Storing PKI Credentials


First Published: May 2, 2005
Last Updated: February 28, 2011

This module explains how to store public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates, in a specific location. Certificate storage locations include NVRAM, which is the default location, and other local storage locations, such as flash, as supported by your platform.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Storing PKI Credentials" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Storing PKI Credentials

Restrictions for Storing PKI Credentials

Information About Storing PKI Credentials

How to Configure Storing PKI Credentials Locally

Configuration Examples for PKI Storage

Additional References

Feature Information for Storing PKI Credentials

Prerequisites for Storing PKI Credentials

Before you can specify the local certificate storage location, your system should meet the following requirements:

A Cisco IOS XE Release 2.1-enabled image or a later image

A platform that supports storing PKI credentials as separate files

A configuration that contains at least one certificate

An accessible local file system

Restrictions for Storing PKI Credentials

When storing certificates to a local storage location, the following restrictions are applicable:

Only local file systems may be used. An error message will be displayed if a remote file system is selected, and the command will not take effect.

A subdirectory may be specified if supported by the local file system. NVRAM does not support subdirectories.

Information About Storing PKI Credentials

Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. You can specify where certificates are stored on a local file system.

All Cisco platforms support NVRAM and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, or USB flash.

During run time, you can specify which active local storage device you would like to use to store certificates.

How to Configure Storing PKI Credentials Locally

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto pki certificate storage location-name

4. exit

5. copy source-url destination-url

6. show crypto pki certificates storage

DETAILED STEPS

 
Step 1   Command or Action: enable
         Example: Router> enable
         Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2   Command or Action: configure terminal
         Example: Router# configure terminal
         Purpose: Enters global configuration mode.

Step 3   Command or Action: crypto pki certificate storage location-name
         Example: Router(config)# crypto pki certificate storage flash:/certs
         Purpose: Specifies the local storage location for certificates.

Step 4   Command or Action: exit
         Example: Router(config)# exit
         Purpose: Exits global configuration mode.

Step 5   Command or Action: copy source-url destination-url
         Example: Router# copy system:running-config nvram:startup-config
         Purpose: (Optional) Saves the running configuration to the startup configuration.
         Note: Settings will only take effect when the running configuration is saved to the startup configuration.

Step 6   Command or Action: show crypto pki certificates storage
         Example: Router# show crypto pki certificates storage
         Purpose: (Optional) Displays the current setting for the PKI certificate storage location.

Examples

The following is sample output for the show crypto pki certificates storage command where the certificates are stored in the certs subdirectory of disk0:

Router# show crypto pki certificates storage

Certificates will be stored in disk0:/certs/

Configuration Examples for PKI Storage

The following configuration example shows how to store certificates to the certs subdirectory. The certs subdirectory does not exist and is automatically created.

Router# dir nvram:

 114  -rw-        4687                    <no date>  startup-config
 115  ----        5545                    <no date>  private-config
 116  -rw-        4687                    <no date>  underlying-config
   1  ----          34                    <no date>  persistent-data
   3  -rw-         707                    <no date>  ioscaroot#7401CA.cer
   9  -rw-         863                    <no date>  msca-root#826E.cer
  10  -rw-         759                    <no date>  msca-root#1BA8CA.cer
  11  -rw-         863                    <no date>  msca-root#75B8.cer
  24  -rw-        1149                    <no date>  storagename#6500CA.cer
  26  -rw-         863                    <no date>  msca-root#83EE.cer

129016 bytes total (92108 bytes free)

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# crypto pki certificate storage disk0:/certs
Requested directory does not exist -- created
Certificates will be stored in disk0:/certs/

Router(config)# end
Router# write
*May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolemem
Building configuration...
[OK]

Router# directory disk0:/certs

Directory of disk0:/certs/

  14  -rw-         707  May 27 2005 02:09:02 +00:00  ioscaroot#7401CA.cer
  15  -rw-         863  May 27 2005 02:09:02 +00:00  msca-root#826E.cer
  16  -rw-         759  May 27 2005 02:09:02 +00:00  msca-root#1BA8CA.cer
  17  -rw-         863  May 27 2005 02:09:02 +00:00  msca-root#75B8.cer
  18  -rw-        1149  May 27 2005 02:09:02 +00:00  storagename#6500CA.cer
  19  -rw-         863  May 27 2005 02:09:02 +00:00  msca-root#83EE.cer

47894528 bytes total (20934656 bytes free)


! The certificate files are now on disk0/certs:
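
The following is an added example, not part of the original Cisco documentation: an offline audit that checks a configured storage location against the restrictions above (local file systems only, no subdirectories on NVRAM) and flags a location that is set in the running configuration but not saved to the startup configuration. It assumes the crypto pki certificate storage line appears verbatim in the configuration text; the prefix list, function names, and sample configurations are constructed for illustration.

```python
import re

# Assumption: prefix families taken from the storage types the page names;
# the exact set is platform-dependent.
LOCAL_FS = ("nvram", "flash", "bootflash", "slot", "disk", "usbflash")
STORAGE_RE = re.compile(r"^crypto pki certificate storage (\S+)\s*$", re.M)
DEFAULT_LOCATION = "nvram:"  # the page: certificates go to NVRAM by default


def check_location(location):
    """Return findings for one location-name, per the page's restrictions."""
    m = re.match(r"^([A-Za-z]+)\d*:(.*)$", location)
    if not m:
        return ["not a file system URL: %r" % location]
    fs, path = m.group(1).lower(), m.group(2).strip("/")
    findings = []
    if fs not in LOCAL_FS:
        findings.append("%s: is not a local file system; command will not take effect" % fs)
    if fs == "nvram" and path:
        findings.append("NVRAM does not support subdirectories")
    return findings


def configured_location(config_text):
    """Location set in a config, or the NVRAM default when the line is absent."""
    m = STORAGE_RE.search(config_text)
    return m.group(1) if m else DEFAULT_LOCATION


def audit(running, startup):
    """Compare running and startup configs and validate the running location."""
    run_loc, start_loc = configured_location(running), configured_location(startup)
    findings = check_location(run_loc)
    if run_loc != start_loc:
        findings.append("storage %s is not saved to startup-config (startup has %s)"
                        % (run_loc, start_loc))
    return findings


# Constructed sample configs (not captured from a device).
RUNNING = "hostname Router\ncrypto pki certificate storage disk0:/certs\n"
STARTUP = "hostname Router\n"

if __name__ == "__main__":
    for finding in audit(RUNNING, STARTUP):
        print("FINDING:", finding)
```
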

Additional References

Related Documents

Related Topic: RSA keys
Document Title: "Deploying RSA Keys Within a PKI" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

Related Topic: File management (loading, copying, and rebooting files)
Document Title: Cisco IOS XE Configuration Fundamentals Configuration Guide

Related Topic: Security commands
Document Title: Cisco IOS Security Command Reference


Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html


Feature Information for Storing PKI Credentials

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.



Table 1 Feature Information for Storing PKI Credentials 

Feature Name: Certificate — Storage Location Specification

Releases: Cisco IOS XE Release 2.1

Feature Information: This feature allows you to specify the storage location of local certificates for platforms that support storing certificates as separate files. All Cisco platforms support NVRAM, which is the default location, and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, or USB flash.

The following sections provide information about this feature:

How to Configure Storing PKI Credentials Locally

Configuration Examples for PKI Storage

The following commands were introduced by this feature: crypto pki certificate storage, show crypto pki certificates storage