trustpoint (profile-config-mode)

Profile Config Commands

Configures the trustpoint assigned for validating a CMP auth Operator

A certificate links identity information with a public key enclosed in the certificate.

A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.



Certificates/trustpoints used in this command should be verifiable as existing on the device.

For information on configuring trustpoints on a device, see trustpoint (device-config-mode).

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>


trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>
trustpoint Assigns an existing trustpoint to validate CMP auth operator, client certificates, and RADIUS server certificate
https Assigns an existing trustpoint to validate HTTPS requests
cmp-auth-operator Assigns an existing trustpoint to validate CMP auth operator Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA.

Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP supported CA server, and download the certificate directly from the CA server. CMP supports multiple request options through for device communicating to a CMP supported CA server. The device can initiate a request for getting the certificates from the server. It can also auto update the certificates which are about to expire.

radius-ca Assigns an existing trustpoint to validate client certificates in EAP
radius-server Assigns an existing trustpoint to validate RADIUS server certificate
<TRUSTPOINT-NAME> The following keyword is common to all of the above parameters:
  • <TRUSTPOINT-NAME> – After selecting the service to validate, specify the trustpoint name (should be existing and stored on the device).


nx9500-6C8809(config-profile-testNX9500)#trustpoint cmp-auth-operator test

nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 service pm sys-restart
 router bgp
 trustpoint cmp-auth-operator test

Related Commands

no Removes trustpoint-related configurations