Use the scripting tcl trustpoint name command to associate an existing configured trustpoint name with a certificate used to verify Tcl scripts. This tells Tcl which certificate is used for verifying Tcl script signatures. The name must match an existing configured trustpoint name; otherwise, the command is rejected with an error message on the console. You can enter the command multiple times to configure multiple trustpoint names. Once you enter the command, you cannot modify the trustpoint name. However, you can remove the trustpoint name using the no form of the command. You must remove each name individually. When the last name is removed, no signature checking is performed, and the untrusted-script action (the action taken for a script that has failed signature verification) configured by the scripting tcl trustpoint untrusted command is also removed.
Cisco IOS crypto image software is required to enable this command and configure the Signed Tcl Scripts feature. The crypto configuration commands enable Cisco X.509 certificate storage. The scripting tcl trustpoint name command can be enabled only after the crypto configuration trustpoint commands are enabled.
The scripting tcl secure-mode command must be configured together with the scripting tcl trustpoint name command to verify the integrity of Tcl script signatures on scripts run on the router. Both commands must be configured for this feature to operate fully; otherwise, a syslog message is generated:
*Jun 13 17:53:31.659: %SYS-6-SCRIPTING_TCL_SECURE_TRUSTPOINT: scripting tcl secure-mode is enabled, however no scripting tcl trustpoint names configured, cannot verify signed TCL script.
In addition, the trustpoint specified with the crypto pki trustpoint name command should contain a certificate that matches the certificate that was originally used to generate the digital signature on the Tcl script.
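The configuration sequence described above, shown end to end as an added example (it is not taken from the command reference or from Cisco); the trustpoint name MY_TCL_CA, the hostname Router, and the CA certificate pasted at the prompt are assumptions:

```text
! 1. Create the trustpoint and import the CA certificate that issued the
!    script-signing certificate (crypto image required). MY_TCL_CA and the
!    pasted certificate are placeholders.
Router(config)# crypto pki trustpoint MY_TCL_CA
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate MY_TCL_CA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
<base64 CA certificate pasted here>
quit
% Do you accept this certificate? [yes/no]: yes

! 2. Enabling secure-mode before any trustpoint name is configured is the
!    state that produces the %SYS-6-SCRIPTING_TCL_SECURE_TRUSTPOINT syslog
!    shown above: signatures cannot be verified yet.
Router(config)# scripting tcl secure-mode

! 3. Associate the trustpoint. The name must match step 1 exactly or the
!    command is rejected. Repeat with other names to trust several CAs.
Router(config)# scripting tcl trustpoint name MY_TCL_CA

! 4. Define what happens to a script whose signature fails verification
!    (terminate = the script is not run).
Router(config)# scripting tcl trustpoint untrusted terminate

! 5. Confirm that both halves of the feature are present.
Router# show running-config | include scripting tcl
scripting tcl secure-mode
scripting tcl trustpoint name MY_TCL_CA
scripting tcl trustpoint untrusted terminate

! 6. Removal: each name must be removed individually. Removing the last
!    name disables signature checking and also drops the untrusted-script
!    action set in step 4, so re-enter it if a name is added again later.
Router(config)# no scripting tcl trustpoint name MY_TCL_CA
```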