustpoint command for more information.

To declare the certification authority (CA) that your router should use, use the crypto ca trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.

crypto ca trustpoint name

no crypto ca trustpoint name

Syntax Description

name

Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)

Command Default

Your router does not recognize any CAs until you declare a CA using this command.

Command Modes

Global configuration

Command History

This command was introduced.

The match certificate subcommand was introduced.

This command was replaced by the crypto pki trustpoint command. You can still enter the crypto ca trusted-root or crypto ca trustpoint command, but the command will be written in the configuration as "crypto pki trustpoint."

Usage Guidelines

Use the crypto ca trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto ca trustpoint command puts you in ca-trustpoint configuration mode.

You can specify characteristics for the trustpoint CA using the following subcommands:

Beginning with Cisco IOS Release 12.2(8)T, the crypto ca trustpoint command unified the functionality of the crypto ca identity and crypto ca trusted-root commands, thereby replacing these commands. Although you can still enter the crypto ca identity and crypto ca trusted-root commands, the configuration mode and command will be written in the configuration as "crypto ca trustpoint."

Examples

The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:

The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto ca trustpoint command; the trustpoint also queries the CRL to make sure that the certificate of the peer has not been revoked.
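The declaration of the CA named "ka", the certificate-based ACL labelled "Group", and the authenticate and enroll steps described in the earlier sections, written out as an added example; this is not the Cisco reference's own listing. The trustpoint names ka and Access and the label Group are taken from the text; the hostnames and URLs are placeholders.

```cisco
! Added example (not the Cisco reference's own listing). Hostnames and URLs
! are placeholders; ka, Access and Group are the names used in the text.
!
! 1. Declare the CA. Enrollment goes through an RA, so "crypto ca
!    authenticate" also returns the RA signing and encryption certificates.
!    CRLs are fetched over LDAP so that revoked peer certificates are rejected.
crypto ca trustpoint ka
 enrollment url http://ca.example.com
 enrollment mode ra
 crl query ldap://ldap.example.com
!
! 2. Certificate-based ACL: every line of map entry 10 must match, so a
!    peer certificate is accepted only if its subject name contains both
!    ou=WAN and o=Cisco ("co" means "contains").
crypto ca certificate map Group 10
 subject-name co ou=WAN
 subject-name co o=Cisco
!
! 3. Attach the map to the trustpoint used to validate peer certificates.
crypto ca trustpoint Access
 match certificate Group
!
! 4. Fetch the CA certificate. The command is interactive and is not written
!    to the configuration: compare the fingerprint the router prints with the
!    value the CA administrator reads out over a separate channel before
!    answering yes. Only the CA public key is kept, in the RSA public key chain.
crypto ca authenticate ka
!
! 5. Request certificates for the router's RSA key pair(s). The challenge
!    password typed here is stored nowhere on the router; record it out of
!    band, because it is required to revoke the certificate later.
crypto ca enroll ka
!
! 6. Verify what was received (router, CA and any RA certificates).
show crypto pki certificates
```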

Related Commands

Resets the value of a ca-trustpoint configuration subcommand to its default.

Specifies the enrollment parameters of your CA.

Accesses the CA by HTTP through the proxy server.

Assigns a specified trustpoint as the primary trustpoint of the router.

Obtains the CA certificate via TFTP.