|
Command or Action |
Purpose |
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
-
Enter your password if prompted.
|
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode. |
|
crypto pki trustpool policy
Example:
Router(config)# crypto pki trustpool policy
Router(ca-trustpool)#
|
Enters ca-trustpool configuration mode where commands can be accessed to configure CA PKI trustpool policy parameters. |
|
cabundle url {url | none}
Example:
Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/crl/crca2048.crl
|
Specifies the URL from which the PKI trustpool certificate authority (CA) certificate bundle is downloaded.
-
The url argument is the URL of the CA certificate bundle.
-
The none keyword specifies that automatic updates of the PKI trustpool CA bundle are not permitted.
|
|
chain-validation
Example:
Router(ca-trustpool)# chain-validation
|
Enables chain validation from the peer's certificate up to the root CA certificate in the PKI trustpool. By default, validation stops at the peer certificate's issuer, so an intermediate CA in the pool is never itself validated against the root. |
|
crl {cache {delete-after minutes | none} | query url}
Example:
Router(ca-trustpool)# crl query http://www.cisco.com/security/pki/crl/crca2048.crl
|
Specifies the certificate revocation list (CRL) query and CRL cache options for the PKI trustpool.
-
The cache keyword specifies CRL cache options.
-
The delete-after keyword removes the CRL from the cache after a timeout.
-
The minutes argument is the number of minutes from 1 to 43,200 to wait before deleting the CRL from the cache.
-
The none keyword specifies that CRLs are not cached.
-
The query keyword with the url argument specifies the URL published by the CA server to query the CRL.
|
|
default command-name
Example:
Router(ca-trustpool)# default crl query http://www.cisco.com/security/pki/crl/crca2048.crl
|
Resets the value of a ca-trustpool configuration subcommand to its default.
-
The command-name argument is the ca-trustpool configuration mode command with its applicable keywords.
|
|
match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]
Example:
Router(ca-trustpool)# match certificate mycert override ocsp 1 url http://ocspts.identrust.com
|
Enables the use of certificate maps for the PKI trustpool.
-
The certificate-map-name argument is the name of the certificate map whose rules select the certificates this policy applies to.
-
The optional allow expired-certificate keyword ignores expired certificates.
Note |
If this keyword is not configured, the router does not ignore expired certificates. |
-
The override keyword replaces the CRL distribution point (CDP), online certificate status protocol (OCSP), or SubjectInfoAccess (SIA) attribute fields of a matching certificate in the PKI trustpool with the values configured here.
-
The cdp keyword overrides the certificate distribution point (CDP) in a certificate.
-
The directory keyword and the ldap-location argument specify the replacement CDP, given as an http: or ldap: URL or as an LDAP directory location.
-
The ocsp keyword with the number argument and the url keyword with the url argument specify the OCSP sequence number (0 to 10000) and the responder URL that replace the OCSP information in the certificate.
-
The trustpool keyword and name and number arguments with the url keyword and url argument override the PKI trustpool for verifying the OCSP certificate by specifying the PKI trustpool name, sequence number, and URL.
-
The sia keyword and number and url arguments override the SIA URL in a certificate by specifying the SIA sequence number and URL.
-
The optional skip revocation-check keywords exempt certificates that match the map from revocation checking, so the PKI trustpool still enforces certificate revocation lists (CRLs) for every other certificate.
Note |
If this keyword combination is not configured, then the PKI trustpool enforces CRLs for all certificates. |
-
The optional skip authorization-check keyword combination skips the authentication, authorization, and accounting (AAA) check of a certificate when public key infrastructure (PKI) integration with an AAA server is configured.
Note |
If this keyword combination is not configured, and PKI integration with an AAA server is configured, then the AAA checking of a certificate is done. |
|
|
ocsp {disable-nonce | url url}
Example:
Router(ca-trustpool)# ocsp url http://ocspts.identrust.com
|
Specifies OCSP settings for the PKI trustpool.
-
The disable-nonce keyword disables the OCSP Nonce extension.
-
The url keyword and url argument specify the OCSP server URL to override (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with a configured PKI trustpool are checked by the OCSP server at the specified HTTP URL. The URL can be a hostname, IPv4 address, or an IPv6 address.
|
|
revocation-check method1 [method2 [method3]]
Example:
Router(ca-trustpool)# revocation-check ocsp crl none
|
Specifies the methods, in order of preference, that the router uses to check the revocation status of certificates validated under the PKI trustpool policy. Available keywords are as follows:
-
crl--Certificate checking is performed by a certificate revocation list (CRL). This is the default behavior.
-
none--Certificate checking is not required.
-
ocsp--Certificate checking is performed by an online certificate status protocol (OCSP) server.
If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down; a definitive answer from an earlier method, including "revoked", is final. Placing none last makes the check fail open: a certificate is accepted without any revocation check whenever the OCSP responder and the CRL are both unreachable. |
|
source interface name number
Example:
Router(ca-trustpool)# source interface tunnel 1
|
Specifies the source interface to be used for CRL retrieval, OCSP status queries, and downloading of the CA certificate bundle for the PKI trustpool.
-
The name and number arguments are the interface type and number whose address is used as the source address for PKI trustpool traffic.
|
|
storage location
Example:
Router(ca-trustpool)# storage disk0:
|
Specifies a file system location where PKI trustpool certificates are stored on the router.
-
The location is the file system location where the PKI trustpool certificates are stored. The types of file system locations are disk0:, disk1:, nvram:, unix:, or a named file system.
|
|
vrf vrf-name
Example:
Router(ca-trustpool)# vrf myvrf
|
Specifies the VPN routing and forwarding (VRF) instance to be used for enrolment, CRL retrieval, and OCSP status. |
|
show
Example:
Router(ca-trustpool)# show
Chain validation will stop at the first CA certificate in the pool
Trustpool CA certificates will expire 12:58:31 PST Apr 5 2012
Trustpool policy revocation order: crl
Certficate matching is disabled
Policy Overrides:
|
Displays the PKI trustpool policy of the router. |
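The steps above, assembled into one complete ca-trustpool policy as it would appear in a running configuration. This is an added example and is not configuration from the original page or from Cisco; the bundle URL (pki.example.net), the certificate-map name TRUSTPOOL-OCSP-OVERRIDE and its issuer match, the override responder ocsp.example.net, the Loopback0 interface, the MGMT VRF and the 1440-minute cache lifetime are placeholders chosen for the example. The `crypto pki certificate map` command that defines the map referenced by `match certificate` is not covered in the table above; it is a standard IOS command entered in global configuration mode.

```cisco
! Added example: complete PKI trustpool policy (not from the original page).
! Placeholder values: bundle URL, map name/issuer match, override OCSP URL,
! Loopback0, VRF MGMT and the CRL cache lifetime.
!
! The certificate map used by "match certificate" is defined outside
! ca-trustpool mode.
crypto pki certificate map TRUSTPOOL-OCSP-OVERRIDE 10
 issuer-name co identrust
!
crypto pki trustpool policy
 ! Source of the CA bundle; "cabundle url none" would stop automatic updates.
 cabundle url http://pki.example.net/ios-trustpool.p7b
 ! Validate the whole chain up to the trustpool root instead of stopping at
 ! the peer certificate's issuer (the default).
 chain-validation
 ! Cache fetched CRLs for 24 hours, then refetch.
 crl cache delete-after 1440
 ! Responder consulted for every certificate in the pool, overriding AIA.
 ocsp url http://ocspts.identrust.com
 ! Weak, fail-open ordering: "none" as the last method accepts the
 ! certificate with no revocation check when OCSP and the CRL are both
 ! unreachable.
 !   revocation-check ocsp crl none
 ! Hardened, fail-closed ordering: fall back from OCSP to CRL and fail
 ! validation if neither gives an answer.
 revocation-check ocsp crl
 ! Certificates matching the map are checked against a different responder.
 match certificate TRUSTPOOL-OCSP-OVERRIDE override ocsp 1 url http://ocsp.example.net
 ! Source CRL, OCSP and bundle traffic from the management loopback and VRF.
 source interface loopback 0
 vrf MGMT
 ! Keep the downloaded trustpool certificates on local flash.
 storage disk0:
```

After entering the policy, `show` in ca-trustpool mode (or `show crypto pki trustpool policy` from privileged EXEC) should report the revocation order as `ocsp crl` and chain validation continuing to the root; if the output still shows chain validation stopping at the first CA certificate in the pool, the `chain-validation` line was not accepted.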