Module 5
• Step 5 – declare a CA
• Note that in 12.3(7)T, crypto pki trustpoint replaces the crypto ca trustpoint
command from previous Cisco IOS software releases. The crypto ca trustpoint
command can be entered, but the command will be written in the configuration as
crypto pki trustpoint.
• Use the crypto pki trustpoint global configuration command to declare which CA the
router will use. The crypto pki trustpoint command also allows the router to re-enroll with
the CA server automatically when its certificates expire. Use the no form of this
command to delete all identity information and certificates associated with the CA.
• Step 10 (continued) – verify the CA support configuration
• To view keys and certificates, use the commands shown in Figure 1 in EXEC mode.
• Figure 2 displays the running configuration of a router properly configured for CA
support.
• The typical process for enrolling a device, such as a router or PIX Security
Appliance, with a CA is as follows:
– Step 1 Configure the device for CA support.
– Step 2 Generate a public and private key-pair on the device.
– Step 3 The device authenticates the CA server:
• Send the certificate request to the CA/RA.
• Generate a CA/RA certificate.
• Download a CA/RA certificate to the device.
• Authenticate a CA/RA certificate via the CA/RA fingerprint.
Học viện mạng Cisco Bách Khoa - Website: www.ciscobachkhoa.com
• The typical process for enrolling a device with a CA (continued):
– Step 4 The device sends a certificate request to the CA.
– Step 5 The CA generates and signs an identity certificate.
– Step 6 The CA sends the certificates to the device and posts the
certificates in its public repository.
– Step 7 The device verifies the identity certificate and posts the certificate.
• Most of these steps have been automated by Cisco and the SCEP protocol
that is supported by many CA server vendors. Each vendor determines how
long certificates are valid.
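The enrollment steps above, expressed as the Cisco IOS commands a router would be given, as an added example that is not part of the original module. The hostname, domain, NTP server, CA URL, trustpoint and key labels, subject name and fingerprint value are placeholders; the fingerprint must be obtained from the CA operator out of band.

```cisco
! Step 1 - configure the device for CA support: a stable identity and correct
! time are prerequisites, since certificate validity is checked against the clock
hostname vpn-router
ip domain-name example.com
ntp server 192.0.2.10

! Step 2 - generate the RSA key pair; a named pair lets the trustpoint reference it
crypto key generate rsa general-keys label CA-KEYS modulus 2048

! Declare the CA (crypto pki trustpoint replaces crypto ca trustpoint from 12.3(7)T)
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 subject-name CN=vpn-router.example.com,O=Example
 rsakeypair CA-KEYS
 ! Placeholder MD5 fingerprint of the CA certificate, supplied out of band.
 ! With it configured, crypto pki authenticate rejects a CA certificate that
 ! does not match instead of prompting an operator to accept it.
 fingerprint 00000000000000000000000000000000
 revocation-check crl
 ! Re-enroll automatically once 70% of the certificate lifetime has elapsed
 auto-enroll 70

! Step 3 - download and authenticate the CA/RA certificate via its fingerprint
crypto pki authenticate CORP-CA

! Steps 4-7 - send the certificate request over SCEP; the CA signs and returns
! the identity certificate, which the router verifies and installs
crypto pki enroll CORP-CA

! Verification (the Step 10 checks): keys, certificates and trustpoint state
show crypto key mypubkey rsa
show crypto pki certificates
show crypto pki trustpoints
```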
• When using the PIX Security Appliance to implement IPSec VPNs using digital
certificates, the CA server enrollment process can be largely automated so that it scales
well to large deployments.
• Each PIX that is to be configured as an IPSec peer individually enrolls with the CA
server and obtains public and private encryption keys compatible with other peers that
are enrolled with the server.
• The PIX Security Appliance supports the following CA servers:
– Cisco IOS Certificate Server
– Baltimore Technologies
– Entrust
– Microsoft Certificate Services
– Netscape CMS
– RSA Keon
– VeriSign