Sunday, March 9, 2014

Configuring Cisco IOS Manual Certificate Enrollment

Configuring Manual Certificate Enrollment

Manual certificate enrollment can be set up via TFTP or the manual cut-and-paste method. Both options can be used if your CA does not support SCEP or if a network connection between the router and CA is not possible. Perform one of the following tasks to set up manual certificate enrollment:

PEM-Formatted Files for Certificate Enrollment Request

Using PEM-formatted files for certificate requests can be helpful for customers who are using terminal or profile-based enrollment to request certificates from their CA server. Customers using PEM-formatted files can directly use existing certificates on their routers.

Restrictions for Manual Certificate Enrollment

SCEP Restriction
We do not recommend switching URLs if SCEP is used; that is, if the enrollment URL is “http://myca”, do not change the enrollment URL after getting the CA certificate and before enrolling the certificate. A user can switch between TFTP and manual cut-and-paste.
Key Regeneration Restriction
Do not regenerate the keys manually using the crypto key generate command; key regeneration will occur when the crypto pki enroll command is issued if the regenerate keyword is specified.

Configuring Cut-and-Paste Certificate Enrollment

Perform this task to configure manual certificate enrollment via the cut-and-paste method for peers participating in your PKI.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment terminal pem
5. fingerprint ca-fingerprint
6. exit
7. crypto pki authenticate name
8. crypto pki enroll name
9. crypto pki import name certificate
10. exit
11. show crypto pki certificates
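The summary steps above, carried through as one complete IOS CLI session. This is an added example, not configuration from the original post or from Cisco documentation; the trustpoint name MANUAL-CA, key label ROUTER-KEY, subject name and the fingerprint value are placeholders to be replaced with your own. The fingerprint line is the security-relevant step: it is the hash of the CA certificate, obtained from the CA administrator over a separate channel, and IOS rejects the pasted CA certificate if its hash does not match, so a substituted CA certificate cannot be accidentally trusted.

```cisco
! Added example: cut-and-paste (PEM) enrollment on a Cisco IOS router.
! Names and the fingerprint below are placeholders, not real values.
enable
configure terminal
!
! Generate the router's RSA key pair once, before enrollment. Do not re-run
! this command later to re-key; use "crypto pki enroll MANUAL-CA regenerate"
! if the key ever has to be replaced.
crypto key generate rsa label ROUTER-KEY modulus 2048
!
crypto pki trustpoint MANUAL-CA
 enrollment terminal pem
 ! CA certificate fingerprint (MD5 or SHA-1 hex string) obtained out of band.
 ! Placeholder value; the pasted CA certificate must hash to this.
 fingerprint 0123456789ABCDEF0123456789ABCDEF
 subject-name CN=router1.example.com
 rsakeypair ROUTER-KEY
 ! No CRL reachable when the router has no path to the CA; see note below.
 revocation-check none
 exit
!
! Step 7: paste the CA's PEM certificate at the prompt, then type "quit".
crypto pki authenticate MANUAL-CA
!
! Step 8: the router prints a PEM certificate request; copy it to the CA.
crypto pki enroll MANUAL-CA
!
! Step 9: paste the certificate issued by the CA at the prompt, then "quit".
crypto pki import MANUAL-CA certificate
exit
!
! Step 11: confirm both the CA certificate and the router certificate exist.
show crypto pki certificates
```

The revocation-check none line is there only because the scenario on this page assumes no network path between router and CA, so a CRL or OCSP responder cannot be reached; where the router can reach the CA's CRL distribution point, leave the default (crl) in place so revoked peer certificates are refused.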
