Direct HTTP Enroll with CA Servers
The Direct HTTP Enroll with CA Servers feature allows users to bypass the registration authority (RA) when enrolling with a certification authority (CA) by configuring an enrollment profile. Thus, HTTP enrollment requests can be sent directly to the CA server.
Feature History for Direct HTTP Enroll with CA Servers
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Direct HTTP Enroll with CA Servers
• Restrictions for Direct HTTP Enroll with CA Servers
• Information About Direct HTTP Enroll with CA Servers
• How to Configure Direct HTTP Enrollment with CA Servers
• Configuration Examples for Direct HTTP Enrollment
Prerequisites for Direct HTTP Enroll with CA Servers
This feature is part of the public key infrastructure (PKI) subsystem. The PKI subsystem requires the crypto subsystem.
Restrictions for Direct HTTP Enroll with CA Servers
The CA certificate and router certificates must be returned in the following privacy enhanced mail (PEM) format:
-----BEGIN CERTIFICATE-----
base64 encoded cert
-----END CERTIFICATE-----
Information About Direct HTTP Enroll with CA Servers
To configure the Direct HTTP Enroll with CA Servers feature, you should understand the following concepts:
• Supported CA Enrollment Methods
• About Registration Authorities
• Certificate Enrollment Profiles
Supported CA Enrollment Methods
Cisco IOS software supports the following methods to obtain a certificate from a certification authority (CA):
• Simple Certificate Enrollment Protocol (SCEP)—A Cisco proprietary enrollment protocol that uses HTTP to communicate with the CA or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.
• Public-Key Cryptography Standard #12 (PKCS12)—The router imports certificates in PKCS#12 format from an external server.
• TFTP—The router uses the TFTP protocol to send a request to a TFTP server and to receive the issued certificate. A user may wish to enable TFTP certificate enrollment when his or her CA does not support SCEP.
• Manual ("cut-and-paste")—The router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal. A user may wish to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and CA.
Note
Although most CAs accept manual enrollment, the process can be tedious if a large number of routers have to be enrolled.
About Registration Authorities
Some CA servers do not support SCEP directly; thus, an RA has to process the SCEP request for the CA. An RA is essentially a server that acts as a proxy for the CA so that CA functions can continue when the CA is offline. Although the RA is often part of the CA server, the RA could also be an additional application, requiring an additional device to run it.
Certificate Enrollment Profiles
Users may configure an enrollment profile for the router to send to the CA if their CA server does not support SCEP and they do not want to use an RA as a proxy. The enrollment profile allows users to send HTTP requests directly to the CA server instead of the RA proxy.
The profile allows users to specify certificate authentication, enrollment, and reenrollment parameters when prompted. The values for these parameters are referenced by two templates that make up the profile. One template contains parameters for the HTTP request that is sent to the CA server to obtain the certificate of the CA (also known as certificate authentication); the other template contains parameters for the HTTP request that is sent to the CA for certificate enrollment.
Prior to Cisco IOS Release 12.3(11)T and 12.2(18)SXE, certificate requests could be sent only in a PKCS #10 format; however, an additional parameter has now been added to the profile, allowing users to specify the PKCS #7 format for certificate renewal requests.
Note
A single enrollment profile can have up to three separate sections for each task—certificate authentication, enrollment, and reenrollment.
Benefit of Certificate Enrollment Profiles
Configuring two templates enables users to specify different URLs or methods for certificate authentication and enrollment; for example, authentication (getting the certificate of the CA) can be done via TFTP (using the authentication url command) while enrollment can be done manually (using the enrollment terminal command).
How to Configure Direct HTTP Enrollment with CA Servers
This section contains the following procedures:
• Configuring an Enrollment Profile for the Client Router
• Configuring an Enrollment Profile for the Client Router Enrolled with a Third-Party Vendor CA
• Configuring a Cisco IOS CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA
Configuring an Enrollment Profile for the Client Router
Perform this task to configure a certificate enrollment profile.
Restrictions
• If an enrollment profile is specified, an enrollment URL may not be specified in the trustpoint configuration. Although both commands are supported, only one command can be used at a time in a trustpoint.
• Because there is no standard for the HTTP commands used by various CAs, the user is required to enter the command that is appropriate to the CA that is being used.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment profile label
5. exit
6. crypto pki profile enrollment label
7. authentication url url
   or
   authentication terminal
8. authentication command (optional)
9. enrollment url url
   or
   enrollment terminal
10. enrollment command (optional)
11. parameter number {value value | prompt string} (optional)
12. exit
13. show crypto ca certificates
14. show crypto pki trustpoints
DETAILED STEPS
Command or Action / Purpose
Step 1
enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3
crypto pki trustpoint name
Example: Router(config)# crypto pki trustpoint Entrust
Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
Step 4
enrollment profile label
Example: Router(ca-trustpoint)# enrollment profile E
Specifies that an enrollment profile can be used for certificate authentication and enrollment.
Step 5
exit
Example: Router(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode.
Step 6
crypto pki profile enrollment label
Example: Router(config)# crypto pki profile enrollment E
Defines an enrollment profile and enters ca-profile-enroll configuration mode.
• label—Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
Step 7
authentication url url
Example: Router(ca-profile-enroll)# authentication url http://entrust:81
or
authentication terminal
Example: Router(ca-profile-enroll)# authentication terminal
(Optional) The authentication url command specifies the URL of the CA server to which to send certificate authentication requests.
• url—URL of the CA server to which your router should send authentication requests. If using HTTP, the URL should read "http://CA_name," where CA_name is the host Domain Name System (DNS) name or IP address of the CA. If using TFTP, the URL should read "tftp://certserver/file_specification." (If the URL does not include a file specification, the fully qualified domain name [FQDN] of the router will be used.)
The authentication terminal command specifies manual cut-and-paste certificate authentication.
Step 8
authentication command
Example: Router(ca-profile-enroll)# authentication command
(Optional) Specifies the HTTP command that is sent to the CA for authentication.
This command should be used after the authentication url command has been entered.
Step 9
enrollment url url
Example: Router(ca-profile-enroll)# enrollment url http://entrust:81/cda-cgi/clientcgi.exe
or
enrollment terminal
Example: Router(ca-profile-enroll)# enrollment terminal
The enrollment url command specifies the URL of the CA server to which to send certificate enrollment requests via HTTP or TFTP.
The enrollment terminal command specifies manual cut-and-paste certificate enrollment.
Step 10
enrollment command
Example: Router(ca-profile-enroll)# enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
(Optional) Specifies the HTTP command that is sent to the CA for enrollment.
Note
The enrollment command is all on one line.
Step 11
parameter number {value value | prompt string}
Example: Router(ca-profile-enroll)# parameter 1 value aaaa-bbbb-cccc
(Optional) Specifies parameters for an enrollment profile.
This command can be used multiple times to specify multiple values.
Step 12
exit
Example: Router(ca-profile-enroll)# exit
Router(config)# exit
Exits ca-profile-enroll configuration mode and global configuration mode.
Step 13
show crypto pki certificates
Example: Router# show crypto pki certificates
(Optional) Verifies information about your certificate, the certificate of the CA, and RA certificates.
Step 14
show crypto pki trustpoints
Example: Router# show crypto pki trustpoints
(Optional) Displays the trustpoints that are configured in the router.
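As an added worked example that is not part of this Cisco document (and is not Cisco IOS code), the following Python models what steps 7 through 11 configure together with the PEM restriction stated under Restrictions: it expands the $P<n> and $REQ placeholders of an authentication or enrollment command from the profile's parameter values, assembles the HTTP message the profile would send to the CA, and rejects a CA reply that does not carry certificates between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. The placeholder semantics and request layout are assumptions read off the page's example configuration; EnrollmentProfile, the function names and the sample CA reply are constructed for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class EnrollmentProfile:
    """Constructed model of a ca-profile-enroll block (hypothetical, not IOS code)."""
    label: str
    authentication_url: str = ""
    authentication_command: str = ""
    enrollment_url: str = ""
    enrollment_command: str = ""
    parameters: Dict[int, str] = field(default_factory=dict)  # parameter N value ...


_PLACEHOLDER = re.compile(r"\$(P\d+|REQ)")


def render_command(template: str, params: Dict[int, str], req: Optional[str] = None) -> str:
    """Expand $P<n> and $REQ in an authentication/enrollment command template.

    Assumed from the page's example: $P<n> is the value of 'parameter <n>' and
    $REQ is the router's PKCS#10 request, substituted as given (any encoding the
    CA's form expects is CA specific). An unresolved placeholder raises instead
    of leaking a literal '$P3' into the request sent to the CA.
    """
    def expand(match):
        name = match.group(1)
        if name == "REQ":
            if req is None:
                raise ValueError("template uses $REQ but no certificate request given")
            return req
        number = int(name[1:])
        if number not in params:
            raise ValueError(f"template uses ${name} but parameter {number} is not set")
        return params[number]
    return _PLACEHOLDER.sub(expand, template)


def build_http_request(profile: EnrollmentProfile, phase: str, req: Optional[str] = None) -> str:
    """Assemble the raw HTTP/1.0 message for phase 'authentication' or 'enrollment'.

    Layout assumed from the page's example: a GET command carries the path
    ('GET /certs/cacert.der'); a POST command carries the form body and the
    path comes from the configured URL.
    """
    if phase == "authentication":
        url, command = profile.authentication_url, profile.authentication_command
    elif phase == "enrollment":
        url, command = profile.enrollment_url, profile.enrollment_command
    else:
        raise ValueError("phase must be 'authentication' or 'enrollment'")
    parsed = urlparse(url)
    method, _, template = command.partition(" ")
    rendered = render_command(template, profile.parameters, req)
    if method == "GET":
        return f"GET {rendered} HTTP/1.0\r\nHost: {parsed.netloc}\r\n\r\n"
    if method == "POST":
        return (f"POST {parsed.path or '/'} HTTP/1.0\r\nHost: {parsed.netloc}\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(rendered.encode())}\r\n\r\n{rendered}")
    raise ValueError(f"unsupported HTTP method in command: {method!r}")


_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def certificates_from_response(body: str) -> List[bytes]:
    """Enforce the page's restriction that the CA returns certificates in PEM.

    Returns the DER bytes of each PEM certificate block; a reply with no
    BEGIN/END CERTIFICATE markers, bad base64, or a payload that is not an
    ASN.1 SEQUENCE (first byte 0x30) is rejected.
    """
    ders: List[bytes] = []
    for match in _PEM_BLOCK.finditer(body):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM block is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("PEM payload is not a DER-encoded certificate")
        ders.append(der)
    if not ders:
        raise ValueError("CA reply contains no -----BEGIN CERTIFICATE----- block")
    return ders


# Profile "E" as the page's example configuration defines it.
PROFILE_E = EnrollmentProfile(
    label="E",
    authentication_url="http://entrust:81",
    authentication_command="GET /certs/cacert.der",
    enrollment_url="http://entrust:81/cda-cgi/clientcgi.exe",
    enrollment_command="POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER"
                       "&action=getServerCert&pkcs10Request=$REQ",
    parameters={1: "aaaa-bbbb-cccc", 2: "5001"},
)

# Constructed stand-in for a CA reply: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_CA_REPLY = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
                   + "\n-----END CERTIFICATE-----\n")
```

Calling build_http_request(PROFILE_E, "enrollment", req=...) without a request, or feeding certificates_from_response a reply with no PEM markers, raises ValueError, which is the failure a profile misconfiguration or a non-PEM CA would produce.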
Configuring an Enrollment Profile for the Client Router Enrolled with a Third-Party Vendor CA
Perform this task to configure a certificate enrollment profile for the client router that is already enrolled with a third-party vendor CA so that the router can reenroll with a Cisco IOS certificate server.
Prerequisites
Before configuring a certificate enrollment profile for the client router, you should have already performed the following tasks at the client router:
• Defined a trustpoint that points to a third-party vendor CA
• Authenticated and enrolled the client router with a third-party vendor CA
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment profile label
5. exit
6. crypto pki profile enrollment label
7. enrollment url url
8. enrollment credential label
9. exit
10. show crypto ca certificates
11. show crypto pki trustpoints
DETAILED STEPS
What to Do Next
Configure the Cisco IOS certificate server to accept enrollment requests only from clients already enrolled with the specified third-party vendor CA trustpoint. For more information, see the section "Configuring a Cisco IOS CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA."
Configuring a Cisco IOS CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA
Perform this task to configure a Cisco IOS certificate server to accept enrollment requests only from clients who are already enrolled with the third-party vendor CA trustpoint.
Restrictions
• The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.
• The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the non-Cisco IOS CA. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http server
4. crypto pki server cs-label
5. database url root-url
6. database level {minimal | names | complete}
7. issuer-name DN-string
8. grant auto trustpoint label
9. lifetime {ca-certificate | certificate} time
10. lifetime crl time
11. cdp-url url
12. shutdown
13. exit
14. exit
15. show crypto pki server
DETAILED STEPS
Configuration Examples for Direct HTTP Enrollment
This section provides the following configuration examples:
• Direct HTTP Enrollment Configuration: Example
• Different Authentication and Enrollment Methods Configuration: Example
Direct HTTP Enrollment Configuration: Example
The following example shows how to configure an enrollment profile for direct HTTP enrollment with a CA server:
crypto pki trustpoint Entrust
 enrollment profile E
 serial
crypto pki profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Different Authentication and Enrollment Methods Configuration: Example
The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via TFTP and certificate enrollment via cut-and-paste (manually):
crypto pki profile enrollment E
 authentication url tftp://server/filename
 enrollment terminal
Configuring a Certificate Profile for a Client Router Already Enrolled with a Third-Party Vendor CA: Example
The following example shows how to configure the following tasks on the client router:
• Define the trustpoint "msca-root" that points to the third-party vendor CA and enroll and authenticate the client with the third-party vendor CA.
• Define trustpoint "cs" for the Cisco IOS CA.
• Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the enrollment credential command) that "msca-root" is being initially enrolled with the Cisco IOS CA.
! Define trustpoint "msca-root" for non-Cisco IOS CA.
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1."
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
Configuring a Certificate Server to Automatically Accept Enrollment Requests Only from the Client Router: Example
The following example shows how to configure the certificate server and issue the grant auto trustpoint command to instruct the certificate server to accept enrollment requests only from clients who are already enrolled with trustpoint "msca-root."
crypto pki server cs
 database level minimal
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl
Additional References
The following sections provide references related to Direct HTTP Enroll with CA Servers.
Related Documents
Related Topic Document Title
Cisco IOS Certificate Server configuration information and tasks
Cisco IOS Certificate Server, 12.3(11)T feature module
Additional certificate enrollment configuration tasks and information
The chapter "Configuring Certification Authority Interoperability" in the Cisco IOS Security Configuration Guide
Additional CA commands
Standards
MIBs
MIBs MIBs Link
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents new commands only.
Cisco IOS Release 12.2(13)ZH and 12.3(4)T
Cisco IOS Release 12.3(11)T and 12.2(18)SXE
authentication command
To specify the HTTP command that is sent to the certification authority (CA) for authentication, use the authentication command in ca-profile-enroll configuration mode.
authentication command
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Use the authentication command to send the HTTP request to the CA server for certificate authentication. Before enabling this command, you must use the authentication url command.
After enabling this command, you can use the parameter command to specify enrollment parameters for your enrollment profile.
Examples
The following example shows how to configure certificate authentication via HTTP for the enrollment profile named "E":
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
Command Description
authentication url
Specifies the URL of the CA server to which to send authentication requests.
crypto ca profile enrollment
Defines an enrollment profile.
parameter
Specifies parameters for an enrollment profile.
authentication terminal
To specify manual cut-and-paste certificate authentication requests, use the authentication terminal command in ca-profile-enroll configuration mode. To delete a current authentication request, use the no form of this command.
authentication terminal
no authentication terminal
Syntax Description
This command has no arguments or keywords.
Defaults
An authentication request is not specified.
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
A user may manually cut-and-paste certificate authentication requests when a network connection between the router and certification authority (CA) is not available. After this command is enabled, the authentication request is printed on the console terminal so that it can be manually copied (cut) by the user.
Examples
The following example shows how to specify manual certificate authentication and certificate enrollment via HTTP:
crypto ca profile enrollment E
 authentication terminal
 enrollment terminal
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
authentication url
To specify the URL of the certification authority (CA) server to which to send authentication requests, use the authentication url command in ca-profile-enroll configuration mode. To delete the authentication URL from your enrollment profile, use the no form of this command.
authentication url url
no authentication url url
Syntax Description
url
URL of the CA server to which your router should send authentication requests.
Defaults
Your router does not recognize the CA URL until you declare one using this command.
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
If you do not specify the authentication command after you enable the authentication url command, the authentication url command functions the same as the enrollment url url command in trustpoint configuration mode. That is, the authentication url command will then be used only for certificate enrollment—not authentication.
This command allows the user to specify a different URL or a different method for authenticating a certificate and enrolling a certificate; for example, manual authentication and TFTP enrollment.
Examples
The following example shows how to configure an enrollment profile for direct HTTP enrollment with a CA server. In this example, the authentication command is also present.
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via HTTP and manual certificate enrollment:
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment terminal
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
Command Description
authentication command
Specifies the HTTP command that is sent to the CA for authentication.
crypto ca profile enrollment
Defines an enrollment profile.
enrollment
Specifies the enrollment parameters of your CA.
crypto ca profile enrollment
To define an enrollment profile, use the crypto ca profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.
crypto ca profile enrollment label
no crypto ca profile enrollment label
Syntax Description
label
Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
Defaults
An enrollment profile does not exist.
Command Modes
Global configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Before entering this command, you must specify a named enrollment profile using the enrollment profile command in ca-trustpoint configuration mode.
After entering the crypto ca profile enrollment command, you can use any of the following commands to define the profile parameters:
• authentication command—Specifies the HTTP command that is sent to the certification authority (CA) for authentication.
• authentication terminal—Specifies manual cut-and-paste certificate authentication requests.
• authentication url—Specifies the URL of the CA server to which to send authentication requests.
• enrollment command—Specifies the HTTP command that is sent to the CA for enrollment.
• enrollment terminal—Specifies manual cut-and-paste certificate enrollment.
• enrollment url—Specifies the URL of the CA server to which to send enrollment requests.
• parameter—Specifies parameters for an enrollment profile. This command can be used only if the authentication command or the enrollment command is used.
Note
The authentication url, enrollment url, authentication terminal, and enrollment terminal commands allow you to specify different methods for certificate authentication and enrollment, such as TFTP authentication and manual enrollment.
Examples
The following example shows how to define the enrollment profile named "E" and associated profile parameters:
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
Command Description
crypto ca trustpoint
Declares the CA that your router should use.
enrollment profile
Specifies that an enrollment profile can be used for certificate authentication and enrollment.
enrollment command
To specify the HTTP command that is sent to the certification authority (CA) for enrollment, use the enrollment command in ca-profile-enroll configuration mode.
enrollment command
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
After enabling this command, you can use the parameter command to specify enrollment parameters for your enrollment profile.
Examples
The following example shows how to configure the enrollment profile name "E" for certificate enrollment:
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
enrollment credential
To specify an existing trustpoint from another vendor that is to be enrolled with the Cisco IOS certificate server, use the enrollment credential command in ca-profile-enroll configuration mode.
enrollment credential label
Syntax Description
label
Name of the existing trustpoint (for the CA of another vendor) that is to be enrolled with the Cisco IOS certificate server.
Defaults
No default behavior or values.
Command Modes
Ca-profile-enroll configuration
Command History
Usage Guidelines
To configure a router that is already enrolled with a CA of another vendor that is to be enrolled with a Cisco IOS certificate server, you must configure a certificate enrollment profile (via the crypto pki profile enrollment command). Thereafter, you should issue the enrollment credential command, which specifies the trustpoint of another vendor that has to be enrolled with a Cisco IOS certificate server.
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the
! enrollment credential command) that "msca-root" is being initially enrolled with the
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to
! instruct the certificate server to accept enrollment requests only from clients who are
! already enrolled with trustpoint "msca-root."
crypto pki server cs
 database level minimal
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl
Related Commands
enrollment profile
To specify that an enrollment profile can be used for certificate authentication and enrollment, use the enrollment profile command in ca-trustpoint configuration mode. To delete an enrollment profile from your configuration, use the no form of this command.
enrollment profile label
no enrollment profile label
Syntax Description
label
Name of the enrollment profile; it must match the name specified in the crypto ca profile enrollment command.
Defaults
Your router does not recognize any enrollment profiles until you declare one using this command.
Command Modes
Ca-trustpoint configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Before you can enable this command, you must enter the crypto ca trustpoint command.
The enrollment profile command enables your router to accept an enrollment profile, which can be configured via the crypto ca profile enrollment command. The enrollment profile, which consists of two templates, can be used to specify different URLs or methods for certificate authentication and enrollment.
Examples
The following example shows how to declare the enrollment profile named "E":
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
Command Description
crypto ca profile enrollment
Defines an enrollment profile.
crypto ca trustpoint
Declares the CA that your router should use.
enrollment terminal
To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-profile-enroll configuration mode. To delete a current enrollment request, use the no form of this command.
enrollment terminal
no enrollment terminal
Syntax Description
This command has no arguments or keywords.
Defaults
A certificate enrollment request is not specified.
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
A user may manually cut-and-paste certificate authentication requests and certificates when a network connection between the router and certification authority (CA) is unavailable. After this command is enabled, the certificate request is printed on the console terminal so that it can be manually copied (cut) by the user.
Note
Although most routers accept manual enrollment, the process can be tedious if a large number of routers have to be enrolled.
Examples
The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via HTTP and manual certificate enrollment:
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment terminal
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
enrollment url
To specify the URL of the certification authority (CA) server to which to send enrollment requests, use the enrollment url command in ca-profile-enroll configuration mode. To delete the enrollment URL from your enrollment profile, use the no form of this command.
enrollment url url
no enrollment url url
Syntax Description
url
URL of the CA server to which to send enrollment requests.
Defaults
Your router does not recognize the CA URL until you specify it using this command.
Command Modes
Ca-profile-enroll configuration
Command History
Release Modification
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
This command allows the user to specify a different URL or a different method for authenticating a certificate and enrolling a certificate; for example, manual authentication and TFTP enrollment.
Examples
The following example shows how to enable certificate enrollment via HTTP for the profile name "E":
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
grant auto trustpoint
To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.
grant auto trustpoint label
Syntax Description
Defaults
No default behavior or values.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.
Note
The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.
The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).
Caution
The grant automatic command can be used for testing and building simple networks and should be disabled before the network is reachable from the Internet. It is recommended that you do not issue this command if your network is generally accessible.
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the
! enrollment credential command) that "msca-root" is being initially enrolled with the
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to
! instruct the certificate server to accept enrollment request only from clients who are
! already enrolled with trustpoint "msca-root."
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl
Related Commands
Command              Description
crypto pki server    Enables a Cisco IOS certificate server and enters certificate server configuration mode.
parameter
To specify parameters for an enrollment profile, use the parameter command in ca-profile-enroll configuration mode. To disable specified parameters, use the no form of this command.
parameter number {value value | prompt string}
no parameter number {value value | prompt string}
Syntax Description
Defaults
No enrollment profile parameters are specified.
Command Modes
Ca-profile-enroll configuration
Command History
Release       Modification
12.2(13)ZH    This command was introduced.
12.3(4)T      This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The parameter command can be used within an enrollment profile after either the authentication command command or the enrollment command command has been enabled.
Examples
The following example shows how to specify parameters for the enrollment profile named "E":
crypto ca trustpoint Entrust
 enrollment profile E
 serial
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
Related Commands
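The following Python is an added example, not Cisco IOS code or part of this reference: it parses the profile "E" from the enrollment url and parameter examples above and expands the enrollment command the way the router does when it substitutes $P1, $P2 and $REQ, so the exact HTTP request sent to the CA is visible. The PKCS#10 value is a constructed placeholder, and the parser only covers the profile commands shown on this page.

```python
import re

# Constructed copy of the profile "E" from this page's examples.
PROFILE_TEXT = """\
crypto ca profile enrollment E
 authentication url http://entrust:81
 authentication command GET /certs/cacert.der
 enrollment url http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
"""

def parse_profile(text):
    """Parse a 'crypto ca profile enrollment' block into a dict."""
    prof = {"parameters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto ca profile enrollment (\S+)", line):
            prof["name"] = m.group(1)
        elif m := re.fullmatch(r"(authentication|enrollment) url (\S+)", line):
            prof[m.group(1) + "_url"] = m.group(2)
        elif m := re.fullmatch(r"(authentication|enrollment) command (GET|POST)(?: (.*))?", line):
            prof[m.group(1) + "_command"] = (m.group(2), m.group(3) or "")
        elif m := re.fullmatch(r"parameter (\d+) value (\S+)", line):
            prof["parameters"][int(m.group(1))] = m.group(2)
    return prof

def expand_enrollment(prof, pkcs10_b64):
    """Return (method, url, body) with $P<n> and $REQ substituted.
    A $P<n> with no 'parameter n value' line raises KeyError."""
    method, template = prof["enrollment_command"]
    params = prof["parameters"]
    body = re.sub(r"\$P(\d+)", lambda m: params[int(m.group(1))], template)
    body = body.replace("$REQ", pkcs10_b64)
    return method, prof["enrollment_url"], body

def plain_http_urls(prof):
    """Profile URLs that use http://; the enrollment POST body (authcode,
    reference number, request) travels in clear text over such a URL."""
    return [prof[k] for k in ("authentication_url", "enrollment_url")
            if k in prof and prof[k].startswith("http://")]

if __name__ == "__main__":
    p = parse_profile(PROFILE_TEXT)
    print(expand_enrollment(p, "BASE64-PKCS10-PLACEHOLDER"))
    print(plain_http_urls(p))
```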
Copyright © 2005 Cisco Systems, Inc. All rights reserved.