enroll command to request certificates from the CA for the
Rivest, Shamir, and Adleman (RSA) key pairs for the router defined by the
command in trustpoint configuration mode. If no
command is configured for the current trustpoint, the default RSA key pair is
used for enrollment. This task is also known as enrolling with the CA.
(Enrolling and obtaining certificates are two separate events, but they both
occur when the crypto ca
enroll command is issued.) When using manual enrollment, these
two operations occur separately.

The router needs a signed certificate from the CA for each of the RSA key
pairs on the router. If you previously generated general-purpose keys, this
command obtains the one certificate corresponding to the one general-purpose
RSA key pair. If you previously generated special-usage keys, this command
obtains two certificates, one for each of the special-usage RSA key pairs.

If you already have
a certificate for your keys, you are unable to configure this command; instead,
you are prompted to remove the existing certificate first. (You can remove
existing certificates by removing the trustpoint configuration with the
no crypto ca
enroll command is not saved in the router configuration.