Multiple-Tier CA Hierarchies
Hierarchical public key infrastructure (PKI) has been enhanced to support multiple-tier certification authorities (CAs). Before multiple CAs were supported, the customer would have to establish the hierarchy by first configuring a root CA (which has a self-signed certificate that contains its own public key). Thereafter, subordinate CAs were enrolled with the root CA. This design limited the customer's CA hierarchy to two tiers because each CA had to be a direct subordinate of the root CA.
Multiple-tier CA support eliminates the following restrictions:
• Two-tier limitation. Cisco IOS now supports any number of CA tiers.
• Mandatory root CA configuration. Configuring the root CA is now optional.
• Customers are no longer required to start configuring CAs from the top tier (root CA). That is, IP Security (IPSec) connections can now be established between any two routers from any tier if the routers are configured to share at least one common CA (trustpoint) within the hierarchy.
Feature History for Multiple-Tiered CA Hierarchies
Contents
• How to Configure Multiple-Tier CAs
• Configuration Examples for Multiple-Tiered CAs
How to Configure Multiple-Tier CAs
This section shows how to configure trustpoints (or CAs) for a multiple-tier CA hierarchy.
• Configuring CAs for Multiple-Tier Hierarchy
Configuring CAs for Multiple-Tier Hierarchy
In Cisco IOS software, each CA corresponds to a trustpoint. Thus, you should perform the following steps for each CA you want to configure within the hierarchy.
Manually Accepting the Initial CA (Root or Subordinate) Certificate
When you configure the first root or subordinate CA within the CA hierarchy, you are asked to manually accept the CA certificate, because Cisco IOS PKI has no already-trusted certificate against which it could cryptographically check the validity of that root or subordinate CA certificate.
After the root or subordinate CA certificate has been manually accepted, it is stored as a trusted certificate and can then be used to validate additional certificates, including the CA certificates of trustpoints configured later.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ca trustpoint name
4. enrollment url url
5. exit
6. crypto ca authenticate name
DETAILED STEPS
Troubleshooting Tips
To verify information about your certificate and the certificate of the CA, use the show crypto ca certificates EXEC command.
Configuration Examples for Multiple-Tiered CAs
This section contains the following configuration example:
• Configuring Multiple-Tiered CAs: Example
Configuring Multiple-Tiered CAs: Example
Figure 1 shows the enrollment relationships among CAs within a three-tiered hierarchy.
Figure 1 Three-Tiered CA Hierarchy Sample Topology
Each CA corresponds to a trustpoint. For example, CA11 and CA12 are subordinate CAs, holding CA certificates that have been issued by CA1; CA111, CA112, and CA113 are also subordinate CAs, but their CA certificates have been issued by CA11.
On the basis of Figure 1, if a customer wants to configure CA11 and CA112 on a router, the customer should follow this example:
Router(config)# crypto ca trustpoint CA11
Router(ca-trustpoint)# enrollment url http://ciscoca-ultra:80
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate CA11
Certificate has the following attributes:
Fingerprint: 84E470A2 38176CB1 AA0476B9 C0B4F478
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
Router(config)# crypto ca trustpoint CA112
Router(ca-trustpoint)# enrollment url http://kahului:80
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate CA112
Certificate has the following attributes:
Fingerprint: 9F6BDD67 14F643C6 D23BB000 63257CDE
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
Note: CA112 has been accepted automatically, without a fingerprint prompt, because its CA certificate is signed by CA11, whose certificate is already a trusted trustpoint certificate on the router. CA11 itself had to be accepted manually because neither it nor its issuer CA1 was configured yet.
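The following Go program is an added illustration of the acceptance logic described above; it is not Cisco code and does not talk to a router. It builds the three-tier hierarchy CA1, CA11, CA112 from Figure 1 with the standard library, then authenticates CA11 and CA112 into an empty trust store in the same order as the example: the first certificate can only be accepted against an operator-confirmed fingerprint, the second validates against the stored CA11. The SHA-1 fingerprint format, Ed25519 keys and the function names are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCA issues a CA certificate for cn; a nil parent yields a self-signed root.
func newCA(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil { parent, parentKey = tmpl, key } // root CA: the certificate signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TrustStore models the router's set of authenticated trustpoint CA certificates (assumed name).
type TrustStore struct{ pool *x509.CertPool }
func NewTrustStore() *TrustStore { return &TrustStore{pool: x509.NewCertPool()} }
// Fingerprint is the value shown at the "Do you accept this certificate?" prompt (SHA-1 assumed).
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%X", sha1.Sum(c.Raw)) }
// Authenticate mirrors "crypto ca authenticate": a certificate signed by a trustpoint already in
// the store is validated and accepted; otherwise only a matching out-of-band fingerprint accepts it.
func (ts *TrustStore) Authenticate(ca *x509.Certificate, confirmedFP string) (accepted, validated bool) {
	_, err := ca.Verify(x509.VerifyOptions{Roots: ts.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	validated = err == nil
	accepted = validated || (confirmedFP != "" && confirmedFP == Fingerprint(ca))
	if accepted {
		ts.pool.AddCert(ca)
	}
	return accepted, validated
}
// Demo replays the page's sequence: CA11, then CA112, with the root CA1 never configured.
func Demo() (ca11Validated, ca112Validated bool) {
	ca1, k1 := newCA("CA1", 1, nil, nil)
	ca11, k11 := newCA("CA11", 2, ca1, k1)
	ca112, _ := newCA("CA112", 3, ca11, k11)
	ts := NewTrustStore()
	_, ca11Validated = ts.Authenticate(ca11, Fingerprint(ca11)) // no trusted issuer yet: manual accept
	_, ca112Validated = ts.Authenticate(ca112, "")              // signed by existing trustpoint CA11
	return ca11Validated, ca112Validated
}
```

Demo returns false for CA11 (accepted only by fingerprint) and true for CA112 (validated by signature), the same two outcomes the transcript above shows.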
Additional References
The following sections provide references related to multiple-tiered CA hierarchies.
Related Documents
Standards
MIBs
MIBs: None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance