Configure a Trustpoint CA
About this task
Use this procedure to configure the certificate authority and perform related actions. You can configure up to eight CA trustpoints.
Procedure
Example
Switch:1>enable Switch:1#configure terminal Switch:1(config)#certificate ca ej common-name CaA2 key-name pki_key subject-name 822 Switch:1(config)#certificate ca ej action enroll Switch:1(config)#CP1 [07/21/16 12:22:11.992:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved CP1 [07/21/16 12:22:12.284:CEST] 0x003a8639 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : ej CP1 [07/21/16 12:22:12.504:CEST] 0x003a8615 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status! CP1 [07/21/16 12:22:12.508:CEST] 0x003a8611 00000000 GlobalRouter DIGITALCERT INFO Enroll Certificate Successful! CP1 [07/21/16 12:22:12.509:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
Display configured online CA trustpoints:
Switch:1(config)#show certificate ca CA table entry Name : a1 CommonName : CaA1 KeyName : rsa_2048 SubjectName : CaUrl : http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe UsePost : 1 SubjectCertValidityDays : 365 Action : (null) LastActionStatus : (null) LastActionFailureReason : CA-Auth Sha256Fingerprint : bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c UsedFor : CA table entry Name : a2 CommonName : CaA2 KeyName : pki_key SubjectName : 822 CaUrl : http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe UsePost : 1 SubjectCertValidityDays : 365 Action : (null) LastActionStatus : (null) LastActionFailureReason : CA-Auth Sha256Fingerprint : 0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b UsedFor : Default
Variable Definitions
The following table defines parameters for the certificate ca command.
Variable |
Value |
---|---|
action caauth |
Authenticates the trustpoint CA by getting the certificate of the CA and stores the CA certificate locally. |
action enroll [validity-days <7–1185>] |
Generates certificate signing request to obtain identity certificate from configured trustpoint CA, gets the digital certificate, and stores it locally, associating with the trustpoint CA. The validity-days specifies the number of days for which the certificate will remain valid. The default value is 365 days. |
action get-crl |
Gets the Certificate Revocation List from the CDP and stores into a file. |
action install |
Installs the subject certificate obtained from the given trustpoint CA. |
action noop |
Specifies that no operation should be performed after configuring trustpoint. |
action remove |
Releases the locally stored certificate associated with the trustpoint CA post revocation. |
action renew [challenge-password WORD<0-128>] |
Specifies the password. This password is provided offline by the CA during the end entity registration. |
action renew [validity-days <7–1185>] |
Generates certificate renewal request for given trustpoint CA, gets the digital certificate, and stores it locally by replacing the old certificate with the new one. The validity-days specifies the number of days for which the certificate will remain valid. The default value is 365 days. |
ca WORD<1–45> |
Specifies the name of the CA. You can configure up to 8 CA trustpoints by specifying the CA name. It should be alphanumeric and case-sensitive. The maximum length should be 45 characters. |
ca-url WORD<0–1000> |
Specifies the trusted CA url. |
common-name WORD<0–64> |
Specifies the name of the owner of the device or user. |
key-name WORD<0–45> |
Specifies the key pair generated by the command that was first associated with the CA trustpoint. |
install-file root-ca-filename WORD<1–80> |
Installs the Root CA file obtained offline from the CA. |
sha256-fingerprint WORD<64-64> |
Specifies an encrypted fingerprint of the expected certificate to match. |
subject-name WORD<1-45> |
Specifies the configured Subject Identity label. The default is Global. |
use-post <false | true> |
Specify the HTTP request style. The default value is True. For example, True for EJBCA and False for Win2012 CA. |