Configure a Trustpoint CA

About this task

Use this procedure to configure the certificate authority and perform related actions. You can configure only one CA in a device at a time.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the trustpoint and associate it with the generated key pair:

    certificate ca WORD<1–45> {[common-name WORD<0–64>] [key-name WORD<0–45>] [ca-url WORD<0–1000>] [use-post <true|false>]}

  3. Configure an SHA-256 fingerprint to authenticate the received CA certificate:

    certificate ca WORD<1-45> sha256-fingerprint WORD<64-64>

  4. Configure the appropriate action:
    • Configure trustpoint, authenticate the trustpoint CA by getting the certificate of the CA, and store the CA certificate locally:

      certificate ca WORD<1–45> action caauth

    • Generate certificate signing request to obtain identity certificate from configured trustpoint CA, get the digital certificate, and store it locally, associating with the trustpoint CA:

      certificate ca WORD<1–45> action enroll [validity-days <7–1185>]

    • Get the Certificate Revocation List from the CDP and store into a file:

      certificate ca WORD<1–45> action get-crl

    • Install the subject certificate obtained from the given trustpoint CA:

      certificate ca WORD<1–45> action install

    • Configure trustpoint and perform no other operation:

      certificate ca WORD<1–45> action noop

    • Release the locally stored certificate associated with the trustpoint CA post revocation:

      certificate ca WORD<1–45> action remove

    • Generate certificate renew request for given trustpoint CA, get the new digital certificate, and store it locally by replacing the old certificate with the new one:

      certificate ca WORD<1–45> action renew [validity-days <7–1185>]

  5. Install the Root Certificate Authority's certificate obtained offline:

    certificate ca WORD<1–45> install-file {root-ca-filename WORD<1–80>}

  6. Set the HTTP request type to support the type of CA:

    certificate ca WORD<1–45> use-post <false | true>
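Step 3 is the anchor of trust for the whole procedure: the device accepts the CA certificate it fetches in the caauth step only if its SHA-256 fingerprint matches the configured WORD<64-64> value. The following Python is an added example (not part of this documentation or the switch firmware) showing how an operator derives that value from the CA's DER certificate, normalizes the colon-separated form printed by `openssl x509 -fingerprint -sha256`, and checks a received certificate against it; the certificate bytes are a constructed stand-in, and the helper names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of a CA certificate. A real
# fingerprint is SHA-256 over the DER encoding of the whole certificate.
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"constructed-ca-cert-bytes" * 4


def ca_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER certificate as 64 uppercase hex characters,
    the WORD<64-64> form taken by 'certificate ca <name> sha256-fingerprint'."""
    return hashlib.sha256(der_bytes).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=AA:BB:...' (openssl output) or a bare hex
    string, drop separators, and enforce the exact 64-hex-character length.
    A 40-character value is SHA-1 length and is rejected here."""
    value = text.split("=", 1)[1] if "=" in text else text
    value = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", value):
        raise ValueError(
            f"sha256-fingerprint must be exactly 64 hex characters, got {len(value)}"
        )
    return value


def matches_fingerprint(der_bytes: bytes, configured: str) -> bool:
    """The step 3 check: trust the received CA certificate only if its
    SHA-256 fingerprint equals the configured one (constant-time compare)."""
    return hmac.compare_digest(ca_fingerprint(der_bytes), normalize_fingerprint(configured))


if __name__ == "__main__":
    fp = ca_fingerprint(SAMPLE_CA_DER)
    # The value to paste into the CLI command from step 3.
    print(f"certificate ca ej sha256-fingerprint {fp}")
    print("received CA certificate matches:", matches_fingerprint(SAMPLE_CA_DER, fp))
```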

Examples

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#certificate ca ej common-name subca5 key-name rsa_2048
Switch:1(config)#certificate ca ej action enroll
Switch:1(config)#CP1  [07/21/16 12:22:11.992:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
CP1  [07/21/16 12:22:12.284:CEST] 0x003a8639 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : ej
CP1  [07/21/16 12:22:12.504:CEST] 0x003a8615 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
CP1  [07/21/16 12:22:12.508:CEST] 0x003a8611 00000000 GlobalRouter DIGITALCERT INFO Enroll Certificate Successful!
CP1  [07/21/16 12:22:12.509:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved

Configure an SHA-256 fingerprint to validate the CA certificate:

Switch:1(config)#certificate ca ej sha256-fingerprint EEA68F35CC6195CBB038073F520AA385A5A78F42

Variable Definitions

The following table defines parameters for the certificate ca command.

Variable
    Value

action caauth
    Authenticates the trustpoint CA by getting the certificate of the CA and stores the CA certificate locally.

action enroll [validity-days <7–1185>]
    Generates a certificate signing request to obtain an identity certificate from the configured trustpoint CA, gets the digital certificate, and stores it locally, associating it with the trustpoint CA.
    The validity-days value specifies the number of days for which the certificate remains valid. The default value is 365 days.

action get-crl
    Gets the Certificate Revocation List from the CDP and stores it in a file.

action install
    Installs the subject certificate obtained from the given trustpoint CA.

action noop
    Specifies that no operation is performed after configuring the trustpoint.

action remove
    Releases the locally stored certificate associated with the trustpoint CA after revocation.

action renew [challenge-password WORD<0-128>]
    Specifies the challenge password. This password is provided offline by the CA during end-entity registration.

action renew [validity-days <7–1185>]
    Generates a certificate renewal request for the given trustpoint CA, gets the new digital certificate, and stores it locally, replacing the old certificate with the new one.
    The validity-days value specifies the number of days for which the certificate remains valid. The default value is 365 days.

ca WORD<1–45>
    Specifies the name of the certificate authority. The name is alphanumeric and case-sensitive, with a maximum length of 45 characters.

ca-url WORD<0–1000>
    Specifies the trusted CA URL.

common-name WORD<0–64>
    Specifies the name of the owner of the device or user.

key-name WORD<0–45>
    Specifies the key pair generated by the command that was first associated with the CA trustpoint.

install-file root-ca-filename WORD<1–80>
    Installs the Root CA file obtained offline from the CA.

sha256-fingerprint WORD<64-64>
    Specifies the SHA-256 fingerprint that the received CA certificate must match.

use-post <false | true>
    Specifies the HTTP request style. The default value is True.
    For example, True for EJBCA and False for Win2012 CA.