Digital certificate configuration examples

This section shows how to obtain an online CA signed certificate, remove the expired certificate, renew the certificate, and install an offline subject certificate.

Obtaining an online CA-signed subject certificate

Use the following procedure as an example to obtain an online CA signed subject certificate that the application can use.

About this task

In the following commands, the variable WORD<1-45> refers to the name of the certificate authority and the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject: 
    certificate subject common-name scepsub 
certificate subject e-mail test@mocana.com 
certificate subject unit Engineering 
certificate subject organization "Mocana Corporation" 
certificate subject locality "San Francisco" 
certificate subject country US
certificate subject province California
    Note

    Note

    The values mentioned are for example only.

  3. Generate the key pair: 
    certificate generate-keypair type rsa size 2048
  4. Configure the certificate authority (CA): 
    certificate ca ej common-name subca5 
certificate ca ej key-name rsa_2048 
certificate ca ej ca-url http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe 
certificate ca ej use-post true
    Note

    Note

    The values mentioned are for example.

  5. Copy and paste the Root CA certificate to: /intflash/.cert/.offlineRootCACert/.
  6. Install the Root CA certificate: 
    certificate ca WORD<1-45> install-file root-ca-filename WORD<1-80>
  7. Authenticate the CA: 
    certificate ca WORD<1-45> action caauth
  8. Enroll the subject certificate by the CA: 
    certificate ca WORD<1-45> action enroll
  9. Install the certificate: 
    certificate ca WORD<1-45> action install
  10. Optional: If the certificate expires, remove the enrolled subject certificate: 
    certificate ca WORD<1-45> action remove

    The certificate is removed from /intflash/.cert and /intflash/.cert/.installedCert/.

  11. Optional: To obtain the new certificate before the old certificate expires, enter the following command to renew the certificate: 
    certificate ca WORD<1-45> action renew

    The Certificate Authority generates a new certificate for the subject.

Installing an offline CA certificate

Use the following procedure as an example to install the offline CA certificate.

About this task

In the following commands, the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject: 
    certificate subject common-name scepsub 
certificate subject e-mail test@mocana.com 
certificate subject unit Engineering 
certificate subject organization "Mocana Corporation" 
certificate subject locality "San Francisco" 
certificate subject country US
certificate subject province California
    Note

    Note

    The values mentioned are for example only.

  3. Generate the certificate signing request using the command: 
    certificate generate-csr
  4. Use the generated CSR file to enroll the certificate on the server.
  5. Copy and paste the enrolled certificate along with Root to: /intflash/.cert/.offlineRootCACert/.
  6. Install the Root CA certificate: 
    certificate install-file offline-root-ca-filename WORD<1-80>
    Note

    Note

    If the subject certificate issuer is directly the Root, then Step 7 and 8 are optional. If the subject is issued by Intermediate CA, then Step 7 and 8 are mandatory, also in the certificate chain between Root and Subject, all the Intermediates must be installed using these steps.

  7. Copy and paste the Intermediate CA certificate to: /intflash/.cert/.offlineCACert/.
  8. Install the intermediate CA:

    certificate install-file offline-ca-filename WORD<1-80>

  9. Copy and paste the Offline subject certificate to: /intflash/.cert/.offlineCert/.
  10. Install the offline subject filename: 
    certificate install-file offline-subject-filename WORD<1-80>

Configuring X.509 V3 certificates for SSH Two Factor Authentication

Note

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.

Use the following procedure as an example to configure the SSH server on the VOSS switch, and the SSH client Secure CRT for two factor authentication using X.509 V3 certificates.

Before you begin

The following certificates must be loaded on the SSH server and SSH client:

  • For the Secure CRT (SSH client):

    • subject certificate from the PIV card.

  • For the VOSS switch (SSH server):

    • CAC-server.pem - the subject certificate

    • ca.cert.pem - the root CA certificate

    • Self-signedTrustAnchorCertificate.cer - the root CA certificate that signed the intermediate certificate

    • RSA2048IssuingCACertificate.cer - the intermediate certificate signed by the pervious root CA that signed the subject certificate.

About this task

Use the following steps as an example to configure the SSH server on the VOSS switch, the RADIUS Windows server, and the SSH client Secure CRT.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Ensure the switch is running in Enhanced Secure Mode: 
    Switch:1(config)#show boot config flags
flags enhancedsecure-mode true
    Note

    Note

    This shows a partial output of only the relevant entry.

  3. Ensure the switch clock is synchronized: 
    Switch:1#show clock
System Clock time : Fri Oct 12 19:36:36 2018 UTC
  4. Generate the key pair: 
    Switch:1(config)#certificate generate-keypair type rsa size 2048
Switch(config)#show certificate key-name
Key Name: rsa_2048
Public Key Value: …
  5. Configure the certificate subject parameters: 
    Switch:1(config)#certificate subject common-name CAC-server
Switch:1(config)#certificate subject e-mail user@companyname.com
Switch:1(config)#certificate subject unit CAC-project
Switch:1(config)#certificate subject organization Extreme
Switch:1(config)#certificate subject locality Salem
Switch:1(config)#certificate subject province New Hampshire
Switch:1(config)#certificate subject country US
Switch:1(config)#show certificate subject
Common-name : CAC-server
E-mail : jsmith@extremenetworks.com
Organizational unit : CAC-project
Organization : Extreme
Locality : Salem
State/Province : New Hampshire
Country : US
    Note

    Note

    The values mentioned are for example.

  6. Generate the Certificate Signing Request (CSR): 
    Switch:1(config)#certificate generate-csr
  7. Export the csr file from /intflash/.cert/.
  8. Create a subject certificate using the exported csr file.
  9. Import the root certificate .der file to /intflash/.cert/.offlineRootCACert.
  10. Import the intermediate certificate .der file to /intflash/.cert/.offlineCACert.
  11. Import the subject certificate .der file to /intflash/.cert/.offlineCert.
  12. Install the Root certificate: 
    Switch:1(config)#certificate install-file offline-root-ca-filename <SUBJECT_ROOT_CERTIFICATE_NAME>
Switch:1(config)#show certificate cert-type root-ca-cert
CERT STORE table entry
Certificate Type : Root CA Certificate
CommonName : ca_cert
VersionNumber : X.509 v3
SerialNumber : 00fb084e6b97f3f72a
IssuerName : CN:ca_cert, EM:none@none.com, OU:SSH, O:LUX, L:BUC, P:RO, C:RO
ValidityPeriodNotBefore : 06/15/2018 05:46:58
ValidityPeriodNotAfter : 06/10/2038 05:46:58
CertificateSignatureAlgorithm : sha256withRSAEncryption
CertificateSignature : …
Subject : CN:ca_cert, EM:none@none.com, OU:SSH, O:LUX, L:BUC, P:RO, C:RO
SubjectPublicKeyAlgorithm : rsaEncryption
SubjectPublicKey : …
HasBasicConstraint : 1
HasKeyUsage : 1
IsCa : 1
KeyUsage : 97 digitalSignature keyCertSign cRLSign
ExtendedKeyUsage :
CDPUrl :
OCSPUrl :
CertificateFileName : /intflash/.cert/.rootCACertStore/root_ca_cert_ca_cert.der
  13. Install the Intermediate certificate: 
    Switch:1(config)#certificate install-file offline-ca-filename <INTERMEDIATE_CERTIFICATE_NAME>
Switch:1(config)#show certificate cert-type intermediate-ca-cert
CERT STORE table entry
Certificate Type : Intermediate CA Certificate
CommonName : intermediate_csr
VersionNumber : X.509 v3
SerialNumber : 1000
IssuerName : CN:ca_cert, EM:none@none.com, OU:SSH, O:LUX, L:BUC, P:RO, C:RO
ValidityPeriodNotBefore : 06/15/2018 05:56:10
ValidityPeriodNotAfter : 06/12/2028 05:56:10
CertificateSignatureAlgorithm : sha256withRSAEncryption
CertificateSignature : …
Subject : CN:intermediate_csr, EM:none@none.com, OU:SSH, O:LUX, L:, P:RO, C:RO
SubjectPublicKeyAlgorithm : rsaEncryption
SubjectPublicKey : …
HasBasicConstraint : 1
HasKeyUsage : 1
IsCa : 1
KeyUsage : 97 digitalSignature keyCertSign cRLSign
ExtendedKeyUsage :
CDPUrl :
OCSPUrl :
CertificateFileName : /intflash/.cert/.caCertStore/ca_cert_intermediate_csr.der
  14. Install the Subject certificate: 
    Switch:1(config)# certificate install-file offline-subject-filename <SUBJECT_CERTIFICATE_NAME>
Switch:1(config)#show certificate cert-type offline-subject-cert
CERT table entry
Certificate Type : Offline Subject Certificate
VersionNumber : X.509 v3
SerialNumber : 1006
IssuerName : CN:intermediate_csr, EM:none@none.com, OU:SSH, O:LUX, L:, P:RO, C:RO
ValidityPeriodNotBefore : 07/26/2018 10:17:24
ValidityPeriodNotAfter : 08/05/2019 10:17:24
CertificateSignatureAlgorithm : sha256withRSAEncryption
CertificateSignature : …
Subject : CN:issue1, EM:issue1@none.com, OU:SSH1, O:LUX1, L:BUC1, P:BUC1, C:RO1
SubjectPublicKeyAlgorithm : rsaEncryption
SubjectPublicKey : …
HasBasicConstraint : 1
HasKeyUsage : 1
IsCa : 0
KeyUsage : 7 digitalSignature nonRepudiation keyEncipherment
ExtendedKeyUsage : TLS Web Client Authentication, Email Protection,
CDPUrl :
OCSPUrl : http://10.2.38.240:3141
Status : offline-certificate
Installed : 1
  15. Import the Root CA certificate .der file that signed the client certificate chain to /intflash/.cert/.offlineRootCACert.
  16. Install the Root CA certificate that signed the client certificate chain: 
    Switch:1(config)#certificate install-file offline-root-ca-filename <CLIENT_ROOT_CERTIFICATE_NAME>
Switch:1(config)#show certificate cert-type root-ca-cert
CERT STORE table entry
Certificate Type : Root CA Certificate
CommonName : ca_cert
VersionNumber : X.509 v3
SerialNumber : 00fb084e6b97f3f72a
IssuerName : CN:ca_cert, EM:none@none.com, OU:SSH, O:LUX, L:BUC, P:RO, C:RO
ValidityPeriodNotBefore : 06/15/2018 05:46:58
ValidityPeriodNotAfter : 06/10/2038 05:46:58
CertificateSignatureAlgorithm : sha256withRSAEncryption
CertificateSignature : …
Subject : CN:ca_cert, EM:none@none.com, OU:SSH, O:LUX, L:BUC, P:RO, C:RO
SubjectPublicKeyAlgorithm : rsaEncryption
SubjectPublicKey : …
HasBasicConstraint : 1
HasKeyUsage : 1
IsCa : 1
KeyUsage : 97 digitalSignature keyCertSign cRLSign
ExtendedKeyUsage :
CDPUrl :
OCSPUrl :
CertificateFileName : /intflash/.cert/.rootCACertStore/root_ca_cert_ca_cert.der
Switch:1(config)#no ssh rsa-auth
Switch:1(config)#no ssh dsa-auth
Switch:1(config)#no ssh pass-auth
Switch:1(config)#ssh x509v3-auth enable
Switch:1(config)#show ssh global
Total Active Sessions : 0
version : v2only
port : 22
max-sessions : 4
timeout : 60
action rsa-host key : rsa-hostkeysize 2048
action dsa-host key : dsa-hostkeysize 1024
rsa-auth : false
dsa-auth : false
pass-auth : false
keyboard-interactive-auth : false
x509-auth : true
x509-auth overwrite : false
x509-auth strip-domain : false
x509-auth use-domain : -
x509-auth revocation-check-method : OCSP
sftp enable : true
client enable : true
enable : true
authentication-type : aead-aes-128-gcm-ssh aead-aes-256-gcm-ssh hmac-sha1 hmac-sha2-256
encryption-type : 3des-cbc aead-aes-128-gcm-ssh aead-aes-256-gcm-ssh aes128-cbc aes128-ctr
aes192-cbc aes192-ctr aes256-cbc aes256-ctr blowfish-cbc rijndael128-cbc rijndael192-cbc
key-exchange-method : diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
    Note

    Note

    Disable all other SSH authentication methods except X.509 V3 on the VOSS switch because the SSH client Secure CRT always prefers SSH RSA over X.509 V3 authentication. You can also force Secure CRT to negotiate X.509 V3 SSH RSA only.

  17. From the RADIUS server, configure a username that is the same as the principal-name from the PIV card certificate with an empty password, or with a specific password. Enable the network policy.
  18. From the RADIUS server, configure one standard attribute and one Vendor-specific attribute with a username and password policy.
  19. From the SSH client Secure CRT, import the External Root CA certificate ca.cert.pem.
  20. Connect a card reader to your computer and insert the smart card.
  21. From the SSH client Secure CRT, open an SSH session with the username from the subject certificate as configured on the RADIUS server. Select the proper certificate from the smart card.
  22. Enter the PIN for the smart card.

    The username is sent to the RADIUS server for authorization after you enter the PIN.

  23. Enter the password for the cardholder user.

X.509 Authentication Username Option Example

Use the following procedure as an example to configure username authentication options using X.509 V3 certificates.

Procedure

  1. Enable X.509 V3 authentication username override: 
    Switch:1(config)# ssh x509v3-auth username overwrite

    The switch disregards the username sent by the SSH client and uses the principal name from the client‘s certificate for authentication. If RADIUS authentication is configured, the username is sent after you type the RADIUS password. For example, if you configure the SSH client with the username "John" and enable x509v3-auth username overwrite on the device, the switch sends the principal name 1403824387@mil to the RADIUS server for authorization. 

    Test CAC John Smith
 Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
 NotBefore: 12/19/2017 7:00 PM
 NotAfter: 12/19/2020 6:59 PM
 Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
 Government, C=US
 Serial: 019ab3
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
 Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
 Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb1
  2. Enable X.509 V3 authentication username strip: 
    Switch:1(config)#ssh x509v3-auth username strip-domain

    If x509v3-auth username strip-domain is configured, the switch sends the principal name without the domain to the RADIUS for authorization. The username is sent after you type the RADIUS password. For example: If you select principal name 1403824387@mil, the switch sends the principal name 1403824387 without the domain to the RADIUS server for authorization.

    Test CAC John Smith
 Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
 NotBefore: 12/19/2017 7:00 PM
 NotAfter: 12/19/2020 6:59
 PM Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
 Government, C=US
 Serial: 019ab3
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
 Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
 Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  3. Enable X.509 V3 authentication username use-domain: 
    Switch:1(config)ssh x509v3-auth username use-domain extreme.com

    If you select the username as the principal name, the switch sends the principal name from the certificate with the domain configured on the switch to the RADIUS for authorization. The username is sent after typing the RADIUS password. For example: If you configure use-domain “extreme.com” on the switch and you configure the username to be the principal name 1403824387@mil, the switch sends the username 1403824387@extreme.com to the RADIUS server for authorization.

    Test CAC John Smith
 Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
 NotBefore: 12/19/2017 7:00 PM
 NotAfter: 12/19/2020 6:59 PM
 Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
 Government, C=US
 Serial: 019ab3
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
 Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
 Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  4. RADIUS server is not configured:
    If the Radius server is not configured, the authorization fallbacks locally on the switch, for the username. You must configure the usernames on the switch. You are prompted for the password. For example: If you select the principal name 1403824387@mil, the switch authorizes locally the username as 1403824387@mil or 1403824387 if strip domain is enabled. You are prompted for the password.
    Test CAC John Smith
 Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
 NotBefore: 12/19/2017 7:00 PM
 NotAfter: 12/19/2020 6:59 PM
 Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
 Government, C=US
 Serial: 019ab3
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
 Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
 Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129

Install Online Certificates for Fabric Extend with IPsec

Use the following procedure as an example to install subject certificates for switches that use Fabric Extend with IPsec. After you complete the certificate configuration, you must configure the IPsec authentication method for the Fabric Extend tunnel. For more information about IPsec configuration, see IPsec configuration using CLI. For more information about Fabric Extend, see Fabric Extend configuration using the CLI.

Note

Note

The values mentioned are for example only.

Before you begin

Configure the Fabric Extend tunnels between the branch and hub switches.

Procedure

  1. Configure the CA instance: 
    Switch:1(config)#certificate ca aaa common-name CaAaa
Switch:1(config)#certificate ca aaa key-name rsa_2048 
Switch:1(config)#certificate ca aaa ca-url http://192.0.2.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe 
Switch:1(config)#certificate ca aaa use-post true
Switch:1(config)#certificate ca aaa sha256-fingerprint EEA68F35CC6195CBB038073F520AA385A5A78F42
  2. Authenticate the CA TrustPoint: 
    Switch:1(config)# certificate ca aaa action caauth
1 2020-06-10T15:07:16.814Z XA1440 CP1 - 0x003a863d - 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : aaa
1 2020-06-10T15:07:16.921Z XA1440 CP1 - 0x003a8615 - 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
1 2020-06-10T15:07:16.924Z XA1440 CP1 - 0x003a860e - 00000000 GlobalRouter DIGITALCERT INFO CA Certificate obtained online successfully installed
1 2020-06-10T15:07:16.929Z XA1440 CP1 - 0x003a863d - 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : aaa
1 2020-06-10T15:07:17.218Z XA1440 CP1 - 0x003a8615 - 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
1 2020-06-10T15:07:17.235Z XA1440 CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO Performing OCSP Check For Certificate : CaAaa
1 2020-06-10T15:07:17.430Z XA1440 CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO Received OCSP Response with SUCCESS Status!
1 2020-06-10T15:07:17.432Z XA1440 CP1 - 0x003a8610 - 00000000 GlobalRouter DIGITALCERT INFO Get CA Certificate Successful!
1 2020-06-10T15:07:17.433Z XA1440 CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
  3. Enroll the subject certificate by the CA and install it: 
    Switch:1(config)#certificate ca aaa action enroll 

 Enter the Challenge Password: ****
1 2020-06-10T15:12:01.715Z XA1440 CP1 - 0x003a861b - 00000000 GlobalRouter DIGITALCERT INFO Enroll Digital Certificate With SUCCESS Status!
1 2020-06-10T15:12:01.715Z XA1440 CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
Switch:1(config)#certificate ca aaa action install 
Switch:1(config)#show certificate cert-type online-subject-cert 

CERT table entry
Certificate Type                :   Online Subject Certificate
VersionNumber                   :   X.509 v3
SerialNumber                    :   22420c203796db8e
IssuerName                      :   CN:CaAaa, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore         :   03/09/2020 16:12:10
ValidityPeriodNotAfter          :   03/09/2023 16:12:10
CertificateSignatureAlgorithm   :   sha256withRSAEncryption
CertificateSignature            :   2b8a93f4a1c9a97a69372342df1368a4fda77607251d1efc468184983223deca788919e1b1d9897044e7bffbda90d9625b7d607a1c04423bdbec0775cab0e9fd9c70244134e1b3831dbd6e7136e4a283d0ea9dbf06f0e0e28239dfd239506f6ce48acad5426bdad362916730dd4a76c3f97902230686c2e5982b2aab52d3f14b2a050644eccf463f21c953a1fe0264892854c72120656285da9dba7c98dd1658016784ee158d425fc8c1788576a1dc6df355bfd01f3007466b84802c9270ce602d5980fa434b1f13cb3c873f63f2411c295631bdacf62ad9a5f5001f765f8437bf8f2e8f38396add2d0bc49a77a46eca02faf548633360f7fcba24db144a49b6
Subject                         :   CN:Branch1, EM:, OU:, O:, L:, P:, C:
SubjectPublicKeyAlgorithm       :   rsaEncryption
SubjectPublicKey                :   00000000000000020000000100000000300d06092a864886f70d0101010500000000000000010d02000000000301000100000100db8df9204793924ad595f7c2b46e6a62d66f75d7f5db8bd64d0a348608b5ae77558a1b2dbd13d6961690b50df0a7b08223b58e4b62aa59532bec5327ee5c2770640d3ca0222088fda57d46a82faa6235d432f53a0d3e286a78053b565d31d8ea7068dd59fae9567230457dcd33a3e08c42e3b613c31c5bdfd59ca153480e5f6ddca8b8b3f4ee9e2cb262c71b7e4cc4e563ba6c815b9195170bcc15feb0f14d25b1cb58544e11e007fe2906e77a8a09008363ff3f856a8a92cadd09a438216f9fd5b43917559889429161ab7d0f5b3b4fab7c37c42c6ee87debb9ac31c06da8177d7e5997313b785d3e1ebef591b968826135d9fb423275de798ad077a3819c13
HasBasicConstraint              :   1
HasKeyUsage                     :   1
IsCa                            :   1
KeyUsage                        :   117 digitalSignature  keyEncipherment  keyAgreement  keyCertSign  cRLSign 
ExtendedKeyUsage                :   TLS Web Client Authentication, OCSP Signing, TLS Web Server Authentication, 
CDPUrl                          :   http://198.51.100.1:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=CaAaa
OCSPUrl                         :   http://198.51.100.1:8080/ejbca/publicweb/status/ocsp
  4. Configure the IPsec authentication-method: 
    Switch:1(config-isis-1-192.0.2.74)#ipsec auth-method rsa-sig
9036830-00 Rev AD