Configure the Certificate Authority

Use this procedure to configure the certificate authority (CA) and perform related actions. You can configure only one CA in a device at a time.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select Certificate.
  3. Select the CA tab.
  4. Select Insert.
  5. In the Name field, type a user-defined name of the CA.
  6. In the CommonName field, type the common name of the CA.
  7. In the KeyName field, type the name of the associated key pair.
  8. Complete the remaining optional configuration to customize the policy.
  9. Select Insert.
  10. Optional: Select Retry Action if the trustpoint CA certificate authentication fails or takes time for authentication. This can be done only when the selected Action is caauth.

CA field descriptions

Use the data in the following table to use the CA tab.

Name

Description

Name

Specifies the user-defined name referring to the Certificate Authority issuing the Digital Certificate.

CommonName

Specifies the Common Name of the Certificate Authority issuing the Digital Certificate.

KeyName

Specifies the name of the associated key pair.

CaUrl

Specifies the URL of the Certificate Authority issuing the Digital Certificate.

Action

Specifies the action the Certificate Authority can take:

  • noop — no operation

  • caauth — CA authentication

  • enroll — certificate enrolment request

  • renew — certificate renew request

  • remove — remove the subject certificate obtained online from the CA

  • install — install the subject certificate obtained online from the CA

  • getCrl — retrieve the Certificate Revocation List (CRL) from the CRL Distribution Point (CDP).

ActionChallengePassword

Specifies the challenge password required to perform the SCEP operation.

LastActionStatus

Specifies the status of the last action:
  • none - No action is performed yet

  • success - Execution of the action triggered is completed successfully

  • failed - Execution of the action triggered has failed

  • inProgress - Execution of the action triggered is in progress

LastActionFailureReason

Specifies the reason of failure for the last action performed by the Certificate Authority.

InstallRootCaFileName

Specifies the certificate file obtained offline from the Root Certificate Authority.

SubjectCertificateValidityDays

Specifies the number of days for which subject certificate will remain valid.

The default value is 365 days.

UsePost

Specifies the HTTP request type: URL or POST.

TRUE for EJBCA and FALSE for Win2012 CA

Sha256Fingerprint

Note:

Exception: not supported on VSP 8600 Series.

Specifies an encrypted fingerprint of the expected certificate to match.

SubjectName

Note:

Exception: not supported on VSP 8600 Series.

Specifies the Subject Name of the subject sending the Certificate Signing Request to the Certificate Authority.

UsedFor

Note:

Exception: not supported on VSP 8600 Series.

Specifies the name of the application the certificate uses.

The default is enabled if there is only 1 CA trustpoint configured.