Configure a Trustpoint CA

About this task

Use this procedure to configure the certificate authority and perform related actions. You can configure up to eight CA trustpoints.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the trustpoint and associate it with the generated key pair:

    certificate ca WORD<1-45> {[subject-name WORD<1-45>] [common-name WORD<0-64>] [key-name WORD<0-45>] [ca-url WORD<0-1000>] [use-post <true|false>]}

  3. Configure an SHA-256 fingerprint to authenticate the received CA certificate:

    certificate ca WORD<1-45> sha256-fingerprint WORD<64-64>

  4. Configure the appropriate action:
    • Configure the trustpoint, authenticate the trustpoint CA by getting the certificate of the CA, and store the CA certificate locally:

      certificate ca WORD<1-45> action caauth

    • Generate a certificate signing request to obtain an identity certificate from the configured trustpoint CA, get the digital certificate, and store it locally, associated with the trustpoint CA:

      certificate ca WORD<1-45> action enroll [validity-days <7-1185>]

    • Get the Certificate Revocation List from the CDP and store it in a file:

      certificate ca WORD<1-45> action get-crl

    • Install the subject certificate obtained from the given trustpoint CA:

      certificate ca WORD<1-45> action install

    • Configure the trustpoint and perform no other operation:

      certificate ca WORD<1-45> action noop

    • Release the locally stored certificate associated with the trustpoint CA after revocation:

      certificate ca WORD<1-45> action remove

    • Generate a certificate renewal request for the given trustpoint CA, get the new digital certificate, and store it locally, replacing the old certificate with the new one:

      certificate ca WORD<1-45> action renew [validity-days <7-1185>]

  5. Install the Root Certificate Authority certificate obtained offline:

    certificate ca WORD<1-45> install-file {root-ca-filename WORD<1-80>}

  6. Set the HTTP request type to match the type of CA:

    certificate ca WORD<1-45> use-post <false | true>

Example

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#certificate ca ej common-name CaA2 key-name pki_key subject-name 822
Switch:1(config)#certificate ca ej action enroll
Switch:1(config)#CP1  [07/21/16 12:22:11.992:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
CP1  [07/21/16 12:22:12.284:CEST] 0x003a8639 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : ej
CP1  [07/21/16 12:22:12.504:CEST] 0x003a8615 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
CP1  [07/21/16 12:22:12.508:CEST] 0x003a8611 00000000 GlobalRouter DIGITALCERT INFO Enroll Certificate Successful!
CP1  [07/21/16 12:22:12.509:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved

Display configured online CA trustpoints:

Switch:1(config)#show certificate ca

CA table entry
Name                      :   a1
CommonName                :   CaA1
KeyName                   :   rsa_2048
SubjectName               :   
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c
UsedFor                   :   

CA table entry
Name                      :   a2
CommonName                :   CaA2
KeyName                   :   pki_key
SubjectName               :   822
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b
UsedFor                   :   Default
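The following Python script is added here as an illustration and is not part of this documentation or the switch software. It shows what the step 3 fingerprint check amounts to on the receiving side, and audits "show certificate ca" output for trustpoints that have no fingerprint pinned (so caauth would accept whatever certificate the SCEP URL returns). It assumes the pin is SHA-256 over the DER-encoded CA certificate; the sample output is constructed from the example above, with a2's fingerprint deliberately left blank.

```python
import hashlib
import hmac
import re

# Constructed sample in the format of the switch's "show certificate ca" output
# (values taken from the example above; a2's fingerprint deliberately left blank).
SHOW_CERTIFICATE_CA = """\
CA table entry
Name                      :   a1
CommonName                :   CaA1
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
CA-Auth Sha256Fingerprint :   bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c
UsedFor                   :

CA table entry
Name                      :   a2
CommonName                :   CaA2
CA-Auth Sha256Fingerprint :
UsedFor                   :   Default
"""

HEX64 = re.compile(r"[0-9a-f]{64}")


def parse_show_certificate_ca(text):
    """Return one {field: value} dict per 'CA table entry' block.
    Lines are split on the first colon only, so the http:// in CaUrl stays intact."""
    entries = []
    for block in re.split(r"^CA table entry\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Name"):
            entries.append(fields)
    return entries


def trustpoints_without_pin(entries):
    """Names of trustpoints whose CA-Auth fingerprint is not a full 64-hex-digit value."""
    return [e["Name"] for e in entries
            if not HEX64.fullmatch(e.get("CA-Auth Sha256Fingerprint", "").lower())]


def fingerprint_matches(received_ca_der, configured_fingerprint):
    """Assumption: the pin is SHA-256 over the DER-encoded CA certificate.
    Returns False when nothing valid is pinned, so an unpinned trustpoint never
    passes by accident; the comparison itself is constant-time."""
    expected = configured_fingerprint.replace(":", "").strip().lower()
    if not HEX64.fullmatch(expected):
        return False
    return hmac.compare_digest(hashlib.sha256(received_ca_der).hexdigest(), expected)
```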

Variable Definitions

The following table defines parameters for the certificate ca command.

action caauth
    Authenticates the trustpoint CA by getting the certificate of the CA and stores the CA certificate locally.

action enroll [validity-days <7-1185>]
    Generates a certificate signing request to obtain an identity certificate from the configured trustpoint CA, gets the digital certificate, and stores it locally, associated with the trustpoint CA.
    The validity-days parameter specifies the number of days for which the certificate remains valid. The default value is 365 days.

action get-crl
    Gets the Certificate Revocation List from the CDP and stores it in a file.

action install
    Installs the subject certificate obtained from the given trustpoint CA.

action noop
    Specifies that no operation is performed after configuring the trustpoint.

action remove
    Releases the locally stored certificate associated with the trustpoint CA after revocation.

action renew [challenge-password WORD<0-128>]
    Specifies the challenge password. This password is provided offline by the CA during end-entity registration.

action renew [validity-days <7-1185>]
    Generates a certificate renewal request for the given trustpoint CA, gets the digital certificate, and stores it locally, replacing the old certificate with the new one.
    The validity-days parameter specifies the number of days for which the certificate remains valid. The default value is 365 days.

ca WORD<1-45>
    Specifies the name of the CA. You can configure up to 8 CA trustpoints by specifying the CA name. The name is alphanumeric and case-sensitive, with a maximum length of 45 characters.

ca-url WORD<0-1000>
    Specifies the trusted CA URL.

common-name WORD<0-64>
    Specifies the name of the owner of the device or user.

key-name WORD<0-45>
    Specifies the previously generated key pair that is associated with the CA trustpoint.

install-file root-ca-filename WORD<1-80>
    Installs the Root CA file obtained offline from the CA.

sha256-fingerprint WORD<64-64>
    Specifies the SHA-256 fingerprint that the received CA certificate must match.

subject-name WORD<1-45>
    Specifies the configured Subject Identity label. The default is Global.
    Note: Not supported on VSP 8600 Series.

use-post <false | true>
    Specifies the HTTP request style. The default value is True. For example, True for EJBCA and False for Win2012 CA.