Configure a Trustpoint CA on Fabric IPsec Gateway VM

About this task

Use this procedure to configure a certificate authority (CA) trustpoint that uses the Simple Certificate Enrollment Protocol (SCEP) to obtain certificates online from a CA server.

Procedure

  1. Enter Fabric IPsec Gateway Configuration mode:

    enable

    virtual-service WORD<1-128> console

    Note

    Type CTRL+Y to exit the console.

  2. Configure the trusted CA URL:

    set certificate ca-trustpoint <ca-label> ca-url <ca-url>

  3. Configure the common name of the CA:

    set certificate ca-trustpoint <ca-label> caname <caname>

  4. Configure the HTTP request type to support the type of CA:

    set certificate ca-trustpoint <ca-label> get-method <post | get>

  5. Configure the appropriate action:
    • Configure the trustpoint, authenticate the trustpoint CA by getting the certificate of the CA, and store the CA certificate locally:

      certificate ca <ca-trustpoint> caAuth

    • Generate the certificate enrollment request, get the digital certificate, and store it locally, associating with the trustpoint CA:

      certificate ca <ca-trustpoint> enroll <subject-label>

    • Get the Certificate Revocation List (CRL) from the CRL distribution point (CDP) and store it in a file:

      certificate get crl-from <A.B.C.D> <user> <file-path> <cacert-filename>

    • Get the CA certificate obtained from the trustpoint CA:

      certificate get cacert-from <A.B.C.D> <user> <file-path>

    • Get the subject certificate obtained from the trustpoint CA:

      certificate get signedcert-from <A.B.C.D> <user> <file-path> <subject-label>

    • Release the locally stored certificate associated with the trustpoint CA after revocation:

      certificate ca <ca-trustpoint> remove <subject-label>

    • Remove all certificates from the CA trustpoint:

      Note

      You can clean the CA trustpoint only if the subject-label is not configured on an IPsec tunnel.

      certificate ca <ca-trustpoint> clean

Example

Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>set certificate ca-trustpoint caExtremeEJBCA ca-url http://192.0.2.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
FIGW>set certificate ca-trustpoint caExtremeEJBCA caname subca5
FIGW>set certificate ca-trustpoint caExtremeEJBCA get-method post

Variable Definitions

The following table defines parameters for the set certificate ca-trustpoint command.

<ca-label>
    Specifies the name of the certificate authority (CA). The name can use alphanumeric characters and is case-sensitive. The maximum length is 45 characters.

ca-url <ca-url>
    Specifies the trusted CA URL.

caname <caname>
    Specifies the name of the owner of the device or user.

get-method <post | get>
    Specifies the HTTP request style. You can use post for EJBCA or get for Win2012 CA. The default value is post.
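The ca-url, caname and get-method settings above map directly onto the SCEP messages the gateway sends: caname is the CA identifier carried in the SCEP message parameter, and get-method decides whether the enrollment (PKIOperation) request is POSTed or sent as a GET. The following added example, which is not part of the Fabric IPsec Gateway product or this page's original content, builds those SCEP request URLs from the values in the Example section and checks a GetCACaps reply for the capabilities a post setting depends on; the GetCACaps reply body is a constructed sample.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample GetCACaps reply (text/plain, one capability keyword per
# line), modelled on what an EJBCA-style SCEP server advertises for a CA.
SAMPLE_CACAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSCEPStandard\n"

# Values taken from the page's example configuration.
CA_URL = "http://192.0.2.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe"
CA_NAME = "subca5"


def scep_request_url(ca_url: str, operation: str, message: str = "") -> str:
    """Build the query URL for a SCEP operation (RFC 8894 section 4.1).

    GetCACert and GetCACaps are always sent with HTTP GET; 'message' carries
    the CA identifier, which is what the caname setting configures.
    """
    parts = urlsplit(ca_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"ca-url is not an absolute HTTP(S) URL: {ca_url!r}")
    query = {"operation": operation}
    if message:
        query["message"] = message
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_cacaps(body: str) -> set:
    """Turn a GetCACaps response body into the set of advertised capabilities."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def plan_pkioperation(get_method: str, caps: set) -> tuple:
    """Choose the HTTP method for PKIOperation (the enroll step) and flag
    mismatches between the configured get-method and the CA's capabilities.
    Returns (method, warnings)."""
    if get_method not in ("post", "get"):
        raise ValueError("get-method must be 'post' or 'get'")
    warnings = []
    method = "POST" if get_method == "post" else "GET"
    if method == "POST" and "POSTPKIOperation" not in caps:
        # A CA that does not advertise POSTPKIOperation may reject POSTed
        # PKCS#7 requests, so fall back to GET and tell the operator.
        warnings.append("CA did not advertise POSTPKIOperation; use get-method get")
        method = "GET"
    if not caps & {"SHA-256", "SHA-512"}:
        # Without a SHA-2 capability, SCEP clients fall back to SHA-1 or MD5.
        warnings.append("CA advertises no SHA-2 digest; enrollment would use a weak hash")
    return method, warnings
```

Fetching the GetCACaps URL for the configured caname before running caAuth and enroll shows whether get-method post is actually supported by that CA, rather than discovering it from a failed enrollment.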

The following table defines parameters for the certificate ca command.

<ca-trustpoint>
    Specifies the name of the certificate authority. The name can be alphanumeric and is case-sensitive. The maximum length is 45 characters.

<subject-label>
    Specifies the subject identity.

The following table defines parameters for the certificate get command.

cacert-from <A.B.C.D> <user> <file-path>
    Specifies where to obtain the CA certificate. Specify the IP address, username, and remote file path.

crl-from <A.B.C.D> <user> <file-path> <cacert-filename>
    Specifies where to obtain the Certificate Revocation List. Specify the IP address, username, remote file path, and the CA certificate file to verify the CRL.

signedcert-from <A.B.C.D> <user> <file-path> <subject-label>
    Specifies where to obtain the subject certificate. Specify the IP address, username, remote file path, and subject label.