Configure a Trustpoint CA
About this task
Use this procedure to configure the certificate authority and perform related actions. You can configure only one CA in a device at a time.
Procedure
Examples
Configure the trustpoint CA and enroll the device certificate:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#certificate ca ej common-name subca5 key-name rsa_2048
Switch:1(config)#certificate ca ej action enroll
Switch:1(config)#CP1 [07/21/16 12:22:11.992:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
CP1 [07/21/16 12:22:12.284:CEST] 0x003a8639 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : ej
CP1 [07/21/16 12:22:12.504:CEST] 0x003a8615 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
CP1 [07/21/16 12:22:12.508:CEST] 0x003a8611 00000000 GlobalRouter DIGITALCERT INFO Enroll Certificate Successful!
CP1 [07/21/16 12:22:12.509:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
Configure an encrypted fingerprint to validate the certificate:
Switch:1(config)#certificate ca ej sha256-fingerprint EEA68F35CC6195CBB038073F520AA385A5A78F42
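The fingerprint is what lets the device reject a substituted CA certificate when it retrieves the CA certificate during caauth, so the expected value should be derived from a copy of the CA certificate obtained out of band. The following added Python example (not part of the switch documentation) computes the SHA-256 fingerprint of a PEM certificate in the 64-character form that the sha256-fingerprint parameter expects and checks a configured value against it; the certificate bytes embedded in it are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Matches the first PEM certificate block; DOTALL so the body may span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding as 64 upper-case hex characters."""
    return hashlib.sha256(der).hexdigest().upper()

def normalize_fingerprint(value: str) -> str:
    """Accept OpenSSL-style 'AB:CD:..' or bare hex; return the 64-char form.

    Anything that is not exactly 32 bytes of hex is rejected, mirroring the
    WORD<64-64> constraint of the sha256-fingerprint parameter.
    """
    hexstr = value.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexstr):
        raise ValueError("expected 64 hex characters (a SHA-256 fingerprint)")
    return hexstr

def fingerprint_matches(pem: str, expected: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals `expected`."""
    actual = sha256_fingerprint(pem_to_der(pem))
    # Constant-time comparison, so the check does not leak how many bytes agree.
    return hmac.compare_digest(actual, normalize_fingerprint(expected))

# Constructed stand-in: a PEM wrapper around placeholder bytes, not a real
# X.509 certificate. Substitute the CA certificate exported by the CA here.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed stand-in DER bytes for subca5").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print(f"certificate ca ej sha256-fingerprint {fp}")
```

The printed line is the command to enter on the switch; compare the same fingerprint against what the device reports for the CA certificate before trusting it.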
Variable Definitions
The following table defines parameters for the certificate ca command.
| Variable | Value |
|---|---|
| action caauth | Authenticates the trustpoint CA by retrieving the certificate of the CA and storing it locally. |
| action enroll [validity-days <7–1185>] | Generates a certificate signing request to obtain an identity certificate from the configured trustpoint CA, retrieves the digital certificate, and stores it locally, associated with the trustpoint CA. validity-days specifies the number of days for which the certificate remains valid. The default value is 365 days. |
| action get-crl | Retrieves the Certificate Revocation List from the CDP and stores it in a file. |
| action install | Installs the subject certificate obtained from the given trustpoint CA. |
| action noop | Specifies that no operation is performed after the trustpoint is configured. |
| action remove | Releases the locally stored certificate associated with the trustpoint CA after revocation. |
| action renew [challenge-password WORD<0-128>] | Specifies the challenge password. The CA provides this password offline during end-entity registration. |
| action renew [validity-days <7–1185>] | Generates a certificate renewal request for the given trustpoint CA, retrieves the digital certificate, and stores it locally, replacing the old certificate with the new one. validity-days specifies the number of days for which the certificate remains valid. The default value is 365 days. |
| ca WORD<1–45> | Specifies the name of the certificate authority. The name is alphanumeric and case-sensitive, with a maximum length of 45 characters. |
| ca-url WORD<0–1000> | Specifies the URL of the trusted CA. |
| common-name WORD<0–64> | Specifies the name of the owner of the device or user. |
| key-name WORD<0–45> | Specifies the name of the previously generated key pair that is associated with the CA trustpoint. |
| install-file root-ca-filename WORD<1–80> | Installs the Root CA file obtained offline from the CA. |
| sha256-fingerprint WORD<64-64> | Specifies the encrypted fingerprint of the expected certificate to match. |
| use-post <false \| true> | Specifies the HTTP request style. The default value is True. For example, use True for EJBCA and False for Win2012 CA. |