Table Of Contents
Import of RSA Key Pair and Certificates in PEM Format
Prerequisites for Import of RSA Key Pair and Certificates in PEM Format
Restrictions for Import of RSA Key Pair and Certificates in PEM Format
Information About Import of RSA Key Pair and Certificates in PEM Format
Certificate Enrollment Methods
How to Configure and Implement Key Pairs and Certificates in PEM Files
Generating, Importing, and Exporting RSA Key Pairs in PEM Files
Generating, Importing, and Exporting RSA Key Pairs and Certificates in PEM Files
Generating a Certificate Request in a PEM File
Configuration Examples for Using Key Pairs and Certificates in PEM Files
Generating, Exporting, Importing, and Verifying RSA Keys in PEM Files: Example
Exporting Router RSA Key Pairs and Certificates From PEM Files: Example
Importing Router RSA Key Pairs and Certificate From PEM Files: Example
Import of RSA Key Pair and Certificates in PEM Format
The Import of RSA Key Pair and Certificates in PEM Format feature allows customers to issue certificate requests and receive issued certificates in privacy-enhanced mail (PEM)-formatted files, which are widely used in secure socket layer (SSL) and secure shell (SSH) applications. Also, customers can use PEM-formatted files to import or export Rivest, Shamir, and Adelman (RSA) key pairs.
Feature History for Import of RSA Key Pair and Certificates in PEM Format
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Import of RSA Key Pair and Certificates in PEM Format
• Restrictions for Import of RSA Key Pair and Certificates in PEM Format
• Information About Import of RSA Key Pair and Certificates in PEM Format
• How to Configure and Implement Key Pairs and Certificates in PEM Files
• Configuration Examples for Using Key Pairs and Certificates in PEM Files
Prerequisites for Import of RSA Key Pair and Certificates in PEM Format
Ensure that your router supports the public key infrastructure (PKI) subsystem, which requires the crypto subsystem. (Only K8 images support the Data Encryption Standard [DES] encryption algorithm.)
Restrictions for Import of RSA Key Pair and Certificates in PEM Format
You cannot export and import RSA keys that were generated without an exportable flag before your system was upgraded to Cisco IOS Release 12.3(4)T or later. You have to generate new RSA keys after you upgrade the Cisco IOS software.
Information About Import of RSA Key Pair and Certificates in PEM Format
To configure and implement RSA key pairs and certificates in PEM-formatted files, you should understand the following concepts:
• Benefits
• Certificate Enrollment Methods
Benefits
PEM-Formatted Files
Using PEM-formatted files to import or export RSA keys or certificates can be helpful for customers who are using SSL or SSH applications to manually generate RSA key pairs, request certificates from their certification authority (CA) server, and import the RSA keys back into their PKI applications. That is, customers using PEM-formatted files can directly use existing certificates and RSA key pairs on their Cisco IOS routers. (To see PEM file examples, refer to the section "Exporting Router RSA Key Pairs and Certificates From PEM Files: Example" later in this document.)
TFTP Enrollment Using IFS File System to Support File Transfers
Cisco IOS software has been enhanced to support the IOS File System (IFS), in addition to TFTP, for certificate enrollment. (For a complete list of supported enrollment methods, see the enrollment command.)
Certificate Enrollment Methods
Cisco IOS software supports the following methods to obtain a certificate from a CA:
• Simple Certificate Enrollment Protocol (SCEP)—A Cisco proprietary enrollment protocol that uses HTTP to communicate with the CA or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.
• PKCS #12—The router imports certificates in PKCS#12 format from an external server.
• IFS (IOS File System)—The router uses any file system that is supported by Cisco IOS software (such as TFTP, FTP, flash, and NVRAM) to send a certificate request and to receive the issued certificate. A user may want to enable IFS certificate enrollment when his or her CA does not support SCEP.
• Manual (cut-and-paste)—The router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal. A user may want to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and CA.
Passphrase Protection
You have to include a passphrase to encrypt the PEM private key file that has been exported, and the same passphrase has to be entered when the PEM private key file is imported, in order to decrypt it. Encrypting the PEM private key file when it is being exported, deleted, or imported protects the file from unauthorized access and use while it is on a local device.
Caution
Passphrase protection protects the PEM private key file from unauthorized access and use, but it cannot protect the RSA key pair from being exported if a user has full enable access to the running router.
The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
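The following Python script is an added example and is not part of the Cisco document. It shows what a defender would check before archiving an exported PEM private key: that the RSA PRIVATE KEY block actually carries the Proc-Type and DEK-Info headers that mark it as passphrase-encrypted, which cipher the DEK-Info names (DES-EDE3-CBC for the 3des export option, DES-CBC for des), and that a chosen passphrase meets the rule stated above (at least eight characters, no question mark). The sample EXPORT_OUTPUT is constructed from the terminal export transcript in this document with the base64 bodies shortened to the lines the document shows; the UNENCRYPTED_SAMPLE and SINGLE_DES_SAMPLE blocks are constructed placeholders, not real keys.

```python
import re

# Constructed sample: the `crypto ca export ... pem terminal 3des ...` output shown in
# this document, with the base64 bodies shortened to the lines the document prints.
EXPORT_OUTPUT = """\
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES
waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn
-----END CERTIFICATE-----
% Key name:aaa
Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type:4,ENCRYPTED
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A

Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87
kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=
-----END RSA PRIVATE KEY-----
% Certificate:
-----BEGIN CERTIFICATE-----
MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
6xlBaIsuMxnHmr89KkKkYlU6
-----END CERTIFICATE-----
"""

# Constructed placeholders (the bodies are not real key material).
UNENCRYPTED_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SINGLE_DES_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-CBC,0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

# Single DES corresponds to the `des` export option; it is the weaker of the two choices.
WEAK_DEK_CIPHERS = {"DES-CBC"}


def parse_pem_blocks(text):
    """Split a terminal dump into PEM blocks: [{label, headers, body}, ...].

    Lines outside BEGIN/END boundaries (IOS "% ..." prompts) are ignored. RFC 1421
    headers ("Name: value") are collected whether or not a blank line follows them,
    because base64 body lines never contain a colon.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            current = {"label": line[11:-5].strip(), "headers": {}, "body": ""}
        elif line.startswith("-----END ") and current is not None:
            blocks.append(current)
            current = None
        elif current is None or not line:
            continue
        elif re.match(r"^[A-Za-z][\w-]*:", line):
            name, _, value = line.partition(":")
            current["headers"][name.strip()] = value.strip()
        else:
            current["body"] += line
    return blocks


def audit_private_key(block):
    """Classify one PEM block by how (or whether) the private key is protected."""
    label = block["label"]
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 form: protection is inside the DER
        return "encrypted (PKCS#8)"
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return "not a private key"
    proc = block["headers"].get("Proc-Type", "")
    dek = block["headers"].get("DEK-Info", "")
    if "ENCRYPTED" not in proc or not dek:
        return "UNENCRYPTED"                    # never archive this form off-box
    cipher = dek.split(",", 1)[0].strip()
    if cipher in WEAK_DEK_CIPHERS:
        return f"encrypted with weak cipher ({cipher})"
    return f"encrypted ({cipher})"


def audit_export(text):
    """Audit every private-key block in an export dump: [(label, verdict), ...]."""
    return [(b["label"], audit_private_key(b)) for b in parse_pem_blocks(text)
            if audit_private_key(b) != "not a private key"]


def validate_passphrase(passphrase):
    """Rule from this document: at least eight characters; spaces and punctuation are
    allowed, but '?' is not because the IOS parser treats it as a help request."""
    return len(passphrase) >= 8 and "?" not in passphrase


if __name__ == "__main__":
    for label, verdict in audit_export(EXPORT_OUTPUT):
        print(f"{label}: {verdict}")
    print("passphrase ok:", validate_passphrase("cisco1234"))
```

The audit only inspects PEM headers; it does not decrypt anything, so it can run on an archive server that never sees the passphrase. Treat an "UNENCRYPTED" verdict as a hard stop before the file leaves the router's NVRAM.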
How to Configure and Implement Key Pairs and Certificates in PEM Files
This section contains the following procedures:
• Generating, Importing, and Exporting RSA Key Pairs in PEM Files
• Generating, Importing, and Exporting RSA Key Pairs and Certificates in PEM Files
• Generating a Certificate Request in a PEM File
Generating, Importing, and Exporting RSA Key Pairs in PEM Files
Use this task to back up and recover only RSA key pairs in PEM files.
Note
It is recommended that you keep the private key in a secure location.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa general-purpose label key-label exportable
4. crypto key export rsa key-label pem {terminal | url url} {3des | des} passphrase
5. crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase
6. exit
7. show crypto key mypubkey rsa
DETAILED STEPS
What to Do Next
After you have imported your RSA keys, you should authenticate and enroll your router with a CA server. For information on completing these tasks, refer to the chapter "Configuring Certification Authority Interoperability" in the Cisco IOS Security Configuration Guide.
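The following Python script is an added example and is not part of the Cisco document. Step 7 of the task verifies the key pair with show crypto key mypubkey rsa, whose "Key Data" field is the DER-encoded SubjectPublicKeyInfo of the key; the example decodes the Key Data that the document prints for the key "mycs" (in "Generating, Exporting, Importing, and Verifying RSA Keys in PEM Files: Example") with a minimal DER walker, recovers the modulus and public exponent, and wraps the same bytes in PEM boundaries. The assumption that a PEM public-key file such as mycs.pub is exactly this SubjectPublicKeyInfo under a "PUBLIC KEY" boundary is the example's, not a statement from the document; the Key Data hex itself is copied from the document.

```python
import base64
import re

# "Key Data" printed by `show crypto key mypubkey rsa` for key "mycs" in this document
# (the 1024-bit example key). Whitespace is ignored when parsing.
MYCS_KEY_DATA = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def key_data_bytes(hex_text):
    """Turn the whitespace-separated hex dump into raw DER bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_text))


def parse_key_data(hex_text):
    """Parse the SubjectPublicKeyInfo that IOS prints as 'Key Data'; return (n, e)."""
    der = key_data_bytes(hex_text)
    tag, spki, _ = der_tlv(der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, alg, pos = der_tlv(spki, 0)        # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    assert tag == 0x30
    oid_tag, oid, _ = der_tlv(alg, 0)
    assert oid_tag == 0x06 and oid == RSA_ENCRYPTION_OID, "not an rsaEncryption key"
    tag, bitstr, _ = der_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03 and bitstr[0] == 0, "unexpected unused-bits byte"
    tag, rsa_pub, _ = der_tlv(bitstr, 1)    # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    assert tag == 0x30
    tag, n_bytes, pos = der_tlv(rsa_pub, 0)
    assert tag == 0x02
    tag, e_bytes, _ = der_tlv(rsa_pub, pos)
    assert tag == 0x02
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(hex_text):
    """Summary a reviewer would compare against the configured key size and label."""
    n, e = parse_key_data(hex_text)
    return {"modulus_bits": n.bit_length(), "public_exponent": e,
            "der_length": len(key_data_bytes(hex_text))}


def key_data_to_pem(hex_text):
    """Wrap the DER bytes in the PEM boundaries of a public-key file (64-char lines)."""
    b64 = base64.b64encode(key_data_bytes(hex_text)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def pem_to_key_data(pem_text):
    """Inverse of key_data_to_pem: strip boundaries, decode base64, parse as Key Data."""
    b64 = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return parse_key_data(base64.b64decode(b64).hex())


if __name__ == "__main__":
    print(describe_key(MYCS_KEY_DATA))
    print(key_data_to_pem(MYCS_KEY_DATA))
```

In the document's show output the imported copy "mycs2" prints the same Key Data as "mycs", so running describe_key on both dumps returns the same values: the import under a new label creates a second name for the same key pair, now marked non-exportable.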
Generating, Importing, and Exporting RSA Key Pairs and Certificates in PEM Files
Use this task to back up and recover the RSA key pairs and certificates of the router that are associated with a trustpoint.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa general-purpose label key-label exportable
4. crypto ca trustpoint name
5. rsakeypair label
6. exit
7. crypto ca authenticate name
8. crypto ca enroll name
9. crypto ca export trustpoint pem {terminal | url url} {3des | des} passphrase
10. crypto ca import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase
11. exit
12. show crypto ca certificates
DETAILED STEPS
Generating a Certificate Request in a PEM File
Use this task to generate a PEM-formatted certificate request (PKCS#10) that can be used when the CA server does not support SCEP.
Note
When configuring certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained via the crypto ca authenticate command.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa general-purpose label key-label exportable
4. crypto ca trustpoint name
5. enrollment [mode] [retry period minutes] [retry count number] url url [pem]
   or
   enrollment terminal [pem]
6. exit
7. crypto ca enroll name
DETAILED STEPS
What to Do Next
Retrieve the request file from either the file system (if you specified the enrollment command) or the terminal console (if you specified the enrollment terminal command), and present the file to the CA server. After the certificate is granted, import the certificate (via the crypto ca import certificate command).
Configuration Examples for Using Key Pairs and Certificates in PEM Files
This section contains the following configuration examples:
• Generating, Exporting, Importing, and Verifying RSA Keys in PEM Files: Example
• Exporting Router RSA Key Pairs and Certificates From PEM Files: Example
• Importing Router RSA Key Pairs and Certificate From PEM Files: Example
Generating, Exporting, Importing, and Verifying RSA Keys in PEM Files: Example
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
! Generate the key pair
!
Router(config)# crypto key generate rsa general-purpose label mycs exportable
The name for the keys will be: mycs
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
!
! Archive the key pair to a remote location, and use a good password.
!
Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD
% Key name: mycs
Usage: General Purpose Key
Exporting public key...
Destination filename [mycs.pub]?
Writing file to nvram:mycs.pub
Exporting private key...
Destination filename [mycs.prv]?
Writing file to nvram:mycs.prv
!
! Import the key as a different name.
!
Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD
% Importing public key or certificate PEM file...
Source filename [mycs.pub]?
Reading file from nvram:mycs.pub
% Importing private key PEM file...
Source filename [mycs.prv]?
Reading file from nvram:mycs.prv
% Key pair import succeeded.
!
! After the key has been imported, it is no longer exportable.
!
! Verify the status of the key.
!
Router# show crypto key mypubkey rsa
% Key pair was generated at: 18:04:56 GMT Jun 6 2003
Key name: mycs
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
% Key pair was generated at: 18:17:25 GMT Jun 6 2003
Key name: mycs2
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
Exporting Router RSA Key Pairs and Certificates From PEM Files: Example
The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs." This example also shows PEM-formatted files, which include PEM boundaries before and after the base64-encoded data, that are used by other SSL and SSH applications.
Router(config)# crypto key generate rsa general-keys label aaa exportable
The name for the keys will be:aaa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
!
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
!
Router(config)# crypto ca trustpoint mycs
Router(ca-trustpoint)# enrollment url http://mycs
Router(ca-trustpoint)# rsakeypair aaa
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate mycs
Certificate has the following attributes:
Fingerprint:C21514AC 12815946 09F635ED FBB6CF31
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
!
Router(config)# crypto ca enroll mycs
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be:Router
% The subject name in the certificate will be:bizarro.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Request certificate from CA? [yes/no]:y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157
00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority
Router(config)# crypto ca export aaa pem terminal 3des cisco123
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES
<snip>
waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn
-----END CERTIFICATE-----
% Key name:aaa
Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type:4,ENCRYPTED
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A
Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87
<snip>
kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=
-----END RSA PRIVATE KEY-----
% Certificate:
-----BEGIN CERTIFICATE-----
MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
<snip>
6xlBaIsuMxnHmr89KkKkYlU6
-----END CERTIFICATE-----
Importing Router RSA Key Pairs and Certificate From PEM Files: Example
The following example shows how to import the RSA key pairs and certificate to the trustpoint "ggg" from PEM files via TFTP:
Router(config)# crypto ca import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234
% Importing CA certificate...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.ca]?
Reading file from tftp://10.1.1.2/johndoe/msca.ca
Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):!
[OK - 1082 bytes]
% Importing private key PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.prv]?
Reading file from tftp://10.1.1.2/johndoe/msca.prv
Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):!
[OK - 573 bytes]
% Importing certificate PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.crt]?
Reading file from tftp://10.1.1.2/johndoe/msca.crt
Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):!
[OK - 1289 bytes]
% PEM files import succeeded.
Router(config)#
Additional References
The following sections provide references related to Import of RSA Key Pair and Certificates in PEM Format.
Related Documents
Standards
Standard | Title
PKCS #12 v1.0 | Personal Information Exchange Syntax Standard, RSA Laboratories, June 24, 1999
MIBs
MIBs | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
New Commands
Modified Command
crypto ca export pem
To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy enhanced mail (PEM)-formatted file, use the crypto ca export pem command in global configuration mode.
crypto ca export trustpoint pem {terminal | url url} {3des | des} passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ca export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto ca import pem command) or other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs":
Router(config)# crypto key generate rsa general-keys label aaa exportable
The name for the keys will be:aaa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
!
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
!
Router(config)# crypto ca trustpoint mycs
Router(ca-trustpoint)# enrollment url http://mycs
Router(ca-trustpoint)# rsakeypair aaa
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate mycs
Certificate has the following attributes:
Fingerprint:C21514AC 12815946 09F635ED FBB6CF31
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
!
Router(config)# crypto ca enroll mycs
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be:Router
% The subject name in the certificate will be:bizarro.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Request certificate from CA? [yes/no]:y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157
00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority
Router(config)# crypto ca export aaa pem terminal 3des cisco123
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES
<snip>
waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn
-----END CERTIFICATE-----
% Key name:aaa
Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type:4,ENCRYPTED
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A
Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87
<snip>
kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=
-----END RSA PRIVATE KEY-----
% Certificate:
-----BEGIN CERTIFICATE-----
MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
<snip>
6xlBaIsuMxnHmr89KkKkYlU6
-----END CERTIFICATE-----
Related Commands
crypto ca import pem
To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy enhanced mail (PEM)-formatted files, use the crypto ca import pem command in global configuration mode.
crypto ca import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ca import pem command allows you import certificates and RSA key pairs in PEM-formatted files. The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.
Examples
The following example shows how to import PEM files to trustpoint "ggg" via TFTP:
Router(config)# crypto ca import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234
% Importing CA certificate...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.ca]?
Reading file from tftp://10.1.1.2/johndoe/msca.ca
Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):!
[OK - 1082 bytes]
% Importing private key PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.prv]?
Reading file from tftp://10.1.1.2/johndoe/msca.prv
Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):!
[OK - 573 bytes]
% Importing certificate PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.crt]?
Reading file from tftp://10.1.1.2/johndoe/msca.crt
Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):!
[OK - 1289 bytes]
% PEM files import succeeded.
Router(config)#
Related Commands
crypto key export pem
To export Rivest, Shamir, and Adelman (RSA) keys in privacy enhanced mail (PEM)-formatted files, use the crypto key export pem command in global configuration mode.
crypto key export rsa key-label pem {terminal | url url} {3des | des} passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto key export pem command allows you to export RSA key pairs in PEM-formatted files. The PEM files can then be imported back into a Cisco IOS router or other public key infrastructure (PKI) applications.
Note
Before you can export a RSA key pair in a PEM file, you must be sure the RSA key pair is exportable. To generate an exportable RSA key pair, issue the crypto key generate rsa command and specify the exportable keyword.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
! Generate the key pair
!
Router(config)# crypto key generate rsa general-purpose label mycs exportable
The name for the keys will be: mycs
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
!
! Archive the key pair to a remote location, and use a good password.
!
Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD
% Key name: mycs
Usage: General Purpose Key
Exporting public key...
Destination filename [mycs.pub]?
Writing file to nvram:mycs.pub
Exporting private key...
Destination filename [mycs.prv]?
Writing file to nvram:mycs.prv
!
! Import the key as a different name.
!
Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD
% Importing public key or certificate PEM file...
Source filename [mycs.pub]?
Reading file from nvram:mycs.pub
% Importing private key PEM file...
Source filename [mycs.prv]?
Reading file from nvram:mycs.prv
% Key pair import succeeded.
!
! After the key has been imported, it is no longer exportable.
!
! Verify the status of the key.
!
Router# show crypto key mypubkey rsa
% Key pair was generated at: 18:04:56 GMT Jun 6 2003
Key name: mycs
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
% Key pair was generated at: 18:17:25 GMT Jun 6 2003
Key name: mycs2
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
Related Commands
Command | Description
crypto key generate rsa | Generates RSA key pairs.
crypto key import pem | Imports RSA keys in PEM-formatted files.
crypto key import pem
To import Rivest, Shamir, and Adelman (RSA) keys in privacy enhanced mail (PEM)-formatted files, use the crypto key import pem command in global configuration mode.
crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto key import pem command allows you to import RSA key pairs in PEM-formatted files. The files can be previously exported from another Cisco IOS router or generated by other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
! Generate the key pair
!
Router(config)# crypto key generate rsa general-purpose label mycs exportable
The name for the keys will be: mycs
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
!
! Archive the key pair to a remote location, and use a good password.
!
Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD
% Key name: mycs
Usage: General Purpose Key
Exporting public key...
Destination filename [mycs.pub]?
Writing file to nvram:mycs.pub
Exporting private key...
Destination filename [mycs.prv]?
Writing file to nvram:mycs.prv
!
! Import the key as a different name.
!
Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD
% Importing public key or certificate PEM file...
Source filename [mycs.pub]?
Reading file from nvram:mycs.pub
% Importing private key PEM file...
Source filename [mycs.prv]?
Reading file from nvram:mycs.prv
% Key pair import succeeded.
!
! After the key has been imported, it is no longer exportable.
!
! Verify the status of the key.
!
Router# show crypto key mypubkey rsa
% Key pair was generated at: 18:04:56 GMT Jun 6 2003
Key name: mycs
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
% Key pair was generated at: 18:17:25 GMT Jun 6 2003
Key name: mycs2
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
Related Commands
Command | Description
crypto key export pem | Exports RSA keys in PEM-formatted files.
crypto key generate rsa | Generates RSA key pairs.
enrollment
To specify the enrollment parameters of a certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.
enrollment [mode] [retry period minutes] [retry count number] url url [pem]
no enrollment [mode] [retry period minutes] [retry count number] url url [pem]
Syntax Description
mode
(Optional) Registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.
retry period minutes
(Optional) Specifies the period in which the router will wait before sending the CA another certificate request. The default is 1 minute between retries. (Specify between 1 to 60 minutes.)
retry count number
(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 to 100 retries.)
url url
URL of the file system where your router should send certificate requests. For enrollment method options, see Table 1.
pem
(Optional) Adds privacy enhanced mail (PEM) boundaries to the certificate request.
Defaults
Your router does not know the CA URL until you specify it via url url.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.
Use the retry period minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. By default, the router will send a maximum of 10 requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (specified via the retry count number option) is exceeded.
Use the pem keyword to issue certificate requests (via the crypto ca enroll command) or receive issued certificates (via the crypto ca import certificate command) in PEM-formatted files.
Note
When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained via the crypto ca authenticate command.
Use the url url option to specify or change the URL of the CA. Table 1 lists the available enrollment methods.
Table 1 Certificate Enrollment Methods
Enrollment Method | Description
bootflash | Enroll via bootflash: file system
cns | Enroll via Cisco Networking Services (CNS): file system
flash | Enroll via flash: file system
ftp | Enroll via FTP: file system
SCEP [1] | Enroll via Simple Certificate Enrollment Protocol (SCEP) (an HTTP URL)
null | Enroll via null: file system
nvram | Enroll via NVRAM: file system
rcp | Enroll via remote copy protocol (rcp): file system
scp | Enroll via secure copy protocol (scp): file system
system | Enroll via system: file system
TFTP [2] | Enroll via TFTP: file system
[1] If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA.
[2] If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the section "TFTP Certificate Enrollment" for additional information.)
TFTP Certificate Enrollment
TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto ca authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the FQDN of the router will be used.)
Note
The crypto ca trustpoint command deprecates the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.
Examples
The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://kahului:80":
crypto ca trustpoint ka
enrollment url http://kahului:80
Related Commands
enrollment terminal
To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-trustpoint configuration mode. To delete a current enrollment request, use the no form of this command.
enrollment terminal [pem]
no enrollment terminal [pem]
Syntax Description
Defaults
No default behavior or values
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
A user may want to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and certification authority (CA). When this command is enabled, the router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal.
The pem Keyword
Use the pem keyword to issue certificate requests (via the crypto ca enroll command) or receive issued certificates (via the crypto ca import certificate command) in PEM-formatted files through the console terminal. If the CA server does not support simple certificate enrollment protocol (SCEP), the certificate request can be presented to the CA server manually.
Note
When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained via the crypto ca authenticate command.
Examples
The following example shows how to manually specify certificate enrollment via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto ca trustpoint MS
enrollment terminal
crypto ca authenticate MS
!
crypto ca enroll MS
crypto ca import MS certificate
Related Commands
Copyright © 2003 Cisco Systems, Inc. All rights reserved.